To many difference between speedtest on computer vs openwrt

Installing and Using OpenWrt Network and Wireless Configuration
1

hello,
i hope someone can help me.

I noticed that my up & download has decreased.
I was thinking the problem should be pihole. So i made some differents tests.
To be sure, i have checked dhcp configuration on computer before

(ping/Download/UpLoad)

    • from computer : openwrt+pihole ==> 7 / 117 / 102
    • from computer : openwrt+pihole disable ==> 6 ms / 99 / 97
    • from computer : openwrt+pihole + firewall disabled ==> 6 / 141 / 146

A problem i have noticed on openwrt is nslookup

Server:		127.0.0.1
Address:	127.0.0.1#53

Name:      openwrt.org
Address 1: 139.59.209.225
*** Can't find openwrt.org: No answer

i really have no idea if this problem is due to openwrt.
tks in advance for your time.

2

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
1 Like
3

Yes, I have also noticed that busybox nslookup is broken. It's resolving the name correctly, just reporting an error where there is none. I've already replaced my version with the full nslookup from bind9. I'll submit a PR to the openwrt packages repository with this patch.

EDIT: this problem appears to happen when the name being looked up does not have an ipv6 address as well as an ipv4 address. So it's benign.

root@openwrt:/# nslookup www.google.com
Server:		192.168.1.1
Address:	192.168.1.1#53

Name:      www.google.com
Address 1: 216.58.210.36
Address 2: 2a00:1450:4009:800::2004

root@openwrt:/# nslookup whatsmyipaddress.com
Server:		192.168.2.1
Address:	192.168.2.1#53

Name:      whatsmyipaddress.com
Address 1: 35.186.238.101
*** Can't find whatsmyipaddress.com: No answer

However, I don't think this is the cause of your problem.

1 Like
4

tks for your quick reply !

package network

package network

config interface 'loopback'
        option proto 'static'
        option ifname 'lo'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
        option proto 'static'
        option type 'bridge'
        option ifname 'eth0.1'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.2'
        option peerdns '0'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'vpn0'
        option proto 'none'
        option ifname 'tun0'
        option auto '1'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0.2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'nordvpn_vpn'
        option proto 'none'
        option ifname 'tun0'
        option metric '10'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'ffe09000.pcie/pci9000:00/9000:00:00.0/9000:01:00.0'
        option country 'FR'
        option htmode 'HT40'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'ffe0a000.pcie/pcia000:02/a000:02:00.0/a000:03:00.0'
        option country 'FR'
        option htmode 'HT40'
        option txpower '20'

package dhcp

config dnsmasq
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option domain 'xxxxxxxxx'
        option domainneeded '1'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option limit '254'
        option start '10'
        option ra_management '1'
        option force '1'
        list dhcp_option '6,192.168.1.101,192.168.1.10'
        option leasetime '5d'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Router_SFR'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.0.1'

config host
        option name 'WDR4900'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.1'

config host
        option name 'WR2543ND'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.2'

[----DELETED-----]

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config zone
        option name 'vpn_client'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpn_vpn'

config forwarding
        option src 'lan'
        option dest 'vpn_client'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpn0'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Autoriser-OpenVPN'
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '1194'
        list proto 'udp'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

[----DELETED-----]

config redirect
[----DELETED-----]       

# This file is interpreted as shell script.
[----DELETED-----]

# https://nordvpn.com/fr/tutorials/openwrt/openvpn/
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT
fi

iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.101 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.101 -p tcp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.227 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i br-lan ! -s 192.168.1.227 -p tcp --dport 53 -j REDIRECT

iptables -t nat -A PREROUTING -i eth0.2 -p udp --dport 53 -j REDIRECT
iptables -t nat -A PREROUTING -i eth0.2 -p tcp --dport 53 -j REDIRECT
5 
# Generated by iptables-save v1.8.3 on Thu May 14 23:58:05 2020
*nat
:PREROUTING ACCEPT [2564325:335241127]
:INPUT ACCEPT [733934:59227390]
:OUTPUT ACCEPT [706721:47326434]
:POSTROUTING ACCEPT [66577:4052357]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_client_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_client_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_client_postrouting - [0:0]
:zone_vpn_client_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[483663:31597466] -A PREROUTING ! -s 192.168.1.101/32 -i br-lan -p udp -m udp --dport 53 -j REDIRECT
[1234:74260] -A PREROUTING ! -s 192.168.1.101/32 -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT
[0:0] -A PREROUTING ! -s 192.168.1.227/32 -i br-lan -p udp -m udp --dport 53 -j REDIRECT
[0:0] -A PREROUTING ! -s 192.168.1.227/32 -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT
[333:21502] -A PREROUTING -i eth0.2 -p udp -m udp --dport 53 -j REDIRECT
[84:3420] -A PREROUTING -i eth0.2 -p tcp -m tcp --dport 53 -j REDIRECT
[2608670:337563892] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[2060485:286365100] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[548099:51189770] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[86:9022] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_client_prerouting
[86:9022] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[2266260:209824903] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[51036:3099986] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[2199683:205772546] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_client_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[51036:3099986] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.126/32 -p tcp -m tcp --dport 51023 -m comment --comment "!fw3: Lifedomus (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.126/32 -p tcp -m tcp --dport 8090 -m comment --comment "!fw3: LifeDomus (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.126/32 -p tcp -m tcp --dport 8443 -m comment --comment "!fw3: Lifedomus (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.185/32 -p tcp -m tcp --dport 8181 -m comment --comment "!fw3: squash (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.185/32 -p udp -m udp --dport 8181 -m comment --comment "!fw3: squash (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.190/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Jeedom (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.190/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: Jeedom (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.190/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: jeedom (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.190/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: jeedom (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.190/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: jeedom-todel (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.190/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: jeedom-todel (reflection)" -j SNAT --to-source 192.168.1.1
[2060485:286365100] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p tcp -m tcp --dport 51023 -m comment --comment "!fw3: Lifedomus (reflection)" -j DNAT --to-destination 192.168.1.126:51023
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p tcp -m tcp --dport 8090 -m comment --comment "!fw3: LifeDomus (reflection)" -j DNAT --to-destination 192.168.1.126:8090
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p tcp -m tcp --dport 8443 -m comment --comment "!fw3: Lifedomus (reflection)" -j DNAT --to-destination 192.168.1.126:8443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p tcp -m tcp --dport 8181 -m comment --comment "!fw3: squash (reflection)" -j DNAT --to-destination 192.168.1.185:8181
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p udp -m udp --dport 8181 -m comment --comment "!fw3: squash (reflection)" -j DNAT --to-destination 192.168.1.185:8181
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p tcp -m tcp --dport 9080 -m comment --comment "!fw3: Jeedom (reflection)" -j DNAT --to-destination 192.168.1.190:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p udp -m udp --dport 9080 -m comment --comment "!fw3: Jeedom (reflection)" -j DNAT --to-destination 192.168.1.190:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: jeedom (reflection)" -j DNAT --to-destination 192.168.1.190:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: jeedom (reflection)" -j DNAT --to-destination 192.168.1.190:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: jeedom-todel (reflection)" -j DNAT --to-destination 192.168.1.190:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.0.11/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: jeedom-todel (reflection)" -j DNAT --to-destination 192.168.1.190:80
[0:0] -A zone_vpn_client_postrouting -m comment --comment "!fw3: Custom vpn_client postrouting rule chain" -j postrouting_vpn_client_rule
[0:0] -A zone_vpn_client_postrouting -m comment --comment "!fw3" -j MASQUERADE
[86:9022] -A zone_vpn_client_prerouting -m comment --comment "!fw3: Custom vpn_client prerouting rule chain" -j prerouting_vpn_client_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[86:9022] -A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
[2199683:205772546] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[2199683:205772546] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[548099:51189770] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[1:40] -A zone_wan_prerouting -p tcp -m tcp --dport 51023 -m comment --comment "!fw3: Lifedomus" -j DNAT --to-destination 192.168.1.126:51023
[216:10788] -A zone_wan_prerouting -p tcp -m tcp --dport 8090 -m comment --comment "!fw3: LifeDomus" -j DNAT --to-destination 192.168.1.126:8090
[3185:166480] -A zone_wan_prerouting -p tcp -m tcp --dport 8443 -m comment --comment "!fw3: Lifedomus" -j DNAT --to-destination 192.168.1.126:8443
[14354:859284] -A zone_wan_prerouting -p tcp -m tcp --dport 8181 -m comment --comment "!fw3: squash" -j DNAT --to-destination 192.168.1.185:8181
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8181 -m comment --comment "!fw3: squash" -j DNAT --to-destination 192.168.1.185:8181
[675:35136] -A zone_wan_prerouting -p tcp -m tcp --dport 9080 -m comment --comment "!fw3: Jeedom" -j DNAT --to-destination 192.168.1.190:80
[2:861] -A zone_wan_prerouting -p udp -m udp --dport 9080 -m comment --comment "!fw3: Jeedom" -j DNAT --to-destination 192.168.1.190:80
[21842:1017704] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: jeedom" -j DNAT --to-destination 192.168.1.190:443
[46:23974] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: jeedom" -j DNAT --to-destination 192.168.1.190:443
[4003:207200] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: jeedom-todel" -j DNAT --to-destination 192.168.1.190:80
[21:1298] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: jeedom-todel" -j DNAT --to-destination 192.168.1.190:80
COMMIT
6 
# Completed on Thu May 14 23:58:05 2020
# Generated by iptables-save v1.8.3 on Thu May 14 23:58:05 2020
*mangle
:PREROUTING ACCEPT [413915016:557877508732]
:INPUT ACCEPT [4636147:4655921978]
:FORWARD ACCEPT [408615699:553084908145]
:OUTPUT ACCEPT [3661537:2243482925]
:POSTROUTING ACCEPT [412210863:555324771394]
[1416576:81384284] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[78:4680] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn_client MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu May 14 23:58:05 2020
# Generated by iptables-save v1.8.3 on Thu May 14 23:58:05 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_client_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_client_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_client_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_client_dest_ACCEPT - [0:0]
:zone_vpn_client_dest_REJECT - [0:0]
:zone_vpn_client_forward - [0:0]
:zone_vpn_client_input - [0:0]
:zone_vpn_client_output - [0:0]
:zone_vpn_client_src_REJECT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[75368:6818749] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[4560781:4649103309] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2083657:4210211055] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[202885:8561828] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2023487:410373855] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[453637:28518399] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_client_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[408615701:553084908399] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[406879362:552870609418] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1680501:211281928] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[55748:3006473] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[87:10400] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_client_forward
[87:10400] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[3:180] -A FORWARD -m comment --comment "!fw3" -j reject
[77524:7046255] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3584017:2236437694] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2889991:2189830238] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6821:821531] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[687205:45785925] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_client_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[196862:8244780] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[12240:2420993] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[202885:8561828] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[6841:822741] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1680501:211281928] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[1680501:211281928] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn_client forwarding policy" -j zone_vpn_client_dest_ACCEPT
[1680483:211280992] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2023487:410373855] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[268243:17746138] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1755244:392627717] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[6821:821531] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[6821:821531] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1755244:392627717] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[18:936] -A zone_vpn_client_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpn_client_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_client_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[87:10400] -A zone_vpn_client_forward -m comment --comment "!fw3: Custom vpn_client forwarding rule chain" -j forwarding_vpn_client_rule
[0:0] -A zone_vpn_client_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[87:10400] -A zone_vpn_client_forward -m comment --comment "!fw3" -j zone_vpn_client_dest_REJECT
[0:0] -A zone_vpn_client_input -m comment --comment "!fw3: Custom vpn_client input rule chain" -j input_vpn_client_rule
[0:0] -A zone_vpn_client_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_client_input -m comment --comment "!fw3" -j zone_vpn_client_src_REJECT
[0:0] -A zone_vpn_client_output -m comment --comment "!fw3: Custom vpn_client output rule chain" -j output_vpn_client_rule
[0:0] -A zone_vpn_client_output -m comment --comment "!fw3" -j zone_vpn_client_dest_ACCEPT
[0:0] -A zone_vpn_client_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[87:10400] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[87:10400] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[20:1210] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[66401:3635500] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2301354:253440607] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[55748:3006473] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[55748:3006473] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[453637:28518399] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[65:2955] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Autoriser-OpenVPN" -j ACCEPT
[42:15666] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[206405:16617353] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[38026:1216832] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[209099:10665593] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[687205:45785925] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[687205:45785925] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[209099:10665593] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu May 14 23:58:05 2020
# Generated by ip6tables-save v1.8.3 on Thu May 14 23:58:05 2020
*mangle
:PREROUTING ACCEPT [2060113:196091778]
:INPUT ACCEPT [1404219:116874846]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1373294:220889897]
:POSTROUTING ACCEPT [1436243:225422225]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn_client MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu May 14 23:58:05 2020
# Generated by ip6tables-save v1.8.3 on Thu May 14 23:58:05 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_client_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_client_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_client_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_client_dest_ACCEPT - [0:0]
:zone_vpn_client_dest_REJECT - [0:0]
:zone_vpn_client_forward - [0:0]
:zone_vpn_client_input - [0:0]
:zone_vpn_client_output - [0:0]
:zone_vpn_client_src_REJECT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1:192] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1404218:116874654] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[186222:17241306] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[208:16676] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1217996:99633348] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_client_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_client_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1:192] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1373293:220889705] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[985807:192829755] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[375000:26187050] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[12486:1872900] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_client_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[208:16676] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[375000:26187050] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn_client forwarding policy" -j zone_vpn_client_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1217996:99633348] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[1217996:99633348] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[375000:26187050] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[375000:26187050] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1217996:99633348] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_client_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpn_client_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_client_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_client_forward -m comment --comment "!fw3: Custom vpn_client forwarding rule chain" -j forwarding_vpn_client_rule
[0:0] -A zone_vpn_client_forward -m comment --comment "!fw3" -j zone_vpn_client_dest_REJECT
[0:0] -A zone_vpn_client_input -m comment --comment "!fw3: Custom vpn_client input rule chain" -j input_vpn_client_rule
[0:0] -A zone_vpn_client_input -m comment --comment "!fw3" -j zone_vpn_client_src_REJECT
[0:0] -A zone_vpn_client_output -m comment --comment "!fw3: Custom vpn_client output rule chain" -j output_vpn_client_rule
[0:0] -A zone_vpn_client_output -m comment --comment "!fw3" -j zone_vpn_client_dest_ACCEPT
[0:0] -A zone_vpn_client_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[12486:1872900] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Autoriser-OpenVPN" -j ACCEPT
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[12486:1872900] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[12486:1872900] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu May 14 23:58:05 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.11/24 brd 192.168.0.255 scope global eth0.2
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev eth0.2 proto static src 192.168.0.11
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.11
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0.2 table local proto kernel scope link src 192.168.0.11
local 192.168.0.11 dev eth0.2 table local proto kernel scope host src 192.168.0.11
broadcast 192.168.0.255 dev eth0.2 table local proto kernel scope link src 192.168.0.11
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::c24a:ff:fe50:fd6a/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd48:2080:194b::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::c24a:ff:fe50:fd6a/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::c24a:ff:fe50:fd6b/64 scope link
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::c24a:ff:fe50:fd6a/64 scope link
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::41d9:637f:ec51:ade1/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
15: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::c24a:ff:fe50:fd69/64 scope link
       valid_lft forever preferred_lft forever
fd48:2080:194b::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd48:2080:194b::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd48:2080:194b:: dev br-lan table local proto kernel metric 0 pref medium
local fd48:2080:194b::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
local fe80::41d9:637f:ec51:ade1 dev tun0 table local proto kernel metric 0 pref medium
local fe80::c24a:ff:fe50:fd69 dev wlan1 table local proto kernel metric 0 pref medium
local fe80::c24a:ff:fe50:fd6a dev eth0 table local proto kernel metric 0 pref medium
local fe80::c24a:ff:fe50:fd6a dev br-lan table local proto kernel metric 0 pref medium
local fe80::c24a:ff:fe50:fd6a dev wlan0 table local proto kernel metric 0 pref medium
local fe80::c24a:ff:fe50:fd6b dev eth0.2 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo failed_policy
4200000005:     from all iif br-lan failed_policy
4200000007:     from all iif eth0.2 failed_policy
4200000012:     from all iif tun0 failed_policy
4200000012:     from all iif tun0 failed_policy
lrwxrwxrwx    1 root     root            16 Jan  6 17:47 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            37 May  3 00:45 /tmp/resolv.conf
-rw-r--r--    1 root     root            66 Apr 17 12:32 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search chtiloft
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search chtiloft
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 103.86.96.100
nameserver 103.86.99.100
7

I see you are using a VPN... if you disable the VPN, do you still see the same issues?

1 Like
8

hello, sorry for the late !

well, i disabled vpn :

# sh betterspeedtest.sh -H netperf-west.bufferbloat.net
2020-05-25 14:30:12 Testing against netperf-west.bufferbloat.net (ipv4) with 5 simultaneous sessions while pinging gstatic.com (60 seconds in each direction)
.............................................................
 Download: 93.22 Mbps
  Latency: (in msec, 61 pings, 0.00% packet loss)
      Min: 141.650
    10pct: 141.786
   Median: 142.469
      Avg: 211.994
    90pct: 384.940
      Max: 527.704
....................................................................................................................................................................................
   Upload: 0.00 Mbps
  Latency: (in msec, 181 pings, 0.00% packet loss)
      Min: 141.634
    10pct: 141.796
   Median: 142.381
      Avg: 146.585
    90pct: 155.463
      Max: 221.828

and than i run speedtest from my computer, pihole running :
image

i really don't understand, because upload & download was better from openwrt before...

many tks for your time

9

Speedtest is rubbish. It depends on the server you are using. I get results all over the map, particularly on upload. I change to a different server and it works better.

Try http://testmy.net

10

For the record, that script gives me results consistent with dslreports speedtest. I think it's real power is not in down/up speeds, but in measuring bufferbloat.