Hi
I tried to install the Tor client following this guide https://openwrt.org/docs/guide-user/services/tor/client and had no success. Clients cannot reach the internet when connected by Ethernet or Wi-Fi AP.
Seems like Tor was not 100% bootstrapped.
What should I do? Any help would be appreciated.
Here is the troubleshooting info:
root@OpenWrt:/# service log restart; service firewall restart; service tor restart
root@OpenWrt:/# logread -e Tor; netstat -l -n -p | grep -e tor
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: We compiled with OpenSSL 1010117f: OpenSSL 1.1.1w 11 Sep 2023 and we are running with OpenSSL 1010117f: 1.1.1w. These two versions should be binary compatible.
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Tor 0.4.7.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1w, Zlib 1.2.11, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Read configuration file "/tmp/torrc".
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Processing configuration path "/etc/tor/torrc" at recursion level 1.
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Including configuration file "/etc/tor/torrc".
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Processing configuration path "/etc/tor/custom" at recursion level 1.
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Including configuration file "/etc/tor/custom".
Wed Feb 14 11:11:21 2024 daemon.warn Tor[4182]: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:21 2024 daemon.warn Tor[4182]: You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:21 2024 daemon.warn Tor[4182]: You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:21 2024 daemon.warn Tor[4182]: You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:21 2024 daemon.warn Tor[4182]: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:21 2024 daemon.warn Tor[4182]: You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:21 2024 daemon.warn Tor[4182]: You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:21 2024 daemon.warn Tor[4182]: You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opening Socks listener on 127.0.0.1:9050
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opened Socks listener connection (ready) on 127.0.0.1:9050
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opening DNS listener on 0.0.0.0:9053
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opened DNS listener connection (ready) on 0.0.0.0:9053
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opening DNS listener on [::]:9053
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opened DNS listener connection (ready) on [::]:9053
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opening Transparent pf/netfilter listener on 0.0.0.0:9040
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opened Transparent pf/netfilter listener connection (ready) on 0.0.0.0:9040
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opening Transparent pf/netfilter listener on [::]:9040
Wed Feb 14 11:11:21 2024 daemon.notice Tor[4182]: Opened Transparent pf/netfilter listener connection (ready) on [::]:9040
Wed Feb 14 11:11:22 2024 daemon.notice Tor[4182]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Wed Feb 14 11:11:26 2024 daemon.notice Tor[4182]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Wed Feb 14 11:11:33 2024 daemon.notice Tor[4182]: Bootstrapped 0% (starting): Starting
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: We compiled with OpenSSL 1010117f: OpenSSL 1.1.1w 11 Sep 2023 and we are running with OpenSSL 1010117f: 1.1.1w. These two versions should be binary compatible.
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Tor 0.4.7.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1w, Zlib 1.2.11, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Read configuration file "/tmp/torrc".
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Processing configuration path "/etc/tor/torrc" at recursion level 1.
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Including configuration file "/etc/tor/torrc".
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Processing configuration path "/etc/tor/custom" at recursion level 1.
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Including configuration file "/etc/tor/custom".
Wed Feb 14 11:11:47 2024 daemon.warn Tor[4210]: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:47 2024 daemon.warn Tor[4210]: You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:47 2024 daemon.warn Tor[4210]: You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:47 2024 daemon.warn Tor[4210]: You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:47 2024 daemon.warn Tor[4210]: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:47 2024 daemon.warn Tor[4210]: You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:47 2024 daemon.warn Tor[4210]: You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:47 2024 daemon.warn Tor[4210]: You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opening Socks listener on 127.0.0.1:9050
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opened Socks listener connection (ready) on 127.0.0.1:9050
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opening DNS listener on 0.0.0.0:9053
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opened DNS listener connection (ready) on 0.0.0.0:9053
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opening DNS listener on [::]:9053
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opened DNS listener connection (ready) on [::]:9053
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opening Transparent pf/netfilter listener on 0.0.0.0:9040
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opened Transparent pf/netfilter listener connection (ready) on 0.0.0.0:9040
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opening Transparent pf/netfilter listener on [::]:9040
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Opened Transparent pf/netfilter listener connection (ready) on [::]:9040
Wed Feb 14 11:11:47 2024 daemon.notice Tor[4210]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Wed Feb 14 11:11:52 2024 daemon.notice Tor[4210]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Wed Feb 14 11:11:58 2024 daemon.notice Tor[4210]: Bootstrapped 0% (starting): Starting
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: We compiled with OpenSSL 1010117f: OpenSSL 1.1.1w 11 Sep 2023 and we are running with OpenSSL 1010117f: 1.1.1w. These two versions should be binary compatible.
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Tor 0.4.7.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1w, Zlib 1.2.11, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Read configuration file "/tmp/torrc".
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Processing configuration path "/etc/tor/torrc" at recursion level 1.
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Including configuration file "/etc/tor/torrc".
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Processing configuration path "/etc/tor/custom" at recursion level 1.
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Including configuration file "/etc/tor/custom".
Wed Feb 14 11:12:13 2024 daemon.warn Tor[4213]: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:12:13 2024 daemon.warn Tor[4213]: You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:12:13 2024 daemon.warn Tor[4213]: You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:12:13 2024 daemon.warn Tor[4213]: You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:12:13 2024 daemon.warn Tor[4213]: You specified a public address '0.0.0.0:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:12:13 2024 daemon.warn Tor[4213]: You specified a public address '[::]:9053' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:12:13 2024 daemon.warn Tor[4213]: You specified a public address '0.0.0.0:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:12:13 2024 daemon.warn Tor[4213]: You specified a public address '[::]:9040' for TransPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opening Socks listener on 127.0.0.1:9050
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opened Socks listener connection (ready) on 127.0.0.1:9050
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opening DNS listener on 0.0.0.0:9053
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opened DNS listener connection (ready) on 0.0.0.0:9053
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opening DNS listener on [::]:9053
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opened DNS listener connection (ready) on [::]:9053
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opening Transparent pf/netfilter listener on 0.0.0.0:9040
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opened Transparent pf/netfilter listener connection (ready) on 0.0.0.0:9040
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opening Transparent pf/netfilter listener on [::]:9040
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Opened Transparent pf/netfilter listener connection (ready) on [::]:9040
Wed Feb 14 11:12:13 2024 daemon.notice Tor[4213]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
tcp 0 0 0.0.0.0:9040 0.0.0.0:* LISTEN 4213/tor
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 4213/tor
tcp 0 0 :::9040 :::* LISTEN 4213/tor
udp 11968 0 0.0.0.0:9053 0.0.0.0:* 4213/tor
udp 11968 0 :::9053 :::* 4213/tor
root@OpenWrt:/# pgrep -f -a tor
root@OpenWrt:/# nft list ruleset
table inet fw4 {
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
chain output {
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
}
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
ct status dnat accept comment "!fw4: Accept port redirections"
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
chain forward_lan {
ct status dnat accept comment "!fw4: Accept port forwards"
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "br-lan" counter packets 1481 bytes 109375 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "br-lan" counter packets 23 bytes 1592 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 3 bytes 1014 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 3 bytes 108 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
chain forward_wan {
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
jump reject_to_wan
}
chain accept_to_wan {
oifname "eth1" counter packets 242 bytes 17571 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
iifname "eth1" counter packets 9 bytes 1449 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname "eth1" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}
chain dstnat_lan {
tcp dport 53 counter packets 19 bytes 1228 redirect to :53 comment "!fw4: Intercept-DNS"
udp dport 53 counter packets 895 bytes 65509 redirect to :53 comment "!fw4: Intercept-DNS"
fib daddr type != { local, broadcast } tcp dport 0-65535 counter packets 0 bytes 0 redirect to :9040 comment "!fw4: Intercept-TCP"
}
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
oifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
}
root@OpenWrt:/# uci show firewall; uci show tor; grep -v -r -e "^#" -e "^$" /etc/tor
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.dns_int=redirect
firewall.dns_int.name='Intercept-DNS'
firewall.dns_int.src='lan'
firewall.dns_int.src_dport='53'
firewall.dns_int.proto='tcp udp'
firewall.dns_int.family='any'
firewall.dns_int.target='DNAT'
firewall.tor_nft=include
firewall.tor_nft.path='/etc/nftables.d/tor.sh'
firewall.tcp_int=redirect
firewall.tcp_int.name='Intercept-TCP'
firewall.tcp_int.src='lan'
firewall.tcp_int.src_dport='0-65535'
firewall.tcp_int.dest_port='9040'
firewall.tcp_int.proto='tcp'
firewall.tcp_int.family='any'
firewall.tcp_int.target='DNAT'
tor.conf=tor
tor.conf.default='/etc/tor/torrc'
tor.conf.generated='/tmp/torrc'
tor.conf.tail_include='/etc/tor/custom'
/etc/tor/torrc:Log notice syslog
/etc/tor/torrc:DataDirectory /var/lib/tor
/etc/tor/torrc:User tor
/etc/tor/custom:AutomapHostsOnResolve 1
/etc/tor/custom:AutomapHostsSuffixes .
/etc/tor/custom:VirtualAddrNetworkIPv4 172.16.0.0/12
/etc/tor/custom:VirtualAddrNetworkIPv6 [fc00::]/8
/etc/tor/custom:DNSPort 0.0.0.0:9053
/etc/tor/custom:DNSPort [::]:9053
/etc/tor/custom:TransPort 0.0.0.0:9040
/etc/tor/custom:TransPort [::]:9040
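
Added example, not part of the original post: a POSIX shell helper that condenses `logread -e Tor` output in the format shown above into one line per Tor PID (highest bootstrap percentage logged, number of "public address" listener warnings) and flags the pattern of repeated start-ups under new PIDs that never reach 100%. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Tor syslog lines (format of `logread -e Tor`) per PID.
# On the router the intended use would be:  logread -e Tor | tor_log_summary

# Constructed sample input in the same line format as the log above (not real data).
sample_log() {
    cat <<'EOF'
Mon Jan  1 00:00:01 2024 daemon.warn Tor[1001]: You specified a public address '0.0.0.0:9053' for DNSPort.
Mon Jan  1 00:00:01 2024 daemon.warn Tor[1001]: You specified a public address '0.0.0.0:9040' for TransPort.
Mon Jan  1 00:00:12 2024 daemon.notice Tor[1001]: Bootstrapped 0% (starting): Starting
Mon Jan  1 00:00:27 2024 daemon.warn Tor[1002]: You specified a public address '0.0.0.0:9053' for DNSPort.
Mon Jan  1 00:00:27 2024 daemon.notice Tor[1002]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
EOF
}

# Reads log lines on stdin and prints, in order of first appearance:
#   pid=<pid> max_bootstrap=<percent|none> public_listeners=<count>
tor_log_summary() {
    awk '
    {
        # Pull the PID out of the "Tor[1234]:" syslog tag; skip unrelated lines.
        if (!match($0, /Tor\[[0-9]+\]:/)) next
        pid = substr($0, RSTART + 4, RLENGTH - 6)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid; boot[pid] = "none" }

        # Track the highest "Bootstrapped N%" this PID ever logged.
        if (match($0, /Bootstrapped [0-9]+%/)) {
            pct = substr($0, RSTART + 13, RLENGTH - 14) + 0
            if (boot[pid] == "none" || pct > boot[pid]) boot[pid] = pct
        }

        # Count warnings about DNSPort/TransPort bound to a wildcard address.
        if ($0 ~ /You specified a public address/) pub[pid]++
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf "pid=%s max_bootstrap=%s public_listeners=%d\n", p, boot[p], pub[p] + 0
        }
    }'
}

# Exit status 0 when the log shows at least two Tor PIDs and none reached 100%,
# i.e. the daemon keeps being started again before bootstrap completes.
tor_crash_loop() {
    tor_log_summary | awk -F'[= ]' '
        { pids++; if ($4 == 100) full = 1 }
        END { exit !(pids >= 2 && !full) }'
}

# Stand-alone run on the constructed sample.
sample_log | tor_log_summary
if sample_log | tor_crash_loop; then
    echo "restart loop: yes"
else
    echo "restart loop: no"
fi
```
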