Here is the output
root@meow:~# ip address show; ip route show table all; ip rule show; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether a6:e0:8d:df:24:bd brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 5e:09:4d:5a:83:a0 brd ff:ff:ff:ff:ff:ff
inet 192.168.12.103/24 brd 192.168.12.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 6666:xxxx:yyyy:qqqq:cc4f:9c8f:0:e9f/128 scope global dynamic noprefixroute
valid_lft 86363sec preferred_lft 86363sec
inet6 6666:xxxx:yyyy:qqqq:5c09:4dff:fe5a:83a0/64 scope global dynamic noprefixroute
valid_lft 86363sec preferred_lft 86363sec
inet6 fe80::5c09:4dff:fe5a:83a0/64 scope link
valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a6:e0:8d:df:24:bd brd ff:ff:ff:ff:ff:ff
inet 192.168.44.1/24 brd 192.168.44.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fdb6:bf3f:ddd8::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::a4e0:8dff:fedf:24bd/64 scope link
valid_lft forever preferred_lft forever
10: eth0.666@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a6:e0:8d:df:24:bd brd ff:ff:ff:ff:ff:ff
inet 172.66.0.1/24 brd 172.66.0.255 scope global eth0.666
valid_lft forever preferred_lft forever
inet6 fe80::a4e0:8dff:fedf:24bd/64 scope link
valid_lft forever preferred_lft forever
11: eth0.200@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a6:e0:8d:df:24:bd brd ff:ff:ff:ff:ff:ff
inet 172.17.200.1/24 brd 172.17.200.255 scope global eth0.200
valid_lft forever preferred_lft forever
inet6 fdb6:bf3f:ddd8:10::1/64 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::a4e0:8dff:fedf:24bd/64 scope link
valid_lft forever preferred_lft forever
13: vpsgw: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1350 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.100.100.10/24 brd 10.100.100.255 scope global vpsgw
valid_lft forever preferred_lft forever
inet6 2605:6404:2fa:100::10/64 scope global
valid_lft forever preferred_lft forever
default dev vpsgw table 20 proto static scope link
10.100.100.0/24 dev vpsgw table 20 proto static scope link
default via 192.168.12.1 dev eth1 proto static src 192.168.12.103
45.61.184.24 via 192.168.12.1 dev eth1 proto static
172.17.200.0/24 dev eth0.200 proto kernel scope link src 172.17.200.1
172.66.0.0/24 dev eth0.666 proto kernel scope link src 172.66.0.1
192.168.12.0/24 dev eth1 proto kernel scope link src 192.168.12.103
192.168.44.0/24 dev br-lan proto kernel scope link src 192.168.44.1
broadcast 10.100.100.0 dev vpsgw table local proto kernel scope link src 10.100.100.10
local 10.100.100.10 dev vpsgw table local proto kernel scope host src 10.100.100.10
broadcast 10.100.100.255 dev vpsgw table local proto kernel scope link src 10.100.100.10
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.200.0 dev eth0.200 table local proto kernel scope link src 172.17.200.1
local 172.17.200.1 dev eth0.200 table local proto kernel scope host src 172.17.200.1
broadcast 172.17.200.255 dev eth0.200 table local proto kernel scope link src 172.17.200.1
broadcast 172.66.0.0 dev eth0.666 table local proto kernel scope link src 172.66.0.1
local 172.66.0.1 dev eth0.666 table local proto kernel scope host src 172.66.0.1
broadcast 172.66.0.255 dev eth0.666 table local proto kernel scope link src 172.66.0.1
broadcast 192.168.12.0 dev eth1 table local proto kernel scope link src 192.168.12.103
local 192.168.12.103 dev eth1 table local proto kernel scope host src 192.168.12.103
broadcast 192.168.12.255 dev eth1 table local proto kernel scope link src 192.168.12.103
broadcast 192.168.44.0 dev br-lan table local proto kernel scope link src 192.168.44.1
local 192.168.44.1 dev br-lan table local proto kernel scope host src 192.168.44.1
broadcast 192.168.44.255 dev br-lan table local proto kernel scope link src 192.168.44.1
2605:6404:2fa:100::/64 dev vpsgw table 20 proto static metric 1024 pref medium
default dev vpsgw table 20 proto static metric 1024 pref medium
default from 6666:xxxx:yyyy:qqqq:cc4f:9c8f:0:e9f via fe80::e7c:28ff:fe8d:6ecc dev eth1 proto static metric 512 pref medium
default from 6666:xxxx:yyyy:qqqq::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth1 proto static metric 512 pref medium
6666:xxxx:yyyy:qqqq::/64 dev eth1 proto static metric 256 pref medium
6666:xxxx:yyyy:qqqq::/64 via fe80::e7c:28ff:fe8d:6ecc dev eth1 proto static metric 512 pref medium
unreachable 6666:xxxx:yyyy:qqqq::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
fdb6:bf3f:ddd8::/64 dev br-lan proto static metric 1024 pref medium
fdb6:bf3f:ddd8:10::/64 dev eth0.200 proto static metric 1024 pref medium
unreachable fdb6:bf3f:ddd8::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev eth0.666 proto kernel metric 256 pref medium
fe80::/64 dev eth0.200 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
default via fe80::e7c:28ff:fe8d:6ecc dev eth1 proto ra metric 1024 expires 1761sec mtu 1440 hoplimit 64 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2605:6404:2fa:100:: dev vpsgw table local proto kernel metric 0 pref medium
local 2605:6404:2fa:100::10 dev vpsgw table local proto kernel metric 0 pref medium
anycast 6666:xxxx:yyyy:qqqq:: dev eth1 table local proto kernel metric 0 pref medium
local 6666:xxxx:yyyy:qqqq:5c09:4dff:fe5a:83a0 dev eth1 table local proto kernel metric 0 pref medium
local 6666:xxxx:yyyy:qqqq:cc4f:9c8f:0:e9f dev eth1 table local proto kernel metric 0 pref medium
anycast fdb6:bf3f:ddd8:: dev br-lan table local proto kernel metric 0 pref medium
local fdb6:bf3f:ddd8::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fdb6:bf3f:ddd8:10:: dev eth0.200 table local proto kernel metric 0 pref medium
local fdb6:bf3f:ddd8:10::1 dev eth0.200 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.200 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.666 table local proto kernel metric 0 pref medium
local fe80::5c09:4dff:fe5a:83a0 dev eth1 table local proto kernel metric 0 pref medium
local fe80::a4e0:8dff:fedf:24bd dev br-lan table local proto kernel metric 0 pref medium
local fe80::a4e0:8dff:fedf:24bd dev eth0.200 table local proto kernel metric 0 pref medium
local fe80::a4e0:8dff:fedf:24bd dev eth0.666 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
ff00::/8 dev eth0.666 table local proto kernel metric 256 pref medium
ff00::/8 dev eth0.200 table local proto kernel metric 256 pref medium
ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
ff00::/8 dev vpsgw table local proto kernel metric 256 pref medium
0: from all lookup local
10000: from 10.100.100.10 lookup 20
20000: from all to 10.100.100.10/24 lookup 20
30000: from all iif eth0.666 lookup 20
32766: from all lookup main
32767: from all lookup default
90013: from all iif lo lookup 20
# Generated by iptables-save v1.8.3 on Tue Jul 27 11:20:17 2021
*nat
:PREROUTING ACCEPT [62:4773]
:INPUT ACCEPT [23:1530]
:OUTPUT ACCEPT [23:1521]
:POSTROUTING ACCEPT [20:1317]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_surfshark_rule - [0:0]
:postrouting_untrusted_rule - [0:0]
:postrouting_vpsgw_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_surfshark_rule - [0:0]
:prerouting_untrusted_rule - [0:0]
:prerouting_vpsgw_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_surfshark_postrouting - [0:0]
:zone_surfshark_prerouting - [0:0]
:zone_untrusted_postrouting - [0:0]
:zone_untrusted_prerouting - [0:0]
:zone_vpsgw_postrouting - [0:0]
:zone_vpsgw_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.666 -m comment --comment "!fw3" -j zone_surfshark_prerouting
-A PREROUTING -i eth0.200 -m comment --comment "!fw3" -j zone_untrusted_prerouting
-A PREROUTING -i vpsgw -m comment --comment "!fw3" -j zone_vpsgw_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.666 -m comment --comment "!fw3" -j zone_surfshark_postrouting
-A POSTROUTING -o eth0.200 -m comment --comment "!fw3" -j zone_untrusted_postrouting
-A POSTROUTING -o vpsgw -m comment --comment "!fw3" -j zone_vpsgw_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_surfshark_postrouting -m comment --comment "!fw3: Custom surfshark postrouting rule chain" -j postrouting_surfshark_rule
-A zone_surfshark_prerouting -m comment --comment "!fw3: Custom surfshark prerouting rule chain" -j prerouting_surfshark_rule
-A zone_untrusted_postrouting -m comment --comment "!fw3: Custom untrusted postrouting rule chain" -j postrouting_untrusted_rule
-A zone_untrusted_prerouting -m comment --comment "!fw3: Custom untrusted prerouting rule chain" -j prerouting_untrusted_rule
-A zone_vpsgw_postrouting -m comment --comment "!fw3: Custom vpsgw postrouting rule chain" -j postrouting_vpsgw_rule
-A zone_vpsgw_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpsgw_prerouting -m comment --comment "!fw3: Custom vpsgw prerouting rule chain" -j prerouting_vpsgw_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Jul 27 11:20:17 2021
# Generated by iptables-save v1.8.3 on Tue Jul 27 11:20:17 2021
*mangle
:PREROUTING ACCEPT [662:201356]
:INPUT ACCEPT [481:121397]
:FORWARD ACCEPT [159:75667]
:OUTPUT ACCEPT [801:306955]
:POSTROUTING ACCEPT [960:382622]
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Jul 27 11:20:17 2021
# Generated by iptables-save v1.8.3 on Tue Jul 27 11:20:17 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_surfshark_rule - [0:0]
:forwarding_untrusted_rule - [0:0]
:forwarding_vpsgw_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_surfshark_rule - [0:0]
:input_untrusted_rule - [0:0]
:input_vpsgw_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_surfshark_rule - [0:0]
:output_untrusted_rule - [0:0]
:output_vpsgw_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_surfshark_dest_ACCEPT - [0:0]
:zone_surfshark_forward - [0:0]
:zone_surfshark_input - [0:0]
:zone_surfshark_output - [0:0]
:zone_surfshark_src_REJECT - [0:0]
:zone_untrusted_dest_ACCEPT - [0:0]
:zone_untrusted_forward - [0:0]
:zone_untrusted_input - [0:0]
:zone_untrusted_output - [0:0]
:zone_untrusted_src_REJECT - [0:0]
:zone_vpsgw_dest_ACCEPT - [0:0]
:zone_vpsgw_dest_REJECT - [0:0]
:zone_vpsgw_forward - [0:0]
:zone_vpsgw_input - [0:0]
:zone_vpsgw_output - [0:0]
:zone_vpsgw_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.666 -m comment --comment "!fw3" -j zone_surfshark_input
-A INPUT -i eth0.200 -m comment --comment "!fw3" -j zone_untrusted_input
-A INPUT -i vpsgw -m comment --comment "!fw3" -j zone_vpsgw_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Zone * to vpsgw forwarding policy" -j zone_vpsgw_dest_ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.666 -m comment --comment "!fw3" -j zone_surfshark_forward
-A FORWARD -i eth0.200 -m comment --comment "!fw3" -j zone_untrusted_forward
-A FORWARD -i vpsgw -m comment --comment "!fw3" -j zone_vpsgw_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.666 -m comment --comment "!fw3" -j zone_surfshark_output
-A OUTPUT -o eth0.200 -m comment --comment "!fw3" -j zone_untrusted_output
-A OUTPUT -o vpsgw -m comment --comment "!fw3" -j zone_vpsgw_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_surfshark_dest_ACCEPT -o eth0.666 -m comment --comment "!fw3" -j ACCEPT
-A zone_surfshark_forward -m comment --comment "!fw3: Custom surfshark forwarding rule chain" -j forwarding_surfshark_rule
-A zone_surfshark_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_surfshark_forward -m comment --comment "!fw3" -j zone_surfshark_dest_ACCEPT
-A zone_surfshark_input -m comment --comment "!fw3: Custom surfshark input rule chain" -j input_surfshark_rule
-A zone_surfshark_input -p icmp -m comment --comment "!fw3: Allow-vlan666-Ping" -j ACCEPT
-A zone_surfshark_input -p tcp -m comment --comment "!fw3: vlan666-to-router" -j ACCEPT
-A zone_surfshark_input -p udp -m comment --comment "!fw3: vlan666-to-router" -j ACCEPT
-A zone_surfshark_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_surfshark_input -m comment --comment "!fw3" -j zone_surfshark_src_REJECT
-A zone_surfshark_output -m comment --comment "!fw3: Custom surfshark output rule chain" -j output_surfshark_rule
-A zone_surfshark_output -m comment --comment "!fw3" -j zone_surfshark_dest_ACCEPT
-A zone_surfshark_src_REJECT -i eth0.666 -m comment --comment "!fw3" -j reject
-A zone_untrusted_dest_ACCEPT -o eth0.200 -m comment --comment "!fw3" -j ACCEPT
-A zone_untrusted_forward -m comment --comment "!fw3: Custom untrusted forwarding rule chain" -j forwarding_untrusted_rule
-A zone_untrusted_forward -m comment --comment "!fw3: Zone untrusted to * forwarding policy" -j ACCEPT
-A zone_untrusted_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_untrusted_forward -m comment --comment "!fw3" -j zone_untrusted_dest_ACCEPT
-A zone_untrusted_input -m comment --comment "!fw3: Custom untrusted input rule chain" -j input_untrusted_rule
-A zone_untrusted_input -p icmp -m comment --comment "!fw3: Allow-vlan200-Ping" -j ACCEPT
-A zone_untrusted_input -p tcp -m comment --comment "!fw3: vlan200-to-router" -j ACCEPT
-A zone_untrusted_input -p udp -m comment --comment "!fw3: vlan200-to-router" -j ACCEPT
-A zone_untrusted_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_untrusted_input -m comment --comment "!fw3" -j zone_untrusted_src_REJECT
-A zone_untrusted_output -m comment --comment "!fw3: Custom untrusted output rule chain" -j output_untrusted_rule
-A zone_untrusted_output -m comment --comment "!fw3" -j zone_untrusted_dest_ACCEPT
-A zone_untrusted_src_REJECT -i eth0.200 -m comment --comment "!fw3" -j reject
-A zone_vpsgw_dest_ACCEPT -o vpsgw -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpsgw_dest_ACCEPT -o vpsgw -m comment --comment "!fw3" -j ACCEPT
-A zone_vpsgw_dest_REJECT -o vpsgw -m comment --comment "!fw3" -j reject
-A zone_vpsgw_forward -m comment --comment "!fw3: Custom vpsgw forwarding rule chain" -j forwarding_vpsgw_rule
-A zone_vpsgw_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpsgw_forward -m comment --comment "!fw3" -j zone_vpsgw_dest_REJECT
-A zone_vpsgw_input -m comment --comment "!fw3: Custom vpsgw input rule chain" -j input_vpsgw_rule
-A zone_vpsgw_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpsgw_input -m comment --comment "!fw3" -j zone_vpsgw_src_REJECT
-A zone_vpsgw_output -m comment --comment "!fw3: Custom vpsgw output rule chain" -j output_vpsgw_rule
-A zone_vpsgw_output -m comment --comment "!fw3" -j zone_vpsgw_dest_ACCEPT
-A zone_vpsgw_src_REJECT -i vpsgw -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Tue Jul 27 11:20:17 2021
The above output was captured while the OpenWrt eth0.666 interface is configured with a routing-table lookup rule. Let me know if it would be helpful to post the same output with the surfshark_vpn rule deleted (which leaves eth0.666 VLAN traffic unable to reach the internet because there is no forward zone rule - this I did expect, but I was surprised that I didn't need a rule for WireGuard).
root@meow:~# ip rule list
0: from all lookup local
10000: from 10.100.100.10 lookup 20
20000: from all to 10.100.100.10/24 lookup 20
30000: from all iif eth0.666 lookup 20
32766: from all lookup main
32767: from all lookup default
90013: from all iif lo lookup 20
In my settings I am using the number "20" as the table name. During my experiments with the vpn-policy-routing package I noticed that the above command, ip rule list,
actually printed a device name, 'vpsgw', instead of a number - is this a setting I can use instead of ip4table = 20?
I tried a non-integer value in the config and it was not accepted.