Using mwan3 to direct traffic through specific interface

I have an interface defined in /etc/network/config like this:

config device
	option type 'bridge'
	list ports 'lan4'
	option name 'dedi-lan4'

config interface 'dlan'
	option device 'dedi-lan4'
	option metric '2000'
	option proto 'dhcp'

It is in the LAN zone of the firewall, and I'm able to ping the host I need to reach like this:

ping <host> -I dedi-lan4

If I add a static route, it works without the iface name as well. But the host has a domain name and the underlying IP keeps changing, so I need to make use of an IPSet, so I figured I could use mwan3.

My mwan3 rule looks like this:

config globals 'globals'
	option enabled '1'
	option mmx_mask '0x3F00'
	option logging '1'
	option loglevel 'debug'

config interface 'wan'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '1.1.1.1'
	list track_ip '1.0.0.1'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'

config interface 'wan6'
	option initial_state 'online'
	option family 'ipv6'
	list track_ip '2404:6800:4007:823::200e'
	list track_ip '2404:6800:4007:824::2003'
	list track_ip '2404:6800:4007:827::2003'
	list track_ip '2001:4860:4860::8844'
	list track_ip '2001:4860:4860::8888'
	list track_ip '2606:4700:4700::1111'
	list track_ip '2606:4700:4700::1001'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'
	option enabled '1'

config interface '4G'
	option enabled '1'
	option initial_state 'online'
	option family 'ipv4'
	list track_ip '1.1.1.1'
	list track_ip '1.0.0.1'
	list track_ip '8.8.8.8'
	list track_ip '8.8.4.4'
	option track_method 'ping'
	option reliability '1'
	option count '1'
	option size '56'
	option max_ttl '60'
	option timeout '4'
	option interval '10'
	option failure_interval '5'
	option recovery_interval '5'
	option down '5'
	option up '5'

config policy 'wan_lte'
	list use_member 'wan_m1_w1'
	list use_member 'wan6_m1_w1'
	list use_member '4G_m2_w2'
	option last_resort 'unreachable'

config member 'wan_m1_w1'
	option interface 'wan'
	option metric '1'
	option weight '1'

config member 'wan6_m1_w1'
	option interface 'wan6'
	option metric '1'
	option weight '1'

config member '4G_m2_w2'
	option interface '4G'
	option metric '2'
	option weight '2'

config interface 'dlan'
	option count '1'
	option down '5'
	option enabled '1'
	option failure_interval '5'
	option family 'ipv4'
	option initial_state 'online'
	option interval '10'
	option max_ttl '60'
	option recovery_interval '5'
	option reliability '1'
	option size '56'
	option timeout '4'
	option track_method 'ping'
	option up '5'

config member 'dlan_m3_w3'
	option metric '3'
	option weight '3'
	option interface 'dlan'

config policy 'toTrunk_po'
	option last_resort 'unreachable'
	list use_member 'dlan_m3_w3'

config rule 'toTrunk_rule'
	option proto 'all'
	option family 'ipv4'
	option use_policy 'toTrunk_po'
	option logging '1'
	option sticky '0'
	option src_ip '0.0.0.0/0'
	option ipset 'kbgtayhajxmbxwz'

config rule 'default_rule_v4'
	option proto 'all'
	option family 'ipv4'
	option use_policy 'wan_lte'
	option dest_ip '0.0.0.0/0'

The ipset is indeed being populated; I can see it in the output of the ipset -L command. But when I try to ping the interface (after adding the rules and restarting mwan3), I see this in the debug logs:

Tue Jun  6 15:25:58 2023 kern.debug kernel: [69533.624154] MWAN3(toTrunk_rule)IN= OUT=wwan0 SRC=10.85.59.104 DST=10.238.70.97 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=20536 DF PROTO=ICMP TYPE=8 CODE=0 ID=4812 SEQ=0

10.85.59.104 is my wwan0 IP, and wwan0 is my main WAN interface. Why is that? When I ping specifying the interface, the ping does indeed go through and mwan3 reports the right "OUT" interface:

Tue Jun  6 15:28:05 2023 kern.debug kernel: [69659.860054] MWAN3(toTrunk_rule)IN= OUT=dedi-lan4 SRC=10.57.9.215 DST=10.238.70.97 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=15657 DF PROTO=ICMP TYPE=8 CODE=0 ID=5459 SEQ=0

My goal is to have all requests (all protocols) to the IPSet kbgtayhajxmbxwz routed through the dedi-lan4 interface. Any pointers in the right direction would be appreciated.
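To make the mark-based mechanism behind this config easier to reason about, here is an added model (not code from the thread or from the mwan3 project) of how a packet moves through mwan3_hook: CONNMARK restore, the connected-networks set, the rules chain selecting a policy, the policy picking a member mark, and finally the `ip rule` list turning that mark into a routing table. It assumes a simplified member selection (lowest metric among online interfaces, weights ignored, wan/wan6 left out as the status output shows them offline or IPv6-only) and that an interface's table is empty when the interface is down, so a `lookup` on it falls through to the next rule; the ipset contents and the `10.238.66.0/24` rule variant are constructed to mirror what the thread shows.

```python
import ipaddress

# Values taken from the thread's mwan3 config and `ip -4 ru` output; the model itself is constructed.
MMX_MASK = 0x3F00          # option mmx_mask '0x3F00'
MARK_DEFAULT = 0x3F00      # set by mwan3_connected_ipv4/custom/dynamic: "leave it to the main table"
MARK_BLACKHOLE = 0x3D00    # ip rule 2061
MARK_UNREACHABLE = 0x3E00  # ip rule 2062

IFACE_MARK = {"4G": 0x300, "dlan": 0x400}        # per-interface marks from the iptables dump
IFACE_DEV = {"4G": "wwan0", "dlan": "dedi-lan4"}
TABLE_IFACE = {"3": "4G", "4": "dlan"}           # ip rules 1003/1004: table id -> interface

# `ip -4 ru` reduced to (priority, fwmark value under MMX_MASK or None, action)
IP_RULES = [
    (2003, 0x300, "lookup 3"), (2004, 0x400, "lookup 4"),
    (2061, MARK_BLACKHOLE, "blackhole"), (2062, MARK_UNREACHABLE, "unreachable"),
    (3003, 0x300, "unreachable"), (3004, 0x400, "unreachable"),
    (32766, None, "lookup main"),
]

# Policies as (interface, metric); assumption: weights ignored, wan/wan6 omitted (offline / IPv6-only)
POLICIES = {
    "wan_lte": {"members": [("wan", 1), ("4G", 2)], "last_resort": "unreachable"},
    "toTrunk_po": {"members": [("dlan", 3)], "last_resort": "unreachable"},
}
LAST_RESORT_MARK = {"unreachable": MARK_UNREACHABLE, "blackhole": MARK_BLACKHOLE,
                    "default": MARK_DEFAULT}


def policy_mark(policy, online):
    """mwan3_policy_<name>: lowest-metric online member wins, otherwise last_resort applies."""
    spec = POLICIES[policy]
    live = [(metric, iface) for iface, metric in spec["members"] if iface in online]
    if live:
        return IFACE_MARK[min(live)[1]]
    return LAST_RESORT_MARK[spec["last_resort"]]


def rules_mark(dst, rules, ipsets, online):
    """mwan3_rules: the first rule whose dest_ip/ipset conditions all hold selects the policy."""
    for rule in rules:
        if "dest_ip" in rule and dst not in ipaddress.ip_network(rule["dest_ip"]):
            continue
        if "ipset" in rule and dst not in ipsets.get(rule["ipset"], set()):
            continue
        return policy_mark(rule["use_policy"], online)
    return 0  # nothing matched: the packet leaves mwan3_hook unmarked


def mwan3_decide(dst, rules, ipsets, online, connected=(), connmark=0):
    """Return (mark, outcome) for one packet, following the mwan3_hook chain order.

    rules:     list of dicts with optional 'dest_ip' (CIDR), optional 'ipset', and 'use_policy'
    ipsets:    {name: set of ipaddress objects}
    online:    set of mwan3 interfaces that are up (their tables 3/4 are populated)
    connected: directly connected networks (what mwan3_connected_ipv4 matches)
    connmark:  mark already saved on the connection by CONNMARK --save-mark
    """
    dst = ipaddress.ip_address(dst)
    if connmark & MMX_MASK:                               # CONNMARK --restore-mark keeps a flow sticky
        mark = connmark & MMX_MASK
    elif any(dst in ipaddress.ip_network(n) for n in connected):
        mark = MARK_DEFAULT                               # mwan3_connected_ipv4 -> 0x3f00/0x3f00
    else:
        mark = rules_mark(dst, rules, ipsets, online)
    for _prio, fwmark, action in IP_RULES:                # policy routing: first matching rule wins
        if fwmark is not None and (mark & MMX_MASK) != fwmark:
            continue
        if action == "lookup main":
            return mark, "main table"
        if action.startswith("lookup "):
            table = action.split()[1]
            if TABLE_IFACE[table] in online:              # assumption: a down interface has an empty table
                return mark, f"table {table} via {IFACE_DEV[TABLE_IFACE[table]]}"
            continue                                      # empty table: fall through to the next rule
        return mark, action                               # blackhole / unreachable


# Constructed sample data mirroring the thread's rule set
IPSETS = {"kbgtayhajxmbxwz": {ipaddress.ip_address("10.238.70.201")}}
RULES_IPSET = [
    {"ipset": "kbgtayhajxmbxwz", "use_policy": "toTrunk_po"},   # toTrunk_rule
    {"dest_ip": "0.0.0.0/0", "use_policy": "wan_lte"},          # default_rule_v4
]
RULES_BAD_MASK = [
    {"dest_ip": "10.238.66.0/24", "use_policy": "toTrunk_po"},  # the /24 seen in the nft listing
    {"dest_ip": "0.0.0.0/0", "use_policy": "wan_lte"},
]
ONLINE = {"4G", "dlan"}

if __name__ == "__main__":
    for label, rules, online in [("ipset rule", RULES_IPSET, ONLINE),
                                 ("/24 rule", RULES_BAD_MASK, ONLINE),
                                 ("ipset rule, dlan down", RULES_IPSET, {"4G"})]:
        mark, outcome = mwan3_decide("10.238.70.201", rules, IPSETS, online)
        print(f"{label:24s} mark=0x{mark:04x} -> {outcome}")
```

Running it shows the three outcomes side by side: the ipset rule marks 0x400 and lands in table 4 via dedi-lan4, a /24 that does not contain the destination falls through to wan_lte and table 3 via wwan0, and with dlan down the policy's last_resort yields 0x3e00, which rule 2062 turns into unreachable.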

There were some issues with ipset identified.

Unfortunately even without the ipset I'm unable to send the traffic through the interface I need:

Wed Jun  7 01:53:57 2023 kern.debug kernel: [107172.492587] MWAN3(toVPN_rule)IN= OUT=wwan0 SRC=10.15.53.11 DST=10.238.70.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=58170 DF PROTO=ICMP TYPE=8 CODE=0 ID=10779 SEQ=3
Wed Jun  7 01:53:59 2023 kern.debug kernel: [107174.359021] MWAN3(toVPN_rule)IN= OUT=wwan0 SRC=10.15.53.11 DST=10.238.70.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=58175 DF PROTO=ICMP TYPE=8 CODE=0 ID=11382 SEQ=0
Wed Jun  7 01:54:03 2023 kern.debug kernel: [107177.823425] MWAN3(toVPN_rule)IN= OUT=wwan0 SRC=10.15.53.11 DST=10.238.70.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=58348 DF PROTO=ICMP TYPE=8 CODE=0 ID=11549 SEQ=0
Wed Jun  7 01:54:30 2023 kern.debug kernel: [107205.424779] MWAN3(toVPN_rule)IN= OUT=dedi-lan4 SRC=10.57.9.215 DST=10.238.70.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55820 DF PROTO=ICMP TYPE=8 CODE=0 ID=11802 SEQ=0
Wed Jun  7 01:54:33 2023 kern.debug kernel: [107208.479528] MWAN3(toVPN_rule)IN= OUT=wwan0 SRC=10.15.53.11 DST=10.238.70.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=59773 DF PROTO=ICMP TYPE=8 CODE=0 ID=11803 SEQ=0

The

Wed Jun  7 01:54:30 2023 kern.debug kernel: [107205.424779] MWAN3(toVPN_rule)IN= OUT=dedi-lan4 SRC=10.57.9.215 DST=10.238.70.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55820 DF PROTO=ICMP TYPE=8 CODE=0 ID=11802 SEQ=0

in the middle is me sending the ping by manually specifying the interface with -I

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
mwan3 status; \
iptables-save -c; nft list ruleset; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.15.114",
	"hostname": "owrtbox",
	"system": "ARMv8 Processor rev 4",
	"model": "Banana Pi R3",
	"board_name": "bananapi,bpi-r3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r0+23363-ff644faf3b",
		"target": "mediatek/filogic",
		"description": "OpenWrt 22.03.5 r0+23363-ff644faf3b"
	}
}
Interface status:
 interface wan is offline and tracking is paused
 interface wan6 is offline and tracking is paused
 interface 4G is online 00h:00m:38s, uptime 21h:20m:04s and tracking is active
 interface dlan is online 00h:00m:00s, uptime 00h:00m:34s and tracking is not enabled

Current ipv4 policies:
toTrunk_po:
 dlan (100%)
wan_lte:
 4G (100%)

Current ipv6 policies:
toTrunk_po:
 unreachable
wan_lte:
 unreachable

Directly connected ipv4 networks:
213.42.21.132
192.168.0.1
127.255.255.255
172.19.210.0/24
10.15.53.11
172.19.210.5
10.15.53.15
192.168.0.255
192.168.0.0/24
127.0.0.1
10.15.53.8/29
10.57.127.255
127.0.0.0/8
224.0.0.0/3
10.57.0.0/17
10.57.9.215

Directly connected ipv6 networks:
fe80::/64
fd76:3451:5375::/64
<public-ipv6-redacted>
<public-ipv6-redacted>
<public-ipv6-redacted>
<public-ipv6-redacted>

Active ipv4 user rules:
    6   504 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/24           
    6   504 - toTrunk_po  all  --  *      *       0.0.0.0/0            0.0.0.0/24           
   92  7430 - wan_lte  all  --  *      *       0.0.0.0/0            0.0.0.0/0            

Active ipv6 user rules:

# Generated by iptables-save v1.8.8 (nf_tables) on Wed Jun  7 14:05:09 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:mwan3_connected_ipv4 - [0:0]
:mwan3_custom_ipv4 - [0:0]
:mwan3_dynamic_ipv4 - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_4G - [0:0]
:mwan3_iface_in_dlan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_toTrunk_po - [0:0]
:mwan3_policy_wan_lte - [0:0]
:mwan3_rules - [0:0]
[1114:442088] -A PREROUTING -j mwan3_hook
[1188:456199] -A OUTPUT -j mwan3_hook
[427:68500] -A mwan3_connected_ipv4 -m set --match-set mwan3_connected_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_custom_ipv4 -m set --match-set mwan3_custom_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_dynamic_ipv4 -m set --match-set mwan3_dynamic_ipv4 dst -j MARK --set-xmark 0x3f00/0x3f00
[1582:524839] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[176:16998] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[176:16998] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_custom_ipv4
[176:16998] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected_ipv4
[125:13212] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_dynamic_ipv4
[125:13212] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[2302:898287] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[850:150383] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_custom_ipv4
[850:150383] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected_ipv4
[474:85669] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_dynamic_ipv4
[0:0] -A mwan3_iface_in_4G -i wwan0 -m set --match-set mwan3_custom_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_iface_in_4G -i wwan0 -m set --match-set mwan3_connected_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_iface_in_4G -i wwan0 -m set --match-set mwan3_dynamic_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_iface_in_4G -i wwan0 -m mark --mark 0x0/0x3f00 -m comment --comment 4G -j MARK --set-xmark 0x300/0x3f00
[0:0] -A mwan3_iface_in_dlan -i dedi-lan4 -m set --match-set mwan3_custom_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_iface_in_dlan -i dedi-lan4 -m set --match-set mwan3_connected_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_iface_in_dlan -i dedi-lan4 -m set --match-set mwan3_dynamic_ipv4 src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[0:0] -A mwan3_iface_in_dlan -i dedi-lan4 -m mark --mark 0x0/0x3f00 -m comment --comment dlan -j MARK --set-xmark 0x400/0x3f00
[176:16998] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_4G
[89:6482] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_dlan
[3:252] -A mwan3_policy_toTrunk_po -m mark --mark 0x0/0x3f00 -m comment --comment "dlan 3 3" -j MARK --set-xmark 0x400/0x3f00
[47:3430] -A mwan3_policy_wan_lte -m mark --mark 0x0/0x3f00 -m comment --comment "4G 2 2" -j MARK --set-xmark 0x300/0x3f00
[6:504] -A mwan3_rules -d 0.0.0.0/24 -m mark --mark 0x0/0x3f00 -m comment --comment toTrunk_rule -j LOG --log-prefix "MWAN3(toTrunk_rule)" --log-level 7
[6:504] -A mwan3_rules -d 0.0.0.0/24 -m mark --mark 0x0/0x3f00 -j mwan3_policy_toTrunk_po
[92:7430] -A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_wan_lte
COMMIT
# Completed on Wed Jun  7 14:05:09 2023
# Warning: table ip mangle is managed by iptables-nft, do not touch!
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
		counter packets 1114 bytes 442088 jump mwan3_hook
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
		counter packets 1188 bytes 456199 jump mwan3_hook
	}

	chain mwan3_ifaces_in {
		meta mark & 0x00003f00 == 0x00000000 counter packets 176 bytes 16998 jump mwan3_iface_in_4G
		meta mark & 0x00003f00 == 0x00000000 counter packets 89 bytes 6482 jump mwan3_iface_in_dlan
	}

	chain mwan3_custom_ipv4 {
		xt match "set" counter packets 0 bytes 0 xt target "MARK"
	}

	chain mwan3_connected_ipv4 {
		xt match "set" counter packets 427 bytes 68500 xt target "MARK"
	}

	chain mwan3_dynamic_ipv4 {
		xt match "set" counter packets 0 bytes 0 xt target "MARK"
	}

	chain mwan3_rules {
		ip daddr 10.238.66.0/24 meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 6 bytes 504 xt target "LOG"
		ip daddr 10.238.66.0/24 meta mark & 0x00003f00 == 0x00000000 counter packets 6 bytes 504 jump mwan3_policy_toTrunk_po
		meta mark & 0x00003f00 == 0x00000000 counter packets 92 bytes 7430 jump mwan3_policy_wan_lte
	}

	chain mwan3_hook {
		meta mark & 0x00003f00 == 0x00000000 counter packets 1582 bytes 524839 xt target "CONNMARK"
		meta mark & 0x00003f00 == 0x00000000 counter packets 176 bytes 16998 jump mwan3_ifaces_in
		meta mark & 0x00003f00 == 0x00000000 counter packets 176 bytes 16998 jump mwan3_custom_ipv4
		meta mark & 0x00003f00 == 0x00000000 counter packets 176 bytes 16998 jump mwan3_connected_ipv4
		meta mark & 0x00003f00 == 0x00000000 counter packets 125 bytes 13212 jump mwan3_dynamic_ipv4
		meta mark & 0x00003f00 == 0x00000000 counter packets 125 bytes 13212 jump mwan3_rules
		counter packets 2302 bytes 898287 xt target "CONNMARK"
		meta mark & 0x00003f00 != 0x00003f00 counter packets 850 bytes 150383 jump mwan3_custom_ipv4
		meta mark & 0x00003f00 != 0x00003f00 counter packets 850 bytes 150383 jump mwan3_connected_ipv4
		meta mark & 0x00003f00 != 0x00003f00 counter packets 474 bytes 85669 jump mwan3_dynamic_ipv4
	}

	chain mwan3_iface_in_4G {
		iifname "wwan0" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
		iifname "wwan0" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
		iifname "wwan0" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
		iifname "wwan0" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
	}

	chain mwan3_policy_wan_lte {
		meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 47 bytes 3430 xt target "MARK"
	}

	chain mwan3_policy_toTrunk_po {
		meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 3 bytes 252 xt target "MARK"
	}

	chain mwan3_iface_in_dlan {
		iifname "dedi-lan4" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
		iifname "dedi-lan4" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
		iifname "dedi-lan4" xt match "set" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
		iifname "dedi-lan4" meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
	}
}
# Warning: table ip6 mangle is managed by iptables-nft, do not touch!
table ip6 mangle {
	chain PREROUTING {
		type filter hook prerouting priority mangle; policy accept;
		counter packets 387 bytes 38575 jump mwan3_hook
	}

	chain OUTPUT {
		type route hook output priority mangle; policy accept;
		counter packets 337 bytes 64072 jump mwan3_hook
	}

	chain mwan3_ifaces_in {
	}

	chain mwan3_custom_ipv6 {
		xt match "set" counter packets 0 bytes 0 xt target "MARK"
	}

	chain mwan3_connected_ipv6 {
		xt match "set" counter packets 26 bytes 3554 xt target "MARK"
	}

	chain mwan3_dynamic_ipv6 {
		xt match "set" counter packets 0 bytes 0 xt target "MARK"
	}

	chain mwan3_rules {
	}

	chain mwan3_hook {
		meta l4proto ipv6-icmp xt match "icmp6" counter packets 0 bytes 0 return
		meta l4proto ipv6-icmp xt match "icmp6" counter packets 1 bytes 192 return
		meta l4proto ipv6-icmp xt match "icmp6" counter packets 1 bytes 72 return
		meta l4proto ipv6-icmp xt match "icmp6" counter packets 0 bytes 0 return
		meta l4proto ipv6-icmp xt match "icmp6" counter packets 0 bytes 0 return
		meta mark & 0x00003f00 == 0x00000000 counter packets 722 bytes 102383 xt target "CONNMARK"
		meta mark & 0x00003f00 == 0x00000000 counter packets 60 bytes 6866 jump mwan3_ifaces_in
		meta mark & 0x00003f00 == 0x00000000 counter packets 60 bytes 6866 jump mwan3_custom_ipv6
		meta mark & 0x00003f00 == 0x00000000 counter packets 60 bytes 6866 jump mwan3_connected_ipv6
		meta mark & 0x00003f00 == 0x00000000 counter packets 34 bytes 3312 jump mwan3_dynamic_ipv6
		meta mark & 0x00003f00 == 0x00000000 counter packets 34 bytes 3312 jump mwan3_rules
		counter packets 722 bytes 102383 xt target "CONNMARK"
		meta mark & 0x00003f00 != 0x00003f00 counter packets 34 bytes 3312 jump mwan3_custom_ipv6
		meta mark & 0x00003f00 != 0x00003f00 counter packets 34 bytes 3312 jump mwan3_connected_ipv6
		meta mark & 0x00003f00 != 0x00003f00 counter packets 34 bytes 3312 jump mwan3_dynamic_ipv6
	}

	chain mwan3_policy_wan_lte {
		meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
	}

	chain mwan3_policy_toTrunk_po {
		meta mark & 0x00003f00 == 0x00000000 xt match "comment" counter packets 0 bytes 0 xt target "MARK"
	}
}
table inet fw4 {
	ct helper amanda {
		type "amanda" protocol udp
		l3proto inet
	}

	ct helper ftp {
		type "ftp" protocol tcp
		l3proto inet
	}

	ct helper RAS {
		type "RAS" protocol udp
		l3proto inet
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp
		l3proto inet
	}

	ct helper irc {
		type "irc" protocol tcp
		l3proto ip
	}

	ct helper pptp {
		type "pptp" protocol tcp
		l3proto ip
	}

	ct helper sip {
		type "sip" protocol udp
		l3proto inet
	}

	ct helper snmp {
		type "snmp" protocol udp
		l3proto ip
	}

	ct helper tftp {
		type "tftp" protocol udp
		l3proto inet
	}

	set f2bset-v4 {
		type ipv4_addr
	}

	set f2bset-v6 {
		type ipv6_addr
	}

	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname { "br-lan", "dedi-lan4" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "wwan0", "br-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "wgc_gardens" jump input_WG_gardens comment "!fw4: Handle WG_gardens IPv4/IPv6 input traffic"
		jump handle_reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname { "br-lan", "dedi-lan4" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "wwan0", "br-wan" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "wgc_gardens" jump forward_WG_gardens comment "!fw4: Handle WG_gardens IPv4/IPv6 forward traffic"
		jump upnp_forward comment "Hook into miniupnpd forwarding chain"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname { "br-lan", "dedi-lan4" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "wwan0", "br-wan" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "wgc_gardens" jump output_WG_gardens comment "!fw4: Handle WG_gardens IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname { "br-lan", "dedi-lan4" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		tcp dport 853 counter packets 0 bytes 0 jump handle_reject comment "!fw4: ubus:https-dns-proxy[instance1] rule 1"
		udp dport 853 counter packets 0 bytes 0 jump handle_reject comment "!fw4: ubus:https-dns-proxy[instance1] rule 1"
		counter packets 0 bytes 0 jump accept_to_WG_gardens comment "!fw4: LAN-WG_gardens^^$$as"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump accept_to_lan
	}

	chain helper_lan {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_from_lan {
		iifname { "br-lan", "dedi-lan4" } counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname { "br-lan", "dedi-lan4" } counter packets 13 bytes 1200 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		ip saddr @f2bset-v4 counter packets 0 bytes 0 jump handle_reject comment "!fw4: fail2ban-v4"
		ip6 saddr @f2bset-v6 counter packets 0 bytes 0 jump handle_reject comment "!fw4: fail2ban-v6"
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		ip6 saddr <my-ipv6-redacted> counter packets 0 bytes 0 accept comment "!fw4: Allow-Test^^$$ums"
		tcp dport { 5060, 6068-6069, 20000-30000 } counter packets 0 bytes 0 accept comment "!fw4: Allow-SIP^^$$ums"
		udp dport { 5060, 6068-6069, 20000-30000 } counter packets 0 bytes 0 accept comment "!fw4: Allow-SIP^^$$ums"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		counter packets 0 bytes 0 jump accept_to_WG_gardens comment "!fw4: WAN-WG_gardens^^$$as"
		jump reject_to_wan
	}

	chain accept_to_wan {
		meta nfproto ipv4 oifname { "wwan0", "br-wan" } ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
		oifname { "wwan0", "br-wan" } counter packets 87 bytes 8918 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname { "wwan0", "br-wan" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "wwan0", "br-wan" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname { "br-lan", "dedi-lan4" } jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
		jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "wwan0", "br-wan" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "wgc_gardens" jump srcnat_WG_gardens comment "!fw4: Handle WG_gardens IPv4/IPv6 srcnat traffic"
		jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
	}

	chain dstnat_lan {
		tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
		udp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: ubus:https-dns-proxy[instance1] redirect 0"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname { "wwan0", "br-wan" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname { "wwan0", "br-wan" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
	}

	chain upnp_forward {
	}

	chain upnp_prerouting {
	}

	chain upnp_postrouting {
	}

	chain input_WG_gardens {
		jump accept_from_WG_gardens
	}

	chain output_WG_gardens {
		jump accept_to_WG_gardens
	}

	chain forward_WG_gardens {
		counter packets 0 bytes 0 jump accept_to_wan comment "!fw4: WG_gardens-WAN^^$$as"
		counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: WG_gardens-LAN^^$$as"
		jump accept_to_WG_gardens
	}

	chain accept_from_WG_gardens {
		iifname "wgc_gardens" counter packets 0 bytes 0 accept comment "!fw4: accept WG_gardens IPv4/IPv6 traffic"
	}

	chain accept_to_WG_gardens {
		oifname "wgc_gardens" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
		oifname "wgc_gardens" counter packets 0 bytes 0 accept comment "!fw4: accept WG_gardens IPv4/IPv6 traffic"
	}

	chain srcnat_WG_gardens {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 WG_gardens traffic"
		meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 WG_gardens traffic"
	}
}
table bridge difuse-nft-qos {
	chain download {
		type filter hook postrouting priority 0; policy accept;
	}

	chain upload {
		type filter hook prerouting priority 0; policy accept;
	}
}
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
54: wwan0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    inet 10.15.53.11/29 brd 10.15.53.15 scope global wwan0
       valid_lft forever preferred_lft forever
71: wgc_gardens: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 172.19.210.5/32 brd 255.255.255.255 scope global wgc_gardens
       valid_lft forever preferred_lft forever
73: dedi-lan4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.57.9.215/17 brd 10.57.127.255 scope global dedi-lan4
       valid_lft forever preferred_lft forever
default via 10.15.53.12 dev wwan0 table 3 proto static src 10.15.53.11 metric 1500 
10.15.53.8/29 dev wwan0 table 3 proto static scope link metric 1500 
172.19.210.0/24 dev wgc_gardens table 3 proto static scope link metric 30 
172.19.210.5 dev wgc_gardens table 3 proto static scope link metric 30 
192.168.0.0/24 dev br-lan table 3 proto kernel scope link src 192.168.0.1 
default via 10.57.0.1 dev dedi-lan4 table 4 proto static src 10.57.9.215 metric 2000 
10.57.0.0/17 dev dedi-lan4 table 4 proto static scope link metric 2000 
172.19.210.0/24 dev wgc_gardens table 4 proto static scope link metric 30 
172.19.210.5 dev wgc_gardens table 4 proto static scope link metric 30 
192.168.0.0/24 dev br-lan table 4 proto kernel scope link src 192.168.0.1 
213.42.21.132 via 10.57.0.1 dev dedi-lan4 table 4 proto static src 10.57.9.215 metric 2000 
default via 10.15.53.12 dev wwan0 proto static src 10.15.53.11 metric 1500 
default via 10.57.0.1 dev dedi-lan4 proto static src 10.57.9.215 metric 2000 
10.15.53.8/29 dev wwan0 proto static scope link metric 1500 
10.57.0.0/17 dev dedi-lan4 proto static scope link metric 2000 
172.19.210.0/24 dev wgc_gardens proto static scope link metric 30 
172.19.210.5 dev wgc_gardens proto static scope link metric 30 
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1 
213.42.21.132 via 10.57.0.1 dev dedi-lan4 proto static src 10.57.9.215 metric 2000 
local 10.15.53.11 dev wwan0 table local proto kernel scope host src 10.15.53.11 
broadcast 10.15.53.15 dev wwan0 table local proto kernel scope link src 10.15.53.11 
local 10.57.9.215 dev dedi-lan4 table local proto kernel scope host src 10.57.9.215 
broadcast 10.57.127.255 dev dedi-lan4 table local proto kernel scope link src 10.57.9.215 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.19.210.5 dev wgc_gardens table local proto kernel scope host src 172.19.210.5 
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1 
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1 
0:	from all lookup local
220:	from all lookup 220
1003:	from all iif wwan0 lookup 3
1004:	from all iif dedi-lan4 lookup 4
2003:	from all fwmark 0x300/0x3f00 lookup 3
2004:	from all fwmark 0x400/0x3f00 lookup 4
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3003:	from all fwmark 0x300/0x3f00 unreachable
3004:	from all fwmark 0x400/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default

Here you go

This one doesn't fit anywhere. Maybe some leftover from other experiment.

The subnet mask is wrong, post again the whole uci export mwan3

    220: from all lookup 220

That is coming from a strongswan instance

I've removed mwan3 since it was causing a lot of issues and started policy routing with vanilla netifd, firewall marks and IPSet, this guide helped a bunch.
