Using UCI to configure firewall

Hi, as a workaround I need to push UCI commands instead of iptables; they don't work properly in the firmware of Teltonika's RUT9xx series. I never really worked with them, and my non-working command string currently looks like this. RUT OS is based on OpenWrt.

It will be fixed in a firmware update but I need to deploy earlier.

uci add firewall rule
uci set firewall.@rule[18].rule.enabled='1'
uci set firewall.@rule[18].src='hotspot'
uci set firewall.@rule[18].target='ACCEPT'
uci set firewall.@rule[18].proto='tcp'
uci set firewall.@rule[18].source_port='8080'
uci set firewall.@rule[18].dest_port='8080'
uci set firewall.@rule[18].E_HTTPS_W_P.dest_ip='10.0.0.101'
uci set firewall.@rule[18].rule.enabled='1'
uci commit firewall

uci commit firewall
/etc/init.d/firewall restart

I am assuming people understand my command set, but I want to go to the router via VPN; tun0 is apparently dedicated to the hotspot. If I would use a roadwarrior and go to 10.8.0.4:8080 in a browser (the IP in the router) over TCP, it would forward me to 10.0.0.101:8080. This doesn't work though, what am I doing wrong?

Here is a more verbose output of an earlier failed attempt. http://paste.debian.net/1134140/

Are you sure you need this?

I hope it is a typo.

Then you need a redirect, not a rule.


I am a bit unsure how UCI works; it seems I do need a redirect. How do I do this in the given scenario? Before this I always used iptables, and we have an iptables rule now enabling access from tun0:

iptables -A INPUT -i tun0 -j ACCEPT

We tried some things with IPtables but that failed.

Something like this:

# Append a new anonymous redirect section; [-1] refers to the section just added
uci add firewall redirect
uci add_list firewall.@redirect[-1].proto='tcp'
uci set firewall.@redirect[-1].src_dport='8080'
uci set firewall.@redirect[-1].dest_ip='10.0.0.101'
uci set firewall.@redirect[-1].dest_port='8080'
uci set firewall.@redirect[-1].src='hotspot'
uci set firewall.@redirect[-1].name='test'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].reflection='0'
uci set firewall.@redirect[-1].target='DNAT'
# Write the staged changes to /etc/config/firewall and apply them
uci commit firewall
/etc/init.d/firewall restart

This will accept input from tun0, but it is better to assign tun0 interface to a zone.

I have an assumption I want to be sure of, [-1] means the last rule?

Correct, it is better to assign it like this rather than with absolute numbers.


I added the rules. I tried this from the LAN as well as the VPN (both different machines), but sadly it didn't work, not even after restarting the firewall or a reboot.

Here is my full firewall configuration.

root@Teltonika-RUT955:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='ppp wan2 wan'
firewall.vpn_zone=zone
firewall.vpn_zone.name='vpn'
firewall.vpn_zone.input='ACCEPT'
firewall.vpn_zone.output='ACCEPT'
firewall.vpn_zone.forward='REJECT'
firewall.vpn_zone.masq='1'
firewall.vpn_zone.network='vpn'
firewall.vpn_zone.device='tun_+'
firewall.l2tp_zone=zone
firewall.l2tp_zone.name='l2tp'
firewall.l2tp_zone.input='ACCEPT'
firewall.l2tp_zone.output='ACCEPT'
firewall.l2tp_zone.forward='REJECT'
firewall.l2tp_zone.masq='1'
firewall.l2tp_zone.network='l2tp'
firewall.l2tp_zone.device='l2tp+ xl2tp+'
firewall.pptp_zone=zone
firewall.pptp_zone.name='pptp'
firewall.pptp_zone.input='ACCEPT'
firewall.pptp_zone.output='ACCEPT'
firewall.pptp_zone.forward='REJECT'
firewall.pptp_zone.masq='1'
firewall.pptp_zone.network='pptp'
firewall.pptp_zone.device='pptp+'
firewall.gre_zone=zone
firewall.gre_zone.name='gre'
firewall.gre_zone.input='ACCEPT'
firewall.gre_zone.output='ACCEPT'
firewall.gre_zone.forward='REJECT'
firewall.gre_zone.masq='1'
firewall.gre_zone.device='gre+'
firewall.gre_zone.network='gre'
firewall.hotspot=zone
firewall.hotspot.name='hotspot'
firewall.hotspot.input='REJECT'
firewall.hotspot.output='ACCEPT'
firewall.hotspot.forward='REJECT'
firewall.hotspot.device='tun0 tun1 tun2 tun3'
firewall.hotspot.network='hotspot'
firewall.sstp=zone
firewall.sstp.name='sstp'
firewall.sstp.input='REJECT'
firewall.sstp.output='ACCEPT'
firewall.sstp.forward='REJECT'
firewall.sstp.device='sstp-+'
firewall.sstp.masq='1'
firewall.sstp.network='sstp'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Relay'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='67'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].enabled='0'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-DHCP-Renew'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='68'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].family='ipv4'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-Ping'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='icmp'
firewall.@rule[2].icmp_type='echo-request'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-vpn-traffic'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].src='wan'
firewall.@rule[3].family='ipv4'
firewall.@rule[3].dest_port='1194'
firewall.@rule[3].proto='tcp udp'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='vpn'
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='l2tp'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='pptp'
firewall.@forwarding[2].dest='lan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='gre'
firewall.@forwarding[3].dest='lan'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='wan'
firewall.@forwarding[4].src='hotspot'
firewall.custom=include
firewall.custom.path='/etc/firewall.user'
firewall.custom.enabled='1'
firewall.custom.reload='1'
firewall.@include[1]=include
firewall.@include[1].path='/tmp/privoxy/firewall'
firewall.@include[1].enabled='1'
firewall.@include[1].reload='1'
firewall.@include[2]=include
firewall.@include[2].enabled='1'
firewall.@include[2].reload='1'
firewall.@include[2].path='/etc/logtrigger/fwblock_wrapper.sh'
firewall.@include[3]=include
firewall.@include[3].path='/etc/add-firewall-rule.sh'
firewall.@include[4]=include
firewall.@include[4].path='/etc/add-rs-rule.sh'
firewall.@include[4].reload='1'
firewall.@include[5]=include
firewall.@include[5].path='/etc/add-port-rule.sh'
firewall.@include[5].reload='1'
firewall.pbridge=include
firewall.pbridge.enabled='0'
firewall.pbridge.reload='1'
firewall.pbridge.path='/tmp/tmp_file/pbridge_firewall.sh'
firewall.ipsec=include
firewall.ipsec.reload='1'
firewall.ipsec.path='/tmp/ipsec/firewall.sh'
firewall.ipsec.enabled='1'
firewall.Hotspot_input=rule
firewall.Hotspot_input.enabled='0'
firewall.Hotspot_input.target='ACCEPT'
firewall.Hotspot_input.name='Hotspot_input'
firewall.Hotspot_input.src='hotspot'
firewall.Hotspot_input.dest_port='53 67-68 444 81 1812 1813 3991 3990'
firewall.@rule[5]=rule
firewall.@rule[5].dest_port='22'
firewall.@rule[5].proto='tcp udp'
firewall.@rule[5].name='Enable_SSH_WAN'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].src='wan'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].dest_port='4200-4220'
firewall.@rule[6].proto='tcp udp'
firewall.@rule[6].name='Enable_CLI_WAN'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].src='wan'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].dest_port='80'
firewall.@rule[7].proto='tcp udp'
firewall.@rule[7].name='Enable_HTTP_WAN'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].src='wan'
firewall.@rule[7].enabled='0'
firewall.@rule[8]=rule
firewall.@rule[8].dest_port='443'
firewall.@rule[8].proto='tcp udp'
firewall.@rule[8].name='Enable_HTTPS_WAN'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].src='wan'
firewall.@rule[8].enabled='0'
firewall.@rule[9]=rule
firewall.@rule[9].name='Block_DNS_forwarding'
firewall.@rule[9].src='*'
firewall.@rule[9].dest='wan'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='53'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='1812 1813'
firewall.@rule[10].proto='tcp udp'
firewall.@rule[10].name='Enable_Radius_WAN'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].enabled='0'
firewall.@rule[11]=rule
firewall.@rule[11].name='Allow-DHCPv6'
firewall.@rule[11].src='wan'
firewall.@rule[11].proto='udp'
firewall.@rule[11].src_ip='fe80::/10'
firewall.@rule[11].src_port='547'
firewall.@rule[11].dest_ip='fe80::/10'
firewall.@rule[11].dest_port='546'
firewall.@rule[11].family='ipv6'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[12]=rule
firewall.@rule[12].name='Allow-ICMPv6-Input'
firewall.@rule[12].src='wan'
firewall.@rule[12].proto='icmp'
firewall.@rule[12].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[12].limit='1000/sec'
firewall.@rule[12].family='ipv6'
firewall.@rule[12].target='ACCEPT'
firewall.@rule[13]=rule
firewall.@rule[13].name='Allow-ICMPv6-Forward'
firewall.@rule[13].src='wan'
firewall.@rule[13].dest='*'
firewall.@rule[13].proto='icmp'
firewall.@rule[13].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[13].limit='1000/sec'
firewall.@rule[13].family='ipv6'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[14]=rule
firewall.@rule[14].name='Allow-l2tpd-on-1701'
firewall.@rule[14]._name='l2tpd'
firewall.@rule[14].target='ACCEPT'
firewall.@rule[14].proto='udp'
firewall.@rule[14].dest_port='1701'
firewall.@rule[14].family='ipv4'
firewall.@rule[14].src='wan'
firewall.@rule[14].enabled='0'
firewall.@rule[15]=rule
firewall.@rule[15].name='Allow-pptpd-on-1723'
firewall.@rule[15]._name='pptpd'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].proto='tcp'
firewall.@rule[15].dest_port='1723'
firewall.@rule[15].family='ipv4'
firewall.@rule[15].src='wan'
firewall.@rule[15].enabled='0'
firewall.@rule[16]=rule
firewall.@rule[16].name='Allow-pptpd-gre-output-connections'
firewall.@rule[16]._name='pptpd'
firewall.@rule[16].dest='wan'
firewall.@rule[16].target='ACCEPT'
firewall.@rule[16].enabled='0'
firewall.@rule[16].proto='gre'
firewall.@rule[16].family='ipv4'
firewall.@rule[17]=rule
firewall.@rule[17].name='Allow-pptpd-gre-input-connections'
firewall.@rule[17]._name='pptpd'
firewall.@rule[17].src='wan'
firewall.@rule[17].target='ACCEPT'
firewall.@rule[17].enabled='0'
firewall.@rule[17].proto='gre'
firewall.@rule[17].family='ipv4'
firewall.TR069=rule
firewall.TR069.target='ACCEPT'
firewall.TR069.src='wan'
firewall.TR069.proto='tcp'
firewall.TR069.dest_port='7547'
firewall.TR069.name='Allow_TR069_server_request'
firewall.TR069.enabled='0'
firewall.IPsecESP=rule
firewall.IPsecESP.enabled='0'
firewall.IPsecESP.src='wan'
firewall.IPsecESP.name='Allow-IPsec-ESP'
firewall.IPsecESP.target='ACCEPT'
firewall.IPsecESP.proto='esp'
firewall.IPsecNAT=rule
firewall.IPsecNAT.dest_port='4500'
firewall.IPsecNAT.src='wan'
firewall.IPsecNAT.name='Allow-IPsec-NAT-T'
firewall.IPsecNAT.target='ACCEPT'
firewall.IPsecNAT.enabled='0'
firewall.IPsecNAT.proto='udp'
firewall.IPsecIKE=rule
firewall.IPsecIKE.dest_port='500'
firewall.IPsecIKE.src='wan'
firewall.IPsecIKE.name='Allow-IPsec-IKE'
firewall.IPsecIKE.target='ACCEPT'
firewall.IPsecIKE.enabled='0'
firewall.IPsecIKE.proto='udp'
firewall.E_SSH_W_P=redirect
firewall.E_SSH_W_P.enabled='0'
firewall.E_SSH_W_P.target='DNAT'
firewall.E_SSH_W_P.src='wan'
firewall.E_SSH_W_P.dest='lan'
firewall.E_SSH_W_P.proto='tcp'
firewall.E_SSH_W_P.name='Enable_SSH_WAN_PASSTHROUGH'
firewall.E_SSH_W_P.dest_ip='127.0.0.1'
firewall.E_SSH_W_P.reflection='0'
firewall.E_SSH_W_P.src_dport='22'
firewall.E_HTTP_W_P=redirect
firewall.E_HTTP_W_P.enabled='0'
firewall.E_HTTP_W_P.target='DNAT'
firewall.E_HTTP_W_P.src='wan'
firewall.E_HTTP_W_P.dest='lan'
firewall.E_HTTP_W_P.proto='tcp'
firewall.E_HTTP_W_P.name='Enable_HTTP_WAN_PASSTHROUGH'
firewall.E_HTTP_W_P.dest_ip='127.0.0.1'
firewall.E_HTTP_W_P.reflection='0'
firewall.E_HTTP_W_P.src_dport='80'
firewall.E_HTTPS_W_P=redirect
firewall.E_HTTPS_W_P.enabled='0'
firewall.E_HTTPS_W_P.target='DNAT'
firewall.E_HTTPS_W_P.src='wan'
firewall.E_HTTPS_W_P.dest='lan'
firewall.E_HTTPS_W_P.proto='tcp'
firewall.E_HTTPS_W_P.name='Enable_HTTPS_WAN_PASSTHROUGH'
firewall.E_HTTPS_W_P.dest_ip='127.0.0.1'
firewall.E_HTTPS_W_P.reflection='0'
firewall.E_HTTPS_W_P.src_dport='443'
firewall.E_CLI_W_P=redirect
firewall.E_CLI_W_P.enabled='0'
firewall.E_CLI_W_P.target='DNAT'
firewall.E_CLI_W_P.src='wan'
firewall.E_CLI_W_P.dest='lan'
firewall.E_CLI_W_P.proto='tcp'
firewall.E_CLI_W_P.name='Enable_CLI_WAN_PASSTHROUGH'
firewall.E_CLI_W_P.dest_ip='127.0.0.1'
firewall.E_CLI_W_P.reflection='0'
firewall.E_CLI_W_P.src_dport='4200-4220'
firewall.A_PASSTH_T=rule
firewall.A_PASSTH_T.target='ACCEPT'
firewall.A_PASSTH_T.src='wan'
firewall.A_PASSTH_T.dest='lan'
firewall.A_PASSTH_T.name='Allow-passthrough-traffic'
firewall.A_PASSTH_T.proto='all'
firewall.A_PASSTH_T.enabled='0'
firewall.M_PASSTH=redirect
firewall.M_PASSTH.enabled='0'
firewall.M_PASSTH.target='SNAT'
firewall.M_PASSTH.dest='wan'
firewall.M_PASSTH.proto='all'
firewall.M_PASSTH.name='Enable_Mobile_Passthrough'
firewall.A_OSPFIGP=rule
firewall.A_OSPFIGP.enabled='0'
firewall.A_OSPFIGP.target='ACCEPT'
firewall.A_OSPFIGP.src='wan'
firewall.A_OSPFIGP.name='Allow-OSPFIGP-WAN-traffic'
firewall.A_OSPFIGP.proto='89'
firewall.REDIR_DNS=redirect
firewall.REDIR_DNS.enabled='0'
firewall.REDIR_DNS.target='DNAT'
firewall.REDIR_DNS.src='lan'
firewall.REDIR_DNS.dest='lan'
firewall.REDIR_DNS.proto='tcp udp'
firewall.REDIR_DNS.name='Redirect_DNS'
firewall.REDIR_DNS.dest_ip='192.168.1.1'
firewall.REDIR_DNS.src_dport='53'
firewall.REDIR_DNS.dest_port='53'
firewall.ALLOW_GRE=rule
firewall.ALLOW_GRE.enabled='0'
firewall.ALLOW_GRE.name='Allow-GRE-Input'
firewall.ALLOW_GRE.src='wan'
firewall.ALLOW_GRE.proto='47'
firewall.ALLOW_GRE.target='ACCEPT'
firewall.@redirect[6]=redirect
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src_dport='8080'
firewall.@redirect[6].dest_ip='10.0.0.101'
firewall.@redirect[6].dest_port='8080'
firewall.@redirect[6].src='hotspot'
firewall.@redirect[6].name='test'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].reflection='0'
firewall.@redirect[6].target='DNAT'
firewall.DMZ=redirect
firewall.DMZ.src='wan'
firewall.DMZ.name='DMZ'
firewall.DMZ.proto='all'
firewall.DMZ.enabled='0'

The redirect is for hotspot, not lan or vpn firewall zones.

It's not going extremely well right now.

firewall.@redirect[6]=redirect
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src_dport='8080'
firewall.@redirect[6].dest_ip='10.0.0.101'
firewall.@redirect[6].dest_port='8080'
firewall.@redirect[6].src='hotspot'
firewall.@redirect[6].name='test'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].reflection='0'
firewall.@redirect[6].target='DNAT'
firewall.@redirect[7]=redirect
firewall.@redirect[7].proto='tcp'
firewall.@redirect[7].src_dport='8080'
firewall.@redirect[7].dest_ip='10.0.0.101'
firewall.@redirect[7].dest_port='8080'
firewall.@redirect[7].src='vpn'
firewall.@redirect[7].name='test'
firewall.@redirect[7].dest='lan'
firewall.@redirect[7].reflection='0'
firewall.@redirect[7].target='DNAT'

This made me assume hotspot in the first place.

root@Teltonika-RUT955:~# uci show firewall | grep tun0
firewall.hotspot.device='tun0 tun1 tun2 tun3'

This is my ifconfig output

root@Teltonika-RUT955:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 00:1E:42:15:84:78  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:692 errors:0 dropped:0 overruns:0 frame:0
          TX packets:454 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:54885 (53.5 KiB)  TX bytes:47411 (46.2 KiB)

eth0      Link encap:Ethernet  HWaddr 00:1E:42:15:84:78  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:674 errors:0 dropped:0 overruns:0 frame:0
          TX packets:479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:84264 (82.2 KiB)  TX bytes:53186 (51.9 KiB)
          Interrupt:5 

eth1      Link encap:Ethernet  HWaddr 00:1E:42:15:84:79  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:190 errors:0 dropped:0 overruns:0 frame:0
          TX packets:178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:19343 (18.8 KiB)  TX bytes:42908 (41.9 KiB)
          Interrupt:4 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:51 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4052 (3.9 KiB)  TX bytes:4052 (3.9 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.4  P-t-P:10.8.0.4  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:646 errors:0 dropped:0 overruns:0 frame:0
          TX packets:618 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:61270 (59.8 KiB)  TX bytes:77175 (75.3 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:1E:42:15:84:7A  
          inet addr:192.168.1.17  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6056 errors:0 dropped:0 overruns:0 frame:0
          TX packets:976 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1683179 (1.6 MiB)  TX bytes:177793 (173.6 KiB)

wlan0-1   Link encap:Ethernet  HWaddr 02:1E:42:15:84:7A  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:9213 (8.9 KiB)

wwan0     Link encap:Ethernet  HWaddr 32:DD:50:20:C8:A7  
          inet6 addr: fe80::30dd:50ff:fe20:c8a7/64 Scope:Link
          UP BROADCAST RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:3011 (2.9 KiB)
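
An added example, not part of the original posts: a way to answer "which firewall zone owns tun0?" from `uci show firewall` output instead of grepping for the literal name. It applies the iptables rule that a `device` entry ending in `+` matches any interface name with that prefix, so `tun_+` (the `vpn` zone here) does not match `tun0`. The function names and the shortened sample are assumptions of this example; zones attached only through `network` are not resolved.

```shell
#!/bin/sh
# Added example: helper names are illustrative, not from the thread.

# Constructed sample: a few lines in the format of the `uci show firewall` output above.
sample_uci_show() {
cat <<'EOF'
firewall.vpn_zone=zone
firewall.vpn_zone.name='vpn'
firewall.vpn_zone.device='tun_+'
firewall.pptp_zone=zone
firewall.pptp_zone.name='pptp'
firewall.pptp_zone.device='pptp+'
firewall.hotspot=zone
firewall.hotspot.name='hotspot'
firewall.hotspot.device='tun0 tun1 tun2 tun3'
firewall.@redirect[6]=redirect
firewall.@redirect[6].name='test'
firewall.@redirect[6].src='hotspot'
EOF
}

# zones_for_iface IFACE: read `uci show firewall` on stdin and print the name of
# every zone whose `device` list matches IFACE (exact name or trailing-+ prefix).
zones_for_iface() {
    awk -v iface="$1" -v q="'" '
    function dev_matches(pat, ifc,    p) {
        if (pat ~ /\+$/) {                      # "tun_+" matches tun_anything
            p = substr(pat, 1, length(pat) - 1)
            return substr(ifc, 1, length(p)) == p
        }
        return pat == ifc
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(q, "", val)                        # drop the single quotes uci prints
        n = split(key, part, /\./)
        if (part[1] != "firewall") next
        if (n == 2) type[part[2]] = val         # firewall.<section>=<type>
        if (n == 3 && part[3] == "name")   name[part[2]] = val
        if (n == 3 && part[3] == "device") dev[part[2]] = val
    }
    END {
        for (sec in dev) {
            if (type[sec] != "zone") continue   # ignore rules and redirects
            m = split(dev[sec], pat, " ")
            for (i = 1; i <= m; i++)
                if (dev_matches(pat[i], iface)) {
                    print (sec in name ? name[sec] : sec)
                    break
                }
        }
    }' | sort
}

sample_uci_show | zones_for_iface tun0
```

On the router the input would be `uci show firewall | zones_for_iface tun0`.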

You can verify that the iptables rule is installed correctly:
iptables-save -c | grep 8080
There should be some hits at the beginning of the line.
If not, verify with tcpdump that you can see the packets coming in.
tcpdump -i tun0 -vn tcp port 8080

[4:240] -A zone_hotspot_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: test" -j DNAT --to-destination 10.0.0.101:8080
[0:0] -A zone_vpn_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: test" -j DNAT --to-destination 10.0.0.101:8080

I have hits. I am unsure if I can figure out more concrete zone definitions for tun0, but from earlier I would assume it's hotspot.

tcpdump output if I browse to 10.0.0.101:8080

root@Teltonika-RUT955:~# iptables-save -c | grep 8080
[4:240] -A zone_hotspot_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: test" -j DNAT --to-destination 10.0.0.101:8080
[0:0] -A zone_vpn_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: test" -j DNAT --to-destination 10.0.0.101:8080
root@Teltonika-RUT955:~# tcpdump -i tun0 -vn tcp port 8080
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
13:11:19.977136 IP (tos 0x0, ttl 63, id 8217, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56442 > 10.8.0.4.8080: Flags [S], cksum 0xac71 (correct), seq 2147372348, win 64240, options [mss 1358,sackOK,TS val 1095139937 ecr 0,nop,wscale 7], length 0
13:11:19.977573 IP (tos 0x0, ttl 63, id 58879, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56444 > 10.8.0.4.8080: Flags [S], cksum 0x2061 (correct), seq 3055788837, win 64240, options [mss 1358,sackOK,TS val 1095139937 ecr 0,nop,wscale 7], length 0
13:11:20.226533 IP (tos 0x0, ttl 63, id 62674, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56448 > 10.8.0.4.8080: Flags [S], cksum 0xa2da (correct), seq 763209812, win 64240, options [mss 1358,sackOK,TS val 1095140187 ecr 0,nop,wscale 7], length 0
13:11:20.983906 IP (tos 0x0, ttl 63, id 58880, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56444 > 10.8.0.4.8080: Flags [S], cksum 0x1c73 (correct), seq 3055788837, win 64240, options [mss 1358,sackOK,TS val 1095140943 ecr 0,nop,wscale 7], length 0
13:11:20.984268 IP (tos 0x0, ttl 63, id 8218, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56442 > 10.8.0.4.8080: Flags [S], cksum 0xa883 (correct), seq 2147372348, win 64240, options [mss 1358,sackOK,TS val 1095140943 ecr 0,nop,wscale 7], length 0
13:11:21.238755 IP (tos 0x0, ttl 63, id 62675, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56448 > 10.8.0.4.8080: Flags [S], cksum 0x9ee6 (correct), seq 763209812, win 64240, options [mss 1358,sackOK,TS val 1095141199 ecr 0,nop,wscale 7], length 0
13:11:23.000547 IP (tos 0x0, ttl 63, id 8219, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56442 > 10.8.0.4.8080: Flags [S], cksum 0xa0a3 (correct), seq 2147372348, win 64240, options [mss 1358,sackOK,TS val 1095142959 ecr 0,nop,wscale 7], length 0
13:11:23.000888 IP (tos 0x0, ttl 63, id 58881, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56444 > 10.8.0.4.8080: Flags [S], cksum 0x1493 (correct), seq 3055788837, win 64240, options [mss 1358,sackOK,TS val 1095142959 ecr 0,nop,wscale 7], length 0
13:11:23.258963 IP (tos 0x0, ttl 63, id 62676, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56448 > 10.8.0.4.8080: Flags [S], cksum 0x9702 (correct), seq 763209812, win 64240, options [mss 1358,sackOK,TS val 1095143219 ecr 0,nop,wscale 7], length 0
13:11:27.031105 IP (tos 0x0, ttl 63, id 58882, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56444 > 10.8.0.4.8080: Flags [S], cksum 0x04d3 (correct), seq 3055788837, win 64240, options [mss 1358,sackOK,TS val 1095146991 ecr 0,nop,wscale 7], length 0
13:11:27.031436 IP (tos 0x0, ttl 63, id 8220, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56442 > 10.8.0.4.8080: Flags [S], cksum 0x90e3 (correct), seq 2147372348, win 64240, options [mss 1358,sackOK,TS val 1095146991 ecr 0,nop,wscale 7], length 0
13:11:27.286481 IP (tos 0x0, ttl 63, id 62677, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56448 > 10.8.0.4.8080: Flags [S], cksum 0x8746 (correct), seq 763209812, win 64240, options [mss 1358,sackOK,TS val 1095147247 ecr 0,nop,wscale 7], length 0
13:11:35.222994 IP (tos 0x0, ttl 63, id 8221, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56442 > 10.8.0.4.8080: Flags [S], cksum 0x70e3 (correct), seq 2147372348, win 64240, options [mss 1358,sackOK,TS val 1095155183 ecr 0,nop,wscale 7], length 0
13:11:35.224431 IP (tos 0x0, ttl 63, id 58883, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56444 > 10.8.0.4.8080: Flags [S], cksum 0xe4d2 (correct), seq 3055788837, win 64240, options [mss 1358,sackOK,TS val 1095155183 ecr 0,nop,wscale 7], length 0
13:11:35.478692 IP (tos 0x0, ttl 63, id 62678, offset 0, flags [DF], proto TCP (6), length 60)
10.8.0.3.56448 > 10.8.0.4.8080: Flags [S], cksum 0x6746 (correct), seq 763209812, win 64240, options [mss 1358,sackOK,TS val 1095155439 ecr 0,nop,wscale 7], length 0

It is the hotspot, as it has the hits.
From the dump you can see only incoming packets, but no replies. This means that the routing is not correct and the replies of server 10.0.0.101 are being routed to a different interface.
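
An added example, not part of the original posts: the two checks used above (packet counters on the DNAT rule, then a capture on tun0) turned into helpers that report which prerouting chain actually matched and which SYNs never saw a packet in the reverse direction. The function names are assumptions of this example; the sample data is constructed from the output in the thread, shortened, with one answered flow (source port 50000) added for contrast.

```shell
#!/bin/sh
# Added example: helper names and sample data are illustrative, not from the thread.

# Constructed sample of `iptables-save -c | grep 8080` (counters as posted above).
sample_counters() {
cat <<'EOF'
[4:240] -A zone_hotspot_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: test" -j DNAT --to-destination 10.0.0.101:8080
[0:0] -A zone_vpn_prerouting -p tcp -m tcp --dport 8080 -m comment --comment "!fw3: test" -j DNAT --to-destination 10.0.0.101:8080
EOF
}

# Constructed sample of `tcpdump -i tun0 -vn tcp port 8080` (shortened).
sample_capture() {
cat <<'EOF'
13:11:19.977136 IP (tos 0x0, ttl 63, id 8217, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.3.56442 > 10.8.0.4.8080: Flags [S], seq 2147372348, win 64240, length 0
13:11:19.977573 IP (tos 0x0, ttl 63, id 58879, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.3.56444 > 10.8.0.4.8080: Flags [S], seq 3055788837, win 64240, length 0
13:11:20.984268 IP (tos 0x0, ttl 63, id 8218, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.3.56442 > 10.8.0.4.8080: Flags [S], seq 2147372348, win 64240, length 0
13:11:21.000000 IP (tos 0x0, ttl 63, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.3.50000 > 10.8.0.4.8080: Flags [S], seq 1, win 64240, length 0
13:11:21.000500 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.8.0.4.8080 > 10.8.0.3.50000: Flags [S.], seq 9, ack 2, win 65160, length 0
EOF
}

# dnat_hits PORT: read `iptables-save -c` on stdin; print "<chain> <packets>" for
# every DNAT rule on --dport PORT whose packet counter is non-zero.
dnat_hits() {
    awk -v port="$1" '
    /-j DNAT/ && $0 ~ ("--dport " port "( |$)") && $2 == "-A" {
        split(substr($1, 2), c, ":")            # "[4:240]" -> packets = 4
        if (c[1] + 0 > 0) print $3, c[1] + 0
    }'
}

# unanswered_syns: read tcpdump text on stdin; print "<src> <dst> <syn count>" for
# each flow that sent SYNs but never saw any packet in the reverse direction.
unanswered_syns() {
    awk '
    {
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next                       # header line, no "src > dst"
        src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
        flags = ""
        for (j = i + 2; j < NF; j++) if ($j == "Flags") { flags = $(j + 1); break }
        if (flags == "") next
        sub(/,$/, "", flags)
        seen[src " " dst] = 1
        if (flags == "[S]") syn[src " " dst]++  # bare SYN, retransmissions included
    }
    END {
        for (f in syn) {
            split(f, e, " ")
            if (!((e[2] " " e[1]) in seen)) print e[1], e[2], syn[f]
        }
    }' | sort
}

echo "DNAT rules with hits:"; sample_counters | dnat_hits 8080
echo "SYNs with no reply:";   sample_capture | unanswered_syns
```

On the router the inputs would be `iptables-save -c` and the saved text of the `tcpdump -i tun0 -vn tcp port 8080` run.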