Hello, here's the output of the commands:
root@Main-Router:~# uci export network;
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd9f:ee95:8521::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.12.1'
option delegate '0'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option delegate '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2 3 4'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '0t 5'
option vid '3'
config interface 'APP'
option ifname 'eth0.3'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.13.1'
option type 'bridge'
option delegate '0'
config interface 'VPN'
option ifname 'tun0'
option proto 'none'
root@Main-Router:~# uci export wireless;
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option htmode 'VHT80'
option country 'IT'
option channel '48'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ft_over_ds '1'
option ssid 'Home-WiFi'
option encryption 'psk2'
option ft_psk_generate_local '1'
option key 'xxxxx'
option ieee80211r '1'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option path 'platform/ahb/18100000.wmac'
option htmode 'HT20'
option country 'IT'
option channel '6'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ft_over_ds '1'
option ssid 'Home-WiFi'
option encryption 'psk2'
option ft_psk_generate_local '1'
option key 'xxxxx'
option ieee80211r '1'
config wifi-iface 'wifinet2'
option ssid 'App-WiFi'
option encryption 'psk2'
option device 'radio1'
option mode 'ap'
option network 'APP'
option key 'xxxxx'
root@Main-Router:~# uci export dhcp;
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option limit '150'
option leasetime '12h'
option start '30'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'APP'
option leasetime '12h'
option limit '150'
option interface 'APP'
option start '30'
root@Main-Router:~# uci export vpn-policy-routing;
package vpn-policy-routing
config vpn-policy-routing 'config'
option verbosity '2'
option src_ipset '0'
option ipv6_enabled '0'
list supported_interface ''
list ignored_interface 'vpnserver wgserver'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_enable_column '0'
option webui_protocol_column '0'
option webui_chain_column '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option dest_ipset 'ipset'
option enabled '1'
option strict_enforcement '0'
option boot_timeout '60'
config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'
config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'
config policy
option interface 'wan'
option name 'Main'
option src_port '0-65535'
option dest_addr '0.0.0.0/0'
option dest_port '0-65535'
option src_addr '192.168.12.0/24'
config policy
option name 'App'
option interface 'VPN'
option src_addr '192.168.13.0/24'
option src_port '0-65535'
option dest_addr '0.0.0.0/0'
option dest_port '0-65535'
root@Main-Router:~# uci export firewall;
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option output 'ACCEPT'
option mtu_fix '1'
option forward 'REJECT'
option network 'lan'
option family 'ipv4'
option input 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'APP'
option input 'ACCEPT'
option forward 'REJECT'
option name 'app'
option output 'ACCEPT'
option mtu_fix '1'
config zone
option network 'VPN'
option forward 'REJECT'
option name 'vpn'
option output 'ACCEPT'
option mtu_fix '1'
option input 'REJECT'
option masq '1'
config forwarding
option dest 'vpn'
option src 'app'
config zone
option network 'wan'
option forward 'REJECT'
option name 'wan'
option output 'ACCEPT'
option masq '1'
option input 'REJECT'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'wan'
option src 'app'
root@Main-Router:~# head -n -0 /etc/firewall.user;
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@Main-Router:~# iptables-save -c;
# Generated by iptables-save v1.8.3 on Tue Jun 9 08:16:31 2020
*nat
:PREROUTING ACCEPT [3897:667004]
:INPUT ACCEPT [951:76942]
:OUTPUT ACCEPT [524:35742]
:POSTROUTING ACCEPT [51:2624]
:postrouting_app_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_app_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_app_postrouting - [0:0]
:zone_app_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3897:667004] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3754:644951] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[95:15689] -A PREROUTING -i br-APP -m comment --comment "!fw3" -j zone_app_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[48:6364] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[1972:226339] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[48:1920] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[3:704] -A POSTROUTING -o br-APP -m comment --comment "!fw3" -j zone_app_postrouting
[604:38982] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[1317:184733] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[3:704] -A zone_app_postrouting -m comment --comment "!fw3: Custom app postrouting rule chain" -j postrouting_app_rule
[95:15689] -A zone_app_prerouting -m comment --comment "!fw3: Custom app prerouting rule chain" -j prerouting_app_rule
[48:1920] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[3754:644951] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[604:38982] -A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
[604:38982] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
[1317:184733] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1317:184733] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[48:6364] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Jun 9 08:16:31 2020
# Generated by iptables-save v1.8.3 on Tue Jun 9 08:16:31 2020
*raw
:PREROUTING ACCEPT [213323:176751546]
:OUTPUT ACCEPT [3373:638066]
:zone_app_helper - [0:0]
:zone_lan_helper - [0:0]
[86329:50413496] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[557:89429] -A PREROUTING -i br-APP -m comment --comment "!fw3: app CT helper assignment" -j zone_app_helper
COMMIT
# Completed on Tue Jun 9 08:16:31 2020
# Generated by iptables-save v1.8.3 on Tue Jun 9 08:16:31 2020
*mangle
:PREROUTING ACCEPT [212777:176599416]
:INPUT ACCEPT [3062:868940]
:FORWARD ACCEPT [208307:175345335]
:OUTPUT ACCEPT [3238:623310]
:POSTROUTING ACCEPT [211256:175953113]
:QOS_MARK_br-APP - [0:0]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[0:0] -A PREROUTING -i vtun+ -p tcp -j MARK --set-xmark 0x2/0xff
[1000:43664] -A PREROUTING -i br-APP -m dscp ! --dscp 0x00 -j DSCP --set-dscp 0x00
[212938:176638592] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[1834:777450] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[847:49640] -A FORWARD -o br-lan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[24:1440] -A FORWARD -o br-APP -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone app MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[67:3700] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[124791:125445393] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[109440:11413167] -A OUTPUT -p udp -m multiport --ports 123,53 -j DSCP --set-dscp 0x24
[3295:627042] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[118362:118414780] -A POSTROUTING -o br-APP -m mark --mark 0x0/0xff -g QOS_MARK_br-APP
[118362:118414780] -A QOS_MARK_br-APP -j MARK --set-xmark 0x2/0xff
[1:76] -A QOS_MARK_br-APP -m dscp --dscp 0x08 -j MARK --set-xmark 0x3/0xff
[1186:399597] -A QOS_MARK_br-APP -m dscp --dscp 0x30 -j MARK --set-xmark 0x1/0xff
[0:0] -A QOS_MARK_br-APP -m dscp --dscp 0x2e -j MARK --set-xmark 0x1/0xff
[556:130559] -A QOS_MARK_br-APP -m dscp --dscp 0x24 -j MARK --set-xmark 0x1/0xff
[556:130559] -A QOS_MARK_br-APP -m tos --tos 0x10/0x3f -j MARK --set-xmark 0x1/0xff
[0:0] -A VPR_FORWARD -m set --match-set VPN dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set VPN dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set VPN dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[75:14791] -A VPR_PREROUTING -s 192.168.13.0/24 -p udp -m multiport --sports 0:65535 -m multiport --dports 0:65535 -m comment --comment App -j MARK --set-xmark 0x20000/0xff0000
[456:70956] -A VPR_PREROUTING -s 192.168.13.0/24 -p tcp -m multiport --sports 0:65535 -m multiport --dports 0:65535 -m comment --comment App -j MARK --set-xmark 0x20000/0xff0000
[10185:1696895] -A VPR_PREROUTING -s 192.168.12.0/24 -p udp -m multiport --sports 0:65535 -m multiport --dports 0:65535 -m comment --comment Main -j MARK --set-xmark 0x10000/0xff0000
[75505:48626604] -A VPR_PREROUTING -s 192.168.12.0/24 -p tcp -m multiport --sports 0:65535 -m multiport --dports 0:65535 -m comment --comment Main -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set VPN dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Tue Jun 9 08:16:31 2020
# Generated by iptables-save v1.8.3 on Tue Jun 9 08:16:31 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_app_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_app_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_app_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_app_dest_ACCEPT - [0:0]
:zone_app_dest_REJECT - [0:0]
:zone_app_forward - [0:0]
:zone_app_input - [0:0]
:zone_app_output - [0:0]
:zone_app_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1:76] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3140:891186] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1957:784426] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[6:344] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1023:75764] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[87:17367] -A INPUT -i br-APP -m comment --comment "!fw3" -j zone_app_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[73:13629] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[208783:175473910] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[205206:174960592] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3541:510966] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[36:2352] -A FORWARD -i br-APP -m comment --comment "!fw3" -j zone_app_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[136:10127] -A FORWARD -m comment --comment "!fw3" -j reject
[1:76] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3403:645454] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2826:606038] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:80] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[6:1710] -A OUTPUT -o br-APP -m comment --comment "!fw3" -j zone_app_output
[568:37298] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[1:328] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[129:17092] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[80:6664] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[6:344] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[6:1710] -A zone_app_dest_ACCEPT -o br-APP -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_app_dest_REJECT -o br-APP -m comment --comment "!fw3" -j reject
[36:2352] -A zone_app_forward -m comment --comment "!fw3: Custom app forwarding rule chain" -j forwarding_app_rule
[36:2352] -A zone_app_forward -m comment --comment "!fw3: Zone app to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_app_forward -m comment --comment "!fw3: Zone app to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_app_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_app_forward -m comment --comment "!fw3" -j zone_app_dest_REJECT
[87:17367] -A zone_app_input -m comment --comment "!fw3: Custom app input rule chain" -j input_app_rule
[0:0] -A zone_app_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[87:17367] -A zone_app_input -m comment --comment "!fw3" -j zone_app_src_ACCEPT
[6:1710] -A zone_app_output -m comment --comment "!fw3: Custom app output rule chain" -j output_app_rule
[6:1710] -A zone_app_output -m comment --comment "!fw3" -j zone_app_dest_ACCEPT
[87:17367] -A zone_app_src_ACCEPT -i br-APP -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2:80] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
[3541:510966] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[3541:510966] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[136:10127] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
[1023:75764] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1023:75764] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:80] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:80] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1023:75764] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[22:880] -A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[582:38770] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_REJECT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_REJECT
[568:37298] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[568:37298] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[203:9634] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[3203:491533] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[73:13629] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[73:13629] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1:328] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1:328] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[73:13629] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Jun 9 08:16:31 2020
root@Main-Router:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
13: br-APP: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UP group default qlen 1000
inet 192.168.13.1/24 brd 192.168.13.255 scope global br-APP
valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.12.1/24 brd 192.168.12.255 scope global br-lan
valid_lft forever preferred_lft forever
17: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.11.10/24 brd 192.168.11.255 scope global eth0.2
valid_lft forever preferred_lft forever
79: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.8.1.14/24 brd 10.8.1.255 scope global tun0
valid_lft forever preferred_lft forever
default via 192.168.11.1 dev eth0.2 table 201
192.168.13.0/24 dev br-APP table 201 proto kernel scope link src 192.168.13.1
default via 10.8.1.14 dev tun0 table 202
192.168.13.0/24 dev br-APP table 202 proto kernel scope link src 192.168.13.1
0.0.0.0/1 via 10.8.1.1 dev tun0
default via 192.168.11.1 dev eth0.2 proto static src 192.168.11.10
10.8.1.0/24 dev tun0 proto kernel scope link src 10.8.1.14
128.0.0.0/1 via 10.8.1.1 dev tun0
192.168.11.0/24 dev eth0.2 proto kernel scope link src 192.168.11.10
192.168.12.0/24 dev br-lan proto kernel scope link src 192.168.12.1
192.168.13.0/24 dev br-APP proto kernel scope link src 192.168.13.1
217.138.197.219 via 192.168.11.1 dev eth0.2
broadcast 10.8.1.0 dev tun0 table local proto kernel scope link src 10.8.1.14
local 10.8.1.14 dev tun0 table local proto kernel scope host src 10.8.1.14
broadcast 10.8.1.255 dev tun0 table local proto kernel scope link src 10.8.1.14
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.11.0 dev eth0.2 table local proto kernel scope link src 192.168.11.10
local 192.168.11.10 dev eth0.2 table local proto kernel scope host src 192.168.11.10
broadcast 192.168.11.255 dev eth0.2 table local proto kernel scope link src 192.168.11.10
broadcast 192.168.12.0 dev br-lan table local proto kernel scope link src 192.168.12.1
local 192.168.12.1 dev br-lan table local proto kernel scope host src 192.168.12.1
broadcast 192.168.12.255 dev br-lan table local proto kernel scope link src 192.168.12.1
broadcast 192.168.13.0 dev br-APP table local proto kernel scope link src 192.168.13.1
local 192.168.13.1 dev br-APP table local proto kernel scope host src 192.168.13.1
broadcast 192.168.13.255 dev br-APP table local proto kernel scope link src 192.168.13.1
0: from all lookup local
32560: from all fwmark 0x20000/0xff0000 lookup 202
32561: from all fwmark 0x10000/0xff0000 lookup 201
32766: from all lookup main
32767: from all lookup default
root@Main-Router:~# ls -l /etc/resolv.* /tmp/resolv.*;
lrwxrwxrwx 1 root root 16 May 16 20:32 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 32 Jun 8 10:22 /tmp/resolv.conf
-rw-r--r-- 1 root root 54 Jun 8 22:54 /tmp/resolv.conf.auto
root@Main-Router:~# head -n -0 /etc/resolv.* /tmp/resolv.*
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4
Also, my idea is to configure a DMZ on the DSL modem pointing to the OpenWrt WAN IP (and then manage everything from the OpenWrt firewall).
Thanks a lot for your help!