I seem to have found a good post on a firewall scheme to grant Internet only, LAN only, or Internet plus LAN access to different WireGuard peers (devices) coming to a peer acting as server:
One feature of the scheme is that PostUp and PostDown are not embedded in wg0.conf but stand separate in scripts /etc/wireguard/postup.sh and /etc/wireguard/postdown.sh.
Is there any reason such scripts may not work in an OpenWrt router?
Thank you. Would it then be a matter of my understanding what the (github post's) postup and postdown scripts do and translating them into OpenWrt (fw3) equivalents? (For me that won't be trivial, but a highly interesting project.)
I suppose one difference will be that the fw3 rules are constantly on, while WireGuard PostUp rules go into effect only when WireGuard is started. Is this right? (I seem to have read that if the firewall is restarted, then WireGuard's PostUp rules are not restarted therewith but become ineffective.)
Why is direct manipulation of iptables discouraged for OpenWrt?
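An fw3 equivalent of the per-peer scheme asked about above, as an added example that is not from the linked GitHub post or from the OpenWrt project: the tunnel gets its own firewall zone, default forwardings allow both LAN and WAN, and per-peer reject rules take away what a given peer should not reach. Because it lives in /etc/config/firewall, fw3 reapplies it on every firewall restart instead of relying on WireGuard's PostUp, which is the persistence difference raised in the thread. The zone name, the interface name `wg0`, the subnet and the peer addresses are assumptions chosen for this illustration.

```uci
# /etc/config/firewall fragment for fw3 (constructed example).
# Assumed: a WireGuard interface 'wg0' in /etc/config/network, tunnel
# subnet 10.9.0.0/24, peers at 10.9.0.2 (Internet only),
# 10.9.0.3 (LAN only) and 10.9.0.4 (Internet plus LAN).

# Own zone for the tunnel so peer traffic can be policed per destination zone.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'ACCEPT'     # peers may talk to the router itself (DNS etc.)
	option output 'ACCEPT'
	option forward 'REJECT'   # no peer-to-peer forwarding inside the tunnel

# Default policy: tunnel peers may forward to WAN and to LAN.
config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wg'
	option dest 'lan'

# Per-peer exceptions. fw3 evaluates 'config rule' entries before the zone
# forwarding policy, so these REJECTs override the forwardings above.
# 'proto all' matters: without it fw3 defaults a rule to tcpudp only.
config rule
	option name 'wg-internet-only-peer-no-lan'
	option src 'wg'
	option src_ip '10.9.0.2'
	option dest 'lan'
	option proto 'all'
	option target 'REJECT'

config rule
	option name 'wg-lan-only-peer-no-internet'
	option src 'wg'
	option src_ip '10.9.0.3'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

# 10.9.0.4 matches no reject rule and keeps both forwardings.
```

The interface is assumed to be declared as `config interface 'wg0'` with `option proto 'wireguard'` in /etc/config/network, and the stock `wan` zone already masquerades; apply with `/etc/init.d/firewall restart` and check with `fw3 print`.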