Hi all,
I am finally trying to update my routers VPN to Wireguard. I've tried a few times now, but can't seem to get the magic recipe correct, and I was hoping somebody could give me a hand.
The issue is that packets don't seem to be getting to the Wireguard interface (the interface shows zero packets received). If I do a "tcpdump" on port 51820, I see that the peer is trying to connect, but not getting a response. I thought maybe the firewall was dumping the packets, but in Luci, if I enable "Logging of this zone" for each zone, I don't see any UDP packets getting dumped.
I've also followed a couple of different How-To's over the course of trying to set this up, so I probably now have a hodge-podge of settings now, which is not helping.
From this page, here's the output I get. Any help is appreciated.
root@Linksys21:~# logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
udp 0 0 0.0.0.0:51820 0.0.0.0:* -
udp 0 0 0.0.0.0:50152 0.0.0.0:* -
udp 0 0 :::51820 :::* -
root@Linksys21:~# # Runtime configuration
root@Linksys21:~# pgrep -f -a wg; wg show; wg showconf vpn
22626 wg-crypt-wg0
interface: wg0
public key: Public Key goes here=
private key: (hidden)
listening port: 51820
peer: Peer Key goes here=
allowed ips: 172.16.2.1/32
persistent keepalive: every 25 seconds
Unable to access interface: No such device
root@Linksys21:~# ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
inet6 1234:5678:910a:bcd:ef01/64 scope link
valid_lft forever preferred_lft forever
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
4: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
6: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 5a:ef:68:0f:61:70 brd ff:ff:ff:ff:ff:ff
inet 87.65.43.21/23 brd 87.65.43.255 scope global wan
valid_lft forever preferred_lft forever
inet6 fe80::58ef:68ff:fe0f:6170/64 scope link
valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.1/24 brd 172.16.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd25:c11c:2ed6::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 1234:5678:910a:bcd:ef01/64 scope link
valid_lft forever preferred_lft forever
16: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
link/[65534]
inet 172.16.2.1/24 brd 172.16.2.255 scope global wg0
valid_lft forever preferred_lft forever
17: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN qlen 1000
link/ether 58:ef:68:0f:61:72 brd ff:ff:ff:ff:ff:ff
18: wlan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN qlen 1000
link/ether 58:ef:68:0f:61:71 brd ff:ff:ff:ff:ff:ff
default via 87.65.43.1 dev wan src 87.65.43.21
87.65.43.0/23 dev wan scope link src 87.65.43.21
172.16.1.0/24 dev br-lan scope link src 172.16.1.1
172.16.2.0/24 dev wg0 scope link src 172.16.2.1
broadcast 87.65.43.0 dev wan table local scope link src 87.65.43.21
local 87.65.43.21 dev wan table local scope host src 87.65.43.21
broadcast 87.65.43.255 dev wan table local scope link src 87.65.43.21
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 172.16.1.0 dev br-lan table local scope link src 172.16.1.1
local 172.16.1.1 dev br-lan table local scope host src 172.16.1.1
broadcast 172.16.1.255 dev br-lan table local scope link src 172.16.1.1
broadcast 172.16.2.0 dev wg0 table local scope link src 172.16.2.1
local 172.16.2.1 dev wg0 table local scope host src 172.16.2.1
broadcast 172.16.2.255 dev wg0 table local scope link src 172.16.2.1
fd25:c11c:2ed6::/64 dev br-lan metric 1024
unreachable fd25:c11c:2ed6::/48 dev lo metric 2147483647
fe80::/64 dev eth0 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev wan metric 256
local ::1 dev lo table local metric 0
anycast fd25:c11c:2ed6:: dev br-lan table local metric 0
local fd25:c11c:2ed6::1 dev br-lan table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev wan table local metric 0
local fe80::58ef:68ff:fe0f:6170 dev wan table local metric 0
local 1234:5678:910a:bcd:ef01 dev eth0 table local metric 0
local 1234:5678:910a:bcd:ef01 dev br-lan table local metric 0
root@Linksys21:~# ip rule show; iptables-save -c
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# Generated by iptables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*nat
:PREROUTING ACCEPT [7:505]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:362]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg_postrouting - [0:0]
:zone_wg_prerouting - [0:0]
[7:505] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[7:505] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wg_prerouting
[9:605] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[9:605] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wg_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[7:505] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[9:605] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[9:605] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wg_postrouting -m comment --comment "!fw3: Custom wg postrouting rule chain" -j postrouting_wg_rule
[0:0] -A zone_wg_prerouting -m comment --comment "!fw3: Custom wg prerouting rule chain" -j prerouting_wg_rule
COMMIT
# Completed on Sun Feb 20 20:48:30 2022
# Generated by iptables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*mangle
:PREROUTING ACCEPT [98:10034]
:INPUT ACCEPT [70:3014]
:FORWARD ACCEPT [24:6758]
:OUTPUT ACCEPT [156:24026]
:POSTROUTING ACCEPT [180:30784]
[2:104] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1:52] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Feb 20 20:48:30 2022
# Generated by iptables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg_dest_ACCEPT - [0:0]
:zone_wg_dest_REJECT - [0:0]
:zone_wg_forward - [0:0]
:zone_wg_input - [0:0]
:zone_wg_output - [0:0]
:zone_wg_src_ACCEPT - [0:0]
[8140:815315] -A INPUT -j LOGGING
[8140:815315] -A INPUT -j LOGGING
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[76:3254] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[76:3254] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg_input
[25:6798] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[22:6555] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:243] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[8794:2034530] -A OUTPUT -j LOGGING
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[167:25666] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[161:25304] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[6:362] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[3:243] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[3:243] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wg forwarding policy" -j zone_wg_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[9:605] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to wg forwarding policy" -j zone_wg_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: wan-wg" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[6:362] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[6:362] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wg_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Custom wg forwarding rule chain" -j forwarding_wg_rule
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Zone wg to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Zone wg to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wg_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg_forward -m comment --comment "!fw3" -j zone_wg_dest_REJECT
[0:0] -A zone_wg_input -m comment --comment "!fw3: Custom wg input rule chain" -j input_wg_rule
[0:0] -A zone_wg_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wg_input -m comment --comment "!fw3" -j zone_wg_src_ACCEPT
[0:0] -A zone_wg_output -m comment --comment "!fw3: Custom wg output rule chain" -j output_wg_rule
[0:0] -A zone_wg_output -m comment --comment "!fw3" -j zone_wg_dest_ACCEPT
[0:0] -A zone_wg_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Sun Feb 20 20:48:30 2022
root@Linksys21:~# ip -6 rule show; ip6tables-save -c
0: from all lookup local
32766: from all lookup main
4200000001: from all iif lo lookup unspec 12
4200000007: from all iif wan lookup unspec 12
4200000015: from all iif br-lan lookup unspec 12
4200000016: from all iif wg0 lookup unspec 12
# Generated by ip6tables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*mangle
:PREROUTING ACCEPT [6:482]
:INPUT ACCEPT [6:482]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:574]
:POSTROUTING ACCEPT [6:574]
[0:0] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Feb 20 20:48:30 2022
# Generated by ip6tables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg_dest_ACCEPT - [0:0]
:zone_wg_dest_REJECT - [0:0]
:zone_wg_forward - [0:0]
:zone_wg_input - [0:0]
:zone_wg_output - [0:0]
:zone_wg_src_ACCEPT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[6:482] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[6:482] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[6:574] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[6:574] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wg forwarding policy" -j zone_wg_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6:482] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[6:482] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6:482] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to wg forwarding policy" -j zone_wg_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: wan-wg" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wg_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Custom wg forwarding rule chain" -j forwarding_wg_rule
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Zone wg to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Zone wg to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wg_forward -m comment --comment "!fw3" -j zone_wg_dest_REJECT
[0:0] -A zone_wg_input -m comment --comment "!fw3: Custom wg input rule chain" -j input_wg_rule
[0:0] -A zone_wg_input -m comment --comment "!fw3" -j zone_wg_src_ACCEPT
[0:0] -A zone_wg_output -m comment --comment "!fw3: Custom wg output rule chain" -j output_wg_rule
[0:0] -A zone_wg_output -m comment --comment "!fw3" -j zone_wg_dest_ACCEPT
[0:0] -A zone_wg_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
root@Linksys21:~# # Persistent configuration
root@Linksys21:~# uci show network; uci show firewall; crontab -l
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd25:c11c:2ed6::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='172.16.1.1'
network.@device[1]=device
network.@device[1].name='wan'
network.@device[1].macaddr='5a:ef:68:0f:61:70'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='Private key goes here'
network.wg0.listen_port='51820'
network.wg0.addresses='172.16.2.1/24'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='Pixel6'
network.@wireguard_wg0[0].public_key='Another Key='
network.@wireguard_wg0[0].allowed_ips='172.16.2.1'
network.@wireguard_wg0[0].endpoint_port='51820'
network.@wireguard_wg0[0].persistent_keepalive='25'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='JumpBox'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='2200'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='172.16.1.222'
firewall.@redirect[0].dest_port='22'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.wg.dest_port='51820'
firewall.wg.family='ipv4'
firewall.wg.enabled='0'
firewall.@zone[2]=zone
firewall.@zone[2].name='wg'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='wg0'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='wg'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='wg'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='wg'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wan'
firewall.@forwarding[4].dest='wg'
firewall.@rule[11]=rule
firewall.@rule[11].name='wan-wg'
firewall.@rule[11].proto='udp'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest_port='51820'
firewall.@rule[11].target='ACCEPT'
root@Linksys21:~#
Thanks for looking!