Wireguard: site to site AND remote access from win8.1?

Hello!

I recently set up a Wireguard server on two routers, a Fritzbox 4020 and a Raspberry Pi, both with OpenWrt. I can access each of them remotely using the Wireguard client on Win8.1.

Since I am on the local net of the RasPi router most of the time, I thought I would set up a Wireguard client to reach FB4020 from the Raspi, in such a way that when I'm away I can remote-access the Raspi using Wireguard on Win8.1 and then also manage the network devices on the local net of FB4020 at once. I wanted to check whether I understood the setup correctly before proceeding and perhaps screwing something up.

Raspi: Net1, FB4020: Net2. Goal: access from Net1 to Net2 devices, and access from outside to devices on both nets through Wireguard to Net1.

I think:

  1. I need two VPN interfaces on Raspi=Net1: VPN for the server (already there, 192.168.9.1/24), which belongs to the LAN zone in the firewall, and VPN2 for the client, but with a different subnet, let's say 192.168.8.2/24. It should belong to the WAN zone in the firewall.

  2. FB4020=Net2 already has a VPN server, say VPN3. I will leave it there, but it has to be 192.168.8.1/24.

  3. The IP address range of the devices on Net2 should not overlap with any subnet of Net1 which I may want to access, because my request would then be sent over Wireguard to FB4020 and I would lose access to the devices on Net1.

  4. Between the VPN3 server and the VPN2 client, set it up like I did for the VPN3 server and the Win8.1 client.
    I set the subnet of the network devices on Net2 as "allowed addresses". Other traffic will not go through Wireguard.

  5. I will turn on the Wireguard link between VPN3 and VPN2. Then, when I'm on the net of the Raspi, I have access to the devices of FB4020 as well.

  6. When I'm away, I will run Wireguard on Win8.1 to access the VPN of Net1. Then I will have access to the devices on both networks: Raspi and FB4020.

Would that work? I'm actually not sure if I really need two interfaces: can it go with just one somehow? Like putting it in both the LAN and WAN zones and giving three different IP addresses to Raspi, FB4020, and Win8.1.

I will appreciate your opinion and input!

You don't need 2 wireguard interfaces, one is enough. You'll need 2 peer configurations. One for the other router and one for the roadwarrior win. You could use one subnet for all the wg peers, but it might feel easier to configure two separate for the roadwarrior win. The 2 lan segments must have separate subnets.
You can assign the wg interfaces to lan zones of both routers.

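As an added example (editor's, not code from any post in this thread): the layout the reply describes, one WireGuard interface on the Raspi with two peer entries, rendered as /etc/config/network stanzas by a POSIX shell function, for the final layout in which each router has its own internet connection. Everything concrete in it is assumed: the peer section names fb4020 and win81, the tunnel addresses 192.168.9.1/24 (Raspi), 192.168.9.2/32 (FB4020) and 192.168.9.3/32 (the Win8.1 road warrior), the endpoint host and the key placeholders. The LAN subnets 192.168.1.0/24 and 192.168.10.0/24 are the ones this thread uses.

```shell
#!/bin/sh
# Render the Raspi (Net1) side of a one-interface WireGuard setup:
# one 'vpn' interface, two peers (site peer FB4020, road warrior Win8.1).
# Addresses, peer names, key placeholders and endpoint are assumed values.

# Print the UCI stanzas for /etc/config/network on the Raspi.
render_raspi_network_config() {
    cat <<'EOF'
config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51821'
	option private_key 'RASPI_PRIVATE_KEY_PLACEHOLDER'
	list addresses '192.168.9.1/24'

# Site peer: FB4020. allowed_ips carries its tunnel address AND its LAN;
# route_allowed_ips installs the route to 192.168.10.0/24 via the tunnel.
config wireguard_vpn 'fb4020'
	option public_key 'FB4020_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'fb4020.example.invalid'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips '192.168.10.0/24'

# Road warrior: Win8.1. Only its own /32 is allowed; it reaches both LANs
# because the vpn interface sits in the lan zone and the site route exists.
config wireguard_vpn 'win81'
	option public_key 'WIN81_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '192.168.9.3/32'
EOF
}

# The mirror entry on FB4020 (Net2). Its peer entry for the Raspi must allow
# the whole tunnel subnet, not only 192.168.9.1/32: packets from the road
# warrior (source 192.168.9.3) arrive through the Raspi's tunnel, and WireGuard
# drops any inner packet whose source lies outside the sending peer's allowed_ips.
render_fb4020_peer_config() {
    cat <<'EOF'
config wireguard_vpn 'raspi'
	option public_key 'RASPI_PUBLIC_KEY_PLACEHOLDER'
	option route_allowed_ips '1'
	list allowed_ips '192.168.9.0/24'
	list allowed_ips '192.168.1.0/24'
EOF
}
```

On both routers the vpn interface then goes into the lan zone (`list network 'vpn'` in the zone section of /etc/config/firewall), which is what the reply means by assigning the wg interfaces to the lan zones; the two LAN subnets must differ, or the allowed_ips on the site peer would swallow local traffic.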

Thank you so much for your reply ! I will give it a try with just one interface.

Now I realized that I can't do this experiment at this point: I don't have the second internet contract yet, so for now I have FB4020 behind Raspi, and trying to set FB4020 up as much as possible. It seems that wireguard doesn't work if both the server and client are under the same public address: I tried to use WG client on win8.1 while being on the net of Raspi, and it already didn't work. I thought that I might try to set the static route for the public IP, so that it will go out once, and come back again, by setting the gateway to be 8.8.8.8, but when I look at traceroute, it doesn't seem to go away at all.

I should perhaps just wait till I get the second internet connection, but is it possible to make it work in the current situation?

Better wait for the second connection. Otherwise you'll have to reconfigure it when you get it.

OK... yeah, since I have a Wireguard connection from Win8.1 to FB4020 anyway, perhaps I should just wait; I won't have to run back and forth.

Meanwhile, I wanted to have access to the GUI of FB4020 while on the Raspi net anyway. I'm not very familiar with port forwarding; I just set "any protocol", source=wan, destination=lan, internal IP address: 192.168.10.1/24,
and then it worked (I accessed the WAN address of FB4020 from the Raspi). I wonder if I opened more than necessary? What would be a proper way of forwarding a port in this situation?

You may want to narrow it down to TCP port 80 or 443. Like the way you have it you won't be able to create any other forwarding rule.


Thank you! It worked!
Now I realized that either way (i.e. narrowed down or just allowing all), I cannot access the GUI of a device on the same subnet. I set a static route on the Raspi for 192.168.10.0/24 through 192.168.1.101 (WAN address of FB4020), but it just took me to the LuCI of the FB4020 when I tried to open 192.168.10.118 (GUI of something else).

Is that supposed to be possible at all? Could you please tell me how that works?

You need to add a redirect rule on FB4020 for tcp 80 or 443 for packets coming from wan towards the .10.118.

Thank you for your hint ! However I didn't manage to figure out how to make it work.... I did the following:

(1). On raspi, I set this (over luci, but I'm pasting config file here, in the style of wiki.)

config route
	option interface 'lan'
	option netmask '255.255.255.0'
	option gateway '192.168.1.101'
	option target '192.168.10.1/24'

(2). On FB4020 I set this:

config redirect
	option target 'DNAT'
	option name 'Pap2t access'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.10.118'

I had thought that (1) would take my request for 192.168.10.118 to the entrance of FB4020, which is 192.168.1.101 (WAN address), and then (2) on FB4020 would take it to the GUI at 192.168.10.118. But obviously I'm not getting it right... could you please correct me?

The redirect seems right.
The route is wrong, change target to 192.168.10.0
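As an added example (editor's, not from any post in this thread) of the point made in this reply: a static-route target has to be the network address, because the kernel rejects a route whose prefix has host bits set (192.168.10.1 with a /24 mask) and the route is simply never installed. The POSIX shell functions below compute the network address from a dotted address and netmask and emit a 'config route' stanza with the target normalised; the function names and the demo values are constructed for this example.

```shell
#!/bin/sh
# Normalise a static-route target to its network address before writing the
# UCI stanza. '192.168.10.1' with netmask 255.255.255.0 must become
# '192.168.10.0'. Pure POSIX sh arithmetic, no external tools required.

# ipv4_network ADDRESS NETMASK -> prints ADDRESS & NETMASK in dotted form.
# Runs in a subshell so changing IFS and the positional parameters stays local.
ipv4_network() (
    IFS=.
    set -- $1 $2            # splits both dotted quads into 8 octets
    printf '%d.%d.%d.%d\n' "$(($1 & $5))" "$(($2 & $6))" "$(($3 & $7))" "$(($4 & $8))"
)

# route_target_is_network ADDRESS NETMASK -> exit 0 if ADDRESS already is the
# network address, 1 if it is a host address inside that network.
route_target_is_network() {
    [ "$(ipv4_network "$1" "$2")" = "$1" ]
}

# uci_route_stanza IFACE TARGET NETMASK GATEWAY -> prints a 'config route'
# stanza with the target normalised; notes on stderr when it had to correct it.
uci_route_stanza() {
    iface=$1 target=$2 mask=$3 gw=$4
    net=$(ipv4_network "$target" "$mask")
    if [ "$net" != "$target" ]; then
        echo "note: target $target is a host address; using network address $net" >&2
    fi
    printf "config route\n\toption interface '%s'\n\toption target '%s'\n\toption netmask '%s'\n\toption gateway '%s'\n" \
        "$iface" "$net" "$mask" "$gw"
}

# Stand-alone demo with the values from this thread (constructed input):
#   sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    uci_route_stanza lan 192.168.10.1 255.255.255.0 192.168.1.101
fi
```

The same check is worth running on any 'config route' you type into LuCI: if `route_target_is_network` fails for the target, the route will not appear in `ip -4 ro li tab all`, which is also a quick way to confirm on the box whether a route actually got installed.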

In fact I had it that way earlier, but since it didn't work, I changed it to 10.1. I brought it back:

config route
	option interface 'lan'
	option netmask '255.255.255.0'
	option gateway '192.168.1.101'
	option target '192.168.10.0'

but it still doesn't work; I'm taken to LuCI when I try to access 192.168.10.118. Now I see that any address 192.168.10.n, where n != 1, takes me to LuCI, but 192.168.10.1 doesn't, even though that's the only right address for it (aside from 192.168.1.101 on the WAN side).

Now I realized that if I change the general setting of WAN to device from "reject" to "accept", then 192.168.10.1 will take me to luci, too.

So it looks like access to luci through 192.168.10.1 is blocked by wan->device reject.

I thought that this redirecting any 192.168.10.n into luci of the router might have something to do with "masquerading" checked on wan->, so I unchecked it, but it didn't stop....

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Thank you for taking a look! Sorry it's very long... First it's from the Raspi. It looks like I have to cut it in half: too long for a post.

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.124",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.4",
	"board_name": "raspberrypi,4-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.0-rc3",
		"revision": "r16172-2aba3e9784",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 21.02.0-rc3 r16172-2aba3e9784"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde4:e3d5:8959::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'eth0.16'

config interface 'WAN'
	option proto 'pppoe'
	option username 'xxxxxxxx@t-online.de'
	option password '676xxxx'
	option ipv6 'auto'
	option metric '10'
	option device 'eth0.7'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '208.67.222.123'
	list dns '208.67.220.123'

config interface 'guest'
	option proto 'static'
	option device 'eth0.11'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'students'
	option proto 'static'
	option device 'eth0.15'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'lan12admin'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option device 'eth0.12'

config interface 'WAN_nat'
	option proto 'dhcp'
	option metric '20'
	option device 'eth0.8'

config interface 'telefon'
	option device 'eth0.17'
	option proto 'static'
	list ipaddr '192.168.5.1/24'

config device
	option type 'bridge'
	option name 'br-12'
	list ports 'eth0.12'

config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51821'
	option private_key 'aFDNDFVfWxnOz9h/xxx'
	list addresses '192.168.9.3/24'

config wireguard_vpn 'wgserver'
	option public_key 'L1/ozA3HqMKy7KR/lASUZQ0xxx'
	list allowed_ips '192.168.9.2/32'
	option description 'win8.1'

config route
	option interface 'WAN'
	option gateway '192.168.1.101'
	option target '192.168.9.0'
	option netmask '255.255.255.0'

config route
	option interface 'lan'
	option target '192.168.10.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.101'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan12admin'
	list network ''
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'
	list network 'modem'
	list network 'WAN_nat'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'IPv6 anyzone drop'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option dest '*'
	option target 'DROP'

config rule
	option name 'IPv6 device block'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config zone
	option name 'students'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'students'
	list network 'telefon'

config forwarding
	option src 'students'
	option dest 'wan'

config rule
	option name 'Guest DHCP+DNS'
	option family 'ipv4'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Student DHCP+DNS'
	option family 'ipv4'
	option src 'students'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'LAN access all'
	option src 'lan'
	option dest '*'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'all'

config zone
	option name 'Telefon'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'Telefon'

config forwarding
	option src 'Telefon'
	option dest 'wan'

config rule
	option name 'Telefon DNS DHCP'
	option src 'Telefon'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'IoT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'IoT'

config rule
	option name 'guests cant access others'
	list proto 'all'
	option src 'guest'
	option dest '*'
	list dest_ip '192.168.1.0/24'
	list dest_ip '192.168.3.0/24'
	list dest_ip '192.168.4.0/24'
	option target 'DROP'

config rule
	option name 'Students don'\''t see the others'
	list proto 'all'
	option src 'students'
	option dest '*'
	list dest_ip '192.168.1.0/24'
	list dest_ip '192.168.2.0/24'
	list dest_ip '192.168.4.0/24'
	option target 'DROP'

config zone
	option name 'vlan12'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vlan12'
	option dest 'wan'

config rule
	option name 'vlan12 dhcp dns'
	option family 'ipv4'
	option src 'vlan12'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'vlan 12 can'\''t see the others'
	option src 'vlan12'
	option dest '*'
	option target 'DROP'
	list proto 'all'
	list dest_ip '192.168.0.0/16'

config forwarding
	option src 'lan'
	option dest 'guest'

config include 'opennds'
	option type 'script'
	option path '/usr/lib/opennds/restart.sh'

config redirect
	option target 'DNAT'
	option name 'Port forwarding '
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	option dest_ip '192.168.1.101'
	list proto 'udp'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '51821'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.7 on Sun Dec 19 20:59:33 2021
*nat
:PREROUTING ACCEPT [747827:80886520]
:INPUT ACCEPT [335274:28777965]
:OUTPUT ACCEPT [506024:37715629]
:POSTROUTING ACCEPT [169279:13834216]
:ndsOUT - [0:0]
:postrouting_IoT_rule - [0:0]
:postrouting_Telefon_rule - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_students_rule - [0:0]
:postrouting_vlan12_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_IoT_rule - [0:0]
:prerouting_Telefon_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_students_rule - [0:0]
:prerouting_vlan12_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_IoT_postrouting - [0:0]
:zone_IoT_prerouting - [0:0]
:zone_Telefon_postrouting - [0:0]
:zone_Telefon_prerouting - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_students_postrouting - [0:0]
:zone_students_prerouting - [0:0]
:zone_vlan12_postrouting - [0:0]
:zone_vlan12_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[136816:13965327] -A PREROUTING -i eth0.11 -j ndsOUT
[747828:80886696] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[202367:29929690] -A PREROUTING -i eth0.16 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.12 -m comment --comment "!fw3" -j zone_lan_prerouting
[67:4394] -A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_lan_prerouting
[86044:4445163] -A PREROUTING -i pppoe-WAN -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.8 -m comment --comment "!fw3" -j zone_wan_prerouting
[109617:11757873] -A PREROUTING -i eth0.11 -m comment --comment "!fw3" -j zone_guest_prerouting
[349733:34749576] -A PREROUTING -i eth0.15 -m comment --comment "!fw3" -j zone_students_prerouting
[0:0] -A PREROUTING -i eth0.17 -m comment --comment "!fw3" -j zone_students_prerouting
[906177:88035662] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[129679:11037779] -A POSTROUTING -o eth0.16 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.12 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_lan_postrouting
[736898:74201446] -A POSTROUTING -o pppoe-WAN -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.8 -m comment --comment "!fw3" -j zone_wan_postrouting
[3135:453935] -A POSTROUTING -o eth0.11 -m comment --comment "!fw3" -j zone_guest_postrouting
[1549:140081] -A POSTROUTING -o eth0.15 -m comment --comment "!fw3" -j zone_students_postrouting
[0:0] -A POSTROUTING -o eth0.17 -m comment --comment "!fw3" -j zone_students_postrouting
[87:5568] -A ndsOUT -d 192.168.2.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 2050
[0:0] -A ndsOUT -m mark --mark 0x20000/0x30000 -j RETURN
[109617:11757873] -A ndsOUT -m mark --mark 0x30000/0x30000 -j RETURN
[775:44973] -A ndsOUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:2050
[26337:2156913] -A ndsOUT -j ACCEPT
[0:0] -A zone_IoT_postrouting -m comment --comment "!fw3: Custom IoT postrouting rule chain" -j postrouting_IoT_rule
[0:0] -A zone_IoT_prerouting -m comment --comment "!fw3: Custom IoT prerouting rule chain" -j prerouting_IoT_rule
[0:0] -A zone_Telefon_postrouting -m comment --comment "!fw3: Custom Telefon postrouting rule chain" -j postrouting_Telefon_rule
[0:0] -A zone_Telefon_prerouting -m comment --comment "!fw3: Custom Telefon prerouting rule chain" -j prerouting_Telefon_rule
[3135:453935] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[109617:11757873] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[129679:11037779] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.101/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.4.0/24 -d 192.168.1.101/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j SNAT --to-source 192.168.4.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.101/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j SNAT --to-source 192.168.9.3
[202434:29934084] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 79.25xxx/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j DNAT --to-destination 192.168.1.101:51820
[0:0] -A zone_lan_prerouting -s 192.168.4.0/24 -d 79.25xxx/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j DNAT --to-destination 192.168.1.101:51820
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 79.xxx/32 -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding  (reflection)" -j DNAT --to-destination 192.168.1.101:51820
[1549:140081] -A zone_students_postrouting -m comment --comment "!fw3: Custom students postrouting rule chain" -j postrouting_students_rule
[349733:34749576] -A zone_students_prerouting -m comment --comment "!fw3: Custom students prerouting rule chain" -j prerouting_students_rule
[0:0] -A zone_vlan12_postrouting -m comment --comment "!fw3: Custom vlan12 postrouting rule chain" -j postrouting_vlan12_rule
[0:0] -A zone_vlan12_prerouting -m comment --comment "!fw3: Custom vlan12 prerouting rule chain" -j prerouting_vlan12_rule
[736898:74201446] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[736898:74201446] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[86044:4445163] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[1:176] -A zone_wan_prerouting -p udp -m udp --dport 51820 -m comment --comment "!fw3: Port forwarding " -j DNAT --to-destination 192.168.1.101:51820
COMMIT
# Completed on Sun Dec 19 20:59:33 2021
# Generated by iptables-save v1.8.7 on Sun Dec 19 20:59:33 2021
*raw
:PREROUTING ACCEPT [159927288:159594167336]
:OUTPUT ACCEPT [3393007:443010502]
:zone_IoT_helper - [0:0]
:zone_Telefon_helper - [0:0]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
:zone_students_helper - [0:0]
:zone_vlan12_helper - [0:0]
[11995251:2964575881] -A PREROUTING -i eth0.16 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i eth0.12 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[430:48380] -A PREROUTING -i vpn -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[7696634:2132650095] -A PREROUTING -i eth0.11 -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
[20270343:6069965426] -A PREROUTING -i eth0.15 -m comment --comment "!fw3: students CT helper assignment" -j zone_students_helper
[0:0] -A PREROUTING -i eth0.17 -m comment --comment "!fw3: students CT helper assignment" -j zone_students_helper
COMMIT
# Completed on Sun Dec 19 20:59:33 2021
# Generated by iptables-save v1.8.7 on Sun Dec 19 20:59:33 2021
*mangle
:PREROUTING ACCEPT [11903827:12637400129]
:INPUT ACCEPT [425235:44741172]
:FORWARD ACCEPT [11478545:12592655009]
:OUTPUT ACCEPT [434398:45578395]
:POSTROUTING ACCEPT [11911678:12638168461]
:ndsALW - [0:0]
:ndsBLK - [0:0]
:ndsINC - [0:0]
:ndsOUT - [0:0]
:ndsTRU - [0:0]
[7696634:2132650095] -A PREROUTING -i eth0.11 -j ndsOUT
[7696634:2132650095] -A PREROUTING -i eth0.11 -j ndsBLK
[7696634:2132650095] -A PREROUTING -i eth0.11 -j ndsTRU
[207762:12283638] -A FORWARD -o pppoe-WAN -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[196698:11107672] -A FORWARD -i pppoe-WAN -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.8 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.8 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[23816583:31465404553] -A POSTROUTING -o eth0.11 -j ndsINC
COMMIT
# Completed on Sun Dec 19 20:59:33 2021
# Generated by iptables-save v1.8.7 on Sun Dec 19 20:59:33 2021
*filter
:INPUT ACCEPT [2:2392]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_IoT_rule - [0:0]
:forwarding_Telefon_rule - [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_students_rule - [0:0]
:forwarding_vlan12_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_IoT_rule - [0:0]
:input_Telefon_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_students_rule - [0:0]
:input_vlan12_rule - [0:0]
:input_wan_rule - [0:0]
:ndsAUT - [0:0]
:ndsNET - [0:0]
:ndsRTR - [0:0]
:ndsTRT - [0:0]
:ndsTRU - [0:0]
:ndsULR - [0:0]
:output_IoT_rule - [0:0]
:output_Telefon_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_students_rule - [0:0]
:output_vlan12_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_IoT_dest_ACCEPT - [0:0]
:zone_IoT_dest_REJECT - [0:0]
:zone_IoT_forward - [0:0]
:zone_IoT_input - [0:0]
:zone_IoT_output - [0:0]
:zone_IoT_src_ACCEPT - [0:0]
:zone_Telefon_dest_ACCEPT - [0:0]
:zone_Telefon_forward - [0:0]
:zone_Telefon_input - [0:0]
:zone_Telefon_output - [0:0]
:zone_Telefon_src_REJECT - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_students_dest_ACCEPT - [0:0]
:zone_students_dest_REJECT - [0:0]
:zone_students_forward - [0:0]
:zone_students_input - [0:0]
:zone_students_output - [0:0]
:zone_students_src_REJECT - [0:0]
:zone_vlan12_dest_ACCEPT - [0:0]
:zone_vlan12_dest_REJECT - [0:0]
:zone_vlan12_forward - [0:0]
:zone_vlan12_input - [0:0]
:zone_vlan12_output - [0:0]
:zone_vlan12_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[81937:7160938] -A INPUT -i eth0.11 -j ndsRTR
[595311:62714880] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2548708:275202560] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2010220:203184039] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[69853:2891389] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[234412:52628322] -A INPUT -i eth0.16 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.12 -m comment --comment "!fw3" -j zone_lan_input
[65:4290] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[136262:6503651] -A INPUT -i pppoe-WAN -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.8 -m comment --comment "!fw3" -j zone_wan_input
[3559:745337] -A INPUT -i eth0.11 -m comment --comment "!fw3" -j zone_guest_input
[164154:12135337] -A INPUT -i eth0.15 -m comment --comment "!fw3" -j zone_students_input
[0:0] -A INPUT -i eth0.17 -m comment --comment "!fw3" -j zone_students_input
[7614613:2125482695] -A FORWARD -i eth0.11 -j ndsNET
[156682524:159248075564] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[156162609:159184665157] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[257132:26249784] -A FORWARD -i eth0.16 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.12 -m comment --comment "!fw3" -j zone_lan_forward
[6:304] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[1:176] -A FORWARD -i pppoe-WAN -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.8 -m comment --comment "!fw3" -j zone_wan_forward
[58033:8690203] -A FORWARD -i eth0.11 -m comment --comment "!fw3" -j zone_guest_forward
[204743:28469940] -A FORWARD -i eth0.15 -m comment --comment "!fw3" -j zone_students_forward
[0:0] -A FORWARD -i eth0.17 -m comment --comment "!fw3" -j zone_students_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[595309:62714704] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2797665:380292762] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2122698:319419849] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[130206:11240495] -A OUTPUT -o eth0.16 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.12 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[541886:48900728] -A OUTPUT -o pppoe-WAN -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.8 -m comment --comment "!fw3" -j zone_wan_output
[2407:594998] -A OUTPUT -o eth0.11 -m comment --comment "!fw3" -j zone_guest_output
[468:136692] -A OUTPUT -o eth0.15 -m comment --comment "!fw3" -j zone_students_output
[0:0] -A OUTPUT -o eth0.17 -m comment --comment "!fw3" -j zone_students_output
[0:0] -A ndsNET -m mark --mark 0x10000/0x30000 -j DROP
[2729:179620] -A ndsNET -m conntrack --ctstate INVALID -j DROP
[66409:3888692] -A ndsNET -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A ndsNET -m mark --mark 0x20000/0x30000 -j ACCEPT
[7592628:2123758491] -A ndsNET -m mark --mark 0x30000/0x30000 -j RETURN
[19256:1544584] -A ndsNET -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsNET -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsRTR -m mark --mark 0x10000/0x30000 -j DROP
[0:0] -A ndsRTR -m conntrack --ctstate INVALID -j DROP
[13964:1467378] -A ndsRTR -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
[1352:80137] -A ndsRTR -p tcp -m tcp --dport 2050 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 2050 -j ACCEPT
[0:0] -A ndsRTR -m mark --mark 0x20000/0x30000 -j ACCEPT
[7:372] -A ndsRTR -p tcp -m tcp --dport 53 -j ACCEPT
[60390:4236063] -A ndsRTR -p udp -m udp --dport 53 -j ACCEPT
[1649:541792] -A ndsRTR -p udp -m udp --dport 67 -j ACCEPT
[54:18037] -A ndsRTR -p udp -m udp --dport 68 -j ACCEPT
[3559:745337] -A ndsRTR -m mark --mark 0x30000/0x30000 -j RETURN
[962:71822] -A ndsRTR -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsULR -j RETURN
[119434:4940195] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[16708:2118029] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[69817:2889805] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[36:1584] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_IoT_forward -m comment --comment "!fw3: Custom IoT forwarding rule chain" -j forwarding_IoT_rule
[0:0] -A zone_IoT_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_IoT_forward -m comment --comment "!fw3" -j zone_IoT_dest_REJECT
[0:0] -A zone_IoT_input -m comment --comment "!fw3: Custom IoT input rule chain" -j input_IoT_rule
[0:0] -A zone_IoT_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_IoT_input -m comment --comment "!fw3" -j zone_IoT_src_ACCEPT
[0:0] -A zone_IoT_output -m comment --comment "!fw3: Custom IoT output rule chain" -j output_IoT_rule
[0:0] -A zone_IoT_output -m comment --comment "!fw3" -j zone_IoT_dest_ACCEPT
[0:0] -A zone_Telefon_forward -m comment --comment "!fw3: Custom Telefon forwarding rule chain" -j forwarding_Telefon_rule
[0:0] -A zone_Telefon_forward -m comment --comment "!fw3: Zone Telefon to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_Telefon_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Telefon_forward -m comment --comment "!fw3" -j zone_Telefon_dest_ACCEPT
[0:0] -A zone_Telefon_input -m comment --comment "!fw3: Custom Telefon input rule chain" -j input_Telefon_rule
[0:0] -A zone_Telefon_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Telefon DNS DHCP" -j ACCEPT
[0:0] -A zone_Telefon_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Telefon_input -m comment --comment "!fw3" -j zone_Telefon_src_REJECT
[0:0] -A zone_Telefon_output -m comment --comment "!fw3: Custom Telefon output rule chain" -j output_Telefon_rule
[0:0] -A zone_Telefon_output -m comment --comment "!fw3" -j zone_Telefon_dest_ACCEPT
[2407:594998] -A zone_guest_dest_ACCEPT -o eth0.11 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o eth0.11 -m comment --comment "!fw3" -j reject
[58033:8690203] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[397:27556] -A zone_guest_forward -d 192.168.1.0/24 -m comment --comment "!fw3: guests cant access others" -j DROP
[1518:97152] -A zone_guest_forward -d 192.168.3.0/24 -m comment --comment "!fw3: guests cant access others" -j DROP
[0:0] -A zone_guest_forward -d 192.168.4.0/24 -m comment --comment "!fw3: guests cant access others" -j DROP
[56118:8565495] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[3559:745337] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Guest DHCP+DNS" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3559:745337] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[2407:594998] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[2407:594998] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[3559:745337] -A zone_guest_src_REJECT -i eth0.11 -m comment --comment "!fw3" -j reject
[130206:11240495] -A zone_lan_dest_ACCEPT -o eth0.16 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o eth0.12 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[257138:26250088] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[257138:26250088] -A zone_lan_forward -m comment --comment "!fw3: LAN access all" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to Telefon forwarding policy" -j zone_Telefon_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to IoT forwarding policy" -j zone_IoT_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to guest forwarding policy" -j zone_guest_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[234477:52632612] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[234477:52632612] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[130206:11240495] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[130206:11240495] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[234410:52625930] -A zone_lan_src_ACCEPT -i eth0.16 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i eth0.12 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[65:4290] -A zone_lan_src_ACCEPT -i vpn -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[468:136692] -A zone_students_dest_ACCEPT -o eth0.15 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_students_dest_ACCEPT -o eth0.17 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_students_dest_REJECT -o eth0.15 -m comment --comment "!fw3" -j reject
[0:0] -A zone_students_dest_REJECT -o eth0.17 -m comment --comment "!fw3" -j reject
[204743:28469940] -A zone_students_forward -m comment --comment "!fw3: Custom students forwarding rule chain" -j forwarding_students_rule
[265:17580] -A zone_students_forward -d 192.168.1.0/24 -m comment --comment "!fw3: Students don\'t see the others" -j DROP
[277:20200] -A zone_students_forward -d 192.168.2.0/24 -m comment --comment "!fw3: Students don\'t see the others" -j DROP
[0:0] -A zone_students_forward -d 192.168.4.0/24 -m comment --comment "!fw3: Students don\'t see the others" -j DROP
[204201:28432160] -A zone_students_forward -m comment --comment "!fw3: Zone students to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_students_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_students_forward -m comment --comment "!fw3" -j zone_students_dest_REJECT
[164154:12135337] -A zone_students_input -m comment --comment "!fw3: Custom students input rule chain" -j input_students_rule
[42:1808] -A zone_students_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[0:0] -A zone_students_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[0:0] -A zone_students_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[154737:11244032] -A zone_students_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[474:159891] -A zone_students_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[19:6232] -A zone_students_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Student DHCP+DNS" -j ACCEPT
[0:0] -A zone_students_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[8882:723374] -A zone_students_input -m comment --comment "!fw3" -j zone_students_src_REJECT
[468:136692] -A zone_students_output -m comment --comment "!fw3: Custom students output rule chain" -j output_students_rule
[468:136692] -A zone_students_output -m comment --comment "!fw3" -j zone_students_dest_ACCEPT
[8882:723374] -A zone_students_src_REJECT -i eth0.15 -m comment --comment "!fw3" -j reject
[0:0] -A zone_students_src_REJECT -i eth0.17 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vlan12_forward -m comment --comment "!fw3: Custom vlan12 forwarding rule chain" -j forwarding_vlan12_rule
[0:0] -A zone_vlan12_forward -d 192.168.0.0/16 -m comment --comment "!fw3: vlan 12 can\'t see the others" -j DROP
[0:0] -A zone_vlan12_forward -m comment --comment "!fw3: Zone vlan12 to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vlan12_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vlan12_forward -m comment --comment "!fw3" -j zone_vlan12_dest_REJECT
[0:0] -A zone_vlan12_input -m comment --comment "!fw3: Custom vlan12 input rule chain" -j input_vlan12_rule
[0:0] -A zone_vlan12_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_vlan12_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_vlan12_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_vlan12_input -p udp -m udp --dport 53 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_vlan12_input -p udp -m udp --dport 67 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_vlan12_input -p udp -m udp --dport 68 -m comment --comment "!fw3: vlan12 dhcp dns" -j ACCEPT
[0:0] -A zone_vlan12_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vlan12_input -m comment --comment "!fw3" -j zone_vlan12_src_REJECT
[0:0] -A zone_vlan12_output -m comment --comment "!fw3: Custom vlan12 output rule chain" -j output_vlan12_rule
[0:0] -A zone_vlan12_output -m comment --comment "!fw3" -j zone_vlan12_dest_ACCEPT
[7383:371815] -A zone_wan_dest_ACCEPT -o pppoe-WAN -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[794822:85526568] -A zone_wan_dest_ACCEPT -o pppoe-WAN -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.8 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.8 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-WAN -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.8 -m comment --comment "!fw3" -j reject
[1:176] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[1:176] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[136262:6503651] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[12560:913962] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[1:176] -A zone_wan_input -p udp -m udp --dport 51821 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[123701:5589513] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[541886:48900728] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[541886:48900728] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[123701:5589513] -A zone_wan_src_REJECT -i pppoe-WAN -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.8 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Dec 19 20:59:33 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16887: eth0.11@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth0.11
       valid_lft forever preferred_lft forever
16888: eth0.16@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0.16
       valid_lft forever preferred_lft forever
16889: eth0.12@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global eth0.12
       valid_lft forever preferred_lft forever
16890: eth0.15@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth0.15
       valid_lft forever preferred_lft forever
16891: eth0.17@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.5.1/24 brd 192.168.5.255 scope global eth0.17
       valid_lft forever preferred_lft forever
16893: pppoe-WAN: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 79.254.117.120 peer 62.155.243.253/32 scope global pppoe-WAN
       valid_lft forever preferred_lft forever
16895: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.3/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
default via 62.155.243.253 dev pppoe-WAN proto static metric 10 
62.155.243.253 dev pppoe-WAN proto kernel scope link src 79.254.117.120 
79.254.125.88 via 62.155.243.253 dev pppoe-WAN proto static metric 10 
84.135.104.21 via 62.155.243.253 dev pppoe-WAN proto static metric 10 
192.168.1.0/24 dev eth0.16 proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev eth0.11 proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev eth0.15 proto kernel scope link src 192.168.3.1 
192.168.4.0/24 dev eth0.12 proto kernel scope link src 192.168.4.1 
192.168.5.0/24 dev eth0.17 proto kernel scope link src 192.168.5.1 
192.168.9.0/24 dev vpn proto kernel scope link src 192.168.9.3 
192.168.10.0/24 via 192.168.1.101 dev eth0.16 proto static 
local 79.254.117.120 dev pppoe-WAN table local proto kernel scope host src 79.2xxx 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev eth0.16 table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev eth0.16 table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev eth0.16 table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.2.0 dev eth0.11 table local proto kernel scope link src 192.168.2.1 
local 192.168.2.1 dev eth0.11 table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev eth0.11 table local proto kernel scope link src 192.168.2.1 
broadcast 192.168.3.0 dev eth0.15 table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev eth0.15 table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev eth0.15 table local proto kernel scope link src 192.168.3.1 
broadcast 192.168.4.0 dev eth0.12 table local proto kernel scope link src 192.168.4.1 
local 192.168.4.1 dev eth0.12 table local proto kernel scope host src 192.168.4.1 
broadcast 192.168.4.255 dev eth0.12 table local proto kernel scope link src 192.168.4.1 
broadcast 192.168.5.0 dev eth0.17 table local proto kernel scope link src 192.168.5.1 
local 192.168.5.1 dev eth0.17 table local proto kernel scope host src 192.168.5.1 
broadcast 192.168.5.255 dev eth0.17 table local proto kernel scope link src 192.168.5.1 
broadcast 192.168.9.0 dev vpn table local proto kernel scope link src 192.168.9.3 
local 192.168.9.3 dev vpn table local proto kernel scope host src 192.168.9.3 
broadcast 192.168.9.255 dev vpn table local proto kernel scope link src 192.168.9.3 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

And this is from FB4020 (Openwrt2)
root@OpenWrt2:~# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.154",
	"hostname": "OpenWrt2",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "AVM FRITZ!Box 4020",
	"board_name": "avm,fritz4020",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "ath79/generic",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7b:8e0b:fa87::/48'

config device
	option name 'eth1'
	option macaddr '44:4E:6D:0F:E9:B8'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '208.67.222.123'
	list dns '208.67.220.123'
	option metric '10'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '44:4E:6D:0F:E9:B7'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option type 'bridge'
	option device 'br-16'
	option ipaddr '192.168.10.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-11'
	list dns '208.67.222.222'
	list dns '208.67.220.220'

config interface 'resident'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-15'
	list dns '208.67.222.222'
	list dns '208.67.222.220'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.11'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-16'
	list ports 'eth0.16'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '16'
	option ports '0t 1 3t 4'

config device
	option type 'bridge'
	option name 'br-11'
	list ports 'eth0.11'
	option ipv6 '0'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option vid '11'
	option ports '0t 3t'

config device
	option type 'bridge'
	option name 'br-15'
	list ports 'eth0.15'

config switch_vlan
	option device 'switch0'
	option vlan '8'
	option vid '15'
	option ports '0t'

config interface 'vlan12'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option device 'br-12'
	list dns '208.67.222.222'
	list dns '208.67.222.220'

config device
	option type 'bridge'
	option name 'br-12'
	list ports 'eth0.12'

config switch_vlan
	option device 'switch0'
	option vlan '9'
	option vid '12'
	option ports '0t'

config interface 'WANb'
	option proto 'dhcp'
	option device 'eth0.7'
	option metric '20'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '0t 2'
	option vid '7'

config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'
	option private_key 'MB5yqf3Z7U/mDyJdURr xxx'

config wireguard_vpn 'wgclient'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
	option public_key 'WDG1WvM2kstCvNSS4Rvxxx'
	option description 'Win8.1'
	option persistent_keepalive '25'

config route
	option interface 'wan'
	option target '192.168.10.0'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'guest'
	list network 'vlan12'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WANb'
	option input 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'IPv6 device block'
	option family 'ipv6'
	option src '*'
	option target 'DROP'
	list proto 'all'

config rule
	option name 'IPv6 forward drop'
	option family 'ipv6'
	list proto 'all'
	option src '*'
	option dest '*'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'resident'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'resident'

config rule
	option name 'guest DNS DHCP'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'resident DHCP DNS'
	option src 'resident'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'guest forward block'
	list proto 'all'
	option src 'guest'
	option dest '*'
	list dest_ip '192.168.0.0/16'
	option target 'DROP'

config rule
	option name 'resident forward drop'
	list proto 'all'
	option src 'resident'
	option dest '*'
	list dest_ip '192.168.0.0/16'
	option target 'DROP'

config include 'opennds'
	option type 'script'
	option path '/usr/lib/opennds/restart.sh'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	list proto 'tcp'
	option src_dport '80'
	option name 'from Raspi luci'
	option dest_ip '192.168.10.1/24'

config nat
	option name 'pap2t access from WAN'
	list proto 'tcp'
	option src 'wan'
	option dest_ip '192.168.10.118'
	option dest_port '80'
	option target 'MASQUERADE'
	option enabled '0'

config rule
	option name 'pap2t access from wan'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	list dest_ip '192.168.10.118'
	option dest_port '80'
	option target 'ACCEPT'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'from raspi ssh'
	option src 'wan'
	option src_dport '22'
	option dest 'lan'
	option dest_ip '192.168.10.1/24'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option target 'DNAT'
	option name 'Pap2t access'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.10.118/24'


# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.7 on Sun Dec 19 21:07:15 2021
*nat
:PREROUTING ACCEPT [15278:7982275]
:INPUT ACCEPT [198:18488]
:OUTPUT ACCEPT [2611:171479]
:POSTROUTING ACCEPT [1426:85612]
:ndsOUT - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_resident_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_resident_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_resident_postrouting - [0:0]
:zone_resident_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[361:35201] -A PREROUTING -i br-11 -j ndsOUT
[15296:7983423] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[171:14109] -A PREROUTING -i br-16 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i br-11 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i br-12 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_lan_prerouting
[15125:7969314] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.7 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-15 -m comment --comment "!fw3" -j zone_resident_prerouting
[2615:172337] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-16 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-11 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-12 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_lan_postrouting
[1189:86725] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.7 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-15 -m comment --comment "!fw3" -j zone_resident_postrouting
[0:0] -A ndsOUT -d 192.168.2.1/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 2050
[0:0] -A ndsOUT -m mark --mark 0x20000/0x30000 -j RETURN
[0:0] -A ndsOUT -m mark --mark 0x30000/0x30000 -j RETURN
[19:1048] -A ndsOUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:2050
[342:34153] -A ndsOUT -j ACCEPT
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci (reflection)" -j SNAT --to-source 192.168.2.1
[0:0] -A zone_lan_postrouting -s 192.168.4.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci (reflection)" -j SNAT --to-source 192.168.4.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.0/24 -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j SNAT --to-source 192.168.2.1
[0:0] -A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.10.0/24 -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j SNAT --to-source 192.168.2.1
[0:0] -A zone_lan_postrouting -s 192.168.4.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j SNAT --to-source 192.168.4.1
[0:0] -A zone_lan_postrouting -s 192.168.4.0/24 -d 192.168.10.0/24 -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j SNAT --to-source 192.168.4.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.10.0/24 -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access (reflection)" -j SNAT --to-source 192.168.2.1
[0:0] -A zone_lan_postrouting -s 192.168.4.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access (reflection)" -j SNAT --to-source 192.168.4.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.10.0/24 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access (reflection)" -j SNAT --to-source 192.168.9.1
[171:14109] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci (reflection)" -j DNAT --to-destination 192.168.10.1:80
[0:0] -A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci (reflection)" -j DNAT --to-destination 192.168.10.1:80
[0:0] -A zone_lan_prerouting -s 192.168.4.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci (reflection)" -j DNAT --to-destination 192.168.10.1:80
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci (reflection)" -j DNAT --to-destination 192.168.10.1:80
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 192.168.1.101/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.1.101/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_lan_prerouting -s 192.168.4.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_lan_prerouting -s 192.168.4.0/24 -d 192.168.1.101/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.101/32 -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh (reflection)" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access (reflection)" -j DNAT --to-destination 192.168.10.118:80
[0:0] -A zone_lan_prerouting -s 192.168.2.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access (reflection)" -j DNAT --to-destination 192.168.10.118:80
[0:0] -A zone_lan_prerouting -s 192.168.4.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access (reflection)" -j DNAT --to-destination 192.168.10.118:80
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.101/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access (reflection)" -j DNAT --to-destination 192.168.10.118:80
[0:0] -A zone_resident_postrouting -m comment --comment "!fw3: Custom resident postrouting rule chain" -j postrouting_resident_rule
[0:0] -A zone_resident_prerouting -m comment --comment "!fw3: Custom resident prerouting rule chain" -j prerouting_resident_rule
[1189:86725] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1189:86725] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[15125:7969314] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[16:1024] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci" -j DNAT --to-destination 192.168.10.1:80
[2:124] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access" -j DNAT --to-destination 192.168.10.118:80
COMMIT
# Completed on Sun Dec 19 21:07:15 2021
# Generated by iptables-save v1.8.7 on Sun Dec 19 21:07:15 2021
*raw
:PREROUTING ACCEPT [55136:14554487]
:OUTPUT ACCEPT [41458:4978451]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
:zone_resident_helper - [0:0]
[6002:2344097] -A PREROUTING -i br-16 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i br-11 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i br-12 -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i br-15 -m comment --comment "!fw3: resident CT helper assignment" -j zone_resident_helper
COMMIT
# Completed on Sun Dec 19 21:07:15 2021
# Generated by iptables-save v1.8.7 on Sun Dec 19 21:07:15 2021
*mangle
:PREROUTING ACCEPT [55141:14554783]
:INPUT ACCEPT [37906:8875481]
:FORWARD ACCEPT [11662:4604851]
:OUTPUT ACCEPT [41464:4979795]
:POSTROUTING ACCEPT [53126:9584646]
:ndsALW - [0:0]
:ndsBLK - [0:0]
:ndsINC - [0:0]
:ndsOUT - [0:0]
:ndsTRU - [0:0]
[519:51172] -A PREROUTING -i br-11 -j ndsOUT
[519:51172] -A PREROUTING -i br-11 -j ndsBLK
[519:51172] -A PREROUTING -i br-11 -j ndsTRU
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.7 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.7 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[235:115327] -A POSTROUTING -o br-11 -j ndsINC
COMMIT
# Completed on Sun Dec 19 21:07:15 2021
# Generated by iptables-save v1.8.7 on Sun Dec 19 21:07:15 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_resident_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_resident_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:ndsAUT - [0:0]
:ndsNET - [0:0]
:ndsRTR - [0:0]
:ndsTRT - [0:0]
:ndsTRU - [0:0]
:ndsULR - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_resident_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_resident_dest_ACCEPT - [0:0]
:zone_resident_dest_REJECT - [0:0]
:zone_resident_forward - [0:0]
:zone_resident_input - [0:0]
:zone_resident_output - [0:0]
:zone_resident_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[423:41429] -A INPUT -i br-11 -j ndsRTR
[22834:1529598] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[15076:7346091] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3281:349097] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[19:1212] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[169:13331] -A INPUT -i br-16 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-11 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-12 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[11626:6983663] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.7 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-15 -m comment --comment "!fw3" -j zone_resident_input
[12:608] -A FORWARD -i br-11 -j ndsNET
[11662:4604851] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[11659:4603684] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:1167] -A FORWARD -i br-16 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-11 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-12 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.7 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-15 -m comment --comment "!fw3" -j zone_resident_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[22837:1530849] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[18634:3450706] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[16357:3287013] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-16 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-11 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-12 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[2277:163693] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.7 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-15 -m comment --comment "!fw3" -j zone_resident_output
[0:0] -A ndsNET -m mark --mark 0x10000/0x30000 -j DROP
[0:0] -A ndsNET -m conntrack --ctstate INVALID -j DROP
[12:608] -A ndsNET -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A ndsNET -m mark --mark 0x20000/0x30000 -j ACCEPT
[0:0] -A ndsNET -m mark --mark 0x30000/0x30000 -j RETURN
[12:608] -A ndsNET -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsNET -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsRTR -m mark --mark 0x10000/0x30000 -j DROP
[0:0] -A ndsRTR -m conntrack --ctstate INVALID -j DROP
[151:13606] -A ndsRTR -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP
[25:1432] -A ndsRTR -p tcp -m tcp --dport 2050 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 2050 -j ACCEPT
[0:0] -A ndsRTR -m mark --mark 0x20000/0x30000 -j ACCEPT
[0:0] -A ndsRTR -p tcp -m tcp --dport 53 -j ACCEPT
[35:2269] -A ndsRTR -p udp -m udp --dport 53 -j ACCEPT
[6:2016] -A ndsRTR -p udp -m udp --dport 67 -j ACCEPT
[3:1005] -A ndsRTR -p udp -m udp --dport 68 -j ACCEPT
[0:0] -A ndsRTR -m mark --mark 0x30000/0x30000 -j RETURN
[203:21101] -A ndsRTR -j REJECT --reject-with icmp-port-unreachable
[0:0] -A ndsULR -j RETURN
[2:128] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[9521:6889578] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[19:1212] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -d 192.168.0.0/16 -m comment --comment "!fw3: guest forward block" -j DROP
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guest DNS DHCP" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: guest DNS DHCP" -j ACCEPT
[0:0] -A zone_guest_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: guest DNS DHCP" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guest DNS DHCP" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: guest DNS DHCP" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 68 -m comment --comment "!fw3: guest DNS DHCP" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-16 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-11 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-12 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[3:1167] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[3:1167] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[169:13331] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[169:13331] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[169:13331] -A zone_lan_src_ACCEPT -i br-16 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-11 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-12 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i vpn -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_resident_dest_ACCEPT -o br-15 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_resident_dest_REJECT -o br-15 -m comment --comment "!fw3" -j reject
[0:0] -A zone_resident_forward -m comment --comment "!fw3: Custom resident forwarding rule chain" -j forwarding_resident_rule
[0:0] -A zone_resident_forward -d 192.168.0.0/16 -m comment --comment "!fw3: resident forward drop" -j DROP
[0:0] -A zone_resident_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_resident_forward -m comment --comment "!fw3" -j zone_resident_dest_REJECT
[0:0] -A zone_resident_input -m comment --comment "!fw3: Custom resident input rule chain" -j input_resident_rule
[0:0] -A zone_resident_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: resident DHCP DNS" -j ACCEPT
[0:0] -A zone_resident_input -p tcp -m tcp --dport 67 -m comment --comment "!fw3: resident DHCP DNS" -j ACCEPT
[0:0] -A zone_resident_input -p tcp -m tcp --dport 68 -m comment --comment "!fw3: resident DHCP DNS" -j ACCEPT
[0:0] -A zone_resident_input -p udp -m udp --dport 53 -m comment --comment "!fw3: resident DHCP DNS" -j ACCEPT
[0:0] -A zone_resident_input -p udp -m udp --dport 67 -m comment --comment "!fw3: resident DHCP DNS" -j ACCEPT
[0:0] -A zone_resident_input -p udp -m udp --dport 68 -m comment --comment "!fw3: resident DHCP DNS" -j ACCEPT
[0:0] -A zone_resident_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_resident_input -m comment --comment "!fw3" -j zone_resident_src_REJECT
[0:0] -A zone_resident_output -m comment --comment "!fw3: Custom resident output rule chain" -j output_resident_rule
[0:0] -A zone_resident_output -m comment --comment "!fw3" -j zone_resident_dest_ACCEPT
[0:0] -A zone_resident_src_REJECT -i br-15 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[2280:164860] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.7 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.7 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.7 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[11626:6983663] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[31:10673] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[2055:82200] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[17:1084] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[9523:6889706] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2277:163693] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2277:163693] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[9523:6889706] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.7 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Dec 19 21:07:15 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.1.101/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
74: br-11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-11
       valid_lft forever preferred_lft forever
76: br-12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br-12
       valid_lft forever preferred_lft forever
78: br-15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-15
       valid_lft forever preferred_lft forever
80: br-16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-16
       valid_lft forever preferred_lft forever
83: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth1 proto static src 192.168.1.101 metric 10 
192.168.1.0/24 dev eth1 proto static scope link metric 10 
192.168.2.0/24 dev br-11 proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev br-15 proto kernel scope link src 192.168.3.1 
192.168.4.0/24 dev br-12 proto kernel scope link src 192.168.4.1 
192.168.9.0/24 dev vpn proto kernel scope link src 192.168.9.1 
192.168.10.0/24 dev br-16 proto kernel scope link src 192.168.10.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.101 
local 192.168.1.101 dev eth1 table local proto kernel scope host src 192.168.1.101 
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.101 
broadcast 192.168.2.0 dev br-11 table local proto kernel scope link src 192.168.2.1 
local 192.168.2.1 dev br-11 table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev br-11 table local proto kernel scope link src 192.168.2.1 
broadcast 192.168.3.0 dev br-15 table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev br-15 table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev br-15 table local proto kernel scope link src 192.168.3.1 
broadcast 192.168.4.0 dev br-12 table local proto kernel scope link src 192.168.4.1 
local 192.168.4.1 dev br-12 table local proto kernel scope host src 192.168.4.1 
broadcast 192.168.4.255 dev br-12 table local proto kernel scope link src 192.168.4.1 
broadcast 192.168.9.0 dev vpn table local proto kernel scope link src 192.168.9.1 
local 192.168.9.1 dev vpn table local proto kernel scope host src 192.168.9.1 
broadcast 192.168.9.255 dev vpn table local proto kernel scope link src 192.168.9.1 
broadcast 192.168.10.0 dev br-16 table local proto kernel scope link src 192.168.10.1 
local 192.168.10.1 dev br-16 table local proto kernel scope host src 192.168.10.1 
broadcast 192.168.10.255 dev br-16 table local proto kernel scope link src 192.168.10.1 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
root@OpenWrt2:~#

On Raspi:

This route is wrong, delete it.

Has no member interfaces.
Same for IoT.

On FB4020:

This is wrong, delete it.

This should be a rule to allow port 80, not a port forward. You can have only one device listening to port 80, the other rules you have later for pap2t will not work.

This should also be a rule, not port forward. SSH works with tcp only.


Thank you very much for checking and correcting!

This was for Wireguard to FB4020 from outside (i.e. another net), and not for accessing 192.168.10.xx from Raspi. It was working OK for that purpose. Is it still wrong?

Otherwise, I managed to straighten it up and make it work as I wanted: 192.168.10.1 for LuCI of FB4020, 192.168.10.118 for Pap2t, accessible from Raspi.
I think I got the point; I was confused about port forwarding and allowing access to a port. "Forwarding", for example, is if I want Wireguard access from outside to FB4020 through Raspi: something comes from outside to port 51820, but the first router is Raspi, so Raspi will have to "forward" it to FB4020, and on FB4020 that port has to be opened by a traffic rule.
And what I'm trying to do now is just accessing FB4020 from Raspi, so there is nothing about port forwarding; the port I need just has to be open.

Did I get it right?
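The two points made above (a second DNAT for the same WAN port never fires, and SSH has no UDP variant) can be checked mechanically against an iptables-save dump. The following audit script is an added example, not code from the thread or from OpenWrt; it parses the four zone_wan_prerouting lines copied from the FB4020 dump, reports shadowed and pointless forwards, and rewrites a forward that targets the router itself as the fw3 traffic rule the reply recommends (ROUTER_ADDRS and the "!fw3: " comment prefix handling are assumptions).

```python
import re

# Constructed sample input: the four zone_wan_prerouting DNAT lines from the
# FB4020 iptables-save dump posted in this thread, copied verbatim.
SAMPLE_DUMP = """\
[16:1024] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: from Raspi luci" -j DNAT --to-destination 192.168.10.1:80
[2:124] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: from raspi ssh" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 22 -m comment --comment "!fw3: from raspi ssh" -j DNAT --to-destination 192.168.10.1:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Pap2t access" -j DNAT --to-destination 192.168.10.118:80
"""

# Assumption: addresses owned by the router itself (FB4020's LAN address in the
# dump). A DNAT whose target is the router is an "open this port" rule in disguise.
ROUTER_ADDRS = {"192.168.10.1"}

FORWARD_RE = re.compile(
    r'-A zone_wan_prerouting .*?-p (?P<proto>tcp|udp) .*?--dport (?P<dport>\d+) '
    r'.*?--comment "(?P<comment>[^"]*)" .*?-j DNAT --to-destination '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<to_port>\d+)'
)


def parse_forwards(dump):
    """Extract the WAN-side DNAT port forwards from iptables-save text."""
    return [m.groupdict() for m in map(FORWARD_RE.search, dump.splitlines()) if m]


def find_shadowed(forwards):
    """Pair each dead forward with the earlier forward that shadows it.

    iptables walks the chain top-down and DNAT is a terminating target, so the
    first rule for a (proto, port) pair always wins; a later forward for the
    same WAN port (the Pap2t rule in the dump) is unreachable."""
    first, shadowed = {}, []
    for fw in forwards:
        key = (fw["proto"], fw["dport"])
        if key in first:
            shadowed.append((first[key], fw))
        else:
            first[key] = fw
    return shadowed


def find_udp_ssh(forwards):
    """SSH is TCP only; a UDP/22 forward never carries SSH, it only widens exposure."""
    return [fw for fw in forwards if fw["proto"] == "udp" and fw["to_port"] == "22"]


def suggest_uci_rule(fw, router_addrs=ROUTER_ADDRS):
    """Rewrite a forward that targets the router itself as a UCI 'config rule'.

    Returns None when the target is another host, where a real redirect is needed."""
    if fw["dst"] not in router_addrs:
        return None
    name = fw["comment"]
    if name.startswith("!fw3: "):          # fw3 prefixes generated comments this way
        name = name[len("!fw3: "):]
    return "\n".join([
        "config rule",
        f"\toption name '{name}'",
        "\toption src 'wan'",
        f"\toption proto '{fw['proto']}'",
        f"\toption dest_port '{fw['dport']}'",
        "\toption target 'ACCEPT'",
    ])


def audit(dump, router_addrs=ROUTER_ADDRS):
    """Run every check and return the findings as plain strings."""
    forwards = parse_forwards(dump)
    findings = []
    for winner, loser in find_shadowed(forwards):
        findings.append(f"{loser['proto']}/{loser['dport']} -> {loser['dst']} "
                        f"({loser['comment']}) is shadowed by the earlier forward to {winner['dst']}")
    for fw in find_udp_ssh(forwards):
        findings.append(f"udp/{fw['dport']} -> {fw['dst']}: SSH is TCP only, drop this forward")
    for fw in forwards:
        if fw["dst"] in router_addrs:
            findings.append(f"{fw['proto']}/{fw['dport']} -> {fw['dst']} targets the router; "
                            "replace the redirect with a traffic rule")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
    print(suggest_uci_rule(parse_forwards(SAMPLE_DUMP)[0]))
```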

It is conflicting with the subnet you are using for the wg.

I think so too. Anyway my advice was not to bother implementing all this until you get the second internet connection.