AR.150 3.201 not natting/forwarding traffic since firmware install

Hi everyone, I have a gl-ar150 which has always worked well. I changed to a DIY firmware for a community project, and reverted back by changing the firmware to the latest available 3.201.

Whatever the WAN connection is:

  • WAN Cable
  • Repeater
  • Tethering

It will not forward traffic. I ping 8.8.8.8 from my laptop; if I ssh into the little machine itself, I can reach 8.8.8.8 without issues.

/etc/config/network:
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9e:3250:a429::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR150-2da'
	option ipaddr '192.168.80.1'

config interface 'wan'
	option ifname 'eth0'
	option hostname 'GL-AR150-2da'
	option metric '10'
	option proto 'dhcp'
	option peerdns '1'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option ifname 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'tethering'
	option proto 'dhcp'
	option ifname 'eth2'
	option metric '30'
	option disabled '0'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

iptables-save
# Generated by iptables-save v1.8.3 on Sat May 15 11:53:34 2021
*nat
:PREROUTING ACCEPT [636:65148]
:INPUT ACCEPT [290:19588]
:OUTPUT ACCEPT [600:47193]
:POSTROUTING ACCEPT [3:740]
:GL_SPEC_DMZ - [0:0]
:postrouting_guestzone_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wireguard_rule - [0:0]
:prerouting_guestzone_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wireguard_rule - [0:0]
:zone_guestzone_postrouting - [0:0]
:zone_guestzone_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wireguard_postrouting - [0:0]
:zone_wireguard_prerouting - [0:0]
-A PREROUTING -j GL_SPEC_DMZ
-A PREROUTING -m comment --comment “!fw3: Custom prerouting rule chain” -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment “!fw3” -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment “!fw3” -j zone_wan_prerouting
-A PREROUTING -i eth2 -m comment --comment “!fw3” -j zone_wan_prerouting
-A PREROUTING -i wlan-sta -m comment --comment “!fw3” -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment “!fw3” -j zone_guestzone_prerouting
-A PREROUTING -i wg0 -m comment --comment “!fw3” -j zone_wireguard_prerouting
-A POSTROUTING -m comment --comment “!fw3: Custom postrouting rule chain” -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment “!fw3” -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment “!fw3” -j zone_wan_postrouting
-A POSTROUTING -o eth2 -m comment --comment “!fw3” -j zone_wan_postrouting
-A POSTROUTING -o wlan-sta -m comment --comment “!fw3” -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment “!fw3” -j zone_guestzone_postrouting
-A POSTROUTING -o wg0 -m comment --comment “!fw3” -j zone_wireguard_postrouting
-A zone_guestzone_postrouting -m comment --comment “!fw3: Custom guestzone postrouting rule chain” -j postrouting_guestzone_rule
-A zone_guestzone_prerouting -m comment --comment “!fw3: Custom guestzone prerouting rule chain” -j prerouting_guestzone_rule
-A zone_lan_postrouting -m comment --comment “!fw3: Custom lan postrouting rule chain” -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment “!fw3: Custom lan prerouting rule chain” -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment “!fw3: Custom wan postrouting rule chain” -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment “!fw3” -j MASQUERADE
-A zone_wan_prerouting -m comment --comment “!fw3: Custom wan prerouting rule chain” -j prerouting_wan_rule
-A zone_wireguard_postrouting -m comment --comment “!fw3: Custom wireguard postrouting rule chain” -j postrouting_wireguard_rule
-A zone_wireguard_postrouting -m comment --comment “!fw3” -j MASQUERADE
-A zone_wireguard_prerouting -m comment --comment “!fw3: Custom wireguard prerouting rule chain” -j prerouting_wireguard_rule
COMMIT
# Completed on Sat May 15 11:53:34 2021
# Generated by iptables-save v1.8.3 on Sat May 15 11:53:34 2021
*raw
:PREROUTING ACCEPT [2716:322719]
:OUTPUT ACCEPT [1953:580729]
:zone_guestzone_helper - [0:0]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment “!fw3: lan CT helper assignment” -j zone_lan_helper
-A PREROUTING -i br-guest -m comment --comment “!fw3: guestzone CT helper assignment” -j zone_guestzone_helper
-A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
-A zone_guestzone_helper -p udp -m comment --comment “!fw3: Amanda backup and archiving proto” -m udp --dport 10080 -j CT --helper amanda
-A zone_guestzone_helper -p tcp -m comment --comment “!fw3: FTP passive connection tracking” -m tcp --dport 21 -j CT --helper ftp
-A zone_guestzone_helper -p udp -m comment --comment “!fw3: RAS proto tracking” -m udp --dport 1719 -j CT --helper RAS
-A zone_guestzone_helper -p tcp -m comment --comment “!fw3: Q.931 proto tracking” -m tcp --dport 1720 -j CT --helper Q.931
-A zone_guestzone_helper -p tcp -m comment --comment “!fw3: IRC DCC connection tracking” -m tcp --dport 6667 -j CT --helper irc
-A zone_guestzone_helper -p tcp -m comment --comment “!fw3: PPTP VPN connection tracking” -m tcp --dport 1723 -j CT --helper pptp
-A zone_guestzone_helper -p tcp -m comment --comment “!fw3: SIP VoIP connection tracking” -m tcp --dport 5060 -j CT --helper sip
-A zone_guestzone_helper -p udp -m comment --comment “!fw3: SIP VoIP connection tracking” -m udp --dport 5060 -j CT --helper sip
-A zone_guestzone_helper -p udp -m comment --comment “!fw3: SNMP monitoring connection tracking” -m udp --dport 161 -j CT --helper snmp
-A zone_guestzone_helper -p udp -m comment --comment “!fw3: TFTP connection tracking” -m udp --dport 69 -j CT --helper tftp
-A zone_lan_helper -p udp -m comment --comment “!fw3: Amanda backup and archiving proto” -m udp --dport 10080 -j CT --helper amanda
-A zone_lan_helper -p tcp -m comment --comment “!fw3: FTP passive connection tracking” -m tcp --dport 21 -j CT --helper ftp
-A zone_lan_helper -p udp -m comment --comment “!fw3: RAS proto tracking” -m udp --dport 1719 -j CT --helper RAS
-A zone_lan_helper -p tcp -m comment --comment “!fw3: Q.931 proto tracking” -m tcp --dport 1720 -j CT --helper Q.931
-A zone_lan_helper -p tcp -m comment --comment “!fw3: IRC DCC connection tracking” -m tcp --dport 6667 -j CT --helper irc
-A zone_lan_helper -p tcp -m comment --comment “!fw3: PPTP VPN connection tracking” -m tcp --dport 1723 -j CT --helper pptp
-A zone_lan_helper -p tcp -m comment --comment “!fw3: SIP VoIP connection tracking” -m tcp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment “!fw3: SIP VoIP connection tracking” -m udp --dport 5060 -j CT --helper sip
-A zone_lan_helper -p udp -m comment --comment “!fw3: SNMP monitoring connection tracking” -m udp --dport 161 -j CT --helper snmp
-A zone_lan_helper -p udp -m comment --comment “!fw3: TFTP connection tracking” -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Sat May 15 11:53:34 2021
# Generated by iptables-save v1.8.3 on Sat May 15 11:53:34 2021
*mangle
:PREROUTING ACCEPT [2716:322719]
:INPUT ACCEPT [1599:185704]
:FORWARD ACCEPT [958:103788]
:OUTPUT ACCEPT [1953:580729]
:POSTROUTING ACCEPT [2911:684517]
:WG_DDNS - [0:0]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_tethering - [0:0]
:mwan3_iface_in_wwan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j WG_DDNS
-A PREROUTING -j WG_DDNS
-A PREROUTING -j mwan3_hook
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wlan-sta -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wlan-sta -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wireguard MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wireguard MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A WG_DDNS -s 192.168.80.0/24 -d 3.123.22.90/32 -i br-lan -j MARK --set-xmark 0x60000/0xffffffff
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_tethering -i eth2 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_tethering -i eth2 -m mark --mark 0x0/0x3f00 -m comment --comment tethering -j MARK --set-xmark 0x300/0x3f00
-A mwan3_iface_in_wwan -i wlan-sta -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_wwan -i wlan-sta -m mark --mark 0x0/0x3f00 -m comment --comment wwan -j MARK --set-xmark 0x200/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_tethering
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wwan
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment “wwan 3 3” -j MARK --set-xmark 0x200/0x3f00
-A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Sat May 15 11:53:34 2021
# Generated by iptables-save v1.8.3 on Sat May 15 11:53:34 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_guestzone_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wireguard_rule - [0:0]
:input_guestzone_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wireguard_rule - [0:0]
:output_guestzone_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wireguard_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guestzone_dest_ACCEPT - [0:0]
:zone_guestzone_dest_REJECT - [0:0]
:zone_guestzone_forward - [0:0]
:zone_guestzone_input - [0:0]
:zone_guestzone_output - [0:0]
:zone_guestzone_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wireguard_dest_ACCEPT - [0:0]
:zone_wireguard_dest_DROP - [0:0]
:zone_wireguard_forward - [0:0]
:zone_wireguard_input - [0:0]
:zone_wireguard_output - [0:0]
:zone_wireguard_src_DROP - [0:0]
-A INPUT -j GL_SPEC_OPENING
-A INPUT -i lo -m comment --comment “!fw3” -j ACCEPT
-A INPUT -m comment --comment “!fw3: Custom input rule chain” -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment “!fw3” -j syn_flood
-A INPUT -i br-lan -m comment --comment “!fw3” -j zone_lan_input
-A INPUT -i eth0 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i eth2 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i wlan-sta -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i br-guest -m comment --comment “!fw3” -j zone_guestzone_input
-A INPUT -i wg0 -m comment --comment “!fw3” -j zone_wireguard_input
-A FORWARD -m comment --comment “!fw3: Custom forwarding rule chain” -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A FORWARD -i br-lan -m comment --comment “!fw3” -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i eth2 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i wlan-sta -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment “!fw3” -j zone_guestzone_forward
-A FORWARD -i wg0 -m comment --comment “!fw3” -j zone_wireguard_forward
-A FORWARD -m comment --comment “!fw3” -j reject
-A OUTPUT -o lo -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -m comment --comment “!fw3: Custom output rule chain” -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment “!fw3” -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o eth2 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o wlan-sta -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment “!fw3” -j zone_guestzone_output
-A OUTPUT -o wg0 -m comment --comment “!fw3” -j zone_wireguard_output
-A reject -p tcp -m comment --comment “!fw3” -j REJECT --reject-with tcp-reset
-A reject -m comment --comment “!fw3” -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment “!fw3” -j RETURN
-A syn_flood -m comment --comment “!fw3” -j DROP
-A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment “!fw3” -j ACCEPT
-A zone_guestzone_dest_REJECT -o br-guest -m comment --comment “!fw3” -j reject
-A zone_guestzone_forward -m comment --comment “!fw3: Custom guestzone forwarding rule chain” -j forwarding_guestzone_rule
-A zone_guestzone_forward -m comment --comment “!fw3: Zone guestzone to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_guestzone_forward -m comment --comment “!fw3: Zone guestzone to wireguard forwarding policy” -j zone_wireguard_dest_ACCEPT
-A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_guestzone_forward -m comment --comment “!fw3” -j zone_guestzone_dest_REJECT
-A zone_guestzone_input -m comment --comment “!fw3: Custom guestzone input rule chain” -j input_guestzone_rule
-A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment “!fw3: guestzone_DHCP” -j ACCEPT
-A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment “!fw3: guestzone_DNS” -j ACCEPT
-A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment “!fw3: guestzone_DNS” -j ACCEPT
-A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_guestzone_input -m comment --comment “!fw3” -j zone_guestzone_src_REJECT
-A zone_guestzone_output -m comment --comment “!fw3: Custom guestzone output rule chain” -j output_guestzone_rule
-A zone_guestzone_output -m comment --comment “!fw3” -j zone_guestzone_dest_ACCEPT
-A zone_guestzone_src_REJECT -i br-guest -m comment --comment “!fw3” -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment “!fw3” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3: Custom lan forwarding rule chain” -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment “!fw3: Zone lan to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment “!fw3: Zone lan to wireguard forwarding policy” -j zone_wireguard_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment “!fw3: Custom lan input rule chain” -j input_lan_rule
-A zone_lan_input -p tcp -m tcp --dport 137 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 138 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 139 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 445 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 137 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 138 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 139 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 445 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_lan_input -m comment --comment “!fw3” -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment “!fw3: Custom lan output rule chain” -j output_lan_rule
-A zone_lan_output -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o eth2 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o wlan-sta -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o wlan-sta -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment “!fw3” -j reject
-A zone_wan_dest_REJECT -o eth2 -m comment --comment “!fw3” -j reject
-A zone_wan_dest_REJECT -o wlan-sta -m comment --comment “!fw3” -j reject
-A zone_wan_forward -m comment --comment “!fw3: Custom wan forwarding rule chain” -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment “!fw3: Allow-IPSec-ESP” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment “!fw3: Allow-ISAKMP” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_wan_forward -m comment --comment “!fw3” -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment “!fw3: Custom wan input rule chain” -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment “!fw3: Allow-DHCP-Renew” -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment “!fw3: Allow-Ping” -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment “!fw3: Allow-IGMP” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 137 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 138 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 139 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 137 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 138 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 139 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 445 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 48051 -m comment --comment “!fw3: Allow-Wireguard” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 48051 -m comment --comment “!fw3: Allow-Wireguard” -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_wan_input -m comment --comment “!fw3” -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment “!fw3: Custom wan output rule chain” -j output_wan_rule
-A zone_wan_output -m comment --comment “!fw3” -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0 -m comment --comment “!fw3” -j reject
-A zone_wan_src_REJECT -i eth2 -m comment --comment “!fw3” -j reject
-A zone_wan_src_REJECT -i wlan-sta -m comment --comment “!fw3” -j reject
-A zone_wireguard_dest_ACCEPT -o wg0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wireguard_dest_ACCEPT -o wg0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wireguard_dest_DROP -o wg0 -m comment --comment “!fw3” -j DROP
-A zone_wireguard_forward -m comment --comment “!fw3: Custom wireguard forwarding rule chain” -j forwarding_wireguard_rule
-A zone_wireguard_forward -m comment --comment “!fw3: Zone wireguard to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_wireguard_forward -m comment --comment “!fw3: Zone wireguard to guestzone forwarding policy” -j zone_guestzone_dest_ACCEPT
-A zone_wireguard_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_wireguard_forward -m comment --comment “!fw3” -j zone_wireguard_dest_DROP
-A zone_wireguard_input -m comment --comment “!fw3: Custom wireguard input rule chain” -j input_wireguard_rule
-A zone_wireguard_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_wireguard_input -m comment --comment “!fw3” -j zone_wireguard_src_DROP
-A zone_wireguard_output -m comment --comment “!fw3: Custom wireguard output rule chain” -j output_wireguard_rule
-A zone_wireguard_output -m comment --comment “!fw3” -j zone_wireguard_dest_ACCEPT
-A zone_wireguard_src_DROP -i wg0 -m comment --comment “!fw3” -j DROP
COMMIT

Did you reserve settings? Maybe just clear the settings and reset again?

Seems caused by multiple wan
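
To follow up on the multi-WAN suggestion, a dump like the one in the first post can be checked mechanically: which egress interfaces reach a MASQUERADE rule in the nat table, which ingress interfaces the mwan3 mangle chains mark, and which interface each mwan3 policy chain selects. This is an added example, not code from the thread or from the firmware; the function names are hypothetical and SAMPLE is a constructed, reduced excerpt in the shape of the posted dump.

```python
import shlex
from collections import defaultdict

# Constructed sample; one line keeps typographic quotes as forum software renders them.
SAMPLE = '''\
*nat
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wlan-sta -m comment --comment “!fw3” -j zone_wan_postrouting
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
*mangle
-A mwan3_iface_in_tethering -i eth2 -m mark --mark 0x0/0x3f00 -m comment --comment tethering -j MARK --set-xmark 0x300/0x3f00
-A mwan3_iface_in_wwan -i wlan-sta -m mark --mark 0x0/0x3f00 -m comment --comment wwan -j MARK --set-xmark 0x200/0x3f00
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wwan 3 3" -j MARK --set-xmark 0x200/0x3f00
'''

def parse(dump):
    """Return {table: {chain: [rule tokens, ...]}}; typographic quotes are normalised."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in dump.translate({0x201C: '"', 0x201D: '"'}).splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            tokens = shlex.split(line)
            tables[table][tokens[1]].append(tokens[2:])
    return tables

def opt(rule, flag):  # value following `flag` in a rule's tokens, or None
    return rule[rule.index(flag) + 1] if flag in rule else None

def masqueraded_ifaces(tables):
    """Egress interfaces whose POSTROUTING jump reaches a MASQUERADE rule."""
    nat = tables["nat"]
    def reaches(chain, seen=()):
        return chain not in seen and any(
            opt(r, "-j") == "MASQUERADE" or reaches(opt(r, "-j"), seen + (chain,))
            for r in nat.get(chain, []))
    return sorted({opt(r, "-o") for r in nat.get("POSTROUTING", [])
                   if opt(r, "-o") and reaches(opt(r, "-j"))})

def mwan3_members(tables):
    """Map mark -> ingress interface, from the mwan3_iface_in_* chains."""
    return {opt(r, "--set-xmark"): opt(r, "-i")
            for chain, rules in tables["mangle"].items()
            if chain.startswith("mwan3_iface_in_")
            for r in rules if "--match-set" not in r and opt(r, "-i")}

def policy_targets(tables):
    """Map each mwan3_policy_* chain to the interfaces its marks select."""
    members = mwan3_members(tables)
    return {chain: [members.get(opt(r, "--set-xmark")) for r in rules]
            for chain, rules in tables["mangle"].items()
            if chain.startswith("mwan3_policy_")}

def report(dump):
    tables = parse(dump)
    nat_out = masqueraded_ifaces(tables)
    tracked = sorted(mwan3_members(tables).values())
    return {"masqueraded": nat_out,
            "mwan3_tracked": tracked,
            "masqueraded_not_tracked": [i for i in nat_out if i not in tracked],
            "policy_targets": policy_targets(tables)}

if __name__ == "__main__":
    print(report(SAMPLE))
```

An interface listed under `masqueraded_not_tracked` is not necessarily a fault (a VPN interface would also appear there); it is the item to compare against the mwan3 interface and policy configuration.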