Firmware 4.2.x is out as snapshot firmware

Nah, the product is good, it’s changed the way I interact with VPNs. I don’t have to think about it anymore, just a shame I’m currently throttled from 750 MB’s down to 340MB’s down (over 5G WIFI)
:) they will fix it, and I’ll be happy when they do!

I can’t go to firmware 3.xx as I was kicked off the wifi all day every day and I can’t risk that again, still not found all my marbles from last time :rofl: :joy:

Hi, could you print the following command output:

iptables-save
ip route show table 51
cat /etc/version.date

Can confirm cascading VPN is not working on my Flint as well, the Flint is a client to my own OpenWrt WG server

So when I use my phone and WG client to my Flint, I can’t connect to my OpenWrt

Hi, I tested the scenario and it works. Is it able to ping the OpenWrt WG server on the Flint?
Could you show the command output for analysis?

:nauseated_face::face_vomiting: Still DMZ Enabled = :hot_face: Port Forwarding rules ignored

slate ax (WG> flint (WG> openwrt router
console in slate ax:

root@GL-AXT1800:~# iptables-save

Generated by iptables-save v1.8.7 on Fri Dec 23 18:32:14 2022

*nat
:PREROUTING ACCEPT [607:121219]
:INPUT ACCEPT [171:12163]
:OUTPUT ACCEPT [377:28634]
:POSTROUTING ACCEPT [143:10071]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wgclient_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wgclient_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wgclient_postrouting - [0:0]
:zone_wgclient_prerouting - [0:0]
-A PREROUTING -m comment --comment “!fw3: Custom prerouting rule chain” -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment “!fw3” -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment “!fw3” -j zone_wan_prerouting
-A PREROUTING -i wwan0 -m comment --comment “!fw3” -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment “!fw3” -j zone_guest_prerouting
-A PREROUTING -i wgclient -m comment --comment “!fw3” -j zone_wgclient_prerouting
-A POSTROUTING -m comment --comment “!fw3: Custom postrouting rule chain” -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment “!fw3” -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment “!fw3” -j zone_wan_postrouting
-A POSTROUTING -o wwan0 -m comment --comment “!fw3” -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment “!fw3” -j zone_guest_postrouting
-A POSTROUTING -o wgclient -m comment --comment “!fw3” -j zone_wgclient_postrouting
-A zone_guest_postrouting -m comment --comment “!fw3: Custom guest postrouting rule chain” -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment “!fw3: Custom guest prerouting rule chain” -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment “!fw3: Custom lan postrouting rule chain” -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment “!fw3: Custom lan prerouting rule chain” -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment “!fw3: Custom wan postrouting rule chain” -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment “!fw3” -j MASQUERADE
-A zone_wan_prerouting -m comment --comment “!fw3: Custom wan prerouting rule chain” -j prerouting_wan_rule
-A zone_wgclient_postrouting -m comment --comment “!fw3: Custom wgclient postrouting rule chain” -j postrouting_wgclient_rule
-A zone_wgclient_postrouting -m comment --comment “!fw3” -j MASQUERADE
-A zone_wgclient_prerouting -m comment --comment “!fw3: Custom wgclient prerouting rule chain” -j prerouting_wgclient_rule
COMMIT

Completed on Fri Dec 23 18:32:14 2022

Generated by iptables-save v1.8.7 on Fri Dec 23 18:32:14 2022

*raw
:PREROUTING ACCEPT [29220:24210969]
:OUTPUT ACCEPT [9256:2077641]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment “!fw3: lan CT helper assignment” -j zone_lan_helper
-A PREROUTING -i br-guest -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
COMMIT

Completed on Fri Dec 23 18:32:14 2022

Generated by iptables-save v1.8.7 on Fri Dec 23 18:32:14 2022

*mangle
:PREROUTING ACCEPT [29219:24210929]
:INPUT ACCEPT [12124:12001834]
:FORWARD ACCEPT [17072:12206834]
:OUTPUT ACCEPT [9257:2080601]
:POSTROUTING ACCEPT [26211:14281299]
:VPN_SER_POLICY - [0:0]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_modem_1_1 - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_policy_default_poli_v6 - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A PREROUTING -j VPN_SER_POLICY
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wwan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wwan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wgclient -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wgclient MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wgclient -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wgclient MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A OUTPUT -m owner --gid-owner 65533 -m comment --comment “!fw3: process_mark” -j MARK --set-xmark 0x80000/0x80000
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_modem_1_1 -i wwan0 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_modem_1_1 -i wwan0 -m mark --mark 0x0/0x3f00 -m comment --comment modem_1_1 -j MARK --set-xmark 0x700/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_modem_1_1
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment “modem_1_1 3 3” -j MARK --set-xmark 0x700/0x3f00
-A mwan3_policy_default_poli_v6 -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_default_poli
COMMIT

Completed on Fri Dec 23 18:32:14 2022

Generated by iptables-save v1.8.7 on Fri Dec 23 18:32:14 2022

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wgclient_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wgclient_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wgclient_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
:zone_wgclient_dest_ACCEPT - [0:0]
:zone_wgclient_dest_DROP - [0:0]
:zone_wgclient_forward - [0:0]
:zone_wgclient_input - [0:0]
:zone_wgclient_output - [0:0]
:zone_wgclient_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment “!fw3” -j ACCEPT
-A INPUT -m comment --comment “!fw3: Custom input rule chain” -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment “!fw3” -j syn_flood
-A INPUT -i br-lan -m comment --comment “!fw3” -j zone_lan_input
-A INPUT -i eth0 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i wwan0 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i br-guest -m comment --comment “!fw3” -j zone_guest_input
-A INPUT -i wgclient -m comment --comment “!fw3” -j zone_wgclient_input
-A FORWARD -m set --match-set GL_MAC_BLOCK src -j DROP
-A FORWARD -m comment --comment “!fw3: Custom forwarding rule chain” -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment “!fw3” -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i wwan0 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment “!fw3” -j zone_guest_forward
-A FORWARD -i wgclient -m comment --comment “!fw3” -j zone_wgclient_forward
-A FORWARD -m comment --comment “!fw3” -j reject
-A OUTPUT -o lo -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -m comment --comment “!fw3: Custom output rule chain” -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment “!fw3” -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o wwan0 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment “!fw3” -j zone_guest_output
-A OUTPUT -o wgclient -m comment --comment “!fw3” -j zone_wgclient_output
-A reject -p tcp -m comment --comment “!fw3” -j REJECT --reject-with tcp-reset
-A reject -m comment --comment “!fw3” -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment “!fw3” -j RETURN
-A syn_flood -m comment --comment “!fw3” -j DROP
-A zone_guest_dest_ACCEPT -o br-guest -m comment --comment “!fw3” -j ACCEPT
-A zone_guest_dest_REJECT -o br-guest -m comment --comment “!fw3” -j reject
-A zone_guest_forward -m comment --comment “!fw3: Custom guest forwarding rule chain” -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment “!fw3: Zone guest to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m comment --comment “!fw3: Zone guest to wgclient forwarding policy” -j zone_wgclient_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_guest_forward -m comment --comment “!fw3” -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment “!fw3: Custom guest input rule chain” -j input_guest_rule
-A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment “!fw3: Allow-DHCP” -j ACCEPT
-A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment “!fw3: Allow-DNS” -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment “!fw3: Allow-DNS” -j ACCEPT
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_guest_input -m comment --comment “!fw3” -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment “!fw3: Custom guest output rule chain” -j output_guest_rule
-A zone_guest_output -m comment --comment “!fw3” -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i br-guest -m comment --comment “!fw3” -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment “!fw3” -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment “!fw3: Zone lan to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment “!fw3: Zone lan to wgclient forwarding policy” -j zone_wgclient_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment “!fw3: Custom lan input rule chain” -j input_lan_rule
-A zone_lan_input -p tcp -m tcp --dport 137 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 138 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 139 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 445 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 137 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 138 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 139 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 445 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_lan_input -m comment --comment “!fw3” -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment “!fw3: Custom lan output rule chain” -j output_lan_rule
-A zone_lan_output -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o wwan0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment “!fw3” -j reject
-A zone_wan_dest_REJECT -o wwan0 -m comment --comment “!fw3” -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment “!fw3: Allow-IPSec-ESP” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment “!fw3: Allow-ISAKMP” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_wan_forward -m comment --comment “!fw3” -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment “!fw3: Custom wan input rule chain” -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment “!fw3: Allow-DHCP-Renew” -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment “!fw3: Allow-Ping” -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment “!fw3: Allow-IGMP” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 137 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 138 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 139 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 137 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 138 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 139 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 445 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 6000:6005 -m comment --comment “!fw3: @rule[13]” -j DROP
-A zone_wan_input -p udp -m udp --dport 6000:6005 -m comment --comment “!fw3: @rule[13]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment "!fw3: glservice" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 80 -m comment --comment "!fw3: glservice" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment “!fw3: glservice_https” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 443 -m comment --comment “!fw3: glservice_https” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment “!fw3: glssh” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 22 -m comment --comment “!fw3: glssh” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 6008 -m comment --comment “!fw3: @rule[18]” -j DROP
-A zone_wan_input -p udp -m udp --dport 6008 -m comment --comment “!fw3: @rule[18]” -j DROP
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_wan_input -m comment --comment “!fw3” -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment “!fw3: Custom wan output rule chain” -j output_wan_rule
-A zone_wan_output -m comment --comment “!fw3” -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth0 -m comment --comment “!fw3” -j DROP
-A zone_wan_src_DROP -i wwan0 -m comment --comment “!fw3” -j DROP
-A zone_wgclient_dest_ACCEPT -o wgclient -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wgclient_dest_ACCEPT -o wgclient -m comment --comment “!fw3” -j ACCEPT
-A zone_wgclient_dest_DROP -o wgclient -m comment --comment “!fw3” -j DROP
-A zone_wgclient_forward -m comment --comment “!fw3: Custom wgclient forwarding rule chain” -j forwarding_wgclient_rule
-A zone_wgclient_forward -m comment --comment “!fw3: Zone wgclient to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_wgclient_forward -m comment --comment “!fw3: Zone wgclient to lan forwarding policy” -j zone_lan_dest_ACCEPT
-A zone_wgclient_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_wgclient_forward -m comment --comment “!fw3” -j zone_wgclient_dest_DROP
-A zone_wgclient_input -m comment --comment “!fw3: Custom wgclient input rule chain” -j input_wgclient_rule
-A zone_wgclient_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_wgclient_input -m comment --comment “!fw3” -j zone_wgclient_src_ACCEPT
-A zone_wgclient_output -m comment --comment “!fw3: Custom wgclient output rule chain” -j output_wgclient_rule
-A zone_wgclient_output -m comment --comment “!fw3” -j zone_wgclient_dest_ACCEPT
-A zone_wgclient_src_ACCEPT -i wgclient -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
COMMIT

Completed on Fri Dec 23 18:32:14 2022

root@GL-AXT1800:~# ip route show table 51
default via 10.147.79.220 dev wwan0 proto static src 10.147.79.219 metric 40
10.147.79.216/29 dev wwan0 proto static scope link metric 40
58.71.192.142 via 10.147.79.220 dev wwan0 proto static metric 40
60.50.142.77 via 10.147.79.220 dev wwan0 proto static metric 40
local 127.0.0.1 dev lo scope host src 127.0.0.1
192.168.8.1 dev wgclient scope link
192.168.28.0/24 dev br-lan proto kernel scope link src 192.168.28.1
root@GL-AXT1800:~# cat /etc/version.date

slate ax (WG> beryl ax (WG> openwrt router

in slate ax console :

root@GL-AXT1800:~# iptables-save

Generated by iptables-save v1.8.7 on Fri Dec 23 18:39:07 2022

*nat
:PREROUTING ACCEPT [573:56343]
:INPUT ACCEPT [221:14980]
:OUTPUT ACCEPT [247:19246]
:POSTROUTING ACCEPT [144:10095]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wgclient_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wgclient_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wgclient_postrouting - [0:0]
:zone_wgclient_prerouting - [0:0]
-A PREROUTING -m comment --comment “!fw3: Custom prerouting rule chain” -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment “!fw3” -j zone_lan_prerouting
-A PREROUTING -i eth0 -m comment --comment “!fw3” -j zone_wan_prerouting
-A PREROUTING -i wwan0 -m comment --comment “!fw3” -j zone_wan_prerouting
-A PREROUTING -i br-guest -m comment --comment “!fw3” -j zone_guest_prerouting
-A PREROUTING -i wgclient -m comment --comment “!fw3” -j zone_wgclient_prerouting
-A POSTROUTING -m comment --comment “!fw3: Custom postrouting rule chain” -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment “!fw3” -j zone_lan_postrouting
-A POSTROUTING -o eth0 -m comment --comment “!fw3” -j zone_wan_postrouting
-A POSTROUTING -o wwan0 -m comment --comment “!fw3” -j zone_wan_postrouting
-A POSTROUTING -o br-guest -m comment --comment “!fw3” -j zone_guest_postrouting
-A POSTROUTING -o wgclient -m comment --comment “!fw3” -j zone_wgclient_postrouting
-A zone_guest_postrouting -m comment --comment “!fw3: Custom guest postrouting rule chain” -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment “!fw3: Custom guest prerouting rule chain” -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment “!fw3: Custom lan postrouting rule chain” -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment “!fw3: Custom lan prerouting rule chain” -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment “!fw3: Custom wan postrouting rule chain” -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment “!fw3” -j MASQUERADE
-A zone_wan_prerouting -m comment --comment “!fw3: Custom wan prerouting rule chain” -j prerouting_wan_rule
-A zone_wgclient_postrouting -m comment --comment “!fw3: Custom wgclient postrouting rule chain” -j postrouting_wgclient_rule
-A zone_wgclient_postrouting -m comment --comment “!fw3” -j MASQUERADE
-A zone_wgclient_prerouting -m comment --comment “!fw3: Custom wgclient prerouting rule chain” -j prerouting_wgclient_rule
COMMIT

Completed on Fri Dec 23 18:39:07 2022

Generated by iptables-save v1.8.7 on Fri Dec 23 18:39:07 2022

*raw
:PREROUTING ACCEPT [12434:6449452]
:OUTPUT ACCEPT [4741:1078971]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment “!fw3: lan CT helper assignment” -j zone_lan_helper
-A PREROUTING -i br-guest -m comment --comment “!fw3: guest CT helper assignment” -j zone_guest_helper
COMMIT

Completed on Fri Dec 23 18:39:07 2022

Generated by iptables-save v1.8.7 on Fri Dec 23 18:39:07 2022

*mangle
:PREROUTING ACCEPT [12433:6449368]
:INPUT ACCEPT [5354:3158437]
:FORWARD ACCEPT [7019:3287879]
:OUTPUT ACCEPT [4741:1078971]
:POSTROUTING ACCEPT [11720:4365008]
:VPN_SER_POLICY - [0:0]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_modem_1_1 - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_policy_default_poli_v6 - [0:0]
:mwan3_rules - [0:0]
-A PREROUTING -j mwan3_hook
-A PREROUTING -j VPN_SER_POLICY
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wwan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wwan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wan MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o wgclient -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wgclient MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wgclient -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment “!fw3: Zone wgclient MTU fixing” -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
-A OUTPUT -m owner --gid-owner 65533 -m comment --comment “!fw3: process_mark” -j MARK --set-xmark 0x80000/0x80000
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
-A mwan3_iface_in_modem_1_1 -i wwan0 -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_iface_in_modem_1_1 -i wwan0 -m mark --mark 0x0/0x3f00 -m comment --comment modem_1_1 -j MARK --set-xmark 0x700/0x3f00
-A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_modem_1_1
-A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment “modem_1_1 3 3” -j MARK --set-xmark 0x700/0x3f00
-A mwan3_policy_default_poli_v6 -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
-A mwan3_rules -m mark --mark 0x0/0x3f00 -j mwan3_policy_default_poli
COMMIT

Completed on Fri Dec 23 18:39:07 2022

Generated by iptables-save v1.8.7 on Fri Dec 23 18:39:07 2022

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wgclient_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wgclient_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wgclient_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
:zone_wgclient_dest_ACCEPT - [0:0]
:zone_wgclient_dest_DROP - [0:0]
:zone_wgclient_forward - [0:0]
:zone_wgclient_input - [0:0]
:zone_wgclient_output - [0:0]
:zone_wgclient_src_ACCEPT - [0:0]
-A INPUT -i lo -m comment --comment “!fw3” -j ACCEPT
-A INPUT -m comment --comment “!fw3: Custom input rule chain” -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment “!fw3” -j syn_flood
-A INPUT -i br-lan -m comment --comment “!fw3” -j zone_lan_input
-A INPUT -i eth0 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i wwan0 -m comment --comment “!fw3” -j zone_wan_input
-A INPUT -i br-guest -m comment --comment “!fw3” -j zone_guest_input
-A INPUT -i wgclient -m comment --comment “!fw3” -j zone_wgclient_input
-A FORWARD -m set --match-set GL_MAC_BLOCK src -j DROP
-A FORWARD -m comment --comment “!fw3: Custom forwarding rule chain” -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A FORWARD -i br-lan -m comment --comment “!fw3” -j zone_lan_forward
-A FORWARD -i eth0 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i wwan0 -m comment --comment “!fw3” -j zone_wan_forward
-A FORWARD -i br-guest -m comment --comment “!fw3” -j zone_guest_forward
-A FORWARD -i wgclient -m comment --comment “!fw3” -j zone_wgclient_forward
-A FORWARD -m comment --comment “!fw3” -j reject
-A OUTPUT -o lo -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -m comment --comment “!fw3: Custom output rule chain” -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment “!fw3” -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment “!fw3” -j zone_lan_output
-A OUTPUT -o eth0 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o wwan0 -m comment --comment “!fw3” -j zone_wan_output
-A OUTPUT -o br-guest -m comment --comment “!fw3” -j zone_guest_output
-A OUTPUT -o wgclient -m comment --comment “!fw3” -j zone_wgclient_output
-A reject -p tcp -m comment --comment “!fw3” -j REJECT --reject-with tcp-reset
-A reject -m comment --comment “!fw3” -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment “!fw3” -j RETURN
-A syn_flood -m comment --comment “!fw3” -j DROP
-A zone_guest_dest_ACCEPT -o br-guest -m comment --comment “!fw3” -j ACCEPT
-A zone_guest_dest_REJECT -o br-guest -m comment --comment “!fw3” -j reject
-A zone_guest_forward -m comment --comment “!fw3: Custom guest forwarding rule chain” -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment “!fw3: Zone guest to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m comment --comment “!fw3: Zone guest to wgclient forwarding policy” -j zone_wgclient_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_guest_forward -m comment --comment “!fw3” -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment “!fw3: Custom guest input rule chain” -j input_guest_rule
-A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment “!fw3: Allow-DHCP” -j ACCEPT
-A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment “!fw3: Allow-DNS” -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment “!fw3: Allow-DNS” -j ACCEPT
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_guest_input -m comment --comment “!fw3” -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment “!fw3: Custom guest output rule chain” -j output_guest_rule
-A zone_guest_output -m comment --comment “!fw3” -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i br-guest -m comment --comment “!fw3” -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment “!fw3” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3: Custom lan forwarding rule chain” -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment “!fw3: Zone lan to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment “!fw3: Zone lan to wgclient forwarding policy” -j zone_wgclient_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_lan_forward -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment “!fw3: Custom lan input rule chain” -j input_lan_rule
-A zone_lan_input -p tcp -m tcp --dport 137 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 138 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 139 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p tcp -m tcp --dport 445 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 137 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 138 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 139 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -p udp -m udp --dport 445 -m comment --comment “!fw3: @rule[12]” -j ACCEPT
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_lan_input -m comment --comment “!fw3” -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment “!fw3: Custom lan output rule chain” -j output_lan_rule
-A zone_lan_output -m comment --comment “!fw3” -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_ACCEPT -o wwan0 -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wan_dest_ACCEPT -o wwan0 -m comment --comment “!fw3” -j ACCEPT
-A zone_wan_dest_REJECT -o eth0 -m comment --comment “!fw3” -j reject
-A zone_wan_dest_REJECT -o wwan0 -m comment --comment “!fw3” -j reject
-A zone_wan_forward -m comment --comment “!fw3: Custom wan forwarding rule chain” -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment “!fw3: Allow-IPSec-ESP” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment “!fw3: Allow-ISAKMP” -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_wan_forward -m comment --comment “!fw3” -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment “!fw3: Custom wan input rule chain” -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment “!fw3: Allow-DHCP-Renew” -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment “!fw3: Allow-Ping” -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment “!fw3: Allow-IGMP” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 137 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 138 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 139 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 137 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 138 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 139 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p udp -m udp --dport 445 -m comment --comment “!fw3: @rule[11]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 6000:6005 -m comment --comment “!fw3: @rule[13]” -j DROP
-A zone_wan_input -p udp -m udp --dport 6000:6005 -m comment --comment “!fw3: @rule[13]” -j DROP
-A zone_wan_input -p tcp -m tcp --dport 80 -m comment --comment “!fw3: glservice” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 80 -m comment --comment “!fw3: glservice” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment “!fw3: glservice_https” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 443 -m comment --comment “!fw3: glservice_https” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment “!fw3: glssh” -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 22 -m comment --comment “!fw3: glssh” -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 6008 -m comment --comment “!fw3: @rule[18]” -j DROP
-A zone_wan_input -p udp -m udp --dport 6008 -m comment --comment “!fw3: @rule[18]” -j DROP
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_wan_input -m comment --comment “!fw3” -j zone_wan_src_DROP
-A zone_wan_output -m comment --comment “!fw3: Custom wan output rule chain” -j output_wan_rule
-A zone_wan_output -m comment --comment “!fw3” -j zone_wan_dest_ACCEPT
-A zone_wan_src_DROP -i eth0 -m comment --comment “!fw3” -j DROP
-A zone_wan_src_DROP -i wwan0 -m comment --comment “!fw3” -j DROP
-A zone_wgclient_dest_ACCEPT -o wgclient -m conntrack --ctstate INVALID -m comment --comment “!fw3: Prevent NAT leakage” -j DROP
-A zone_wgclient_dest_ACCEPT -o wgclient -m comment --comment “!fw3” -j ACCEPT
-A zone_wgclient_dest_DROP -o wgclient -m comment --comment “!fw3” -j DROP
-A zone_wgclient_forward -m comment --comment “!fw3: Custom wgclient forwarding rule chain” -j forwarding_wgclient_rule
-A zone_wgclient_forward -m comment --comment “!fw3: Zone wgclient to wan forwarding policy” -j zone_wan_dest_ACCEPT
-A zone_wgclient_forward -m comment --comment “!fw3: Zone wgclient to lan forwarding policy” -j zone_lan_dest_ACCEPT
-A zone_wgclient_forward -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port forwards” -j ACCEPT
-A zone_wgclient_forward -m comment --comment “!fw3” -j zone_wgclient_dest_DROP
-A zone_wgclient_input -m comment --comment “!fw3: Custom wgclient input rule chain” -j input_wgclient_rule
-A zone_wgclient_input -m conntrack --ctstate DNAT -m comment --comment “!fw3: Accept port redirections” -j ACCEPT
-A zone_wgclient_input -m comment --comment “!fw3” -j zone_wgclient_src_ACCEPT
-A zone_wgclient_output -m comment --comment “!fw3: Custom wgclient output rule chain” -j output_wgclient_rule
-A zone_wgclient_output -m comment --comment “!fw3” -j zone_wgclient_dest_ACCEPT
-A zone_wgclient_src_ACCEPT -i wgclient -m conntrack --ctstate NEW,UNTRACKED -m comment --comment “!fw3” -j ACCEPT
COMMIT

Completed on Fri Dec 23 18:39:07 2022

root@GL-AXT1800:~# ip route show table 51
default via 10.147.79.220 dev wwan0 proto static src 10.147.79.219 metric 40
10.147.79.216/29 dev wwan0 proto static scope link metric 40
58.71.192.142 via 10.147.79.220 dev wwan0 proto static metric 40
60.50.142.77 via 10.147.79.220 dev wwan0 proto static metric 40
local 127.0.0.1 dev lo scope host src 127.0.0.1
192.168.28.0/24 dev br-lan proto kernel scope link src 192.168.28.1
192.168.48.1 dev wgclient scope link
root@GL-AXT1800:~# cat /etc/version.date
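To read a dump like the one above without scanning every line, the following added example (not part of the thread or of the router firmware) lists the destination ports that a zone's input chain accepts. The function names and the sample rules are constructed here; the sample is modelled on the zone_wan_input lines above, using the straight quotes that iptables-save actually emits.

```shell
#!/bin/sh
# List every rule in one fw3 zone input chain that ACCEPTs traffic to a
# destination port, i.e. the router services reachable from that zone.
# On the router: iptables-save | zone_accepts zone_wan_input
zone_accepts() {
    chain="${1:-zone_wan_input}"
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            proto = ""; port = ""; target = ""; label = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") port   = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            # fw3 stores the rule name in the comment as "!fw3: <name>"
            if (match($0, /!fw3: [^"]*/))
                label = substr($0, RSTART + 6, RLENGTH - 6)
            # Rules without --dport (conntrack, fallthrough) are skipped
            if (target == "ACCEPT" && port != "")
                print proto "/" port " " label
        }'
}

# Constructed sample: a few rules in the shape shown in the dump above.
sample_rules() {
    cat <<'EOF'
*filter
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[11]" -j DROP
-A zone_wan_input -p tcp -m tcp --dport 443 -m comment --comment "!fw3: glservice_https" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 22 -m comment --comment "!fw3: glssh" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
-A zone_lan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
COMMIT
EOF
}

sample_rules | zone_accepts zone_wan_input
```

Any line it prints for zone_wan_input is a service the router itself answers on the WAN side, so the list should contain only what was deliberately opened.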

Are you using iperf3 to test between access points or speedtest.com type service?

bOcy Dude,… :scream: I couldn’t find my own post. That’s a nasty log you posted

1 Like

UPGRADE you can’t migrate settings again and can’t reuse a previous config file. Need to setup everything from default.

1 Like

I managed to upgrade without issues,… Though I was panicking at not finding “Backup configuration” anywhere,…

Also as usual,… Port Forwarding rules are still ignored for other ip addresses if DMZ is enabled :hot_face:

So can’t use my NAS :face_vomiting:

I mean, that’s kind of the definition of DMZ, right?

What do you need DMZ for? Convenience?

2 Likes

I’m not sure if this is a problem of this particular version, but I recently purchased the device and ran into a problem using this and maybe the previous version.

I am using WireGuard client with a list of domains that use VPN. I noticed that sometimes the traffic to these domains stops going through the VPN, I had to reset the device and configure it again.

But I think I found a problem in vpnpolicy file.
It works when it is like this:

config policy 'global'
	option kill_switch '0'
	option wan_access '0'
	option service_policy '1'
	option vpn_server_policy '1'

config service 'route_policy'
	option proxy_mode '3'

config policy 'vlan'
	option private '1'
	option guest '1'

config policy 'domain'
	option domain '
>>HERE IS MY DOMAINS LIST<<
'
	option default_policy '0'

but sometimes it changes to this one and stops working:

config policy 'global'
	option kill_switch '0'
	option wan_access '0'
	option service_policy '1'
	option vpn_server_policy '1'

config service 'route_policy'
	option proxy_mode '3'

config policy 'vlan'
	option private '1'
	option guest '1'

config policy 'domain'
	option default_policy '0'
	option domain '
>>HERE IS MY DOMAINS LIST<<
'

so I think that the problem is in the line option default_policy '0'

can someone please confirm this problem or propose a way to fix it?

GL-AX1800

Also I can’t connect to the router using SFTP. The default settings are set. The SSH connection is working. But SFTP fails; I tried the Cyberduck, Terminus and Fugu clients. They give me different errors. Cyberduck tells me something about “EOF while reading packet”. Fugu just can’t connect. And Terminus freezes and throws me an EOF error too.

GL-AX1800

:roll_eyes: If only you were part of previous discussions related to this jdub, you would’ve known that i need DMZ Enabled on one NAS address and rest others to follow port forwarding rules (instead of getting blocked). This is nothing new, most of my previous routers allowed me this type of setting,…

So in reviewing the discussion, you don’t need DMZ - you just have a lot of ports you want to forward, so it’s more convenient. Gotcha.

I stand by my statement.

(p.s., just because “most of [your] previous routers allowed [you] this type of setting,…” doesn’t mean they were implementing it correctly. There are tradeoffs to both approaches, but the way it’s currently implemented here is the way it’s typically done)

1 Like

In my situation, any solution, which comes from other router guy’s approach or your “Typical” router guys, is welcomed (and a win-win for other end user :roll_eyes:). You can sit or stand by your statements all you want, just know I’m more interested in firmware getting better.

I would’ve preferred Dynamic Port Triggering implementation (which is again typically available in most modern routers :roll_eyes:)

Sounds like you would be better off with a Synology router then?

Maybe I’m being dense here, but I don’t understand the problem with forwarding ports, even if there are a lot of them. There are always tradeoffs between security and convenience, and the words “dynamic” used alongside “firewall” would give any cyber security person pause.

There are a lot of features I’d like to see implemented, but I don’t use words like “disgusted” because I bought a product that doesn’t implement something like I think it should. If you really need that functionality, it seems like you know where you can get it.

Synology router? Yep,… :thinking: having my eye on it for quite some time. I did wait till 4.2 version,…

Port Triggering is dynamic in nature :thinking: it sure didn’t give Synology guys pause.

Maybe in your arrival things are better so you’re not disgusted but in my arrival I was disgusted by many annoying bugs etc in version 3.xx, and whenever someone pointed me to LuCi,… It eventually felt like go to hell (as I mostly ended up factory resets :sweat_smile:)

Yes I know where to get it,… “Here” is preferred first because I already have the Ax1800 (and someone did say it was in to-do list).

Even if I opt for Synology, it will be when I’m sure no solution is coming out of here,…

:grin: my use of words is my way of getting attention and I’m not going to stop typing for your liking

I’ve been here since 2015 with the 6416, but whatever.

There are plenty of things routers like this don’t do well, which is why I don’t use one for my main router. If the software doesn’t meet your needs, it’s not hard to find one that does. Never buy a product based on a promised future update.

I mean, I’m a voting member on three IEEE cyber security committees, but I’m sure you know better.

1 Like