Closed datapharmer closed 1 year ago
This may be a firewall config that was not correctly reloaded.
Can you give me the result of ip6tables-save before and after the problem?
Before:
# Generated by iptables-save v1.8.7 on Thu Nov 3 18:42:32 2022
*raw
:PREROUTING ACCEPT [546574100:353900767434]
:OUTPUT ACCEPT [461266778:287577660933]
COMMIT
# Completed on Thu Nov 3 18:42:32 2022
# Generated by iptables-save v1.8.7 on Thu Nov 3 18:42:32 2022
*nat
:PREROUTING ACCEPT [18479:2289361]
:INPUT ACCEPT [11384:719173]
:OUTPUT ACCEPT [42326:3169870]
:POSTROUTING ACCEPT [4233:254410]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:v2r_def_dst - [0:0]
:v2r_def_forward - [0:0]
:v2r_def_local_out - [0:0]
:v2r_def_pre_src - [0:0]
:v2r_def_src - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -i 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -p tcp -j v2r_def_pre_src
-A OUTPUT -p tcp -j v2r_def_local_out
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A POSTROUTING -o 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A v2r_def_dst -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_dst -m mark --mark 0x539 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_eth0_2 dst -j MARK --set-xmark 0x53910/0xffffffff
-A v2r_def_dst -m mark --mark 0x53910 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_eth0_3 dst -j MARK --set-xmark 0x5398/0xffffffff
-A v2r_def_dst -m mark --mark 0x5398 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_6in4-omr6in4 dst -j MARK --set-xmark 0x5391201/0xffffffff
-A v2r_def_dst -m mark --mark 0x5391201 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A v2r_def_dst -m mark --mark 0x5391200 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A v2r_def_dst -m mark --mark 0x5396 -j RETURN
-A v2r_def_dst -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A v2r_def_dst -m mark --mark 0x5395 -j RETURN
-A v2r_def_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_forward dst -j v2r_def_forward
-A v2r_def_dst -m comment --comment "dst_default: forward" -j v2r_def_forward
-A v2r_def_forward -p tcp -j REDIRECT --to-ports 1897
-A v2r_def_local_out -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_local_out -m mark --mark 0x539 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_eth0_2 dst -j MARK --set-xmark 0x53910/0xffffffff
-A v2r_def_local_out -m mark --mark 0x53910 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_eth0_3 dst -j MARK --set-xmark 0x5398/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5398 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_6in4-omr6in4 dst -j MARK --set-xmark 0x5391201/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5391201 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5391200 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5396 -j RETURN
-A v2r_def_local_out -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A v2r_def_local_out -m mark --mark 0x5395 -j RETURN
-A v2r_def_local_out -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_local_out -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_local_out -m mark --mark 0x539 -j RETURN
-A v2r_def_local_out -p tcp -m comment --comment "local_default: forward" -j v2r_def_forward
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_eth0_2 dst -j MARK --set-xmark 0x53910/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x53910 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_eth0_3 dst -j MARK --set-xmark 0x5398/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5398 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_6in4-omr6in4 dst -j MARK --set-xmark 0x5391201/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5391201 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5391200 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5396 -j RETURN
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x5395 -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -p tcp -j v2r_def_src
-A v2r_def_src -m set --match-set ssr_def_src_bypass src -j RETURN
-A v2r_def_src -m set --match-set ssr_def_src_forward src -j v2r_def_forward
-A v2r_def_src -m set --match-set ssr_def_src_checkdst src -j v2r_def_dst
-A v2r_def_src -m comment --comment "src_default: forward" -j v2r_def_forward
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -j MINIUPNPD-POSTROUTING
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_vpn_prerouting -j MINIUPNPD
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Nov 3 18:42:32 2022
# Generated by iptables-save v1.8.7 on Thu Nov 3 18:42:32 2022
*mangle
:PREROUTING ACCEPT [3319147:1989791906]
:INPUT ACCEPT [3465708:2037148549]
:FORWARD ACCEPT [6866:1097637]
:OUTPUT ACCEPT [3299985:1870043544]
:POSTROUTING ACCEPT [3306087:1871109331]
:dscp_mark - [0:0]
:dscp_output - [0:0]
:dscp_postrouting - [0:0]
:dscp_prerouting - [0:0]
:omr-bypass - [0:0]
:omr-bypass-dpi - [0:0]
:omr-bypass-local - [0:0]
:omr-gre-tunnel - [0:0]
:v2r_def_dst - [0:0]
:v2r_def_forward - [0:0]
:v2r_def_pre_src - [0:0]
:v2r_def_src - [0:0]
-A PREROUTING -i eth0 -j dscp_prerouting
-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-gre-tunnel
-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A PREROUTING -i eth0 -j dscp_mark
-A PREROUTING -p udp -j v2r_def_pre_src
-A PREROUTING -j omr-bypass
-A INPUT -j omr-bypass-dpi
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o 6in4-omr6in4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i 6in4-omr6in4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j omr-bypass-dpi
-A OUTPUT -j dscp_output
-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
-A POSTROUTING -j dscp_postrouting
-A POSTROUTING -j dscp_mark
-A dscp_mark -m comment --comment cs4 -m dscp --dscp 0x20 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs5 -m dscp --dscp 0x28 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs6 -m dscp --dscp 0x30 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs7 -m dscp --dscp 0x38 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_output -o tun0 -j DSCP --set-dscp 0x30
-A dscp_postrouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j DSCP --set-dscp 0x00
-A dscp_postrouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j DSCP --set-dscp 0x08
-A dscp_postrouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j DSCP --set-dscp 0x10
-A dscp_postrouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j DSCP --set-dscp 0x18
-A dscp_postrouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j DSCP --set-dscp 0x20
-A dscp_postrouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j DSCP --set-dscp 0x28
-A dscp_postrouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j DSCP --set-dscp 0x30
-A dscp_postrouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j DSCP --set-dscp 0x38
-A dscp_postrouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j DSCP --set-dscp 0x2e
-A dscp_postrouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j RETURN
-A dscp_postrouting -p icmp -m comment --comment ICMP -j DSCP --set-dscp 0x38
-A dscp_postrouting -p icmp -m comment --comment ICMP -j RETURN
-A dscp_postrouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j DSCP --set-dscp 0x30
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j RETURN
-A dscp_postrouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j DSCP --set-dscp 0x30
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j DSCP --set-dscp 0x00
-A dscp_prerouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j DSCP --set-dscp 0x08
-A dscp_prerouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j DSCP --set-dscp 0x10
-A dscp_prerouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j DSCP --set-dscp 0x18
-A dscp_prerouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j DSCP --set-dscp 0x20
-A dscp_prerouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j DSCP --set-dscp 0x28
-A dscp_prerouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j DSCP --set-dscp 0x30
-A dscp_prerouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j DSCP --set-dscp 0x38
-A dscp_prerouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j DSCP --set-dscp 0x2e
-A dscp_prerouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j RETURN
-A dscp_prerouting -p icmp -m comment --comment ICMP -j DSCP --set-dscp 0x38
-A dscp_prerouting -p icmp -m comment --comment ICMP -j RETURN
-A dscp_prerouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j DSCP --set-dscp 0x30
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j RETURN
-A dscp_prerouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j DSCP --set-dscp 0x30
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_eth0_2 dst -j MARK --set-xmark 0x53910/0xffffffff
-A omr-bypass -m mark --mark 0x53910 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_eth0_3 dst -j MARK --set-xmark 0x5398/0xffffffff
-A omr-bypass -m mark --mark 0x5398 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_6in4-omr6in4 dst -j MARK --set-xmark 0x5391201/0xffffffff
-A omr-bypass -m mark --mark 0x5391201 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A omr-bypass -m mark --mark 0x5391200 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A omr-bypass -m mark --mark 0x5396 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A omr-bypass -m mark --mark 0x5395 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass -m mark --mark 0x539 -j RETURN
-A omr-bypass-dpi -m ndpi --proto disneyplus -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass-dpi -m mark --mark 0x539 -j RETURN
-A omr-bypass-dpi -m ndpi --proto hulu -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass-dpi -m mark --mark 0x539 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_eth0_2 dst -j MARK --set-xmark 0x53910/0xffffffff
-A omr-bypass-local -m mark --mark 0x53910 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_eth0_3 dst -j MARK --set-xmark 0x5398/0xffffffff
-A omr-bypass-local -m mark --mark 0x5398 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_6in4-omr6in4 dst -j MARK --set-xmark 0x5391201/0xffffffff
-A omr-bypass-local -m mark --mark 0x5391201 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A omr-bypass-local -m mark --mark 0x5391200 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A omr-bypass-local -m mark --mark 0x5396 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A omr-bypass-local -m mark --mark 0x5395 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass-local -m mark --mark 0x539 -j RETURN
-A v2r_def_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_forward dst -j v2r_def_forward
-A v2r_def_dst -m comment --comment "dst_default: forward" -j v2r_def_forward
-A v2r_def_forward -p udp -j TPROXY --on-port 1897 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -p udp -j v2r_def_src
-A v2r_def_src -m set --match-set ssr_def_src_bypass src -j RETURN
-A v2r_def_src -m set --match-set ssr_def_src_forward src -j v2r_def_forward
-A v2r_def_src -m set --match-set ssr_def_src_checkdst src -j v2r_def_dst
-A v2r_def_src -m comment --comment "src_default: forward" -j v2r_def_forward
COMMIT
# Completed on Thu Nov 3 18:42:32 2022
# Generated by iptables-save v1.8.7 on Thu Nov 3 18:42:32 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -m comment --comment "!fw3" -j reject
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-All-Ping" -j ACCEPT
-A FORWARD -p udp -m udp --dport 443 -m comment --comment "!fw3: Block QUIC All" -j DROP
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -m comment --comment "!fw3" -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Allow-All-LAN-to-VPN" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Allow-Lan-to-Wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -p udp -m udp --dport 443 -m comment --comment "!fw3: Block QUIC Proxy" -j DROP
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o 6in4-omr6in4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o 6in4-omr6in4 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j MINIUPNPD
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -p icmp -m comment --comment "!fw3: Allow-VPN-ICMP" -j ACCEPT
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -j MINIUPNPD
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_REJECT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_vpn_src_REJECT -i 6in4-omr6in4 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.3 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Nov 3 18:42:32 2022
After:
# Generated by iptables-save v1.8.7 on Fri Nov 4 10:57:30 2022
*nat
:PREROUTING ACCEPT [309:23973]
:INPUT ACCEPT [365:23851]
:OUTPUT ACCEPT [625:45886]
:POSTROUTING ACCEPT [56:3464]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:v2r_def_dst - [0:0]
:v2r_def_forward - [0:0]
:v2r_def_local_out - [0:0]
:v2r_def_pre_src - [0:0]
:v2r_def_src - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -p tcp -j v2r_def_pre_src
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A PREROUTING -i 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A OUTPUT -p tcp -j v2r_def_local_out
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A POSTROUTING -o 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A v2r_def_dst -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_dst -m mark --mark 0x539 -j RETURN
-A v2r_def_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_forward dst -j v2r_def_forward
-A v2r_def_dst -m comment --comment "dst_default: forward" -j v2r_def_forward
-A v2r_def_forward -p tcp -j REDIRECT --to-ports 1897
-A v2r_def_local_out -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_local_out -m mark --mark 0x539 -j RETURN
-A v2r_def_local_out -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_local_out -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_local_out -m mark --mark 0x539 -j RETURN
-A v2r_def_local_out -p tcp -m comment --comment "local_default: forward" -j v2r_def_forward
-A v2r_def_pre_src -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -p tcp -j v2r_def_src
-A v2r_def_src -m set --match-set ssr_def_src_bypass src -j RETURN
-A v2r_def_src -m set --match-set ssr_def_src_forward src -j v2r_def_forward
-A v2r_def_src -m set --match-set ssr_def_src_checkdst src -j v2r_def_dst
-A v2r_def_src -m comment --comment "src_default: forward" -j v2r_def_forward
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_postrouting -j MINIUPNPD-POSTROUTING
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_vpn_prerouting -j MINIUPNPD
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Nov 4 10:57:30 2022
# Generated by iptables-save v1.8.7 on Fri Nov 4 10:57:30 2022
*mangle
:PREROUTING ACCEPT [22327:12411977]
:INPUT ACCEPT [22225:12372235]
:FORWARD ACCEPT [153:40195]
:OUTPUT ACCEPT [20738:13229044]
:POSTROUTING ACCEPT [20791:13265038]
:dscp_mark - [0:0]
:dscp_output - [0:0]
:dscp_postrouting - [0:0]
:dscp_prerouting - [0:0]
:omr-bypass - [0:0]
:omr-bypass-dpi - [0:0]
:omr-bypass-local - [0:0]
:omr-gre-tunnel - [0:0]
:v2r_def_dst - [0:0]
:v2r_def_forward - [0:0]
:v2r_def_pre_src - [0:0]
:v2r_def_src - [0:0]
-A PREROUTING -i eth0 -j dscp_prerouting
-A PREROUTING -m addrtype ! --dst-type LOCAL -j omr-gre-tunnel
-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A PREROUTING -i eth0 -j dscp_mark
-A PREROUTING -j omr-bypass
-A PREROUTING -p udp -j v2r_def_pre_src
-A INPUT -j omr-bypass-dpi
-A FORWARD -j omr-bypass-dpi
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o 6in4-omr6in4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i 6in4-omr6in4 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j dscp_output
-A OUTPUT -m addrtype ! --dst-type LOCAL -j omr-bypass-local
-A POSTROUTING -j dscp_postrouting
-A POSTROUTING -j dscp_mark
-A dscp_mark -m comment --comment cs4 -m dscp --dscp 0x20 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs5 -m dscp --dscp 0x28 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs6 -m dscp --dscp 0x30 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_mark -m comment --comment cs7 -m dscp --dscp 0x38 -j MARK --set-xmark 0x7874756e/0xffffffff
-A dscp_output -o tun0 -j DSCP --set-dscp 0x30
-A dscp_postrouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j DSCP --set-dscp 0x00
-A dscp_postrouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j DSCP --set-dscp 0x08
-A dscp_postrouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j DSCP --set-dscp 0x10
-A dscp_postrouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j DSCP --set-dscp 0x18
-A dscp_postrouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j DSCP --set-dscp 0x20
-A dscp_postrouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j DSCP --set-dscp 0x28
-A dscp_postrouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j DSCP --set-dscp 0x30
-A dscp_postrouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j DSCP --set-dscp 0x38
-A dscp_postrouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j RETURN
-A dscp_postrouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j DSCP --set-dscp 0x2e
-A dscp_postrouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j RETURN
-A dscp_postrouting -p icmp -m comment --comment ICMP -j DSCP --set-dscp 0x38
-A dscp_postrouting -p icmp -m comment --comment ICMP -j RETURN
-A dscp_postrouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j DSCP --set-dscp 0x30
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j RETURN
-A dscp_postrouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_postrouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j RETURN
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j DSCP --set-dscp 0x30
-A dscp_postrouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j DSCP --set-dscp 0x00
-A dscp_prerouting -m set --match-set omr_dscp-cs0 src,dst -m comment --comment cs0 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j DSCP --set-dscp 0x08
-A dscp_prerouting -m set --match-set omr_dscp-cs1 src,dst -m comment --comment cs1 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j DSCP --set-dscp 0x10
-A dscp_prerouting -m set --match-set omr_dscp-cs2 src,dst -m comment --comment cs2 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j DSCP --set-dscp 0x18
-A dscp_prerouting -m set --match-set omr_dscp-cs3 src,dst -m comment --comment cs3 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j DSCP --set-dscp 0x20
-A dscp_prerouting -m set --match-set omr_dscp-cs4 src,dst -m comment --comment cs4 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j DSCP --set-dscp 0x28
-A dscp_prerouting -m set --match-set omr_dscp-cs5 src,dst -m comment --comment cs5 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j DSCP --set-dscp 0x30
-A dscp_prerouting -m set --match-set omr_dscp-cs6 src,dst -m comment --comment cs6 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j DSCP --set-dscp 0x38
-A dscp_prerouting -m set --match-set omr_dscp-cs7 src,dst -m comment --comment cs7 -j RETURN
-A dscp_prerouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j DSCP --set-dscp 0x2e
-A dscp_prerouting -m set --match-set omr_dscp-ef src,dst -m comment --comment ef -j RETURN
-A dscp_prerouting -p icmp -m comment --comment ICMP -j DSCP --set-dscp 0x38
-A dscp_prerouting -p icmp -m comment --comment ICMP -j RETURN
-A dscp_prerouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p udp -m multiport --sports 53,123,5353 -m multiport --dports 0:65535 -m comment --comment "DNS udp and NTP" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p tcp -m multiport --sports 53,5353 -m multiport --dports 0:65535 -m comment --comment "DNS tcp" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j DSCP --set-dscp 0x30
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65500 -m comment --comment "OMR API" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65001,65301,65401,65011 -m comment --comment "OMR vpn" -j RETURN
-A dscp_prerouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j DSCP --set-dscp 0x38
-A dscp_prerouting -p udp -m multiport --sports 0:65535 -m multiport --dports 65001,65301 -m comment --comment "OMR vpn" -j RETURN
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j DSCP --set-dscp 0x30
-A dscp_prerouting -p tcp -m multiport --sports 0:65535 -m multiport --dports 65101,65228 -m comment --comment "OMR proxy" -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_eth0_2 dst -j MARK --set-xmark 0x53910/0xffffffff
-A omr-bypass -m mark --mark 0x53910 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_eth0_3 dst -j MARK --set-xmark 0x5398/0xffffffff
-A omr-bypass -m mark --mark 0x5398 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_6in4-omr6in4 dst -j MARK --set-xmark 0x5391201/0xffffffff
-A omr-bypass -m mark --mark 0x5391201 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A omr-bypass -m mark --mark 0x5391200 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A omr-bypass -m mark --mark 0x5396 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A omr-bypass -m mark --mark 0x5395 -j RETURN
-A omr-bypass -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass -m mark --mark 0x539 -j RETURN
-A omr-bypass-dpi -m ndpi --proto disneyplus -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass-dpi -m mark --mark 0x539 -j RETURN
-A omr-bypass-dpi -m ndpi --proto hulu -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass-dpi -m mark --mark 0x539 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_eth0_2 dst -j MARK --set-xmark 0x53910/0xffffffff
-A omr-bypass-local -m mark --mark 0x53910 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_eth0_3 dst -j MARK --set-xmark 0x5398/0xffffffff
-A omr-bypass-local -m mark --mark 0x5398 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_6in4-omr6in4 dst -j MARK --set-xmark 0x5391201/0xffffffff
-A omr-bypass-local -m mark --mark 0x5391201 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_tun0 dst -j MARK --set-xmark 0x5391200/0xffffffff
-A omr-bypass-local -m mark --mark 0x5391200 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_eth0 dst -j MARK --set-xmark 0x5396/0xffffffff
-A omr-bypass-local -m mark --mark 0x5396 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_lo dst -j MARK --set-xmark 0x5395/0xffffffff
-A omr-bypass-local -m mark --mark 0x5395 -j RETURN
-A omr-bypass-local -m set --match-set omr_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A omr-bypass-local -m mark --mark 0x539 -j RETURN
-A v2r_def_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_dst -m set --match-set ssr_def_dst_forward dst -j v2r_def_forward
-A v2r_def_dst -m comment --comment "dst_default: forward" -j v2r_def_forward
-A v2r_def_forward -p udp -j TPROXY --on-port 1897 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass_ dst -j RETURN
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-xmark 0x539/0xffffffff
-A v2r_def_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
-A v2r_def_pre_src -m set --match-set ssr_def_dst_bypass dst -j RETURN
-A v2r_def_pre_src -m mark --mark 0x539 -j RETURN
-A v2r_def_pre_src -p udp -j v2r_def_src
-A v2r_def_src -m set --match-set ssr_def_src_bypass src -j RETURN
-A v2r_def_src -m set --match-set ssr_def_src_forward src -j v2r_def_forward
-A v2r_def_src -m set --match-set ssr_def_src_checkdst src -j v2r_def_dst
-A v2r_def_src -m comment --comment "src_default: forward" -j v2r_def_forward
COMMIT
# Completed on Fri Nov 4 10:57:30 2022
# Generated by iptables-save v1.8.7 on Fri Nov 4 10:57:30 2022
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -i 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_input
-A INPUT -m comment --comment "!fw3" -j reject
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-All-Ping" -j ACCEPT
-A FORWARD -p udp -m udp --dport 443 -m comment --comment "!fw3: Block QUIC All" -j DROP
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -i 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -o 6in4-omr6in4 -m comment --comment "!fw3" -j zone_vpn_output
-A OUTPUT -m comment --comment "!fw3" -j reject
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Allow-All-LAN-to-VPN" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Allow-Lan-to-Wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -p udp -m udp --dport 443 -m comment --comment "!fw3: Block QUIC Proxy" -j DROP
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o 6in4-omr6in4 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o 6in4-omr6in4 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -j MINIUPNPD
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -p icmp -m comment --comment "!fw3: Allow-VPN-ICMP" -j ACCEPT
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -j MINIUPNPD
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_REJECT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
-A zone_vpn_src_REJECT -i 6in4-omr6in4 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_ACCEPT -o eth0.3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.3 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Nov 4 10:57:30 2022
@Ysurac any thoughts? This is causing me some big headaches because DNS and connections time out/fail most of the time when IPv6 is enabled on the client.
Should OMR6IN4 and WAN connections have Delegate IPv6 prefixes enabled? It is enabled for OMR6IN4, but I'm thinking maybe that is the problem, since I'm seeing it set a default route on the client and it seems like sometimes it isn't passing traffic and sometimes it is.
Ok I've found some of the problems here and I think have it mostly fixed.
OMR6IN4 didn't have an IPv6 assignment length set and this was being used for DHCP assignment (not sure that's right, but that's what's happening), so only one device at a time was getting an address.
Once I changed that and set Delegate IPv6 prefixes on for OMR6IN4 and the WAN connections, everyone is getting a valid IPv6 address and generally traffic is passing through the tunnel. However, occasionally I'm still seeing IPv6 stop routing, which you can also see on the router as it can't ping anything outside the LAN either. I tried restarting interfaces etc. to no avail in this scenario. A full reboot brings it back to working, so I think this may be a firewall issue or a problem with v2ray?
I did note this in the logs, which seems to point to an issue with OMR6IN4:
Fri Nov 11 14:52:26 2022 kern.err kernel: [ 847.767702] __mptcp_init6_subsockets: MPTCP subsocket connect() failed, error -13
Fri Nov 11 14:52:27 2022 kern.err kernel: [ 848.620114] __mptcp_init6_subsockets: token 0x78d93d7d bind() to [OMR6IN4 Interface IP] index 22 failed, error -99
Ok, if I reload the firewall from the CLI it gives this:
This led me to this known bug that was never addressed: https://github.com/openwrt/openwrt/issues/8534 But I found another reference here: https://forum.openwrt.org/t/firewall-gives-warning-msgs-when-kmod-ipt-nat6-is-installed/71285/2
which suggests this as a potential fix: https://openwrt.org/docs/guide-user/network/ipv6/ipv6.nat6#nat6_simplified but would it be better to run relay mode, or stick with server mode and use this NAT fix?
I've determined this is a problem with route announcement. It seems the IPv6 routes are expiring and not renewing. Restarting the network brings them back for a bit, then they expire again.
@Ysurac Any suggestion on how to get a new RA or something to prevent them from being withdrawn? I tried the OpenWrt allmulti suggestion related to VLANs (https://github.com/openwrt/openwrt/issues/9827) as I thought this would apply to my scenario, but it doesn't seem to have solved it.
I can see that the routes to omr6in4 seem to get lost and the IPv6 DNS server is missing from the DHCP lease when this happens. Once the network is restarted and a lease renewal requested, it returns to normal for a little while until the RA gets lost again.
This is just a problem for the DHCP clients, as the router can still ping an IPv6 address.
I've tried running the LAN in both server mode and PD/relay mode and experience the same route loss regardless.
After a ton of digging I found that setting noserverunicast on the WAN connections seems to be the solution:
option noserverunicast '1'
https://blog.printk.io/2018/08/ipv6-renew-issue-with-fiber7-and-openwrt/
After setting this I've had IPv6 working for a few days, with the exception of when the VPN tunnel is down. When that's the case IPv6 ping doesn't work on clients or from the router, but that appears to be a separate bug.
Leaving this open for now, as it might be good to set the noserverunicast option by default, since it isn't immediately apparent that things aren't working unless you happen to check after things have been running for a while.
Ok, so a follow-up: this isn't a total fix, but I know another bug was found and fixed in dev, and I don't have a means of testing that.
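The two checks a defender would want for the route-expiry symptom above, as an added example that is not code from this issue, OpenMPTCProuter or OpenWrt: a POSIX shell script that classifies the IPv6 default route state on a Linux LAN client from `ip -6 route show default` output (assumes kernel-installed RA routes, which carry `expires <N>sec`), and that lists `dhcpv6` interfaces in an OpenWrt `/etc/config/network` lacking `option noserverunicast '1'`. The script filename, interface names and sample texts are constructed.

```shell
#!/bin/sh
# Added diagnostic for the IPv6 route-expiry symptom; not code from the issue,
# OpenMPTCProuter or OpenWrt. Two checks:
#  1. On a Linux LAN client, classify the IPv6 default route state from the
#     output of `ip -6 route show default`. Assumes kernel-installed RA routes,
#     which carry "expires <N>sec" (static routes carry no lifetime).
#  2. On the router, list 'dhcpv6' interfaces in /etc/config/network that do
#     not set option noserverunicast '1' (the fix reported above).

# Print the largest remaining lifetime in seconds among default routes,
# -1 if any default route never expires, nothing if there is no default route.
v6_default_remaining() {
    printf '%s\n' "$1" | awk '
        BEGIN { best = ""; static = 0 }
        $1 == "default" {
            life = ""
            for (i = 1; i < NF; i++)
                if ($i == "expires") { life = $(i + 1); sub(/sec$/, "", life); life += 0 }
            if (life == "") static = 1
            else if (best == "" || life > best) best = life
        }
        END {
            if (static) print -1
            else if (best != "") print best
        }'
}

# Classify the route state: "ok", "expiring" (at most $2 seconds left,
# default 60) or "missing". A client that reports "expiring" and then
# "missing" without a fresh RA shows exactly the failure described above.
v6_default_status() {
    rem=$(v6_default_remaining "$1")
    threshold="${2:-60}"
    if [ -z "$rem" ]; then
        echo missing
    elif [ "$rem" -eq -1 ] || [ "$rem" -gt "$threshold" ]; then
        echo ok
    else
        echo expiring
    fi
}

# Print the names of UCI interface sections with proto 'dhcpv6' that lack
# option noserverunicast '1'. $1 is the text of /etc/config/network.
dhcpv6_without_noserverunicast() {
    printf '%s\n' "$1" | awk -v q="'" '
        function flush() { if (cur != "" && proto == "dhcpv6" && nsu != "1") print cur }
        $1 == "config" { flush(); cur = ""; proto = ""; nsu = ""
                         if ($2 == "interface") { cur = $3; gsub(q, "", cur) } }
        $1 == "option" && $2 == "proto" { proto = $3; gsub(q, "", proto) }
        $1 == "option" && $2 == "noserverunicast" { nsu = $3; gsub(q, "", nsu) }
        END { flush() }'
}

# Constructed sample inputs (not captured from the reporter's system).
SAMPLE_HEALTHY='default from 2001:db8:1::/64 via fe80::1 dev eth0 proto ra metric 1024 expires 1790sec pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1500sec pref medium'
SAMPLE_EXPIRING='default via fe80::1 dev eth0 proto ra metric 1024 expires 25sec pref medium'
SAMPLE_STATIC='default via fe80::1 dev eth0 proto static metric 1024 pref medium'
SAMPLE_NETWORK="config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option noserverunicast '1'

config interface 'wan6b'
	option device 'eth0.3'
	option proto 'dhcpv6'"

# Live use (hypothetical filename): `sh v6_ra_check.sh --routes` on a client,
# `sh v6_ra_check.sh --config` on the router. With no argument nothing runs.
case "${1:-}" in
    --routes) v6_default_status "$(ip -6 route show default)" ;;
    --config) dhcpv6_without_noserverunicast "$(cat /etc/config/network)" ;;
esac
```

Running `--routes` from cron on a client every minute and logging the result gives a timeline of when the RA-learned route decays, which is easier to correlate with WAN restarts than a long ping.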
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days
Expected Behavior
Connecting a client via dual-stack IPv4 and IPv6, or just IPv6, should result in getting an IPv6 address issued with a valid gateway.
Current Behavior
Upon first starting or restarting the LAN interface, clients can get a DHCPv6 address issued that is within the range listed under wizard > IPv6 settings, and the IPv6 gateway and DNS servers are included and functional. Everything works. After a few minutes, any clients trying to lease or renew a lease only get IPv4 if dual stack, or, if IPv6-only, they get a link-local address, no gateway and invalid DNS such as fec0:0:0:ffff::1%1, and clients that already have a lease stop passing IPv6 traffic (see ping example below).
Possible Solution
Restart the LAN connection if the status of one of the other WAN interfaces changes? This seems a bit disruptive.
Steps to Reproduce the Problem
Context (Environment)
Dual WAN set to restart the interface if it is detected as down.
Ping on IPv4 works reliably, but here is an example of a long ping running IPv6 from a DHCP client:
I'm also seeing an IPv6-related error in the logs, though it doesn't seem to be directly related to when the failures start, as it happens before and after as well:
Thu Nov 3 15:12:41 2022 kern.err kernel: [2119543.645889] mptcp_init6_subsockets: MPTCP subsocket connect() failed, error -13
Thu Nov 3 15:12:41 2022 kern.err kernel: [2119543.654023] mptcp_init6_subsockets: MPTCP subsocket connect() failed, error -13
Thu Nov 3 15:12:42 2022 kern.err kernel: [2119545.453091] mptcp_init6_subsockets: MPTCP subsocket connect() failed, error -13
Thu Nov 3 15:12:42 2022 kern.err kernel: [2119545.462228] mptcp_init6_subsockets: MPTCP subsocket connect() failed, error -13
Thu Nov 3 15:12:42 2022 kern.err kernel: [2119545.470133] mptcp_init6_subsockets: MPTCP subsocket connect() failed, error -13
Thu Nov 3 15:12:42 2022 kern.err kernel: [2119545.478266] mptcp_init6_subsockets: MPTCP subsocket connect() failed, error -13
Thu Nov 3 15:12:43 2022 kern.err kernel: [2119546.404484] __mptcp_init6_subsockets: MPTCP subsocket connect() failed, error -13
Specifications