Possible bug with local-zone

SOLUTION: Double-check your NAT to ensure you’re not redirecting ALL traffic to the wrong device …


To start, I am running 1.3.4 getting ready to update to 1.3.6 to see if the issue resolves, but wanted to get a head start on this since it’s driving me crazy.


I have been having issues with the LOCAL zone-based firewall rules for what I believe to be quite some time now. Initially I thought it was with Wireguard, as it is where I would notice the problem first when I would make a configuration change to switch between my Primary and Backup ISPs; however, upon further testing I’ve noticed the following:

  • tcpdump confirms the firewall is seeing WAN traffic hitting on port 51820 from mobile device.
  • Confirmed Wireguard configuration is indeed correct, as if I temporarily disable the firewall by flushing nftables, I am able to connect from WAN2LOCAL and ping/ssh without issue.
  • Double-confirmed Wireguard configuration is indeed correct as I am able to connect via NAT inside the LAB.
  • Confirmed firewall does not appear to be working AT ALL for the WAN2LOCAL zone via a TCP port-checker and the inability to ping the WAN static address despite having rules in place allowing for both conditions. (The TCP port-checker test rule has since been removed).

I am at a complete loss here. I followed Kroy’s VyOS from Scratch Part 1 blog entry then customized from there, but recall time after time again what appears to be the most innocent of changes (such as adding a new firewall rule) causes some completely unrelated portion to break. Am I crazy and messed something up in the config, or is there something more going on here???

show config | strip-private:

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        port-group 3CX {
            port 5060
            port 5090
            port 9000-9398
            port 10600-10998
            port 5001
        }
        port-group http {
            port 443
            port 8443
            port 80
            port 8080
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN2LOCAL {
        default-action accept
    }
    name LAN2WAN {
        default-action accept
    }
    name LOCAL2LAN {
        default-action accept
    }
    name LOCAL2WAN {
        default-action accept
    }
    name WAN2LAN {
        default-action drop
        rule 1 {
            action accept
            description "Allow est/related traffic"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            log enable
            protocol icmp
            state {
                new enable
            }
        }
        rule 10 {
            action accept
            destination {
                address xxx.xxx.21.2/32
                group {
                    port-group 3CX
                }
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 100 {
            action accept
            description "Allow HTTP(s) traffic to all Exposed Services"
            destination {
                address xxx.xxx.21.0/29
                group {
                    port-group http
                }
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 101 {
            action accept
            description "Allow Minecraft traffic"
            destination {
                address xxx.xxx.30.2
                port 25565
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
    }
    name WAN2LOCAL {
        default-action drop
        rule 1 {
            action accept
            description "Allow est/related traffic"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action accept
            log enable
            protocol icmp
            state {
                new enable
            }
        }
        rule 3 {
            action accept
            description "Allow WireGuard traffic"
            destination {
                port 51820
            }
            log enable
            protocol udp
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    bonding bond0 {
        description "Routing Backbone"
        hash-policy layer2+3
        member {
            interface eth2
            interface eth3
        }
        mode 802.3ad
        vif 10 {
            address xxx.xxx.10.1/24
            description "Physical Infrastructure"
        }
        vif 11 {
            address xxx.xxx.11.1/24
            description "Virtual Infrastructure"
        }
        vif 20 {
            address xxx.xxx.20.1/24
            description "Hosted Services"
        }
        vif 21 {
            address xxx.xxx.21.1/29
            description "Exposed Services"
        }
        vif 30 {
            address xxx.xxx.30.1/24
            description "Trusted Devices"
        }
        vif 31 {
            address xxx.xxx.31.1/24
            description "Untrusted Devices"
        }
        vif 32 {
            address xxx.xxx.32.1/24
            description "Guest Devices"
        }
        vif 200 {
            address xxx.xxx.200.1/24
            description "Testing LAN"
        }
    }
    ethernet eth0 {
        address xxx.xxx.182.76/24
        address xxx.xxx.182.77/24
        address xxx.xxx.182.78/24
        address xxx.xxx.182.79/24
        address xxx.xxx.182.80/24
        description Frontier
        hw-id xx:xx:xx:xx:xx:fa
    }
    ethernet eth1 {
        address dhcp
        description Spectrum
        hw-id xx:xx:xx:xx:xx:fb
    }
    ethernet eth2 {
        hw-id xx:xx:xx:xx:xx:71
    }
    ethernet eth3 {
        hw-id xx:xx:xx:xx:xx:72
    }
    ethernet eth4 {
        hw-id xx:xx:xx:xx:xx:74
    }
    loopback lo {
    }
    wireguard wg0 {
        address xxx.xxx.222.1/24
        address xxx.xxx.57.1/24
        description "Remote Access"
        peer RNET-R913510T {
            allowed-ips xxx.xxx.57.2/32
            preshared-key ****************
            pubkey ****************
        }
        peer grmedia {
            allowed-ips xxx.xxx.57.3/32
            pubkey ****************
        }
        port 51820
    }
}
nat {
    destination {
        rule 1 {
            description 3CX
            destination {
                address xxx.xxx.182.77
            }
            inbound-interface eth0
            translation {
                address xxx.xxx.21.2
            }
        }
        rule 2 {
            destination {
                address xxx.xxx.182.78
            }
            inbound-interface eth0
            translation {
                address xxx.xxx.21.3
            }
        }
        rule 3 {
            destination {
                address xxx.xxx.182.79
            }
            inbound-interface eth0
            translation {
                address xxx.xxx.21.4
            }
        }
        rule 4 {
            destination {
                address xxx.xxx.182.80
            }
            inbound-interface eth0
            translation {
                address xxx.xxx.21.5
            }
        }
        rule 100 {
            description "Allow Minecraft traffic"
            destination {
                address xxx.xxx.182.76
            }
            inbound-interface eth0
            translation {
                address xxx.xxx.30.2
            }
        }
    }
    source {
        rule 1 {
            description 3CX
            outbound-interface eth0
            source {
                address xxx.xxx.21.2
            }
            translation {
                address xxx.xxx.182.77
            }
        }
        rule 2 {
            outbound-interface eth0
            source {
                address xxx.xxx.21.3
            }
            translation {
                address xxx.xxx.182.78
            }
        }
        rule 3 {
            outbound-interface eth0
            source {
                address xxx.xxx.21.4
            }
            translation {
                address xxx.xxx.182.79
            }
        }
        rule 4 {
            outbound-interface eth0
            source {
                address xxx.xxx.21.5
            }
            translation {
                address xxx.xxx.182.80
            }
        }
        rule 20 {
            outbound-interface eth0
            source {
                address xxx.xxx.0.0/16
            }
            translation {
                address masquerade
            }
        }
        rule 21 {
            outbound-interface eth0
            source {
                address xxx.xxx.57.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route xxx.xxx.57.0/24 {
            next-hop-interface wg0 {
                disable
            }
        }
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.182.1 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name xxxxxx {
            authoritative
            description "Guest Devices"
            domain-search xxxxxx
            name-server xxx.xxx.20.2
            name-server xxx.xxx.20.3
            ntp-server xxx.xxx.20.4
            ping-check
            subnet xxx.xxx.32.0/24 {
                default-router xxx.xxx.32.1
                range 0 {
                    start xxx.xxx.32.2
                    stop xxx.xxx.32.254
                }
            }
        }
        shared-network-name xxxxxx {
            authoritative
            description "Trusted Devices"
            domain-search xxxxxx
            name-server xxx.xxx.20.2
            name-server xxx.xxx.20.3
            ntp-server xxx.xxx.20.4
            ping-check
            subnet xxx.xxx.200.0/24 {
                default-router xxx.xxx.200.1
                range 0 {
                    start xxx.xxx.200.50
                    stop xxx.xxx.200.254
                }
            }
        }
        shared-network-name xxxxxx {
            authoritative
            description "Trusted Devices"
            domain-search xxxxxx
            name-server xxx.xxx.20.2
            name-server xxx.xxx.20.3
            ntp-server xxx.xxx.20.4
            ping-check
            subnet xxx.xxx.30.0/24 {
                default-router xxx.xxx.30.1
                range 0 {
                    start xxx.xxx.30.50
                    stop xxx.xxx.30.254
                }
            }
        }
        shared-network-name xxxxxx {
            authoritative
            description "Untrusted Devices"
            domain-search xxxxxx
            name-server xxx.xxx.20.2
            name-server xxx.xxx.20.3
            ntp-server xxx.xxx.20.4
            ping-check
            subnet xxx.xxx.31.0/24 {
                default-router xxx.xxx.31.1
                range 0 {
                    start xxx.xxx.31.50
                    stop xxx.xxx.31.254
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth1 {
                service cloudflare {
                    host-name xxxxxx
                    login admin@reinitialized.net
                    password xxxxxx
                    protocol cloudflare
                    zone reinitialized.net
                }
            }
        }
    }
    ssh {
        listen-address xxx.xxx.0.0
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name xxxxxx
    host-name xxxxxx
    login {
        user xxxxxx {
            authentication {
                encrypted-password xxxxxx
            }
        }
    }
    name-server xxx.xxx.20.2
    name-server xxx.xxx.20.3
    ntp {
        server xxxxx.tld {
        }
    }
    option {
        performance latency
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone US/Central
}
zone-policy {
    zone LAN {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL2LAN
            }
        }
        from WAN {
            firewall {
                name WAN2LAN
            }
        }
        interface bond0.10
        interface bond0.11
        interface bond0.20
        interface bond0.21
        interface bond0.30
        interface bond0.31
        interface bond0.32
        interface bond0.200
    }
    zone LOCAL {
        default-action drop
        from LAN {
            firewall {
                name LAN2LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN2LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                name LAN2WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL2WAN
            }
        }
        interface eth1
        interface eth0
    }
}

Spent a good half of the day doing further testing:

  • Updated to VyOS 1.3.6, nothing changed.
  • Recalled in the past having some weird issues by having my backup ISP plugged into eth1. Removed port and completely disabled interface, no change.
  • Fully removed, then re-added Wireguard config and verified connectivity within LAN to confirm no keypair issues. Issue continues to persist from WAN2LOCAL.
  • Ran through the commit history to see if I did something I forgot about. All I see is me modifying rule 20 to point to eth1, along with updating to an interface-route for eth1. Beyond that, NO CHANGES TO WIREGUARD.
  • Did some further testing to see if ANY rules were being processed for the WAN2LOCAL zone. Despite confirming TCP ports being opened on the LAN side, WAN side reports PORTS are CLOSED.

This strongly leads me to believe there is something more going on here with how VyOS is processing the rulesets, completely breaking its ability to open ports from WAN2LOCAL. I really hope I’m just missing something obvious here, but I cannot for the life of me see what it is.

EDIT: Here is a list of changes I made when my Primary ISP went down and I switched over to my Backup. Wireguard and the WAN2LOCAL zone were working as expected up until I switched over to the Backup ISP, then back to my Primary, and they have not been working since. I do not see any changes I made here which should lead to the behavior I am currently experiencing. Please prove me wrong:

vyos@router1# run show system commit diff 62
[edit nat source rule 100]
>outbound-interface eth1
[edit]
vyos@router1# run show system commit diff 61
[edit protocols static]
+interface-route 0.0.0.0/0 {
+    next-hop-interface eth1 {
+    }
+}
-route 0.0.0.0/0 {
-    next-hop xxx.xxx.182.1 {
-    }
-}
[edit]
vyos@router1# run show system commit diff 60
[edit nat source rule 20]
>outbound-interface eth1
[edit nat source rule 100]
>outbound-interface eth0
[edit]
vyos@router1# run show system commit diff 59
[edit nat source rule 20 translation]
>address masquerade
[edit]
vyos@router1# run show system commit diff 58
[edit interfaces ethernet eth0]
+disable
[edit]
vyos@router1# run show system commit diff 57
[edit nat source rule 20]
>outbound-interface eth0
[edit protocols static]
-interface-route 0.0.0.0/0 {
-    next-hop-interface eth1 {
-    }
-}
+route 0.0.0.0/0 {
+    next-hop xxx.xxx.182.1 {
+    }
+}
[edit]
vyos@router1# run show system commit diff 56
[edit interfaces ethernet eth0]
-disable
[edit]
vyos@router1# run show system commit diff 55
[edit nat source rule 20]
>outbound-interface eth1
[edit protocols static route 0.0.0.0/0]
+dhcp-interface eth1
-next-hop xxx.xxx.182.1 {
-}
[edit]
vyos@router1# run show system commit diff 54
[edit protocols static route 0.0.0.0/0]
-dhcp-interface eth1
+next-hop xxx.xxx.182.1 {
+}
[edit]
vyos@router1# run show system commit diff 53
[edit nat source rule 20]
>outbound-interface eth0
[edit]

What happens if you add some rules to log denied traffic?

Nothing at all. Verified logging is enabled for rules 2 and 3, ran run monitor firewall name WAN2LOCAL, and it’s completely blank when I try to connect via my cellular connection. Same result when I attempt to ping: nothing.

To confirm logging is working as intended, I tested with rules on firewall WAN2LAN, and it is generating logs as expected.

vyos@router1# run monitor firewall name WAN2LAN
Notice: monitoring information is displayed only for rules with enabled logging
  Firewall-WAN2LAN: [11828.722104] [WAN2LAN-100-A] IN=eth0 OUT=bond0.21 MAC=xxx:9a:ac:bb:08:00 SRC=xxx.xxx.212.75 DST=xxx.xxx.21.3 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=58233 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
  Firewall-WAN2LAN: [11834.826706] [WAN2LAN-100-A] IN=eth0 OUT=bond0.21 MAC=xxx:9c:9a:ac:bb:08:00 SRC=xxx.xxx.127.46 DST=xxx.xxx.21.3 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=33822 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
  Firewall-WAN2LAN: [11843.141270] [WAN2LAN-100-A] IN=eth0 OUT=bond0.21 MAC=xxx:9c:9a:ac:bb:08:00 SRC=xxx.xxx.127.46 DST=xxx.xxx.21.5 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=57127 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
  Firewall-WAN2LAN: [11847.716589] [WAN2LAN-100-A] IN=eth0 OUT=bond0.21 MAC=xxx:9c:9a:ac:bb:08:00 SRC=xxx.xxx.181.118 DST=xxx.xxx.21.3 LEN=60 TOS=0x00 PREC=0x00 TTL=236 ID=0 PROTO=TCP SPT=28539 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
  Firewall-WAN2LAN: [11848.614283] [WAN2LAN-100-A] IN=eth0 OUT=bond0.21 MAC=xxx:9c:9a:ac:bb:08:00 SRC=xxx.xxx.181.118 DST=xxx.xxx.21.3 LEN=60 TOS=0x00 PREC=0x00 TTL=236 ID=0 PROTO=TCP SPT=25269 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
  Firewall-WAN2LAN: [11851.333973] [WAN2LAN-100-A] IN=eth0 OUT=bond0.21 MAC=xxx:9c:9a:ac:bb:08:00 SRC=xxx.xxx.127.46 DST=xxx.xxx.21.2 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=53933 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
^C
[edit]
vyos@router1# run monitor firewall name WAN2LOCAL
Notice: monitoring information is displayed only for rules with enabled logging
^C
[edit]

As a last resort, I am considering upgrading to 1.4.0-epa2 before I do a complete rebuild, since I know a lot of work was done toward full support for nftables, but I am still hesitant as it’s not a full “stable” release.

But tcpdump on the WAN interface shows the traffic coming in, even though the FW logging rule doesn’t show it?

I think it would be better to stay on 1.3.6 for the moment so we can at least try and understand the problem, before you throw more variables at it :slight_smile:

Yes, tcpdump shows the system is seeing the traffic hit eth0, but after that I cannot see any additional flow of traffic.

vyos@router1# tcpdump -i eth0 udp port 51820
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:02:56.285959 IP xxx.xxx.196.128.58895 > xxx.xxx.182.76.51820: UDP, length 148
14:03:01.312216 IP xxx.xxx.196.128.58895 > xxx.xxx.182.76.51820: UDP, length 148

OK that’s wireguard traffic.
What about simple ICMP to the WAN interface?

Can confirm eth0 is seeing ICMP requests coming from the same device with no reply. Oddly, there are requests AND replies occurring for one.one.one.one. Shortly after grabbing this log snippet, I saw a bunch of request and reply from amazonaws.com as well. Gonna test on a whole different connection real quick. I swear if this is just an issue with T-Mobile LOL.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:08:24.032755 IP xxx.xxx.182.76 > one.one.one.one: ICMP echo request, id 1, seq 1343, length 40
14:08:24.036561 IP one.one.one.one > xxx.xxx.182.76: ICMP echo reply, id 1, seq 1343, length 40
14:08:24.151396 IP xxx.xxx.180.92 > xxx.xxx.182.76: ICMP echo request, id 31584, seq 7, length 64
14:08:25.183535 IP xxx.xxx.180.92 > xxx.xxx.182.76: ICMP echo request, id 31584, seq 8, length 64
14:08:26.224077 IP xxx.xxx.180.92 > xxx.xxx.182.76: ICMP echo request, id 31584, seq 9, length 64
14:08:27.285629 IP xxx.xxx.180.92 > xxx.xxx.182.76: ICMP echo request, id 31584, seq 10, length 64
14:08:27.617542 IP xxx.xxx.159.2 > xxx.xxx.182.78: ICMP echo request, id 37498, seq 46089, length 38
14:08:27.617700 IP xxx.xxx.182.78 > xxx.xxx.159.2: ICMP echo reply, id 37498, seq 46089, length 38
14:08:28.324774 IP xxx.xxx.180.92 > xxx.xxx.182.76: ICMP echo request, id 31584, seq 11, length 64
14:08:29.344312 IP xxx.xxx.180.92 > xxx.xxx.182.76: ICMP echo request, id 31584, seq 12, length 64
14:08:30.393274 IP xxx.xxx.180.92 > xxx.xxx.182.76: ICMP echo request, id 31584, seq 13, length 64
14:08:31.424026 IP xxx.xxx.180.92 > xxx.xxx.182.76: ICMP echo request, id 31584, seq 14, length 64
14:08:39.066715 IP xxx.xxx.182.76 > one.one.one.one: ICMP echo request, id 1, seq 1344, length 40
14:08:39.071940 IP one.one.one.one > xxx.xxx.182.76: ICMP echo reply, id 1, seq 1344, length 40
14:08:54.105039 IP xxx.xxx.182.76 > one.one.one.one: ICMP echo request, id 1, seq 1345, length 40
14:08:54.108724 IP one.one.one.one > xxx.xxx.182.76: ICMP echo reply, id 1, seq 1345, length 40
14:09:09.144372 IP xxx.xxx.182.76 > one.one.one.one: ICMP echo request, id 1, seq 1346, length 40
14:09:09.148334 IP one.one.one.one > xxx.xxx.182.76: ICMP echo reply, id 1, seq 1346, length 40

EDIT: Just tested from a third-party VPS, same issue with ICMP echo request but no replies.

Ok, what does show ip route xxx.xxx.180.92 show you? Is the right return route installed in the table?

Then what does the conntrack table look like for one of your source/destination IPs?

sudo conntrack -L -s xxx.xxx.180.92

I think you can ignore the 1.1.1.1 stuff, it’s replies, something within your network is sending the requests.

Finally, if nothing obvious pops up it would be good to dump the full iptables rules and log a Phabricator bug. I wonder if it’s something relating to the fact you have multiple IPs on your eth0 interface.

Here’s the results. I do notice in the conntrack the destination appears to be going to xxx.xxx.182.77, which is one of my 5 static IPs. Though I don’t know why it would; I have 1:1 mappings for those to internal IPs, and everything else goes through xxx.xxx.182.76 …

vyos@router1# run show ip route xxx.xxx.180.92
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  Last update 04:04:49 ago
  * xxx.xxx.182.1, via eth0, weight 1

[edit]
vyos@router1# sudo conntrack -L -s xxx.xxx.180.92
tcp      6 431999 ESTABLISHED src=xxx.xxx.180.92 dst=xxx.xxx.182.77 sport=41840 dport=5090 src=xxx.xxx.21.2 dst=xxx.xxx180.92 sport=5090 dport=41840 [ASSURED] mark=0 use=1
icmp     1 29 src=xxx.xxx.180.92 dst=xxx.xxx.182.76 type=8 code=0 id=41761 [UNREPLIED] src=xxx.xxx.30.2 dst=xxx.xxx.180.92 type=0 code=0 id=41761 mark=0 use=1
conntrack v1.4.6 (conntrack-tools): 2 flow entries have been shown.

EDIT: Realized it’s the 3CX app running on my phone, so nothing out of the ordinary there.
EDIT2: Updated to show conntrack while running an ICMP ping. Showing as expected, with the exception of “UNREPLIED”.

For the heck of it, here’s a full iptables dump as well:

vyos@router1# sudo iptables -S | strip-private
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N VYATTA_PRE_FW_IN_HOOK
-N VYATTA_PRE_FW_FWD_HOOK
-N VYATTA_PRE_FW_OUT_HOOK
-N VYATTA_POST_FW_IN_HOOK
-N VYATTA_POST_FW_FWD_HOOK
-N VYATTA_POST_FW_OUT_HOOK
-N VYATTA_FW_OUT_HOOK
-N VYATTA_FW_IN_HOOK
-N VYATTA_FW_LOCAL_HOOK
-N LOCAL2LAN
-N LAN2WAN
-N LAN2LOCAL
-N WAN2LOCAL
-N WAN2LAN
-N LOCAL2WAN
-N VZONE_LAN
-N VZONE_LOCAL_IN
-N VZONE_LOCAL_OUT
-N VZONE_WAN
-A INPUT -j VYATTA_PRE_FW_IN_HOOK
-A INPUT -j VYATTA_FW_LOCAL_HOOK
-A INPUT -j VZONE_LOCAL_IN
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -j VYATTA_PRE_FW_FWD_HOOK
-A FORWARD -j VYATTA_FW_IN_HOOK
-A FORWARD -j VYATTA_FW_OUT_HOOK
-A FORWARD -o bond0.10 -j VZONE_LAN
-A FORWARD -o bond0.11 -j VZONE_LAN
-A FORWARD -o bond0.20 -j VZONE_LAN
-A FORWARD -o bond0.21 -j VZONE_LAN
-A FORWARD -o bond0.30 -j VZONE_LAN
-A FORWARD -o bond0.31 -j VZONE_LAN
-A FORWARD -o bond0.32 -j VZONE_LAN
-A FORWARD -o bond0.200 -j VZONE_LAN
-A FORWARD -o eth0 -j VZONE_WAN
-A FORWARD -o wg0 -j VZONE_LAN
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A OUTPUT -j VYATTA_PRE_FW_OUT_HOOK
-A OUTPUT -j VZONE_LOCAL_OUT
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j RETURN
-A VYATTA_PRE_FW_FWD_HOOK -j RETURN
-A VYATTA_PRE_FW_OUT_HOOK -j RETURN
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A LOCAL2LAN -m comment --comment "LOCAL2LAN-1000000 default-action accept" -j RETURN
-A LAN2WAN -m comment --comment "LAN2WAN-1000000 default-action accept" -j RETURN
-A LAN2LOCAL -m comment --comment "LAN2LOCAL-1000000 default-action accept" -j RETURN
-A WAN2LOCAL -m state --state RELATED,ESTABLISHED -m comment --comment WAN2LOCAL-1 -j LOG --log-prefix "[WAN2LOCAL-1-A] "
-A WAN2LOCAL -m state --state RELATED,ESTABLISHED -m comment --comment WAN2LOCAL-1 -j RETURN
-A WAN2LOCAL -p icmp -m state --state NEW -m comment --comment WAN2LOCAL-2 -j LOG --log-prefix "[WAN2LOCAL-2-A] "
-A WAN2LOCAL -p icmp -m state --state NEW -m comment --comment WAN2LOCAL-2 -j RETURN
-A WAN2LOCAL -p udp -m state --state NEW -m udp --dport 51820 -m comment --comment WAN2LOCAL-3 -j LOG --log-prefix "[WAN2LOCAL-3-A] "
-A WAN2LOCAL -p udp -m state --state NEW -m udp --dport 51820 -m comment --comment WAN2LOCAL-3 -j RETURN
-A WAN2LOCAL -m comment --comment "WAN2LOCAL-1000000 default-action drop" -j DROP
-A WAN2LAN -m state --state RELATED,ESTABLISHED -m comment --comment WAN2LAN-1 -j RETURN
-A WAN2LAN -p icmp -m state --state NEW -m comment --comment WAN2LAN-2 -j RETURN
-A WAN2LAN -d xxx.xxx.21.2/32 -p tcp -m state --state NEW -m set --match-set 3CX dst -m comment --comment WAN2LAN-10 -j RETURN
-A WAN2LAN -d xxx.xxx.21.2/32 -p udp -m state --state NEW -m set --match-set 3CX dst -m comment --comment WAN2LAN-10 -j RETURN
-A WAN2LAN -d xxx.xxx.21.0/29 -p tcp -m state --state NEW -m set --match-set http dst -m comment --comment WAN2LAN-100 -j LOG --log-prefix "[WAN2LAN-100-A] "
-A WAN2LAN -d xxx.xxx.21.0/29 -p tcp -m state --state NEW -m set --match-set http dst -m comment --comment WAN2LAN-100 -j RETURN
-A WAN2LAN -d xxx.xxx.21.0/29 -p udp -m state --state NEW -m set --match-set http dst -m comment --comment WAN2LAN-100 -j LOG --log-prefix "[WAN2LAN-100-A] "
-A WAN2LAN -d xxx.xxx.21.0/29 -p udp -m state --state NEW -m set --match-set http dst -m comment --comment WAN2LAN-100 -j RETURN
-A WAN2LAN -d xxx.xxx.30.2/32 -p tcp -m state --state NEW -m tcp --dport 25565 -m comment --comment WAN2LAN-101 -j RETURN
-A WAN2LAN -d xxx.xxx.30.2/32 -p udp -m state --state NEW -m udp --dport 25565 -m comment --comment WAN2LAN-101 -j RETURN
-A WAN2LAN -m comment --comment "WAN2LAN-1000000 default-action drop" -j DROP
-A LOCAL2WAN -m comment --comment "LOCAL2WAN-1000000 default-action accept" -j RETURN
-A VZONE_LAN -i wg0 -j RETURN
-A VZONE_LAN -i bond0.200 -j RETURN
-A VZONE_LAN -i bond0.32 -j RETURN
-A VZONE_LAN -i bond0.31 -j RETURN
-A VZONE_LAN -i bond0.30 -j RETURN
-A VZONE_LAN -i bond0.21 -j RETURN
-A VZONE_LAN -i bond0.20 -j RETURN
-A VZONE_LAN -i bond0.11 -j RETURN
-A VZONE_LAN -i bond0.10 -j RETURN
-A VZONE_LAN -i eth0 -j WAN2LAN
-A VZONE_LAN -i eth0 -j RETURN
-A VZONE_LAN -j DROP
-A VZONE_LOCAL_IN -i lo -j RETURN
-A VZONE_LOCAL_IN -i bond0.10 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i bond0.10 -j RETURN
-A VZONE_LOCAL_IN -i bond0.11 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i bond0.11 -j RETURN
-A VZONE_LOCAL_IN -i bond0.20 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i bond0.20 -j RETURN
-A VZONE_LOCAL_IN -i bond0.21 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i bond0.21 -j RETURN
-A VZONE_LOCAL_IN -i bond0.30 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i bond0.30 -j RETURN
-A VZONE_LOCAL_IN -i bond0.31 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i bond0.31 -j RETURN
-A VZONE_LOCAL_IN -i bond0.32 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i bond0.32 -j RETURN
-A VZONE_LOCAL_IN -i bond0.200 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i bond0.200 -j RETURN
-A VZONE_LOCAL_IN -i eth0 -j WAN2LOCAL
-A VZONE_LOCAL_IN -i eth0 -j RETURN
-A VZONE_LOCAL_IN -i wg0 -j LAN2LOCAL
-A VZONE_LOCAL_IN -i wg0 -j RETURN
-A VZONE_LOCAL_IN -j DROP
-A VZONE_LOCAL_OUT -o lo -j RETURN
-A VZONE_LOCAL_OUT -o bond0.10 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o bond0.10 -j RETURN
-A VZONE_LOCAL_OUT -o bond0.11 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o bond0.11 -j RETURN
-A VZONE_LOCAL_OUT -o bond0.20 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o bond0.20 -j RETURN
-A VZONE_LOCAL_OUT -o bond0.21 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o bond0.21 -j RETURN
-A VZONE_LOCAL_OUT -o bond0.30 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o bond0.30 -j RETURN
-A VZONE_LOCAL_OUT -o bond0.31 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o bond0.31 -j RETURN
-A VZONE_LOCAL_OUT -o bond0.32 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o bond0.32 -j RETURN
-A VZONE_LOCAL_OUT -o bond0.200 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o bond0.200 -j RETURN
-A VZONE_LOCAL_OUT -o eth0 -j LOCAL2WAN
-A VZONE_LOCAL_OUT -o eth0 -j RETURN
-A VZONE_LOCAL_OUT -o wg0 -j LOCAL2LAN
-A VZONE_LOCAL_OUT -o wg0 -j RETURN
-A VZONE_LOCAL_OUT -j DROP
-A VZONE_WAN -i eth0 -j RETURN
-A VZONE_WAN -i bond0.10 -j LAN2WAN
-A VZONE_WAN -i bond0.10 -j RETURN
-A VZONE_WAN -i bond0.11 -j LAN2WAN
-A VZONE_WAN -i bond0.11 -j RETURN
-A VZONE_WAN -i bond0.20 -j LAN2WAN
-A VZONE_WAN -i bond0.20 -j RETURN
-A VZONE_WAN -i bond0.21 -j LAN2WAN
-A VZONE_WAN -i bond0.21 -j RETURN
-A VZONE_WAN -i bond0.30 -j LAN2WAN
-A VZONE_WAN -i bond0.30 -j RETURN
-A VZONE_WAN -i bond0.31 -j LAN2WAN
-A VZONE_WAN -i bond0.31 -j RETURN
-A VZONE_WAN -i bond0.32 -j LAN2WAN
-A VZONE_WAN -i bond0.32 -j RETURN
-A VZONE_WAN -i bond0.200 -j LAN2WAN
-A VZONE_WAN -i bond0.200 -j RETURN
-A VZONE_WAN -i wg0 -j LAN2WAN
-A VZONE_WAN -i wg0 -j RETURN
-A VZONE_WAN -j DROP

So hang on I’ve just looked at this more.

You are saying that xx.xx.182.76 is assigned to your eth0 port, but you ALSO have a NAT rule saying “NAT all traffic coming to xx.xx.182.76 to xxx.xxx.30.2.”

That doesn’t make sense? Remove the NAT rule and I expect that PING will work just fine.


I had to go outside and SCREAM cause of how long I’ve been trying to resolve this, LOL. Yep, that fixed it. Thanks for the second pair of eyes, cause I glossed over that so many times not thinking about needing to specify the destination and translation address…


Weeee. Good to hear :grinning:

You are saying that xx.xx.182.76 is assigned to your eth0 port, but you ALSO have a NAT rule saying “NAT all traffic coming to xx.xx.182.76 to xxx.xxx.30.2.”

That sounds to me like some regular DNAT of incoming traffic where you portforward everything.

Basically whatever arrives at WAN interface forward that to a dedicated client on LAN.

The above will of course be tricky if, at the same time, you have clients other than x.x.30.2 on your LAN which you wish to be able to communicate with the WAN.
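To make the mechanism behind the fix concrete, here is an added example (not from this thread and not VyOS code): a small Python model of PREROUTING destination NAT followed by the routing decision, with constructed documentation addresses standing in for the masked ones. It shows why the catch-all rule 100 sends ICMP and WireGuard packets addressed to the WAN IP into the WAN2LAN (FORWARD) ruleset instead of WAN2LOCAL (INPUT), why a port-restricted version of the rule does not, and includes a check that flags DNAT rules matching a router address without any protocol or port restriction.

```python
"""Model: PREROUTING DNAT runs before the routing decision, so a packet whose
destination gets rewritten to a LAN host is evaluated in FORWARD (WAN2LAN) and
never reaches INPUT (WAN2LOCAL).  All addresses and rules here are constructed
stand-ins for the masked values in the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for ICMP


@dataclass(frozen=True)
class DnatRule:
    number: int
    match_dst: str
    translate_to: str
    protocols: Tuple[str, ...] = ()   # empty = any protocol (no 'protocol' set)
    ports: Tuple[int, ...] = ()       # empty = any port (no 'destination port')

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.match_dst:
            return False
        if self.protocols and pkt.proto not in self.protocols:
            return False
        if self.ports and pkt.dport not in self.ports:
            return False
        return True


@dataclass(frozen=True)
class FwRule:
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None = any
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


WAN_PRIMARY = "203.0.113.76"    # constructed: primary address on eth0
ROUTER_ADDRS = {WAN_PRIMARY}    # addresses owned by the router itself
MINECRAFT_HOST = "10.0.30.2"    # constructed: LAN host behind DNAT rule 100

# Zone rulesets reduced to the rules relevant here; default-action is drop.
WAN2LOCAL: List[FwRule] = [FwRule("accept", proto="icmp"),
                           FwRule("accept", proto="udp", dport=51820)]
WAN2LAN: List[FwRule] = [FwRule("accept", proto="icmp"),
                         FwRule("accept", "tcp", MINECRAFT_HOST, 25565),
                         FwRule("accept", "udp", MINECRAFT_HOST, 25565)]


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """First matching destination-NAT rule rewrites the destination address."""
    for r in rules:
        if r.matches(pkt):
            return Packet(r.translate_to, pkt.proto, pkt.dport)
    return pkt


def evaluate_ruleset(pkt: Packet, ruleset: List[FwRule]) -> str:
    for r in ruleset:
        if r.matches(pkt):
            return r.action
    return "drop"


def process(pkt: Packet, dnat_rules: List[DnatRule]) -> Tuple[str, str, str]:
    """Return (ruleset consulted, destination after NAT, verdict)."""
    after = apply_dnat(pkt, dnat_rules)           # PREROUTING nat
    if after.dst in ROUTER_ADDRS:                 # routing decision: local?
        return "WAN2LOCAL", after.dst, evaluate_ruleset(after, WAN2LOCAL)
    return "WAN2LAN", after.dst, evaluate_ruleset(after, WAN2LAN)


def catch_all_dnat(dnat_rules: List[DnatRule]) -> List[int]:
    """Audit: DNAT rules that match a router-owned address with no protocol
    or port restriction, i.e. rules that swallow traffic meant for the router."""
    return [r.number for r in dnat_rules
            if r.match_dst in ROUTER_ADDRS and not r.protocols and not r.ports]


# As in the thread: rule 100 translates everything sent to the WAN address.
BROKEN = [DnatRule(100, WAN_PRIMARY, MINECRAFT_HOST)]
# Corrected: translate only Minecraft traffic (tcp_udp, port 25565).
FIXED = [DnatRule(100, WAN_PRIMARY, MINECRAFT_HOST, ("tcp", "udp"), (25565,))]

if __name__ == "__main__":
    for pkt in (Packet(WAN_PRIMARY, "icmp"), Packet(WAN_PRIMARY, "udp", 51820),
                Packet(WAN_PRIMARY, "tcp", 25565)):
        print("broken:", pkt, "->", process(pkt, BROKEN))
        print("fixed: ", pkt, "->", process(pkt, FIXED))
    print("catch-all DNAT rules:", catch_all_dnat(BROKEN))
```

With the broken rule the WireGuard packet is dropped inside WAN2LAN, which is exactly why "monitor firewall name WAN2LOCAL" stayed empty while tcpdump on eth0 saw the traffic.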