# dual wan

## mustang01

[Moderator note: this post, and only this post, was originally attached to the Documentation, Tips, & Tricks topic HOWTO setup dual wan, but it is a support request, not documentation or a correction to that post. -Hu]

Hello, I am trying to set up dual WAN in my network.

I have two routers on 192.168.1.1/30 and 192.168.2.1/30. My IP addresses are 192.168.1.2 and 192.168.2.2. The LAN address is 192.168.0.1/27. When I run the firewall script I get an error.

Script:

```
#!/bin/bash

#tools
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"

###interfaces
WAN0="enp6s0"; WAN0_IP="192.168.1.2"
WAN1="enp5s0"; WAN1_IP="192.168.2.2"
LAN="enp1s0"

###clearing iptables
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IP6TABLES -F
$IP6TABLES -t mangle -F
$IP6TABLES -X
$IP6TABLES -t mangle -X
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT ACCEPT
$IP6TABLES -P FORWARD DROP

###nat
$IPTABLES -t nat -A POSTROUTING -o $WAN0 -j SNAT --to-source $WAN0_IP
$IPTABLES -t nat -A POSTROUTING -o $WAN1 -j SNAT --to-source $WAN1_IP

###mangle (used for load balancing)
$IPTABLES -t mangle -A POSTROUTING -o $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A POSTROUTING -o $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -i $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
$IPTABLES -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
$IPTABLES -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

###must have rules
$IPTABLES  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES  -A INPUT -p icmp   -j ACCEPT
$IPTABLES  -A INPUT -i lo -j ACCEPT
$IPTABLES  -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6   -j ACCEPT
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

###internet access
$IPTABLES -A FORWARD -i $LAN -o $WAN0 ! -d 192.168.0.0/16 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $WAN1 ! -d 192.168.0.0/16 -j ACCEPT

###default reject
$IPTABLES  -A INPUT   -j REJECT
$IPTABLES  -A FORWARD -j REJECT
$IP6TABLES -A INPUT   -j REJECT
$IP6TABLES -A FORWARD -j REJECT
```

Error:

```
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
```

Please help me.

----------

## Hu

*mustang01 wrote:*

> When I run the firewall script I get an error.

You should not use a script to set iptables rules. You should use iptables-restore. By using a script, you allow failures to leave your firewall in an inconsistent state.

*mustang01 wrote:*

> ```
> #!/bin/bash
> ...
> ```

Your script is missing set -e. Under the circumstances, you may want to place that after the firewall is placed in a fail-secure state.

*mustang01 wrote:*

> ```
> WAN0="enp6s0"; WAN0_IP="192.168.1.2"
> ...
> ```

I hope these are placeholder addresses for the purpose of the post. Those are still private IP addresses, and are unlikely to be real WAN addresses.

*mustang01 wrote:*

> ```
> ###mangle (used for load balancing)
> ...
> ```

Where do you read these marks? I do not see any uses of -m connmark.

*mustang01 wrote:*

> ```
> ###default reject
> ...
> ```

Do you really want REJECT for disallowed traffic coming in from the Internet? You originally set a policy of DROP, but this REJECT preempts that.

*mustang01 wrote:*

> Error:
>
> ```
> iptables: No chain/target/match by that name.
> ...
> ```

Which statements fail? set -e would have stopped it on the first failure. iptables-restore would tell you which line failed. You could also use set -x to make bash print statements as it goes, so that the offending statement will be shown immediately preceding the error message.
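Hu's advice carried through, as an added example that is not part of the original thread: mustang01's IPv4 ruleset rendered as an iptables-restore file (the ip6tables half would go in a second file for ip6tables-restore the same way), loaded atomically after a parse check. Interface names and addresses are the ones from the post; the rules file path and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the posted ruleset in
# iptables-restore format. Interfaces/addresses are the posted ones;
# RULES_FILE is an assumed path.
WAN0="enp6s0"; WAN0_IP="192.168.1.2"
WAN1="enp5s0"; WAN1_IP="192.168.2.2"
LAN="enp1s0"
RULES_FILE="${RULES_FILE:-/run/firewall.rules}"

# Emit the whole IPv4 ruleset. Each table is "*name", the chain policies,
# the rules, then COMMIT. The trailing "-j REJECT" catch-alls of the script
# are left out: the DROP policies already handle disallowed traffic, and the
# REJECT rules would preempt them (Hu's point above).
render_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN0 -j SNAT --to-source $WAN0_IP
-A POSTROUTING -o $WAN1 -j SNAT --to-source $WAN1_IP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Connection marks exactly as posted. They only steer traffic once matching
# "ip rule add fwmark <n> table <t>" entries exist (the Net-ISP-Balance output
# later in the thread shows such entries); without them the marks are set
# but never read.
-A POSTROUTING -o $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
-A POSTROUTING -o $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
-A PREROUTING -i $WAN0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
-A PREROUTING -i $WAN1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x101
-A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN0 ! -d 192.168.0.0/16 -j ACCEPT
-A FORWARD -i $LAN -o $WAN1 ! -d 192.168.0.0/16 -j ACCEPT
COMMIT
EOF
}

# Load the file atomically. "iptables-restore --test" parses it and reports
# the failing line number without touching the kernel; only a file that
# parses cleanly is then committed, and a commit applies every table or
# none of them. That is why the "set -e after the fail-secure state"
# ordering worry of a line-by-line script does not arise here.
apply_rules() {
    render_rules > "$RULES_FILE" || return 1
    iptables-restore --test "$RULES_FILE" || return 1
    iptables-restore "$RULES_FILE"
}

# Touch the kernel only when asked explicitly:  sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Running the script without arguments only defines the functions, so `render_rules` can be inspected with `sh -c '. ./firewall.sh; render_rules'` before anything is applied.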

----------

## mustang01

https://forums.gentoo.org/viewtopic-p-7411172.html

*Quote:*

> ```
> WAN0="enp6s0"; WAN0_IP="192.168.1.2"
> WAN1="enp5s0"; WAN1_IP="192.168.2.2"
> ...
> ```

These are the IP addresses of my network cards. The first router (192.168.1.1) gets a dynamic public IP address. The other router (192.168.2.1) is on the LTE network without a public IP address.

I copied this script from https://forums.gentoo.org/viewtopic-p-7411172.html and I was surprised it didn't work. I don't know iptables. I copied my previous iptables rules from https://wiki.gentoo.org/wiki/Home_router and they worked.

Can you write me new iptables rules?

PS. I used this program -> https://github.com/lstein/Net-ISP-Balance and the matter is done.

----------

## mustang01

Hello, I have a problem setting up a VPN tunnel from a home Gentoo router to a VPS server running Arch Linux. On Gentoo, I have dual WAN: a VDSL (dynamic IP) connection with a modem under PPPoE and an LTE router (no public IP, blocked ports). I'd like to set up an LTE connection to a VPS server on Arch Linux and unblock the blocked ports for a Gentoo web server.

I would like to use WireGuard because it is the fastest VPN tunnel I know. I use the Net-ISP-Balance script to set up the dual-WAN connection -> https://lstein.github.io/Net-ISP-Balance/.

I used the script from https://github.com/angristan/wireguard-install on Arch Linux to install and configure WireGuard.

I have a problem configuring the VPN connection: after establishing the connection I cannot browse the web. Please help.

Gentoo configuration files (home router).

`# cat /etc/conf.d/net`

```
config_enp1s0="192.168.0.1/27"
config_enp5s0="192.168.2.2/24"
routes_enp5s0="default via 192.168.2.1"
dns_servers_enp5s0="185.89.185.1 89.108.195.20"
vlans_enp6s0="2"
config_enp6s0="null"
config_enp6s0_2="192.168.1.2/30"
config_ppp0="ppp"
link_ppp0="enp6s0"
plugins_ppp0="pppoe"
username_ppp0='*******@neostrada.pl'
password_ppp0='*******'
pppd_ppp0="
noauth
defaultroute
usepeerdns
mtu 1492
holdoff 3
child-timeout 60
lcp-echo-interval 15
lcp-echo-failure 3
noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp"
rc_net_ppp0_need="net.enp6s0"
```

`# cat /etc/balance.conf`

```
## Net::ISP::Balance configuration file
## edit it as needed to describe your router setup

## This table defines the LAN and IP services.
## Uncomment by removing hash symbols (#) and then edit as needed
## service    device   role     ping-ip            weight  gateway
CABLE         enp5s0     isp      172.217.20.163      1       default
DSL           ppp0       isp      172.217.20.163      1       default
LAN1          enp1s0     lan
LAN2          enp6s0.2   lan

# The mode controls whether to operate in "balanced" mode in which traffic
# is distributed among the isp services proportional to the weights, or "failover"
# mode in which all traffic is routed through the highest weighted service and
# switches to lower-weighted services only when the higher one(s) are unavailable.
mode=balanced
#mode=failover

## The "forwarding_group" option gives you fine control over how
## packets are forwarded.  See the online docs for details.  :lan
## means all interfaces marked as "lan" :isp means all interfaces
## marked as "isp" the default (shown below) allows forwarding among
## all lan and isp interfaces
forwarding_group=:lan :isp

## The "mode" option, if present, selects which mode Net-ISP-Balance runs
## in. The choices are "balanced" and "failover".
##
## In "balanced" mode (the default) each interface marked as an ISP
## will be used to balance outgoing and incoming packets. If one goes
## down, the other(s) will be used as failover services.  The "weight"
## column in the table above is used to prioritize how packets are
## balanced across the (running) interfaces.
##
## In "failover" mode, only one ISP will be used at a time. The others
## will be used as backups if the primary interface fails. In this case
## the weight is used to select which interface is currently active, with
## the currently running interface with the highest weight being selected.

## These options are passed to lsm, among others.
## the defaults are shown. To change them, uncomment
## and edit.
warn_email=lukasz.mustang@gmail.com
interval_ms=1000
max_packet_loss=15
max_successive_pkts_lost=7
min_packet_loss=5
min_successive_pkts_rcvd=10
#long_down_time=120
```

`# sudo load_balance.pl -d`

```
echo 0 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/pre-run/pre-run-script.pl ##
## Finished /etc/balance/pre-run/pre-run-script.pl ##
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush table  1
ip route flush table  2
ip route add  192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add  83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add  192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add  192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip route add default scope global nexthop via 192.168.2.1 dev enp5s0 weight 1 nexthop via 83.1.4.248 dev ppp0 weight 1
ip route add table 1 default dev enp5s0 via 192.168.2.1
ip route add table 1 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 1 83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add table 1 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 1 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 192.168.2.2 table 1
ip rule add fwmark 1 table 1
ip route add table 2 default dev ppp0 via 83.1.4.248
ip route add table 2 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 2 83.1.4.248/32 dev ppp0 src 83.21.137.153
ip route add table 2 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 2 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 83.21.137.153 table 2
ip rule add fwmark 2 table 2
## Including rules from /etc/balance/routes/01.local_routes ##
# enter any routing commands you might want to go in
# for example:
# ip route add 192.168.100.1 dev eth0 src 198.162.1.14
## Finished /etc/balance/routes/01.local_routes ##
## Including rules from /etc/balance/routes/02.local_routes.pl ##
## Finished /etc/balance/routes/02.local_routes.pl ##
## Including rules from /etc/balance/routes/03.noip.conf ##
ip rule add ipproto UDP dport 7777 table 2
ip rule add to 176.9.5.77 table 2
## Finished /etc/balance/routes/03.noip.conf ##
iptables -F
iptables -X
iptables -t nat    -F
iptables -t nat    -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT    DROP
iptables -P OUTPUT   DROP
iptables -P FORWARD  DROP
iptables -N REJECTPERM
iptables -A REJECTPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "REJECTED: "
iptables -A REJECTPERM -j REJECT --reject-with icmp-net-unreachable
iptables -N DROPGEN
iptables -A DROPGEN -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "GENERAL: "
iptables -A DROPGEN -j DROP
iptables -N DROPINVAL
iptables -A DROPINVAL -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "INVALID: "
iptables -A DROPINVAL -j DROP
iptables -N DROPPERM
iptables -A DROPPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "ACCESS-DENIED: "
iptables -A DROPPERM -j DROP
iptables -N DROPSPOOF
iptables -A DROPSPOOF -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "DROP-SPOOF: "
iptables -A DROPSPOOF -j DROP
iptables -N DROPFLOOD
iptables -A DROPFLOOD -m limit --limit 1/minute  -j LOG --log-level 4 --log-prefix "DROP-FLOOD: "
iptables -A DROPFLOOD -j DROP
iptables -N DEBUG
iptables -A DEBUG  -j LOG --log-level 3 --log-prefix "DEBUG: "
iptables -t mangle -N MARK-CABLE
iptables -t mangle -A MARK-CABLE -j MARK     --set-mark 1
iptables -t mangle -A MARK-CABLE -j CONNMARK --save-mark
iptables -t mangle -N MARK-DSL
iptables -t mangle -A MARK-DSL -j MARK     --set-mark 2
iptables -t mangle -A MARK-DSL -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate NEW -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate NEW -j MARK-DSL
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j DROPPERM
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A INPUT   -i enp1s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT  -o enp1s0 -d 192.168.0.0/27  -j ACCEPT
iptables -A OUTPUT  -o enp1s0 -d 255.255.255.255/32  -j ACCEPT
iptables -A OUTPUT  -p udp -s 192.168.0.0/27 -j ACCEPT
iptables -A INPUT   -i enp6s0.2 -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT  -o enp6s0.2 -d 192.168.1.0/30  -j ACCEPT
iptables -A OUTPUT  -o enp6s0.2 -d 255.255.255.255/32  -j ACCEPT
iptables -A OUTPUT  -p udp -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp5s0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp5s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o ppp0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp5s0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o ppp0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp6s0.2 -s 192.168.0.0/27 -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp1s0 -s 192.168.1.0/30 -d 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT  -j DROPSPOOF
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Including rules from /etc/balance/firewall/01.accept ##
## This file contains iptables statements that add additional firewall rules
# allow incoming domain packets -- needed for DNS resolution
iptables -A INPUT   -p udp --source-port domain -j ACCEPT
# allow incoming NTP packets -- needed for net time protocol
iptables -A INPUT   -p udp --source-port ntp -j ACCEPT
## Finished /etc/balance/firewall/01.accept ##
## Including rules from /etc/balance/firewall/01.accept.pl ##
iptables -A INPUT -p tcp -s 192.168.0.0/27 --syn --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/30 --syn --dport ssh -j ACCEPT
## Finished /etc/balance/firewall/01.accept.pl ##
## Including rules from /etc/balance/firewall/02.forward.pl ##
iptables -A FORWARD -p udp --source-port domain -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp    -d 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -p udp --source-port domain -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -p udp --source-port ntp    -d 192.168.1.0/30 -j ACCEPT
## Finished /etc/balance/firewall/02.forward.pl ##
## Including rules from /etc/balance/firewall/04.webserver.conf ##
iptables -A INPUT -p tcp --syn --dport 8885  -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 18081 -j ACCEPT
## Finished /etc/balance/firewall/04.webserver.conf ##
echo 1 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/post-run/post-run-script.pl ##
## Finished /etc/balance/post-run/post-run-script.pl ##
lsm process killed
Starting lsm link status monitoring daemon
```

`# ifconfig`

```
enp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.224  broadcast 192.168.0.31
        inet6 fe80::523e:aaff:fe02:d989  prefixlen 64  scopeid 0x20<link>
        ether 50:3e:aa:02:d9:89  txqueuelen 1000  (Ethernet)
        RX packets 876523  bytes 110763076 (105.6 MiB)
        RX errors 0  dropped 56347  overruns 0  frame 0
        TX packets 1475342  bytes 1856439602 (1.7 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.2  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::12bf:48ff:fe4d:2685  prefixlen 64  scopeid 0x20<link>
        ether 10:bf:48:4d:26:85  txqueuelen 1000  (Ethernet)
        RX packets 677118  bytes 793192929 (756.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 330002  bytes 36277871 (34.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  memory 0xf7a00000-f7a20000

enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::12bf:48ff:fe4d:243d  prefixlen 64  scopeid 0x20<link>
        ether 10:bf:48:4d:24:3d  txqueuelen 1000  (Ethernet)
        RX packets 870456  bytes 1114483756 (1.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 527544  bytes 64500032 (61.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 18  memory 0xf7900000-f7920000

enp6s0.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.252  broadcast 192.168.1.3
        inet6 fe80::12bf:48ff:fe4d:243d  prefixlen 64  scopeid 0x20<link>
        ether 10:bf:48:4d:24:3d  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 42 (42.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1830  bytes 374900 (366.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 118283  bytes 32662516 (31.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 118283  bytes 32662516 (31.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 83.21.137.153  netmask 255.255.255.255  destination 83.1.4.248
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 864803  bytes 1091641285 (1.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 520044  bytes 50226273 (47.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

`# cat /etc/wireguard/wg0-client.conf`

```
[Interface]
PrivateKey = +BQDgkcjvjic3XYHeiDxthuwyep+UA7arnByYpbvxV0=
Address = 10.66.66.2/24,fd42:42:42::2/64
DNS = 176.103.130.130,176.103.130.131

[Peer]
PublicKey = 9WebKmUim9bgZCoMCqGeKpEU+0l1yehGuWsYqUyp+Hk=
Endpoint = 51.38.131.234:1194
AllowedIPs = 0.0.0.0/0
PresharedKey = /J1j0uj8ka/Wen/qgFhBP4ii13PpWglsY5TFBfZrZ4c=
```

Arch Linux configuration files (VPS server).

`# ifconfig`

```
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 51.38.131.234  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::f816:3eff:fe26:17c2  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:26:17:c2  txqueuelen 1000  (Ethernet)
        RX packets 123692  bytes 13733337 (13.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 131469  bytes 20185711 (19.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 15  bytes 1456 (1.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15  bytes 1456 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.66.66.1  netmask 255.255.255.0  destination 10.66.66.1
        inet6 fd42:42:42::1  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 357  bytes 17804 (17.3 KiB)
        RX errors 233  dropped 0  overruns 0  frame 233
        TX packets 86  bytes 6244 (6.0 KiB)
        TX errors 7  dropped 0 overruns 0  carrier 0  collisions 0
```

`# cat /etc/wireguard/wg0.conf`

```
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 1194
PrivateKey = IJTTRAA7yHuiT4dCco7LgVCMpxplM43fgBa/LwPjQXg=
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = eq6igMfkwk8oKdpqsQSbGlaOIWIXyqYLi2Q60FK0E00=
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
PresharedKey = 8qYmRTAo+wVKhIzYYyvA+AFqD7oAveGs5LSa8UVA694=
```

----------

## mustang01

How to unlock ping from the WAN port?

`# sudo iptables -L`

```
Hasło: 
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROPPERM   all  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:SYN,ACK/ACK
DROPFLOOD  icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  192.168.0.0/27       anywhere
ACCEPT     all  --  192.168.1.0/30       anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
ACCEPT     udp  --  anywhere             anywhere             udp spt:ntp
ACCEPT     tcp  --  192.168.0.0/27       anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  192.168.1.0/30       anywhere             tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8885 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:18081 flags:FIN,SYN,RST,ACK/SYN

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:SYN,ACK/ACK
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST
ACCEPT     all  --  192.168.0.0/27       anywhere
ACCEPT     all  --  192.168.0.0/27       anywhere
ACCEPT     all  --  192.168.1.0/30       anywhere
ACCEPT     all  --  192.168.1.0/30       anywhere
ACCEPT     all  --  192.168.0.0/27       192.168.1.0/30
ACCEPT     all  --  192.168.1.0/30       192.168.0.0/27
ACCEPT     udp  --  anywhere             192.168.0.0/27       udp spt:domain
ACCEPT     udp  --  anywhere             192.168.0.0/27       udp spt:ntp
ACCEPT     udp  --  anywhere             192.168.1.0/30       udp spt:domain
ACCEPT     udp  --  anywhere             192.168.1.0/30       udp spt:ntp

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.0.0/27
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     udp  --  192.168.0.0/27       anywhere
ACCEPT     all  --  anywhere             192.168.1.0/30
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     udp  --  192.168.1.0/30       anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROPSPOOF  all  --  anywhere             anywhere

Chain DEBUG (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level error prefix "DEBUG: "

Chain DROPFLOOD (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain DROPGEN (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain DROPINVAL (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain DROPPERM (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain DROPSPOOF (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain REJECTPERM (0 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-net-unreachable
```

----------

## mustang01

My current configuration. I unblocked port 1194 for the VPN tunnel. The connection to the WireGuard server is working.

```
sudo load_balance.pl  -d
echo 0 > /proc/sys/net/ipv4/ip_forward
## Including rules from /etc/balance/pre-run/pre-run-script.pl ##
## Finished /etc/balance/pre-run/pre-run-script.pl ##
ip route flush all
ip rule flush
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
ip route flush table  1
ip route flush table  2
ip route add  192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add  83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add  192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add  192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip route add default scope global nexthop via 83.1.4.248 dev ppp0 weight 1 nexthop via 192.168.2.1 dev enp5s0 weight 1
ip route add table 1 default dev enp5s0 via 192.168.2.1
ip route add table 1 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 1 83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add table 1 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 1 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 192.168.2.2 table 1
ip rule add fwmark 1 table 1
ip route add table 2 default dev ppp0 via 83.1.4.248
ip route add table 2 192.168.2.0/24 dev enp5s0 src 192.168.2.2
ip route add table 2 83.1.4.248/32 dev ppp0 src 83.23.86.188
ip route add table 2 192.168.0.0/27 dev enp1s0 src 192.168.0.1
ip route add table 2 192.168.1.0/30 dev enp6s0.2 src 192.168.1.2
ip rule add from 83.23.86.188 table 2
ip rule add fwmark 2 table 2
## Including rules from /etc/balance/routes/01.local_routes ##
# enter any routing commands you might want to go in
# for example:
# ip route add 192.168.100.1 dev eth0 src 198.162.1.14
## Finished /etc/balance/routes/01.local_routes ##
## Including rules from /etc/balance/routes/02.local_routes.pl ##
## Finished /etc/balance/routes/02.local_routes.pl ##
## Including rules from /etc/balance/routes/03.noip.conf ##
ip rule add ipproto UDP dport 7777 table 2
ip rule add to 176.9.5.77 table 2
## Finished /etc/balance/routes/03.noip.conf ##
iptables -F
iptables -X
iptables -t nat    -F
iptables -t nat    -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT    DROP
iptables -P OUTPUT   DROP
iptables -P FORWARD  DROP
iptables -N REJECTPERM
iptables -A REJECTPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "REJECTED: "
iptables -A REJECTPERM -j REJECT --reject-with icmp-net-unreachable
iptables -N DROPGEN
iptables -A DROPGEN -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "GENERAL: "
iptables -A DROPGEN -j DROP
iptables -N DROPINVAL
iptables -A DROPINVAL -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "INVALID: "
iptables -A DROPINVAL -j DROP
iptables -N DROPPERM
iptables -A DROPPERM -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "ACCESS-DENIED: "
iptables -A DROPPERM -j DROP
iptables -N DROPSPOOF
iptables -A DROPSPOOF -j LOG -m limit --limit 1/minute --log-level 4 --log-prefix "DROP-SPOOF: "
iptables -A DROPSPOOF -j DROP
iptables -N DROPFLOOD
iptables -A DROPFLOOD -m limit --limit 1/minute  -j LOG --log-level 4 --log-prefix "DROP-FLOOD: "
iptables -A DROPFLOOD -j DROP
iptables -N DEBUG
iptables -A DEBUG  -j LOG --log-level 3 --log-prefix "DEBUG: "
iptables -t mangle -N MARK-CABLE
iptables -t mangle -A MARK-CABLE -j MARK     --set-mark 1
iptables -t mangle -A MARK-CABLE -j CONNMARK --save-mark
iptables -t mangle -N MARK-DSL
iptables -t mangle -A MARK-DSL -j MARK     --set-mark 2
iptables -t mangle -A MARK-DSL -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp1s0 -s 192.168.0.0/27 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 1 -j MARK-DSL
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp6s0.2 -s 192.168.1.0/30 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate NEW -j MARK-CABLE
iptables -t mangle -A PREROUTING -i enp5s0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate NEW -j MARK-DSL
iptables -t mangle -A PREROUTING -i ppp0 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j DROPPERM
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK ACK -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROPFLOOD
iptables -A INPUT   -i enp1s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT  -o enp1s0 -d 192.168.0.0/27  -j ACCEPT
iptables -A OUTPUT  -o enp1s0 -d 255.255.255.255/32  -j ACCEPT
iptables -A OUTPUT  -p udp -s 192.168.0.0/27 -j ACCEPT
iptables -A INPUT   -i enp6s0.2 -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT  -o enp6s0.2 -d 192.168.1.0/30  -j ACCEPT
iptables -A OUTPUT  -o enp6s0.2 -d 255.255.255.255/32  -j ACCEPT
iptables -A OUTPUT  -p udp -s 192.168.1.0/30 -j ACCEPT
iptables -A OUTPUT -o enp5s0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A OUTPUT -o wg0 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp5s0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o ppp0 -s 192.168.0.0/27 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp5s0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o ppp0 -s 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp1s0 -o enp6s0.2 -s 192.168.0.0/27 -d 192.168.1.0/30 -j ACCEPT
iptables -A FORWARD -i enp6s0.2 -o enp1s0 -s 192.168.1.0/30 -d 192.168.0.0/27 -j ACCEPT
iptables -A OUTPUT  -j DROPSPOOF
iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Including rules from /etc/balance/firewall/01.accept ##
## This file contains iptables statements that add additional firewall rules
# allow incoming domain packets -- needed for DNS resolution
iptables -A INPUT   -p udp --source-port domain -j ACCEPT
# allow incoming NTP packets -- needed for net time protocol
iptables -A INPUT   -p udp --source-port ntp -j ACCEPT
## Finished /etc/balance/firewall/01.accept ##

## Including rules from /etc/balance/firewall/01.accept.pl ##

iptables -A INPUT -p tcp -s 192.168.0.0/27 --syn --dport ssh -j ACCEPT

iptables -A INPUT -p tcp -s 192.168.1.0/30 --syn --dport ssh -j ACCEPT

## Finished /etc/balance/firewall/01.accept.pl ##

## Including rules from /etc/balance/firewall/02.forward.pl ##

iptables -A FORWARD -p udp --source-port domain -d 192.168.0.0/27 -j ACCEPT

iptables -A FORWARD -p udp --source-port ntp    -d 192.168.0.0/27 -j ACCEPT

iptables -A FORWARD -p udp --source-port domain -d 192.168.1.0/30 -j ACCEPT

iptables -A FORWARD -p udp --source-port ntp    -d 192.168.1.0/30 -j ACCEPT

## Finished /etc/balance/firewall/02.forward.pl ##

## Including rules from /etc/balance/firewall/04.webserver.conf ##

iptables -A INPUT -p tcp --syn --dport 8885  -j ACCEPT

iptables -A INPUT -p tcp --syn --dport 18081 -j ACCEPT

## Finished /etc/balance/firewall/04.webserver.conf ##

## Including rules from /etc/balance/firewall/99.vpn.pl ##

iptables -I INPUT -p udp --dport 1194 -j ACCEPT

iptables -I INPUT -p tcp --dport 1194 -j ACCEPT

iptables -I INPUT  -i wg0 -j ACCEPT

iptables -I OUTPUT -o wg0 -j ACCEPT

iptables -I FORWARD -i wg0 -o enp1s0 -j ACCEPT

iptables -I FORWARD -o wg0 -i enp1s0 -j ACCEPT

iptables -I FORWARD -i wg0 -o enp6s0.2 -j ACCEPT

iptables -I FORWARD -o wg0 -i enp6s0.2 -j ACCEPT

## Finished /etc/balance/firewall/99.vpn.pl ##

echo 1 > /proc/sys/net/ipv4/ip_forward

## Including rules from /etc/balance/post-run/post-run-script.pl ##

## Finished /etc/balance/post-run/post-run-script.pl ##

lsm process killed

Starting lsm link status monitoring daemon

```

----------

## mustang01

I created a script in the /etc/balance/post-run directory containing:

```
# remove the rule that sends echo-requests beyond the 1/s limit to DROPFLOOD
iptables -D INPUT -p icmp --icmp-type echo-request -j DROPFLOOD

# accept the echo-requests that the rate-limited ACCEPT rule did not already take
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
```


Pings are working, thank you for helping the script author.
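To see what the post-run script changes, here is an added illustration (not code from the thread or from the balance scripts): a token-bucket model of the `-m limit --limit 1/s` rule from the generated INPUT chain, with the module's default burst of 5, run over a constructed burst of ten echo-requests 0.2 s apart. The `before` ruleset is the generated pair (rate-limited ACCEPT, then DROPFLOOD); `after` is the same chain once DROPFLOOD is deleted and the plain ACCEPT appended.

```shell
#!/bin/sh
# Added example: emulate how the INPUT chain decides ICMP echo-requests
# before and after the post-run script. Times are tenths of a second so the
# arithmetic stays integer; xt_limit's bucket starts full (5 tokens).

# Constructed sample: ten echo-requests 0.2 s apart (like "ping -i 0.2").
PING_TIMES="0 2 4 6 8 10 12 14 16 18"

# verdicts RULESET T1 T2 ...: one verdict per packet, space separated.
# RULESET is "before" (limit ACCEPT, then DROPFLOOD) or "after"
# (limit ACCEPT, then unconditional ACCEPT).
verdicts() {
  ruleset=$1; shift
  refill_per_tenth=1   # 10 units per second = one token (10 units) per second
  burst=50             # --limit-burst 5 (default), scaled by 10
  tokens=$burst
  prev=0
  out=
  for t in "$@"; do
    # refill since the previous packet, capped at the burst size
    tokens=$((tokens + (t - prev) * refill_per_tenth))
    if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
    prev=$t
    if [ "$tokens" -ge 10 ]; then
      tokens=$((tokens - 10))
      v=ACCEPT              # matched "-m limit --limit 1/s -j ACCEPT"
    elif [ "$ruleset" = before ]; then
      v=DROPFLOOD           # fell through to DROPFLOOD (rate-limited LOG, then DROP)
    else
      v=ACCEPT              # fell through to the appended ACCEPT
    fi
    out="$out${out:+ }$v"
  done
  echo "$out"
}

# count_dropped RULESET: how many of the sample packets DROPFLOOD would drop.
count_dropped() {
  # shellcheck disable=SC2086
  verdicts "$1" $PING_TIMES |
    awk '{ n = 0; for (i = 1; i <= NF; i++) if ($i == "DROPFLOOD") n++; print n }'
}

# shellcheck disable=SC2086
echo "before: $(verdicts before $PING_TIMES)"
# shellcheck disable=SC2086
echo "after:  $(verdicts after $PING_TIMES)"
```

With the generated rules, the first six packets drain the bucket and the remaining four land in DROPFLOOD; after the post-run change all ten are accepted, which is the trade-off the fix makes.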

----------

