Got it. Thanks alot.
I am trying to understand those firewall rules, but I'm not there yet. Maybe after you sleep, you can tell me the high level concept.
Thanks again.
Well, I am by no means an expert at iptables. I learn as I go and I use Mr. Google a lot.
I use this link quite a bit. The pictorial representation in the link that shows the flow of network traffic through the router and how each of the tables and chains are work is my main goto when I have to figure out where to start.
The Linux kernel comes with a packet filtering framework named netfilter. It allows you to allow, drop and modify traffic leaving in and out of a system. A tool, iptables builds upon this functionality to
www.booleanworld.com
The
start_wg1.sh
script should probably be renamed
restart_wg1.sh
as the the script actually tears down the wireguard interface first, if it exists, then rebuilds the interface. The script then deletes all the related firewall rules, if they exist (the -D option in the iptables commands), then re-adds the firewall rules (the -I option).
Since we do not know when nat-start gets called and if the router wipes the iptables rules with each call, we need to delete the rules first. If we did not, and the router did not rebuild its firewall rules, we would end up duplicate rule entries. Over the course of many months between router restarts, the list of rules would grow massive and tie the router up in knots working each packet through the list of rules.
The various iptables rules are there to allow the router to accept wireguard traffic and to allow the wireguard traffic to be forwarded so that you can talk to your lan. That is the INPUT, FORWARD, and OUTPUT chains of the "filter" table. Note, if you don't specify a table in the iptables command (-t option), then the "filter table is used.
The mangle table rules is where you can "alter" the packets. Here we are clamping the packets so that their size does not exceed our MTU (badly explained here, hope you get the jist) and also to mark the packets so that they bypass the router's hardware nat-acceleration as wireguard does not play well with nat-acceleration. Lots of forum discussion as to rather or not the marking is required or not now adays. Back in 2018 when the first wireguard kernel module came to the AC86U via a form member, this was required. Now, with later firmware versions, it was been reported that it is not required by some routers (such as the AC86U) and some say that the marks don't work anymore at all. If marking the inbound packets don't work and you find your wireguard throughput is in the dumpster, you are left with having to disable nat-acceleration altogether , but that creates other issues if your ISP speed is above 300mbits/s. You really just have to experiment with leaving these lines in or out. Some router functions, when set, disables nat-acceleration anyway. Also, the latest alpha and beta firmware have ASUS upsteam fixes that does the bypassing for you. In deed, you should soon be able to remove these marking rules altogether.
The last rule is to add a rule to the PREROUTING chain of the NAT table to allow inbound packets to reach the FORWARD chain of the filer table.
For clarity, here is the flow picture from the link I posted above;
Hope this helps.