I need to set up the base for my local network 10.10.0.0/16. I'm stuck with such an initial config:
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 127.0.1.0/8 scope host secondary lo
       valid_lft forever preferred_lft forever
2: main: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:28 brd ff:ff:ff:ff:ff:ff
    inet 10.10.254.1/16 metric 5 brd 10.10.255.255 scope global noprefixroute main
       valid_lft forever preferred_lft forever
3: enp3s0f1: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:2a brd ff:ff:ff:ff:ff:ff
4: lan: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:60 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.254/16 brd 10.10.255.255 scope global noprefixroute lan
       valid_lft forever preferred_lft forever
    inet 10.10.0.253/16 brd 10.10.255.255 scope global secondary noprefixroute lan
       valid_lft forever preferred_lft forever
5: wan: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:62 brd ff:ff:ff:ff:ff:ff
    inet 10.11.0.11/24 brd 10.11.0.255 scope global noprefixroute wan
       valid_lft forever preferred_lft forever
default via 10.11.0.254 dev wan table wan
10.11.0.0/24 dev wan table wan proto static scope link src 10.11.0.11 metric 10
default via 10.10.0.254 dev lan table lan
10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.254 metric 3
10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.253 metric 4
10.10.0.0/16 dev main proto static scope link src 10.10.254.1 metric 5
local 10.10.0.253 dev lan table local proto kernel scope host src 10.10.0.254
local 10.10.0.254 dev lan table local proto kernel scope host src 10.10.0.254
local 10.10.254.1 dev main table local proto kernel scope host src 10.10.254.1
broadcast 10.10.255.255 dev lan table local proto kernel scope link src 10.10.0.254
broadcast 10.10.255.255 dev main table local proto kernel scope link src 10.10.254.1
local 10.11.0.11 dev wan table local proto kernel scope host src 10.11.0.11
broadcast 10.11.0.255 dev wan table local proto kernel scope link src 10.11.0.11
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.1.0 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
0: from all lookup local
50: from 10.10.254.1 lookup main
100: from all to 10.10.0.0/16 lookup lan
200: from 10.11.0.11/24 lookup wan
300: from all lookup wan
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep 4 21:17:39 2024
*mangle
:PREROUTING ACCEPT [1239580:605755216]
:INPUT ACCEPT [378113:49258598]
:FORWARD ACCEPT [802997:543796066]
:OUTPUT ACCEPT [319027:35084380]
:POSTROUTING ACCEPT [1121729:578854744]
:ALL_MARK - [0:0]
:ALL_MARK_BASE - [0:0]
:LAN_MARK - [0:0]
:LAN_MARK_BASE - [0:0]
:WAN_MARK - [0:0]
:WAN_MARK_BASE - [0:0]
COMMIT
# Completed on Wed Sep 4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep 4 21:17:39 2024
*raw
:PREROUTING ACCEPT [1239580:605755216]
:OUTPUT ACCEPT [319027:35084380]
COMMIT
# Completed on Wed Sep 4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep 4 21:17:39 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [319027:35084380]
:CONTINUE - [0:0]
:LOG_ACCEPT_FILTER_FORWARD - [0:0]
:LOG_DROP_FILTER_FORWARD - [0:0]
:LOG_DROP_FILTER_INPUT - [0:0]
:LOG_DROP_FILTER_OUTPUT - [0:0]
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p tcp -m tcp --dport 222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p udp -m udp --dport 222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -f -j DROP
-A INPUT -i lan -m conntrack --ctstate INVALID -j DROP
-A INPUT -i wan -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lan -m conntrack --ctstate UNTRACKED -j CONTINUE
-A INPUT -i wan -m conntrack --ctstate UNTRACKED -j CONTINUE
-A INPUT -i lan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.254/32 -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lan -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lan -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 172.64.36.1/32 -i wan -p tcp -m tcp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.1/32 -i wan -p udp -m udp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.2/32 -i wan -p tcp -m tcp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.2/32 -i wan -p udp -m udp --sport 853 -j ACCEPT
-A INPUT -i lan -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i lan -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j LOG_DROP_FILTER_INPUT
-A FORWARD -i main -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o main -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wan -o lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -o wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p udp -m udp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i lan -o wan -m conntrack --ctstate NEW -j CONTINUE
-A FORWARD -j LOG_DROP_FILTER_FORWARD
-A CONTINUE -j RETURN
-A LOG_ACCEPT_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-accepted]:" --nflog-group 23
-A LOG_ACCEPT_FILTER_FORWARD -j ACCEPT
-A LOG_DROP_FILTER_FORWARD -i main -j NFLOG --nflog-prefix "[fFWDd-main]:" --nflog-group 30
-A LOG_DROP_FILTER_FORWARD -i lan -j NFLOG --nflog-prefix "[fFWDd-lan]:" --nflog-group 32
-A LOG_DROP_FILTER_FORWARD -i wan -j NFLOG --nflog-prefix "[fFWDd-wan]:" --nflog-group 33
-A LOG_DROP_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-drop]:" --nflog-group 22
-A LOG_DROP_FILTER_FORWARD -j DROP
-A LOG_DROP_FILTER_INPUT -j NFLOG --nflog-prefix "[filter-IN-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_INPUT -j NFLOG --nflog-prefix "[filter-IN-drop]:" --nflog-group 20
-A LOG_DROP_FILTER_INPUT -j DROP
-A LOG_DROP_FILTER_OUTPUT -j NFLOG --nflog-prefix "[filter-OUT-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_OUTPUT -j NFLOG --nflog-prefix "[filter-OUT-drop]:" --nflog-group 21
-A LOG_DROP_FILTER_OUTPUT -j DROP
COMMIT
# Completed on Wed Sep 4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep 4 21:17:39 2024
*nat
:PREROUTING ACCEPT [133812:27567189]
:INPUT ACCEPT [5148:716974]
:OUTPUT ACCEPT [8458:1549031]
:POSTROUTING ACCEPT [6386:1419831]
:DNS_DNAT_LS_ND - [0:0]
:DNS_DNAT_NS_LD - [0:0]
:DNS_DNAT_NS_ND - [0:0]
-A POSTROUTING -s 10.10.0.0/16 -o main -j SNAT --to-source 10.10.254.1
-A POSTROUTING -s 10.10.0.254/32 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
-A POSTROUTING -s 10.10.0.253/32 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
COMMIT
# Completed on Wed Sep 4 21:17:39 2024
net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_evict_nocarrier = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.drop_gratuitous_arp = 0
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.all.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.all.ignore_routes_with_linkdown = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.tag = 0
net.ipv4.conf.default.accept_local = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_evict_nocarrier = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_notify = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.default.disable_policy = 0
net.ipv4.conf.default.disable_xfrm = 0
net.ipv4.conf.default.drop_gratuitous_arp = 0
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.default.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.default.ignore_routes_with_linkdown = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.medium_id = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.default.route_localnet = 0
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.shared_media = 1
net.ipv4.conf.default.src_valid_mark = 0
net.ipv4.conf.default.tag = 0
net.ipv4.conf.enp3s0f1.accept_local = 0
net.ipv4.conf.enp3s0f1.accept_redirects = 1
net.ipv4.conf.enp3s0f1.accept_source_route = 0
net.ipv4.conf.enp3s0f1.arp_accept = 0
net.ipv4.conf.enp3s0f1.arp_announce = 0
net.ipv4.conf.enp3s0f1.arp_evict_nocarrier = 1
net.ipv4.conf.enp3s0f1.arp_filter = 0
net.ipv4.conf.enp3s0f1.arp_ignore = 0
net.ipv4.conf.enp3s0f1.arp_notify = 0
net.ipv4.conf.enp3s0f1.bc_forwarding = 0
net.ipv4.conf.enp3s0f1.bootp_relay = 0
net.ipv4.conf.enp3s0f1.disable_policy = 0
net.ipv4.conf.enp3s0f1.disable_xfrm = 0
net.ipv4.conf.enp3s0f1.drop_gratuitous_arp = 0
net.ipv4.conf.enp3s0f1.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.enp3s0f1.force_igmp_version = 0
net.ipv4.conf.enp3s0f1.forwarding = 1
net.ipv4.conf.enp3s0f1.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.enp3s0f1.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.enp3s0f1.ignore_routes_with_linkdown = 0
net.ipv4.conf.enp3s0f1.log_martians = 0
net.ipv4.conf.enp3s0f1.mc_forwarding = 0
net.ipv4.conf.enp3s0f1.medium_id = 0
net.ipv4.conf.enp3s0f1.promote_secondaries = 1
net.ipv4.conf.enp3s0f1.proxy_arp = 0
net.ipv4.conf.enp3s0f1.proxy_arp_pvlan = 0
net.ipv4.conf.enp3s0f1.route_localnet = 0
net.ipv4.conf.enp3s0f1.rp_filter = 2
net.ipv4.conf.enp3s0f1.secure_redirects = 1
net.ipv4.conf.enp3s0f1.send_redirects = 1
net.ipv4.conf.enp3s0f1.shared_media = 1
net.ipv4.conf.enp3s0f1.src_valid_mark = 0
net.ipv4.conf.enp3s0f1.tag = 0
net.ipv4.conf.lan.accept_local = 0
net.ipv4.conf.lan.accept_redirects = 1
net.ipv4.conf.lan.accept_source_route = 0
net.ipv4.conf.lan.arp_accept = 0
net.ipv4.conf.lan.arp_announce = 0
net.ipv4.conf.lan.arp_evict_nocarrier = 1
net.ipv4.conf.lan.arp_filter = 1
net.ipv4.conf.lan.arp_ignore = 1
net.ipv4.conf.lan.arp_notify = 0
net.ipv4.conf.lan.bc_forwarding = 0
net.ipv4.conf.lan.bootp_relay = 0
net.ipv4.conf.lan.disable_policy = 0
net.ipv4.conf.lan.disable_xfrm = 0
net.ipv4.conf.lan.drop_gratuitous_arp = 0
net.ipv4.conf.lan.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.lan.force_igmp_version = 0
net.ipv4.conf.lan.forwarding = 1
net.ipv4.conf.lan.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.lan.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.lan.ignore_routes_with_linkdown = 0
net.ipv4.conf.lan.log_martians = 0
net.ipv4.conf.lan.mc_forwarding = 0
net.ipv4.conf.lan.medium_id = 0
net.ipv4.conf.lan.promote_secondaries = 1
net.ipv4.conf.lan.proxy_arp = 0
net.ipv4.conf.lan.proxy_arp_pvlan = 0
net.ipv4.conf.lan.route_localnet = 0
net.ipv4.conf.lan.rp_filter = 1
net.ipv4.conf.lan.secure_redirects = 1
net.ipv4.conf.lan.send_redirects = 1
net.ipv4.conf.lan.shared_media = 1
net.ipv4.conf.lan.src_valid_mark = 0
net.ipv4.conf.lan.tag = 0
net.ipv4.conf.lo.accept_local = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.lo.arp_announce = 1
net.ipv4.conf.lo.arp_evict_nocarrier = 1
net.ipv4.conf.lo.arp_filter = 1
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_notify = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.disable_policy = 1
net.ipv4.conf.lo.disable_xfrm = 1
net.ipv4.conf.lo.drop_gratuitous_arp = 0
net.ipv4.conf.lo.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.lo.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.lo.ignore_routes_with_linkdown = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.promote_secondaries = 1
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.lo.route_localnet = 0
net.ipv4.conf.lo.rp_filter = 2
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.src_valid_mark = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.conf.main.accept_local = 0
net.ipv4.conf.main.accept_redirects = 1
net.ipv4.conf.main.accept_source_route = 0
net.ipv4.conf.main.arp_accept = 0
net.ipv4.conf.main.arp_announce = 0
net.ipv4.conf.main.arp_evict_nocarrier = 1
net.ipv4.conf.main.arp_filter = 1
net.ipv4.conf.main.arp_ignore = 1
net.ipv4.conf.main.arp_notify = 0
net.ipv4.conf.main.bc_forwarding = 0
net.ipv4.conf.main.bootp_relay = 0
net.ipv4.conf.main.disable_policy = 0
net.ipv4.conf.main.disable_xfrm = 0
net.ipv4.conf.main.drop_gratuitous_arp = 0
net.ipv4.conf.main.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.main.force_igmp_version = 0
net.ipv4.conf.main.forwarding = 1
net.ipv4.conf.main.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.main.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.main.ignore_routes_with_linkdown = 0
net.ipv4.conf.main.log_martians = 0
net.ipv4.conf.main.mc_forwarding = 0
net.ipv4.conf.main.medium_id = 0
net.ipv4.conf.main.promote_secondaries = 1
net.ipv4.conf.main.proxy_arp = 0
net.ipv4.conf.main.proxy_arp_pvlan = 0
net.ipv4.conf.main.route_localnet = 0
net.ipv4.conf.main.rp_filter = 1
net.ipv4.conf.main.secure_redirects = 1
net.ipv4.conf.main.send_redirects = 1
net.ipv4.conf.main.shared_media = 1
net.ipv4.conf.main.src_valid_mark = 0
net.ipv4.conf.main.tag = 0
net.ipv4.conf.wan.accept_local = 0
net.ipv4.conf.wan.accept_redirects = 1
net.ipv4.conf.wan.accept_source_route = 0
net.ipv4.conf.wan.arp_accept = 0
net.ipv4.conf.wan.arp_announce = 0
net.ipv4.conf.wan.arp_evict_nocarrier = 1
net.ipv4.conf.wan.arp_filter = 1
net.ipv4.conf.wan.arp_ignore = 1
net.ipv4.conf.wan.arp_notify = 0
net.ipv4.conf.wan.bc_forwarding = 0
net.ipv4.conf.wan.bootp_relay = 0
net.ipv4.conf.wan.disable_policy = 0
net.ipv4.conf.wan.disable_xfrm = 0
net.ipv4.conf.wan.drop_gratuitous_arp = 0
net.ipv4.conf.wan.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.wan.force_igmp_version = 0
net.ipv4.conf.wan.forwarding = 1
net.ipv4.conf.wan.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.wan.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.wan.ignore_routes_with_linkdown = 0
net.ipv4.conf.wan.log_martians = 0
net.ipv4.conf.wan.mc_forwarding = 0
net.ipv4.conf.wan.medium_id = 0
net.ipv4.conf.wan.promote_secondaries = 1
net.ipv4.conf.wan.proxy_arp = 0
net.ipv4.conf.wan.proxy_arp_pvlan = 0
net.ipv4.conf.wan.route_localnet = 0
net.ipv4.conf.wan.rp_filter = 1
net.ipv4.conf.wan.secure_redirects = 1
net.ipv4.conf.wan.send_redirects = 1
net.ipv4.conf.wan.shared_media = 1
net.ipv4.conf.wan.src_valid_mark = 0
net.ipv4.conf.wan.tag = 0
BINDINGS
10.10.0.254 .253 – unbound (lan clients' DNS)
lan – kea dhcp4/ddns
127.0.1.0 – bind0 (lan ddns/resolver)
DON'T ASK ME WHY THE IPTABLES RULES ARE FOR .. – mainly to see where the traffic goes
I WANT TO DO TRAFFIC SHAPING VIA NFTABLES [filter] IN/OUT/FORWARD FOR SERVER AND CLIENTS, add some mangling with base markings to be able to look at conntrack or tcpdump traffic and see what's going on…
LATER DO MORE ADVANCED SCENARIOS – VLANS / SUB-SUBNETS, DYNAMIC ROUTING, TUNNELING
The setup must also handle the dummy d0 10.100.100.100/16 [respond by its own IP on lan – not by lan-attached IPs], a dummy for clients – removed to make the base work as expected.
ip route get 1.1.1.1 from 10.11.0.11
1.1.1.1 from 10.11.0.11 via 10.11.0.254 dev wan table wan uid 0
ip route get 1.1.1.1 from 10.10.0.254
1.1.1.1 from 10.10.0.254 via 10.11.0.254 dev wan table wan uid 0
ip route get 1.1.1.1 from 10.10.254.1
1.1.1.1 from 10.10.254.1 via 10.11.0.254 dev wan table wan uid 0
cache
ip route get 10.10.0.254 from 10.10.254.1
local 10.10.0.254 from 10.10.254.1 dev lo table local uid 0
cache
ip route get 10.10.0.254 from 10.11.0.11
local 10.10.0.254 from 10.11.0.11 dev lo table local uid 0
cache
ip route get 10.10.254.1 from 10.11.0.11
local 10.10.254.1 from 10.11.0.11 dev lo table local uid 0
cache
PROBLEM
1. - OK
$ ping 1.1.1.1 -c 1 -I wan
PING 1.1.1.1 (1.1.1.1) from 10.11.0.11 wan: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=52 time=52.4 ms
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 52.449/52.449/52.449/0.000 ms
2. 3. 4. - NOK
$ ping 1.1.1.1 -c 1 -I lan
PING 1.1.1.1 (1.1.1.1) from 10.10.0.254 lan: 56(84) bytes of data.
From 10.10.0.254 icmp_seq=1 Destination Host Unreachable
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
ping 1.1.1.1 -c 1 -I lan -B 10.10.0.254
PING 10.10.0.254 (10.10.0.254) from 10.10.0.254 lan: 56(124) bytes of data.
--- 10.10.0.254 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
ping 1.1.1.1 -c 1 -I wan -B 10.11.0.11
PING 10.11.0.11 (10.11.0.11) from 10.11.0.11 wan: 56(124) bytes of data.
--- 10.11.0.11 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
I've tried to mark packets in mangle OUTPUT and then add a rule, but this doesn't work either. Can somebody correct my solution so that it will work?
Some topology-related information:
MAINSERVER - d0
/ |
wan lan main wan2 Rap )) (( Cx
| / /
R Sstp L3 ---- Sstp L2- Cx
| /
R Cx Rap )) Cx
|
www
Strict Reverse Path Filtering on Main Interface – ensures that main only handles traffic that's really meant for it, preventing it from responding to packets meant for lan; traffic meant for the LAN network needs to be routed via lan with no interference from main.
10.11.0.11 10.10.0.252/31 10.10.254.1 10.10.254.2
IN/OUT IN/OUT IN/OUT IN/OUT
| | | |
| FORWARD | | |
main --------- lan main enp(unused but - WAN SEC?)
| | | |
| -----SWITCH ------------SWITCH--------
10.11.0.0/24 10.10.10.254 /
| /
0.0.0.0/0 10.10.0.0/16
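To reason about why the `ip route get` queries and the `ping -I lan` test above come out the way they do, here is a small policy-routing lookup simulator. It is an added example written for this post, not the poster's own code or any tool's output: it walks the `ip rule` list in priority order and does a longest-prefix lookup in the route tables exactly as copied from the post, with optional `from`, `to`, `fwmark` and bound-device (`oif`) selectors. The fwmark rule inside `demo_fwmark_rule()` is hypothetical, added only to show where a mark-based rule would slot into the ordering.

```python
"""Policy-routing lookup simulator for the rules/tables in the post (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(s: str) -> ipaddress.IPv4Network:
    # strict=False so "10.11.0.11/24" (as typed in rule 200) becomes
    # 10.11.0.0/24, which is what the kernel actually matches on.
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None
    scope: str = "link"   # "host" = local-table entry, delivered on lo
    metric: int = 0


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # "from" selector
    dst: Optional[ipaddress.IPv4Network] = None   # "to" selector
    fwmark: Optional[int] = None
    oif: Optional[str] = None


# Route tables as shown by `ip route show table all` in the post.
TABLES = {
    "local": [
        Route(net("10.10.0.253/32"), "lan", scope="host"),
        Route(net("10.10.0.254/32"), "lan", scope="host"),
        Route(net("10.10.254.1/32"), "main", scope="host"),
        Route(net("10.11.0.11/32"), "wan", scope="host"),
        Route(net("127.0.0.0/8"), "lo", scope="host"),
    ],
    "main": [Route(net("10.10.0.0/16"), "main", metric=5)],
    "lan": [
        Route(net("0.0.0.0/0"), "lan", via="10.10.0.254"),
        Route(net("10.10.0.0/16"), "lan", metric=3),
        Route(net("10.10.0.0/16"), "lan", metric=4),
    ],
    "wan": [
        Route(net("0.0.0.0/0"), "wan", via="10.11.0.254"),
        Route(net("10.11.0.0/24"), "wan", metric=10),
    ],
}

# `ip rule` as posted.
RULES = [
    Rule(0, "local"),
    Rule(50, "main", src=net("10.10.254.1/32")),
    Rule(100, "lan", dst=net("10.10.0.0/16")),
    Rule(200, "wan", src=net("10.11.0.11/24")),
    Rule(300, "wan"),
]


def lookup_table(table: str, dst: ipaddress.IPv4Address, oif: Optional[str]) -> Optional[Route]:
    """Longest-prefix match in one table, lowest metric on ties. With oif set
    (socket bound to a device, e.g. ping -I lan) only routes on that device count."""
    best = None
    for r in TABLES[table]:
        if dst not in r.prefix or (oif and r.dev != oif):
            continue
        if best is None or (r.prefix.prefixlen, -r.metric) > (best.prefix.prefixlen, -best.metric):
            best = r
    return best


def route_get(dst, src=None, fwmark=0, oif=None, rules=RULES):
    """Walk the rules by priority; the first table that yields a route wins.
    Returns None when no rule produces a route."""
    dst_ip = ipaddress.ip_address(dst)
    src_ip = ipaddress.ip_address(src) if src else None   # None = unbound source (0.0.0.0)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and (src_ip is None or src_ip not in rule.src):
            continue
        if rule.dst is not None and dst_ip not in rule.dst:
            continue
        if rule.fwmark is not None and fwmark != rule.fwmark:
            continue
        if rule.oif is not None and oif != rule.oif:
            continue
        r = lookup_table(rule.table, dst_ip, oif)
        if r is not None:
            return {"prio": rule.prio, "table": rule.table,
                    "dev": "lo" if r.scope == "host" else r.dev, "via": r.via}
    return None


def demo_fwmark_rule():
    """Hypothetical rule (not in the post): priority 90, packets marked 0x10 use table lan."""
    rules = [Rule(90, "lan", fwmark=0x10)] + RULES
    return route_get("1.1.1.1", "10.10.0.254", fwmark=0x10, rules=rules)


if __name__ == "__main__":
    for q in [("1.1.1.1", "10.11.0.11"), ("1.1.1.1", "10.10.0.254"), ("1.1.1.1", "10.10.254.1"),
              ("10.10.0.254", "10.10.254.1"), ("10.10.0.1", "10.10.254.1"), ("10.10.0.1", "10.10.0.254")]:
        print(q, route_get(*q))
    print("1.1.1.1 bound to lan:", route_get("1.1.1.1", oif="lan"))
    print("marked 0x10:", demo_fwmark_rule())
```

The three `1.1.1.1` queries all land in table wan, matching the posted output: from 10.11.0.11 through rule 200, from 10.10.0.254 through the catch-all rule 300, and from 10.10.254.1 also through rule 300, because rule 50 sends it to table main, which only holds 10.10.0.0/16 and so produces no route for 1.1.1.1. For `ping -I lan` the socket is bound to lan with no source yet, so rules 50 and 200 cannot match and rule 300 offers only a route on wan; the simulator returns None. On a real kernel the bound-device case then falls back to assuming the destination is on-link for that device, so ping ARPs for 1.1.1.1 on lan and reports Destination Host Unreachable rather than Network Unreachable. The fwmark demo shows that a mark rule only changes which table is consulted: marked traffic is steered to table lan, whose default route points at the host's own address 10.10.0.254, so a mark on its own does not give lan a usable path out.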