I have installed ZeroTier on my Asus AX3000 router through Entware. I am able to ping and access the web portal on my router through other remote ZT clients. I now want to set up my network in such a way that all traffic from remote ZT nodes is routed through my ZT on my Asus router.
Can someone please help? I am a complete networking noob.
I don’t know anything about the Asus routers, but here’s some basic instructions:
First thing will be to add a default route in your managed routes. Add:
0.0.0.0/0 via <the ZT IP of your AX3000>
On the remote client, allow the use of a default route if needed. This will be a little different for every system you try to use. I recommend using a phone to do your initial testing, because enabling the default route is generally more straightforward on phones.
After that, the necessary routing will be in place. The unknown for me will be if the traffic is allowed through a firewall and properly NATed. Try those first 2 steps and report back and we’ll go from there.
hi, thanks for replying.
I did try adding the 0.0.0.0/0 via route, however, it does not work.
at this point, I am wondering if the router NAT table needs to be configured, which I know nothing of
If you can SSH into the router, you can try typing “iptables -L” and paste what you have in here.
hi l0crian,
below is my iptables output.
iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 INPUT_PING icmp -- anywhere anywhere icmp echo-request
3 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
4 DROP all -- anywhere anywhere state INVALID
5 PTCSRVWAN all -- anywhere anywhere
6 PTCSRVLAN all -- anywhere anywhere
7 DROP tcp -- anywhere anywhere tcp dpt:5152
8 ACCEPT all -- anywhere anywhere state NEW
9 ACCEPT all -- anywhere anywhere state NEW
10 ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
11 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
12 INPUT_ICMP icmp -- anywhere anywhere
13 WGSI all -- anywhere anywhere
14 WGCI all -- anywhere anywhere
15 OVPNSI all -- anywhere anywhere
16 OVPNCI all -- anywhere anywhere
17 DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 IPSEC_DROP_SUBNET_ICMP all -- anywhere anywhere
2 IPSEC_STRONGSWAN all -- anywhere anywhere
3 TCPMSS tcp -- anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
4 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
5 WGSF all -- anywhere anywhere
6 OVPNSF all -- anywhere anywhere
7 DROP all -- anywhere anywhere
8 DROP all -- anywhere anywhere
9 ACCEPT all -- anywhere anywhere
10 DROP all -- anywhere anywhere state INVALID
11 ACCEPT all -- anywhere anywhere ctstate DNAT
12 WGCF all -- anywhere anywhere
13 OVPNCF all -- anywhere anywhere
14 VPNCF all -- anywhere anywhere
15 ACCEPT all -- anywhere anywhere
16 DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 OUTPUT_DNS udp -- anywhere anywhere udp dpt:domain u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
2 OUTPUT_DNS tcp -- anywhere anywhere tcp dpt:domain u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
3 OUTPUT_IP all -- anywhere anywhere
Chain ACCESS_RESTRICTION (0 references)
num target prot opt source destination
Chain DNSFILTER_DOT (0 references)
num target prot opt source destination
Chain FUPNP (0 references)
num target prot opt source destination
1 ACCEPT udp -- anywhere 192.168.1.2 udp dpt:47999
2 ACCEPT udp -- anywhere 192.168.1.2 udp dpt:48010
3 ACCEPT udp -- anywhere 192.168.1.2 udp dpt:47998
4 ACCEPT udp -- anywhere 192.168.1.2 udp dpt:48000
5 ACCEPT udp -- anywhere 192.168.1.2 udp dpt:48002
6 ACCEPT udp -- anywhere 192.168.1.2 udp dpt:41641
7 ACCEPT udp -- anywhere 192.168.1.2 udp dpt:61751
Chain IControls (0 references)
num target prot opt source destination
Chain INPUT_ICMP (1 references)
num target prot opt source destination
1 RETURN icmp -- anywhere anywhere icmp echo-request
2 RETURN icmp -- anywhere anywhere icmp timestamp-request
3 ACCEPT icmp -- anywhere anywhere
Chain INPUT_PING (1 references)
num target prot opt source destination
1 DROP icmp -- anywhere anywhere
2 DROP icmp -- anywhere anywhere
Chain IPSEC_DROP_SUBNET_ICMP (1 references)
num target prot opt source destination
Chain IPSEC_STRONGSWAN (1 references)
num target prot opt source destination
Chain OUTPUT_DNS (2 references)
num target prot opt source destination
1 logdrop_dns all -- anywhere anywhere STRING match "|10706f697579747975696f706b6a666e6603636f6d00|" ALGO name bm TO 65535 ICASE
2 logdrop_dns all -- anywhere anywhere STRING match "|0d72666a656a6e666a6e65666a6503636f6d00|" ALGO name bm TO 65535 ICASE
3 logdrop_dns all -- anywhere anywhere STRING match "|1131306166646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
4 logdrop_dns all -- anywhere anywhere STRING match "|0f376d667364666173646d6b676d726b03636f6d00|" ALGO name bm TO 65535 ICASE
5 logdrop_dns all -- anywhere anywhere STRING match "|0d386d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
6 logdrop_dns all -- anywhere anywhere STRING match "|0f3966646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
7 logdrop_dns all -- anywhere anywhere STRING match "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" ALGO name bm TO 65535 ICASE
8 logdrop_dns all -- anywhere anywhere STRING match "|086861636b7563647403636f6d00|" ALGO name bm TO 65535 ICASE
9 logdrop_dns all -- anywhere anywhere STRING match "|076c696e77756469056633333232036e657400|" ALGO name bm TO 65535 ICASE
10 logdrop_dns all -- anywhere anywhere STRING match "|0f6c6b6a68676664736174727975696f03636f6d00|" ALGO name bm TO 65535 ICASE
11 logdrop_dns all -- anywhere anywhere STRING match "|0b6d6e627663787a7a7a313203636f6d00|" ALGO name bm TO 65535 ICASE
12 logdrop_dns all -- anywhere anywhere STRING match "|077131313133333303746f7000|" ALGO name bm TO 65535 ICASE
13 logdrop_dns all -- anywhere anywhere STRING match "|057371353230056633333232036e657400|" ALGO name bm TO 65535 ICASE
14 logdrop_dns all -- anywhere anywhere STRING match "|077563746b6f6e6503636f6d00|" ALGO name bm TO 65535 ICASE
15 logdrop_dns all -- anywhere anywhere STRING match "|0e7a786376626d6e6e666a6a66777103636f6d00|" ALGO name bm TO 65535 ICASE
16 logdrop_dns all -- anywhere anywhere STRING match "|0a65756d6d6167766e627003636f6d00|" ALGO name bm TO 65535 ICASE
17 logdrop_dns all -- anywhere anywhere STRING match "|0b726f75746572736173757303636f6d00|" ALGO name bm TO 65535 ICASE
18 logdrop_dns all -- anywhere anywhere STRING match "|037777770b726f757465722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
19 logdrop_dns all -- anywhere anywhere STRING match "|0377777709617375736c6f67696e03636f6d00|" ALGO name bm TO 65535 ICASE
20 logdrop_dns all -- anywhere anywhere STRING match "|0d72657065617461722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
21 logdrop_dns all -- anywhere anywhere STRING match "|037777310b726f757465722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
Chain OUTPUT_IP (1 references)
num target prot opt source destination
1 logdrop_ip all -- anywhere 193.201.224.0/24
2 logdrop_ip all -- anywhere vriezekolk.org
3 logdrop_ip all -- anywhere li1019-134.members.linode.com
4 logdrop_ip all -- anywhere 190.115.18.28
5 logdrop_ip all -- anywhere 51-159-52-250.rev.poneytelecom.eu
6 logdrop_ip all -- anywhere 190.115.18.86
Chain OVPNCF (1 references)
num target prot opt source destination
Chain OVPNCI (1 references)
num target prot opt source destination
Chain OVPNSF (1 references)
num target prot opt source destination
Chain OVPNSI (1 references)
num target prot opt source destination
Chain PControls (0 references)
num target prot opt source destination
Chain PTCSRVLAN (1 references)
num target prot opt source destination
Chain PTCSRVWAN (1 references)
num target prot opt source destination
Chain SECURITY (0 references)
num target prot opt source destination
1 RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
2 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
3 RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
4 DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
5 RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
6 DROP icmp -- anywhere anywhere icmp echo-request
7 RETURN all -- anywhere anywhere
Chain VPNCF (1 references)
num target prot opt source destination
Chain VPNCI (0 references)
num target prot opt source destination
Chain WGCF (1 references)
num target prot opt source destination
Chain WGCI (1 references)
num target prot opt source destination
Chain WGNPControls (0 references)
num target prot opt source destination
Chain WGSF (1 references)
num target prot opt source destination
Chain WGSI (1 references)
num target prot opt source destination
Chain default_block (0 references)
num target prot opt source destination
Chain logaccept (0 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
2 ACCEPT all -- anywhere anywhere
Chain logdrop (0 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
2 DROP all -- anywhere anywhere
Chain logdrop_dns (21 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix "DROP_DNS "
2 DROP all -- anywhere anywhere
Chain logdrop_ip (6 references)
num target prot opt source destination
1 LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix "DROP_IP "
2 DROP all -- anywhere anywhere
I have referred to this SNB forums post up to the accept rule for setting up ZT one on my router.
https://www.snbforums.com/threads/a-guide-about-installing-zerotier-on-asus-ac68u-router.42648/
l0crian
November 10, 2023, 11:59pm
6
Can you rerun it with the -v flag? Also, can you also run one for the NAT table?:
iptables -L -v -n --line-numbers
iptables -L -v -n -t nat --line-numbers
here you go
iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1 98 ACCEPT all -- zt+ * 0.0.0.0/0 0.0.0.0/0
2 2556 510K ts-input all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT 2 -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 1 60 INPUT_PING icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
5 2234 467K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 46 4529 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
7 1113 213K PTCSRVWAN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
8 906 162K PTCSRVLAN all -- br0 * 0.0.0.0/0 0.0.0.0/0
9 0 0 DROP tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5152
10 906 162K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
11 999 197K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
12 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
13 0 0 INPUT_ICMP icmp -- * * 0.0.0.0/0 0.0.0.0/0
14 114 16523 WGSI all -- * * 0.0.0.0/0 0.0.0.0/0
15 114 16523 WGCI all -- * * 0.0.0.0/0 0.0.0.0/0
16 114 16523 OVPNSI all -- * * 0.0.0.0/0 0.0.0.0/0
17 114 16523 OVPNCI all -- * * 0.0.0.0/0 0.0.0.0/0
18 114 16523 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 1042 259K ts-forward all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
3 2108 636K IPSEC_DROP_SUBNET_ICMP all -- * * 0.0.0.0/0 0.0.0.0/0
4 2108 636K IPSEC_STRONGSWAN all -- * * 0.0.0.0/0 0.0.0.0/0
5 222 12124 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
6 1816 597K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 292 38979 WGSF all -- * * 0.0.0.0/0 0.0.0.0/0
8 292 38979 OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
9 5 260 DROP all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
10 0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
11 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
12 9 396 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
13 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
14 278 38323 WGCF all -- * * 0.0.0.0/0 0.0.0.0/0
15 278 38323 OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
16 278 38323 VPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
17 278 38323 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
18 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 445 packets, 106K bytes)
num pkts bytes target prot opt in out source destination
1 197 13739 OUTPUT_DNS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
2 0 0 OUTPUT_DNS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
3 5386 1200K OUTPUT_IP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ACCESS_RESTRICTION (0 references)
num pkts bytes target prot opt in out source destination
Chain DNSFILTER_DOT (0 references)
num pkts bytes target prot opt in out source destination
Chain FUPNP (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:61751
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:41641
Chain IControls (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ICMP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
2 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT_PING (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain IPSEC_DROP_SUBNET_ICMP (1 references)
num pkts bytes target prot opt in out source destination
Chain IPSEC_STRONGSWAN (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_DNS (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|10706f697579747975696f706b6a666e6603636f6d00|" ALGO name bm TO 65535 ICASE
2 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d72666a656a6e666a6e65666a6503636f6d00|" ALGO name bm TO 65535 ICASE
3 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|1131306166646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
4 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f376d667364666173646d6b676d726b03636f6d00|" ALGO name bm TO 65535 ICASE
5 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d386d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
6 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f3966646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
7 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" ALGO name bm TO 65535 ICASE
8 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|086861636b7563647403636f6d00|" ALGO name bm TO 65535 ICASE
9 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|076c696e77756469056633333232036e657400|" ALGO name bm TO 65535 ICASE
10 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f6c6b6a68676664736174727975696f03636f6d00|" ALGO name bm TO 65535 ICASE
11 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0b6d6e627663787a7a7a313203636f6d00|" ALGO name bm TO 65535 ICASE
12 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|077131313133333303746f7000|" ALGO name bm TO 65535 ICASE
13 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|057371353230056633333232036e657400|" ALGO name bm TO 65535 ICASE
14 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|077563746b6f6e6503636f6d00|" ALGO name bm TO 65535 ICASE
15 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0e7a786376626d6e6e666a6a66777103636f6d00|" ALGO name bm TO 65535 ICASE
16 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0a65756d6d6167766e627003636f6d00|" ALGO name bm TO 65535 ICASE
17 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0b726f75746572736173757303636f6d00|" ALGO name bm TO 65535 ICASE
18 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|037777770b726f757465722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
19 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0377777709617375736c6f67696e03636f6d00|" ALGO name bm TO 65535 ICASE
20 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d72657065617461722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
21 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|037777310b726f757465722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
Chain OUTPUT_IP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 logdrop_ip all -- * * 0.0.0.0/0 193.201.224.0/24
2 0 0 logdrop_ip all -- * * 0.0.0.0/0 51.15.120.245
3 0 0 logdrop_ip all -- * * 0.0.0.0/0 45.33.73.134
4 0 0 logdrop_ip all -- * * 0.0.0.0/0 190.115.18.28
5 0 0 logdrop_ip all -- * * 0.0.0.0/0 51.159.52.250
6 0 0 logdrop_ip all -- * * 0.0.0.0/0 190.115.18.86
Chain OVPNCF (1 references)
num pkts bytes target prot opt in out source destination
Chain OVPNCI (1 references)
num pkts bytes target prot opt in out source destination
Chain OVPNSF (1 references)
num pkts bytes target prot opt in out source destination
Chain OVPNSI (1 references)
num pkts bytes target prot opt in out source destination
Chain PControls (0 references)
num pkts bytes target prot opt in out source destination
Chain PTCSRVLAN (1 references)
num pkts bytes target prot opt in out source destination
Chain PTCSRVWAN (1 references)
num pkts bytes target prot opt in out source destination
Chain SECURITY (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
2 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
3 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04
5 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
6 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
7 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VPNCF (1 references)
num pkts bytes target prot opt in out source destination
Chain VPNCI (0 references)
num pkts bytes target prot opt in out source destination
Chain WGCF (1 references)
num pkts bytes target prot opt in out source destination
Chain WGCI (1 references)
num pkts bytes target prot opt in out source destination
Chain WGNPControls (0 references)
num pkts bytes target prot opt in out source destination
Chain WGSF (1 references)
num pkts bytes target prot opt in out source destination
Chain WGSI (1 references)
num pkts bytes target prot opt in out source destination
Chain default_block (0 references)
num pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "ACCEPT "
2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "DROP "
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop_dns (21 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix "DROP_DNS "
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop_ip (6 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix "DROP_IP "
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ts-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- tailscale0 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x40000/0xff0000
2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x40000/0xff0000
3 0 0 DROP all -- * tailscale0 100.64.0.0/10 0.0.0.0/0
4 0 0 ACCEPT all -- * tailscale0 0.0.0.0/0 0.0.0.0/0
Chain ts-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 100.84.124.23 0.0.0.0/0
2 0 0 RETURN all -- !tailscale0 * 100.115.92.0/23 0.0.0.0/0
3 0 0 DROP all -- !tailscale0 * 100.64.0.0/10 0.0.0.0/0
iptables -L -v -n -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 158 packets, 16889 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
2 38 6510 GAME_VSERVER all -- * * 0.0.0.0/0 172.19.54.63
3 38 6510 VSERVER all -- * * 0.0.0.0/0 172.19.54.63
4 0 0 GAME_VSERVER all -- * * 0.0.0.0/0 169.254.146.72
5 0 0 VSERVER all -- * * 0.0.0.0/0 169.254.146.72
Chain INPUT (policy ACCEPT 29 packets, 3076 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 131 packets, 11570 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 128 packets, 11226 bytes)
num pkts bytes target prot opt in out source destination
1 586 55046 ts-postrouting all -- * * 0.0.0.0/0 0.0.0.0/0
2 492 40515 PUPNP all -- * ppp0 0.0.0.0/0 0.0.0.0/0
3 216 17520 MASQUERADE all -- * ppp0 !172.19.54.63 0.0.0.0/0 mode: fullcone
4 0 0 MASQUERADE all -- * eth0 !169.254.146.72 0.0.0.0/0 mode: fullcone
5 274 20493 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
Chain DNSFILTER (0 references)
num pkts bytes target prot opt in out source destination
Chain GAME_VSERVER (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:43680:43690 to:192.168.1.3
2 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:43680:43690 to:192.168.1.3
Chain LOCALSRV (0 references)
num pkts bytes target prot opt in out source destination
Chain MAPE (0 references)
num pkts bytes target prot opt in out source destination
Chain PCREDIRECT (0 references)
num pkts bytes target prot opt in out source destination
Chain PUPNP (1 references)
num pkts bytes target prot opt in out source destination
1 8 884 MASQUERADE udp -- * * 192.168.1.3 0.0.0.0/0 udp spt:61751 masq ports: 61751
2 0 0 MASQUERADE udp -- * * 192.168.1.3 0.0.0.0/0 udp spt:41641 masq ports: 41641
Chain VSERVER (2 references)
num pkts bytes target prot opt in out source destination
1 38 6510 VUPNP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VUPNP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:61751 to:192.168.1.3:61751
2 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:41641 to:192.168.1.3:41641
Chain ts-postrouting (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x40000/0xff0000
l0crian
November 11, 2023, 6:27pm
8
Thank you for those, looks like you don’t have anything in your forwarding chain to allow the traffic through your router. It looks like your ZT interface name is zt+ and your WAN interface is ppp0. Assuming that’s correct, you can try adding the below (update interface names if what I assumed was incorrect):
sudo iptables -A FORWARD -i zt+ -o ppp0 -j ACCEPT
Line 6 in your forwarding chain should allow the return traffic after you create state with the initial traffic:
Give that a try, and report back. If it didn’t fix it, please provide a new output of “iptables -L -v -n --line-numbers”.
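How rule order decides the outcome for the FORWARD rule discussed above, as an added example that is not part of the original posts: a Python first-match walk over the FORWARD chain posted earlier in the thread. The two sample packets (interface name `zt0`, addresses) are constructed, and jumps to user-defined chains and the non-terminating TCPMSS target are assumed to return without a verdict for this traffic.

```python
"""First-match walk over an iptables FORWARD listing (added example)."""
import ipaddress

# FORWARD chain as posted earlier in the thread (iptables -L -v -n --line-numbers).
FORWARD = """\
1 1042 259K ts-forward all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
3 2108 636K IPSEC_DROP_SUBNET_ICMP all -- * * 0.0.0.0/0 0.0.0.0/0
4 2108 636K IPSEC_STRONGSWAN all -- * * 0.0.0.0/0 0.0.0.0/0
5 222 12124 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
6 1816 597K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 292 38979 WGSF all -- * * 0.0.0.0/0 0.0.0.0/0
8 292 38979 OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
9 5 260 DROP all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
10 0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
11 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
12 9 396 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
13 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
14 278 38323 WGCF all -- * * 0.0.0.0/0 0.0.0.0/0
15 278 38323 OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
16 278 38323 VPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
17 278 38323 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
18 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

TERMINAL = {"ACCEPT", "DROP"}  # targets that end traversal of the chain

# Constructed sample packets: a new connection from a ZeroTier peer to the
# internet, and a reply coming back. "zt0" and both addresses are made up.
NEW_OUT = {"in": "zt0", "out": "ppp0", "proto": "tcp",
           "src": "10.147.17.5", "dst": "203.0.113.10", "state": "NEW"}
REPLY_IN = {"in": "ppp0", "out": "zt0", "proto": "tcp",
            "src": "203.0.113.10", "dst": "10.147.17.5", "state": "ESTABLISHED"}


def parse(listing):
    """Turn the whitespace-separated listing into a list of rule dicts."""
    rules = []
    for line in listing.strip().splitlines():
        f = line.split()
        rules.append({"num": int(f[0]), "target": f[3], "prot": f[4],
                      "in": f[6], "out": f[7], "src": f[8], "dst": f[9],
                      "extra": " ".join(f[10:])})
    return rules


def iface_match(pattern, name):
    """'*' matches anything, a trailing '+' is a prefix wildcard, '!' negates."""
    negate = pattern.startswith("!")
    pattern = pattern.lstrip("!")
    if pattern == "*":
        hit = True
    elif pattern.endswith("+"):
        hit = name.startswith(pattern[:-1])
    else:
        hit = name == pattern
    return hit != negate


def addr_match(spec, addr):
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def state_match(extra, state):
    """Handle the 'state X,Y' / 'ctstate X' matches that appear in this chain."""
    words = extra.split()
    if words and words[0] in ("state", "ctstate"):
        return state in words[1].split(",")
    return True


def first_verdict(rules, pkt):
    """Return (rule number, target) of the first terminating rule that matches."""
    for r in rules:
        if r["target"] not in TERMINAL:
            continue  # assumption: chain jumps and TCPMSS give no verdict here
        if (r["prot"] in ("all", pkt["proto"])
                and iface_match(r["in"], pkt["in"])
                and iface_match(r["out"], pkt["out"])
                and addr_match(r["src"], pkt["src"])
                and addr_match(r["dst"], pkt["dst"])
                and state_match(r["extra"], pkt["state"])):
            return r["num"], r["target"]
    return None, "POLICY"


def with_zt_rule(rules, position=None):
    """Copy of the chain with '-i zt+ -o ppp0 -j ACCEPT' appended (-A),
    or inserted at a 1-based position (-I FORWARD <position>)."""
    new = {"num": 0, "target": "ACCEPT", "prot": "all", "in": "zt+",
           "out": "ppp0", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "extra": ""}
    out = [dict(r) for r in rules]
    out.insert(len(out) if position is None else position - 1, new)
    for n, r in enumerate(out, 1):
        r["num"] = n
    return out


if __name__ == "__main__":
    chain = parse(FORWARD)
    print("as posted      :", first_verdict(chain, NEW_OUT))
    print("rule appended  :", first_verdict(with_zt_rule(chain), NEW_OUT))
    print("rule at pos. 9 :", first_verdict(with_zt_rule(chain, 9), NEW_OUT))
    print("reply traffic  :", first_verdict(chain, REPLY_IN))
```

In the listing above, rule 9 (`DROP`, in `!br0`, out `ppp0`) already shows 5 packets against it, and it sits ahead of anything appended to the end of the chain.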
hi l0crian,
yes, ppp0 is the WAN interface, and br0 is the bridge interface as my connection is a PPPoE one.
I added the rule iptables -A FORWARD -i zt+ -o ppp0 -j ACCEPT.
below is the new iptables output
iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- zt+ * 0.0.0.0/0 0.0.0.0/0
2 196K 40M ts-input all -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT 2 -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 1 60 INPUT_PING icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
5 118K 24M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 77 3991 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
7 51455 9690K PTCSRVWAN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
8 28930 6656K PTCSRVLAN all -- br0 * 0.0.0.0/0 0.0.0.0/0
9 0 0 DROP tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5152
10 28930 6656K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
11 51443 9688K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
12 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
13 0 0 INPUT_ICMP icmp -- * * 0.0.0.0/0 0.0.0.0/0
14 12 2105 WGSI all -- * * 0.0.0.0/0 0.0.0.0/0
15 12 2105 WGCI all -- * * 0.0.0.0/0 0.0.0.0/0
16 12 2105 OVPNSI all -- * * 0.0.0.0/0 0.0.0.0/0
17 12 2105 OVPNCI all -- * * 0.0.0.0/0 0.0.0.0/0
18 12 2105 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 255K 90M ts-forward all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
3 257K 91M IPSEC_DROP_SUBNET_ICMP all -- * * 0.0.0.0/0 0.0.0.0/0
4 257K 91M IPSEC_STRONGSWAN all -- * * 0.0.0.0/0 0.0.0.0/0
5 23895 1384K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
6 240K 88M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 17250 2946K WGSF all -- * * 0.0.0.0/0 0.0.0.0/0
8 17250 2946K OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
9 0 0 DROP all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
10 0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
11 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
12 807 42954 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
13 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
14 16443 2903K WGCF all -- * * 0.0.0.0/0 0.0.0.0/0
15 16443 2903K OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
16 16443 2903K VPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
17 16443 2903K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
18 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
19 0 0 ACCEPT all -- zt+ ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 358 packets, 62712 bytes)
num pkts bytes target prot opt in out source destination
1 7737 543K OUTPUT_DNS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
2 0 0 OUTPUT_DNS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
3 348K 91M OUTPUT_IP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ACCESS_RESTRICTION (0 references)
num pkts bytes target prot opt in out source destination
Chain DNSFILTER_DOT (0 references)
num pkts bytes target prot opt in out source destination
Chain FUPNP (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.219 udp dpt:41641
2 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:47999
3 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:48010
4 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:47998
5 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:48000
6 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:48002
7 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:61751
8 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.117 udp dpt:44168
9 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:47999
10 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:48010
11 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:47998
12 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:48000
13 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:48002
14 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.3 udp dpt:61751
Chain IControls (0 references)
num pkts bytes target prot opt in out source destination
Chain INPUT_ICMP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
2 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 13
3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT_PING (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
2 0 0 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain IPSEC_DROP_SUBNET_ICMP (1 references)
num pkts bytes target prot opt in out source destination
Chain IPSEC_STRONGSWAN (1 references)
num pkts bytes target prot opt in out source destination
Chain OUTPUT_DNS (2 references)
num pkts bytes target prot opt in out source destination
1 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|10706f697579747975696f706b6a666e6603636f6d00|" ALGO name bm TO 65535 ICASE
2 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d72666a656a6e666a6e65666a6503636f6d00|" ALGO name bm TO 65535 ICASE
3 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|1131306166646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
4 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f376d667364666173646d6b676d726b03636f6d00|" ALGO name bm TO 65535 ICASE
5 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d386d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
6 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f3966646d617361787373736171726b03636f6d00|" ALGO name bm TO 65535 ICASE
7 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" ALGO name bm TO 65535 ICASE
8 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|086861636b7563647403636f6d00|" ALGO name bm TO 65535 ICASE
9 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|076c696e77756469056633333232036e657400|" ALGO name bm TO 65535 ICASE
10 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0f6c6b6a68676664736174727975696f03636f6d00|" ALGO name bm TO 65535 ICASE
11 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0b6d6e627663787a7a7a313203636f6d00|" ALGO name bm TO 65535 ICASE
12 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|077131313133333303746f7000|" ALGO name bm TO 65535 ICASE
13 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|057371353230056633333232036e657400|" ALGO name bm TO 65535 ICASE
14 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|077563746b6f6e6503636f6d00|" ALGO name bm TO 65535 ICASE
15 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0e7a786376626d6e6e666a6a66777103636f6d00|" ALGO name bm TO 65535 ICASE
16 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0a65756d6d6167766e627003636f6d00|" ALGO name bm TO 65535 ICASE
17 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0b726f75746572736173757303636f6d00|" ALGO name bm TO 65535 ICASE
18 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|037777770b726f757465722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
19 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0377777709617375736c6f67696e03636f6d00|" ALGO name bm TO 65535 ICASE
20 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|0d72657065617461722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
21 0 0 logdrop_dns all -- * * 0.0.0.0/0 0.0.0.0/0 STRING match "|037777310b726f757465722d6173757303636f6d00|" ALGO name bm TO 65535 ICASE
Chain OUTPUT_IP (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 logdrop_ip all -- * * 0.0.0.0/0 193.201.224.0/24
2 0 0 logdrop_ip all -- * * 0.0.0.0/0 51.15.120.245
3 0 0 logdrop_ip all -- * * 0.0.0.0/0 45.33.73.134
4 0 0 logdrop_ip all -- * * 0.0.0.0/0 190.115.18.28
5 0 0 logdrop_ip all -- * * 0.0.0.0/0 51.159.52.250
6 0 0 logdrop_ip all -- * * 0.0.0.0/0 190.115.18.86
Chain OVPNCF (1 references)
num pkts bytes target prot opt in out source destination
Chain OVPNCI (1 references)
num pkts bytes target prot opt in out source destination
Chain OVPNSF (1 references)
num pkts bytes target prot opt in out source destination
Chain OVPNSI (1 references)
num pkts bytes target prot opt in out source destination
Chain PControls (0 references)
num pkts bytes target prot opt in out source destination
Chain PTCSRVLAN (1 references)
num pkts bytes target prot opt in out source destination
Chain PTCSRVWAN (1 references)
num pkts bytes target prot opt in out source destination
Chain SECURITY (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 1/sec burst 5
2 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02
3 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04 limit: avg 1/sec burst 5
4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x04
5 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
6 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
7 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain VPNCF (1 references)
num pkts bytes target prot opt in out source destination
Chain VPNCI (0 references)
num pkts bytes target prot opt in out source destination
Chain WGCF (1 references)
num pkts bytes target prot opt in out source destination
Chain WGCI (1 references)
num pkts bytes target prot opt in out source destination
Chain WGNPControls (0 references)
num pkts bytes target prot opt in out source destination
Chain WGSF (1 references)
num pkts bytes target prot opt in out source destination
Chain WGSI (1 references)
num pkts bytes target prot opt in out source destination
Chain default_block (0 references)
num pkts bytes target prot opt in out source destination
Chain logaccept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "ACCEPT "
2 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "DROP "
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop_dns (21 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix "DROP_DNS "
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop_ip (6 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 7 level 4 prefix "DROP_IP "
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ts-forward (1 references)
num pkts bytes target prot opt in out source destination
1 180 183K MARK all -- tailscale0 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x40000/0xff0000
2 180 183K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x40000/0xff0000
3 0 0 DROP all -- * tailscale0 100.64.0.0/10 0.0.0.0/0
4 192 86533 ACCEPT all -- * tailscale0 0.0.0.0/0 0.0.0.0/0
Chain ts-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- lo * 100.84.124.23 0.0.0.0/0
2 0 0 RETURN all -- !tailscale0 * 100.115.92.0/23 0.0.0.0/0
3 0 0 DROP all -- !tailscale0 * 100.64.0.0/10 0.0.0.0/0
thanks for all your support on this
l0crian
November 12, 2023, 4:31am
I needed to have you insert and not add, my apologies. We need to delete the rule you just created and then add it back earlier:
iptables -D FORWARD 19
iptables -I FORWARD 9 -i zt+ -o ppp0 -j ACCEPT
no worries at all.
I’ve made the edits now. here’s the new extract of the forward table
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 33621 11M ts-forward all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT all -- eth0 * 0.0.0.0/0 224.0.0.0/4
3 306K 107M IPSEC_DROP_SUBNET_ICMP all -- * * 0.0.0.0/0 0.0.0.0/0
4 306K 107M IPSEC_STRONGSWAN all -- * * 0.0.0.0/0 0.0.0.0/0
5 29935 1734K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
6 282K 103M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 23187 4062K WGSF all -- * * 0.0.0.0/0 0.0.0.0/0
8 23187 4062K OVPNSF all -- * * 0.0.0.0/0 0.0.0.0/0
9 2 104 ACCEPT all -- zt+ ppp0 0.0.0.0/0 0.0.0.0/0
10 2064 286K DROP all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
11 0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
12 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
13 978 51318 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
14 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
15 20143 3725K WGCF all -- * * 0.0.0.0/0 0.0.0.0/0
16 20143 3725K OVPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
17 20143 3725K VPNCF all -- * * 0.0.0.0/0 0.0.0.0/0
18 19987 3717K ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
19 156 8160 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
This worked!!!
My remote device’s IPv4 address is now the same as my home router’s. This is what I wanted.
Thanks a lot, l0crian. This was really helpful to me!!!
Appreciate all the support on this one!
l0crian
November 12, 2023, 5:17am
No problem, glad you got it working!
One thing to add:
If you want to be able to access non-ZT devices on your LAN, you’ll need to add one more rule allowing zt+ to br0. You can add it right after the rule you just created (or before).
so something like this you mean ?
iptables -I FORWARD 10 -i zt+ -o br0 -j ACCEPT
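The insert-versus-append correction and the extra zt+ to br0 rule discussed above both come down to first-match rule order in the FORWARD chain. The following is an added example, not part of the thread, that checks which rule a new connection hits first; the helper name `first_match` and the interface name `zt0` are assumptions, and the sample rows are abridged from the listings in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Rows are abridged from the FORWARD
# listings discussed above, counters zeroed; BEFORE is reconstructed from the
# "-D FORWARD 19" step, i.e. the ZeroTier rule appended after the final DROP.
BEFORE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
6 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 0 0 DROP all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
17 0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
18 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
19 0 0 ACCEPT all -- zt+ ppp0 0.0.0.0/0 0.0.0.0/0'
AFTER='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
6 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 0 0 ACCEPT all -- zt+ ppp0 0.0.0.0/0 0.0.0.0/0
10 0 0 DROP all -- !br0 ppp0 0.0.0.0/0 0.0.0.0/0
18 0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
19 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0'

# Print "<num> <target>" of the first unconditional ACCEPT/DROP rule that a
# NEW packet entering IN_IF and leaving OUT_IF would hit.
# Assumptions: rules with extra matches (state, tcpflags, ...) or a specific
# source/destination are skipped, and jumps to user chains are not followed.
first_match() {
    awk -v i="$1" -v o="$2" '
    function ifmatch(pat, ifc,    neg, ok) {
        neg = (substr(pat, 1, 1) == "!")
        if (neg) pat = substr(pat, 2)
        if (pat == "*") ok = 1
        else if (substr(pat, length(pat)) == "+")   # zt+ = any name starting "zt"
            ok = (index(ifc, substr(pat, 1, length(pat) - 1)) == 1)
        else ok = (pat == ifc)
        return neg ? !ok : ok
    }
    $1 ~ /^[0-9]+$/ && NF == 10 && ($4 == "ACCEPT" || $4 == "DROP") &&
    $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" &&
    ifmatch($7, i) && ifmatch($8, o) { print $1, $4; exit }'
}

echo "before, zt0->ppp0: $(printf '%s\n' "$BEFORE" | first_match zt0 ppp0)"
echo "after,  zt0->ppp0: $(printf '%s\n' "$AFTER" | first_match zt0 ppp0)"
echo "after,  zt0->br0:  $(printf '%s\n' "$AFTER" | first_match zt0 br0)"
echo "after,  br0->ppp0: $(printf '%s\n' "$AFTER" | first_match br0 ppp0)"
# On the router: iptables -L FORWARD -v -n --line-numbers | first_match zt0 ppp0
```

The zt0 to br0 case falls through to the final DROP, which is why LAN access needs its own ACCEPT; that rule opens the LAN to every member authorized on the ZeroTier network, so membership there becomes the access control.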