Invalid forwards from VLANs to Gateway - Wireguard ProtonVPN interface

Hi! Unfortunately, I'm not very skilled at configuring firewalls, and this problem has overwhelmed me.

I'd like to achieve a result where VLANs with IDs 20, 30, 40, and 50 connect to the outside world through the Wireguard interface connected to ProtonVPN servers.

What's working?

  1. Connection to the VPN server
  2. Routing - the VLANs exit through the Wireguard interface (WG-Proton).

Unfortunately, something's not right here, and all devices connected to the VLANs are receiving invalid forwarding, e.g.:

invalid forward: in:vlan30-SKK(ether2-B20-BOX) out:WG-PROTON, connection-state: invalid src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK, FIN), 10.30.26.254:49707->1xx.66.x.5:80, len 40

and

invalid forward: in:vlan30-SKK(ether2-B20-BOX) out:WG-PROTON, connection-state: invalid src-mac xx:xx:xx:xx:xx:xx, proto TCP (ACK, RST), 10.30.26.254:49707->1xx.66.x.5:80 len 40

Below - the router config,

I am kindly asking for your help on how to resolve this.

Best regards,

Lukas

2026-03-02 12:01:09 by RouterOS 7.20.7

model = RB3011UiAS

/interface bridge add ingress-filtering=no name=bridge1 port-cost-mode=short vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] name=ether1-WAN
/interface ethernet set [ find default-name=ether2 ] name=ether2-
/interface ethernet set [ find default-name=ether3 ] name=ether3-
/interface ethernet set [ find default-name=ether4 ] name=ether4-
/interface ethernet set [ find default-name=ether5 ] name=ether5-
/interface wireguard add listen-port=23204 mtu=1420 name=WG-PROTON

/interface vlan add interface=bridge1 name=vlan10 vlan-id=10
/interface vlan add interface=bridge1 name=vlan20 vlan-id=20
/interface vlan add interface=bridge1 name=vlan30 vlan-id=30
/interface vlan add interface=bridge1 name=vlan40 vlan-id=40
/interface vlan add interface=bridge1 name=vlan50 vlan-id=50
/interface list add name=WAN
/interface list add name=LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol add comment="Block Torrents" name=torrent regexp="^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]"

/ip pool add name=dhcp_pool0 ranges=192.168.26.100-192.168.26.254
/ip pool add name=dhcp_pool2 ranges=10.10.26.100-10.10.26.254
/ip pool add name=dhcp_pool3 ranges=10.20.26.100-10.20.26.254
/ip pool add name=dhcp_pool4 ranges=10.30.26.50-10.30.26.254
/ip pool add name=dhcp_pool5 ranges=10.40.26.5-10.40.26.254
/ip pool add name=dhcp_pool6 ranges=10.50.26.100-10.50.26.254
/ip dhcp-server add address-pool=dhcp_pool0 interface=bridge1 lease-time=10m name=dhcp1
/ip dhcp-server add address-pool=dhcp_pool2 interface=vlan10 lease-script=TRANSMISJA lease-time=10m name=dhcp2-TRANS
/ip dhcp-server add address-pool=dhcp_pool3 interface=vlan20 lease-script=media lease-time=10m name=dhcp2-MEDIA
/ip dhcp-server add address-pool=dhcp_pool4 interface=vlan30 lease-script=skk-staff lease-time=10m name=dhcp2-SKK
/ip dhcp-server add address-pool=dhcp_pool5 interface=vlan40 lease-script=public lease-time=10m name=dhcp2-PUB
/ip dhcp-server add address-pool=dhcp_pool6 interface=vlan50 lease-time=10m name=dhcp2-KABEL
/ip smb users set [ find default=yes ] disabled=yes
/port set 0 name=serial0

/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/routing table add disabled=no fib name=WG-VPN_PROTON
/zerotier set zt1 disabled=no disabled=no
/zerotier interface add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier1 network=[censored]
/interface bridge port add bridge=bridge1 ingress-filtering=no interface=ether2- internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 ingress-filtering=no interface=ether3- internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 ingress-filtering=no interface=ether4- internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=bridge1 ingress-filtering=no interface=ether5- internal-path-cost=10 path-cost=10 pvid=10
/interface bridge port add bridge=bridge1 interface=ether6
/interface bridge settings set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking set udp-timeout=10s
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether3-,ether2-,ether4-,ether5- vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether2-,ether3- untagged=ether4-,ether5- vlan-ids=20
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether3-,ether2- untagged=ether4-,ether5- vlan-ids=30
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether3-,ether2-,ether4- untagged=ether5- vlan-ids=40
/interface bridge vlan add bridge=bridge1 tagged=bridge1 vlan-ids=50

/interface list member add interface=ether1-WAN list=WAN
/interface list member add interface=bridge1 list=LAN
/interface list member add disabled=yes interface=vlan10 list=LAN
/interface list member add disabled=yes interface=vlan20 list=LAN
/interface list member add disabled=yes interface=vlan30 list=LAN
/interface list member add disabled=yes interface=vlan40 list=LAN
/interface list member add disabled=yes interface=vlan50 list=LAN
/interface list member add interface=zerotier1 list=LAN
/interface list member add interface=WG-PROTON list=WAN

/interface wireguard peers [all censored but the connection works]

/ip address add address=192.168.26.1/24 interface=bridge1 network=192.168.26.0
/ip address add address=10.10.26.1/24 interface=vlan10 network=10.10.26.0
/ip address add address=10.20.26.1/24 interface=vlan20 network=10.20.26.0
/ip address add address=10.30.26.1/24 interface=vlan30 network=10.30.26.0
/ip address add address=10.40.26.1/24 interface=vlan40 network=10.40.26.0
/ip address add address=10.50.26.1/24 interface=vlan50 network=10.50.26.0
/ip address add address=XX.XXX.XXX.XXX disabled=yes interface=ether1-WAN network=XX.XXX.XXX.XXX
/ip address add address=10.2.0.2/24 disabled=yes interface=WG-PROTON network=10.2.0.0

/ip dhcp-client add default-route-tables=main interface=ether1-WAN

/ip dhcp-server network add address=10.10.26.0/24 domain=transmisja.lan gateway=10.10.26.1
/ip dhcp-server network add address=10.20.26.0/24 domain=media.lan gateway=10.20.26.1
/ip dhcp-server network add address=10.30.26.0/24 domain=skk-staff.lan gateway=10.30.26.1
/ip dhcp-server network add address=10.40.26.0/24 gateway=10.40.26.1
/ip dhcp-server network add address=10.50.26.0/24 gateway=10.50.26.1
/ip dhcp-server network add address=192.168.26.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.26.1

/ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
/ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall address-list add address=10.10.26.0/24 list=VLANs
/ip firewall address-list add address=192.168.26.0/24 list=MAINLAN
/ip firewall address-list add address=10.20.26.0/24 list=VLANs
/ip firewall address-list add address=10.30.26.0/24 list=VLANs
/ip firewall address-list add address=10.40.26.0/24 list=VLANs
/ip firewall address-list add address=10.50.26.0/24 list=VLANs

/ip firewall address-list add address=10.10.26.0/24 list=LAN
/ip firewall address-list add address=192.168.26.0/24 list=LAN
/ip firewall address-list add address=10.20.26.0/24 list=LAN
/ip firewall address-list add address=10.30.26.0/24 list=LAN
/ip firewall address-list add address=10.40.26.0/24 list=LAN
/ip firewall address-list add address=10.50.26.0/24 list=LAN
/ip firewall filter add action=accept chain=forward comment="DISABLE FIREWALL" disabled=yes
/ip firewall filter add action=accept chain=input comment="DISABLE FIREWALL" disabled=yes
/ip firewall filter add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=30s chain=forward comment="Block Torrents" in-interface-list=all layer7-protocol=torrent src-address-list=!allow-bit
/ip firewall filter add action=drop chain=forward comment="Block Torrents" dst-port=!0-1023,1723,5900,5800,3389,8728,8291,14147,5222,59905 protocol=udp src-address-list=Torrent-Conn
/ip firewall filter add action=drop chain=forward comment="Block Torrents" dst-port=!0-1023,1723,5900,5800,3389,8728,8291,14147,5222,59905 protocol=tcp src-address-list=Torrent-Conn
/ip firewall filter add action=accept chain=forward comment=ZEROTIER dst-port=9993 protocol=udp
/ip firewall filter add action=accept chain=input comment=ZEROTIER dst-port=9993 protocol=udp
/ip firewall filter add action=accept chain=forward comment=ZEROTIER in-interface=zerotier1
/ip firewall filter add action=accept chain=input in-interface=zerotier1
/ip firewall filter add action=accept chain=input connection-mark=zero_tier disabled=yes in-interface-list=WAN port=49152-65535 protocol=udp
/ip firewall filter add action=accept chain=input comment=WG dst-port=[censored] protocol=udp

/ip firewall filter add action=accept chain=input in-interface=WG-PROTON

/ip firewall filter add action=accept chain=forward connection-state="" in-interface=WG-PROTON
/ip firewall filter add action=accept chain=input comment=VPN dst-port=500 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input connection-nat-state="" dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
/ip firewall filter add action=accept chain=input disabled=yes protocol=gre
/ip firewall filter add action=accept chain=input disabled=yes dst-port=51820 protocol=udp
/ip firewall filter add action=accept chain=input disabled=yes dst-port=8291 protocol=tcp
/ip firewall filter add action=accept chain=forward disabled=yes dst-port=19503 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="MIKROTIK Neghbor Discovery" port=5678 protocol=udp
/ip firewall filter add action=accept chain=input comment="MIKROTIK Neghbor Discovery" port=5678 protocol=udp
/ip firewall filter add action=accept chain=input comment="-----START-UNIVERSAL-FIREWALL-RULES----Accept DNS - UDP" port=53 protocol=udp
/ip firewall filter add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
/ip firewall filter add action=accept chain=input comment="Accept Mikrotik DHCP" port=67 protocol=udp
/ip firewall filter add action=accept chain=input comment="Accept Mikrotik DHCP CLIENT" port=68 protocol=udp
/ip firewall filter add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=5,5 protocol=icmp
/ip firewall filter add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
/ip firewall filter add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
/ip firewall filter add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
/ip firewall filter add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
/ip firewall filter add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
/ip firewall filter add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall filter add action=accept chain=input comment="INPUT: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="INPUT: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="INPUT: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
/ip firewall filter add action=fasttrack-connection chain=forward comment="Fasttrack z pomini\EAciem VLANs" connection-state=established,related dst-address-list=!VLANs hw-offload=yes src-address-list=!VLANs
/ip firewall filter add action=accept chain=forward comment="MAINLAN access to VLANs (new connections)" connection-state=new dst-address-list=VLANs src-address-list=MAINLAN
/ip firewall filter add action=accept chain=forward comment="ZEROTIER access to LAN (new connections)" connection-state=new dst-address-list=LAN in-interface=zerotier1
/ip firewall filter add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
/ip firewall filter add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
/ip firewall filter add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
/ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
/ip firewall filter add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" log=yes log-prefix=LAN_!LAN src-address-list=!LAN
/ip firewall filter add action=drop chain=forward comment="Separate all VLANs" dst-address-list=VLANs src-address-list=VLANs
/ip firewall filter add action=reject chain=forward comment="BLOCK LAN OUT TO ZEROTIER" connection-state=new log=yes log-prefix="LAN  to ZEROTIER [BLOCKED]" out-interface=zerotier1 reject-with=icmp-admin-prohibited src-address-list=LAN
/ip firewall filter add action=reject chain=forward comment="BLOCK MAINLAN access from VLANs (new connections)" connection-state=new dst-address-list=MAINLAN log=yes log-prefix="VLAN to MAINLAN [BLOCKED]" reject-with=icmp-admin-prohibited src-address-list=VLANs
/ip firewall filter add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
/ip firewall filter add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
/ip firewall filter add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
/ip firewall filter add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
/ip firewall filter add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
/ip firewall filter add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
/ip firewall filter add action=drop chain=forward comment="Drop to bogon list" dst-address-list=not_in_internet in-interface-list=WAN log=yes log-prefix=drop_to_bogon_check
/ip firewall filter add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
/ip firewall filter add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
/ip firewall filter add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" log-prefix="DROP SOMETING ELSE"
/ip firewall mangle add action=mark-connection chain=prerouting disabled=yes new-connection-mark=under_protonvpn src-address-list=under_protonvpn
/ip firewall mangle add action=mark-routing chain=prerouting disabled=yes dst-address-list=!PROTON_VPN log=yes log-prefix=VLANS_PROTON new-routing-mark=WG-VPN_PROTON src-address-list=PROTON_VPN
/ip firewall mangle add action=mark-connection chain=prerouting disabled=yes in-interface=zerotier1 new-connection-mark=zero_tier port="" protocol=udp
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port set sip disabled=yes

/ip route add disabled=no dst-address=0.0.0.0/0 gateway=WG-PROTON routing-table=WG-VPN_PROTON suppress-hw-offload=no
/ip route add comment="PROTON USING WAN" disabled=yes distance=1 dst-address=[censored, ProtonVPN endpoint wireguard] /32 gateway=[censored, but it is eth1-WAN] routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service set ftp disabled=yes
/ip service set telnet disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=/pub
/ip ssh set forwarding-enabled=both
/ip upnp interfaces add interface=ether1-WAN type=external
/ip upnp interfaces add interface=bridge1 type=internal
/lcd set read-only-mode=yes
/lcd pin set pin-number=1925

/routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule add action=lookup-only-in-table comment="enable local traffic" disabled=no min-prefix=0 table=main
/routing rule add action=lookup-only-in-table disabled=no interface=WG-PROTON table=main
/routing rule add action=lookup-only-in-table disabled=no interface=vlan20 table=WG-VPN_PROTON
/routing rule add action=lookup-only-in-table disabled=no interface=vlan40 table=WG-VPN_PROTON
/routing rule add action=lookup-only-in-table disabled=no interface=vlan50 table=WG-VPN_PROTON
/routing rule add action=lookup-only-in-table disabled=no interface=vlan30 table=WG-VPN_PROTON

/system script add dont-require-permissions=no name=skk-staff owner=skkpolonia policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local queueName "Client- $leaseActMAC";\r
\n \r
\n:if ($leaseBound = "1") do={\r
\n    /queue simple add name=$queueName target=($leaseActIP . "/32") limit-at=512k/512k max-limit=200M/200M comment=[/ip dhcp-server lease get [find where active-mac-address=$leaseActMAC && active-address=$leaseActIP] host-name];\r
\n} else={\r
\n    /queue simple remove $queueName\r
\n}\r
\n"
/system script add dont-require-permissions=no name=public owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local queueName "Client- $leaseActMAC";\r
\n \r
\n:if ($leaseBound = "1") do={\r
\n    /queue simple add name=$queueName target=($leaseActIP . "/32") limit-at=512k/512k max-limit=1M/1M comment=[/ip dhcp-server lease get [find where active-mac-address=$leaseActMAC && active-address=$leaseActIP] host-name];\r
\n} else={\r
\n    /queue simple remove $queueName\r
\n}\r
\n"
/system script add dont-require-permissions=no name=media owner=skkpolonia policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local queueName "Client- $leaseActMAC";\r
\n \r
\n:if ($leaseBound = "1") do={\r
\n    /queue simple add name=$queueName target=($leaseActIP . "/32") limit-at=512k/512k max-limit=20M/20M comment=[/ip dhcp-server lease get [find where active-mac-address=$leaseActMAC && active-address=$leaseActIP] host-name];\r
\n} else={\r
\n    /queue simple remove $queueName\r
\n}\r
\n"
/system script add dont-require-permissions=no name=50 owner=skkpolonia policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local queueName "Client- $leaseActMAC";\r
\n \r
\n:if ($leaseBound = "1") do={\r
\n    /queue simple add name=$queueName target=($leaseActIP . "/32") limit-at=512k/512k max-limit=100M/100M comment=[/ip dhcp-server lease get [find where active-mac-address=$leaseActMAC && active-address=$leaseActIP] host-name];\r
\n} else={\r
\n    /queue simple remove $queueName\r
\n}\r
\n"
/system script add dont-require-permissions=no name=TRANSMISJA owner=skkpolonia policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local queueName "Client- $leaseActMAC";\r
\n \r
\n:if ($leaseBound = "1") do={\r
\n    /queue simple add name=$queueName target=($leaseActIP . "/32") limit-at=512k/512k max-limit=200M/200M comment=[/ip dhcp-server lease get [find where active-mac-address=$leaseActMAC && active-address=$leaseActIP] host-name];\r
\n} else={\r
\n    /queue simple remove $queueName\r
\n}\r
\n"


I've not read your full configuration (and honestly, your FW needs a clean up to remove all the bogus "hardenings"), but whenever you see ="" in a firewall rule that has nothing to do with a comment or a log prefix, then that rule has most probably become useless.

See another thread posted at the same time:
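
Added example (not written by anyone in this thread): a small Python check for the pattern the reply above describes, listing every firewall rule in an export whose matcher is set to `=""` outside `comment` and `log-prefix`. The function names and `SAMPLE` are made up for this illustration; the first five sample lines are copied from the config posted above, the last two are constructed to show the sectioned export form and the `comment=""` exemption.

```python
import re

# Properties where an empty string is ordinary free text, per the reply above.
FREE_TEXT = {"comment", "log-prefix"}
TABLE = re.compile(r"^/ip firewall (filter|nat|mangle|raw)\b\s*(.*)$")
# key=value pairs; a value is a double-quoted string or a bare word.
PAIR = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def iter_rules(export_text):
    """Yield (line_no, table, props) for every firewall 'add' in an export.

    Accepts the one-command-per-line form shown in the thread and the
    sectioned form ('/ip firewall filter' header, then bare 'add ...' lines).
    """
    table = None
    for line_no, raw in enumerate(export_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("/"):
            m = TABLE.match(line)
            table = m.group(1) if m else None
            line = m.group(2) if m else ""
        if table is None or not line.startswith("add "):
            continue
        props = {}
        for k, v in PAIR.findall(line[4:]):
            quoted = len(v) >= 2 and v[0] == v[-1] == '"'
            props[k] = v[1:-1] if quoted else v
        yield line_no, table, props


def empty_matchers(export_text):
    """Return one finding per rule that carries a matcher set to ''."""
    findings = []
    for line_no, table, props in iter_rules(export_text):
        empty = sorted(k for k, v in props.items()
                       if v == "" and k not in FREE_TEXT)
        if empty:
            findings.append({
                "line": line_no,
                "table": table,
                "chain": props.get("chain", "?"),
                "action": props.get("action", "?"),
                "empty": empty,
                # A disabled rule is not evaluated, but still worth cleaning up.
                "disabled": props.get("disabled") == "yes",
            })
    return findings


# Lines 1-5: copied from the posted config. Lines 6-7: constructed.
SAMPLE = '''\
/ip firewall filter add action=accept chain=input in-interface=WG-PROTON
/ip firewall filter add action=accept chain=forward connection-state="" in-interface=WG-PROTON
/ip firewall filter add action=accept chain=input connection-nat-state="" dst-port=4500 protocol=udp
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
/ip firewall mangle add action=mark-connection chain=prerouting disabled=yes in-interface=zerotier1 new-connection-mark=zero_tier port="" protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="" out-interface-list=WAN
'''

if __name__ == "__main__":
    for f in empty_matchers(SAMPLE):
        state = "disabled" if f["disabled"] else "ACTIVE"
        print(f'line {f["line"]}: {f["table"]}/{f["chain"]} '
              f'action={f["action"]} empty={",".join(f["empty"])} [{state}]')
```

Run against a full export, the findings are the rules to re-enter with the matcher either given a real value or removed.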

Many thanks!

The connection-state="" in the forward chain via in-interface WG-PROTON could be crucial. I corrected it and am currently testing.

I guess I should do a clean-up, but I am not an expert. I've just used the firewall examples from Building Advanced Firewall - RouterOS - MikroTik Documentation.

It didn’t solve the issue. I am still getting invalid forwards.

It's probably time to clean up your firewall. You could maybe summon @anav and he'll probably propose a saner and more compact firewall configuration.

It's really not necessary to apply all the examples from the documentation.


Concur. Post your latest config and I will take a look, and go to 7.21.3 firmware, as I don't trust anything earlier at the moment. Or you can use the long-term version; I forget the number.