config defaults
    option syn_flood '1'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'vlan2_vms'
    list network 'management'
    list network 'zerotier'
    list device 'zt7t5aodqt'

config zone
    option name 'wan'
    list network 'wan'
    list network 'lte'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'awg'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '0'
    list network 'awg0'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'awg'
    option dest 'lan'

config forwarding
    option src 'awg'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'awg'

# === WAN INPUT RULES ===
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-ZeroTier-WAN'
    option src 'wan'
    option proto 'udp'
    option dest_port '9993'
    option target 'ACCEPT'

config rule
    option name 'Allow-HTTP-In'
    option src 'wan'
    option proto 'tcp'
    option dest_port '80'
    option target 'ACCEPT'

config rule
    option name 'Allow-HTTPS-In'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'

config rule
    option name 'Allow-AWG'
    option src 'wan'
    option proto 'udp'
    option dest_port '51820'
    option target 'ACCEPT'

# === DNAT REDIRECTS ===
config redirect
    option name 'Proxy-2244'    # gitea SSH
    option src 'wan'
    option dest 'lan'
    option proto 'tcp'
    option src_dport '2244'
    option dest_ip '172.16.10.1'
    option target 'DNAT'

config redirect
    option name 'HomePC RDP'
    option src 'wan'
    option dest 'lan'
    option target 'DNAT'
    option proto 'tcp'
    option src_dport '1804'
    option dest_ip '192.168.0.11'