@amasover
Last active May 17, 2021 23:16
Google Fiber OpenWRT firewall rules
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
################################################################################
### Firewall rules to use an OpenWRT router at the edge of your network ###
### instead of the Google Fiber Network Box. ###
### Reference: https://pastebin.com/dWABB4ih ###
### See also: https://forum.archive.openwrt.org/viewtopic.php?id=50376 ###
### https://forum.openwrt.org/t/set-vlan-cos-priority-for-google-fiber/25288 ###
################################################################################
# Note: the following requires ip-full package
ip link set eth1.2 type vlan egress 0:3
ip link set eth1.2 type vlan egress 2:2
ip link set eth1.2 type vlan egress 6:6
iptables -t mangle -A POSTROUTING -p udp -m udp --sport 68 --dport 67 -j CLASSIFY --set-class 0:2
iptables -t mangle -A POSTROUTING -p igmp -j CLASSIFY --set-class 0:6
# Note: the above rules will only be loaded on router boot if the include for firewall.rules has
# option reload set to 1. I believe this is because the eth1.2 vlan is not yet started when the
# firewall first comes up.
# To set option reload, from OpenWRT busybox shell:
# $ uci set firewall.@include[0].reload="1"
# $ uci commit firewall
# $ service firewall restart
# Or add directly to /etc/config/firewall :
# config include
# option path '/etc/firewall.user'
# option reload '1'
# See:
# https://openwrt.org/docs/guide-user/firewall/firewall_configuration#includes
# https://dev.archive.openwrt.org/ticket/20249.html
# https://forum.openwrt.org/t/problem-installing-custom-etc-firewall-user-file/24826/10
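The gist above sets three things that silently fail to take effect when something is missing: the 802.1p egress map on eth1.2 (needs ip-full and a VLAN that already exists when the rules run), the two CLASSIFY rules in mangle POSTROUTING (needs the iptables-mod-ipopt package, which is what ships the CLASSIFY target on OpenWrt), and the reload option on the firewall include. The script below is an added verification check, not part of the gist, written for the busybox/POSIX shell on the router. The output formats it parses (iproute2 `ip -d link show`, `iptables -S`, `uci show`, `opkg list-installed`) are assumptions exercised against constructed samples at the bottom; the device name eth1.2 and the 0:3 2:2 6:6 map are taken from the gist.

```shell
#!/bin/sh
# Added verification script (not part of the original gist): checks that the
# Google Fiber QoS setup is actually in effect on an OpenWrt router.
# Busybox/POSIX sh. Output formats matched here are assumptions about
# iproute2, iptables-save style output, uci and opkg; see samples below.

WAN_VLAN_DEV="eth1.2"            # assumption: same WAN VLAN device as the gist
WANTED_EGRESS_MAP="0:3 2:2 6:6"  # skb_priority:vlan_pcp pairs from the gist

# has_egress_map <output of: ip -d link show DEV>
# Succeeds only if every pair in WANTED_EGRESS_MAP appears inside the
# "egress-qos-map { ... }" block that ip prints for a VLAN device.
has_egress_map() {
    map=$(printf '%s\n' "$1" | sed -n 's/.*egress-qos-map { \([^}]*\)}.*/\1/p')
    [ -n "$map" ] || return 1
    for pair in $WANTED_EGRESS_MAP; do
        case " $map " in
            *" $pair "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# has_classify_rule <output of: iptables -t mangle -S POSTROUTING> <match> <class>
# iptables saves the CLASSIFY class as zero-padded hex (0000:0002) while the
# gist writes 0:2; the pattern accepts both spellings.
has_classify_rule() {
    major=${3%%:*}
    minor=${3##*:}
    printf '%s\n' "$1" | grep -Eq -- "$2.*-j CLASSIFY --set-class 0*${major}:0*${minor}\$"
}

# include_reload_enabled <output of: uci show firewall>
# Any include index is accepted; @include[0] in the gist is just the usual one.
include_reload_enabled() {
    printf '%s\n' "$1" | grep -Eq "^firewall\.@include\[[0-9]+\]\.reload='?1'?\$"
}

# classify_module_present <output of: opkg list-installed>
classify_module_present() {
    printf '%s\n' "$1" | grep -q '^iptables-mod-ipopt '
}

# check_router: live checks on the router, one line per check, nonzero on failure.
check_router() {
    rc=0
    if has_egress_map "$(ip -d link show "$WAN_VLAN_DEV" 2>/dev/null)"; then
        echo "ok:   egress-qos-map $WANTED_EGRESS_MAP set on $WAN_VLAN_DEV"
    else
        echo "FAIL: egress-qos-map missing on $WAN_VLAN_DEV (ip-full installed? include reload=1?)"
        rc=1
    fi
    mangle=$(iptables -t mangle -S POSTROUTING 2>/dev/null)
    if has_classify_rule "$mangle" "-p udp -m udp --sport 68 --dport 67" "0:2" &&
       has_classify_rule "$mangle" "-p igmp" "0:6"; then
        echo "ok:   CLASSIFY rules for DHCP (0:2) and IGMP (0:6) present"
    else
        echo "FAIL: CLASSIFY rules missing from mangle POSTROUTING"
        rc=1
    fi
    if classify_module_present "$(opkg list-installed 2>/dev/null)"; then
        echo "ok:   iptables-mod-ipopt installed"
    else
        echo "FAIL: iptables-mod-ipopt not installed (CLASSIFY target unavailable)"
        rc=1
    fi
    if include_reload_enabled "$(uci show firewall 2>/dev/null)"; then
        echo "ok:   firewall include has reload=1"
    else
        echo "FAIL: firewall include reload option is not 1"
        rc=1
    fi
    return $rc
}

# Constructed sample output (not captured from a real router) to exercise the
# parsers offline; shapes follow iproute2, iptables -S, uci show, opkg.
SAMPLE_LINK='9: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 2 <REORDER_HDR> egress-qos-map { 0:3 2:2 6:6 } addrgenmode eui64'
SAMPLE_MANGLE='-P POSTROUTING ACCEPT
-A POSTROUTING -p udp -m udp --sport 68 --dport 67 -j CLASSIFY --set-class 0000:0002
-A POSTROUTING -p igmp -j CLASSIFY --set-class 0000:0006'
SAMPLE_UCI="firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'"
SAMPLE_OPKG='iptables - 1.8.3-1
iptables-mod-ipopt - 1.8.3-1'

# Only talk to the real tools when they exist (i.e. on the router itself).
if command -v uci >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    check_router
fi
```

Copy it to the router and run it after `service firewall restart`; each check prints ok or FAIL and the script's exit status is nonzero if anything is missing. The parsing functions take command output as an argument rather than calling the tools themselves, which is what makes them testable off the router with the constructed samples.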
@genpfault

genpfault commented May 17, 2021

Needed to opkg install iptables-mod-ipopt to get the CLASSIFY/--set-class option on iptables to work.

Example errors without it:

iptables v1.8.3 (legacy): unknown option "--set-class"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.3 (legacy): unknown option "--set-class"
Try `iptables -h' or 'iptables --help' for more information.
   ! Failed with exit code 2
