PBR + SNAT + NFTABLES MULTI IFACE = SETUP FOR LAN HANDLING UNDER DEBIAN SERVER

I want to set up the base for my local net 10.10.0.0/16. I am stuck with this initial config:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 127.0.1.0/8 scope host secondary lo
       valid_lft forever preferred_lft forever
2: main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:28 brd ff:ff:ff:ff:ff:ff
    inet 10.10.254.1/16 metric 5 brd 10.10.255.255 scope global noprefixroute main
       valid_lft forever preferred_lft forever
3: enp3s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:2a brd ff:ff:ff:ff:ff:ff
4: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:60 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.254/16 brd 10.10.255.255 scope global noprefixroute lan
       valid_lft forever preferred_lft forever
    inet 10.10.0.253/16 brd 10.10.255.255 scope global secondary noprefixroute lan
       valid_lft forever preferred_lft forever
5: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:62 brd ff:ff:ff:ff:ff:ff
    inet 10.11.0.11/24 brd 10.11.0.255 scope global noprefixroute wan
       valid_lft forever preferred_lft forever


default via 10.11.0.254 dev wan table wan 
10.11.0.0/24 dev wan table wan proto static scope link src 10.11.0.11 metric 10 
default via 10.10.0.254 dev lan table lan 
10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.254 metric 3 
10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.253 metric 4 
10.10.0.0/16 dev main proto static scope link src 10.10.254.1 metric 5 
local 10.10.0.253 dev lan table local proto kernel scope host src 10.10.0.254 
local 10.10.0.254 dev lan table local proto kernel scope host src 10.10.0.254 
local 10.10.254.1 dev main table local proto kernel scope host src 10.10.254.1 
broadcast 10.10.255.255 dev lan table local proto kernel scope link src 10.10.0.254 
broadcast 10.10.255.255 dev main table local proto kernel scope link src 10.10.254.1 
local 10.11.0.11 dev wan table local proto kernel scope host src 10.11.0.11 
broadcast 10.11.0.255 dev wan table local proto kernel scope link src 10.11.0.11 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.1.0 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 

0:  from all lookup local
50: from 10.10.254.1 lookup main
100:    from all to 10.10.0.0/16 lookup lan
200:    from 10.11.0.11/24 lookup wan
300:    from all lookup wan

# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep  4 21:17:39 2024
*mangle
:PREROUTING ACCEPT [1239580:605755216]
:INPUT ACCEPT [378113:49258598]
:FORWARD ACCEPT [802997:543796066]
:OUTPUT ACCEPT [319027:35084380]
:POSTROUTING ACCEPT [1121729:578854744]
:ALL_MARK - [0:0]
:ALL_MARK_BASE - [0:0]
:LAN_MARK - [0:0]
:LAN_MARK_BASE - [0:0]
:WAN_MARK - [0:0]
:WAN_MARK_BASE - [0:0]
COMMIT
# Completed on Wed Sep  4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep  4 21:17:39 2024
*raw
:PREROUTING ACCEPT [1239580:605755216]
:OUTPUT ACCEPT [319027:35084380]
COMMIT
# Completed on Wed Sep  4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep  4 21:17:39 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [319027:35084380]
:CONTINUE - [0:0]
:LOG_ACCEPT_FILTER_FORWARD - [0:0]
:LOG_DROP_FILTER_FORWARD - [0:0]
:LOG_DROP_FILTER_INPUT - [0:0]
:LOG_DROP_FILTER_OUTPUT - [0:0]
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p tcp -m tcp --dport 222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p udp -m udp --dport 222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -f -j DROP
-A INPUT -i lan -m conntrack --ctstate INVALID -j DROP
-A INPUT -i wan -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lan -m conntrack --ctstate UNTRACKED -j CONTINUE
-A INPUT -i wan -m conntrack --ctstate UNTRACKED -j CONTINUE
-A INPUT -i lan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.0.254/32 -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i lan -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lan -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 172.64.36.1/32 -i wan -p tcp -m tcp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.1/32 -i wan -p udp -m udp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.2/32 -i wan -p tcp -m tcp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.2/32 -i wan -p udp -m udp --sport 853 -j ACCEPT
-A INPUT -i lan -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i lan -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j LOG_DROP_FILTER_INPUT
-A FORWARD -i main -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o main -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wan -o lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -o wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p udp -m udp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i lan -o wan -m conntrack --ctstate NEW -j CONTINUE
-A FORWARD -j LOG_DROP_FILTER_FORWARD
-A CONTINUE -j RETURN
-A LOG_ACCEPT_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-accepted]:" --nflog-group 23
-A LOG_ACCEPT_FILTER_FORWARD -j ACCEPT
-A LOG_DROP_FILTER_FORWARD -i main -j NFLOG --nflog-prefix "[fFWDd-main]:" --nflog-group 30
-A LOG_DROP_FILTER_FORWARD -i lan -j NFLOG --nflog-prefix "[fFWDd-lan]:" --nflog-group 32
-A LOG_DROP_FILTER_FORWARD -i wan -j NFLOG --nflog-prefix "[fFWDd-wan]:" --nflog-group 33
-A LOG_DROP_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-drop]:" --nflog-group 22
-A LOG_DROP_FILTER_FORWARD -j DROP
-A LOG_DROP_FILTER_INPUT -j NFLOG --nflog-prefix "[filter-IN-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_INPUT -j NFLOG --nflog-prefix "[filter-IN-drop]:" --nflog-group 20
-A LOG_DROP_FILTER_INPUT -j DROP
-A LOG_DROP_FILTER_OUTPUT -j NFLOG --nflog-prefix "[filter-OUT-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_OUTPUT -j NFLOG --nflog-prefix "[filter-OUT-drop]:" --nflog-group 21
-A LOG_DROP_FILTER_OUTPUT -j DROP
COMMIT
# Completed on Wed Sep  4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep  4 21:17:39 2024
*nat
:PREROUTING ACCEPT [133812:27567189]
:INPUT ACCEPT [5148:716974]
:OUTPUT ACCEPT [8458:1549031]
:POSTROUTING ACCEPT [6386:1419831]
:DNS_DNAT_LS_ND - [0:0]
:DNS_DNAT_NS_LD - [0:0]
:DNS_DNAT_NS_ND - [0:0]
-A POSTROUTING -s 10.10.0.0/16 -o main -j SNAT --to-source 10.10.254.1
-A POSTROUTING -s 10.10.0.254/32 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
-A POSTROUTING -s 10.10.0.253/32 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
COMMIT
# Completed on Wed Sep  4 21:17:39 2024

net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_evict_nocarrier = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.disable_policy = 0
net.ipv4.conf.all.disable_xfrm = 0
net.ipv4.conf.all.drop_gratuitous_arp = 0
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.all.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.all.ignore_routes_with_linkdown = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.all.route_localnet = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.tag = 0
net.ipv4.conf.default.accept_local = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.arp_accept = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_evict_nocarrier = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_notify = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.default.disable_policy = 0
net.ipv4.conf.default.disable_xfrm = 0
net.ipv4.conf.default.drop_gratuitous_arp = 0
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.default.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.default.ignore_routes_with_linkdown = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.medium_id = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.default.route_localnet = 0
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.shared_media = 1
net.ipv4.conf.default.src_valid_mark = 0
net.ipv4.conf.default.tag = 0
net.ipv4.conf.enp3s0f1.accept_local = 0
net.ipv4.conf.enp3s0f1.accept_redirects = 1
net.ipv4.conf.enp3s0f1.accept_source_route = 0
net.ipv4.conf.enp3s0f1.arp_accept = 0
net.ipv4.conf.enp3s0f1.arp_announce = 0
net.ipv4.conf.enp3s0f1.arp_evict_nocarrier = 1
net.ipv4.conf.enp3s0f1.arp_filter = 0
net.ipv4.conf.enp3s0f1.arp_ignore = 0
net.ipv4.conf.enp3s0f1.arp_notify = 0
net.ipv4.conf.enp3s0f1.bc_forwarding = 0
net.ipv4.conf.enp3s0f1.bootp_relay = 0
net.ipv4.conf.enp3s0f1.disable_policy = 0
net.ipv4.conf.enp3s0f1.disable_xfrm = 0
net.ipv4.conf.enp3s0f1.drop_gratuitous_arp = 0
net.ipv4.conf.enp3s0f1.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.enp3s0f1.force_igmp_version = 0
net.ipv4.conf.enp3s0f1.forwarding = 1
net.ipv4.conf.enp3s0f1.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.enp3s0f1.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.enp3s0f1.ignore_routes_with_linkdown = 0
net.ipv4.conf.enp3s0f1.log_martians = 0
net.ipv4.conf.enp3s0f1.mc_forwarding = 0
net.ipv4.conf.enp3s0f1.medium_id = 0
net.ipv4.conf.enp3s0f1.promote_secondaries = 1
net.ipv4.conf.enp3s0f1.proxy_arp = 0
net.ipv4.conf.enp3s0f1.proxy_arp_pvlan = 0
net.ipv4.conf.enp3s0f1.route_localnet = 0
net.ipv4.conf.enp3s0f1.rp_filter = 2
net.ipv4.conf.enp3s0f1.secure_redirects = 1
net.ipv4.conf.enp3s0f1.send_redirects = 1
net.ipv4.conf.enp3s0f1.shared_media = 1
net.ipv4.conf.enp3s0f1.src_valid_mark = 0
net.ipv4.conf.enp3s0f1.tag = 0
net.ipv4.conf.lan.accept_local = 0
net.ipv4.conf.lan.accept_redirects = 1
net.ipv4.conf.lan.accept_source_route = 0
net.ipv4.conf.lan.arp_accept = 0
net.ipv4.conf.lan.arp_announce = 0
net.ipv4.conf.lan.arp_evict_nocarrier = 1
net.ipv4.conf.lan.arp_filter = 1
net.ipv4.conf.lan.arp_ignore = 1
net.ipv4.conf.lan.arp_notify = 0
net.ipv4.conf.lan.bc_forwarding = 0
net.ipv4.conf.lan.bootp_relay = 0
net.ipv4.conf.lan.disable_policy = 0
net.ipv4.conf.lan.disable_xfrm = 0
net.ipv4.conf.lan.drop_gratuitous_arp = 0
net.ipv4.conf.lan.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.lan.force_igmp_version = 0
net.ipv4.conf.lan.forwarding = 1
net.ipv4.conf.lan.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.lan.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.lan.ignore_routes_with_linkdown = 0
net.ipv4.conf.lan.log_martians = 0
net.ipv4.conf.lan.mc_forwarding = 0
net.ipv4.conf.lan.medium_id = 0
net.ipv4.conf.lan.promote_secondaries = 1
net.ipv4.conf.lan.proxy_arp = 0
net.ipv4.conf.lan.proxy_arp_pvlan = 0
net.ipv4.conf.lan.route_localnet = 0
net.ipv4.conf.lan.rp_filter = 1
net.ipv4.conf.lan.secure_redirects = 1
net.ipv4.conf.lan.send_redirects = 1
net.ipv4.conf.lan.shared_media = 1
net.ipv4.conf.lan.src_valid_mark = 0
net.ipv4.conf.lan.tag = 0
net.ipv4.conf.lo.accept_local = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.lo.arp_accept = 0
net.ipv4.conf.lo.arp_announce = 1
net.ipv4.conf.lo.arp_evict_nocarrier = 1
net.ipv4.conf.lo.arp_filter = 1
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_notify = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.disable_policy = 1
net.ipv4.conf.lo.disable_xfrm = 1
net.ipv4.conf.lo.drop_gratuitous_arp = 0
net.ipv4.conf.lo.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.lo.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.lo.ignore_routes_with_linkdown = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.promote_secondaries = 1
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
net.ipv4.conf.lo.route_localnet = 0
net.ipv4.conf.lo.rp_filter = 2
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.src_valid_mark = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.conf.main.accept_local = 0
net.ipv4.conf.main.accept_redirects = 1
net.ipv4.conf.main.accept_source_route = 0
net.ipv4.conf.main.arp_accept = 0
net.ipv4.conf.main.arp_announce = 0
net.ipv4.conf.main.arp_evict_nocarrier = 1
net.ipv4.conf.main.arp_filter = 1
net.ipv4.conf.main.arp_ignore = 1
net.ipv4.conf.main.arp_notify = 0
net.ipv4.conf.main.bc_forwarding = 0
net.ipv4.conf.main.bootp_relay = 0
net.ipv4.conf.main.disable_policy = 0
net.ipv4.conf.main.disable_xfrm = 0
net.ipv4.conf.main.drop_gratuitous_arp = 0
net.ipv4.conf.main.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.main.force_igmp_version = 0
net.ipv4.conf.main.forwarding = 1
net.ipv4.conf.main.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.main.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.main.ignore_routes_with_linkdown = 0
net.ipv4.conf.main.log_martians = 0
net.ipv4.conf.main.mc_forwarding = 0
net.ipv4.conf.main.medium_id = 0
net.ipv4.conf.main.promote_secondaries = 1
net.ipv4.conf.main.proxy_arp = 0
net.ipv4.conf.main.proxy_arp_pvlan = 0
net.ipv4.conf.main.route_localnet = 0
net.ipv4.conf.main.rp_filter = 1
net.ipv4.conf.main.secure_redirects = 1
net.ipv4.conf.main.send_redirects = 1
net.ipv4.conf.main.shared_media = 1
net.ipv4.conf.main.src_valid_mark = 0
net.ipv4.conf.main.tag = 0
net.ipv4.conf.wan.accept_local = 0
net.ipv4.conf.wan.accept_redirects = 1
net.ipv4.conf.wan.accept_source_route = 0
net.ipv4.conf.wan.arp_accept = 0
net.ipv4.conf.wan.arp_announce = 0
net.ipv4.conf.wan.arp_evict_nocarrier = 1
net.ipv4.conf.wan.arp_filter = 1
net.ipv4.conf.wan.arp_ignore = 1
net.ipv4.conf.wan.arp_notify = 0
net.ipv4.conf.wan.bc_forwarding = 0
net.ipv4.conf.wan.bootp_relay = 0
net.ipv4.conf.wan.disable_policy = 0
net.ipv4.conf.wan.disable_xfrm = 0
net.ipv4.conf.wan.drop_gratuitous_arp = 0
net.ipv4.conf.wan.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.wan.force_igmp_version = 0
net.ipv4.conf.wan.forwarding = 1
net.ipv4.conf.wan.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.wan.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.wan.ignore_routes_with_linkdown = 0
net.ipv4.conf.wan.log_martians = 0
net.ipv4.conf.wan.mc_forwarding = 0
net.ipv4.conf.wan.medium_id = 0
net.ipv4.conf.wan.promote_secondaries = 1
net.ipv4.conf.wan.proxy_arp = 0
net.ipv4.conf.wan.proxy_arp_pvlan = 0
net.ipv4.conf.wan.route_localnet = 0
net.ipv4.conf.wan.rp_filter = 1
net.ipv4.conf.wan.secure_redirects = 1
net.ipv4.conf.wan.send_redirects = 1
net.ipv4.conf.wan.shared_media = 1
net.ipv4.conf.wan.src_valid_mark = 0
net.ipv4.conf.wan.tag = 0

BINDINGS

10.10.0.254, .253 – unbound (LAN clients' DNS)
lan – kea dhcp4/ddns
127.0.1.0 – bind9 (lan ddns/resolver)

**DON'T ASK ME WHAT THE IPTABLES RULES ARE FOR** – mainly to see where the traffic goes.

I WANT TO DO TRAFFIC SHAPING VIA NFTABLES [filter] IN/OUT/FORWARD FOR SERVER AND CLIENTS, and add some mangling with base markings so I can look at conntrack or tcpdump traffic and see what's going on…

LATER: MORE ADVANCED SCENARIOS – VLANS / SUB-SUBNETS, DYNAMIC ROUTING, TUNNELING

The setup should also handle the dummy d0 10.100.100.100/16 [respond with its own IP on lan – not with the lan-attached IPs], a dummy for clients – removed to make the base work as expected.

ip route get 1.1.1.1 from 10.11.0.11
1.1.1.1 from 10.11.0.11 via 10.11.0.254 dev wan table wan uid 0 

ip route get 1.1.1.1 from 10.10.0.254 
1.1.1.1 from 10.10.0.254 via 10.11.0.254 dev wan table wan uid 0 

ip route get 1.1.1.1 from 10.10.254.1 
1.1.1.1 from 10.10.254.1 via 10.11.0.254 dev wan table wan uid 0 
    cache 

ip route get 10.10.0.254 from 10.10.254.1 
local 10.10.0.254 from 10.10.254.1 dev lo table local uid 0 
    cache <local> 

ip route get 10.10.0.254 from 10.11.0.11 
local 10.10.0.254 from 10.11.0.11 dev lo table local uid 0 
    cache <local> 

ip route get 10.10.254.1  from 10.11.0.11 
local 10.10.254.1 from 10.11.0.11 dev lo table local uid 0 
    cache <local> 

PROBLEM

1. - OK 

$ ping 1.1.1.1 -c 1 -I wan
PING 1.1.1.1 (1.1.1.1) from 10.11.0.11 wan: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=52 time=52.4 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 52.449/52.449/52.449/0.000 ms

2. 3. 4. - NOK

$ ping 1.1.1.1 -c 1 -I lan
PING 1.1.1.1 (1.1.1.1) from 10.10.0.254 lan: 56(84) bytes of data.
From 10.10.0.254 icmp_seq=1 Destination Host Unreachable

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

ping 1.1.1.1 -c 1 -I lan -B 10.10.0.254  
PING 10.10.0.254 (10.10.0.254) from 10.10.0.254 lan: 56(124) bytes of data.

--- 10.10.0.254 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping 1.1.1.1 -c 1 -I wan -B 10.11.0.11  
PING 10.11.0.11 (10.11.0.11) from 10.11.0.11 wan: 56(124) bytes of data.

--- 10.11.0.11 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


I've tried to mark packets in mangle OUTPUT and then add a rule, but this doesn't work either. Can someone correct my solution so that it will work?

Some topology-related info:

 MAINSERVER  - d0
   /   |         
 wan lan  main  wan2           Rap  ))    (( Cx
  |         /              / 
  R       Sstp L3   ----  Sstp L2- Cx
  |      /                
  R     Cx  Rap ))          Cx
  |
 www

Strict Reverse Path Filtering on the main interface (net.ipv4.conf.main.rp_filter = 1 above) ensures that main only handles traffic that is truly meant for it and prevents it from responding to packets meant for lan; traffic for the LAN network should be routed via lan with no interference from main.

10.11.0.11     10.10.0.252/31    10.10.254.1          10.10.254.2

IN/OUT         IN/OUT            IN/OUT               IN/OUT
|               |                |                    |
|    FORWARD    |                |                    |
main --------- lan              main                  enp(unused yet - WAN SEC?) 
 |              |                |                    |
 |              -----SWITCH ------------SWITCH--------
10.11.0.0/24       10.10.10.254        /
 |                                  /
10.11.0.254/24           10.10.0.0/16
 |
192.168.0.1
 |
CGN
 |
0.0.0.0/0
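The failing `ping -I lan` / `ping -I main` runs in the PROBLEM section, replayed offline against the `ip rule` and `ip route` output quoted above. This is an added example, not the post's own code or configuration: the rule and route tables are copied from the post, the `local` table is reduced to the host's own addresses, and the on-link fallback models what the Linux kernel does when a device-bound socket finds no route (it assumes the destination is on that link and ARPs for it, which is what `Destination Host Unreachable` from the host's own address indicates).

```python
"""Replay of the policy-routing lookup over the `ip rule` / `ip route` output
quoted above (added example, not the post's code). Rules are tried in priority
order, each table is searched with a longest-prefix match, a table without a
match falls through to the next rule, and when the socket is bound to a device
(as `ping -I lan` does) only routes on that device count. If every rule falls
through for a bound socket, the kernel assumes the destination is on-link."""
import ipaddress

# Copied from the post's `ip rule`: (priority, from-selector, to-selector, table).
RULES = [
    (0, None, None, "local"),
    (50, "10.10.254.1/32", None, "main"),
    (100, None, "10.10.0.0/16", "lan"),
    (200, "10.11.0.0/24", None, "wan"),  # the post's `from 10.11.0.11/24`
    (300, None, None, "wan"),
]
# Copied from the post's `ip route show table all`: table -> (prefix, dev, gateway).
ROUTES = {
    "wan": [("0.0.0.0/0", "wan", "10.11.0.254"), ("10.11.0.0/24", "wan", None)],
    "lan": [("0.0.0.0/0", "lan", "10.10.0.254"), ("10.10.0.0/16", "lan", None)],
    "main": [("10.10.0.0/16", "main", None)],
}
# The `local` table, reduced to the host's own addresses (delivered via lo).
LOCAL_ADDRS = {"10.10.254.1", "10.10.0.254", "10.10.0.253", "10.11.0.11"}


def _matches(addr, prefix):
    """True when `prefix` is unset (wildcard) or contains `addr`."""
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def lookup_table(table, dst, oif=None):
    """Longest-prefix match in one table, restricted to `oif` when bound."""
    if table == "local":
        return (dst + "/32", "lo", None) if dst in LOCAL_ADDRS else None
    hits = [r for r in ROUTES.get(table, ())
            if _matches(dst, r[0]) and (oif is None or r[1] == oif)]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


def resolve(src, dst, oif=None):
    """Return (rule priority, table, route) the way the kernel would pick it.
    With a bound device and no matching rule, returns the kernel's on-link
    fallback; without a bound device it returns None (network unreachable)."""
    for prio, frm, to, table in sorted(RULES, key=lambda r: r[0]):
        if _matches(src, frm) and _matches(dst, to):
            route = lookup_table(table, dst, oif)
            if route is not None:
                return prio, table, route
    if oif is not None:  # kernel: routing tables are "wrong", assume on-link
        return None, "on-link fallback", (dst + "/32", oif, None)
    return None


def self_gateway_routes():
    """Routes whose next hop is one of this host's own addresses; such a
    route can never hand the packet to another router."""
    return [(t, r) for t, rs in ROUTES.items() for r in rs if r[2] in LOCAL_ADDRS]


if __name__ == "__main__":
    for src, dst, dev in [("10.11.0.11", "1.1.1.1", "wan"), ("10.10.0.254", "1.1.1.1", None),
                          ("10.10.0.254", "1.1.1.1", "lan"), ("10.10.254.1", "1.1.1.1", "main")]:
        print(f"src={src} dst={dst} dev={dev} -> {resolve(src, dst, dev)}")
    print("routes with this host as gateway:", self_gateway_routes())
```

Only table wan holds a default route, and only rules 200/300 reach it, so a socket bound to lan or main never finds a default route and hits the on-link fallback; the `default via 10.10.0.254 dev lan table lan` route is additionally flagged because its gateway is the host itself.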