TPBR + SNAT + NFTABLES MULTI IFACE = SETUP FOR LAN HANDLING UNDER DEBIAN SERVER

I want to set up the base for my local net 10.10.0.0/16; I am stuck with the following initial config:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 127.0.1.0/8 scope host secondary lo
       valid_lft forever preferred_lft forever
2: main: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:28 brd ff:ff:ff:ff:ff:ff
    inet 10.10.254.1/16 metric 5 brd 10.10.255.255 scope global noprefixroute main
       valid_lft forever preferred_lft forever
3: enp3s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:2a brd ff:ff:ff:ff:ff:ff
4: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:60 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.254/16 brd 10.10.255.255 scope global noprefixroute lan
       valid_lft forever preferred_lft forever
    inet 10.10.0.253/16 brd 10.10.255.255 scope global secondary noprefixroute lan
       valid_lft forever preferred_lft forever
5: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 3c:d9:2b:fa:b7:62 brd ff:ff:ff:ff:ff:ff
    inet 10.11.0.11/24 brd 10.11.0.255 scope global noprefixroute wan
       valid_lft forever preferred_lft forever


default via 10.11.0.254 dev wan table wan 
10.11.0.0/24 dev wan table wan proto static scope link src 10.11.0.11 metric 10 
default via 10.10.0.254 dev lan table lan 
10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.254 metric 3 
10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.253 metric 4 
10.10.0.0/16 dev main proto static scope link src 10.10.254.1 metric 5 
local 10.10.0.253 dev lan table local proto kernel scope host src 10.10.0.254 
local 10.10.0.254 dev lan table local proto kernel scope host src 10.10.0.254 
local 10.10.254.1 dev main table local proto kernel scope host src 10.10.254.1 
broadcast 10.10.255.255 dev lan table local proto kernel scope link src 10.10.0.254 
broadcast 10.10.255.255 dev main table local proto kernel scope link src 10.10.254.1 
local 10.11.0.11 dev wan table local proto kernel scope host src 10.11.0.11 
broadcast 10.11.0.255 dev wan table local proto kernel scope link src 10.11.0.11 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.1.0 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 

0:  from all lookup local
50: from 10.10.254.1 lookup main
100:    from all to 10.10.0.0/16 lookup lan
200:    from 10.11.0.11/24 lookup wan
300:    from all lookup wan

# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep  4 21:17:39 2024
*mangle
# All built-in chains are at policy ACCEPT and the user chains below are empty:
# this dump contains no marking rules at all, so the "mark packets in mangle
# OUTPUT" attempt mentioned in the question is not reflected here.
:PREROUTING ACCEPT [1239580:605755216]
:INPUT ACCEPT [378113:49258598]
:FORWARD ACCEPT [802997:543796066]
:OUTPUT ACCEPT [319027:35084380]
:POSTROUTING ACCEPT [1121729:578854744]
# Placeholder chains for the planned base markings (nothing jumps to them yet).
:ALL_MARK - [0:0]
:ALL_MARK_BASE - [0:0]
:LAN_MARK - [0:0]
:LAN_MARK_BASE - [0:0]
:WAN_MARK - [0:0]
:WAN_MARK_BASE - [0:0]
COMMIT
# Completed on Wed Sep  4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep  4 21:17:39 2024
*raw
# No NOTRACK/CT rules: every packet is conntracked, so the "--ctstate UNTRACKED"
# rules in *filter should never match.
:PREROUTING ACCEPT [1239580:605755216]
:OUTPUT ACCEPT [319027:35084380]
COMMIT
# Completed on Wed Sep  4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep  4 21:17:39 2024
*filter
# Default deny on INPUT and FORWARD. OUTPUT is accept-all, so the
# LOG_DROP_FILTER_OUTPUT chain declared below is never jumped to in this dump.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [319027:35084380]
# CONTINUE only RETURNs (see the end of this table); "-j CONTINUE" is a no-op
# that lets the packet keep walking the calling chain.
:CONTINUE - [0:0]
# Declared, but no rule in this dump jumps to LOG_ACCEPT_FILTER_FORWARD.
:LOG_ACCEPT_FILTER_FORWARD - [0:0]
:LOG_DROP_FILTER_FORWARD - [0:0]
:LOG_DROP_FILTER_INPUT - [0:0]
:LOG_DROP_FILTER_OUTPUT - [0:0]
# ---- INPUT via main: only the host's own 10.10.254.1 is reachable, and only
# for established flows, tcp/udp 222 and echo-request. Anything else that
# arrives on main falls through to LOG_DROP_FILTER_INPUT at the bottom.
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p tcp -m tcp --dport 222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p udp -m udp --dport 222 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 10.10.0.0/16 -d 10.10.254.1/32 -i main -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop ICMP fragments before any stateful matching.
-A INPUT -p icmp -f -j DROP
# ---- lan/wan: INVALID is dropped; UNTRACKED goes to CONTINUE (no-op, see
# above) and keeps traversing INPUT.
-A INPUT -i lan -m conntrack --ctstate INVALID -j DROP
-A INPUT -i wan -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lan -m conntrack --ctstate UNTRACKED -j CONTINUE
-A INPUT -i wan -m conntrack --ctstate UNTRACKED -j CONTINUE
# The "-p tcp" / "-p udp" RELATED,ESTABLISHED rules are fully covered by the
# protocol-less rule that follows them; they only split the counters.
-A INPUT -i lan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): unlike the main rules above, this one has no "-i": tcp/222 to
# 10.10.0.254 is accepted on whichever interface the packet enters, as long as
# the source claims 10.10.0.0/16. Only rp_filter=1 on wan keeps spoofed
# sources out; scoping it with "-i lan" would make the intent explicit.
-A INPUT -s 10.10.0.0/16 -d 10.10.0.254/32 -p tcp -m tcp --dport 222 -j ACCEPT
# ICMP: fragmentation-needed (3/4) and source-quench (4) as NEW, echo-request
# unconditionally, on lan and wan.
-A INPUT -i lan -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 3/4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 4 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i wan -p icmp -m icmp --icmp-type 8 -j ACCEPT
# DNS (53) is reachable from lan only (unbound on 10.10.0.254/.253).
-A INPUT -i lan -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lan -p tcp -m tcp --dport 53 -j ACCEPT
# NOTE(review): the four rules below accept ANY packet from 172.64.36.1/.2
# whose source port is 853, regardless of conntrack state and destination
# port. Replies to this host's own DoT queries are already accepted by the wan
# RELATED,ESTABLISHED rules above, so what these add is an unsolicited,
# source-port-keyed path to every local port. Drop them, or at least restrict
# them with "-m conntrack --ctstate ESTABLISHED".
-A INPUT -s 172.64.36.1/32 -i wan -p tcp -m tcp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.1/32 -i wan -p udp -m udp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.2/32 -i wan -p tcp -m tcp --sport 853 -j ACCEPT
-A INPUT -s 172.64.36.2/32 -i wan -p udp -m udp --sport 853 -j ACCEPT
# DHCP server (67) from lan only; 67/tcp is unusual for DHCP but harmless.
-A INPUT -i lan -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i lan -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j LOG_DROP_FILTER_INPUT
# ---- FORWARD: nothing NEW may enter or leave via main (rejected, not
# dropped, so the sender gets port-unreachable). wan->lan is replies only,
# lan->wan is open for 10.10.0.0/16 sources. As in INPUT, the "-p tcp"/"-p udp"
# and "-d"/"-s" variants are subsumed by the bare "-i X -o Y" rule that
# closes each group.
-A FORWARD -i main -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o main -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -i wan -o lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wan -o lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p udp -m udp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan -o wan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p udp -m udp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -p tcp -m tcp -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i lan -o wan -m conntrack --ctstate NEW -j ACCEPT
# NEW from lan with a source outside 10.10.0.0/16 hits CONTINUE (no-op) and
# is then logged and dropped by the next rule.
-A FORWARD -i lan -o wan -m conntrack --ctstate NEW -j CONTINUE
-A FORWARD -j LOG_DROP_FILTER_FORWARD
-A CONTINUE -j RETURN
# Logging chains. NFLOG group 12 is shared by all drop chains, 20/21/22 are
# per chain, 30/32/33 split forward drops by ingress interface.
-A LOG_ACCEPT_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-accepted]:" --nflog-group 23
-A LOG_ACCEPT_FILTER_FORWARD -j ACCEPT
-A LOG_DROP_FILTER_FORWARD -i main -j NFLOG --nflog-prefix "[fFWDd-main]:" --nflog-group 30
-A LOG_DROP_FILTER_FORWARD -i lan -j NFLOG --nflog-prefix "[fFWDd-lan]:" --nflog-group 32
-A LOG_DROP_FILTER_FORWARD -i wan -j NFLOG --nflog-prefix "[fFWDd-wan]:" --nflog-group 33
-A LOG_DROP_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_FORWARD -j NFLOG --nflog-prefix "[filter-FWD-drop]:" --nflog-group 22
-A LOG_DROP_FILTER_FORWARD -j DROP
-A LOG_DROP_FILTER_INPUT -j NFLOG --nflog-prefix "[filter-IN-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_INPUT -j NFLOG --nflog-prefix "[filter-IN-drop]:" --nflog-group 20
-A LOG_DROP_FILTER_INPUT -j DROP
-A LOG_DROP_FILTER_OUTPUT -j NFLOG --nflog-prefix "[filter-OUT-drop]:" --nflog-group 12
-A LOG_DROP_FILTER_OUTPUT -j NFLOG --nflog-prefix "[filter-OUT-drop]:" --nflog-group 21
-A LOG_DROP_FILTER_OUTPUT -j DROP
COMMIT
# Completed on Wed Sep  4 21:17:39 2024
# Generated by iptables-save v1.8.10 (nf_tables) on Wed Sep  4 21:17:39 2024
*nat
:PREROUTING ACCEPT [133812:27567189]
:INPUT ACCEPT [5148:716974]
:OUTPUT ACCEPT [8458:1549031]
:POSTROUTING ACCEPT [6386:1419831]
# The DNS_DNAT_* chains are declared but carry no rules in this dump.
:DNS_DNAT_LS_ND - [0:0]
:DNS_DNAT_NS_LD - [0:0]
:DNS_DNAT_NS_ND - [0:0]
# Anything from 10.10.0.0/16 that leaves via main is masked as main's address.
-A POSTROUTING -s 10.10.0.0/16 -o main -j SNAT --to-source 10.10.254.1
# The two /32 rules are subsumed by the /16 rule that follows (same match
# apart from the source, same action); they only give per-address counters.
-A POSTROUTING -s 10.10.0.254/32 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
-A POSTROUTING -s 10.10.0.253/32 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
# Everything from 10.10.0.0/16 bound outside the LAN and leaving via wan is
# masked as the wan address. This presumably also covers the host's own
# traffic sourced from a lan address (cf. "ip route get 1.1.1.1 from
# 10.10.0.254", which resolves via wan).
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -o wan -j SNAT --to-source 10.11.0.11
COMMIT
# Completed on Wed Sep  4 21:17:39 2024

BINDINGS

10.10.0.254 / .253 – unbound (DNS for the LAN clients)
lan – kea dhcp4/ddns
127.0.1.0 – bind0 (lan ddns/resolver)

**DON'T ASK ME WHAT THE IPTABLES RULES ARE FOR – mainly to see where the traffic goes**

I WANT TO DO TRAFFIC SHAPING VIA NFTABLES [filter] IN/OUT/FORWARD FOR SERVER AND CLIENTS, and add some mangling with base markings to be able to look at conntrack or tcpdump traffic and see what's going on…

LATER: MORE ADVANCED SCENARIOS – VLANS / SUB-SUBNETS, DYNAMIC ROUTING, TUNNELING

the setup should also handle the dummy d0 10.100.100.100/16 [it should respond with its own IP on lan – not with the IPs attached to lan]; it is a dummy for clients – removed for now to make the base work as expected

ip route get 1.1.1.1 from 10.11.0.11
1.1.1.1 from 10.11.0.11 via 10.11.0.254 dev wan table wan uid 0 

ip route get 1.1.1.1 from 10.10.0.254 
1.1.1.1 from 10.10.0.254 via 10.11.0.254 dev wan table wan uid 0 

ip route get 1.1.1.1 from 10.10.254.1 
1.1.1.1 from 10.10.254.1 via 10.11.0.254 dev wan table wan uid 0 
    cache 

ip route get 10.10.0.254 from 10.10.254.1 
local 10.10.0.254 from 10.10.254.1 dev lo table local uid 0 
    cache <local> 

ip route get 10.10.0.254 from 10.11.0.11 
local 10.10.0.254 from 10.11.0.11 dev lo table local uid 0 
cache <local> 

ip route get 10.10.254.1  from 10.11.0.11 
local 10.10.254.1 from 10.11.0.11 dev lo table local uid 0 
cache <local> 

PROBLEM

1. - OK 

$ ping 1.1.1.1 -c 1 -I wan
PING 1.1.1.1 (1.1.1.1) from 10.11.0.11 wan: 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=52 time=52.4 ms

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 52.449/52.449/52.449/0.000 ms

2. 3. 4. - NOK (note: in 3 and 4 the PING header reports 10.10.0.254 / 10.11.0.11 as the destination – `-B` takes no argument, so the address after it was parsed as the target and those two runs pinged the host's own address)

$ ping 1.1.1.1 -c 1 -I lan
PING 1.1.1.1 (1.1.1.1) from 10.10.0.254 lan: 56(84) bytes of data.
From 10.10.0.254 icmp_seq=1 Destination Host Unreachable

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

ping 1.1.1.1 -c 1 -I lan -B 10.10.0.254  
PING 10.10.0.254 (10.10.0.254) from 10.10.0.254 lan: 56(124) bytes of data.

--- 10.10.0.254 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

ping 1.1.1.1 -c 1 -I wan -B 10.11.0.11  
PING 10.11.0.11 (10.11.0.11) from 10.11.0.11 wan: 56(124) bytes of data.

--- 10.11.0.11 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


I've tried to mark packets in mangle OUTPUT and then add a rule, but that doesn't work either. Can someone correct my setup so that it will work?

some topology related info

 MAINSERVER  - d0
   /   |         
 wan lan  main  wan2           Rap  ))    (( Cx
  |         /              / 
  R       Sstp L3   ----  Sstp L2- Cx
  |      /                
  R     Cx  Rap ))          Cx
  |
 www

Strict reverse path filtering on the main interface – ensures that main only handles traffic that is truly meant for it, preventing it from responding to packets meant for lan; traffic meant for the LAN network should be routed via lan with no interference from main.

10.11.0.11     10.10.0.252/31    10.10.254.1          10.10.254.2

IN/OT          IN/OUT            IN/OUT               IN/OUT
|               |                |                    |
|    FORWARD    |                |                    |
main --------- lan              main                  enp(unused yet - WAN SEC?) 
 |              |                |                    |
 |              -----SWITCH ------------SWITCH--------
10.11.0.0/24       10.10.10.254        /
 |                                  /
10.11.0.254/24           10.10.0.0/16
 |
192.168.0.1
 |
CGN
 |
0.0.0.0/0

EDIT (detailed config):

#############################################################################################################################################################
####### START d0.cfg  #######################################################################################################################################
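auto d0
iface d0 inet manual
# d0 is a dummy link carrying 10.10.100.100/16 that is meant to be reachable
# from the lan segment, with lan answering ARP on its behalf (see the two
# sysctl hooks at the end of the UP section). The file is currently not
# sourced from /etc/network/interfaces.

######## UP d0 #############

    # create the dummy link; "|| true" keeps ifup going if it already exists
    pre-up /usr/bin/ip link add d0 type dummy || true
    # assign the address; noprefixroute keeps the kernel from adding yet
    # another 10.10.0.0/16 connected route next to the lan/main ones
    pre-up /usr/bin/ip address add 10.10.100.100/16 broadcast 10.10.255.255 dev d0 label d0 metric 50 noprefixroute || true
    # bring the link up
    up /usr/bin/ip link set dev d0 up || true
    # policy rule: packets sourced from the d0 address are routed via table d0
    up /usr/bin/ip ru add from 10.10.100.100 lookup d0 priority 1100 || true
    # host route for the d0 address in table d0
    up /usr/bin/ip ro add 10.10.100.100 dev d0 proto static scope host src 10.10.100.100 table d0 || true
    # no ipv6 on d0
    up /sbin/sysctl -w net.ipv6.conf.d0.disable_ipv6=1 || true
    # arp_ignore=0 on lan: lan now answers ARP for ANY address local to this
    # host (d0's 10.10.100.100, but also main's 10.10.254.1 and wan's
    # 10.11.0.11), not only for the addresses configured on lan itself.
    # enp4s0f0.cfg sets it to 1, and per the topology sketch main shares the
    # switch with lan, so while d0 is up lan may attract traffic addressed to
    # 10.10.254.1 -- review whether that is acceptable.
    post-up /sbin/sysctl -w net.ipv4.conf.lan.arp_ignore=0 || true
    # arp_filter=0 on lan so it may reply for the d0 address on the same segment
    # ("|| true" added: every other hook tolerates failure, this one aborted ifup)
    up /sbin/sysctl -w net.ipv4.conf.lan.arp_filter=0 || true

##### DOWN d0 ###############

    # restore the lan ARP settings from enp4s0f0.cfg (arp_filter used to be
    # left at 0 after ifdown d0)
    down /sbin/sysctl -w net.ipv4.conf.lan.arp_ignore=1 || true
    down /sbin/sysctl -w net.ipv4.conf.lan.arp_filter=1 || true
    # remove the route and rule added above
    down /usr/bin/ip ro del 10.10.100.100 dev d0 proto static scope host src 10.10.100.100 table d0 || true
    down /usr/bin/ip ru del from 10.10.100.100 lookup d0 priority 1100 || true
    # remove the address (same /16 prefix as the add above)
    down /usr/bin/ip address del 10.10.100.100/16 dev d0 || true
    # link down
    down /usr/bin/ip link set d0 down || true
    # delete the dummy link
    down /usr/bin/ip link del d0 type dummy || true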

####### END d0.cfg  ###########################################################################################################################################
###############################################################################################################################################################
####### START enp3s0f0.cfg  ###################################################################################################################################
####### enp3s0f0 BEFORE RENAME main ###############################################################################################
# enp3s0f0 - main interface connected to switch
# see enp4s0f1.cfg for routing details 
# ALLOW SETUP WITH ifup/ifdown only when used with --allow=main
# see systemd if-main.service 
allow-main enp3s0f0
# MANUAL SETUP: this stanza is the UP path; the DOWN path lives in the
# "iface main" stanza below, because the link is renamed on the way up.
iface enp3s0f0 inet manual
    # CHANGE ORIGINAL NAME (no "|| true": if the rename fails, abort ifup)
    pre-up ip link set enp3s0f0 name main
    # SETUP IP ADDRESS; noprefixroute, the connected route is added by hand below
    pre-up ip address add 10.10.254.1/16 broadcast 10.10.255.255 dev main noprefixroute label main metric 5 || true
    # LINK UP
    up ip link set main up || true
    # ADD ROUTE: 10.10.0.0/16 via main in the main table (metric 5, so it sorts
    # after the lan-table routes with metric 3/4)
    up ip route add 10.10.0.0/16 dev main table main proto static scope link src 10.10.254.1 metric 5 || true
    # SETUP DEFAULT ROUTE (disabled; main has no upstream of its own)
#   up ip route add default via 10.10.0.254 dev main table main || true
    # main rule: only traffic sourced from main's own address consults the
    # main table (priority 50, before the lan/wan rules)
        up ip rule add from 10.10.254.1 to all lookup main priority 50 || true
    # CONFIGURE: answer ARP only for addresses configured on main
    up echo 1 > /proc/sys/net/ipv4/conf/main/arp_ignore || true
    up echo 1 > /proc/sys/net/ipv4/conf/main/arp_filter || true
    # strict reverse path filtering on main interface
    # ensures that main only handles traffic that is truly meant for it,
    # preventing it from responding to packets meant for lan. As far as I can
    # tell this works together with the priority-50 rule: the reverse lookup
    # for a packet addressed to 10.10.254.1 resolves to main, while a packet
    # for any other 10.10.x destination resolves via the priority-100 rule to
    # lan and is discarded on main.
    up echo 1 > /proc/sys/net/ipv4/conf/main/rp_filter || true
    # IPTABLES SETUP ON UP
    post-up /etc/network/iptables/main_up.x4 up main || true
    # RECONF LAN rules now that main exists
        post-up /etc/network/iptables/lan_up.x4 reconf main || true
        # RECONF WAN rules now that main exists
        post-up /etc/network/iptables/wan_up.x4 reconf main || true


# ALLOW SETUP WITH ifup/ifdown only when used with --allow=main
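allow-main main
# MANUAL SETUP: this stanza only carries the DOWN path for the renamed link
# (the UP path is the "iface enp3s0f0" stanza above)
iface main inet manual
    # REMOVE RULE (priority 50 = "from 10.10.254.1 lookup main")
    pre-down ip rule del from 10.10.254.1 to all lookup main priority 50 || true
    # IPTABLES SETUP ON DOWN
    pre-down /etc/network/iptables/main_up.x4 down main || true
    # REMOVE ROUTE (default route is disabled on the UP side as well)
#   pre-down ip route del default via 10.10.0.254 dev main table main || true
    # must mirror the "ip route add" in the UP stanza exactly: the previous
    # "global link" was a typo for "scope link" that made ip reject the whole
    # command, and "|| true" hid the error, so the route survived ifdown
    pre-down ip route del 10.10.0.0/16 dev main table main proto static scope link src 10.10.254.1 metric 5 || true
    # LINK DOWN (required before the rename at the end)
    pre-down ip link set main down || true
    # ADDRESS FLUSH
    down ip address flush dev main || true
    # RULE REMOVE: fallback without priority, in case the pre-down delete failed
    down ip ru del from 10.10.254.1 lookup main || true
    # FLUSH RO CACHE
    post-down ip route flush cache || true
    # REVERT ORIGINAL NAME
    post-down ip link set main name enp3s0f0 || true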

####### END enp3s0f0.cfg #####################################################################################################################################
##############################################################################################################################################################
####### START enp4s0f0.cfg ###################################################################################################################################
# enp4s0f0 - LAN interface used for routing, DNS, and DHCP
##################
# 255   local
# 254   main
# 253   default
#
# 
# 300   wan
# 220   lan
# 200   lansec
# 150   tun
# 110   d0   
# 100   devs 
# 0     unspec
###################
# IFACE     RENAMED TABLE       IPS/CIDR | METRIC           SERVICES
# lo        lo  lo|     127.0.0.1/24 127.0.1.0/24       named,mariadb,unbound[ctrl](pri,sec)  kea-ctrl-agent
# enp3s0f0  main    main|254    10.10.254.1/16|5            
# enp3s0f1  devs    devs|100    10.10.254.2/16|6            sshd
# enp4s0f0  lan     lan|220     10.10.0.254/16|3 10.10.0.243/16|4   unbound(pri/53),kea-dhcp-ddns,nbd-server,smbd,syslog-ng,cloudflared(quic|443)  unbound(sec/53),
# enp4s0f1  wan wan|300     10.11.0.11/24|10            nginx(80,443)
# d0        d0  d0|110      10.10.100.100/16            
# tun1      tun1    tun1|150    10.10.0.252/32 (left)       
#
#  [multihomed host]
#  REGARDLESS OF ADDING A DIFFERENT SCOPE LIKE link src (ipA|ipB) or dev (devA|devB), you can't add a SECOND route for the same network – you need to add a prefix !!!)
#  OR USE SEPARATE TABLES (each table may have its own GW)

# general rule: if a route does not have src specified then
#   ip with scope=host can be as backend only for a route with scope=host
#   ip with scope=link can be as backend only for a route with scope=host or scope=link
#   ip with scope=global can be as backend only for a route with any scope

# the scope of a route in Linux is an indicator of the distance to the destination network.
#   host - route has host scope when it leads to a destination address on the local host.
#   link - route has link scope when it leads to a destination address on the local network.
#   universe -  route has universe scope when it leads to addresses more than one hop away.

# The scope influences source address selection for connections/associations where the source address is not yet fixed (e.g. initiating a TCP connection, but not when reacting to an incoming packet), 
# the source address will be selected depending on the scope of the route the packet is about to hit.  This is why addresses also have a scope attribute.

# (The kernel needs to perform this check during ip route add because route gateways (nexthops) must be directly reachable on the same L2 connection 
# – they cannot be behind another gateway. That is, the gateway must be in your subnet.
# Route scopes are a generic mechanism to express this restriction: the new route's nexthop needs to be reachable through an existing route with a lower scope. 
# In other words, you must go through a local host (link scope) before you can reach a remote host (global scope).)

##########################################################################################################################################################
# enp4s0f0 - LAN interface used for routing, DNS, and DHCP
####### enp4s0f0 BEFORE RENAME lan ###############################################################################################
auto enp4s0f0
iface enp4s0f0 inet manual
############################# UP ##############################################
# UP path for the LAN link; the DOWN path is in the "iface lan" stanza below,
# because the link is renamed here.
        # CHANGE ORIGINAL enp4s0f0 NAME to lan (no "|| true": abort if it fails)
        pre-up ip link set enp4s0f0 name lan
    # lan SETUP IP PRIMARY (noprefixroute: connected routes are added by hand)
    pre-up ip address add 10.10.0.254/16 broadcast 10.10.255.255 dev lan noprefixroute || true
    # lan SETUP IP SECONDARY
    pre-up ip address add 10.10.0.253/16 broadcast 10.10.255.255 dev lan noprefixroute || true
    # lan IFACE UP
    up ip link set lan up || true
    # lan table ROUTE FOR PRIMARY IP (metric 3, preferred)
    up ip route add 10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.254 metric 3 || true
    # lan table ROUTE FOR SECONDARY IP (metric 4)
    up ip route add 10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.253 metric 4 || true
    # DEFAULT ROUTE FOR lan table
    # NOTE(review): the gateway here is this host's own primary lan address.
    # A default route whose nexthop is local presumably cannot reach anything
    # off-link, and the priority-100 rule below only sends 10.10.0.0/16
    # destinations to this table anyway, so this route looks dead. Traffic the
    # host sources from a lan address toward the internet is routed by the
    # priority-300 rule through table wan (see "ip route get 1.1.1.1 from
    # 10.10.0.254" in the question); binding to the lan *device* instead
    # (ping -I lan) forces egress on lan, which has no upstream -- which is
    # presumably why case 2 fails. Confirm before relying on this.
        up ip route add default via 10.10.0.254 dev lan table lan || true
        # ALL -> LAN RULE: any destination inside 10.10.0.0/16 uses table lan
        up ip rule add from all to 10.10.0.0/16 lookup lan priority 100 || true
    # SETUP INTERFACE: answer ARP only for lan's own addresses, strict rp_filter
    # (d0.cfg relaxes arp_ignore/arp_filter on lan while d0 is up)
    up echo 1 > /proc/sys/net/ipv4/conf/lan/arp_ignore || true
    up echo 1 > /proc/sys/net/ipv4/conf/lan/arp_filter || true
    up echo 1 > /proc/sys/net/ipv4/conf/lan/rp_filter || true
    # up echo 1 > /proc/sys/net/ipv4/conf/default/arp_ignore || true
        # SETUP IPTABLES FOR LAN
    post-up /etc/network/iptables/lan_up.x4 up lan || true
    # RECONF WAN RULES now that lan exists
        post-up /etc/network/iptables/wan_up.x4 reconf lan || true
        # RECONF MAIN RULES now that lan exists
    post-up /etc/network/iptables/main_up.x4 reconf lan || true
    # not used anymore but kept as a precaution
    post-up ip route flush cache || true

####### enp4s0f0 RENAMED lan ###############################################################################################
auto lan
iface lan inet manual
############################# DOWN ##############################################
# DOWN path for the renamed LAN link (the UP path is "iface enp4s0f0" above).
# "auto lan" is presumably here so that "ifup -a" marks the renamed link as
# configured and "ifdown lan" runs these hooks -- confirm.
        # DEL RULE  lan lookup (priority 100)
        pre-down ip rule del from all to 10.10.0.0/16 lookup lan priority 100 || true
    # DEL DEFAULT lan table ROUTE (mirrors the add in the UP stanza)
        pre-down ip route del default via 10.10.0.254 dev lan table lan  || true
        # REMOVE lan ROUTES, secondary first, then primary
        pre-down ip route del 10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.253 metric 4 || true
        pre-down ip route del 10.10.0.0/16 dev lan table lan proto static scope link src 10.10.0.254 metric 3 || true
    # lan LINK DOWN (required before the rename below)
    down ip link set lan down || true
    # lan ADDR FLUSH
    post-down ip address flush dev lan || true
    # lan REVERT TO ORIGINAL NAME enp4s0f0
    # (no "|| true" here, unlike the wan counterpart: a failed rename fails ifdown)
        post-down ip link set lan name enp4s0f0

####### END enp4s0f0.cfg #####################################################################################################################################
##############################################################################################################################################################
####### START enp4s0f1.cfg ###################################################################################################################################
####### enp4s0f1 BEFORE RENAME wan ###############################################################################################
auto enp4s0f1
iface enp4s0f1 inet manual
# UP path for the WAN link; the DOWN path is in the "iface wan" stanza below.
    # RENAME TO WAN (no "|| true": abort ifup if the rename fails)
    pre-up ip link set enp4s0f1 name wan
    # SETUP WAN IP (noprefixroute: the connected route is added by hand below)
    pre-up ip address add 10.11.0.11/24 broadcast 10.11.0.255 dev wan  noprefixroute || true
    # UP WAN IF
    pre-up ip link set dev wan up || true
    # ROUTE WAN NET VIA WAN LINK  USING TABLE WAN
    up ip route add 10.11.0.0/24 dev wan table wan proto static scope link src 10.11.0.11 metric 10 || true
    # DEFAULT WAN ROUTE NEXT HOP (the upstream router)
    up ip route add default via 10.11.0.254 table wan dev wan || true
    # RULE FROM WAN NET (priority 200)
    up ip rule add from 10.11.0.11/24 lookup wan priority 200 || true
    # TO WWW: catch-all at priority 300, every lookup not matched earlier ends
    # in table wan. The "ip rule" listing in the question shows no 32766
    # "lookup main" rule after it, so there is no fallback beyond this one.
    up ip rule add to 0.0.0.0/0 lookup wan priority 300 || true
    # CONF IFACE: strict rp_filter on the untrusted side, answer ARP only for
    # wan's own addresses
        up echo 1 > /proc/sys/net/ipv4/conf/wan/rp_filter || true
    up echo 1 > /proc/sys/net/ipv4/conf/wan/arp_filter || true
    up echo 1 > /proc/sys/net/ipv4/conf/wan/arp_ignore || true
    # iptables restore for wan
    post-up /etc/network/iptables/wan_up.x4 up wan || true
    # REINIT LAN/MAIN rules now that wan exists
        post-up /etc/network/iptables/lan_up.x4 reconf wan || true
        post-up /etc/network/iptables/main_up.x4 reconf wan || true
    # enable forwarding (global sysctl, enabled only after the rules above are
    # in place; the filter FORWARD policy is DROP, so this alone opens nothing)
    post-up echo 1 >  /proc/sys/net/ipv4/ip_forward || true
    # flush cache routes
    post-up ip route flush cache || true

############################################
# REVERT ORIGINAL NAME FROM wan TO enp4s0f1
auto wan
iface wan inet manual
######################### DOWN ############################################
# DOWN path for the renamed WAN link (the UP path is "iface enp4s0f1" above).
        # DISABLE FORWARDING: global sysctl, so this also stops lan<->main
        # forwarding while wan is down
        pre-down echo 0 > /proc/sys/net/ipv4/ip_forward || true
        # REMOVE RULE TO WWW (priority 300 catch-all)
        pre-down ip rule del to 0.0.0.0/0 lookup wan priority 300 || true
        # RULE FROM WAN NET (priority 200)
        pre-down ip rule del from 10.11.0.11/24 lookup wan priority 200 || true
        # REMOVE DEFAULT WAN ROUTE from table wan
        pre-down ip route del default via 10.11.0.254 table wan dev wan || true
    # DELETE WAN NET ROUTE (mirrors the add in the UP stanza)
        pre-down ip route del 10.11.0.0/24 dev wan table wan proto static scope link src 10.11.0.11 metric 10 || true
    # SET WAN LINK DOWN (required before the rename below)
    down ip link set dev wan down || true
    # FLUSH WAN IFACE ADDRESS
    post-down ip address flush dev wan || true
    # REVERT wan TO ORIGINAL NAME enp4s0f1
    post-down ip link set wan name enp4s0f1 || true


####### END enp4s0f1.cfg  ###################################################################################################################################
#############################################################################################################################################################
####### START lo.cfg  #######################################################################################################################################
####### lo ###############################################################################################
# /8 ensures comm between lo ips ? or /32 is enough ?
 
auto lo
iface lo inet loopback
    # second loopback address for the services listed in the table above.
    # The local table already carries "local 127.0.0.0/8 dev lo" (see the
    # "ip route" listing in the question), so presumably a /32 would be
    # enough for binding -- verify before changing the prefix.
    up /usr/bin/ip addr add 127.0.1.0/8 dev lo || true
        up /sbin/sysctl -w net.ipv6.conf.lo.disable_ipv6=1 || true
        # ARP/redirect hardening on lo (harmless; lo neither ARPs nor redirects)
        post-up /sbin/sysctl -w net.ipv4.conf.lo.arp_filter=1 || true
        post-up /sbin/sysctl -w net.ipv4.conf.lo.arp_ignore=1 || true
        post-up /sbin/sysctl -w net.ipv4.conf.lo.accept_redirects=0 || true
        post-up /sbin/sysctl -w net.ipv4.conf.lo.send_redirects=0 || true
        post-up /sbin/sysctl -w net.ipv4.conf.lo.arp_announce=1 || true
    # "dele" is an accepted abbreviation of "delete"
    down /usr/bin/ip addr dele 127.0.1.0/8 dev lo || true
    # takes lo itself down on ifdown (not only the extra address)
    down /usr/bin/ip l set dev lo down || true

####### END lo.cfg  #########################################################################################################################################

/etc/network/interfaces

# ORDER MATTERS FIRST UP FIRST: ifup -a processes the sourced files in this
# order, and the post-up "reconf" hooks in each file assume the earlier ones.
# (the glob below is disabled on purpose, it would sort alphabetically)
#source /etc/network/interfaces.d/*.cfg
# LO FIRST
source /etc/network/interfaces.d/lo.cfg
# MAIN (enp3s0f0, renamed to main; only with --allow=main)
source /etc/network/interfaces.d/enp3s0f0.cfg
# LAN NEXT (enp4s0f0, renamed to lan)
source /etc/network/interfaces.d/enp4s0f0.cfg
# D0 using LAN -- currently disabled, see the question
#source /etc/network/interfaces.d/d0.cfg
# WAN (enp4s0f1, renamed to wan; enables ip_forward last)
source /etc/network/interfaces.d/enp4s0f1.cfg
# TUN (no place left....)