diff --git a/image-extras/common/root/autoprovision-stage2.sh b/image-extras/common/root/autoprovision-stage2.sh
index c127e07..c51f54a 100755
--- a/image-extras/common/root/autoprovision-stage2.sh
+++ b/image-extras/common/root/autoprovision-stage2.sh
@@ -4,6 +4,134 @@
 
 . /root/autoprovision-functions.sh
 
+check_repo() 
+{
+    printf "\033[32;1mChecking OpenWrt repo availability...\033[0m\n"
+    opkg update | grep -q "Failed to download" && printf "\033[32;1mopkg failed. Check internet or date. Command for force ntp sync: ntpd -p ptbtime1.ptb.de\033[0m\n" && exit 1
+}
+
+route_vpn() 
+{
+cat << EOF > /etc/hotplug.d/iface/30-rknroute
+#!/bin/sh
+
+ip route add table vpn default dev wg0
+EOF
+}
+
+add_mark() 
+{
+    grep -q "99 vpn" /etc/iproute2/rt_tables || echo '99 vpn' >> /etc/iproute2/rt_tables
+    
+    if ! uci show network | grep -q mark0x1; then
+        printf "\033[32;1mConfigure mark rule\033[0m\n"
+        uci add network rule
+        uci set network.@rule[-1].name='mark0x1'
+        uci set network.@rule[-1].mark='0x1'
+        uci set network.@rule[-1].priority='100'
+        uci set network.@rule[-1].lookup='vpn'
+        uci commit
+    fi
+}
+
+dnsmasqfull() 
+{
+		if opkg list-installed | grep -q dnsmasq-full; then
+		        printf "\033[32;1mdnsmasq-full already installed\033[0m\n"
+		else
+		        printf "\033[32;1mInstalled dnsmasq-full\033[0m\n"
+		cd /tmp/ && opkg download dnsmasq-full
+		opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/
+		[ -f /etc/config/dhcp-opkg ] && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
+                /etc/init.d/dnsmasq restart
+		fi
+}
+
+dnscrypt2() 
+{
+        if opkg list-installed | grep -q dnscrypt-proxy2; then
+            printf "\033[32;1mDNSCrypt2 already installed\033[0m\n"
+        else
+            printf "\033[32;1mInstalled dnscrypt-proxy2\033[0m\n"
+            opkg install dnscrypt-proxy2
+        if grep -q "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml; then
+            sed -i "s/^# server_names =.*/server_names = [\'google\', \'cloudflare\', \'scaleway-fr\', \'yandex\']/g" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
+        fi
+
+        printf "\033[32;1mDNSCrypt restart\033[0m\n"
+            service dnscrypt-proxy restart
+        printf "\033[32;1mDNSCrypt needs to load the relays list. Please wait\033[0m\n"
+            sleep 30
+
+        if [ -f /etc/dnscrypt-proxy2/relays.md ]; then
+                uci set dhcp.@dnsmasq[0].noresolv="1"
+                uci -q delete dhcp.@dnsmasq[0].server
+                uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53"
+                uci add_list dhcp.@dnsmasq[0].server='/use-application-dns.net/'
+                uci commit dhcp
+                
+                printf "\033[32;1mDnsmasq restart\033[0m\n"
+
+                /etc/init.d/dnsmasq restart
+        else
+                printf "\033[31;1mDNSCrypt not download list on /etc/dnscrypt-proxy2. Repeat install DNSCrypt by script.\033[0m\n"
+        fi
+    fi
+}
+
+
+add_getdomains() 
+{
+   COUNTRY=russia_inside
+   EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/inside-dnsmasq-nfset.lst
+   if [ "$COUNTRY" != '0' ]; then
+        printf "\033[32;1mCreate script /etc/init.d/getdomains\033[0m\n"
+
+cat << EOF > /etc/init.d/getdomains
+#!/bin/sh /etc/rc.common
+
+START=99
+
+start () {
+    $EOF_DOMAINS
+EOF
+cat << 'EOF' >> /etc/init.d/getdomains
+    count=0
+    while true; do
+        if curl -m 3 github.com; then
+            curl -f $DOMAINS --output /tmp/dnsmasq.d/domains.lst
+            break
+        else
+            echo "GitHub is not available. Check the internet availability [$count]"
+            count=$((count+1))
+        fi
+    done
+
+    if dnsmasq --conf-file=/tmp/dnsmasq.d/domains.lst --test 2>&1 | grep -q "syntax check OK"; then
+        /etc/init.d/dnsmasq restart
+    fi
+}
+EOF
+
+        chmod +x /etc/init.d/getdomains
+        /etc/init.d/getdomains enable
+
+        if crontab -l | grep -q /etc/init.d/getdomains; then
+            printf "\033[32;1mCrontab already configured\033[0m\n"
+
+        else
+            crontab -l | { cat; echo "0 */8 * * * /etc/init.d/getdomains start"; } | crontab -
+            printf "\033[32;1mIgnore this error. This is normal for a new installation\033[0m\n"
+            /etc/init.d/cron restart
+        fi
+
+        printf "\033[32;1mStart script\033[0m\n"
+
+        /etc/init.d/getdomains start
+    fi
+}
+
+
 installPackages()
 {
     signalAutoprovisionWaitingForUser
@@ -20,37 +148,10 @@ installPackages()
 
     log "Autoprovisioning stage2 is about to install packages"
 
-    # switch ssh from dropbear to openssh (needed to install sshtunnel)
-    #opkg remove dropbear
-    #opkg install openssh-server openssh-sftp-server sshtunnel
-
-    #/etc/init.d/sshd enable
-    #mkdir /root/.ssh
-    #chmod 0700 /root/.ssh
-    #mv /etc/dropbear/authorized_keys /root/.ssh/
-    #rm -rf /etc/dropbear
-
     # CUSTOMIZE
     # install some more packages that don't need any extra steps
     #opkg install lua luci ppp-mod-pppoe screen mc unzip logrotate
-	opkg install logrotate curl sing-box dnscrypt-proxy2
-
-	dnsmasqfull() {
-		if opkg list-installed | grep -q dnsmasq-full; then
-		        printf "\033[32;1mdnsmasq-full already installed\033[0m\n"
-		else
-		        printf "\033[32;1mInstalled dnsmasq-full\033[0m\n"
-		cd /tmp/ && opkg download dnsmasq-full
-		opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/
-		[ -f /etc/config/dhcp-opkg ] && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
-		fi
-	}
-
-    # this is needed for the vlans on tp-link 3020 with only a single hw ethernet port
-    #opkg install kmod-macvlan ip
-
-    # just in case if we were run in a firmware that didn't already have luci
-    #/etc/init.d/uhttpd enable
+    opkg install logrotate curl
 }
 
 autoprovisionStage2()
@@ -74,7 +175,6 @@ autoprovisionStage2()
         # available default password anywhere, therefore the random here...
         #setRootPassword "AsD7fg"
 
-        installPackages
 
         crontab - <<EOF
 # */10 * * * * /root/autoprovision-stage3.py
@@ -96,4 +196,15 @@ EOF
     fi
 }
 
+installPackages
+check_repo
+route_vpn
+add_mark
+dnsmasqfull
+dnscrypt2
+add_getdomains
 autoprovisionStage2
+
+printf "\033[32;1mRestart network\033[0m\n"
+/etc/init.d/network restart
+
diff --git a/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults b/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults
index b54cfb0..eca2dc8 100644
--- a/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults
+++ b/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults
@@ -70,6 +70,8 @@ uci commit uhttpd
  
 # DHCP server on/off
 uci set dhcp.lan.ignore="$dhcpsrv"
+uci set dhcp.lan.start='50'
+uci set dhcp.lan.limit='100'
 uci add host
 uci set dhcp.@host[-1].name='jeka-office'
 uci set dhcp.@host[-1].mac='4c:cc:6a:01:5d:30'
@@ -98,7 +100,467 @@ uci commit dhcp
 /etc/init.d/dnsmasq restart
 
 # Configure network
+# VPN LAN BAUMANA
+uci set network.vpn0=interface
+uci set network.vpn0.proto='wireguard'
+uci set network.vpn0.private_key='gFr1rme9kPAo6qJ4ss9wT8GYlwqIaPP0Tk+Y0VT8smo='
+uci set network.vpn0.listen_port='23555'
+uci add network wireguard_vpn0
+uci set network.@wireguard_vpn0[0].description='Site Baumana Home'
+uci set network.@wireguard_vpn0[0].public_key='ZNRTOIidJnKA34g1pDHVi0F1q2n7goNcJjDfGrTUnTM='
+uci set network.@wireguard_vpn0[0].preshared_key='qBhqDIizi2rR8DduM+LPedXcuTm02XQWSmtJ3s3r+NA='
+uci set network.@wireguard_vpn0[0].allowed_ips='192.168.75.0/24' '192.168.3.0/24'
+uci set network.@wireguard_vpn0[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn0[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn0[0].endpoint_host='wg.npau.ru'
+uci set network.@wireguard_vpn0[0].endpoint_port='23555'
+# VPN LAN ARAMIL
+uci set network.vpn1=interface
+uci set network.vpn1.proto='wireguard'
+uci set network.vpn1.private_key='uGb0lzBp6xeG3QW9YX1JOe47o9j8oY3fqtRdbH4gz3c='
+uci set network.vpn1.listen_port='23556'
+uci add network wireguard_vpn1
+uci set network.@wireguard_vpn1[0].description='Site Aramil Office'
+uci set network.@wireguard_vpn1[0].public_key='UrNRptLKi9GEKY/NgViIzK9F63oDNsMjuUgqQApQCQE='
+uci set network.@wireguard_vpn1[0].preshared_key='GdSszP+e86Vhs+/GD7uHpsLCnBCpyBZwMmOlxbS6OOg='
+uci set network.@wireguard_vpn1[0].allowed_ips='192.168.47.0/24'
+uci set network.@wireguard_vpn1[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn1[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn1[0].endpoint_host='aramil.npau.ru'
+uci set network.@wireguard_vpn1[0].endpoint_port='23556'
+# VPN LAN OLGA
+uci set network.vpn2=interface
+uci set network.vpn2.proto='wireguard'
+uci set network.vpn2.private_key='2IOKg/anbXm5yV7CteOAL02Ae6ewVIZu1E/+V/nM2lo='
+uci set network.vpn2.listen_port='23559'
+uci add network wireguard_vpn2
+uci set network.@wireguard_vpn2[0].description='Site Olga Office'
+uci set network.@wireguard_vpn2[0].public_key='SWZxuUR4tFoHbS/0jQm670X4Ex8TDyHRiW8u2D8QMHw='
+uci set network.@wireguard_vpn2[0].preshared_key='aUBTNiL5mBjMa2WXxSjdAUHkDr3laEv5py8tavNjndI='
+uci set network.@wireguard_vpn2[0].allowed_ips='192.168.97.0/24'
+uci set network.@wireguard_vpn2[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn2[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn2[0].endpoint_host='olga.npau.ru'
+uci set network.@wireguard_vpn2[0].endpoint_port='23559'
+# VPN LAN PIVKO
+uci set network.vpn3=interface
+uci set network.vpn3.proto='wireguard'
+uci set network.vpn3.private_key='iJl+I4d7lako5lJuwbm3jDeuStT4SAA4AE11tStVQVc='
+uci set network.vpn3.listen_port='23560'
+uci add network wireguard_vpn3
+uci set network.@wireguard_vpn3[0].description='Site Pivko'
+uci set network.@wireguard_vpn3[0].public_key='Fa1MCMOZ5V55ApFY6OGcmg3YnWwScYH4QKpbQ9jDhzM='
+uci set network.@wireguard_vpn3[0].preshared_key='tPDt9HWswEEGyW0qjTwD7h5GMqDhitNAGojiMt2rxNI='
+uci set network.@wireguard_vpn3[0].allowed_ips='192.168.76.0/24'
+uci set network.@wireguard_vpn3[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn3[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn3[0].endpoint_host='pivko.npau.ru'
+uci set network.@wireguard_vpn3[0].endpoint_port='23560'
+# VPN OFFICE REMOTE USERS
+uci set network.wg777=interface
+uci set network.wg777.proto='wireguard'
+uci set network.wg777.private_key='QCOLeGs/F2dBSCzW677Tb7b0H2vuEkZXFsSDl6ZSoGI='
+uci set network.wg777.listen_port='27027'
+uci set network.wg777.addresses='10.14.0.1/24'
+uci add network wireguard_wg777
+uci set network.@wireguard_wg777[0].description='julia'
+uci set network.@wireguard_wg777[0].route_allowed_ips='1'
+uci set network.@wireguard_wg777[0].persistent_keepalive='25'
+uci set network.@wireguard_wg777[0].public_key='tZvwcrN/wsxq8kTWKWnueoF0LFcSg6jppbtWWnObJzo='
+uci set network.@wireguard_wg777[0].allowed_ips='10.14.0.2/32'
+uci set network.@wireguard_wg777[1]=wireguard_wg777
+uci set network.@wireguard_wg777[1].description='julia-andorid'
+uci set network.@wireguard_wg777[1].route_allowed_ips='1'
+uci set network.@wireguard_wg777[1].persistent_keepalive='25'
+uci set network.@wireguard_wg777[1].public_key='wGgvktRg+mokhs3WQu5ou0IfLp11cWRQDq/0beEQHWE='
+uci set network.@wireguard_wg777[1].allowed_ips='10.14.0.21/32'
+uci set network.@wireguard_wg777[2]=wireguard_wg777
+uci set network.@wireguard_wg777[2].description='ksusha'
+uci set network.@wireguard_wg777[2].route_allowed_ips='1'
+uci set network.@wireguard_wg777[2].persistent_keepalive='25'
+uci set network.@wireguard_wg777[2].public_key='UUpi9cY9oETIlOYtKF4HI4+peLqrBjMmIMlH8yf0NR4='
+uci set network.@wireguard_wg777[2].allowed_ips='10.14.0.3/32'
+uci set network.@wireguard_wg777[3]=wireguard_wg777
+uci set network.@wireguard_wg777[3].description='ksusha-android'
+uci set network.@wireguard_wg777[3].route_allowed_ips='1'
+uci set network.@wireguard_wg777[3].persistent_keepalive='25'
+uci set network.@wireguard_wg777[3].public_key='W0ZPGHV+jybC6Kzr279+/L+2TVjCVm8v7tHZFE6vbX4='
+uci set network.@wireguard_wg777[3].allowed_ips='10.14.0.22/32'
+uci set network.@wireguard_wg777[4]=wireguard_wg777
+uci set network.@wireguard_wg777[4].description='dan'
+uci set network.@wireguard_wg777[4].route_allowed_ips='1'
+uci set network.@wireguard_wg777[4].persistent_keepalive='25'
+uci set network.@wireguard_wg777[4].public_key='0prJyJ5Up0hXuKorhMJakvOQK/583+w1yJTxvoz+GH0='
+uci set network.@wireguard_wg777[4].allowed_ips='10.14.0.4/32'
+uci set network.@wireguard_wg777[5]=wireguard_wg777
+uci set network.@wireguard_wg777[5].description='dan-android'
+uci set network.@wireguard_wg777[5].route_allowed_ips='1'
+uci set network.@wireguard_wg777[5].persistent_keepalive='25'
+uci set network.@wireguard_wg777[5].public_key='VGPLY5IB/Ml35UJwhAOdT54hH+obEXGfaDZvi1QMwkQ='
+uci set network.@wireguard_wg777[5].allowed_ips='10.14.0.23/32'
+uci set network.@wireguard_wg777[6]=wireguard_wg777
+uci set network.@wireguard_wg777[6].description='lev'
+uci set network.@wireguard_wg777[6].route_allowed_ips='1'
+uci set network.@wireguard_wg777[6].persistent_keepalive='25'
+uci set network.@wireguard_wg777[6].public_key='D2FU7Za9VLcHvh6gp+vqViSYsiZY4BOjleVzBm2gx0E='
+uci set network.@wireguard_wg777[6].allowed_ips='10.14.0.5/32'
+uci set network.@wireguard_wg777[7]=wireguard_wg777
+uci set network.@wireguard_wg777[7].description='lev-android'
+uci set network.@wireguard_wg777[7].route_allowed_ips='1'
+uci set network.@wireguard_wg777[7].persistent_keepalive='25'
+uci set network.@wireguard_wg777[7].public_key='LS2C/943tsBS0SdtU4aRCYJAFOfCW93hsNF+9WdwZSc='
+uci set network.@wireguard_wg777[7].allowed_ips='10.14.0.27/32'
+uci set network.@wireguard_wg777[8]=wireguard_wg777
+uci set network.@wireguard_wg777[8].description='natasha'
+uci set network.@wireguard_wg777[8].route_allowed_ips='1'
+uci set network.@wireguard_wg777[8].persistent_keepalive='25'
+uci set network.@wireguard_wg777[8].public_key='BAPSq8QDxVSRsB3jFDFlWygh3dXoWeBF0WkV6W7ljEk='
+uci set network.@wireguard_wg777[8].allowed_ips='10.14.0.6/32'
+uci set network.@wireguard_wg777[9]=wireguard_wg777
+uci set network.@wireguard_wg777[9].description='natasha-android'
+uci set network.@wireguard_wg777[9].route_allowed_ips='1'
+uci set network.@wireguard_wg777[9].persistent_keepalive='25'
+uci set network.@wireguard_wg777[9].public_key='CFH22K5ji7bDuhON2ELxVhn41bvJjy6aZC1nILNZeAg='
+uci set network.@wireguard_wg777[9].allowed_ips='10.14.0.24/32'
+uci set network.@wireguard_wg777[10]=wireguard_wg777
+uci set network.@wireguard_wg777[10].description='sia'
+uci set network.@wireguard_wg777[10].route_allowed_ips='1'
+uci set network.@wireguard_wg777[10].persistent_keepalive='25'
+uci set network.@wireguard_wg777[10].public_key='H4xEoK4mqf01i/8AAgkYbLAc0px7K/zoFk8gpkbqX3Q='
+uci set network.@wireguard_wg777[10].allowed_ips='10.14.0.7/32'
+uci set network.@wireguard_wg777[11]=wireguard_wg777
+uci set network.@wireguard_wg777[11].description='tonya'
+uci set network.@wireguard_wg777[11].route_allowed_ips='1'
+uci set network.@wireguard_wg777[11].persistent_keepalive='25'
+uci set network.@wireguard_wg777[11].public_key='5qgq0gGJ4xBcVLA3qU4oi7YmQMkdix62Br5NXvO0xGc='
+uci set network.@wireguard_wg777[11].allowed_ips='10.14.0.8/32'
+uci set network.@wireguard_wg777[12]=wireguard_wg777
+uci set network.@wireguard_wg777[12].description='lva-android'
+uci set network.@wireguard_wg777[12].route_allowed_ips='1'
+uci set network.@wireguard_wg777[12].persistent_keepalive='25'
+uci set network.@wireguard_wg777[12].public_key='heWrgu7oPmpYIqT0WbziNZ0tZUFTOp7rPCz7Su8yM3g='
+uci set network.@wireguard_wg777[12].allowed_ips='10.14.0.25/32'
+# VPN ANTIZAPRET
+uci set network.wg0=interface
+uci set network.wg0.proto='wireguard'
+uci set network.wg0.listen_port='51820'
+uci set network.wg0.private_key='WFmfbE7X7MJ/769Ifd9ENEgkyzuWJItKErOht4X3iG8='
+uci set network.wg0.addresses='192.168.100.2/24'
+uci add network wireguard_wg0
+uci set network.@wireguard_wg0[0].name='wg0_client'
+uci set network.@wireguard_wg0[0].route_allowed_ips='0'
+uci set network.@wireguard_wg0[0].persistent_keepalive='25'
+uci set network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
+uci set network.@wireguard_wg0[0].endpoint_host='88.210.11.80'
+uci set network.@wireguard_wg0[0].endpoint_port='51820'
+uci set network.@wireguard_wg0[0].public_key='E/3AhjY3/nteAEy7uPR72kKbXwyJL3ANEhsEoMHP43o='
+uci set network.@wireguard_wg0[0].preshared_key='tI8KGVUFcPRn0h9BPXlr8gccVJqsxAsXgZPTWHsnUDI='
+uci commit network
 /etc/init.d/network restart
 
 # Configure firewall
+uci set firewall.@defaults[0].drop_invalid='1'
+uci set firewall.@defaults[0].synflood_protect='1'
+# ADD ZONES
+uci add firewall zone
+uci set firewall.@zone[2].name='vpn0'
+uci set firewall.@zone[2].input='ACCEPT'
+uci set firewall.@zone[2].forward='ACCEPT'
+uci set firewall.@zone[2].device='vpn0'
+uci set firewall.@zone[2].output='ACCEPT'
+uci set firewall.@zone[2].network='vpn0'
+uci add firewall zone
+uci set firewall.@zone[3].name='vpn1'
+uci set firewall.@zone[3].input='ACCEPT'
+uci set firewall.@zone[3].forward='ACCEPT'
+uci set firewall.@zone[3].device='vpn1'
+uci set firewall.@zone[3].output='ACCEPT'
+uci set firewall.@zone[3].network='vpn1'
+uci add firewall zone
+uci set firewall.@zone[4].name='vpn2'
+uci set firewall.@zone[4].input='ACCEPT'
+uci set firewall.@zone[4].forward='ACCEPT'
+uci set firewall.@zone[4].device='vpn2'
+uci set firewall.@zone[4].output='ACCEPT'
+uci set firewall.@zone[4].network='vpn2'
+uci add firewall zone
+uci set firewall.@zone[5].name='vpn3'
+uci set firewall.@zone[5].input='ACCEPT'
+uci set firewall.@zone[5].forward='ACCEPT'
+uci set firewall.@zone[5].device='vpn3'
+uci set firewall.@zone[5].output='ACCEPT'
+uci set firewall.@zone[5].network='vpn3'
+uci add firewall zone
+uci set firewall.@zone[6].name='wg777'
+uci set firewall.@zone[6].input='ACCEPT'
+uci set firewall.@zone[6].forward='ACCEPT'
+uci set firewall.@zone[6].output='ACCEPT'
+uci set firewall.@zone[6].network='wg777'
+uci add firewall zone
+uci set firewall.@zone[7].name='wg'
+uci set firewall.@zone[7].family='ipv4'
+uci set firewall.@zone[7].masq='1'
+uci set firewall.@zone[7].output='ACCEPT'
+uci set firewall.@zone[7].forward='REJECT'
+uci set firewall.@zone[7].input='REJECT'
+uci set firewall.@zone[7].mtu_fix='1'
+uci set firewall.@zone[7].network='wg0'
+
+# ADD RULES
+uci add firewall rule
+uci set firewall.@rule[10].target='ACCEPT'
+uci set firewall.@rule[10].src='wan'
+uci set firewall.@rule[10].proto='tcp udp'
+uci set firewall.@rule[10].dest_port='5001'
+uci set firewall.@rule[10].name='iperf '
+uci add firewall rule
+uci set firewall.@rule[11].target='ACCEPT'
+uci set firewall.@rule[11].proto='udp'
+uci set firewall.@rule[11].dest_port='23555'
+uci set firewall.@rule[11].name='Allow-Baumana-Elmash-Inbound'
+uci set firewall.@rule[11].src='wan'
+uci add firewall rule 
+uci set firewall.@rule[12].target='ACCEPT'
+uci set firewall.@rule[12].proto='udp'
+uci set firewall.@rule[12].dest_port='23556'
+uci set firewall.@rule[12].name='Allow-Elmash-Aramil-Inbound'
+uci set firewall.@rule[12].src='wan'
+uci add firewall rule
+uci set firewall.@rule[13].target='ACCEPT'
+uci set firewall.@rule[13].proto='udp'
+uci set firewall.@rule[13].dest_port='23559'
+uci set firewall.@rule[13].name='Allow-Elmash-Olga-Inbound'
+uci set firewall.@rule[13].src='wan'
+uci add firewall rule
+uci set firewall.@rule[14].target='ACCEPT'
+uci set firewall.@rule[14].proto='udp'
+uci set firewall.@rule[14].dest_port='51820'
+uci set firewall.@rule[14].name='Allow-Wireguard-Hetzner'
+uci set firewall.@rule[14].src='wan'
+uci add firewall rule 
+uci set firewall.@rule[15].target='ACCEPT'
+uci set firewall.@rule[15].proto='udp'
+uci set firewall.@rule[15].dest_port='26261'
+uci set firewall.@rule[15].name='Allow-Wireguard-VPS'
+uci set firewall.@rule[15].src='wan'
+uci add firewall rule
+uci set firewall.@rule[16].target='ACCEPT'
+uci set firewall.@rule[16].proto='udp'
+uci set firewall.@rule[16].dest_port='23560'
+uci set firewall.@rule[16].name='Allow-Elmash-Pivko-Inbound'
+uci set firewall.@rule[16].src='wan'
+uci add firewall rule 
+uci set firewall.@rule[17].target='ACCEPT'
+uci set firewall.@rule[17].proto='udp'
+uci set firewall.@rule[17].dest_port='27027'
+uci set firewall.@rule[17].src='wan'
+uci set firewall.@rule[17].name='Allow-Remote-Jurists-Inbound'
+
+#ADD IPSET
+uci add firewall ipset
+uci set firewall.@ipset[-1].name='vpn_domains'
+uci set firewall.@ipset[-1].match='dst_net'
+
+#ADD MARK
+uci add firewall rule
+uci set firewall.@rule[-1]=rule
+uci set firewall.@rule[-1].name='mark_domains'
+uci set firewall.@rule[-1].src='lan'
+uci set firewall.@rule[-1].dest='*'
+uci set firewall.@rule[-1].proto='all'
+uci set firewall.@rule[-1].ipset='vpn_domains'
+uci set firewall.@rule[-1].set_mark='0x1'
+uci set firewall.@rule[-1].target='MARK'
+uci set firewall.@rule[-1].family='ipv4'
+
+# ADD REDIRECT
+uci add firewall redirect
+uci set firewall.@redirect[0].target='DNAT'
+uci set firewall.@redirect[0].src='wan'
+uci set firewall.@redirect[0].dest='lan'
+uci set firewall.@redirect[0].proto='tcp'
+uci set firewall.@redirect[0].src_dport='5222'
+uci set firewall.@redirect[0].dest_port='5222'
+uci set firewall.@redirect[0].name='jabber1'
+uci set firewall.@redirect[0].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[1].target='DNAT'
+uci set firewall.@redirect[1].src='wan'
+uci set firewall.@redirect[1].dest='lan'
+uci set firewall.@redirect[1].proto='tcp'
+uci set firewall.@redirect[1].src_dport='5223'
+uci set firewall.@redirect[1].dest_port='5223'
+uci set firewall.@redirect[1].name='jabber2'
+uci set firewall.@redirect[1].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[2].target='DNAT'
+uci set firewall.@redirect[2].src='wan'
+uci set firewall.@redirect[2].dest='lan'
+uci set firewall.@redirect[2].proto='tcp'
+uci set firewall.@redirect[2].src_dport='5269'
+uci set firewall.@redirect[2].dest_port='5269'
+uci set firewall.@redirect[2].name='jabber3'
+uci set firewall.@redirect[2].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[3].target='DNAT'
+uci set firewall.@redirect[3].src='wan'
+uci set firewall.@redirect[3].dest='lan'
+uci set firewall.@redirect[3].proto='tcp'
+uci set firewall.@redirect[3].src_dport='5280'
+uci set firewall.@redirect[3].dest_port='5280'
+uci set firewall.@redirect[3].name='jabber4'
+uci set firewall.@redirect[3].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[4].target='DNAT'
+uci set firewall.@redirect[4].src='wan'
+uci set firewall.@redirect[4].dest='lan'
+uci set firewall.@redirect[4].proto='tcp'
+uci set firewall.@redirect[4].src_dport='5443'
+uci set firewall.@redirect[4].dest_port='5443'
+uci set firewall.@redirect[4].name='jabber5'
+uci set firewall.@redirect[4].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[5].target='DNAT'
+uci set firewall.@redirect[5].src='wan'
+uci set firewall.@redirect[5].dest='lan'
+uci set firewall.@redirect[5].proto='udp'
+uci set firewall.@redirect[5].dest_ip='192.168.77.3'
+uci set firewall.@redirect[5].name='rtp'
+uci set firewall.@redirect[5].src_dport='10000-20000'
+uci set firewall.@redirect[5].dest_port='10000-20000'
+uci add firewall redirect
+uci set firewall.@redirect[6].dest='lan'
+uci set firewall.@redirect[6].target='DNAT'
+uci set firewall.@redirect[6].name='stunt'
+uci set firewall.@redirect[6].src='wan'
+uci set firewall.@redirect[6].src_dport='3478'
+uci set firewall.@redirect[6].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[7].dest='lan'
+uci set firewall.@redirect[7].target='DNAT'
+uci set firewall.@redirect[7].name='stunts'
+uci set firewall.@redirect[7].proto='tcp'
+uci set firewall.@redirect[7].src='wan'
+uci set firewall.@redirect[7].src_dport='5349'
+uci set  firewall.@redirect[7].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[8].dest='lan'
+uci set firewall.@redirect[8].target='DNAT'
+uci set firewall.@redirect[8].name='turn'
+uci set firewall.@redirect[8].src='wan'
+uci set firewall.@redirect[8].src_dport='3478'
+uci set firewall.@redirect[8].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[9].dest='lan'
+uci set firewall.@redirect[9].target='DNAT'
+uci set firewall.@redirect[9].name='turns'
+uci set firewall.@redirect[9].proto='tcp'
+uci set firewall.@redirect[9].src='wan'
+uci set firewall.@redirect[9].src_dport='5349'
+uci set firewall.@redirect[9].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[10].dest='lan'
+uci set firewall.@redirect[10].target='DNAT'
+uci set firewall.@redirect[10].name='ejabb-stunt'
+uci set firewall.@redirect[10].src='wan'
+uci set firewall.@redirect[10].src_dport='49152-65535'
+uci set firewall.@redirect[10].dest_ip='192.168.77.2'
+uci add firewall redirect
+uci set firewall.@redirect[11].dest='lan'
+uci set firewall.@redirect[11].target='DNAT'
+uci set firewall.@redirect[11].src='wan'
+uci set firewall.@redirect[11].src_dport='80'
+uci set firewall.@redirect[11].dest_ip='192.168.77.2'
+uci set firewall.@redirect[11].dest_port='5280'
+uci set firewall.@redirect[11].name='acme_ejabberd_http'
+uci set firewall.@redirect[11].enabled='0'
+uci add firewall redirect
+uci set firewall.@redirect[12].dest='lan'
+uci set firewall.@redirect[12].target='DNAT'
+uci set firewall.@redirect[12].proto='udp'
+uci set firewall.@redirect[12].src='wan'
+uci set firewall.@redirect[12].src_dport='49152-65535'
+uci set firewall.@redirect[12].dest_ip='192.168.77.2'
+uci set firewall.@redirect[12].dest_port='49152-65535'
+uci set firewall.@redirect[12].name='stun_udp_RANGE'
+uci add firewall redirect
+uci set firewall.@redirect[13].dest='lan'
+uci set firewall.@redirect[13].target='DNAT'
+uci set firewall.@redirect[13].name='stun_tcp_RANGE'
+uci set firewall.@redirect[13].proto='tcp'
+uci set firewall.@redirect[13].src='wan'
+uci set firewall.@redirect[13].src_dport='49152-65535'
+uci set firewall.@redirect[13].dest_ip='192.168.77.2'
+uci set firewall.@redirect[13].dest_port='49152-65535'
+uci add firewall redirect
+uci set firewall.@redirect[14].dest='lan'
+uci set firewall.@redirect[14].target='DNAT'
+uci set firewall.@redirect[14].name='NPM-80'
+uci set firewall.@redirect[14].src='wan'
+uci set firewall.@redirect[14].src_dport='80'
+uci set firewall.@redirect[14].dest_ip='192.168.77.191'
+uci set firewall.@redirect[14].dest_port='80'
+uci add firewall redirect
+uci set firewall.@redirect[15].dest='lan'
+uci set firewall.@redirect[15].target='DNAT'
+uci set firewall.@redirect[15].name='NPM-443'
+uci set firewall.@redirect[15].src='wan'
+uci set firewall.@redirect[15].src_dport='443'
+uci set firewall.@redirect[15].dest_ip='192.168.77.191'
+uci set firewall.@redirect[15].dest_port='443'
+uci add firewall redirect
+uci set firewall.@redirect[16].dest='lan'
+uci set firewall.@redirect[16].target='DNAT'
+uci set firewall.@redirect[16].name='gitea_SSH'
+uci set firewall.@redirect[16].src='wan'
+uci set firewall.@redirect[16].src_dport='2222'
+uci set firewall.@redirect[16].dest_ip='192.168.77.193'
+uci set firewall.@redirect[16].dest_port='22'
+
+# ADD FORWARD ZONES
+uci add firewall forwarding
+uci set firewall.@forwarding[1].dest='lan'
+uci set firewall.@forwarding[1].src='vpn0'
+uci add firewall forwarding
+uci set firewall.@forwarding[2].dest='vpn0'
+uci set firewall.@forwarding[2].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[3].dest='lan'
+uci set firewall.@forwarding[3].src='vpn1'
+uci add firewall forwarding
+uci set firewall.@forwarding[4].dest='vpn1'
+uci set firewall.@forwarding[4].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[5].src='vpn2'
+uci set firewall.@forwarding[5].dest='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[6].src='lan'
+uci set firewall.@forwarding[6].dest='vpn2'
+uci add firewall forwarding
+uci set firewall.@forwarding[7].dest='lan'
+uci set firewall.@forwarding[7].src='vpn3'
+uci add firewall forwarding
+uci set firewall.@forwarding[8].dest='vpn3'
+uci set firewall.@forwarding[8].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[9].src='wg777'
+uci set firewall.@forwarding[9].dest='wan'
+uci add firewall forwarding
+uci set firewall.@forwarding[10].src='wan'
+uci set firewall.@forwarding[10].dest='wg777'
+uci add firewall forwarding
+uci set firewall.@forwarding[11].dest='lan'
+uci set firewall.@forwarding[11].src='wg777'
+uci add firewall forwarding
+uci set firewall.@forwarding[12].dest='wg777'
+uci set firewall.@forwarding[12].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[13].family='ipv4'
+uci set firewall.@forwarding[13].src='lan'
+uci set firewall.@forwarding[13].dest='wg'
+
+uci commit firewall
 /etc/init.d/firewall restart
+
+echo "All done"
+