# Firewall filter rule listing (print output), one rule per entry.
# Rules are evaluated top to bottom within each chain, so the position of each
# accept relative to the drops below it is what decides the outcome.
# NOTE(review): only this one filter table is shown; interface-list membership
# (LAN / WAN), NAT rules and any IPv6 filter rules are not visible here and
# need to be checked separately.
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

# --- input chain: traffic addressed to the router itself ---
 1    ;;; accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; drop invalid
      chain=input action=drop connection-state=invalid

# Matches on protocol only: ICMP is accepted from every interface, because this
# rule sits ahead of the "not coming from LAN" drop in rule 5.
 3    ;;; accept ICMP
      chain=input action=accept protocol=icmp

# Matches on protocol and port only: no in-interface-list or src-address
# condition is shown, so the WireGuard listener is reachable on every interface.
# NOTE(review): if the peers have known source addresses, narrowing this rule
# reduces exposure of the port; confirm against the WireGuard peer config.
 4    ;;; accept WireGuard
      chain=input action=accept protocol=udp dst-port=13231

# Last input rule: anything not accepted above and not arriving on a member of
# the LAN interface list is dropped. Router management exposure therefore
# depends entirely on what is in the LAN list.
# NOTE(review): if the WireGuard interface is not in LAN, tunnel peers cannot
# reach router services; if it is, they are treated like LAN hosts. Confirm
# which is intended.
 5    ;;; drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

# --- forward chain: traffic routed through the router ---
 6    ;;; drop invalid
      chain=forward action=drop connection-state=invalid

# Only established/related connections are fasttracked, i.e. after their first
# packet has already passed the rules below as a new connection.
 7    ;;; fasttrack established,related
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

 8    ;;; accept established,related,untracked
      chain=forward action=accept connection-state=established,related,untracked

 9    ;;; accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

10    ;;; accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

# The only drop for new forwarded connections, and it matches only packets that
# arrive on a WAN-list interface and were not dst-NATed. There is no final
# catch-all drop in this chain, so new connections entering on any interface
# outside the WAN list fall through without matching a drop.
# NOTE(review): that includes a WireGuard interface unless it is a WAN member;
# if tunnel peers should reach only specific hosts, that needs explicit accept
# rules followed by a drop. Confirm the intended reach of tunnel peers.
11    ;;; drop all from WAN not DSTNATed
      chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN