Score:0

IPTABLES no internet access from lan with default FORWARD rule set to DROP


I'm trying to set up Ubuntu Server 22.04 (virtualized) as a router with one WAN interface (ens18) and several LAN interfaces, ens19:ens23 & ens1.

Here is what I'm trying to achieve:

  • allow ens19:ens21 access to internet
  • allow ens23 access to internet
  • allow ens22 access to internet, but only during working hours on weekdays
  • deny ens1 access to internet.
  • allow all lan interfaces, including ens1 access to ens19
  • block access between lans other than access to ens19

Here is the problem I'm facing. For some reason when I have the default forwarding rule set to DROP, the client networks have no access to the internet at all, nor do they have access to ens19. I tried setting the default forward rule to accept and then I have full internet access from every network.

I take it I'm missing some rules in the FORWARD chain or am using incorrect rules. Any constructive input here is much appreciated.

Here are the commands I have used for setting up iptables:

#flush existing config
sudo iptables -F
sudo iptables -X

#temporary rules for configuration purposes
sudo iptables -A INPUT -i ens18 -p tcp --dport 22 -j ACCEPT
sudo iptables -A FORWARD -i ens18 -o ens19 -p tcp --dport 3306 -j ACCEPT
sudo iptables -A FORWARD -i ens18 -o ens19 -p tcp --dport 33060 -j ACCEPT
sudo iptables -A FORWARD -i ens18 -o ens19 -p tcp --dport 80 -j ACCEPT

##set default policies
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP

#allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

#allow established and related incoming traffic
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow access to WAN
sudo iptables -A FORWARD -i ens19 -o ens18 -j ACCEPT
sudo iptables -A FORWARD -i ens20:ens21 -o ens18 -j ACCEPT
sudo iptables -A FORWARD -i ens22 -o ens18 -m time --timestart $(date -u -d @$(date "+%s" -d "07:00") +%H:%M) --timestop $(date -u -d @$(date "+%s" -d "20:00") +%H:%M) --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
sudo iptables -A FORWARD -i ens23 -o ens18 -j ACCEPT

#Allow Access from LAN to DMZ
sudo iptables -A FORWARD -i ens20:ens23 -o ens19 -j ACCEPT
sudo iptables -A FORWARD -i ens1 -o ens19 -j ACCEPT
#deny access to WAN from the lan connected to ens1
sudo iptables -A FORWARD -i ens1 -o ens18 -j DROP

#deny communication between interfaces ens20:ens23, ens1
sudo iptables -A FORWARD -i ens20 -o ens21 -j DROP
sudo iptables -A FORWARD -i ens20 -o ens22 -j DROP
sudo iptables -A FORWARD -i ens20 -o ens23 -j DROP
sudo iptables -A FORWARD -i ens21 -o ens20 -j DROP
sudo iptables -A FORWARD -i ens21 -o ens22 -j DROP
sudo iptables -A FORWARD -i ens21 -o ens23 -j DROP
sudo iptables -A FORWARD -i ens22 -o ens20 -j DROP
sudo iptables -A FORWARD -i ens22 -o ens21 -j DROP
sudo iptables -A FORWARD -i ens22 -o ens23 -j DROP
sudo iptables -A FORWARD -i ens23 -o ens20 -j DROP
sudo iptables -A FORWARD -i ens23 -o ens21 -j DROP
sudo iptables -A FORWARD -i ens23 -o ens22 -j DROP
sudo iptables -A FORWARD -i ens1 -o ens20 -j DROP
sudo iptables -A FORWARD -i ens1 -o ens21 -j DROP
sudo iptables -A FORWARD -i ens1 -o ens22 -j DROP
sudo iptables -A FORWARD -i ens1 -o ens23 -j DROP

#enable masquerading on interface ens18
sudo iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE

##save and reload
sudo netfilter-persistent save
sudo netfilter-persistent reload

Here's the output of iptables -nvL:

henrik@server0router:~$ sudo iptables -nvL
Chain INPUT (policy DROP 3 packets, 939 bytes)
 pkts bytes target     prot opt in     out     source               destination
  104  7488 ACCEPT     tcp  --  ens18  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy DROP 58 packets, 4640 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  ens18  ens19   0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
    0     0 ACCEPT     tcp  --  ens18  ens19   0.0.0.0/0            0.0.0.0/0            tcp dpt:33060
    0     0 ACCEPT     tcp  --  ens18  ens19   0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  ens19  ens18   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens20:ens21 ens18   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens22  ens18   0.0.0.0/0            0.0.0.0/0            TIME from 05:00:00 to 18:00:00 on Mon,Tue,Wed,Thu,Fri UTC
    0     0 ACCEPT     all  --  ens23  ens18   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens20:ens23 ens19   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens1   ens19   0.0.0.0/0            0.0.0.0/0
    6   450 DROP       all  --  ens1   ens18   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens20  ens21   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens20  ens22   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens20  ens23   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens21  ens20   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens21  ens22   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens21  ens23   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens22  ens20   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens22  ens21   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens22  ens23   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens23  ens20   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens23  ens21   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens23  ens22   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens1   ens20   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens1   ens21   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens1   ens22   0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  ens1   ens23   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 984 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   54  5744 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
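As an added diagnostic that is not part of the original question, the script below audits a saved `iptables -nvL` dump with awk rather than reading it by eye: it lists the chains whose DROP policy is counting packets, the rules in a chain that have never matched, and any rule whose interface field contains a colon, since `-i`/`-o` take a single interface name (or a `name+` prefix wildcard), not a range like `ens20:ens21`. The dump embedded as SAMPLE_DUMP is a constructed excerpt modelled on the listing above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original question: audit a saved
# `iptables -nvL` dump. Three checks:
#   1. which chains are counting packets against a DROP policy,
#   2. which rules in a given chain have never matched,
#   3. which rules carry a colon in an interface field, because -i/-o take one
#      interface name (or a "name+" prefix wildcard), never an "ens20:ens21" range.
# SAMPLE_DUMP is a constructed excerpt modelled on the output in the question.
SAMPLE_DUMP='Chain INPUT (policy DROP 3 packets, 939 bytes)
 pkts bytes target     prot opt in     out     source               destination
  104  7488 ACCEPT     tcp  --  ens18  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 58 packets, 4640 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens19  ens18   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  ens20:ens21 ens18   0.0.0.0/0            0.0.0.0/0
    6   450 DROP       all  --  ens1   ens18   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 984 bytes)
 pkts bytes target     prot opt in     out     source               destination
   54  5744 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED'

# Usage: policy_drops "$dump"  ->  one "CHAIN packets" line per DROP policy with hits.
# In "Chain FORWARD (policy DROP 58 packets, ...)" the name is $2 and the count $5.
policy_drops() {
    printf '%s\n' "$1" | awk '
        /^Chain / && /policy DROP/ && $5 + 0 > 0 { print $2, $5 }'
}

# Usage: unmatched_rules "$dump" CHAIN  ->  "CHAIN in out target" for zero-hit rules.
# Rule lines are: pkts bytes target prot opt in out source destination [extra]
unmatched_rules() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Chain /   { chain = $2; next }
        /^ *pkts /  { next }          # column header
        NF == 0     { next }          # blank line between chains
        chain == want && $1 + 0 == 0 { print chain, $6, $7, $3 }'
}

# Usage: suspicious_ifaces "$dump"  ->  "in out" pairs where either side has a colon.
suspicious_ifaces() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^ *pkts / || NF == 0 { next }
        $6 ~ /:/ || $7 ~ /:/ { print $6, $7 }' | sort -u
}

echo "== policies dropping packets =="; policy_drops "$SAMPLE_DUMP"
echo "== FORWARD rules with zero hits =="; unmatched_rules "$SAMPLE_DUMP" FORWARD
echo "== interface fields that look like ranges =="; suspicious_ifaces "$SAMPLE_DUMP"
```

Run it against a real dump with `sudo iptables -nvL > dump.txt` and `policy_drops "$(cat dump.txt)"`. Against the listing in the question, the pattern it surfaces is the telling one: every per-interface ACCEPT in FORWARD sits at zero while the chain policy has counted 58 drops, so the forwarded packets are not matching any rule at all.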

djdomi: Welcome to 2023 - port 443 seems to be missing for me ;)

INDIVISUM: If you're thinking about the forwarding rule from ens18 (WAN) to ens19 (DMZ), this is only to access the web interface of the web server locally, and it is ultimately behind another NAT to prevent access from the internet. I do not need SSL and HTTPS for this use case.
Score:0

OK, so I think I found the solution.

To clarify, my setup is a couple of Ubuntu servers running as QEMU/KVM on Proxmox VE, in addition to a few desktop VMs to emulate different network clients.

These machines use network bridges set up in Proxmox to connect each client and "server1" to "server0router". The problem here is that when a network interface is added to a VM in Proxmox, the firewall function in the hypervisor is enabled by default to allow creating firewall rules for a VM in the web interface.

After unticking the "Firewall" checkbox in the network interfaces for the server0router VM in Proxmox, everything seems to work as specified in the rules set inside the VM.

EDIT: also had to switch to individual rules per port instead of using ens20:ens23, as the range did not seem to work even though no error was given entering the command.
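The edit above is the part worth generalizing: iptables never expands `ens20:ens23`, so the fix is one rule per interface. The script below is an added example, not the answer author's script, that generates the FORWARD rules from explicit interface lists and converts the working-hours window to UTC the way `-m time` expects (a local 07:00 at UTC+2 becomes 05:00, consistent with the `TIME from 05:00:00 to 18:00:00` rendering in the question's listing). Interface names follow the question; the lists, the `to_utc`/`forward_rules` names and the zone offset are assumptions. With `IPT` unset it prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the answer author's script: generate the FORWARD rules
# from explicit interface lists, one rule per interface, since iptables -i/-o
# do not expand "ens20:ens23" (the answer above reports the range silently
# matched nothing). Interface names follow the question; everything else is
# assumed. With IPT unset the commands are printed; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

WAN=ens18
DMZ=ens19
LAN_FULL="ens20 ens21 ens23"   # internet any time
LAN_HOURS="ens22"              # internet on weekdays, working hours only
LAN_NONE="ens1"                # no internet, DMZ only

# to_utc HH:MM [+HHMM]  ->  the same wall-clock time expressed in UTC.
# -m time compares against UTC unless --kerneltz is given, so a local 07:00
# at UTC+2 must be written as 05:00. The offset defaults to the running
# system's zone (date +%z). A window that crosses UTC midnight after
# conversion would need two rules and adjusted --weekdays; not handled here.
to_utc() {
    h="${1%%:*}"; m="${1##*:}"; off="${2:-$(date +%z)}"
    h="${h#0}"; m="${m#0}"                  # avoid octal parsing of 07, 08
    oh="${off#?}"; oh="${oh%??}"; oh="${oh#0}"   # hours of the zone offset
    om="${off#???}"; om="${om#0}"                # minutes of the zone offset
    offmin=$(( oh * 60 + om ))
    case "$off" in -*) offmin=$(( -offmin ));; esac
    utc=$(( (h * 60 + m - offmin + 1440) % 1440 ))
    printf '%02d:%02d\n' $(( utc / 60 )) $(( utc % 60 ))
}

# forward_rules [+HHMM]  ->  emit (or apply) the whole FORWARD rule set.
forward_rules() {
    tz="$1"
    # Return traffic first, so replies never depend on a per-interface rule.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT
    for ifc in $LAN_FULL; do
        $IPT -A FORWARD -i "$ifc" -o "$WAN" -j ACCEPT
    done
    for ifc in $LAN_HOURS; do
        $IPT -A FORWARD -i "$ifc" -o "$WAN" -m time \
            --timestart "$(to_utc 07:00 $tz)" --timestop "$(to_utc 20:00 $tz)" \
            --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
    done
    # Every LAN, including the one without internet, may reach the DMZ.
    for ifc in $LAN_FULL $LAN_HOURS $LAN_NONE; do
        $IPT -A FORWARD -i "$ifc" -o "$DMZ" -j ACCEPT
    done
    # No explicit DROP rules: with "iptables -P FORWARD DROP" in place, LAN-to-LAN
    # and ens1-to-WAN traffic is already dropped by the chain policy.
}

forward_rules
```

Because the chain policy is DROP, the sixteen pairwise DROP rules from the question become redundant; every flow that is not explicitly accepted falls through to the policy, and the accept list is the complete statement of what the router forwards.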
