Alta Help Center

Creating Firewall Rules

Josh McGee

Understanding the Default Firewall Rules

By default, all traffic not explicitly allowed in the rules is automatically blocked, providing a strong “deny-all” security stance. Essential rules like DHCP and ICMPv6 are necessary for normal network functionality—removing them can disable address assignment or break IPv6. Optional rules such as IGMP or IPsec pass-through can be safely removed if you know you don’t need multicast or VPN services. Overall, the default firewall rules provide a secure, functional baseline that rarely requires changes in most deployments.

  1. DHCP (v4) and DHCPv6
    • Needed if the WAN uses dynamic IP assignment (typical for cable/DSL).
    • Removing these rules breaks DHCP-based address assignment, causing the router to lose internet access unless you use PPPoE or a static WAN configuration.
  2. ICMPv6
    • Essential for IPv6 functionality (Neighbor Discovery, Router Advertisements, Path MTU Discovery).
    • Blocking ICMPv6 may partially or completely break IPv6.
    • The “Allow-ICMPv6-Input” and “Allow-ICMPv6-Forward” rules are especially important to keep.
  3. Ping (ICMPv4)
    • Not strictly required, but very helpful for diagnostics.
    • Removing “Allow-Ping on WAN” means external pings to the router will be dropped.
  4. IGMP and MLD
    • Used for multicast traffic (e.g., IPTV or streaming services).
    • If you do not use multicast-based services on the WAN, you can safely remove these rules. Otherwise, they’re required.
  5. IPsec (ESP, IKE, NAT-T)
    • If you’re not using VPN or IPsec pass-through, you can remove these rules.

Proceed with caution: Removing or modifying the default rules can lead to serious network problems if your environment depends on them. We strongly recommend leaving these rules in place unless you fully understand their purpose and are completely certain you do not require them for normal operation.

Creating Filter Rules

IP Version

  • IPv4
  • IPv6
  • Any

Source

This denotes the expected source address and port of the incoming traffic. In most cases where the traffic comes from an external source such as the internet, leave it blank so that any source is matched.

Destination

The destination is the address that receives the incoming traffic. For external traffic this will generally be your WAN IP, together with the port of the respective service, such as 443 for HTTPS.

Protocols

TCP and UDP are the most common protocols to filter. Multiple protocols can be added in the same rule.

  • TCP - general
  • UDP - general
  • ICMP - ping
  • IGMP - multicast (video/voice)
  • ESP - VPN (IPsec)

Zone In

Traffic coming from remote servers will be the WAN zone. Internal traffic will be LAN.

Zone Out

If the traffic is destined for an address or device on the local network, choose LAN. Traffic leaving the local network toward the internet is headed to WAN.

Interface In

It is generally recommended to leave this field blank, as most users will be fine relying on standard zone-based rules. However, advanced users who need to specify an interface can use the syntax br-lan_123 to refer to VLAN ID 123.

If you need to look up an interface name, you can check it via the shell using ifconfig or ip link show.

Interface Out

It is generally recommended to leave this field blank, as most users will be fine relying on standard zone-based rules. However, advanced users who need to specify an interface can use the syntax br-lan_123 to refer to VLAN ID 123.

If you need to look up an interface name, you can check it via the shell using ifconfig or ip link show.

Limit

Maximum number of packets per second allowed by this filter, written as a rate such as 1000/sec (the value the default ICMPv6 rules use).

Policy

  • Accept
  • Drop
  • Deny

Restore Default Filter Rules

Click the Import button and paste the following rules in order to restore the defaults.

Warning: The Reset button may also be used to restore the firmware default rules. However, this will destroy any custom rules that you have deployed at the same time.

[
  {
    description: 'Allow DHCP renewals',
    zoneIn: 'wan',
    ipVersion: 'ipv4',
    destination: {
      port: '68',
    },
    action: 'ACCEPT',
    protocol: ['udp'],
  },
  {
    description: 'Allow Ping',
    zoneIn: 'wan',
    protocol: ['icmp'],
    icmpType: ['echo-request'],
    ipVersion: 'ipv4',
    action: 'ACCEPT',
  },
  {
    description: 'Allow IGMP',
    zoneIn: 'wan',
    protocol: ['igmp'],
    ipVersion: 'ipv4',
    action: 'ACCEPT',
  },
  {
    description: 'Allow DHCPv6',
    zoneIn: 'wan',
    protocol: ['udp'],
    source: {
      address: 'fc00::/6',
    },
    destination: {
      address: 'fc00::/6',
      port: 546,
    },
    ipVersion: 'ipv6',
    action: 'ACCEPT',
  },
  {
    description: 'Allow MLD',
    zoneIn: 'wan',
    protocol: ['icmp'],
    source: {
      address: 'fe80::/10',
    },
    icmpType: ['130/0', '131/0', '132/0', '143/0'],
    ipVersion: 'ipv6',
    action: 'ACCEPT',
  },
  {
    description: 'Allow ICMPv6 input',
    zoneIn: 'wan',
    ipVersion: 'ipv6',
    protocol: ['icmp'],
    icmpType: [
      'echo-request',
      'echo-reply',
      'destination-unreachable',
      'packet-too-big',
      'time-exceeded',
      'bad-header',
      'unknown-header-type',
      'router-solicitation',
      'neighbour-solicitation',
      'router-advertisement',
      'neighbour-advertisement',
    ],
    limit: '1000/sec',
    action: 'ACCEPT',
  },
  {
    description: 'Allow ICMPv6 forward',
    zoneIn: 'wan',
    ipVersion: 'ipv6',
    protocol: ['icmp'],
    icmpType: [
      'echo-request',
      'echo-reply',
      'destination-unreachable',
      'packet-too-big',
      'time-exceeded',
      'bad-header',
      'unknown-header-type',
    ],
    limit: '1000/sec',
    action: 'ACCEPT',
  },
  {
    description: 'IPsec IKE',
    zoneIn: 'wan',
    protocol: ['udp'],
    destination: {
      port: '500',
    },
    action: 'ACCEPT',
  },
  {
    description: 'IPsec NAT-T',
    zoneIn: 'wan',
    protocol: ['udp'],
    destination: {
      port: '4500',
    },
    action: 'ACCEPT',
  },
  {
    description: 'IPsec ESP',
    protocol: ['esp'],
    zoneIn: 'wan',
    action: 'ACCEPT',
  },
];
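Before pasting a rule list into Import, it is worth checking that the essential defaults from the first section are still present and that no custom rule accepts more from the WAN than intended. The script below is an added example written for this article; it is not Alta Labs code and assumes only the rule keys visible in the import list above (description, zoneIn, ipVersion, protocol, destination.port, action, limit). The sample rule text is constructed: the defaults with the ICMPv6 forward, IGMP, MLD, IKE and NAT-T rules removed, plus a custom rule that accepts all TCP and UDP from the WAN without a destination port.

```python
import json
import re

# Rules the article calls essential (sections 1-2) and optional (sections 4-5).
ESSENTIAL = {
    "Allow DHCP renewals": "WAN DHCPv4 lease renewals stop",
    "Allow DHCPv6": "IPv6 address assignment on the WAN breaks",
    "Allow ICMPv6 input": "Neighbor Discovery and Router Advertisements break",
    "Allow ICMPv6 forward": "Path MTU Discovery for LAN hosts breaks",
}
OPTIONAL = {"Allow IGMP", "Allow MLD", "IPsec IKE", "IPsec NAT-T", "IPsec ESP"}


def parse_rule_text(text):
    """Turn the article's JS-style list (bare keys, single quotes, trailing
    commas, trailing ';') into JSON and load it. Bare keys are recognised only
    after '{' or ',' so that values such as 'fc00::/6' are left alone."""
    text = text.strip().rstrip(";")
    text = re.sub(r"([{,]\s*)(\w+)\s*:", r'\1"\2":', text)  # quote bare keys
    text = text.replace("'", '"')                           # single -> double quotes
    text = re.sub(r",(\s*[\]}])", r"\1", text)              # drop trailing commas
    return json.loads(text)


def audit_rules(rules):
    """Return findings: essential defaults missing, optional defaults removed,
    WAN ACCEPT rules broader than the 'deny-all' baseline, and rules lacking a
    field every rule in the import list carries."""
    present = {r.get("description", "") for r in rules}
    findings = {
        "missing_essential": [d for d in ESSENTIAL if d not in present],
        "optional_removed": sorted(OPTIONAL - present),
        "broad_accept": [],
        "invalid": [],
    }
    for r in rules:
        desc = r.get("description", "<no description>")
        if not all(k in r for k in ("zoneIn", "protocol", "action")):
            findings["invalid"].append(desc)
            continue
        if r["action"] != "ACCEPT" or r["zoneIn"] != "wan":
            continue
        protos = set(r["protocol"])
        has_port = bool(r.get("destination", {}).get("port"))
        # Accepting TCP/UDP from the WAN with no destination port exposes every
        # listening service on the router, not just the one intended (e.g. 443).
        if protos & {"tcp", "udp"} and not has_port:
            findings["broad_accept"].append(desc)
    return findings


# Constructed sample in the article's paste format (see lead-in).
SAMPLE_TEXT = """[
  { description: 'Allow DHCP renewals', zoneIn: 'wan', ipVersion: 'ipv4',
    destination: { port: '68' }, action: 'ACCEPT', protocol: ['udp'] },
  { description: 'Allow DHCPv6', zoneIn: 'wan', protocol: ['udp'],
    source: { address: 'fc00::/6' },
    destination: { address: 'fc00::/6', port: 546 },
    ipVersion: 'ipv6', action: 'ACCEPT' },
  { description: 'Allow ICMPv6 input', zoneIn: 'wan', ipVersion: 'ipv6',
    protocol: ['icmp'], icmpType: ['echo-request', 'router-advertisement'],
    limit: '1000/sec', action: 'ACCEPT' },
  { description: 'IPsec ESP', protocol: ['esp'], zoneIn: 'wan', action: 'ACCEPT' },
  { description: 'Allow web server', zoneIn: 'wan', ipVersion: 'ipv4',
    protocol: ['tcp', 'udp'], action: 'ACCEPT', },
];"""

if __name__ == "__main__":
    for key, items in audit_rules(parse_rule_text(SAMPLE_TEXT)).items():
        print(f"{key}: {items}")
```

To check your own list, replace SAMPLE_TEXT with the text you are about to paste into Import. A non-empty missing_essential entry means the router will lose DHCP or IPv6 functionality after import; broad_accept names rules that should be narrowed to the specific destination port of the service being published.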
