Firewall Traffic Rules
Traffic rules control which network traffic the router accepts, forwards, or drops at the firewall level. They operate between network zones — for example, blocking a specific LAN device from reaching the internet, or permitting a particular type of inbound connection from the WAN.
Traffic rules differ from Port Forwards: port forwards redirect inbound traffic to a LAN device, while traffic rules allow or block traffic without modifying its destination.
Navigation
Network > Firewall > Traffic Rules
How traffic rules work
Each rule specifies a source zone, optional match conditions (protocol, address, port), a destination zone, and an action.
| Action | Description |
|---|---|
| Accept input | Allows traffic destined for the router itself — used for management access, VPN endpoints, DHCP, and ICMP |
| Accept forward | Allows traffic to pass through the router from one zone to another — for example, LAN devices reaching the internet |
| Drop | Silently discards the packet — the sender receives no response |
| Reject | Discards the packet and sends an ICMP error to the sender |
Rule order matters: rules are evaluated top to bottom. The first matching rule is applied; no further rules are checked for that packet. When creating block rules, position them above any broader accept rules that would otherwise match the same traffic first. Use the Sort arrows on the Traffic Rules page to reorder rules.
Default traffic rules
The router includes a set of pre-configured rules that handle essential network functions. These should not be removed unless you have a specific reason to do so.
| Rule name | Purpose |
|---|---|
| Allow-DHCP-Renew | Permits inbound DHCP renewal requests — required when the WAN interface uses DHCP for its IP address |
| Allow-Ping-WAN | Allows ICMP echo requests to the router's WAN IP — enables connectivity testing from the internet |
| Allow-IGMP | Permits IGMP traffic for multicast group membership management |
| Allow-DHCPv6 | Permits DHCPv6 link-local traffic on the WAN interface for IPv6 address assignment |
| Allow-MLD | Permits Multicast Listener Discovery (MLD) for IPv6 multicast group management |
| Allow-ICMPv6-Input | Accepts essential ICMPv6 types on the router's WAN input (rate-limited to 1,000 packets/second) |
| Allow-ICMPv6-Forward | Forwards essential ICMPv6 types between zones (rate-limited to 1,000 packets/second) |
Creating a traffic rule
At the bottom of the Traffic Rules page, the New forward rule panel provides a quick-add form. Enter a name, select the source and destination zones, then click Add and edit… to open the full configuration form.
| Name | Source zone | Destination zone | |
|---|---|---|---|
| New forward rule | lan ▼ | wan ▼ | Add and edit… |
Rule configuration fields
After clicking Add and edit…, the full configuration form opens:
| Edit traffic rule | |
|---|---|
| Rule is enabled | Disable |
| Name | e.g. Block-Camera-Internet |
| Restrict to address family | IPv4 and IPv6 ▼ |
| Protocol | TCP+UDP ▼ |
| Source zone | lan ▼ |
| Source MAC address | any ▼ |
| Source address | any ▼ |
| Source port | any |
| Destination zone | wan ▼ |
| Destination address | any ▼ |
| Destination port | any |
| Action | accept ▼ |
| Extra arguments | |
| Save and Apply | |
Field reference
| Field | Description |
|---|---|
| Rule is enabled | Toggles the rule on or off without deleting it — useful for temporarily suspending a rule during testing |
| Name | A descriptive label. Used for identification in the rules list only. |
| Restrict to address family | Limits matching to IPv4 only, IPv6 only, or both. For most LAN deployments, IPv4 and IPv6 is appropriate. |
| Protocol | TCP, UDP, TCP+UDP, ICMP, or Any. Narrowing this to the required protocol reduces the scope of the rule. |
| Match ICMP type | Visible only when Protocol is ICMP. Filters by specific ICMP message type (e.g. echo-request for ping). |
| Source zone | The network zone from which the traffic originates. Common values: lan for LAN-side traffic; wan for inbound traffic from the internet or mobile network. |
| Source MAC address | Optional. Restricts the rule to traffic from a specific device MAC address — useful when the device IP may change. |
| Source address | Optional. Restricts matching to a specific source IP or subnet (e.g. 192.168.8.50 or 192.168.8.0/24). |
| Source port | Optional. Restricts matching to traffic originating from a specific source port. Rarely required. |
| Destination zone | The target zone. Select Device (input) for traffic destined to the router itself; select a zone name (e.g. wan, lan) for traffic passing through the router. |
| Destination address | Optional. Restricts matching to a specific destination IP or subnet. |
| Destination port | Optional. Restricts matching to a specific destination port or port range (e.g. 443 or 8000:8080). |
| Action | accept — permit the traffic; drop — silently discard; reject — discard and send ICMP error to sender |
| Extra arguments | Advanced: raw iptables arguments appended to the rule. Leave blank unless required. |
Configuration examples
Block a specific LAN device from accessing the internet
Use case: prevent a device on the LAN — such as an IP camera, IoT sensor, or PLC — from initiating outbound connections to the internet, while all other LAN devices are unaffected.
| Field | Value |
|---|---|
| Name | Block-Camera-Internet |
| Protocol | Any |
| Source zone | lan |
| Source address | The device's fixed LAN IP — e.g. 192.168.8.50 |
| Destination zone | wan |
| Destination address | any |
| Action | drop |
Important: This rule must be positioned above the Allow-All-LAN-Ports default rule in the list. If Allow-All-LAN-Ports is evaluated first, it will match the traffic and accept it before the block rule is reached. Use the Sort arrows to move the new rule above it.
Block a LAN device by MAC address
Use case: block internet access for a device whose IP address may change — for example a mobile device or a device using DHCP without a reservation. Using the MAC address ensures the rule applies regardless of which IP the device receives.
| Field | Value |
|---|---|
| Name | Block-Device-By-MAC |
| Protocol | Any |
| Source zone | lan |
| Source MAC address | The device's MAC address — e.g. AA:BB:CC:DD:EE:FF |
| Destination zone | wan |
| Action | drop |
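The two block rules above, plus the first-match ordering rule, modelled as an added example (not the router's own code; the router enforces rules with iptables). It shows why Block-Camera-Internet is never reached when it sits below Allow-All-LAN-Ports, and how the MAC-based rule still catches a device whose IP changed. Rule and packet dictionary keys, and the sample packets, are assumptions constructed for this illustration.

```python
import ipaddress

def port_matches(spec, port):
    # The form accepts "any", a single port ("443") or a range ("8000:8080").
    if spec in (None, "any"):
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    # Every configured field must match; "any" means the field is not restricted.
    if rule.get("src_zone", "any") not in ("any", pkt["src_zone"]):
        return False
    if rule.get("dest_zone", "any") not in ("any", pkt["dest_zone"]):
        return False
    proto = rule.get("proto", "any").lower()          # "any", "tcp", "tcp+udp"
    if proto != "any" and pkt["proto"] not in proto.split("+"):
        return False
    mac = rule.get("src_mac", "any")
    if mac != "any" and mac.lower() != pkt.get("src_mac", "").lower():
        return False
    src = rule.get("src_ip", "any")                   # single IP or CIDR subnet
    if src != "any" and ipaddress.ip_address(pkt["src_ip"]) not in \
            ipaddress.ip_network(src, strict=False):
        return False
    return port_matches(rule.get("dest_port", "any"), pkt.get("dest_port", 0))

def evaluate(rules, pkt):
    # Top to bottom; the first enabled matching rule decides. Unmatched traffic
    # is dropped here, mirroring the firewall's silent default for unmatched packets.
    for rule in rules:
        if rule.get("enabled", True) and rule_matches(rule, pkt):
            return rule["action"], rule["name"]
    return "drop", None

# Rules as configured on this page (Allow-All-LAN-Ports is the default accept rule named above).
ALLOW_LAN = {"name": "Allow-All-LAN-Ports", "src_zone": "lan", "dest_zone": "wan", "action": "accept"}
BLOCK_CAM = {"name": "Block-Camera-Internet", "proto": "Any", "src_zone": "lan",
             "src_ip": "192.168.8.50", "dest_zone": "wan", "action": "drop"}
BLOCK_MAC = {"name": "Block-Device-By-MAC", "src_zone": "lan",
             "src_mac": "AA:BB:CC:DD:EE:FF", "dest_zone": "wan", "action": "drop"}

# Constructed sample packets (assumed values): the camera, and a DHCP device whose IP changed.
CAMERA = {"src_zone": "lan", "dest_zone": "wan", "proto": "tcp", "src_ip": "192.168.8.50",
          "src_mac": "00:11:22:33:44:55", "dest_port": 443}
PHONE = dict(CAMERA, src_ip="192.168.8.137", src_mac="aa:bb:cc:dd:ee:ff")

def wrong_order():   # block rule placed below the broad accept: never reached
    return evaluate([ALLOW_LAN, BLOCK_CAM, BLOCK_MAC], CAMERA)[0]

def right_order():   # block rules sorted above the accept, as the page instructs
    return evaluate([BLOCK_CAM, BLOCK_MAC, ALLOW_LAN], CAMERA)[0]
```

Running `evaluate([BLOCK_CAM, BLOCK_MAC, ALLOW_LAN], PHONE)` returns the drop from Block-Device-By-MAC even though the phone's IP is not in any rule, which is the point of matching on MAC.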
Disable ping responses on the WAN interface
By default, the router responds to ICMP echo requests on its WAN IP via the Allow-Ping-WAN default rule. To prevent the router from responding to pings from the internet, disable or delete this rule rather than creating a separate drop rule — the firewall silently blocks all other unmatched WAN input traffic by default.
- Locate Allow-Ping-WAN in the Traffic Rules list
- Uncheck its Enable checkbox, or click Delete to remove it permanently
- Click Save and Apply
Relationship to other firewall sections
| Section | Use for |
|---|---|
| Traffic Rules | Allowing or blocking traffic flows between zones without modifying the destination |
| Port Forwards | Redirecting inbound WAN traffic to a specific LAN device and port |
| Source NAT | Modifying the source IP of outbound traffic — advanced, rarely needed on standard deployments |
| Security | Remote access IP whitelisting, SYN flood protection, and port scan detection |
| Custom Rules | Raw iptables rules — for cases where the standard interface cannot express the required logic |