Firewall Wan (Red) Zone


Was just wondering what the implications are of deleting the Red Zone from the firewall. That zone is the one that covers the wan, and looking at the default firewall, it has lan (green zone) forward traffic to the wan (red zone). But what happens if I delete the wan interfaces? It should delete the red zone firewall, so then where does the traffic go?

Just wondering because I have seen videos talking about deleting the unused wan interfaces.




Nowhere, or somewhere else, depending on your network setup.

If your OpenWrt device isn't used as a router, it's probably pretty safe to remove the red zone.


So the firewall is only needed if the device is being used as a router?

I can see some other reasons, but in most cases, yes.


Usually, the firewall does not work with L2 traffic, so if the device is not used as a router and there are no additional services on it, it is unlikely for any traffic to reach the firewall for processing, so there is no real gain in disabling it or removing the rules bound to unused interfaces. However, if you decide to repurpose it, for example as a spare main router, you will waste some time restoring the interface configuration and the firewall to a working condition.


I'd recommend calling it the wan zone as it is named in the firewall, just for clarity. The color happens to be red (and it may be specifically set that way per the developers/UI designers), but it is arbitrary.

Same with "green" -- call it the lan zone.

Traffic traverses the firewall when you are routing between interfaces (i.e. from lan > wan) or when the traffic is destined as input to the OpenWrt device itself (for things like administration and/or other local services).

My general recommendation is that you don't delete the predefined zones. It's not so much that it will cause problems to delete them, but more about the fact that you might cause yourself extra headaches if you need to rebuild them and/or make a significant mistake in the process of deleting extra zones. If you're using the device as a dumb AP, the firewall has no impact at all anyway, and it doesn't take any extra resources for the zones to be defined vs removing them. The CPU load is related to the traffic flowing through the firewall, not the number of zones (at least any reasonable number of zones).

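To make the "where does the traffic go" question concrete, here is an added example (not code from the thread or from the OpenWrt project) that parses a UCI-style /etc/config/firewall text and evaluates only the zone-level decisions discussed above: which zone an interface belongs to, what happens to traffic destined for the device itself, and what happens to traffic forwarded between interfaces. The sample configuration is constructed to match the stock OpenWrt defaults; the model is a simplification that ignores `config rule`, `config redirect`, conntrack state and fw3/fw4 implementation details, and it assumes that an interface belonging to no zone falls back to the `config defaults` policies.

```python
"""Simplified model of OpenWrt firewall zone policies (added example).

Assumptions: only `defaults`, `zone` and `forwarding` sections matter;
an interface that is in no zone is judged by the `defaults` policies;
traffic between two zones needs a `forwarding` section, otherwise the
`defaults` forward policy applies; traffic between interfaces of the same
zone uses that zone's own `forward` option.
"""
from dataclasses import dataclass, field

# Constructed sample: the stock OpenWrt zones and lan -> wan forwarding.
BASE_CONFIG = """
config defaults
    option syn_flood 1
    option input REJECT
    option output ACCEPT
    option forward REJECT

config zone
    option name 'lan'
    list network 'lan'
    option input ACCEPT
    option output ACCEPT
    option forward ACCEPT
"""

WAN_ZONE_AND_FORWARDING = """
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input REJECT
    option output ACCEPT
    option forward REJECT
    option masq 1
    option mtu_fix 1

config forwarding
    option src 'lan'
    option dest 'wan'
"""

DEFAULT_CONFIG = BASE_CONFIG + WAN_ZONE_AND_FORWARDING
# The situation asked about in the thread: wan zone (and its forwarding) removed,
# while the lan zone is left in place.
NO_WAN_ZONE_CONFIG = BASE_CONFIG


@dataclass
class Section:
    kind: str
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)


def parse_uci(text: str) -> list[Section]:
    """Parse 'config' / 'option' / 'list' lines into sections (quotes stripped)."""
    sections: list[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip("'\"") for p in line.split()]
        if parts[0] == "config":
            sections.append(Section(parts[1]))
        elif parts[0] == "option":
            sections[-1].options[parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1].lists.setdefault(parts[1], []).append(parts[2])
    return sections


class Firewall:
    def __init__(self, text: str):
        secs = parse_uci(text)
        self.defaults = next(s.options for s in secs if s.kind == "defaults")
        self.zones = {s.options["name"]: s for s in secs if s.kind == "zone"}
        self.forwardings = {(s.options["src"], s.options["dest"])
                            for s in secs if s.kind == "forwarding"}

    def zone_of(self, network: str):
        """Return the zone name covering a network interface, or None."""
        for name, zone in self.zones.items():
            if network in zone.lists.get("network", []):
                return name
        return None

    def input_verdict(self, src_network: str) -> str:
        """Policy for traffic addressed to the device itself (ssh, LuCI, DNS)."""
        zone = self.zone_of(src_network)
        if zone is None:
            return self.defaults["input"]
        return self.zones[zone].options.get("input", self.defaults["input"])

    def forward_verdict(self, src_network: str, dst_network: str) -> str:
        """Policy for traffic routed from one interface to another."""
        src, dst = self.zone_of(src_network), self.zone_of(dst_network)
        if src is None or dst is None:
            return self.defaults["forward"]  # unzoned interface: defaults apply
        if src == dst:
            return self.zones[src].options.get("forward", self.defaults["forward"])
        if (src, dst) in self.forwardings:
            return "ACCEPT"
        return self.defaults["forward"]


if __name__ == "__main__":
    for label, cfg in (("stock", DEFAULT_CONFIG), ("wan zone removed", NO_WAN_ZONE_CONFIG)):
        fw = Firewall(cfg)
        print(f"[{label}] lan->wan forward: {fw.forward_verdict('lan', 'wan')}, "
              f"wan->lan forward: {fw.forward_verdict('wan', 'lan')}, "
              f"input from wan: {fw.input_verdict('wan')}")
```

With the stock zones, lan to wan is forwarded and anything arriving from wan is rejected both as input and as forward. Once the wan zone is gone, the wan interface is unzoned, so the `defaults` policies decide: lan to wan is now rejected, and traffic from wan towards the device stays rejected. That is the "nowhere" answer earlier in the thread, and it also shows why keeping the predefined zones costs nothing while deleting them silently changes what the router will pass.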

Ah ok! I have been watching YouTube videos about installing and using relayd, and they suggest the wan interfaces and firewall.
