Firewall Zones bug or am I just misunderstanding?

I do not want forwarding between various portions of the LAN zone. Specifically I do not want WiFi clients to be able to connect to a device on Ethernet LAN.

My firewall is configured as follows, with Forward set to Reject. I think this means that Wifi clients can not talk with Ethernet LAN, and vice versa.

With that setting in place, I can still connect to a LAN based web server

Am I misunderstanding what Reject means?

The router is an TP Line 3600 running 18.06.2

Unless you have customised your installation, the default "lan" zone points to the bridge between your wired ethernet and your wifi network. The firewall won't handle this case since they're on the same segment.

You could try splitting the network in a "wired-lan" and "wireless-lan" network and then create two matching firewall zones.


In that case, I really do not understand what the Forward column means. I thought it was about forwarding between the various wifi/ether interfaces contained within this LAN zone.

That means:

  • You are sending onward traffic to the router
  • It has to forward the traffic to another router in the same zone

That's it's only function; and not common in a SOHO/consumer configuration.

1 Like

It is, but only if these interfaces happen to not be bridged.

1 Like

Forwarding works between firewall zones, not within any zone.

In a default setup you have a "wan" and a "lan" zone: such a rule says any network in the "lan" zone (typically the wired switch ports and the wireless clients) is not allowed to talk to any network in the "wan" zone. Anything goes within the "lan" zone and the (normally) bridged networks that make it up.

I suppose part of the confusion is the label of the zone, give it another name if that helps you distinguish the two concepts.