It took me a long time to understand Zone-based firewalls, as I only experienced them in LEDE.
- Recall that all firewall locations are determined by zones
- Anything that doesn't fall in one of the listed and defined zones will be covered by the General Zone Setting
- The first thing to define in the GUI is where the Zone can forward to by default (i.e. LAN => WAN)
- You then define rules for the zone:
  - Input to router from Zone LAN
  - Output from router on Zone LAN
  - Forwarding from this zone to a router in the same zone
  - Masquerade (use router assigned IP when sending traffic out this interface)
  - MSS Clamping (Google is your friend on this one, lol)
- Lastly, if you need to make a rule that doesn't follow the pattern (i.e. WAN IP to HTTP server in LAN), you make a Port Forward or Traffic Rule
The information in the firewall Wiki is quite dense, but extremely informative.
Hope this helps.