CORRECT...except WAN output policy part (@trendy 's explanation of WAN output is correct) . The LAN WiFi packet goes to WAN because Forward was permitted to WAN. The output setting on WAN is for the WAN interface output only.Wrong, this would imply no firewall.
Also, see this postings I made on the topic:
First of all, that isn't a LAN to WAN setting of Reject. The enable LAN to WAN is the graphic to the Left of that - under the column "Zone => Forwardings". That entire row is the Zone-based firewall settings for LAN. Each row configures the Zone named on its extreme Left. I believe LAN was accept intra-zone forwarding by default (more on how to find out below).
Nonetheless, what you circled is the forwarding of a packet FROM THE LEDE TO ANOTHER ROUTER IN THE SAME ZONE. Most consumers don't use…
It took me a long time to understand Zone-based firewalls, as I only experienced them in LEDE.
Recall that all firewall locations are determined by zones
Anything that doesn't fall in one of the listed and defined zones will be covered by the General Zone Setting
The first things on the GUI to define is where the Zone can forward to by default (i.e. LAN => WAN)
You then define rules for the zone:
Input to router from Zone LAN
Output from router on Zone LAN
Forwarding from this zone to a route…
2 Likes