Traffic rules setting

Hi everyone, I was looking at the traffic rules section of the firewall. If I wanted to block all the traffic that goes from the wan to the lan through port 80, I ask if the rule setting is correct as in the picture. Thank you.


By default no traffic is allowed from wan to lan. If you added a forwarding from wan to lan and you want to block specifically port 80, then this looks correct. Do a uci export firewall and paste it here in preformatted text </> to make sure though.


By default the firewall is blocking any incomming traffic from WAN. Beside some sort of ICMP/IGMP types/ports and DHCP ports needed. So I wonder why you want to block this.

If you want to block port 80 in general you have to block traffic which is related or established already (initiated by a client using port 80 outgoing/forwarding; this is allowed by default) also (from LAN to WAN). So you have to reject forward from LAN to WAN on port 80.


So any ip address that matches an external address so non-LAN is automatically recognized as a Man / Wan range? And if before the WRT router I have another router in cascade with a LAN address in DMZ, do I have to block that IP address as well? I ask this because the first router is the one provided by the provider that theoretically the provider could connect for remote assistance. But in this case it would not enter the second router with a WAN ip but with the IP of the first router which is a Lan address.

config rule
option dest_port '5000 5001 9997-9999 20-23 518 137-139 111 892 2049 69 5005-5006 445'
option src 'wan'
option name 'rule4'
option dest 'lan'
option target 'DROP'
list dest_ip '' <----IP of device to block from lan
list dest_ip '' <----IP router WRT "DMZ side"

It is more general than IPs. It works with zones. WAN firewall zone is considered untrusted, be it directly connected to the internet or to the modem of your ISP.

The rule will not work, unless you have disabled the nat on wan zone (or at least excluded the destination DMZ IPs from nat). Otherwise the DMZ host will see a reply from an invalid source.


Yes any address hitting WAN is treated as external. Even if it is within private ranged IPs. That is what you want to achive using a router. Otherwise you would just use a Switch/Hub. It is like a black box with connections to your LAN devices and to the "outer world". If you cascade them the WAN IP is usually (by default; using DHCP) in range of the defined LAN of the upstream device.

ISP Box (a public IP) -> LAN IP range -> WRT Box (an IP out of range -> LAN IP range

If you would "bridge" ISP Box the LAN IP range would be omitted and WRT Box is getting public IP on WAN interface. Usually you want avoid double NAT. But not every ISP box is supporting bridge mode.


Well, many thank's

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.