What is "reject" in the pictured firewall zone?

In the image there is a black circle on a screenshot of a firewall zone "wan => REJECT" What is the reject, what does it mean, and what does it do/how does it behave?

What the word literally means. It means any incoming traffic is rejected and sender is notified. Note this does not apply to established and related connections, so packets in response to connections initiated by devices on your LAN e.g. will be allowed through.

Accept/Reject/Drop are basic firewall concepts.


Thanks. I have the output set to accept, how can data be forwarded from reject to the wan zone?

Are you asking how it works? Or are you asking how to achieve some other forwarding?

You can think of the firewall as moderating a discussion. If the LAN starts a conversation with the WAN (so visiting a website for example), the WAN can reply as needed. But, in the other direction, the firewall has a rule that is basically "you shall not speak unless spoken to" -- in other words, the firewall will drop or reject any traffic from the WAN that is unsolicited. This is necessary to keep your network safe.

If you're asking about achieving something else with the forwarding rules, please be more specific about your goals.

The circled reject is for the forwardings (or interzone traffic), which is shown when a zone is not allowed to forward to any other zone. For intrazone traffic you can configure the FORWARD drop down menus. For INPUT and OUTPUT from and to the WAN zone (destination or source is the router) you can configure the INPUT and OUTPUT drop down menus.

1 Like

As a travel router, what should that zone be configured to?

The zones, as shown in your picture, are configured properly for most purposes (including as a travel router)


But I did just notice one thing that is wrong... masquerading should not be enabled on the LAN zone.

1 Like

The top one? What can happen if it stays on?

Yes, the top one (lan zone). I'm not entirely sure what happens if masquerading is enabled in that context -- I've never tried it. But it shouldn't be enabled. Only the wan zone needs masquerading.


In this particular case all the port forwards from the internet will have the source IP changed into the lan IP of the OpenWrt. It is also adding some extra cpu cycles to accomplish this, which is not necessary, so you can safely disable masquerade on lan.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.