Wireless Bridge - Is it worth disabling the Firewall?

When running a router as a Wireless Bridge is it worth disabling the Firewall or just leave it alone?

Seems a bit over the top running multiple Firewalls considering the internet facing router has one...

If you’re running WDS or a bridged protocol, you’ll need a different firewall than stock, generally much simpler.

If you’re running relayd (which I don’t suggest unless it’s the only option), it is an IPv4-only, NAT-based hack and requires a similar-to-stock firewall.

1 Like

Just the standard WDS bridge setting that comes with consumer routers on stock firmware.

You'll be ignoring the WAN-specific rules if you don't have traffic trough the WAN. They can be left for simplicity. Without VLANs over WDS or other reasons to prevent between-zone traffic, the "stock" rules are probably OK.

No such thing. While 4ADDR that WDS uses is standardized, how it is used is not. Interoperability between various implementations is far from guaranteed.

On most consumer (off the shelf) routers with stock firmware there is a box to tick to enable WDS bridge and a separate box to tick to disable the firewall/DMZ.

When you tick the box to enable the WDS bridge is it worth ticking the box to disable the firewall?

  1. Yes
  2. No
  3. Don't Know

Unless someone gives me one of those 3 options i will not have the clue into understanding your post?

In the typical WDS/ 4addr repeater case (single ESSID, everything bridged), all packets bypass the firewall anyways (all traffic remains within the same zone) - so disabling it doesn't gain you anything (well, not a lot). In more complex setups you will need the firewall.

WDS: You may or may not be able to interoperate two different firmwares (such as Brand X OEM and OpenWrt, or Brand X and Brand Y) because there is no "standard" WDS.

Firewall: Needed on the router associated with your ISP connection. Probably just fine to leave as it is with an OpenWrt device working as a slaved AP over WDS with only a single VLAN or bridge.

  1. Doesn't matter. As already mentioned, in this setup the packets will remain within the LAN zone, so no firewall rules will be triggered. It won't matter if you keep it enabled or disable it. Personally, I would keep it enabled. Should you ever redeploy it in a different situation, it's good that the firewall is already running if WAN is also involved :slight_smile:
1 Like


You don't get a Firewall on a Dongle and i'm the only one on the bridge , that's what i was thinking. :grinning:

disable it, if you know how to set static ip disable dnsamasq too. unneeded services, when disabled, free up at least some resources and allow faster device bootup

1 Like