Firewall rules add another layer of granularity to what is allowed to be forwarded across interfaces and additionally which packets are allowed to be inputted and outputted.

5.1.1 - Firewall Zones

The firewall can collect interfaces into zones to filter traffic logically. A zone can be configured to any set of interfaces. This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces:

• A rule for a packet originating in a zone must be entering the router on one of the zone's interfaces,

• A rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces.

After accessing the router, go to Network > Firewall to enter the Firewall - Zone Settings.The SYN-flood protection is enabled by default. You can use the below default firewall zone settings in most of the conditions.

5.1.2 - Port Forwards

Port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another. Port Forwarding allows remote computers to connect the outdoor router within a private local-area network (LAN).

i. General Settings

Log in to the router, go to Network > Firewall. ➀ Under the tab of General Settings, change forward to accept. ➁ In the Zones section, change the Forward on the row of WAN from reject to accept. Click Save & Apply button on the bottom right corner.

ii. Port Forwards (WAN)

Click the tab Port Forwards to enter the configure section, on the New port forward section:

1. Name : Enter the reference name. e.g., Test

2. Protocol: Select from TCP, UDP, and TCP+UDP

   📌 If you don't know the protocol, please choose TCP+UDP. Please select TCP or UDP if you are aware of whether it is TCP or UDP, it can effectively reduce resource consumption.

3. External zone : Select WAN

4. External port : Set the port number want to access from the external network 📌 Suggest selecting the WAN port between 1025~25534. Do not use the standard ports occupied by the other services such as 23, 80, 433, 3389, 7700, 10080, etc.

5. Internal zone : Select LAN

6. Internal IP Address : Select from the list of connected intranet hosts 📌 If can not find the host on the list, please recheck the IP settings on the host.

7. Internal port : Choose the port number which needs to forward from the intranet host

8. Click the button Save & Apply

The below example was forwarded localhost 192.168.30.113:80 to WAN port 1180. You can access the 80 port on the host of 192.168.30.113 from the public IP address plus port number 1180. It's NOT accessible from the router's local IP, eg. 192.168.30.1:1180.

NAT Loopback is turned on after saved a new port forward rule. It allows the intranet terminal to access the local hosts by using the public IP address of the routed external network interface. To reduce the consumption of router resources, you can click the Edit button on the saved port forward rule list to disable it.

​

iii. Intranet Forwards

To access another host from the router IP address, we can set up intranet forwarding base on iptables. Go to the tab Custom Rules, add the new iptable rules. Below is the example codes to forward 192.168.30.113:80 to router IP 192.168.30.1:1180.

iptables -t nat -A PREROUTING -d 192.168.30.1 -p tcp --dport 1180 -j DNAT --to-destination 192.168.30.113:80 iptables -t nat -A POSTROUTING -d 192.168.30.113 -p tcp --dport 80 -j SNAT --to 192.168.30.1

5.1.3 - Open New Port

After accessing the router, go to Network > Firewall > Traffic Rules: Open port on router. You can add a new port on the router.

• Name: Input name of the new port

• Protocol: Choose from TCP or UDP

• External port: The new port number

After input the above parameters, click the Add button. Then click Save & Apply button on the bottom right corner. You will find the new port on the Traffic Rules list.