EdgeRouter - How to Create a WAN Firewall Rule
Overview
Readers will learn how to create firewall rules that protect the router and the Local Area Network (LAN).
- Applicable to the latest EdgeOS firmware on all EdgeRouter models.
- The rules that are manually created using this article can also be automatically created by running the Basic Setup wizard.
- The latest EdgeOS firmware can be downloaded from the EdgeRouter Downloads page.
Adding Firewall Rules
Firewall policies are used to allow traffic in one direction and block it in another.
The EdgeRouter uses a stateful firewall, which means the router firewall rules can match on different connection states. The traffic states are:
new
The incoming packets are from a new connection.established
The incoming packets are associated with an already existing connection.related
The incoming packets are new, but associated with an already existing connection.invalid
The incoming packets do not match any of the other states.
Using these firewall states, the router can accept/drop traffic in different directions depending on the state of the connection. For example, the router can block all traffic from WAN to LAN, unless it is return traffic associated with a already existing connection. The Basic Setup wizard in EdgeOS adds the following firewall rules to the router:
WAN_IN
Matches on established/related and invalid traffic that is passed through the router (WAN to LAN).WAN_LOCAL
Matches on established/related and invalid traffic that is destined for the router itself (WAN to LOCAL).
Follow the steps below to manually create the firewall policies from the Basic Setup wizard:
1. Navigate to the Firewall/NAT tab.
2. Add a WAN_IN firewall policy and set the default action to drop.
Firewall/NAT > Firewall Policies > + Add Ruleset
Name: WAN_IN
Description: WAN to internal
Default action: Drop
2. Add two firewall rules to the newly created firewall policy.
Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > + Add New Rule
Description: Allow established/related
Action: Accept
Protocol: All protocols
Advanced > State: Established / Related
Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > + Add New Rule
Description: Drop invalid state
Action: Drop
Protocol: All protocols
Advanced > State: Invalid
3. Attach the firewall policy to the WAN interface in the inbound direction.
Firewall/NAT > Firewall Policies > WAN_IN > Actions > Interfaces
Interface: eth0
Direction: in
4. Add a WAN_LOCAL firewall policy and set the default action to drop.
Firewall/NAT > Firewall Policies > + Add Ruleset
Name: WAN_LOCAL
Description: WAN to router
Default action: Drop
5. Add two firewall rules to the newly created firewall policy.
Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Edit Ruleset > + Add New Rule
Description: Allow established/related
Action: Accept
Protocol: All protocols
Advanced > State: Established / Related
Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Edit Ruleset > + Add New Rule
Description: Drop invalid state
Action: Drop
Protocol: All protocols
Advanced > State: Invalid
6. Attach the firewall policy to the WAN interface in the local direction.
Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Interfaces
Interface: eth0
Direction: local
The above configuration can also be set using the CLI:
1. Enter configuration mode.
configure
2. Configure the WAN_IN firewall policy.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
3. Configure the WAN_LOCAL firewall policy.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
4. Attach the firewall policies to the WAN interface in the inbound and local direction.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
5. Commit the changes and save the configuration.
commit ; save
Full CLI configuration below:
configure
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
commit ; save
Related Articles
EdgeRouter - How to Create a Guest\LAN Firewall Rule
Intro to Networking - Network Firewall Security
Intro to Networking - How to Establish a Connection Using SSH