
EdgeRouter - How to Create a WAN Firewall Rule

Overview

Readers will learn how to create firewall rules that protect the router and the Local Area Network (LAN) from unsolicited traffic arriving on the Wide Area Network (WAN) interface.

NOTES & REQUIREMENTS:
  • Applicable to the latest EdgeOS firmware on all EdgeRouter models.
  • The rules that are manually created using this article can also be automatically created by running the Basic Setup wizard.
  • The latest EdgeOS firmware can be downloaded from the EdgeRouter Downloads page.

Adding Firewall Rules


[Figure: network topology diagram (WAN - EdgeRouter - LAN)]

Firewall policies are used to allow traffic in one direction (for example, connections opened from the LAN toward the Internet) while blocking unsolicited traffic in the other (connections opened from the Internet toward the LAN or toward the router itself).

The EdgeRouter uses a stateful firewall, which means it tracks connections and the firewall rules can match on the state of the connection a packet belongs to. The connection states are:

  • new The packet starts a connection the router has not seen before (for example a TCP SYN, or the first UDP datagram of a flow).
  • established The packet belongs to a connection the router is already tracking, one that has seen packets in both directions. Return traffic for a connection opened from the LAN falls into this state.
  • related The packet starts a new connection, but one associated with an existing tracked connection, such as an ICMP error message referring to an existing flow or the data connection of an FTP session.
  • invalid The packet cannot be associated with any known connection (for example a TCP segment for a connection the router has never seen, or a malformed packet).

Using these connection states, the router can accept or drop traffic in each direction depending on the state of the connection a packet belongs to. For example, the router can block all traffic from WAN to LAN unless it is return traffic for an already existing connection that was opened from the LAN. The Basic Setup wizard in EdgeOS adds the following firewall policies to the router:

  • WAN_IN Applied to traffic that is passed through the router (WAN to LAN): accepts established/related traffic and drops invalid traffic.
  • WAN_LOCAL Applied to traffic destined for the router itself (WAN to LOCAL): accepts established/related traffic and drops invalid traffic.

Both policies have a default action of drop. Anything that matches neither rule, in particular a new connection attempt arriving from the WAN, falls through to that default action. It is the default-action drop, not the two explicit rules, that blocks unsolicited inbound traffic; the rules only make return traffic work and discard packets that cannot belong to any connection.
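The following is an added example, not code from this article or from EdgeOS: a small Python simulation of how the WAN_IN policy described above treats packets in each of the four states. The connection tracker is a deliberately minimal stand-in for the Linux conntrack engine the EdgeRouter actually uses (it ignores NAT, TCP sequence tracking and timeouts), and the interface names (eth0 as WAN, eth1 as LAN), addresses and packets are constructed for illustration.

```python
"""Toy simulation of stateful matching for a WAN_IN policy.
Added example, not code from the article or from EdgeOS: the tracker is a
small stand-in for Linux conntrack (no NAT, no TCP sequence tracking, no
timeouts); interface names, addresses and packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_IFACE = "eth0"   # assumption: eth0 is the WAN interface, eth1 the LAN interface
Tuple5 = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrives on
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False           # TCP SYN without ACK, i.e. a connection attempt
    icmp_error_for: Optional[Tuple5] = None   # 5-tuple quoted inside an ICMP error


def five_tuple(p: Packet) -> Tuple5:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse(t: Tuple5) -> Tuple5:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class Conntrack:
    """Remembers accepted flows (originator direction) and classifies packets."""

    def __init__(self) -> None:
        self.flows: set = set()

    def known(self, t: Tuple5) -> bool:
        return t in self.flows or reverse(t) in self.flows

    def classify(self, p: Packet) -> str:
        if self.known(five_tuple(p)):
            return "established"            # reply or follow-up for a tracked flow
        if p.proto == "icmp" and p.icmp_error_for is not None:
            # an ICMP error is not a flow of its own; it is related to the flow it quotes
            return "related" if self.known(p.icmp_error_for) else "invalid"
        if p.proto == "tcp" and not p.syn:
            return "invalid"                # mid-stream segment for a flow never seen
        return "new"

    def record(self, p: Packet) -> None:
        self.flows.add(five_tuple(p))


# WAN_IN as the article builds it: rule 10, rule 20, then default-action drop
WAN_IN_RULES = [
    (10, "Allow established/related", {"established", "related"}, "accept"),
    (20, "Drop invalid state", {"invalid"}, "drop"),
]
WAN_IN_DEFAULT = "drop"


def evaluate(ct: Conntrack, p: Packet) -> Tuple[str, str, str]:
    """Return (state, action, what matched) for one packet and update the tracker."""
    state = ct.classify(p)
    if p.iface != WAN_IFACE:
        # nothing is attached to the LAN interface in the 'in' direction, so traffic passes
        action, matched = "accept", "no policy attached"
    else:
        action, matched = WAN_IN_DEFAULT, "default-action"
        for num, desc, states, act in WAN_IN_RULES:
            if state in states:
                action, matched = act, f"rule {num} ({desc})"
                break
    if action == "accept" and state == "new":
        ct.record(p)    # only accepted connection attempts become tracked flows
    return state, action, matched


def simulate(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    ct = Conntrack()
    return [evaluate(ct, p) for p in packets]


# Constructed traffic (documentation address ranges): a LAN client talking out,
# and the kinds of packet that then arrive on the WAN interface
SAMPLE_TRAFFIC = [
    Packet("eth1", "tcp", "192.168.1.10", 51000, "198.51.100.20", 443, syn=True),  # LAN opens HTTPS
    Packet("eth0", "tcp", "198.51.100.20", 443, "192.168.1.10", 51000),            # server replies
    Packet("eth0", "tcp", "203.0.113.5", 40000, "192.168.1.10", 22, syn=True),     # unsolicited SSH attempt
    Packet("eth0", "tcp", "203.0.113.5", 40001, "192.168.1.10", 22),               # stray ACK, no flow
    Packet("eth1", "udp", "192.168.1.10", 53000, "198.51.100.53", 53),             # LAN sends DNS query
    Packet("eth0", "icmp", "198.51.100.53", 0, "192.168.1.10", 0,                  # ICMP error quoting it
           icmp_error_for=("udp", "192.168.1.10", 53000, "198.51.100.53", 53)),
]

if __name__ == "__main__":
    for p, (state, action, matched) in zip(SAMPLE_TRAFFIC, simulate(SAMPLE_TRAFFIC)):
        print(f"{p.iface} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"{state:11} {action:6} via {matched}")
```

Running the simulation shows the point of the policy: the HTTPS reply and the ICMP error are accepted by rule 10 because the LAN host opened the flows they belong to, the stray ACK is dropped by rule 20, and the unsolicited SSH SYN matches neither rule and is dropped only because the default action is drop.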

Follow the steps below to manually create the firewall policies from the Basic Setup wizard:

GUI: Access the EdgeRouter Web UI.

1. Navigate to the Firewall/NAT tab.

2. Add a WAN_IN firewall policy and set the default action to drop.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: WAN_IN
Description: WAN to internal
Default action: Drop

3. Add two firewall rules to the newly created firewall policy.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > + Add New Rule

Description: Allow established/related
Action: Accept
Protocol: All protocols
Advanced > State: Established / Related

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Edit Ruleset > + Add New Rule

Description: Drop invalid state
Action: Drop
Protocol: All protocols
Advanced > State: Invalid

4. Attach the firewall policy to the WAN interface (eth0 in this example) in the inbound direction.

Firewall/NAT > Firewall Policies > WAN_IN > Actions > Interfaces

Interface: eth0
Direction: in

5. Add a WAN_LOCAL firewall policy and set the default action to drop.

Firewall/NAT > Firewall Policies > + Add Ruleset

Name: WAN_LOCAL
Description: WAN to router
Default action: Drop

6. Add two firewall rules to the newly created firewall policy.

Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Edit Ruleset > + Add New Rule

Description: Allow established/related
Action: Accept
Protocol: All protocols
Advanced > State: Established / Related

Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Edit Ruleset > + Add New Rule

Description: Drop invalid state
Action: Drop
Protocol: All protocols
Advanced > State: Invalid

7. Attach the firewall policy to the WAN interface in the local direction.

Firewall/NAT > Firewall Policies > WAN_LOCAL > Actions > Interfaces

Interface: eth0
Direction: local

NOTE: EdgeRouter firewall policies only become active when they are attached to an interface + direction. A policy that is defined but not attached filters nothing.

The above configuration can also be set using the CLI:

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Configure the WAN_IN firewall policy.

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'

set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable

set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable

3. Configure the WAN_LOCAL firewall policy.

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'

set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable

set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

4. Attach the firewall policies to the WAN interface in the inbound and local direction.

set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

NOTE: EdgeRouter firewall policies only become active when they are attached to an interface + direction.

5. Commit the changes and save the configuration.

commit ; save

Full CLI configuration below:

configure

set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL

commit ; save
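Whether the policies were built in the GUI or with the CLI commands above, the result is the same set of configuration statements, and the two things that most often go wrong are a policy that is defined but never attached and a default action that was left on accept. The following is an added example, not code from this article or from Ubiquiti: a Python script that parses EdgeOS `set` commands (as produced by `show configuration commands`) and reports those conditions for the WAN interface. The GOOD_CONFIG string is the article's own configuration; WEAK_CONFIG is a constructed, deliberately misconfigured variant, and the `eth0` default and the finding wording are this example's choices.

```python
"""Offline audit of EdgeOS 'set' commands for the WAN_IN / WAN_LOCAL policies.
Added example, not code from the article or from Ubiquiti. GOOD_CONFIG is the
article's configuration; WEAK_CONFIG is a constructed misconfigured variant."""
import re
from typing import Dict, List, Tuple

SET_FW = re.compile(r"^set firewall name (\S+) (.+)$")
SET_IF = re.compile(r"^set interfaces ethernet (\S+) firewall (in|out|local) name (\S+)$")
NON_CRITERIA = {"action", "description", "state", "log"}   # rule keys that do not narrow the match


def parse_config(text: str) -> Tuple[Dict, Dict[Tuple[str, str], str]]:
    """Return ({policy: {'default-action', 'rules': {num: {...}}}}, {(iface, direction): policy})."""
    policies: Dict = {}
    attachments: Dict[Tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_FW.match(line)
        if m:
            name, parts = m.group(1), m.group(2).split()
            pol = policies.setdefault(name, {"default-action": None, "rules": {}})
            if parts[0] == "default-action":
                pol["default-action"] = parts[1]
            elif parts[0] == "rule":
                rule = pol["rules"].setdefault(int(parts[1]), {"state": set(), "criteria": set()})
                key = parts[2]
                if key == "action":
                    rule["action"] = parts[3]
                elif key == "state" and parts[4] == "enable":
                    rule["state"].add(parts[3])
                elif key not in NON_CRITERIA:
                    rule["criteria"].add(key)      # protocol, source, destination, ...
            continue
        m = SET_IF.match(line)
        if m:
            iface, direction, name = m.groups()
            attachments[(iface, direction)] = name
    return policies, attachments


def audit_wan(text: str, wan_iface: str = "eth0") -> List[str]:
    """Return findings for the WAN interface; an empty list means the policies look as intended."""
    policies, attachments = parse_config(text)
    findings: List[str] = []
    for direction in ("in", "local"):
        name = attachments.get((wan_iface, direction))
        if name is None:
            findings.append(f"{wan_iface} {direction}: no policy attached, this direction is not filtered")
            continue
        pol = policies.get(name)
        if pol is None:
            findings.append(f"{wan_iface} {direction}: policy {name} is attached but never defined")
            continue
        rules = pol["rules"].values()
        if pol["default-action"] != "drop":
            findings.append(f"{name}: default-action is {pol['default-action']}, expected drop")
        if not any(r.get("action") == "accept" and {"established", "related"} <= r["state"] for r in rules):
            findings.append(f"{name}: no accept rule matching established/related state")
        if not any(r.get("action") == "drop" and "invalid" in r["state"] for r in rules):
            findings.append(f"{name}: no rule dropping invalid state")
        for num, r in sorted(pol["rules"].items()):
            if r.get("action") == "accept" and not r["state"] and not r["criteria"]:
                findings.append(f"{name} rule {num}: accepts all traffic (no state or match criteria)")
    return findings


GOOD_CONFIG = """
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
"""

# Constructed: WAN_IN is defined but never attached, WAN_LOCAL defaults to accept
# and carries a rule with no match criteria at all
WEAK_CONFIG = """
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action accept
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow all'
set interfaces ethernet eth0 firewall local name WAN_LOCAL
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_wan(cfg) or ["no findings"])
```

The checks mirror the article's intent rather than anything EdgeOS enforces: a policy only counts if it is attached to the WAN interface in that direction, the default action must be drop, and the explicit rules must be the narrow established/related accept and invalid drop. An accept rule with no state and no other match criteria is flagged because, placed before the default action, it silently turns the policy into accept-all.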

Related Articles


EdgeRouter - How to Create a Guest/LAN Firewall Rule

Intro to Networking - Network Firewall Security

Intro to Networking - How to Establish a Connection Using SSH
