# Firewall Settings

The router firewall controls how packets are forwarded from incoming network interfaces to outgoing network interfaces. It adds another layer of granularity over what can be forwarded across interfaces and which packets are accepted as input or output.

## Firewall Zones

The firewall collects interfaces into zones to filter traffic logically. A zone can be configured to any set of interfaces. This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces:

* For a rule on packets originating in a zone, the packet must enter the router on one of the zone's interfaces.
* For a rule on packets being forwarded to a zone, the packet must exit the router on one of the zone's interfaces.

To configure the firewall zones, go to "Network > Firewall" after accessing the router. The first tab, "General Settings", allows you to modify the firewall zones. In most cases you can use the default firewall zone settings shown below.

<figure><img src="/files/vsSg9uq3GTly4DDtPwHN" alt=""><figcaption><p>Default Firewall Zone Settings on Cellular Router</p></figcaption></figure>

***

## Port Forwards <a href="#port-forwards" id="port-forwards"></a>

Port forwarding is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another. It allows remote computers to connect to the outdoor router within a private local-area network (LAN).

### i. General Settings <a href="#i-general-settings" id="i-general-settings"></a>

To enable port forwards, the "Forward" options must be allowed under the "General Settings" tab of the firewall zones. Then click the "Save & Apply" button for the change to take effect.

➀ Set "Forward" to "Accept" in the general settings section.\
➁ Scroll down to the "Zones" section and update the Forward column in the WAN row to "Accept."

<div align="left"><figure><img src="/files/qDo8bqHePAtyu2QkUa5r" alt="" width="375"><figcaption><p>i – Enable Forward Options on Cellular Router Firewall</p></figcaption></figure></div>

<div align="left"><figure><img src="/files/kI3guVqa86dk2791ii1a" alt="" width="375"><figcaption><p>ii – Add New Port Forward Rule on Firewall</p></figcaption></figure></div>

### ii. Port Forward (WAN) <a href="#ii-port-forwards-wan" id="ii-port-forwards-wan"></a>

Click the second tab labeled "Port Forwards" to configure port forwarding rules. You can refer to the preset port forward rules. Below is the step-by-step guidance for setting a new port forward rule.

1. Name – Enter your custom reference name. e.g., Test
2. Protocol – Select from TCP, UDP, or both.\
   *Note: If you don't know the exact protocol, choose TCP+UDP. If you know whether it is TCP or UDP, select that protocol only. This effectively reduces resource consumption.*
3. External Port – Set the port number you want to access from the external network.\
   *Note: We suggest selecting a WAN port between 1025\~25534. Do not use the standard ports occupied by other services, such as 23, 80, 433, 3389, 7700, 10080, etc.*
4. Destination Zone – Select LAN
5. Internal IP Address – Select from the list of connected intranet hosts.\
   *If you cannot find the host on the list, please recheck the IP settings on the host.*
6. Internal Port – Choose the port number that needs to be forwarded from the intranet host
7. Click the "Save" button and then the "Save & Apply" button on the firewall page to execute the new settings.

**Advanced Settings > NAT Loopback**

NAT Loopback is turned on by default. It allows intranet terminals to access local hosts using the public IP address of the routed external network interface. If you need to reduce the consumption of router resources, you can disable this function.

### iii. Local Forwards <a href="#iii-intranet-forwards" id="iii-intranet-forwards"></a>

The 5G router supports access to another connected host through the router's IP address and port number. You can set up intranet local forwarding using iptables.

To configure local forwarding, go to the last tab, "Custom Rules", and add new iptables rules. Below are example rules that forward 192.168.20.113:80 to the router's IP 192.168.20.1:1138.

<details>

<summary>Example Scripts</summary>

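```
# Rewrite traffic sent to the router at 192.168.20.1:1138 so it goes to 192.168.20.113:80
iptables -t nat -A PREROUTING -d 192.168.20.1 -p tcp --dport 1138 -j DNAT --to-destination 192.168.20.113:80

# Rewrite the source to the router's IP so the host's replies return through the router
iptables -t nat -A POSTROUTING -d 192.168.20.113 -p tcp --dport 80 -j SNAT --to-source 192.168.20.1
```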

</details>

<div align="left"><figure><img src="/files/lKM0DCpZ89O8CFApoX8S" alt="" width="375"><figcaption><p>Custom Firewall Rules of Local Forwards</p></figcaption></figure></div>
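The following check for "Custom Rules" content is an added example, not part of the router's firmware or the original manual. It flags DNAT rules whose listening port breaks the External Port guidance above (applying that guidance to local forwards is an assumption of this example) and DNAT rules with no matching SNAT rule. The function names and the third sample rule are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of "Custom Rules" content: the rule pair from this page plus
# one deliberately non-conforming rule (listens on port 80, has no matching SNAT).
sample_rules() {
cat <<'EOF'
iptables -t nat -A PREROUTING -d 192.168.20.1 -p tcp --dport 1138 -j DNAT --to-destination 192.168.20.113:80
iptables -t nat -A POSTROUTING -d 192.168.20.113 -p tcp --dport 80 -j SNAT --to 192.168.20.1
iptables -t nat -A PREROUTING -d 192.168.20.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.20.120:8080
EOF
}

# Reads iptables rule lines on stdin and prints one finding per line.
audit_nat_rules() {
    awk '
    # Return the word that follows option "name" on the current line, or "".
    function opt(name,   i) {
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    BEGIN {
        # Ports this page says to avoid, exactly as listed in the note.
        n = split("23 80 433 3389 7700 10080", list, " ")
        for (i = 1; i <= n; i++) avoid[list[i]] = 1
    }
    opt("-A") == "PREROUTING" && opt("-j") == "DNAT" {
        port = opt("--dport"); dest = opt("--to-destination")
        if (port in avoid) print "RESERVED_PORT " port
        else if (port + 0 < 1025 || port + 0 > 25534) print "OUT_OF_RANGE " port
        dnat[dest] = 1
    }
    opt("-A") == "POSTROUTING" && opt("-j") == "SNAT" {
        host = opt("-d"); sub(/\/32$/, "", host)
        snat[host ":" opt("--dport")] = 1
    }
    END {
        # Without SNAT the LAN host answers the client directly, bypassing the router.
        for (dest in dnat) if (!(dest in snat)) print "NO_SNAT " dest
    }'
}

sample_rules | audit_nat_rules
```

Paste the contents of the "Custom Rules" tab into a file and pipe it to `audit_nat_rules` in place of `sample_rules`; rules with port ranges or multiple ports are outside what this check parses.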

***

## Add A New Port <a href="#open-new-port" id="open-new-port"></a>

The 5G router has no port restrictions in its default settings. For specific applications, you may need to open a new port and configure custom rules. Here is a basic guide for that.

Go to "Network > Firewall > Tab: Traffic Rules" after accessing the router.

* Name – Enter your custom reference name.
* Protocol – Choose from TCP or UDP.
* Source Zone – Leave the default WAN value unchanged.
* Source Address – Enter the IP according to your requirements.
* Destination Zone – Leave the default LAN value unchanged.
* Destination Address – Enter the IP according to your requirements.
* Destination Port – Enter the port according to your requirements.
* Action – Choose from "Accept" or "Reject".

After inputting the above parameters, click the "Save" button. Then click "Save & Apply". After that, you will find the newly created port on the "Traffic Rules" list.

<figure><img src="/files/RtJEaPuwfa5oxqnNMFKI" alt=""><figcaption><p>5G Router Firewall Traffic Rules - Add New Port</p></figcaption></figure>


