The router firewall controls how packet streams are forwarded from incoming network interfaces to outgoing network interfaces.
Firewall rules add another layer of granularity: they determine what may be forwarded across interfaces and which packets the router itself may accept as input or send as output.
1 Firewall Zones
The firewall can collect interfaces into zones to filter traffic logically. A zone can be configured with any set of interfaces. This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces:
A rule for a packet originating in a zone applies to packets entering the router on one of the zone's interfaces,
A rule for a packet being forwarded to a zone applies to packets exiting the router on one of the zone's interfaces.
After accessing the router, go to "Network > Firewall" to enter the "Firewall - Zone Settings". "SYN-Flood Protection" is enabled by default. You can use the default firewall zone settings in most cases.
Default firewall zone settings
2 Port Forwarding
Port forwarding uses network address translation (NAT) to redirect a communication request from one address and port number combination to another. Port forwarding allows remote computers to connect through the outdoor router to a host within a private local-area network (LAN).
Log in to the router, go to "Network > Firewall."
Under the "General Settings" tab, change Forward to "Accept."
In the Zones section, change the Forward setting on the WAN row from "Reject" to "Accept."
Click the "Save & Apply" button in the bottom right corner.
Firewall - General Settings
Public Port Forwards
Click the "Port Forwards" tab and fill in the "New port forward" section:
Name: Enter the reference name. e.g., Test
Protocol: Select from "TCP, UDP, and TCP+UDP"
If you don't know the protocol, choose TCP+UDP. If you know whether the service uses TCP or UDP, select only that protocol; this effectively reduces resource consumption.
External Zone: Select "WAN"
External Port: Set the port number you want to access from the external network
We suggest selecting a WAN port between 1025~25534. Do not use standard ports occupied by other services, such as 23, 80, 433, 3389, 7700, 10080, etc.
Internal Zone: Select "LAN"
Internal IP Address: Select from the list of connected intranet hosts.
If you cannot find the host in the list, re-check the local network settings.
Internal Port: Enter the port number on the intranet host that traffic should be forwarded to
Click the button "Save & Apply" to execute the new settings.
Firewall - New Port Forwards
The above example forwards the local host 192.168.30.113:80 to WAN port 1180, so port 80 on the host 192.168.30.113 can be reached from the public IP address plus port number 1180.
The public port forward does not change the port used to access the host from within the local network.
NAT Loopback is turned on after a new port forward rule is saved. It allows intranet terminals to access local hosts by using the public IP address of the routed external network interface. To reduce the consumption of router resources, you can click the "Edit" button on the saved port forward rule list to disable it.
Public port forwarding relies on a public IP address. Most 4G internet connections obtain a private IP address. Please get a public IP from the 4G carrier to activate public port forwarding.
Make sure to use a WAN port the 4G carrier has not blocked.
As an alternative to a public 4G IP address, you can also try forwarding to an OpenVPN or WireGuard server through the VPN tunnel.
To access another host from the local network, we can set up intranet forwarding based on iptables in the firewall settings.
Go to "Network > Firewall," and click the "Custom Rules" tab. Add the new iptables rules. Below are example rules to forward 192.168.30.113:80 to router IP 192.168.30.1:1180.
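One way to write such intranet forwarding rules, as an added example that is not the vendor's own code: the script validates its inputs and prints the iptables lines for pasting into "Custom Rules". The function names and the LAN subnet 192.168.30.0/24 are assumptions; the addresses and ports are those of the page's example.

```shell
#!/bin/sh
# Added example, not the vendor's rules. It only prints the rules; nothing is
# applied to the running firewall.

valid_port() {   # digits only, 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # four dot-separated octets, each 0-255
    printf '%s\n' "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0 }
        { exit 1 }'
}

intranet_forward_rules() {
    router_ip=$1; ext_port=$2; host_ip=$3; host_port=$4; lan_net=$5; proto=${6:-tcp}
    { valid_ipv4 "$router_ip" && valid_ipv4 "$host_ip" && valid_ipv4 "${lan_net%/*}"; } ||
        { echo "invalid IPv4 address" >&2; return 1; }
    case "$lan_net" in */[0-9]|*/[12][0-9]|*/3[0-2]) ;;
        *) echo "LAN network must be in CIDR form" >&2; return 1 ;; esac
    { valid_port "$ext_port" && valid_port "$host_port"; } ||
        { echo "port out of range" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac

    # 1. Rewrite the destination only for clients inside the LAN (-s), so this
    #    rule does not expose the internal host to the WAN side.
    echo "iptables -t nat -A PREROUTING -s $lan_net -d $router_ip -p $proto" \
         "--dport $ext_port -j DNAT --to-destination $host_ip:$host_port"
    # 2. Hairpin SNAT: client and host share a subnet, so without this the host
    #    would reply directly to the client and the connection would break.
    echo "iptables -t nat -A POSTROUTING -s $lan_net -d $host_ip -p $proto" \
         "--dport $host_port -j SNAT --to-source $router_ip"
    # 3. Allow the translated flow through the forward chain.
    echo "iptables -A FORWARD -s $lan_net -d $host_ip -p $proto" \
         "--dport $host_port -j ACCEPT"
}

# Values from the page's example; 192.168.30.0/24 is an assumed LAN subnet.
intranet_forward_rules 192.168.30.1 1180 192.168.30.113 80 192.168.30.0/24
```

Because of the SNAT rule, the internal host logs the router's address as the client for these connections rather than the real LAN client.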