The WAN interface is set to DHCP client and passes the WAN connection test
in reForis admin webpage.
The problem is not with the WAN connection, which passes the diagnostic ping test, but
with the LAN connection. When a ping is attempted from a device on the LAN to
a DNS server, this test fails. The error message is "Destination Host Unreachable".
So the question is, why is the WAN connection ping working fine, but the ping from
within the LAN fails?
I suspect NAT is the problem. Check if you have Masquerade enabled on the WAN zone in Firewall settings. Also, you posted a link to a private address in your network, and nobody but you can access that. It's not a public IP.
You are correct that masquerading was turned off. What does this setting do exactly?
Is there a wiki article on this? Also, is there a wiki article on how to set up the firewall settings?
If you are unsure about the setting, you should stick with the defaults, which are sufficiently secure. Mark the topic as solved if you think it solved your issue.
There are no good settings. It depends on what you are trying to achieve. These are the defaults. There is an ongoing debate about whether one should use Drop or Reject on Input, but it should be OK with Reject. Also, the rest of the settings are safe defaults.
Which partially seems to be based on misinformation… the difference is:
drop: will silently ignore unsolicited packets for which no exempting rules exist in the firewall configuration
reject: additionally will tell the sender that a packet was rejected
One big argument for “drop” seems to be that that way the existence of an address can be hidden or “stealthed”; however, many ISPs will generate differential responses depending on whether an IP address is in use or not, so “drop” will not make your router invisible. (It will still offer less information for fingerprinting, so a remote party will have a harder time figuring out what OS that router is using.)
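To make the two settings discussed in this thread concrete (masquerading on the WAN zone, and the Input policy on that zone), here is an added example, not code from the thread or from Turris/OpenWrt, that reads an OpenWrt-style `/etc/config/firewall` and reports both values for a zone. The two config snippets inside it are constructed for the example; the `masq '0'` one reproduces the state the original poster found.

```sh
# Added example (not from the thread): inspect an OpenWrt/Turris-style
# /etc/config/firewall and report, for one zone, whether masquerading (NAT)
# is on and which INPUT policy (REJECT/DROP/ACCEPT) it uses.

# Usage: zone_summary ZONENAME < /etc/config/firewall
# Prints "masq=<0|1> input=<POLICY>" for the zone whose 'option name' matches.
zone_summary() {
    awk -v want="$1" -v q="'" '
        # Emit the current zone block if it is the one we were asked about.
        function flush() {
            if (cur && name == want) printf "masq=%s input=%s\n", masq, input
        }
        /^config zone/ { flush(); cur = 1; name = ""; masq = "0"; input = ""; next }
        /^config /     { flush(); cur = 0; next }
        cur && $1 == "option" {
            v = $3; gsub(q, "", v)          # strip the UCI single quotes
            if ($2 == "name")       name  = v
            else if ($2 == "masq")  masq  = v
            else if ($2 == "input") input = v
        }
        END { flush() }'
}

# Exit 0 when masquerading is enabled on the named zone, 1 otherwise.
zone_masq_enabled() {
    printf '%s\n' "$2" | zone_summary "$1" | grep -q 'masq=1'
}

# Constructed sample: a wan zone with masquerading switched off. LAN clients
# then leave with private source addresses and never get replies back.
BROKEN_CFG=$(cat <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '0'
EOF
)

# The same zone with the default: masquerading on, INPUT left at REJECT.
FIXED_CFG=$(printf '%s\n' "$BROKEN_CFG" | sed "s/option masq '0'/option masq '1'/")

printf '%s\n' "$BROKEN_CFG" | zone_summary wan   # masq=0 input=REJECT
printf '%s\n' "$FIXED_CFG"  | zone_summary wan   # masq=1 input=REJECT
```

On a real router, `uci show firewall` gives the same zone options in `firewall.@zone[N].masq` / `.input` form if you prefer to query them that way.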