Please help with Firewall setting

Hi All,

i have issues understanding the Firewall concept of my Turris Omnia (6.3.3)

My environment is like this:
Internet - IPS Router (x.x.1.1)
ISP Router - Turris (x.x.2.1)
static IP for Playstation x.x.2.40 (connected by wifi)

I want to access to my Playstation from Outside (using wake on lan with the remote play app)
Everything else shout not be able to connect.

My Turris Firewall Setting is like this:
General Settings:

  • Input: Reject
  • Output: Reject
  • Forward: Reject

Zone WAN - Reject:

  • Input: Reject
  • Output: Reject
  • Forward: Reject

Zone LAN - WAN:

  • Input: Accept
  • Output: Accept
  • Forward: Accept

Traffic Rule:

  • None Rules

Based on this settings connection (from mobile) can be established to playstation.
And I don’t understand why? For my understanding is should blocked, right?
Can anyone please please help here :slight_smile:

Thanks a lot OI

Simple question - is the first router in gateway mode (it should be) ?
The first router “Internet - IPS Router (x.x.1.1)” is necessary ? Why ?

Hi @JardaB ,
thanks a lot for your replay.

No, the IPS Router do not support gateway mode. I have a static route to the turris.
Why: I need it because of my ISP TV over IP. I also use the ISP Router for Guest-Wifi and Surveillance Cam net. Turris is for Internal and IT devices.

Therefor, as an Test i would like to block every incomming request from WAN to LAN, beside my specificaitons. As an test: access to my playstation.

I tried a lot of configs, but it doesnt make any sense for me.
Thanks for your help.
best regards,

I’m trying to understand our setup. Do you have multiple Public IPv4 addresses? Or do you have NAT runniung on boith routers? If (x.x.1.1) is like or you don’t need to hide the numbers, it is common addressing plan.
If you have two NATs, and no port forwarding, and still able to connect from public Internet to LAN devices, then there is something really wrong in your network setup.
If you are Rejecting all traffic on WAN, you are effectively blocking any traffic on the interface.
How do you connect your mobile to your playstation? Does not playstation have some kind of tunneling that would make it work automatically behind NAT?

Let me try to explain in more detail.
My ISP-Router has the IP and is connected to the internet
At the WAN Port of the ISP-Router my Turris is wired with a static IP

From ISP-Router to Turris is a static route: Target Network forward to
On my Turris I have the interface WAN and LAN (Internal IT Devices and Playstation)
The Turris Network setting is (<- it is a different IP “internal”, then the static IP from the ISP-Router)

My Aim is to block every connection from WAN to the LAN. As long as I don’t set a specific policy to allow traffic.

And what i dont understand is my settings.
wan > drop: input output and forward is drop
lan ( every eth and wifi) > wan: is allow

for my understanding, every connection from WAN to LAN should now be stopped and so the connection from ISP over WAN to my LAN should also be blocked right?

maybe i do not understand the concept of zoning. The gui is a bit strange. specially within the zone settings.

//Edit: Let my test something else.
I have my ipad over Wifi at the ISP with a static IP:
With the current setting, i am not allowed to connect to the turris

Now i create a Traffic policy: from WAN - IP to LAN: Destination to allow. but connection is not working.

I tried also these settings:
Zone Wan to LAN: Input output forward to drop
Traffic Policy: From WAN (Source ip Ipad to source LAN (IP Allow
→ it create a allow forward policy (why forward?!)
Result: I can NOT access the Turris (

When I create a Policy
WAN (Des IP IPAD) to “this device” des port
→ it creates a allow output
Result: My IPAD can access to all IPs, not only the… this is really strange to me.

@JardaB and @xsys: any idea?

well, I’m not sure, thinking about following:

  • make sure you have NAT turned off on Omnia
  • during Omnia initial setup wizard you can choose if it will work as NAT Router, simple router or Client, so maybe you have choosen wrong type, I would suggest performing factory reset (use current image) and try again
  • try turning Firewall completely off and see if routing works as expected first

Btw. I’m not too familiar with Omnia’s Firewall…