Firewall Zone | Why can I ping a host on the LAN


why can I ping a host on the LAN from the VPN server over the VPN connection?

[VPN Server] --vpn-- [VPN Client RUTX08 LAN] --lan-- Client

No traffic rules are enabled.


Because (openvpn → lan) input is enabled and RUTX08 and host is in the same zone “LAN”?

Can not drop the openvpn input for testing since I access the RUTX08 webinterface over VPN…


Correct, you will need to remove the LAN forwarding from the VPN zone in order to make the LAN network unreachable from the VPN. To do so, edit the openvpn → LAN zone, and at the bottom you’ll see a field Allow forward to destination zones. Remove LAN from this field.
Since you want to still be able to access the RUTX08 GUI, I suggest setting the INPUT chain to Accept. This way you should be able to access the RUTX08 using it’s VPN tunnel IP address, but not the LAN network.

Let me know if any additional information is needed!

Best regards,

1 Like


thanks for the reply.

I guess the headline in combination with the default INPUT/OUTPUT/FORWARD settings is the most confusing point for me.


Should it not labeled ZONE only?
But, no issue if I know the system, what I do now hopefully :slight_smile:

To clarify (for me):

If “network package not match”:

  1. General Settings Input/Output/Forward
  2. Settings per Zone
  3. Firewall rules
  4. Drop

Is this right?



The Input/Output/Forward flags symbolize the following as per the WebUI:

  • Input - Default policy for traffic entering the zone. So if this flag is set to Accept, you’d be able to reach the WebUI of the device using it’s WAN IP address:
    However, the packets to the LAN zone will be rejected (don’t forget that a static route is needed on the uplink router):

  • Output - Default policy for traffic originating from and leaving the zone. This is quite self explanatory - packets from other zones (that can forward to WAN zone) are allowed to exit via this zone, usually, to the internet.

  • Forward - Default policy for traffic forwarded between the networks belonging to the zone. Let’s say you have multiple networks assigned to the WAN zone (e.g. two wired WANs configured for Failover). Setting this flag to Accept will simply allow to forward the packets between these WAN networks.

Now for the LAN zone to be reachable from WAN, you need to allow WAN zone to forward ALL packets with destination address within the LAN zone to the LAN network. Coming back to my Input chain example, without WAN → LAN forwarding, from WAN I will not be able to reach my PC in LAN:


But if I add LAN to the Allow forward to destination zones on the WAN firewall zone:


So your explanation:

Is mainly correct. Points 1 and 2 are very similar, but is none of these are satisfied, and if a firewall rule is not available, then the packet will be rejected (different than dropped).

Hope this explains it!

Best regards,

1 Like

Thank you @Daumantas

1 Like

This topic was automatically closed after 15 days. New replies are no longer allowed.