Firewall Configuration
HopBox uses a zone-based firewall built on nftables (via the OpenWRT firewall framework). This guide covers how to configure firewall zones, traffic rules, and port forwarding — both from the local dashboard and the cloud.
Firewall Zones
Zones define trust boundaries in your network. By default, HopBox comes with three zones:
| Zone | Networks | Default Policy |
|---|---|---|
| LAN | Internal network (192.168.1.0/24) | Accept |
| WAN | Internet-facing interfaces | Reject |
| VPN | WireGuard/OpenVPN tunnels | Accept |
Traffic between zones is controlled by forwarding rules:
- LAN → WAN: Allowed (NAT masquerading)
- LAN → VPN: Allowed
- WAN → LAN: Rejected (unless port forwarding is configured)
- VPN → LAN: Allowed
Managing Zones via Cloud Dashboard
- Go to Devices → [Your Device] → Firewall → Zones
- Click on a zone to edit its settings
- Configure:
  - Input: Accept, Reject, or Drop incoming traffic to the device itself
  - Output: Accept or Reject outgoing traffic from the device
  - Forward: Accept or Reject traffic forwarded through this zone
- Click Save & Apply
Traffic Rules
Traffic rules let you allow or block specific types of traffic based on source, destination, port, and protocol.
Adding a Rule
Navigate to Firewall → Traffic Rules → Add Rule and configure:
- Name: Allow-SSH-LAN
- Source Zone: LAN
- Destination: Device (input)
- Protocol: TCP
- Port: 22
- Action: Accept
Common Rules
| Rule | Source | Destination | Protocol/Port | Action |
|---|---|---|---|---|
| Allow DNS | LAN | Device | UDP/53 | Accept |
| Allow DHCP | LAN | Device | UDP/67-68 | Accept |
| Block IoT Internet | IOT zone | WAN | Any | Reject |
| Allow ICMP | Any | Device | ICMP | Accept |
Port Forwarding
Port forwarding (DNAT) allows external traffic to reach internal services.
Example: Forward HTTP to Internal Server
- Name: Web-Server-Forward
- Source Zone: WAN
- External Port: 8080
- Destination: 192.168.1.100
- Internal Port: 80
- Protocol: TCP
This forwards traffic arriving on the WAN interface at port 8080 to an internal web server at 192.168.1.100:80.
SD-WAN Firewall Integration
When SD-WAN policies are active, the firewall works in coordination with the routing engine:
- Traffic matching an SD-WAN policy is routed through the designated WAN link before firewall output rules are evaluated
- VPN tunnel traffic bypasses WAN firewall rules (it’s treated as VPN zone traffic)
- QoS markings are applied after firewall acceptance
Cloud-Managed Firewall Templates
For multi-site deployments, you can create firewall templates in the cloud dashboard:
- Go to Templates → Firewall
- Define your zones, rules, and port forwards
- Assign the template to a device group
- All devices in the group will receive the configuration on next sync
Troubleshooting
Checking Active Rules
From the local dashboard, go to Status → Firewall to see all active nftables rules.
From the cloud dashboard, use Device → Terminal and run:
nft list ruleset
Common Issues
- Can’t access device from WAN: Check that the WAN zone input policy isn’t set to “Drop” for your management port
- LAN devices can’t reach internet: Verify that LAN → WAN forwarding is enabled and NAT masquerading is active
- VPN clients can’t reach LAN: Ensure VPN → LAN forwarding is allowed in the zone configuration
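As an added example, not HopBox's own tooling: a POSIX shell audit that reads saved `nft list ruleset` output and checks the LAN → WAN forward, the WAN masquerade, the WAN zone input policy and the Web-Server-Forward DNAT from the Port Forwarding section, using the chain names the OpenWrt fw4 framework generates (forward_lan, srcnat_wan, dstnat_wan, input_wan and the *_from_wan policy chains). That HopBox's build emits the same chain names is an assumption, and the embedded ruleset is a constructed, abbreviated sample in that shape.

```shell
#!/bin/sh
# Constructed sample in the shape of the ruleset OpenWrt's fw4 generates (abbreviated).
SAMPLE="${TMPDIR:-/tmp}/hopbox-ruleset.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
table inet fw4 {
	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
	}
	chain input_wan {
		jump reject_from_wan
	}
	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}
	chain dstnat_wan {
		meta nfproto ipv4 tcp dport 8080 dnat ip to 192.168.1.100:80 comment "!fw4: Web-Server-Forward"
	}
}
EOF
# Print the rules inside one chain ($1 = ruleset file, $2 = chain name).
chain_body() {
	awk -v c="$2" '$1 == "chain" && $2 == c { inside = 1; next }
	               inside && /^[[:space:]]*}[[:space:]]*$/ { inside = 0 }
	               inside' "$1"
}
# Checks print "ok" or "FAIL: <reason>" so they can be scripted.
check_lan_to_wan() {   # LAN -> WAN forwarding enabled (zone forward rule)
	chain_body "$1" forward_lan | grep -q 'jump accept_to_wan' \
		&& echo ok || echo "FAIL: no LAN -> WAN forward in forward_lan"
}
check_masquerade() {   # NAT masquerading active on the WAN zone
	chain_body "$1" srcnat_wan | grep -q masquerade \
		&& echo ok || echo "FAIL: no masquerade in srcnat_wan"
}
check_dnat() {         # $2 = external port, $3 = internal ip:port (single-port rules only)
	chain_body "$1" dstnat_wan | grep -Eq "dport $2 .*dnat ip to $3([^0-9]|$)" \
		&& echo ok || echo "FAIL: no DNAT $2 -> $3 in dstnat_wan"
}
wan_input_policy() {   # zone input policy = the final policy jump in input_wan
	chain_body "$1" input_wan | awk '/jump (accept|reject|drop)_from_wan/ { p = $2 }
		END { sub(/_from_wan/, "", p); print (p == "" ? "unknown" : p) }'
}
audit() {
	echo "LAN->WAN forward: $(check_lan_to_wan "$1")"
	echo "WAN masquerade:   $(check_masquerade "$1")"
	echo "DNAT 8080->web:   $(check_dnat "$1" 8080 192.168.1.100:80)"
	echo "WAN input policy: $(wan_input_policy "$1")  (expect reject or drop)"
}
audit "$SAMPLE"
```

On the device, capture the live ruleset with `nft list ruleset > /tmp/ruleset.txt` and call `audit /tmp/ruleset.txt` in place of the sample.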