The IQrouter has a built-in Firewall status tool, accessed from the Status->Firewall menu, that displays your Firewall Rules and PortForwards (redirect) along with information found for individual rules.

Firewall rules are used to define basic accept, drop, or reject rules to allow or restrict access to specific ports or hosts. The rules can be configured through the Advanced Menu “Network ⇒ Firewall” menu option in the “Traffic Rules” tab.

For details on how to create firewall rules see:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules.

The configuration pages do a good job of error-checking for basic issues with firewall rules. However, mistakes can still be made when creating firewall rules that can cause the firewall to work incorrectly, cause performance issues or create a vulnerability in your network.

In some cases, mistakes made creating firewall rules through the command line can cause the configuration pages to crash. If you experience a crash in the Advanced Menu “Network ⇒ Firewall” menu, it is recommended that you delete the command line changes and try to add the rule/redirect through the configuration pages.

The following describes the Status->Firewall page and how it highlights potential or actual problems with your current firewall configuration.

The page has two sections, the first is the Traffic Rules, and the next is the Port Forwards section.

Each rule shows a status of “Running” or “Error”.

An error status indicates the firewall rule could not be loaded by the firewall engine. The specific reason the rule failed to load is shown by clicking the “Error” status text. If other rule details are highlighted in red, more help is shown when you click on the highlighted text.

A running firewall rule indicates the firewall engine successfully loaded the rule. A running firewall rule may still have configuration issues that can cause the firewall to work incorrectly, cause performance issues or create a vulnerability in your network. These possible issues are highlighted in red. Clicking on the highlighted text will show additional help text about the potential issue found.

(Screenshot: clicking on the red ‘DVRAccess’ text)

(Screenshot: clicking on the red ‘guest’ text)

Some highlighted issues may be correct for your specific firewall implementation. This page simply tries to highlight the potential problems. The following types of firewall rules will be highlighted.

  • Switching WAN and LAN zones. All outbound ports are usually open, so a new rule opening ports from lan to wan usually indicates incorrect selection for source and destination zones.

  • Opening inbound dangerous ports. Application guides will often list all ports used with no mention of direction. This can result in all listed ports open for inbound traffic.

    • Ports such as http, https, ssh and ftp are flagged.

    • These ports can be open for legitimate reasons. If you are confident that you need this port open and have secured access, then you can ignore this warning.

  • Allow GUEST to LAN zone traffic. It can sometimes be legitimate to open a port to a specific server, such as a camera DVR, but this is usually an error.

  • Setting a DSCP classification rule to CS7. Pushing everything into the voice tier can result in the ISP stripping DSCP if the packets are too long. It might even wash all DSCP from your traffic. Only actual voice/audio traffic should get this mark.

  • Port forwarding to more than one target. Only the first target will get the traffic.

  • Interzone forwards with multiple sources and/or destinations are flagged as a caution.

  • Malformed rule. The firewall configuration page will usually catch missing entries and other rule errors. However, rules can be created using the command line interface, which has no error checking. These issues will be highlighted by the “Error” status.

  • Default rule changes. The IQrouter has several default rules configured out of the box. In most cases, these rules should not be changed. Any changes to these rules will be highlighted. You can rename the Firewall Rule if you meant to change the default rule and want to clear the highlights.
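As an added illustration (not IQrouter's own checker, and not code from this page), the following Python script parses a constructed OpenWrt-style UCI firewall fragment and applies several of the heuristics listed above: swapped lan/wan zones, inbound accept on http/https/ssh/ftp, guest-to-lan access, DSCP CS7 marking and a port forward with more than one target. The rule names, addresses and ports in the sample are hypothetical, and the default rule and redirect targets are taken from the OpenWrt firewall documentation.

```python
"""Lint an OpenWrt-style UCI firewall config for the rule patterns the
Status->Firewall page flags. Added example; not IQrouter's own checker."""
import re
from collections import defaultdict

# Constructed /etc/config/firewall fragment; names, addresses and ports are hypothetical.
SAMPLE_CONFIG = """
config rule
    option name 'Wrong-Zones'
    option src 'lan'
    option dest 'wan'
    option dest_port '3478'
    option target 'ACCEPT'
config rule
    option name 'Allow-SSH-WAN'
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'
config rule
    option name 'DVRAccess'
    option src 'guest'
    option dest 'lan'
    option dest_ip '192.168.1.50'
    option dest_port '8080'
    option target 'ACCEPT'
config rule
    option name 'Mark-Everything'
    option src 'lan'
    option dest 'wan'
    option target 'DSCP'
    option set_dscp 'CS7'
config rule
    option name 'Mark-Jamulus'
    option src 'lan'
    option dest 'wan'
    option proto 'udp'
    option dest_port '22124'
    option target 'DSCP'
    option set_dscp 'CS6'
config redirect
    option name 'Game-A'
    option src 'wan'
    option src_dport '27015'
    option dest 'lan'
    option dest_ip '192.168.1.20'
config redirect
    option name 'Game-B'
    option src 'wan'
    option src_dport '27015'
    option dest 'lan'
    option dest_ip '192.168.1.21'
"""

DANGEROUS_PORTS = {21: 'ftp', 22: 'ssh', 80: 'http', 443: 'https'}

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value}), ...]; 'list' keys collect into lists."""
    sections, current = [], None
    for raw in text.splitlines():
        m = re.match(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)'|\s+(\S+))?$", raw.strip())
        if not m:
            continue  # blank lines, comments and unknown syntax are skipped
        kw, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kw == 'config':
            current = {}
            sections.append((key, current))
        elif current is not None and kw == 'option':
            current[key] = value
        elif current is not None:
            current.setdefault(key, []).append(value)
    return sections

def port_in_spec(port, spec):
    """True if port falls inside a UCI port spec such as '22', '80 443', '22,80' or '8000-8100'."""
    for item in re.split(r'[\s,]+', spec.strip()):
        lo, _, hi = item.partition('-')
        if lo.isdigit() and int(lo) <= port <= int(hi if hi.isdigit() else lo):
            return True
    return False

def lint_firewall(text):
    """Return [(rule name, warning), ...] for the patterns the Status->Firewall page highlights."""
    findings, forwards = [], defaultdict(set)
    for stype, s in parse_uci(text):
        name, src, dest = s.get('name', '<unnamed>'), s.get('src'), s.get('dest')
        # Defaults follow the OpenWrt firewall docs: rule target DROP, redirect target DNAT.
        target = s.get('target', 'DROP' if stype == 'rule' else 'DNAT')
        if stype == 'rule' and target == 'ACCEPT':
            if src == 'lan' and dest == 'wan':
                findings.append((name, 'lan->wan accept: outbound is already open, zones are probably swapped'))
            if src == 'wan' and 'dest_port' in s:
                hits = [svc for p, svc in DANGEROUS_PORTS.items() if port_in_spec(p, s['dest_port'])]
                if hits:
                    findings.append((name, 'inbound accept on %s from wan' % ', '.join(hits)))
            if src == 'guest' and dest == 'lan':
                findings.append((name, 'guest->lan access: usually an error unless one specific server is intended'))
        elif stype == 'rule' and target == 'DSCP' and s.get('set_dscp') == 'CS7':
            findings.append((name, 'DSCP CS7: reserve the voice tier for real voice/audio traffic'))
        elif stype == 'redirect' and target == 'DNAT':
            forwards[(src, s.get('proto', 'tcp udp'), s.get('src_dport'))].add(s.get('dest_ip'))
    for (src, proto, dport), ips in forwards.items():
        if len(ips) > 1:
            findings.append(('redirect %s/%s from %s' % (dport, proto, src),
                             'forwarded to %d targets; only the first receives traffic' % len(ips)))
    return findings

if __name__ == '__main__':
    for name, warning in lint_firewall(SAMPLE_CONFIG):
        print('%-32s %s' % (name, warning))
```

Run against the sample, the script flags five rules and leaves the Jamulus marking rule (a specific outbound port marked CS6) untouched, which mirrors the page's point that a correctly scoped DSCP rule is fine while a blanket CS7 mark is not.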

Typical things we expect a user to do with the firewall are things like marking certain specific outbound traffic with a traffic rule to elevate the priority of certain time-sensitive traffic to specific target ports, or creating a Port Forward so a particular service can be reachable from the internet.
This article on optimizing for Jamulus (a music jamming app) shows examples of both.

Most games use UPnP to dynamically open ports when necessary, and some consoles now will mark time-sensitive traffic with appropriate DSCP. See the documentation for your console.

Please be very careful making changes to the Firewall; it can lead to vulnerabilities or malfunctions if done incorrectly. The Status->Firewall page is here to help spot or warn about the more common issues, but it might not catch all of them.