
Firewall Rules

Last Updated: 2025-12-26
Status: Production


Overview

The GL-BE3600 router's firewall follows a default-deny model: nothing from the WAN reaches the router or the LAN unless a rule explicitly allows it, and no such rule exists. This document details the firewall rules and security settings that implement that model.


Firewall Configuration

UPnP

  • Status: OFF
  • Reason: UPnP lets any LAN device, including a compromised one, open inbound ports on the router without authentication
  • Impact: Any port that is genuinely needed must be opened by hand (not recommended; see Port Forwarding Needed below)

Port Forwards

  • Status: NONE
  • Reason: Cloudflare Tunnel carries all public ingress over a connection that the LAN side opens outbound, so no inbound port is needed
  • Impact: No inbound ports opened on the router

WAN Admin Access

  • Status: OFF
  • Reason: Router admin should only be accessible from local network or Tailscale
  • Impact: Router configuration only accessible from trusted networks

Security Principles

  1. Default Deny: All inbound connections denied unless explicitly allowed
  2. No Port Forwards: Cloudflare Tunnel eliminates need for port forwarding
  3. Local Admin Only: Router admin accessible only from local/Tailscale network
  4. UPnP Disabled: Prevents automatic port opening

Network Access Rules

Inbound Rules

  • Default: DENY ALL
  • Exceptions: None (Cloudflare Tunnel handles public ingress)

Outbound Rules

  • Default: ALLOW ALL
  • DNS: Enforced to Cloudflare (1.1.1.1 / 1.0.0.1); client queries on port 53 are redirected to the router's resolver
  • Caveat: Enforcement covers plain DNS only. Because outbound is allow-all, a client that speaks DNS over HTTPS or DNS over TLS to some other resolver bypasses it.

Inter-Network Rules

  • BlueflySecure ↔ Bluefly-Agents: Allowed (both networks are on the same router and may reach each other)
  • Guest Network: Isolated from the main LAN; client isolation ON, so guest clients cannot reach each other either

Tailscale Integration

  • Tailscale Traffic: Allowed (encrypted via WireGuard)
  • Subnet Routing: Enabled for 192.168.8.0/24, so tailnet devices reach LAN addresses such as 192.168.8.1 through the subnet router
  • Access Control: Which tailnet devices may reach the subnet, and on which ports, is managed via the Tailscale ACL policy

DNS Configuration

  • Primary DNS: 1.1.1.1 (Cloudflare)
  • Secondary DNS: 1.0.0.1 (Cloudflare)
  • Enforce DNS: ON (client DNS queries are redirected to the router regardless of the resolver the client configured, so a client, or malware on it, cannot point itself at a rogue resolver)

Security Checklist

  • UPnP disabled
  • No port forwards
  • WAN admin access disabled
  • DNS enforced (Cloudflare)
  • Default deny inbound
  • Guest network isolated
  • Tailscale properly configured
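The checklist above can be verified from a configuration dump rather than by clicking through the admin UI. The following script is an added example, not part of this page or of GL.iNet's firmware: it assumes the router exposes the standard OpenWrt configuration via `ssh root@192.168.8.1 'uci show firewall; uci show upnpd; uci show dhcp'`, and it assumes the option names for UPnP (`upnpd.config.enabled`) and upstream DNS (`dhcp.@dnsmasq[0].server`). The two sample dumps are constructed for the example, not captured from the real router.

```python
import sys

CLOUDFLARE = {"1.1.1.1", "1.0.0.1"}
DENY = {"REJECT", "DROP"}

# Constructed `uci show` dumps, not captured from the real router: HARDENED matches the
# checklist above, WEAK has every setting the checklist forbids.
HARDENED = """\
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
upnpd.config=upnpd
upnpd.config.enabled='0'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].server='1.1.1.1' '1.0.0.1'
"""
WEAK = """\
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='nas-https'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='8443'
firewall.@redirect[0].dest_ip='192.168.8.50'
firewall.@redirect[0].dest_port='443'
firewall.@redirect[0].target='DNAT'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-WAN-Admin'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].dest_port='80 443'
firewall.@rule[0].target='ACCEPT'
upnpd.config=upnpd
upnpd.config.enabled='1'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].server='8.8.8.8'
"""

def parse_uci(dump):
    """Parse `uci show` output into {(config, section): {option: value}}; a line with no
    option part ("firewall.@zone[1]=zone") records the section type under ".type"."""
    sections = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        config, _, rest = key.partition(".")
        section, _, option = rest.partition(".")
        sec = sections.setdefault((config, section), {})
        sec[option or ".type"] = value.replace("'", "")  # list values become space-separated
    return sections

def audit(dump):
    """Return one finding per checklist item the dump violates; [] means it passes."""
    cfg = parse_uci(dump)
    findings = []

    def of_type(config, typ):
        return [s for (c, _), s in cfg.items() if c == config and s.get(".type") == typ]

    # Default deny inbound: the wan zone must REJECT/DROP both input (to the router) and forward (to the LAN).
    wan = [z for z in of_type("firewall", "zone") if z.get("name") == "wan"]
    if not wan:
        findings.append("no wan zone found")
    for z in wan:
        for chain in ("input", "forward"):
            if z.get(chain) not in DENY:
                findings.append("wan zone %s is %s, expected REJECT/DROP" % (chain, z.get(chain)))
    # No port forwards: a DNAT redirect sourced from wan is an open inbound port.
    for r in of_type("firewall", "redirect"):
        if r.get("src") == "wan" and r.get("target", "DNAT") == "DNAT":
            findings.append("port forward %s: wan:%s -> %s:%s" % (
                r.get("name", "?"), r.get("src_dport", "?"), r.get("dest_ip", "?"), r.get("dest_port", "?")))
    # WAN admin access off: no ACCEPT of TCP from wan to the router itself (a rule with no dest zone).
    for r in of_type("firewall", "rule"):
        if (r.get("src") == "wan" and not r.get("dest") and r.get("target") == "ACCEPT"
                and "tcp" in r.get("proto", "tcp udp")):
            findings.append("WAN accepts TCP to router port(s) %s (%s)" % (
                r.get("dest_port", "any"), r.get("name", "unnamed")))
    # UPnP disabled (the miniupnpd option name is an assumption).
    for u in of_type("upnpd", "upnpd"):
        if u.get("enabled") == "1":
            findings.append("UPnP is enabled")
    # DNS pinned to Cloudflare (assumes the upstreams live in dnsmasq's server list).
    for d in of_type("dhcp", "dnsmasq"):
        servers = set(d.get("server", "").split())
        if not servers or servers - CLOUDFLARE:
            findings.append("upstream DNS is %s, expected only 1.1.1.1/1.0.0.1" % (sorted(servers) or "unset"))
    return findings

if __name__ == "__main__":
    # Pipe a real dump in over SSH, or run with no input to audit the constructed WEAK sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else WEAK
    for f in audit(dump) or ["no findings: configuration matches the checklist"]:
        print(f)
```

The checks mirror the checklist one for one, so a non-empty result names the exact item that drifted; treat it as an alert, not a report, and run it after every firmware update, since updates are the usual way a disabled feature such as UPnP or WAN admin comes back.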

Troubleshooting

Cannot Access Router Admin

  1. Verify you're on the local network (192.168.8.0/24) or connected to Tailscale
  2. Check router IP: 192.168.8.1
  3. Verify WAN admin access is OFF (expected; the admin UI is unreachable from the internet by design)
  4. Try accessing via Tailscale: https://192.168.8.1 from a Tailscale device. This works through the 192.168.8.0/24 subnet route, and only if the Tailscale ACL permits that device to reach 192.168.8.1

Port Forwarding Needed

DO NOT enable port forwarding. Use Cloudflare Tunnel instead:

  • Public ingress via Cloudflare Tunnel
  • No router port forwarding required
  • More secure (no open ports)

DNS Issues

  1. Verify DNS is set to Cloudflare (1.1.1.1 / 1.0.0.1)
  2. Check "Enforce DNS" is ON
  3. Test DNS resolution: nslookup google.com 1.1.1.1 (this only confirms that Cloudflare is reachable through the router)
  4. Test enforcement: nslookup google.com 192.0.2.1 should still resolve, because the router intercepts the port-53 query no matter which resolver address the client used (192.0.2.1 is an unroutable documentation address); if it times out, queries are not being redirected