Firewall
Martin Gergeleit edited this page Mar 4, 2026 · 1 revision
The router includes a stateless packet filtering firewall with four Access Control Lists (ACLs), one for each traffic direction. Because the filter is stateless it keeps no connection table: a rule on an inbound list matches reply packets of connections that internal clients opened just as it matches unsolicited traffic, so write inbound rules with the expected replies in mind.

```text
                           ESP32 NAT Router
                       ┌───────────────────────┐
                       │                       │
Internet   ◄──────────►│ STA               AP  │◄──────────►  Internal
(Upstream)             │ Interface   Interface │              Clients
                       │                       │
                       └───────────────────────┘
```
ACLs are named from the perspective of each interface: "to" means traffic arriving at the interface, "from" means traffic leaving the interface:

```text
                                 ESP32
                       ┌───────────────────────┐
                       │                       │
Internet   ──to_esp───►│ STA               AP  │◄───to_ap───  Clients
           ◄──from_esp─│                       │───from_ap──►
                       │                       │
                       └───────────────────────┘
```
| ACL | Interface | Direction | Description |
|---|---|---|---|
| to_esp | Uplink | Inbound | Internet → ESP32 (traffic arriving on uplink interface) |
| from_esp | Uplink | Outbound | ESP32 → Internet (traffic leaving on uplink interface) |
| to_ap | AP | Inbound | Clients → ESP32 (traffic arriving at AP interface) |
| from_ap | AP | Outbound | ESP32 → Clients (traffic leaving AP interface) |
- to_esp: Block unwanted incoming traffic from the Internet
- from_esp: Control what internal clients can access on the Internet
- to_ap: Filter traffic from specific internal clients
- from_ap: Control what traffic reaches internal clients
Access the firewall configuration at /firewall. For each ACL you can:
- Add rules with source/destination IP (CIDR notation), protocol, ports, and action
- Use device names from DHCP reservations instead of IP addresses (for single-host /32 rules)
- Enable monitoring to capture matching packets to PCAP
- View hit counters and statistics (device names shown for /32 addresses with reservations)
- Delete individual rules or clear entire lists
```text
acl show [<list>]                                             # Show rules and stats
acl add <list> <proto> <src> <sport> <dst> <dport> <action>   # Append a rule to <list>
acl del <list> <index>                                        # Delete rule by index
acl clear <list>                                              # Clear all rules
```

`<list>` is one of `to_esp`, `from_esp`, `to_ap`, `from_ap`. `<proto>` is `IP` (any IPv4 protocol), `TCP` or `UDP`; `<sport>` and `<dport>` are a port number or `*` for any port; `<action>` is one of the four actions listed below.
Address formats:
- `any` - matches any IP address
- `192.168.4.0/24` - CIDR notation (network/mask)
- `192.168.4.100` - single host (equivalent to /32)
- `MyPhone` - device name from DHCP reservations (resolved to /32)
When displaying rules, device names are shown instead of IP addresses for /32 rules that have a matching DHCP reservation with a name.
Examples:
```text
# Block all incoming traffic from a specific Internet host
acl add to_esp IP 203.0.113.50 * any * deny

# Block all traffic delivered to a specific device, addressed by its DHCP reservation name
acl add from_ap IP any * MyPhone * deny

# Allow only DNS and HTTP/HTTPS from clients to the Internet.
# All four rules belong in the same list, and the deny must come last
# (first match wins). Putting the deny in to_ap instead would also block
# traffic addressed to the router itself (DHCP, the web UI), since to_ap
# sees everything arriving at the AP interface.
acl add from_esp UDP any * any 53 allow
acl add from_esp TCP any * any 80 allow
acl add from_esp TCP any * any 443 allow
acl add from_esp IP any * any * deny
```
- Rules are evaluated in order within a list (first match wins); each list is evaluated independently, so an `allow` in one list does not exempt the packet from the rules of another list it passes through
- If no rule matches, the packet is allowed (permissive default); a list that contains only `allow` rules therefore blocks nothing, so end an allow-list with an explicit `IP any * any * deny` rule
- Non-IPv4 traffic (ARP, IPv6) passes through without filtering, so the ACLs give no control over IPv6
- Port filters only apply to TCP/UDP packets; rules with port filters won't match ICMP or other protocols, so a final catch-all rule must use `*` for both ports
- Rules persist in NVS storage and survive reboots
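The rule semantics above (first match wins, permissive default, `IP` matching any protocol, port filters ignored for non-TCP/UDP, reservation names resolved to /32) are easy to get wrong when writing a rule set, as the "allow only DNS and HTTP/HTTPS" example shows. The following Python model of those semantics is an added example, not code from the ESP32 NAT Router firmware: it parses `acl add` lines exactly as documented, evaluates packets against a list, and lets you check a rule set offline before typing it into the router. The reservation table, the sample rule sets and the packet addresses are constructed for the example; the parser assumes the seven-field `acl add` syntax shown on this page and nothing else.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed DHCP reservation table (name -> address), assumed for this example.
RESERVATIONS = {"MyPhone": "192.168.4.100"}


@dataclass
class Rule:
    proto: str                      # "IP" (any IPv4 protocol), "TCP" or "UDP"
    src: ipaddress.IPv4Network
    sport: Optional[int]            # None means "*" (any port)
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    action: str                     # allow, deny, allow_monitor, deny_monitor


def parse_addr(text):
    """'any', CIDR, single host, or a DHCP reservation name (resolved to /32)."""
    if text == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    text = RESERVATIONS.get(text, text)
    return ipaddress.IPv4Network(text, strict=False)   # host -> /32


def parse_port(text):
    return None if text == "*" else int(text)


def parse_acl_add(line):
    """Parse one 'acl add <list> <proto> <src> <sport> <dst> <dport> <action>' line."""
    parts = shlex.split(line)
    if parts[:2] != ["acl", "add"] or len(parts) != 9:
        raise ValueError(f"not an 'acl add' command: {line!r}")
    _, _, lst, proto, src, sport, dst, dport, action = parts
    return lst, Rule(proto.upper(), parse_addr(src), parse_port(sport),
                     parse_addr(dst), parse_port(dport), action.lower())


def build_lists(commands):
    """Turn a block of 'acl add' lines (comments and blank lines ignored) into the four ACLs."""
    lists = {"to_esp": [], "from_esp": [], "to_ap": [], "from_ap": []}
    for line in commands.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lst, rule = parse_acl_add(line)
            lists[lst].append(rule)
    return lists


def matches(rule, proto, src, dst, sport, dport):
    if rule.proto != "IP" and rule.proto != proto:
        return False
    if ipaddress.IPv4Address(src) not in rule.src or ipaddress.IPv4Address(dst) not in rule.dst:
        return False
    if rule.sport is not None or rule.dport is not None:
        # Port filters apply to TCP/UDP only: ICMP etc. never match a port-filtered rule.
        if proto not in ("TCP", "UDP"):
            return False
        if rule.sport is not None and rule.sport != sport:
            return False
        if rule.dport is not None and rule.dport != dport:
            return False
    return True


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First match wins; no match means 'allow' (the permissive default)."""
    for rule in rules:
        if matches(rule, proto, src, dst, sport, dport):
            return rule.action
    return "allow"


def passes(action):
    return action in ("allow", "allow_monitor")


# Constructed rule set: the page's three examples, with the DNS/HTTP/HTTPS
# policy kept entirely on from_esp and its catch-all deny last.
POLICY = """
acl add to_esp IP 203.0.113.50 * any * deny
acl add from_ap IP any * MyPhone * deny
acl add from_esp UDP any * any 53 allow
acl add from_esp TCP any * any 80 allow
acl add from_esp TCP any * any 443 allow
acl add from_esp IP any * any * deny
"""
LISTS = build_lists(POLICY)

# The same policy split across lists does not work: lists are independent,
# so the deny on from_esp drops the traffic that to_ap allowed.
MISPLACED = build_lists("""
acl add to_ap TCP any * any 443 allow
acl add from_esp IP any * any * deny
""")


def outbound(proto, dport=None, src="192.168.4.23", dst="198.51.100.7"):
    """Evaluate one client -> Internet packet against the from_esp list."""
    sport = 40000 if proto in ("TCP", "UDP") else None
    return evaluate(LISTS["from_esp"], proto, src, dst, sport, dport)


if __name__ == "__main__":
    for proto, dport in (("TCP", 443), ("TCP", 22), ("UDP", 53), ("ICMP", None)):
        print(f"from_esp {proto} dport={dport}: {outbound(proto, dport)}")
```

Running the script shows the catch-all deny doing the real work: HTTPS and DNS pass, SSH and ICMP are dropped, and with the final `IP any * any * deny` removed every outbound packet is allowed because nothing matched. Evaluating `MISPLACED["from_esp"]` for an HTTPS packet returns `deny`, which is why the policy must live in one list.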
Each rule can have one of four actions:
| Action | Packet | Captured to PCAP |
|---|---|---|
| allow | ✅ Allowed | ❌ No |
| deny | ❌ Dropped | ❌ No |
| allow_monitor | ✅ Allowed | ✅ Yes (in ACL mode) |
| deny_monitor | ❌ Dropped | ✅ Yes (in ACL mode, before drop) |
See also: Packet Capture for details on PCAP integration with ACL monitor rules.