To protect your home network from attacks and intrusions from the Internet, the Keenetic router series has a firewall activated by default.

In most cases, the default settings are sufficient for security and no additional firewall configuration is required. When a specific task requires it, Keenetic provides flexible security settings to allow or deny access to specific hosts or network services.

NOTE: Important! By default, your home network is protected from external attacks, and access to the router's management (web interface) is blocked from the Internet.

Put simply, the firewall can be seen as a set of pre-configured and user-defined filters, in which the rules set by the user have higher priority.

Firewall rules are executed in the order they appear in the list, from top to bottom. Every rule must be bound to the interface (connection) on which it will be executed.

Each rule must specify:

- the traffic source network and its destination (IP addresses of hosts or subnets);
- the protocol the rule applies to (TCP, UDP, ICMP, etc.);
- the port number (required for the TCP and UDP protocols);
- the action to take on a packet: Deny or Allow.

NOTE: Important! In Keenetic routers, firewall rules are processed after network address translation (NAT) rules. Therefore, when creating firewall rules, you should specify the IP address of the host after the address translation.

Keenetic's web configurator offers the most convenient way to manage firewall rules.

NOTE: Important! Rules created through the web configurator apply only to incoming traffic of the public (WAN) or local (LAN) interface.
It is possible to create rules for any direction through the command line interface (CLI) of the router.

Firewall rules are configured on the 'Firewall' page.

To add a firewall rule, select from the list the interface on which incoming traffic will be tracked and click 'Create rule'. Rules are applied in the order in which they appear in the list. To change the order of the rules, drag and drop the rows in the table.

NOTE: Important! Rules should be created for the interface where the filtered traffic is inbound (initiating the session).


In the 'Firewall rule' window that appears, select the action to be performed for incoming packets and specify the conditions under which the action should be performed. In our example, for the 'Home segment' interface, we'll create a 'Prohibit' rule where we'll specify the source IP address (the IP address of the computer that will be denied access). As a result, this rule will block access to the Internet only for one host on the local network with the IP address of


In the 'Action' field, select the action ('Allow' or 'Prohibit'), and then specify the criteria and conditions under which that action will be performed.

In the 'Work schedule' field, you can add a schedule that determines when the rule is active.

NOTE: Important! When creating blocking rules, the allowing rules must be placed above the prohibiting ones.
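
The effect of rule order can be checked with a small model of top-down evaluation. This is an added example, not Keenetic code or part of the original article: the `Rule` class, the helper names and the sample host 192.168.1.50 are constructed for illustration, and the model assumes the first matching rule in the list decides the action.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "Allow" or "Prohibit"
    src: str                    # source host or subnet in CIDR form
    dst: str = "0.0.0.0/0"      # destination host or subnet
    proto: str = "any"          # "TCP", "UDP", "ICMP" or "any"
    port: Optional[int] = None  # destination port; None means any

    def matches(self, src, dst, proto, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.port in (None, other.port))

def decide(rules, src, dst, proto, port=None):
    """Action of the first matching rule, or None if no user rule matches."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return None

def shadowed(rules):
    """Indexes of rules that can never fire: an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]

# Constructed sample: block one LAN host except for DNS over UDP.
ALLOW_DNS = Rule("Allow", "192.168.1.50/32", proto="UDP", port=53)
BLOCK_HOST = Rule("Prohibit", "192.168.1.50/32")
correct_order = [ALLOW_DNS, BLOCK_HOST]   # allowing rule above the prohibiting one
wrong_order = [BLOCK_HOST, ALLOW_DNS]     # allowing rule is shadowed

if __name__ == "__main__":
    for name, rules in (("correct", correct_order), ("wrong", wrong_order)):
        verdict = decide(rules, "192.168.1.50", "8.8.8.8", "UDP", 53)
        print(name, "DNS ->", verdict, "| shadowed rules:", shadowed(rules))
```

Running `shadowed()` over a planned rule list before entering it in the web configurator shows any rule that sits below a broader one and would therefore never take effect.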

In our example, the following 'Prohibit' rule was created for the Home segment interface:


TIP: Tip: We recommend that you read the instructions:

Since KeeneticOS 2.14, the web configurator has implemented group copying, moving and deleting of firewall rules: 'Copying, moving and deleting multiple firewall rules'

'How is the firewall implemented?'

'Firewall rules examples'

'When should port forwarding and firewall rules be used?'


