Can't delete firewall rule on RT6600ax

I've been using the Synology RT6600ax for the last few months and it works great for me :)

I just noticed one firewall rule "allow from lan" can't be deleted, can't be moved:

Every time I try to delete or edit this rule I see a "Loading button" but nothing happens...

I tried to reset the router to defaults, then I used my last backup to restore (because I don't want to set it up again from the beginning) and this rule still can't be deleted/edited.

I hope someone can help me fix it.

Thank you!
Things I would try (I’m not at my router and can’t remember if some things are supported or not, I’m having breakfast. Then I’m going for a walk before it gets too hot)…

1. Can the firewall be switched off? Switch it off and on: is the rule still there/now editable?

2. Edit the firewall rules:
Do a backup of the router, twice. Then change the extension of one of the backup files to .zip. You can now open it and find the file that has the firewall configuration with rules. See if you can find the rule with the problem. The second backup is to have an unmodified archive in case you modified the first.

Make a new rule on the router that is configured how you would want this rule to be, with the interfaces set.
If the firewall can be switched off: switch it off. Next SSH onto the router and go to that same file and you should be able to edit it so the rule now has the interfaces defined, as per the new rule you made. Switch on the firewall or reboot the router.
Is the rule now editable?
Any issues and you can restore the router from the backup archive.

Looking at your firewall rules I’m surprised your auto-generated rules for port forwarders are getting any hits since you have an ANY/ANY/ANY/ANY/ANY/ANY/DENY rule above them. I gave up on the auto-generated rules and made my own that are in the right place in the firewall policy, and they can have restrictions on who can access them. Once I’d created my rules I went to Port Forwarding and disabled the option to add matching rules in the firewall policy.
Looking at your firewall rules I’m surprised your auto-generated rules for port forwarders are getting any hits
Most of these rules make little sense. If the OP does not understand specifically why the rule exists it should be disabled until a specific need is identified and understood. Synology has a bad habit of automatically opening far too many ports, and as a result reduces network security.

As fredbert stated, do not permit the router to self-manage port openings.
Specifically in the Port Forwarding there’s the default enabled setting to add a matching firewall rule. Without the firewall rule the forwarder won’t work, but the default rules (the grey ones without checkboxes at the end of the firewall policy) are always Any Source/Allow.

Once you have these automatically generated rules you can create matching ones but set the source to be more limited (if you like), and also you can put them in the firewall policy at the right place. When you’re happy then you can disable the Port Forwarding’s auto-firewall rule feature, and this will remove those rules from the end of the firewall ruleset.

After doing this a couple of times you’ll probably understand what it’s doing and you can add other port forward rules and know how to add the corresponding firewall rule.

Why is this useful? I have a case where I run Mail Server but only to maintain an archive of messages sent from my email service provider. So I have a port forward rule for SMTP to Mail Server but the source is restricted to only allow from my email service provider’s IP range. I can either have a next rule to deny all other sources to SMTP, or the end rule of the ruleset will catch it with an Any Source/Any Destination/Deny rule.

Plus the four rules at bottom of the Firewall window are all set to Deny. @ThinkYEAH it looks like you might have them set to Allow, at least the first rule is shown as Allow in your screenshot.
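
Added example, not part of the thread and not Synology's code: a small first-match model of the rule ordering discussed above, showing why an allow rule placed below an Any/Any deny never gets a hit and how a source-restricted SMTP rule placed above the deny behaves. Top-down first-match evaluation, the rule names, and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str              # hypothetical label, not an SRM identifier
    source: str            # CIDR; "0.0.0.0/0" stands for Any
    port: Optional[int]    # destination port; None stands for Any
    action: str            # "allow" or "deny"

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matching `later` also matches `earlier`."""
    e_net = ipaddress.ip_network(earlier.source)
    l_net = ipaddress.ip_network(later.source)
    port_ok = earlier.port is None or earlier.port == later.port
    return l_net.subnet_of(e_net) and port_ok

def shadowed_rules(policy):
    """Names of rules that can never get a hit under first-match evaluation."""
    return [later.name for i, later in enumerate(policy)
            if any(covers(earlier, later) for earlier in policy[:i])]

def first_match(policy, src_ip, port):
    """Return (rule name, action) of the first rule matching the packet."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if ip in ipaddress.ip_network(rule.source) and rule.port in (None, port):
            return rule.name, rule.action
    return None, "deny"  # assumed default when no rule matches

# Constructed policy: auto-generated forwarder rule sits below an Any/Any deny.
AS_POSTED = [
    Rule("deny-all", "0.0.0.0/0", None, "deny"),
    Rule("auto-pf-smtp", "0.0.0.0/0", 25, "allow"),
]
# Constructed policy: hand-made SMTP rule, source-restricted, above the deny.
REORDERED = [
    Rule("smtp-from-provider", "203.0.113.0/24", 25, "allow"),
    Rule("deny-all", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    print("shadowed (as posted):", shadowed_rules(AS_POSTED))
    print("shadowed (reordered):", shadowed_rules(REORDERED))
    print(first_match(REORDERED, "203.0.113.10", 25))
    print(first_match(REORDERED, "198.51.100.7", 25))
```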
