WAN DHCP and LAN DHCP.
Note that inbound WAN DHCP is already allowed by the OpenWrt default rule Allow-DHCP-Renew (src wan, udp, dest_port 68). Which port a rule has to match depends on the device's role on that zone: a DHCP client sends from UDP 68 to the server's UDP 67, and the server answers from 67 back to 68. The two lan rules below match port 68 on the device, i.e. they fit a device that is itself a DHCP client on lan (dumb AP / bridge). If the device runs the DHCP server (dnsmasq) for lan, use dest_port='67' on the input rule and src_port='67' (or dest_port='68') on the output rule instead.
uci add firewall rule
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].name='lan-dhcp-in-dst68'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='68'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].family='ipv4'
uci add firewall rule
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].name='lan-dhcp-out-src68'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src_port='68'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].family='ipv4'
The device is a DHCP client on wan, so its own DISCOVER/REQUEST goes to the server's port 67; dest_port is therefore 67, not 68 (68 is where the replies come back, which the default Allow-DHCP-Renew input rule already covers). Without this rule the lease cannot be renewed once wan output is REJECT.
uci add firewall rule
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='wan-dhcp-out-dst67'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='67'
uci set firewall.@rule[-1].target='ACCEPT'
Prevent a lock-out: keep LuCI (tcp/80) and SSH (tcp/22) reachable from both zones while you work. The two wan-side rules expose management to the internet, so treat them as temporary: once the lan rules are confirmed working, disable them (uci set firewall.@rule[N].enabled='0', with N taken from uci show firewall) after checking in nft list ruleset that their counters show nothing but your own sessions. Then DNS and NTP; allow53lan and allow53out are UDP only, so if clients or the upstream resolver need TCP 53 (large or DNSSEC answers), set proto='tcp udp' on them.
uci add firewall rule
uci set firewall.@rule[-1].name='allow80'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow22'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow80lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow22lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='allow53lan'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='udp'
uci add firewall rule
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='allow53out'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='allow123out'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='123'
uci set firewall.@rule[-1].target='ACCEPT'
LAN <-> device ICMPv6. These two rules accept every ICMPv6 type in both directions (proto='icmp' together with family='ipv6' is rendered as icmpv6 by fw4). To narrow them, copy the icmp_type list of the default Allow-ICMPv6-Input rule. If the device also needs IPv6 on wan and the wan output policy becomes REJECT, add dest='wan' rules for its own ICMPv6 (router/neighbour solicitation and advertisement) and for the DHCPv6 client (udp dest_port 547), or WAN IPv6 will not come up.
uci add firewall rule
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].name='device-lan-icmpv6'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].name='lan-device-icmpv6'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'
IPv6 TCP/UDP forwarding (only if the device routes between lan and wan rather than bridging). Rules are matched in configuration order, so keep this broad accept after any more specific lan->wan rule, as its name says:
uci add firewall rule
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='lan-wan-ipv6-forwarding-tcp-udp-should-be-last'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].target='ACCEPT'
uci add_list firewall.@rule[-1].proto='tcp'
uci add_list firewall.@rule[-1].proto='udp'
Only for IPv6 bridge setups (compare the default Allow-ICMPv6-Forward rule): let neighbour discovery and router advertisements pass lan->wan:
uci add firewall rule
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].name='icmpv6 bridge'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].target='ACCEPT'
uci add_list firewall.@rule[-1].icmp_type='neighbour-advertisement'
uci add_list firewall.@rule[-1].icmp_type='neighbour-solicitation'
uci add_list firewall.@rule[-1].icmp_type='router-advertisement'
uci add_list firewall.@rule[-1].icmp_type='router-solicitation'
With these in place you can add further dest='wan' output rules for the device itself, and finally tighten the zone defaults. @zone[1] is the wan zone only in the default configuration (check with uci show firewall.@zone[1].name); there, input and forward are already REJECT by default, so output is the actual change. The lan rules above have no effect while the lan zone (@zone[0] by default) keeps its ACCEPT defaults; they only matter once it is switched to REJECT the same way.
#uci set firewall.@zone[1].input='REJECT'
#uci set firewall.@zone[1].output='REJECT'
#uci set firewall.@zone[1].forward='REJECT'
Remember to uci commit firewall, then /etc/init.d/firewall restart. fw4 print shows the nftables ruleset fw4 generates from the configuration, and nft list ruleset the live one with packet counters.
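An added example, not part of the original notes: a small POSIX sh helper set for the procedure above. uci_rule prints the uci add/set lines for one rule and turns a comma-separated value into add_list entries (the multi-protocol forwarding rule needs add_list rather than set); dhcp_rules encodes the 67/68 direction per role so the input and output ports cannot be swapped; fw_apply_with_rollback and fw_confirm wrap the final REJECT step with a timed automatic restore of the previously committed /etc/config/firewall, so a lock-out undoes itself. The function names and the FW_CONF, FW_COMMIT_CMD and FW_RELOAD_CMD variables are this example's own (the variables exist so the functions can be dry-run off the router); uci, /etc/init.d/firewall and nft are the real OpenWrt tools.

```shell
#!/bin/sh
# Added example, not from the original notes: POSIX sh helpers (BusyBox ash on
# OpenWrt, dash/bash elsewhere) for the uci firewall procedure above.
#  - uci_rule / dhcp_rules only print 'uci' commands, so they can be reviewed
#    and then piped into a shell on the router.
#  - fw_apply_with_rollback / fw_confirm guard the final REJECT step against a
#    lock-out. Function names and the FW_* variables are this example's own
#    (assumed names); 'uci' and '/etc/init.d/firewall' are the real OpenWrt tools.

: "${FW_CONF:=/etc/config/firewall}"
: "${FW_COMMIT_CMD:=uci commit firewall}"
: "${FW_RELOAD_CMD:=/etc/init.d/firewall reload}"

# uci_rule NAME key=value ...  -> the 'uci add' + 'uci set' lines for one rule.
# A comma-separated value (proto=tcp,udp) is emitted as 'uci add_list' entries,
# which is what a multi-protocol rule needs instead of 'uci set'.
uci_rule() {
    local name="$1" kv key val item oldifs
    shift
    echo "uci add firewall rule"
    echo "uci set firewall.@rule[-1].name='$name'"
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        case $val in
            *,*)
                oldifs=$IFS; IFS=,
                for item in $val; do
                    echo "uci add_list firewall.@rule[-1].$key='$item'"
                done
                IFS=$oldifs ;;
            *)  echo "uci set firewall.@rule[-1].$key='$val'" ;;
        esac
    done
}

# dhcp_rules ZONE ROLE  -> IPv4 DHCP input + output rules for ZONE.
# DHCP clients send from UDP 68 to the server's UDP 67; servers answer 67 -> 68.
# ROLE=client: the device obtains a lease on ZONE (wan; lan on a dumb AP).
# ROLE=server: the device runs the DHCP server (dnsmasq) for ZONE.
dhcp_rules() {
    local zone="$1" role="$2" in_port out_port
    case $role in
        client) in_port=68 out_port=67 ;;   # replies reach our 68, we talk to 67
        server) in_port=67 out_port=68 ;;   # requests reach our 67, we answer to 68
        *) echo "dhcp_rules: role must be 'client' or 'server'" >&2; return 1 ;;
    esac
    uci_rule "$zone-dhcp-in-dst$in_port" \
        src="$zone" family=ipv4 proto=udp dest_port="$in_port" target=ACCEPT
    uci_rule "$zone-dhcp-out-dst$out_port" \
        dest="$zone" family=ipv4 proto=udp dest_port="$out_port" target=ACCEPT
}

# fw_apply_with_rollback [SECONDS]
# Snapshot the currently committed (known-good) config, commit the staged uci
# changes and reload fw4, then arm a timer that restores the snapshot and
# reloads again unless fw_confirm runs first. Run fw_confirm from a *new*
# login: if the REJECT policies locked you out, the timer undoes them.
fw_apply_with_rollback() {
    local secs="${1:-180}"
    cp "$FW_CONF" "$FW_CONF.rollback" || return 1
    $FW_COMMIT_CMD && $FW_RELOAD_CMD || return 1
    (
        sleep "$secs"
        [ -e "$FW_CONF.rollback" ] || exit 0      # confirmed: nothing to undo
        cp "$FW_CONF.rollback" "$FW_CONF"
        rm -f "$FW_CONF.rollback"
        $FW_RELOAD_CMD
    ) &
    echo "rollback armed: $FW_CONF.rollback is restored in ${secs}s unless fw_confirm runs"
}

# fw_confirm  -> keep the new config; disarms the pending rollback.
fw_confirm() { rm -f "$FW_CONF.rollback"; }
```

Typical use on the router: source the helper file, run dhcp_rules wan client | sh, stage the remaining rules and the zone REJECTs with uci set (uncommitted), then fw_apply_with_rollback 180. Open a new SSH or LuCI session, source the file there and run fw_confirm; if that session cannot connect, the timer puts the previous /etc/config/firewall back and reloads within three minutes.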