For some reason this common operation is undocumented and I'm quite sure I'm not the only one who wants to do this. I did try using the Zones section although that resulted in no traffic going anywhere.
Keep in mind that you still need to have firewall rules in place above this line if you want any outgoing traffic to be passed out such as http etc.


  • Login and navigate using the Menu: Network --> Firewall and after that Traffic Rules
  • Go to "New forward rule:", name it WAN Block or whetever you prefer.
  • Enter the rest as below:
Restrict to address family: IPv4 and IPv6
Protocol: TCP + UDP
Match ICMP type: any
Source zone: lan
Source MAC address: any
Source address: any
Source port: any (empty)
Desination zone: wan
Destination address: any
Distination port any (empty)
Action: reject
  • Done

Remember that it should always be placed last.