Relationship between firewall rules and SSID Firewall Mode?

I’m configuring my Surf SOHO MK3 router, and trying to understand the relationship between the main firewall (Advanced -> Access Rules) and the SSID “Firewall Mode”.

Do SSID Firewall Mode rules augment or override or replace the main firewall rules for the SSID in question? And which rules have higher precedence?

My question overlaps with Surf SOHO Firewall Mode in SSID Settings, but @TK_Liew’s reply on that thread simply described the function of each firewall rule group in isolation, and also described SSID Firewall Mode setting in isolation.

Suppose I have the main firewall configured with rules. What happens in the following scenarios?

  • Main firewall configured. SSID Firewall Mode set to Disable. Does this disable all firewall rules for the SSID or does it behave exactly as the main firewall rules specify?
  • Main firewall configured. SSID Firewall Mode set to Flexible – Allow all except… Do rules specified here add to the main firewall rules for this SSID, or do they replace the main firewall ruleset for this SSID?
  • Main firewall configured. SSID Firewall Mode set to Lockdown – Block all except… Do rules specified here add to the main firewall rules for this SSID, or do they replace the main firewall ruleset to this SSID?

For the benefit of anyone else with this question, here is the response I received from my Peplink Certified Partner (minor formatting added):

The SSID Firewall rules augment the main firewall. That is to say that they are applied first for clients which are connected to the SSID in question and then the main firewall rules are applied.

  • As for the scenarios you laid out in your forum posts, if the main firewall has rules configured and the SSID firewall is disabled, the wireless clients will be subject to the main firewall rules.
  • If the main firewall is configured and there is a flexible rule set configured on the SSID, the flexible SSID firewall is checked and then the main firewall is checked, and if traffic does not match on either list, it would be permitted (additive to the main firewall).
  • If the main firewall is configured and the SSID firewall is set to lockdown, the traffic will be checked to ensure it is on the approved list of the SSID firewall and then checked against the main firewall to ensure it’s permitted (additive to the main firewall).
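To make the two-stage evaluation described above concrete, here is an added Python model (not Peplink code and not from this thread) that applies the SSID Firewall Mode first and the main Access Rules second. The rule shape, the first-match semantics for the main firewall and the default-allow when nothing matches are assumptions taken from the partner's description, not the router's actual implementation.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Entry:
    """One match criterion: destination CIDR plus optional port (None = any port)."""
    dst: str
    port: int | None = None

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return ip_address(dst_ip) in ip_network(self.dst) and self.port in (None, dst_port)


def ssid_stage(mode: str, entries: list[Entry], dst_ip: str, dst_port: int) -> bool:
    """Stage 1, the SSID Firewall Mode. True = packet continues to the main firewall,
    False = the SSID stage drops it. Modelled on the reply above (assumption)."""
    if mode == "disable":              # no SSID-level filtering at all
        return True
    hit = any(e.matches(dst_ip, dst_port) for e in entries)
    if mode == "flexible":             # "Allow all except...": listed entries are blocked
        return not hit
    if mode == "lockdown":             # "Block all except...": only listed entries continue
        return hit
    raise ValueError(f"unknown SSID Firewall Mode: {mode}")


def main_stage(rules: list[tuple[Entry, str]], dst_ip: str, dst_port: int) -> str:
    """Stage 2, the main firewall (Advanced -> Access Rules): first matching rule wins.
    Default 'allow' when nothing matches, as the partner's reply describes (assumption)."""
    for entry, action in rules:
        if entry.matches(dst_ip, dst_port):
            return action
    return "allow"


def evaluate(mode: str, entries: list[Entry], rules: list[tuple[Entry, str]],
             dst_ip: str, dst_port: int) -> str:
    """Combined verdict for a wireless client on the SSID: SSID stage, then main firewall."""
    if not ssid_stage(mode, entries, dst_ip, dst_port):
        return "deny (SSID firewall)"
    return f"{main_stage(rules, dst_ip, dst_port)} (main firewall)"


# Constructed sample policy: the main firewall denies SMB (445) to one LAN subnet;
# the SSID list names that whole subnet, so its meaning flips between modes.
MAIN_RULES = [(Entry("192.168.50.0/24", 445), "deny")]
SSID_ENTRIES = [Entry("192.168.50.0/24")]

if __name__ == "__main__":
    for mode in ("disable", "flexible", "lockdown"):
        for ip, port in (("192.168.50.10", 445), ("192.168.50.10", 80), ("8.8.8.8", 53)):
            print(f"{mode:9} {ip}:{port} -> {evaluate(mode, SSID_ENTRIES, MAIN_RULES, ip, port)}")
```

Running it shows the three scenarios from the question side by side: Disable defers entirely to the main rules, Flexible adds extra denies in front of them, and Lockdown adds a deny for everything not on its list, with the main firewall still applied afterwards in every case.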