The default rule for any/all is ALLOW, rather than DENY, which is clearly counterintuitive if one assumes the rules in that table reflect what is advertised (Inbound Rules), but I also recall Sit Loong stating they don’t, and instead only apply to the following cases:
- Inbound WAN 1 traffic where the WAN 1 is in drop-in mode
- Inbound traffic that is defined in Inbound Services
- Inbound traffic that is defined in Inbound NAT Mappings
…and that there is a stealth DENY ANY rule in place for all other inbound traffic.
Setting aside how counterintuitive and non-standard that usage seems to be, I’m still confused, because this Peplink video seems to contradict Sit Loong’s explanation. I think.
That video seems to explain the impact of the inbound rules in the way I would expect them to function.
What am I missing?
Hi! I can understand where the confusion comes from, though I believe the tooltip explains the use cases for these rules pretty well:

Basically, traffic forwarded to the WAN to the LAN is blocked by default, unless one of these mechanisms is enabled:
- Drop-In Mode
- Inbound Services
- NAT Mappings
If one or more of these are enabled, you can fine grain the access with the Inbound Firewall Rules.
Peplink firewall rules are somewhat different from the traditional IPTables input, output and forward chains.
Understood, and thanks for the reply, but the situation still seems very counterintuitive to me, especially with regard to external access to the web admin dashboard, which folks new to the platform would likely assume is accessible externally via the WAN IP if the default inbound rule is not DENY. To understand why that is not the case, you’d need to know there is what I tend to think of as a “stealth inbound rule” for that top-level resource that is not visible in the rules table but is instead controlled by the “Web Admin Access” selection in a completely different section of the admin UI (i.e., on the System tab).
And based on my searches, this issue has confused new Peplink admins for years.
Thus, seems like some static text in the UI on the Access Rules page, explaining what controls inbound access to the top-level web admin resource, would be pretty useful. Even better if it isn’t hidden behind an icon.
Thanks again.
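The evaluation order described in this thread, modelled as an added example that is not part of any post and is not Peplink code. The `Config` fields, the addresses, port 443 for web admin, first-match rule ordering, and the rules table being skipped for web admin traffic are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:                      # one row of the visible Inbound Rules table
    action: str                  # "ALLOW" or "DENY"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

@dataclass
class Config:                    # hypothetical model, not Peplink's config schema
    wan_ip: str = "203.0.113.10"                        # constructed address
    drop_in_mode: bool = False
    inbound_services: set = field(default_factory=set)  # forwarded WAN ports
    nat_mappings: set = field(default_factory=set)      # mapped WAN-side IPs
    inbound_rules: list = field(default_factory=list)
    default_action: str = "ALLOW"                       # default any/all rule
    web_admin_wan: bool = False                         # "Web Admin Access" setting
    web_admin_port: int = 443                           # assumed port

def evaluate(cfg, src, dst, dport):
    """Return (verdict, reason) for one inbound WAN packet."""
    forwarded = (cfg.drop_in_mode or dst in cfg.nat_mappings
                 or (dst == cfg.wan_ip and dport in cfg.inbound_services))
    if not forwarded:
        # Traffic to the router itself: decided outside the rules table.
        if dst == cfg.wan_ip and dport == cfg.web_admin_port:
            return ("ALLOW" if cfg.web_admin_wan else "DENY", "web admin setting")
        return ("DENY", "implicit: no forwarding mechanism matches")
    # Only forwarded traffic reaches the visible table (assumed first match wins).
    for i, r in enumerate(cfg.inbound_rules):
        if ip_address(src) in ip_network(r.src) and r.dport in (None, dport):
            return (r.action, f"inbound rule {i}")
    return (cfg.default_action, "default rule")

if __name__ == "__main__":
    # Constructed scenario: SSH forwarded inbound, one source range denied.
    ssh = Config(inbound_services={22},
                 inbound_rules=[Rule("DENY", "198.51.100.0/24", 22)])
    for src, port in [("198.51.100.7", 22), ("192.0.2.5", 22), ("192.0.2.5", 8080)]:
        print(src, port, evaluate(ssh, src, ssh.wan_ip, port))
```

The default ALLOW only takes effect for traffic that a forwarding mechanism has already admitted, which is why an empty rules table does not expose the router.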