diff --git a/files/etc/config.mesh/firewall b/files/etc/config.mesh/firewall
index 75b3ed39..a0e72f16 100644
--- a/files/etc/config.mesh/firewall
+++ b/files/etc/config.mesh/firewall
@@ -88,24 +88,6 @@ config include
option path /etc/firewall.user
option fw4_compatible 1
-config rule
- option src wan
- option dest_port 2222
- option proto tcp
- option target ACCEPT
-
-config rule
- option src wan
- option dest_port 8080
- option proto tcp
- option target ACCEPT
-
-config rule
- option src wan
- option dest_port 80
- option proto tcp
- option target ACCEPT
-
config rule
option name Allow-Ping
option src wan
diff --git a/files/etc/local/mesh-firewall/12-wan-services b/files/etc/local/mesh-firewall/12-wan-services
new file mode 100755
index 00000000..be587081
--- /dev/null
+++ b/files/etc/local/mesh-firewall/12-wan-services
@@ -0,0 +1,45 @@
+<<'LICENSE'
+ Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
+ Copyright (C) 2023 Tim Wilkinson
+ See Contributors file for additional contributors
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation version 3 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+ Additional Terms:
+
+ Additional use restrictions exist on the AREDN(TM) trademark and logo.
+ See AREDNLicense.txt for more info.
+
+ Attributions to the AREDN Project must be retained in the source code.
+ If importing this code into a new or existing project attribution
+ to the AREDN project must be added to the source code.
+
+ You must not misrepresent the origin of the material contained within.
+
+ Modified versions must be modified to attribute to the original source
+ and be marked in reasonable ways as differentiate it from the original
+ version.
+
+LICENSE
+
+MESHFW_WAN_WEB=$(/sbin/uci -q get aredn.@wan[0].web_access)
+MESHFW_WAN_SSH=$(/sbin/uci -q get aredn.@wan[0].ssh_access)
+
+if [ "${MESHFW_WAN_WEB}" = "1" ]; then
+ nft insert rule ip fw4 input_wan tcp dport 80 accept comment \"wan web access\" 2> /dev/null
+ nft insert rule ip fw4 input_wan tcp dport 8080 accept comment \"wan web access\" > /dev/null
+fi
+
+if [ "${MESHFW_WAN_SSH}" = "1" ]; then
+ nft insert rule ip fw4 input_wan tcp dport 2222 accept comment \"wan ssh access\" 2> /dev/null
+fi
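Review bot: The redirect on the second nft call (`dport 8080`) discards stdout with `> /dev/null` while the 80 and 2222 calls discard stderr with `2> /dev/null`, so the 8080 insertion is the only one that still prints on failure and the only one whose normal output is hidden; make it `nft insert rule ip fw4 input_wan tcp dport 8080 accept comment \"wan web access\" 2> /dev/null` to match the others. Nothing guards against the script running while the rules are already present: `nft insert` prepends unconditionally, so if the mesh-firewall scripts are re-executed on a firewall reload (the caller is not visible here) the `input_wan` chain accumulates duplicate accept rules; checking `nft list chain ip fw4 input_wan` for the comment string before inserting, or removing rules carrying that comment first, would keep the chain in a known state. The file is created with mode 100755 but starts with the `<<'LICENSE'` heredoc and no `#!/bin/sh`; if the parent executes it rather than sourcing it, add the shebang. A one-line header comment stating that both `aredn.@wan[0].*` flags are read at run time and that an unset or non-"1" value leaves the WAN ports closed would document the fail-closed behaviour the code already has.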
diff --git a/files/www/cgi-bin/advancedconfig b/files/www/cgi-bin/advancedconfig
index 25cb656a..e3d781eb 100755
--- a/files/www/cgi-bin/advancedconfig
+++ b/files/www/cgi-bin/advancedconfig
@@ -194,6 +194,22 @@ local settings = {
postcallback = "changeWANVLAN()",
needreboot = true
},
+ {
+ category = "WAN Settings",
+ key = "aredn.@wan[0].web_access",
+ type = "boolean",
+ desc = "Enable web access to the node from the WAN interface
aredn.@wan[0].web_access",
+ default = "0",
+ needreboot = true
+ },
+ {
+ category = "WAN Settings",
+ key = "aredn.@wan[0].ssh_access",
+ type = "boolean",
+ desc = "Enable SSH access to the node from the WAN interface
aredn.@wan[0].ssh_access",
+ default = "0",
+ needreboot = true
+ },
{
category = "Power Options",
key = "aredn.@poe[0].passthrough",
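Review bot: The two new `desc` strings say what the toggle enables but not what it exposes; since the accompanying firewall script opens TCP 80 and 8080 (web) and TCP 2222 (SSH) on the WAN interface, an operator flipping a default-off switch should see that in the UI, e.g. `desc = "Enable web access to the node from the WAN interface (opens TCP 80 and 8080 to WAN)` and `desc = "Enable SSH access to the node from the WAN interface (opens TCP 2222 to WAN)`. As rendered here each `desc` value appears to break across two lines with the uci key on the second line; a literal newline inside a Lua `"…"` string is a syntax error, so this is presumably a tag or escape lost in the page rendering and worth confirming against the committed file. The `settings` table these entries are added to starts and ends outside the hunk.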