diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 7bb82b17..56543331 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
index 50fa087b..aa04ce93 100644
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
@@ -1,6 +1,8 @@
 # If an router has a direct internet connection simple attack act as DOS attack
-iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -i $IF_WAN -j REJECT
+if [ -n "$IF_WAN" ]; then
+ iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -A INPUT -i $IF_WAN -j REJECT
+fi
 # Limit ssh to 6 new connections per 60 seconds
 /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
diff --git a/src/packages/fff/fff-gateway/Makefile b/src/packages/fff/fff-gateway/Makefile
index 7a10544c..71075858 100644
--- a/src/packages/fff/fff-gateway/Makefile
+++ b/src/packages/fff/fff-gateway/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-gateway
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
index f989d6be..2d4ee926 100644
--- a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
+++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
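Review bot: The WAN input filter inside the new `if` in 20-filter-ssh is IPv4-only: both rules use `iptables`, and the only `ip6tables` line visible in this hunk is the SSH rate limit that follows, so inbound IPv6 on `$IF_WAN` appears to be left to whatever other rules exist. If the WAN side can carry IPv6, the block should get counterparts such as `ip6tables -A INPUT -i "$IF_WAN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` followed by `ip6tables -A INPUT -i "$IF_WAN" -j REJECT`, with ICMPv6 neighbour discovery accepted ahead of the REJECT so address resolution keeps working. The file continues past this hunk, so this should be checked against the remaining rules before changing anything.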
@@ -1,3 +1,5 @@
 # Ensure nothing is forwarded onto WAN interface
-iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
-ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+if [ -n "$IF_WAN" ]; then
+ iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
+ ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+fi
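Review bot: When `IF_WAN` is empty the new guard skips both FORWARD rejects without leaving any trace, so a gateway whose WAN variable failed to populate comes up with no block on forwarding onto WAN and nothing in the log to show it. An `else` branch such as `logger -t fff-firewall "IF_WAN unset, WAN forward reject not installed"` would make that state visible to whoever operates the node. The expansions inside the guard are also still unquoted (`-o $IF_WAN`), so a value containing whitespace passes the `-n` test and then word-splits; `-o "$IF_WAN"` keeps it a single argument. Both remarks apply equally to the guard added in 20-filter-ssh.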