diff --git a/package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network b/package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network
index 3cfaec2c..cb626814 100755
--- a/package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network
+++ b/package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network
@@ -51,14 +51,9 @@ uci:section('firewall', 'zone', 'drop', {
 	forward = 'DROP',
 })
 
-uci:section('firewall', 'zone', 'local_client', {
-	name = 'local_client',
-	network = {'local_node'},
-	input = 'REJECT',
-	output = 'ACCEPT',
-	forward = 'REJECT',
-})
-
+local networks = uci:get_list('firewall', 'local_client', 'network')
+util.add_to_set(networks, 'local_node')
+uci:set_list('firewall', 'local_client', 'network', networks)
 
 local dnsmasq = uci:get_first('dhcp', 'dnsmasq')
 
diff --git a/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules b/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules
index 7ebc80b5..8f76a07e 100755
--- a/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules
+++ b/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules
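Review bot: The new get_list/add_to_set/set_list sequence silently assumes that the `local_client` zone section already exists; if it does not, `uci:get_list` yields an empty list and the `set_list` on a missing section is presumably a no-op, leaving the `local_node` interface outside any firewall zone with no error. The zone is now created only by the `for _, zone in ipairs ({ 'mesh', 'local_client' } )` loop in 140-firewall-rules (the first hunk of the second file), so correctness rests on the numeric ordering of upgrade scripts (140 before 300), which neither hunk states. Please document the dependency here, e.g. `-- the local_client zone is created by gluon-core's 140-firewall-rules, which runs first`, and consider a guard such as `assert(uci:get('firewall', 'local_client'), 'local_client zone missing')` so a packaging mistake fails loudly at upgrade time instead of producing an unzoned interface. `util.add_to_set` also relies on a `util` local required above the hunk; I cannot see that require from here, so please confirm it is in scope.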
@@ -14,40 +14,16 @@ end
 uci:foreach('firewall', 'zone', reject_input_on_wan)
 
 
--- the client zone is set up by gluon-client-bridge
---
-uci:section('firewall', 'zone', 'mesh', {
-	name = 'mesh',
-	network = {},
-	input = 'REJECT',
-	output = 'ACCEPT',
-	forward = 'REJECT',
-})
-
--- allow inbound ssh from anywhere
-for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
-	uci:section('firewall', 'rule', zone .. '_ssh', {
-		name = zone .. '_ssh',
-		src = zone,
-		dest_port = '22',
-		proto = 'tcp',
-		target = 'ACCEPT',
-	})
-end
-
-
--- allow icmp in/out on all relevant zones
-uci:section('firewall', 'rule', 'local_client_ICMPv4_in', {
-	src = 'local_client',
-	proto = 'icmp',
-	icmp_type = {
-		'echo-request',
-	},
-	family = 'ipv4',
-	target = 'ACCEPT',
-})
-
 for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
+	-- Other packages assign interfaces to these zones
+	uci:section('firewall', 'zone', zone, {
+		name = zone,
+		network = {},
+		input = 'REJECT',
+		output = 'ACCEPT',
+		forward = 'REJECT',
+	})
+
 	uci:section('firewall', 'rule', zone .. '_ICMPv6_in', {
 		src = zone,
 		proto = 'icmp',
@@ -77,4 +53,27 @@ for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
 	uci:delete('firewall', zone .. '_ICMPv6_out')
 end
 
+uci:section('firewall', 'rule', 'local_client_ICMPv4_in', {
+	src = 'local_client',
+	proto = 'icmp',
+	icmp_type = {
+		'echo-request',
+	},
+	family = 'ipv4',
+	target = 'ACCEPT',
+})
+
+
+-- allow inbound SSH from anywhere
+for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
+	uci:section('firewall', 'rule', zone .. '_ssh', {
+		name = zone .. '_ssh',
+		src = zone,
+		dest_port = '22',
+		proto = 'tcp',
+		target = 'ACCEPT',
+	})
+end
+
+
 uci:save('firewall')
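Review bot: The relocated `local_client_ICMPv4_in` rule in the second hunk of this file lost the `-- allow icmp in/out on all relevant zones` comment that preceded it in the old position, so it is now the only firewall rule in the script with no explanation of its intent, while the SSH loop right below it kept its comment. Please restore a one-line comment above `uci:section('firewall', 'rule', 'local_client_ICMPv4_in', {`, e.g. `-- allow ICMPv4 echo-request from clients (IPv6 ICMP is handled per zone in the loop above)`, so a reader sees why only ipv4 and only echo-request are accepted here. For the same reason, the added comment in the zone loop would be clearer if it named the mechanism the other packages use, e.g. `-- zones start with an empty network list; other packages add their interfaces via uci:set_list`.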