diff --git a/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules b/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules index 8f76a07e..3cfac9c8 100755 --- a/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules +++ b/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules @@ -14,7 +14,7 @@ end uci:foreach('firewall', 'zone', reject_input_on_wan) -for _, zone in ipairs ({ 'mesh', 'local_client' } ) do +for _, zone in ipairs({'mesh', 'local_client', 'wired_mesh'}) do -- Other packages assign interfaces to these zones uci:section('firewall', 'zone', zone, { name = zone, @@ -24,7 +24,7 @@ for _, zone in ipairs ({ 'mesh', 'local_client' } ) do forward = 'REJECT', }) - uci:section('firewall', 'rule', zone .. '_ICMPv6_in', { + uci:section('firewall', 'rule', zone .. '_ICMPv6_in', { src = zone, proto = 'icmp', icmp_type = { @@ -53,7 +53,7 @@ for _, zone in ipairs ({ 'mesh', 'local_client' } ) do uci:delete('firewall', zone .. '_ICMPv6_out') end -uci:section('firewall', 'rule', 'local_client_ICMPv4_in', { +uci:section('firewall', 'rule', 'local_client_ICMPv4_in', { src = 'local_client', proto = 'icmp', icmp_type = { @@ -76,4 +76,22 @@ for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do end +-- We can't put mesh_wan into this zone, as mesh_wan is the same +-- interface as wan, which has its own zone +uci:set('firewall', 'wired_mesh', 'network', {'mesh_lan'}) + +-- VXLAN for wired meshing +for _, zone in ipairs({'wired_mesh', 'wan'}) do + uci:section('firewall', 'rule', zone .. '_vxlan', { + name = zone .. '_vxlan', + src = zone, + family = 'ipv6', + src_ip = 'fe80::/64', + proto = 'udp', + dest_port = '4789', + target = 'ACCEPT', + }) +end + + uci:save('firewall')
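Review bot: The context comment `-- Other packages assign interfaces to these zones`, directly under the changed `for` line, no longer holds for `wired_mesh`, because the last hunk of this commit sets that zone's `network` to `mesh_lan` in this same script. I would reword it, for example `-- Other packages assign interfaces to mesh and local_client; wired_mesh is bound to mesh_lan further down`. The loop body continues outside the hunk, so the input and output policy that `wired_mesh` picks up from the shared zone section is not visible here and is worth checking against what a wired mesh port should expose.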
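Review bot: The new `_vxlan` loop writes the ACCEPT rule for the `wan` zone unconditionally, so UDP 4789 is opened on the uplink whether or not wired meshing over WAN is in use. VXLAN carries no authentication of its own, and `src_ip = 'fe80::/64'` only limits senders to on-link neighbours. If a VXLAN interface is listening there (not visible in this diff), any host on the uplink segment is trusted as a mesh peer. Consider creating the wan rule only when mesh-on-WAN is enabled and removing it otherwise, or driving the rule's `enabled` option from that setting. At minimum, document the trust assumption above the loop, e.g. `-- VXLAN is unauthenticated: every link-local neighbour in these zones is treated as a mesh peer`.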