diff --git a/package/gluon-mesh-batman-adv/Makefile b/package/gluon-mesh-batman-adv/Makefile
index 2e99dfa0..a800f975 100644
--- a/package/gluon-mesh-batman-adv/Makefile
+++ b/package/gluon-mesh-batman-adv/Makefile
@@ -12,7 +12,7 @@ define Package/gluon-mesh-batman-adv
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Support for batman-adv meshing
-  DEPENDS:=+gluon-core +kmod-batman-adv
+  DEPENDS:=+gluon-core +kmod-batman-adv +firewall +kmod-ipt-nathelper
 endef
 
 define Package/gluon-mesh-batman-adv/description
diff --git a/package/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh b/package/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh
index d721264f..3e3da515 100755
--- a/package/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh
+++ b/package/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh
@@ -18,6 +18,14 @@ uci_set network client peerdns '0'
 uci_set network client macaddr "$(sysconfig primary_mac)"
 uci_commit network
 
+uci_add firewall zone client
+uci_set firewall client name 'client'
+uci add_list firewall.client.network='client'
+uci_set firewall client input 'ACCEPT'
+uci_set firewall client output 'ACCEPT'
+uci_set firewall client forward 'REJECT'
+uci_commit firewall
+
 uci_add dhcp dhcp client
 uci_set dhcp client interface 'client'
 uci_set dhcp client ignore '1'
diff --git a/package/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node b/package/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node
index 445b6d46..bec0e1c1 100755
--- a/package/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node
+++ b/package/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node
@@ -34,3 +34,12 @@ uci_set network local_node_route6 target '@prefix6@'
 uci_set network local_node_route6 gateway '::'
 
 uci_commit network
+
+uci_remove firewall local_node
+uci_add firewall zone local_node
+uci_set firewall local_node name 'local_node'
+uci add_list firewall.local_node.network='local_node'
+uci_set firewall local_node input 'ACCEPT'
+uci_set firewall local_node output 'ACCEPT'
+uci_set firewall local_node forward 'REJECT'
+uci_commit firewall