diff --git a/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall b/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
index b63f51938e21d474397431a54b00addc18392b9c..792e06a2c08337f2ecc2fc93596ce87acfceee37 100755
--- a/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
+++ b/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-wan-firewall
@@ -9,6 +9,7 @@ local c = uci.cursor()
 local function reject_input_on_wan(zone)
 	if zone.name == 'wan' then
 		c:set('firewall', zone['.name'], 'input', 'REJECT')
+		c:set('firewall', zone['.name'], 'conntrack', '1')
 	end
 
 	return true