GITBOOK-409: disable FW management on gateway

defguard-community · gitbook-bot · commit 18a027608651 · 2025-06-24T12:08:18.000Z
diff --git a/configuration.md b/configuration.md
@@ -127,6 +127,15 @@ If you're using docker image you can pass this value as environmental variables
 * `DEFGUARD_GATEWAY_NAME`, `--name <NAME>` - (optional) human-readable gateway name that will be displayed in defguard webapp
 * `-s, --use-syslog` - enable logging to syslog
 * `RUST_LOG` : Logger log level, default: `info`, supported: `debug`, `warn`, `error`
+* `DEFGUARD_MASQUERADE`  - controls whether the gateway automatically applies masquerade NAT firewall rule; defaults to `false`
+*   `DEFGUARD_DISABLE_FW_MGMT`  - disables all firewall management by the gateway; this overrides `DEFGUARD_MASQUERADE` setting; defaults to `false` \
+
+
+    {% hint style="warning" %}
+    `DEFGUARD_DISABLE_FW_MGMT` is meant as a workaround for running in incompatible environments, where our [default firewall integration](enterprise/all-enteprise-features/access-control-list/firewall-internals.md) is not supported.
+
+    As a consequence, enabling this option disables [ACL functionality](enterprise/all-enteprise-features/access-control-list/) on a given gateway.
+    {% endhint %}
 
 #### Executing custom commands on VPN up/down
 
diff --git a/deployment-strategies/gateway/running-gateway-on-mikrotik-routers.md b/deployment-strategies/gateway/running-gateway-on-mikrotik-routers.md
@@ -6,6 +6,14 @@ By leveraging the ability of some MikroTik routers to run Docker containers it i
 Proceed with extra caution when working with your core infrastructure. All official [RouterOS containers warnings](https://help.mikrotik.com/docs/display/ROS/Container#Container-Disclaimer) still apply.
 {% endhint %}
 
+{% hint style="danger" %}
+Running the gateway on a MikroTik router is not fully supported.
+
+Due to custom RouterOS kernel incompatibility this kind of deployment does not support [Access Control List](../../enterprise/all-enteprise-features/access-control-list/) functionality.
+
+To run the gateway you must explicitly disable firewall management using the [`DEFGUARD_DISABLE_FW_MGMT` option](../../configuration.md#gateway-configuration).
+{% endhint %}
+
 ## Prerequisites
 
 * RouterOS device with ARM or ARM64 architecture (popular homelab choices include RB4011 or RB5009)
@@ -79,6 +87,7 @@ Container port being forwarded to must match your public WireGuard port.
 ```
 /container/envs/add name=defguard_env key=DEFGUARD_TOKEN value=<YOUR TOKEN>
 /container/envs/add name=defguard_env key=DEFGUARD_GRPC_URL value=<YOUR DEFGUARD GRPC URL>
+/container/envs/add name=defguard_env key=DEFGUARD_DISABLE_FW_MGMT value=true
 ```
 
 * (optional) to use SSL for communication between the gateway and your defguard instance copy the root certificate to your router's filesystem and add a following mount and environment variable:
