Deco BE85 "Ignore Ping from WAN" blocks all inbound UDP, breaks access to VPN server from internet
Just ran into an issue that cost me a few hours of troubleshooting, figured I'd document it here.
Setup:
- Deco BE85 (Router mode)
- Firmware 1.2.1
- WireGuard server running on a device behind the Deco
- The option 'Client Access' is set to 'Internet and Home network' and thus it should allow connections from the public internet
Problem: External connections to the WireGuard server failed. nmap from outside showed port 51820 as filtered. VPN server configuration was correct. I even tried an amazingly esoteric port forwarding rule, nothing.
Root cause: The "Ignore Ping from WAN" setting under More > Internet Connection was enabled. Despite the name suggesting it only blocks ICMP, disabling this immediately fixed the issue - WireGuard connections started working and the port showed as open.
This setting appears to block all unsolicited inbound WAN traffic, not just ICMP echo requests. Testing with nmap -sU -p 51820 showed the port as filtered when enabled, open when disabled. All other configuration (port forwarding, firewall rules) remained unchanged.
Solution:
Toggle "Ignore Ping from WAN" to off.
Impact:
- WireGuard VPN (UDP) (confirmed)
- Possible impact: anything else relying on incoming UDP (OpenVPN in UDP mode, IPsec/IKEv2 on UDP 500/4500, self-hosted game servers, etc.)
Question:
Is this the intended behavior? The name implies ICMP-only filtering.
Note: This setting may only appear when the Deco is in Router mode. Haven't tested in AP mode.
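
A way to check whether other forwarded UDP ports are affected, as an added example that is not part of the original post: a UDP echo responder to run on the LAN host and a probe to run from an outside network. It gives an unambiguous reply instead of relying on how the real service answers a scan. The names `serve_echo`, `probe` and `MAGIC` are hypothetical, and it assumes the port under test is forwarded to the LAN host and the real service on that port is stopped during the test.

```python
import socket
import sys

MAGIC = b"deco-udp-probe"  # constructed marker payload, not from the original post


def serve_echo(port, host="0.0.0.0", ready=None, max_packets=None):
    """Run on the LAN host behind the router: echo each datagram to its sender."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        if ready is not None:
            ready.set()  # lets a caller know the socket is bound
        handled = 0
        while max_packets is None or handled < max_packets:
            data, peer = s.recvfrom(2048)
            s.sendto(data, peer)
            handled += 1


def probe(host, port, timeout=2.0, attempts=3):
    """Run from outside the WAN. Returns 'reply', 'refused' or 'no-reply'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so ICMP errors surface
        for _ in range(attempts):  # UDP is lossy, so retry a few times
            try:
                s.send(MAGIC)
                if s.recv(2048) == MAGIC:
                    return "reply"  # packet was forwarded and answered
            except ConnectionRefusedError:
                return "refused"  # ICMP port unreachable: nothing listening
            except socket.timeout:
                continue
        return "no-reply"  # dropped silently somewhere on the path


if __name__ == "__main__":
    # LAN host:      python3 udpcheck.py serve 51820
    # outside host:  python3 udpcheck.py probe 203.0.113.10 51820
    #                (203.0.113.10 is a placeholder for your WAN address)
    if len(sys.argv) == 3 and sys.argv[1] == "serve":
        serve_echo(int(sys.argv[2]))
    elif len(sys.argv) == 4 and sys.argv[1] == "probe":
        print(probe(sys.argv[2], int(sys.argv[3])))
    else:
        sys.exit("usage: serve PORT | probe HOST PORT")
```

Run the probe once with "Ignore Ping from WAN" on and once with it off, changing nothing else. A `no-reply` that turns into `reply` shows the setting is dropping inbound UDP on that port.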
