diff --git a/omr-schedule/files/usr/share/omr/schedule.d/010-services b/omr-schedule/files/usr/share/omr/schedule.d/010-services
index dcb6c5ced..29462d468 100755
--- a/omr-schedule/files/usr/share/omr/schedule.d/010-services
+++ b/omr-schedule/files/usr/share/omr/schedule.d/010-services
@@ -141,8 +141,8 @@ set_lan_ips() {
     config_get ip4table "$1" ip4table
     config_get device "$1" device
     config_get proto "$1" proto
-    if [ "$ip4table" = "lan" ] && [ -n "$device" ] && ([ "$proto" = "dhcp" ] || [ "$proto" = "static" ]); then
-	[ -z "$(uci -q get shadowsocks-libev.ss_rules.ifnames | grep $device)" ] && {
+    if [ "$ip4table" != "wan" ] && [ "$ip4table" != "vpn" ] && [ -n "$ip4table" ] && [ -n "$device" ] && ([ "$proto" = "dhcp" ] || [ "$proto" = "static" ]); then
+	[ -z "$(uci -q get shadowsocks-libev.ss_rules.ifnames | grep $device)" ] && [ -z "$(uci -q get shadowsocks-rust.ss_rules.ifnames | grep $device)" ] && {
 	    uci -q add_list shadowsocks-libev.ss_rules.ifnames="$device"
 	    uci -q add_list shadowsocks-rust.ss_rules.ifnames="$device"
 	}
@@ -154,6 +154,12 @@ set_lan_ips() {
 config_load network
 config_foreach restart_omrtracker interface
 [ "$(uci -q get openmptcprouter.settings.restrict_to_lan)" = "1" ] && config_foreach set_lan_ips interface
+[ "$(uci -q get openmptcprouter.settings.restrict_to_lan)" = "0" ] && ([ -n "$(uci -q get shadowsocks-libev.ss_rules.ifnames)" ] || [ -n "$(uci -q get shadowsocks-rust.ss_rules.ifnames)" ]) && {
+	uci -q batch <<-EOF
+		delete shadowsocks-libev.ss_rules.ifnames="$device"
+		delete shadowsocks-rust.ss_rules.ifnames="$device"
+	EOF
+}
 uci -q commit shadowsocks-libev.ss_rules
 uci -q commit shadowsocks-rust.ss_rules
 multipath_fix() {
diff --git a/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall b/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall
index 486951646..3d06a87e8 100755
--- a/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall
+++ b/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall
@@ -245,12 +245,18 @@ uci -q batch <<-EOF >/dev/null
 	set firewall.@include[0].reload='1'
 	commit firewall
 EOF
-if [ "$(uci -q get openmptcprouter.settings.sipalg)" = "" ]; then
+if [ -z "$(uci -q get openmptcprouter.settings.sipalg)" ]; then
 	uci -q batch <<-EOF >/dev/null
 		set openmptcprouter.settings.sipalg='1'
 		commit openmptcprouter
 	EOF
 fi
+if [ -z "$(uci -q get openmptcprouter.settings.restrict_to_lan)" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set openmptcprouter.settings.restrict_to_lan='1'
+		commit openmptcprouter
+	EOF
+fi
 if [ "$(uci -q get openmptcprouter.settings.sipalg)" = "0" ]; then
 	uci -q batch <<-EOF >/dev/null
 		set firewall.zone_lan.auto_helper='0'