diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 3b2cb03f1..e55602ed6 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -57,6 +57,7 @@ my $netsettings = "${General::swroot}/ethernet/settings";
my $errormessage='';
my $orange;
my $green;
+my $blue;
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
my $CHAIN="FORWARDFW";
@@ -96,15 +97,21 @@ if($param eq 'flush'){
&p2pblock;
system ("/usr/sbin/firewall-forward-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+ $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
if ($defaultNetworks{'ORANGE_DEV'}){
$defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
$orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
#set default rules for DMZ
system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
- &p2pblock;
}
+ if ($defaultNetworks{'BLUE_DEV'}){
+ $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
+ $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
+ #set default rules for BLUE
+ system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
+ }
+ &p2pblock;
system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
system ("/usr/sbin/firewall-forward-policy");
}
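Review bot: The new BLUE rule `system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");` ignores iptables' exit status, and the next rule accepts every NEW connection. If the RETURN rule fails to load (for example BLUE_DEV is set but BLUE_ADDRESS or BLUE_NETMASK is empty, giving `-s /`), MODE2 presumably leaves BLUE able to reach GREEN. The existing ORANGE rule has the same problem. The single-string form also hands the interpolated settings values to a shell whenever they contain metacharacters, so the list form with a check is safer: `system('iptables','-A',$CHAIN,'-s',$blue,'-d',$green,'-j','RETURN') == 0 or $errormessage = "iptables BLUE rule failed";`, and the ACCEPT rule should be skipped when that fails. The enclosing if/elsif chain starts outside the hunk.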
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 18ed594ca..2b84d1773 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -731,9 +731,9 @@ sub checktarget
$ip=&General::ip2dec($ip);
$ip=&General::dec2ip($ip);
- #check if net
+ #check if net or broadcast
my @tmp= split (/\./,$ip);
- if ($tmp[3] eq "0")
+ if ($tmp[3] eq "0" || ($tmp[3] eq "255"))
{
$errormessage=$Lang::tr{'fwhost err hostip'}."
";
}
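Review bot: The test `$tmp[3] eq "0" || ($tmp[3] eq "255")` decides network and broadcast addresses from the last octet alone, which only holds on /24 boundaries: in a /16 an address ending in .0 or .255 can be an ordinary host, while in a /25 the broadcast .127 and the network .128 pass. No netmask is visible in this part of checktarget, so at minimum a comment should state the assumption, e.g. `#heuristic: last octet only, assumes /24-aligned networks`. The inner parentheses around the second comparison are redundant. checktarget's body starts and ends outside the hunk.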
@@ -876,7 +876,7 @@ sub checkrule
$hint.=$Lang::tr{'fwdfw hint ip2'}." Source: $networkip1/$scidr Target: $networkip2/$tcidr
";
}
}else{
- if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) && $tcidr ne '32' ){
+ if ( &General::IpInSubnet($networkip2,$sip,&General::iporsubtodec($scidr)) ){
$errormessage.=$Lang::tr{'fwdfw err samesub'};
}
}
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 0dbb25feb..8333c4df7 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -353,6 +353,7 @@ case "$1" in
$0 stop
$0 start
/usr/local/bin/forwardfwctrl
+ /usr/local/bin/setportfw
/usr/local/bin/openvpnctrl -s > /dev/null 2>&1
/usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
;;