diff --git a/package/secubox/secubox-core/Makefile b/package/secubox/secubox-core/Makefile index 7ab207da..c00f8a7d 100644 --- a/package/secubox/secubox-core/Makefile +++ b/package/secubox/secubox-core/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=secubox-core PKG_VERSION:=0.9.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_ARCH:=all PKG_LICENSE:=GPL-2.0 PKG_MAINTAINER:=SecuBox Team @@ -77,6 +77,13 @@ define Package/secubox-core/install $(INSTALL_BIN) ./root/usr/sbin/secubox-state $(1)/usr/sbin/ $(INSTALL_BIN) ./root/usr/sbin/secubox-component $(1)/usr/sbin/ $(INSTALL_BIN) ./root/usr/sbin/secubox-sync-registry $(1)/usr/sbin/ + $(INSTALL_BIN) ./root/usr/sbin/secubox-wan-access $(1)/usr/sbin/ + + # WAN Access persistence (firewall include + hotplug) + $(INSTALL_DIR) $(1)/etc + $(INSTALL_BIN) ./root/etc/firewall.secubox-wan $(1)/etc/ + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_BIN) ./root/etc/hotplug.d/iface/99-secubox-wan $(1)/etc/hotplug.d/iface/ $(INSTALL_DIR) $(1)/usr/libexec/rpcd $(INSTALL_BIN) ./root/usr/libexec/rpcd/luci.secubox $(1)/usr/libexec/rpcd/ @@ -133,6 +140,15 @@ EOF # Register with rpcd /etc/init.d/rpcd restart + # Setup firewall include for WAN access persistence (fw4 compatible) + if ! uci -q get firewall.secubox_wan_include >/dev/null 2>&1; then + uci set firewall.secubox_wan_include=include + uci set firewall.secubox_wan_include.path='/etc/firewall.secubox-wan' + uci set firewall.secubox_wan_include.type='script' + uci commit firewall + echo "SecuBox WAN access firewall include configured" + fi + # Sync component registry from catalog if [ -x /usr/sbin/secubox-sync-registry ]; then echo "Syncing component registry..." diff --git a/package/secubox/secubox-core/root/etc/firewall.secubox-wan b/package/secubox/secubox-core/root/etc/firewall.secubox-wan new file mode 100644 index 00000000..96faba2a --- /dev/null +++ b/package/secubox/secubox-core/root/etc/firewall.secubox-wan 
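Review bot: In the postinst hunk (`@@ -133,6 +140,15 @@`) the comment calls the include fw4 compatible, but none of the added `uci set` lines sets `fw4_compatible`; fw4 ignores a `type='script'` include that is not marked that way, so on an fw4 system the hook would most likely never run. I would add `uci set firewall.secubox_wan_include.fw4_compatible='1'` before `uci commit firewall`, after confirming that `secubox-wan-access apply` is safe to run from an fw4 reload. No removal of the `secubox_wan_include` section is visible in this diff, so it is worth checking that a prerm deletes it; otherwise an uninstall leaves a dangling include. The postinst script starts and ends outside the hunk.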
@@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# SecuBox WAN Access - Firewall Include Script
+# This script is called on every firewall reload to ensure WAN access rules persist
+#
+
+# Only run if secubox-wan-access exists
+[ -x /usr/sbin/secubox-wan-access ] || exit 0
+
+# Log the reload
+logger -t secubox-wan "Firewall reload detected - reapplying WAN access rules"
+
+# Apply WAN access rules from UCI config
+/usr/sbin/secubox-wan-access apply >/dev/null 2>&1
+
+exit 0
diff --git a/package/secubox/secubox-core/root/etc/hotplug.d/iface/99-secubox-wan b/package/secubox/secubox-core/root/etc/hotplug.d/iface/99-secubox-wan
new file mode 100644
index 00000000..9f972568
--- /dev/null
+++ b/package/secubox/secubox-core/root/etc/hotplug.d/iface/99-secubox-wan
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# SecuBox WAN Access - Network Hotplug Script
+# Reapplies WAN access rules when WAN interface comes up
+#
+
+[ "$ACTION" = "ifup" ] || exit 0
+[ "$INTERFACE" = "wan" ] || [ "$INTERFACE" = "wan6" ] || exit 0
+
+# Only run if secubox-wan-access exists
+[ -x /usr/sbin/secubox-wan-access ] || exit 0
+
+logger -t secubox-wan "WAN interface $INTERFACE up - reapplying WAN access rules"
+
+# Small delay to ensure firewall is ready
+sleep 2
+
+# Apply WAN access rules
+/usr/sbin/secubox-wan-access apply >/dev/null 2>&1
+
+exit 0
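Review bot: In `firewall.secubox-wan` the result of `secubox-wan-access apply` is thrown away: its output goes to `/dev/null` and the script ends with an unconditional `exit 0`, so the log says "reapplying WAN access rules" whether or not anything was applied. For a hook that re-applies WAN-facing access on every firewall reload, the outcome belongs in the log, for example `/usr/sbin/secubox-wan-access apply >/dev/null 2>&1 || logger -t secubox-wan -p daemon.err "WAN access apply failed (rc=$?)"`. The same pattern is in `99-secubox-wan`. A header comment naming the UCI configuration that decides what gets exposed would also help anyone auditing this include.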
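Review bot: The `sleep 2` in `99-secubox-wan` runs in the foreground of the hotplug handler, so every `ifup` of `wan` or `wan6` holds up the remaining iface scripts for two seconds, and the delay is a guess about firewall readiness rather than a check. Since the firewall include added in this commit is meant to reapply the rules on each reload, consider dropping the hotplug script or detaching the work, `( sleep 2; /usr/sbin/secubox-wan-access apply >/dev/null 2>&1 ) &`. The match on the literal names `wan` and `wan6` also means an uplink with a different logical interface name is never covered; a comment such as `# Only the default interface names wan/wan6 are handled` would make that limit explicit.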