diff --git a/plugins/interface/intf_base_plugin.js b/plugins/interface/intf_base_plugin.js
index 1def293a..8e16a2ef 100644
--- a/plugins/interface/intf_base_plugin.js
+++ b/plugins/interface/intf_base_plugin.js
@@ -761,6 +761,12 @@ class InterfaceBasePlugin extends Plugin {
     }
   }
 
+  async resetConnmark() {
+    // reset first bit of connmark to make packets of established connections go through iptables filter again
+    await exec(`sudo conntrack -U -m 0x00000000/0x80000000`).catch((err) => {});
+    await exec(`sudo conntrack -U -f ipv6 -m 0x00000000/0x80000000`).catch((err) => {});
+  }
+
   async updateRouteForDNS() {
     // TODO: there is no IPv6 DNS currently
     const dns = await this.getDNSNameservers();
@@ -892,6 +898,8 @@ class InterfaceBasePlugin extends Plugin {
 
     await this.changeRoutingTables();
 
+    await this.resetConnmark();
+
     if (this.isWAN()) {
       this._wanStatus = {};
       this._wanConnState = this._wanConnState || { ready: true, successCount: OFF_ON_THRESHOLD - 1, failureCount: 0 };
diff --git a/scripts/prepare_network_env.sh b/scripts/prepare_network_env.sh
index 31dcb870..208958ae 100755
--- a/scripts/prepare_network_env.sh
+++ b/scripts/prepare_network_env.sh
@@ -384,6 +384,8 @@ sudo ip -6 r flush table static
 
 # ------ initialize ip rules
 # do not touch ip rules created by Firewalla
+# intermediate state of ip rule initializaton may result in wrong routing decision and wrongly accepts a packet that should be blocked, so temporarily suspend packet forward
+sudo iptables -w -C FR_FORWARD -m comment --comment "forward temp suspend" -j DROP &> /dev/null || sudo iptables -w -I FR_FORWARD -m comment --comment "forward temp suspend" -j DROP
 rules_to_remove=`ip rule list | grep -v -e "^\(5000\|6000\|10000\):" | cut -d: -f2-`;
 while IFS= read -r line; do
   sudo ip rule del $line
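Review bot: Both `.catch((err) => {})` handlers in resetConnmark swallow every failure, so a missing conntrack binary, a sudo denial or a conntrack error leaves established flows bypassing the filter after a routing change with nothing in the logs; the catch should at least record `err` (currently an unused parameter) through whatever logger this file already imports, e.g. `.catch((err) => { LOGGER_PLACEHOLDER.error('resetConnmark failed', err.message); })`. The comment "reset first bit" is ambiguous for a mask of 0x80000000, which selects the most significant bit, so I would word it `// clear the most significant connmark bit (0x80000000) so packets of established connections traverse the iptables filter again`. The two conntrack invocations are independent of each other and could be awaited together with `Promise.all` rather than in sequence, though that is a style point. The enclosing class continues outside the hunk.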
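Review bot: The new `await this.resetConnmark();` has no comment explaining why it must follow `changeRoutingTables()`, and since resetConnmark takes no interface argument the conntrack update appears to be system-wide, so it presumably runs once per interface whenever several interfaces are reconfigured in sequence; whether that repetition is intended is not visible from the hunk. A one-line why-comment above the call would help the next reader, e.g. `// system-wide: clear the connmark accept bit so established flows are re-evaluated under the new routing tables`. The enclosing method starts before the hunk, so I cannot tell whether it is already gated on a real routing change.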
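Review bot: The temporary `DROP` inserted into FR_FORWARD is removed only by the explicit `-D` later in the script (and the ip6tables counterpart in the following two hunks), so if the script exits early between insert and delete — an error under `set -e`, a signal, or a sudo failure — all forwarding stays blocked until the rule is cleaned up by hand. Registering an EXIT trap right after the insert makes the cleanup unconditional, e.g. `trap 'sudo iptables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP 2>/dev/null; sudo ip6tables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP 2>/dev/null' EXIT`, provided the script does not already install an EXIT trap this would replace. The `&> /dev/null` redirection is bash-only, which is fine as long as the script's shebang is bash. The added comment also has a typo, `initializaton`.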
@@ -396,7 +398,9 @@ sudo ip rule add pref 32767 from all lookup default sudo ip rule add pref 500 from all iif lo lookup global_local sudo ip rule add pref 4001 from all lookup static " +sudo iptables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP +sudo ip6tables -w -C FR_FORWARD -m comment --comment "forward temp suspend" -j DROP &> /dev/null || sudo ip6tables -w -I FR_FORWARD -m comment --comment "forward temp suspend" -j DROP rules_to_remove=`ip -6 rule list | grep -v -e "^\(5000\|6000\|10000\):" | cut -d: -f2-`; while IFS= read -r line; do sudo ip -6 rule del $line @@ -409,4 +413,4 @@ sudo ip -6 rule add pref 32767 from all lookup default sudo ip -6 rule add pref 500 from all iif lo lookup global_local sudo ip -6 rule add pref 4001 from all lookup static " - +sudo ip6tables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP
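Review bot: The `-D` lines in this hunk and the last one have no guard, unlike the `-C || -I` inserts, so when the earlier insert did not take effect (FR_FORWARD not present at that point, or the `-I` failed) they print an iptables error to stderr and the script carries on without any indication that forwarding was never suspended. Mirroring the insert, `sudo iptables -w -C FR_FORWARD -m comment --comment "forward temp suspend" -j DROP &> /dev/null && sudo iptables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP`, keeps the output clean, and the same applies to the ip6tables `-D` that replaces the trailing blank line at the end of the file. The IPv4 suspend is lifted before the IPv6 one is installed, so the two windows do not overlap; if that ordering is deliberate, a short comment on the ip6tables insert saying so would save the next reader from wondering.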