diff --git a/net/firewall-redirect-192-168-1-1/Makefile b/net/firewall-redirect-192-168-1-1/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..6769f18361b9d82d05dcdd410457c8d253fb0bee
--- /dev/null
+++ b/net/firewall-redirect-192-168-1-1/Makefile
@@ -0,0 +1,39 @@
+#
+## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
+#
+## This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+# #
+#
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewall-redirect-192_168_1_1
+PKG_VERSION:=0.1.0
+PKG_RELEASE:=1
+
+PKG_MAINTAINER:=CZ.NIC
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/firewall-redirect-192-168-1-1
+ SECTION:=net
+ CATEGORY:=Base system
+ TITLE:=Firewall redirect 192.168.1.1 onto router
+ DEPENDS:=+firewall
+endef
+
+define Package/firewall-redirect-192-168-1-1/description
+ Additional firewall rule that redirects all traffic from zone 'lan' targeting IP
+ address 192.168.1.1 to local address.
+endef
+
+Build/Compile:=:
+
+define Package/firewall-redirect-192-168-1-1/install
+ $(INSTALL_DIR) $(1)/usr/libexec/
+ $(INSTALL_BIN) ./files/firewall-redirect.sh $(1)/usr/libexec/firewall-redirect-192-168-1-1.sh
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/95-firewall-redirect-192-168-1-1
+endef
+
+$(eval $(call BuildPackage,firewall-redirect-192-168-1-1))
diff --git a/net/firewall-redirect-192-168-1-1/files/firewall-redirect.sh b/net/firewall-redirect-192-168-1-1/files/firewall-redirect.sh
new file mode 100755
index 0000000000000000000000000000000000000000..7e00daf09501d7210e1f27bafebcfd3e676e02df
--- /dev/null
+++ b/net/firewall-redirect-192-168-1-1/files/firewall-redirect.sh
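Review bot: The package Makefile has no removal hook: next to `Package/firewall-redirect-192-168-1-1/install` there is no `prerm` or `postrm` section, so uninstalling only deletes the two installed files. The nat rule carrying the `!redirect: 192.168.1.1` comment would presumably stay active until the firewall is next reloaded, and whatever the uci-defaults script registers (its body is cut off on this page) would presumably remain in the configuration. A `define Package/firewall-redirect-192-168-1-1/prerm` section that deletes the rule by its comment and removes that UCI entry would make removal clean. Separately, `PKG_NAME:=firewall-redirect-192_168_1_1` uses underscores where the directory and the package name use hyphens; `PKG_NAME:=firewall-redirect-192-168-1-1` would keep them consistent unless the difference is deliberate.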
@@ -0,0 +1,21 @@
+#!/bin/sh
+comment="!redirect: 192.168.1.1"
+chain="zone_lan_prerouting"
+
+# Remove any existing rule
+# (firewall3 removes only fules in chains it knows so we have to do this to potentially clean after ourself)
+iptables -t nat -S \
+ | grep -F " --comment \"$comment\" " \
+ | while read -r operation rule; do
+ # Operation -A is dropped (variable 'operation' is intentionally left out)
+ echo "$rule" | xargs -x iptables -t nat -D
+ # Note: xargs is used here because it handles quotes properly over just plain expansion
+ done
+
+# Add appropriate redirect rule
+if iptables -t nat -S "$chain" >/dev/null 2>&1; then
+ iptables -t nat -I "$chain" -m comment --comment "$comment" -d 192.168.1.1 -j REDIRECT
+ echo " * Redirecting 192.168.1.1 on lan interface to router"
+else
+ echo "Warning: There is no zone 'zone_lan_prerouting' (zone 'lan' probably does not exist)"
+fi
diff --git a/net/firewall-redirect-192-168-1-1/files/uci-defaults b/net/firewall-redirect-192-168-1-1/files/uci-defaults
new file mode 100755
index 0000000000000000000000000000000000000000..9d51465fbcbd7f945a07fc4182b0adcba7c4470b
--- /dev/null
+++ b/net/firewall-redirect-192-168-1-1/files/uci-defaults
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+uci -q batch <
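Review bot: In files/firewall-redirect.sh, the rule inserted on the `iptables -t nat -I "$chain" …` line has no protocol or port match, so every connection from zone lan to 192.168.1.1 terminates on the router, and a real host at that address (for example an upstream modem, if the WAN side happens to use 192.168.1.0/24) becomes unreachable from the LAN. If only the web interface needs to answer on that address, narrow the match by adding `-p tcp -m multiport --dports 80,443` before `-j REDIRECT`; if capturing all traffic is intended, a comment above the rule stating that and naming the upstream-address caveat would help the next maintainer. The success message is also printed whether or not the insert worked; chaining it as `iptables … -j REDIRECT && echo " * Redirecting 192.168.1.1 on lan interface to router"` keeps the log accurate. Failures of `iptables -t nat -D` inside the cleanup loop are likewise ignored, which can leave a stale copy of the rule in place without any message.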