diff --git a/wgengine/filter/filter.go b/wgengine/filter/filter.go
index 5e7ea3ed2..d87066c9e 100644
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -103,7 +103,8 @@ func NewAllowAllForTest(logf logger.Logf) *Filter {
 	any6 := netaddr.IPPrefixFrom(netaddr.IPFrom16([16]byte{}), 0)
 	ms := []Match{
 		{
-			Srcs: []netaddr.IPPrefix{any4},
+			IPProto: []ipproto.Proto{ipproto.TCP, ipproto.UDP, ipproto.ICMPv4},
+			Srcs:    []netaddr.IPPrefix{any4},
 			Dsts: []NetPortRange{
 				{
 					Net: any4,
@@ -115,7 +116,8 @@ func NewAllowAllForTest(logf logger.Logf) *Filter {
 			},
 		},
 		{
-			Srcs: []netaddr.IPPrefix{any6},
+			IPProto: []ipproto.Proto{ipproto.TCP, ipproto.UDP, ipproto.ICMPv6},
+			Srcs:    []netaddr.IPPrefix{any6},
 			Dsts: []NetPortRange{
 				{
 					Net: any6,
diff --git a/wgengine/filter/filter_test.go b/wgengine/filter/filter_test.go
index 00e319940..9b8e7a708 100644
--- a/wgengine/filter/filter_test.go
+++ b/wgengine/filter/filter_test.go
@@ -815,3 +815,13 @@ func TestMatchesFromFilterRules(t *testing.T) {
 		})
 	}
 }
+
+func TestNewAllowAllForTest(t *testing.T) {
+	f := NewAllowAllForTest(logger.Discard)
+	src := netaddr.MustParseIP("100.100.2.3")
+	dst := netaddr.MustParseIP("100.100.1.2")
+	res := f.CheckTCP(src, dst, 80)
+	if res.IsDrop() {
+		t.Fatalf("unexpected drop verdict: %v", res)
+	}
+}