Access point for local server

Hello, I have a lot of questions about the configuration of an access point to a local router. I'm running an apache server on a laptop and want to provide local access to this server but no internet. I configured the original firmware of a TL-WR802Nv4 as AP and UPnP did the rest. DHCP handed out an IP for the server and the clients had to enter this IP in their address bar.
This works but is inconvenient for two reasons:

  • List item The server may change frequently and I have to use a new IP with every new server.

  • List item .The use of IPs as URLs is very unhandy.

This is where I decided to give a chance to openwrt.
The router has 1 lan port and would be nice to bind a static IP to that port rather than to the mac address. I was hoping for something like 'ifname eth0 -> IP=xxxxx' - I didn't find such an option in the 'host setting' section of the dhcp file. At present I bind the static IP to the mac address of the server and can attach a name to it. That better than using the IP itself but what i really want is an automatic redirect to the server when a client logs into the wlan net.
After searching quite a while I always find these 2 suggestions:

  • List item use NAT with something like iptables -A PREROUTING -s -p tcp -m tcp --dport 80 -j DNAT --to-destination

  • List item use a captive portal

The captive portal seems to be a bit over the tops since I don't need the authentification part.

So I worked on the IP redirect with no success and a lot of confusion! As suggested in the openwrt documentation the eth0 and wlan0 interface of the router are bridged and I'm left with a single 'br-lan' interface in the firewall zone lan - there is no wan at all. I thought of the apache server playing the wan part but that's not the case. Now the big question is what can a firewall do with only one zone? I tried to set up two interfaces with eth0 and wlan0 separated but that does not work and gives the error that wlan0 does not exists. Can anyone give me a helping hand or point me in the right direction?

it's not the zone that's relavent, it's the single subnet which circumvents the layer3 function via the switching fabric...

use static ips for servers ( or a reservation )...

captive portal redirection is another issue entirely and will hit the layer3 ( ip ) fabric due to non-local ip's being directed to the default gateway... readup on nodogsplash and/or coovachilli...


I use a static IP for the server but I still have to reconfigure the the router for every new server.
I don't know what the layer3 function is but I'm aware of wifidog etc. and that's why I prefer the 'NAT' solution. However I can't get that to work.

iptables rule is missing the -t nat, by default is filter and there is no PREROUTING there.

1 Like

Sorry for that - my mistake. I tried it with -t nat and no success. Meanwhile I got more information! I put that line in the firewall.user file and when I restart the firewall on the shell I see two hopefully useful messages

  • Warning: Unable to locate ipset utility, disabling ipset support

  • iptables: No chain/target/match by that name.

The second one is strange: when I type 'ipt' and hit 'TAB' 'iptable' is completed.

About the first one I have a stupid question: How can I install the iset package? When I plug the router to the Internet via lan I can reach the Internet but I can't ssh the router ( Thanks for any advice!

What IP did you change it to?

opkg update
opkg install ipset
  • Web GUI
  • you may want to fix that access issue

Show the whole command you misunderstand the error - it's not saying the iptables command is missing.

It means you likely combined an invalid -t with an invalid -I or -A. I'm guessing since you were told to use -t nat.

1 Like

I am not sure I understand correctly, but if what you are trying to is to provide access to the server from the local machines but prevent the server from accessing Internet or being accessed from Internet?

If so, then why not just set a static IP on the server NIC (outside the router's DHCP pool) and leave the DNS fields blank?

Captive portal is really the way to do this since the key functionality that you want is for ANY site a user requests to "bounce" and instead show the home page from your private server. This is already fully implemented in a captive portal.

Within OpenWrt you would have a captive network, which is only the wireless AP and (in the case of coova-chilli) it is managed in userspace by the portal software. The web server can be on the router's LAN or even a WAN network, which would let you better firewall users out of trying to hack into the router itself.

It should not be necessary to do any low-level tinkering with iptables.

1 Like

O.K. Here we are:
iptables -t nat -I PREROUTING -s -p tcp -m tcp --dport 80 -j DNAT --to-destination

The message now is:
Running script '/etc/firewall.user'

This looks much better but still no success. I can connect to but gets a time-out. I guess ipset is needed?

The access issue: I didn't change the IP manually, how can I find out the 'new' IP?

I just wanted to point out that there is no Internet involved. For me it looks like every router configuration assumes the use of the Internet.


Can you clarify what you're trying to do?

This looks invalid.



Where did this IP come from?

ipset for what?

Also you don't have to make a post in reply to every person, we can all see.

And is there a reason you're not using the UCI syntax or file, nor web GUI? This is much easier there.

config redirect
	option target 'DNAT'
	option src_ip '192.168.1.x'
	option proto 'tcp'
	option src_dport '80'
	option dest_port '80'
	option name 'HTTP'
	option dest 'XXXXXXXX'
	option dest_ip ''

I'm also lost how the IPs in your command are in the same subnet.

Sorry but I'm new in this forum. mk24 describes what I want to achieve. The idea is that every traffic coming form a client ( is directed to the server (192.168.191). As to the capture portal: I want to avoid doing the 'authentification ' staff. And I'm still not able install packages.

You'd set up a captive portal except your server never provides the user a button, payment, etc. to connect to the Internet-- because you're not providing Internet. You can have any number of pages in your site because once they have loaded the first page, the IP (or you can use a name, and set up OpenWrt to DNS it to a fixed IP) of your server will be in their browser, and all of your links will be relative within the same site.

The opkg installation system is intended for the router to be connected to the Internet during package installation. Then it can be disconnected.


This isn't a client. It's invalid as a client IP using a subnet of It's a network address.


This is likely why your firewall rule doesn't work.



This doesn't explain why you want to install ipset; nor why you are creating a firewall rule with an invalid network address used as a client IP in the same subnet as the destination.

You need Internet, or Internet on another device to copy all the packages over. They don't magically appear.

It seems like you just need to make a domain name (e.g. and/or in the OpenWrt's DNS for the server at - and you're done! :wink: Traffic doesn't pass a firewall on the same network. :bulb:

1 Like

Obviously I'm not an expert in network stuff, that's the reason why I post my questions in this forum. I spent a few days to figure it out on my own but it is very time consuming to find each bit of information one needs. The iptables line is stolen from here:

For me it looked good enough to give a try.

You may believe it or not: I do know that packages need to be downloaded. And I do know that one needs the Internet for this. The problem seems to be that I have access to the Internet vie lan only. As mentioned earlier when plugin the router in my Internet switch I can't connect to the router anymore. I know one copy the packages to /tmp and install from there. I even managed to find out where the packages are and also the instruction set of my router. But there is not only one package but a number of them with slightly different names - which one to choose? Why I want to install ipset - well for me it sounds like set an ip and that's what I want to do.

You don't explain why you stole this...

Nonetheless, I read this:

  • This doesn't require ipset; nor a firewall setting.
  • Besides, if you're in the same physical network, you never pass the firewall :wink:
  • Usually networks are number properly in their physical space (and I assume you did too), hence your firewall rule did nothing.

I don't think you need any. I think you need this:

config domain                 
	option ip ''                                
	option name ''

config domain                 
	option ip ''                                
	option name ''

EDIT: This goes in /etc/config/dhcp

1 Like

It really works a lot better to connect to the Internet and have opkg find the packages for you.

With a single Ethernet port it is a little more difficult but still there are ways:

  • Set up a wifi AP on LAN, log into the router by wifi, reconfigure the Ethernet port as WAN
  • Set up a wifi STA as WAN (requires existing wifi network linked to Internet, or smartphone in hotspot mode). This configuration is also known as a routed client.
  • Reconfigure LAN network so OpenWrt box is an endpoint on the LAN and not the master of it. Then connect Ethernet to existing LAN. This is more difficult to undo than the options above, so should be considered mostly if you're going to permanently operate as a LAN device.
1 Like

Don't you think this is quite confusing...when the OP already has a misconception that they can make a firewall rule in LAN to redirect to a LAN web server?

I just wanted to clarify this before we added to the confusion by assisting to get packages installed they likely don't need.'ve only described a LAN, this makes sense.

  • Where'd you plug it in?
  • Does that network also happen to be (BTW /24 ==
  • Do you try from the same location?
    • You should never loose connection

You have a responsibility to be clear as well to get the best responses. Listing you want to install IPset and you gleaned a firewall rule, but don't know why - doesn't help with that. It's just gonna be ignored - as it seems to frustrate you; as if we know why you mentioned them.

  • I only realized you must have a web server on LAN and improperly making a port forward
  • @mk24 made it clear that you had no intentions to use the Internet
  • Since you control this closed network (and they have no other DNS server to access), he (and I) assume you can make a DNS entry for this server
    • every number you mentioned thus far is in the range - so again, I assume the same LAN
  • Hence they would be directed to it

If that won't work, let us know why. No packages or firewall configs are needed to implement this solution.

That's the third option, I should note it's the most complex and requires more to undo.

1 Like

I really want to mention that I felt uncomfortable with eth0 and wlan0 in the same net and I wondered what a Firewall can do right in the beginning - read first and then complain.

However, I did the suggested changes in /etc/config/dhcp with 'example' replaced by 'umfrage'. I can now access my local server with ''. That's a step in the right direction but no capturing yet. I guess I should try one of those capture portals. I can't download the package today since this reconfigure of the router seems to be to complicated for me. Tomorrow I can get the credentials of the wlan at the place I'm currently working.

Thanks so far for your input