Allow service on local network only

Hi all,
I'm new to OpenWrt and I'm trying to have some services accessible only from my private network (and other services that can be reached from outside), but I can't find out how.
I only have one zone:

config zone
        option name 'lan'
        option input 'DROP'       # traffic to the router itself is dropped unless a rule allows it
        option output 'ACCEPT'    # traffic from the router out to the zone is allowed
        option forward 'DROP'     # traffic between networks inside this zone is dropped
        option network 'lan'      # interfaces covered by the zone

and only one interface:

config interface 'lan'
        option type 'bridge'      # bridge with eth0 as its only member
        option ifname 'eth0'
        option proto 'static'     # static addressing; the values were left out of the post
        option ipaddr ''
        option netmask ''
        option ipv6 '0'
        option gateway ''
        option broadcast ''

Where's outside?

Internet? In that case you need to set up firewall rules, no need to touch the LAN.

1 Like

Yup, sorry, I have done some, but since I don't know what to do with the zones I don't think it's relevant.
For example I have this one (that I want to be accessible only from the local network):

config rule
        option name 'Allow-SSH'
        option src 'lan'          # packets arriving from the lan zone
        option dest_port '22'     # to the SSH port
        option proto 'tcp'
        option family 'ipv4'
        option target 'ACCEPT'    # no dest option, so this matches input to the router itself

If you only want to access things from your local network, then you don't have to do anything at all.
Coming in from the internet requires rules; everything's open/allowed on the LAN side.

1 Like

It's not the case for me; I probably fucked up somewhere. I will try with a fresh install, thank you ^^

ssh into the router (if you're still able to) and run the firstboot command, or do a reset through LuCI in System -> Backup / Flash Firmware.

1 Like

Well, after resetting I am able to access my Pi with SSH even from the internet.
I only set my gateway and the IP of the interface.

How is the Pi connected to the internet?

My Pi is connected to my ISP's router and then to the internet, so the WAN and the LAN are actually on the same interface (eth0; wireless is disabled).
I think the problem comes from the zones.

In that case I understand what you're trying to do.

WAN and LAN on the same interface doesn't sound very healthy.
Don't you have a USB network card you can plug into the Pi?

What you should do is set the ethernet port as WAN (once applied you will not be able to access it anymore), and then use a console to continue with your configuration.

If supported, you could set up its WiFi as an AP for devices to connect to on the LAN side.

1 Like

To restrict someone on the Internet from reaching a device on your LAN is usually the job of the firewall in the main router. By default, almost every ISP router will block all incoming connections from going to the LAN unless you specifically open ports or set up a DMZ.

Your main router may NAT ports it has open to the Internet so that they appear to come from its LAN IP (usually x.x.x.1). So when it reaches the Pi it looks like a LAN-originated connection.

If NAT is not involved, you would want a rule on the Pi to allow connections only from source IPs within the LAN.

1 Like
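A worked version of that source-IP restriction, added here as an example and not taken from any post in the thread. It keeps the zone the poster showed (fw3-era syntax with `option ifname`) and assumes a LAN subnet of 192.168.1.0/24; that address is a constructed placeholder, since the original post left the addresses blank, so substitute your own:

```uci
# Zone as posted earlier: everything addressed to the Pi itself is dropped
# unless a rule explicitly allows it.
config zone
        option name 'lan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option network 'lan'

# SSH: accepted only when the packet's source address is inside the LAN subnet.
# A packet the ISP router hands over through its DMZ without NAT keeps its
# public source address, so it does not match src_ip and falls through to
# the zone's DROP policy.
config rule
        option name 'Allow-SSH-LAN-only'
        option src 'lan'
        option src_ip '192.168.1.0/24'     # assumed LAN subnet (placeholder)
        option dest_port '22'
        option proto 'tcp'
        option family 'ipv4'
        option target 'ACCEPT'

# A service that is meant to be reachable from outside as well has the same
# shape, just without src_ip. Port 8080 is an arbitrary example value.
config rule
        option name 'Allow-Web-Anywhere'
        option src 'lan'
        option dest_port '8080'
        option proto 'tcp'
        option family 'ipv4'
        option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, repeat the poster's own check: SSH from a computer on the LAN should connect, and SSH from a phone on mobile data should time out, while port 8080 answers from both. The rule only works if the ISP router really leaves the source address alone; if it NATs DMZ traffic to its own LAN address, outside connections become indistinguishable from LAN ones by address, and separating WAN and LAN onto different interfaces or VLANs is the only clean fix.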

Okay I will try that ^^

Yep, my Pi is in the DMZ because I can't open some ports (443 is blocked, for example), and it seems that the source IP is not changed for incoming packets.

This is my problem, I don't know how to do this. I added

        option list subnet ''

to the lan zone, but it changed nothing.

We need to back up a little bit.

Your Pi, when/if you connect it to the ISP's router, what kind of IP does it get?

When you wrote you could connect to it "from internet", how exactly did you verify that?

I have a static IPv4 that I set like shown in the first message.

I add it to the DMZ on my router and I connect through SSH from my phone, which is not connected to the same network. (I do the same test from my computer, which is in the same network as the Pi, to check if it works too.)

Have you forwarded/defined any ports from internet/WAN to your Pi in your router?
If not, you shouldn't be able to connect to it from outside, even if it's in the DMZ.
Unless DMZ means all ports are open in your router :wink:

If your router is acting as FW, then you shouldn't have to set your Pi port to WAN, as I stated previously.

1 Like

Yes here by DMZ they mean that a packet is sent to it if it does not match a rule in port forwarding.

Can you open ports and do port forwarding in the router?
So skipping DMZ altogether?

Or create a rule matching all ports and protocols ....

1 Like

If your LAN and WAN are on the same physical interface, you need a VLAN-aware (managed) switch to ‘break out’ the networks properly.

Can you draw a diagram of your physical network?

1 Like
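For completeness, here is what that break-out looks like once a VLAN-aware switch is in place, as an added example that does not come from the thread. It gives the Pi a separate `wan` interface and zone on a tagged sub-interface, using the same `ifname`-style syntax as the poster's config. VLAN IDs 1 (LAN) and 2 (WAN), the sub-interface names `eth0.1`/`eth0.2`, and the addresses are all assumptions:

```uci
# /etc/config/network: two VLAN sub-interfaces on the single physical port.
# The switch must deliver VLAN 2 tagged on the Pi's port and untagged on the
# port facing the ISP router, and VLAN 1 on the ports for the LAN devices
# (or the Pi's WiFi AP carries the LAN instead, as suggested above).
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'             # assumed LAN VLAN
        option proto 'static'
        option ipaddr '192.168.1.1'        # placeholder LAN address
        option netmask '255.255.255.0'

config interface 'wan'
        option ifname 'eth0.2'             # assumed WAN VLAN, towards the ISP router
        option proto 'dhcp'

# /etc/config/firewall: the usual two-zone layout.
config zone
        option name 'lan'
        option input 'ACCEPT'              # LAN hosts may reach every service on the Pi
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'              # nothing from the WAN reaches the Pi unless a rule allows it
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

# Only services that should be reachable from outside get a rule with src 'wan';
# SSH gets none, so it is LAN-only by the zone policy alone.
config rule
        option name 'Allow-Web-from-WAN'
        option src 'wan'
        option dest_port '8080'            # arbitrary example port
        option proto 'tcp'
        option target 'ACCEPT'
```

The point of this layout is that the private/public decision is made by which interface a packet arrives on rather than by its source address, so it keeps working even when the ISP router NATs DMZ traffic. The devices that should reach the private services must sit behind the Pi's LAN side (VLAN 1 or its WiFi), not on the ISP router's LAN, and as noted earlier the ethernet console goes away once the port becomes WAN, so keep a serial console or the WiFi AP available while switching over.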