Hi all,
I'm new to OpenWrt and I'm trying to have some services accessible only from my private network (192.168.1.0/24) and other services that can be reached from outside, but I can't find out how.
I only have one zone:
config zone
	option name 'lan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option network 'lan'
Yup, sorry, I have done some, but since I don't know what to do with the zones I don't think it's relevant.
For example, I have this one (which I want to be accessible only from the local network):
config rule
	option name 'Allow-SSH'
	option src 'lan'
	option dest_port '22'
	option proto 'tcp'
	option family 'ipv4'
	option target 'ACCEPT'
If you only want to access things from your local network, then you don't have to do anything at all.
Coming in from the internet requires rules; everything's open/allowed on the LAN side.
My Pi is connected to my ISP's router and then to the internet, so the WAN and the LAN are actually on the same interface (eth0; wireless is disabled).
I think the problem comes from the zones.
In that case I understand what you're trying to do.
WAN and LAN on the same interface doesn't sound very healthy.
You don't have a USB network card you can plug into the Pi?
What you should do is set the ethernet port as WAN (once applied you will not be able to access it anymore), and then use a console to continue with your configuration.
If supported, you could set up its WiFi as an AP for devices to connect to on the LAN side.
To restrict someone on the Internet from reaching a device on your LAN is usually the job of the firewall in the main router. By default, almost every ISP router will block all incoming connections from going to the LAN unless you specifically open ports or set up a DMZ.
Your main router may NAT ports it has open to the Internet to be from its LAN IP (usually x.x.x.1). So when it reaches the Pi it looks like LAN originated connections.
If NAT is not involved you would want a rule on the Pi to allow connections only from source IPs within the LAN, 192.168.1.0/24.
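A source-restricted version of the Allow-SSH rule posted above, as an added example that is not part of the original thread. It assumes the ISP router preserves the original source address of DMZ traffic; the second rule's name and port 443 are assumptions chosen to show a service left reachable from outside.

```uci
# /etc/config/firewall (constructed example, not a poster's config)

# Before: matches every packet arriving in zone 'lan'. With WAN and LAN on
# the same interface, that includes Internet hosts passed through the DMZ.
#config rule
#	option name 'Allow-SSH'
#	option src 'lan'
#	option dest_port '22'
#	option proto 'tcp'
#	option family 'ipv4'
#	option target 'ACCEPT'

# After: same rule, narrowed to sources inside the private network.
# Anything else hitting port 22 falls through to the zone's input 'DROP'.
config rule
	option name 'Allow-SSH'
	option src 'lan'
	option src_ip '192.168.1.0/24'
	option dest_port '22'
	option proto 'tcp'
	option family 'ipv4'
	option target 'ACCEPT'

# A service meant to be reachable from outside carries no src_ip match.
# Rule name and port are assumptions for illustration.
config rule
	option name 'Allow-HTTPS-Any'
	option src 'lan'
	option dest_port '443'
	option proto 'tcp'
	option family 'ipv4'
	option target 'ACCEPT'
```

Reload the firewall (/etc/init.d/firewall reload) after editing, then repeat the two SSH tests described in the thread: one from a host inside 192.168.1.0/24 and one from a device on another network.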
Yep, my Pi is in the DMZ because I can't open some ports (443 is blocked, for example) and it seems that the source IP is not changed for incoming packets.
This is my problem: I don't know how to do this. I added option list subnet '192.168.1.0/24' to the lan zone but it changed nothing.
I have a static IPv4 that I set as shown in the first message.
I add it to the DMZ on my router and I connect through SSH from my phone, which is not connected to the same network. (I do the same test from my computer, which is in the same network as the Pi, to check if it works too.)
Have you forwarded/defined any ports from internet/WAN to your Pi in your router?
If not, you shouldn't be able to connect to it from outside, even if it's in the DMZ.
Unless DMZ means all ports are open, in your router.
If your router is acting as the FW, then you shouldn't have to set your Pi port to WAN, as I stated previously.