Allow service on local network only

It's not the case for me, I probably fucked up somewhere, I will try with a fresh install, thank you ^^

ssh into the router (if you're still able to) and run the firstboot command, or do a reset through LuCI in System -> Backup / Flash Firmware.


Well after resetting I am able to access my pi with ssh even from internet.
I only set my gateway and the IP of the interface

How is the PI connected to the internet ?

my pi is connected to my ISP's router and then to the internet so the wan and the lan are actually on the same interface (eth0, wireless is disabled).
I think the problem comes from the zones

Ok,

in that case I understand what you're trying to do.

WAN and LAN on the same interface doesn't sound very healthy.
You don't have a USB network card you can plug into the Pi ?

What you should do is set the ethernet port as WAN (once applied you will not be able
to access it anymore), and then use a console to continue with your configuration.

If supported, you could set up its WiFi as an AP for devices to connect to on the LAN side.


To restrict someone on the Internet from reaching a device on your LAN is usually the job of the firewall in the main router. By default, almost every ISP router will block all incoming connections from going to the LAN unless you specifically open ports or set up a DMZ.

Your main router may NAT ports it has open to the Internet to be from its LAN IP (usually x.x.x.1). So when it reaches the Pi it looks like LAN originated connections.

If NAT is not involved you would want a rule on the Pi to allow connections only from source IPs within the LAN, 192.168.1.0/24.


Okay I will try that ^^

Yep my pi is in the DMZ because I can't open some ports (443 is blocked for example) and it seems that the source IP is not changed for incoming packages.

This is my problem, I don't know how to do this, I added
option list subnet '192.168.1.0/24'
to the lan zone but it changed nothing

OK,

we need to back up a little bit.

Your Pi, when/if you connect it to the ISPs router, what kind of IP does it get ?

When you wrote you could connect to it "from internet", how exactly did
you verify that ?

I have a static IPv4 that I set like shown on the first message.

I add it to the DMZ on my router and I connect through SSH from my phone which is not connected to the same network. (I do the same test from my computer which is in the same network as the pi to check if it works too)

Ok,

Have you forwarded/defined any ports from internet/WAN to your Pi in your router ?
If not, you shouldn't be able to connect to it from outside, even if it's in the DMZ.
Unless DMZ means all ports are open, in your router :wink:

If your router is acting as FW, then you shouldn't have to set your Pi port to WAN, as I
stated previously.


Yes here by DMZ they mean that a packet is sent to it if it does not match a rule in port forwarding.

Can you open ports and do port forward in the router ?
So skipping DMZ all together ?

Or create a rule matching all ports and protocols ....


If your lan and wan are on the same physical interface, you need a vlan aware (managed) switch to ‘break out’ the networks properly.

Can you draw a diagram of your physical network?


So finally I succeeded by removing the bridge interface (which was useless here) and I directly configured my eth0 and then I have configured my zones as follows:

config zone 'vpn'
        option name 'vpn'
        list subnet '10.0.0.0/24'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'lan'
        option name 'lan'
        list subnet '192.168.1.0/24'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list subnet '!192.168.1.0/24'
        list subnet '!10.0.0.0/24'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'

This works as a union of disjoint complements, that is, a universal set.
I.e. the result is the same as using 0.0.0.0/0 and that looks wrong.

And is there a way to say "everything but these networks" or should I just put '0.0.0.0/0' and the traffic concerning the two other zones will be caught before this one?
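The point made about the `wan` zone (two negated `list subnet` entries, each matching everything outside one prefix, OR'd together, so the zone covers every address) is easy to verify by hand. The following script is an added example, not code from the thread or from OpenWrt: it parses the zone stanzas posted above, applies OR semantics across a zone's `subnet` entries (each entry is an independent match, which is the assumption behind the "union of complements" remark), reports which zones a sample source address falls into, and shows one way to express "everything but these networks" as a plain list of positive prefixes, which avoids relying on how negated entries combine. The source addresses used are constructed (203.0.113.5 is a documentation address), and the `complement_of` helper is my own, not a firewall feature.

```python
"""Model how a zone's `list subnet` entries classify a source address.

Each `subnet` entry of a zone is treated as an independent match, so the
entries of one zone are OR'd together.  A negated entry ('!prefix') matches
every address outside that prefix.  Two negated, disjoint prefixes therefore
cover the whole address space, which is the problem with the posted `wan` zone.
"""
import ipaddress
import re

UNIVERSE = ipaddress.ip_network("0.0.0.0/0")

# Constructed copy of the three zone stanzas posted in the thread (UCI syntax).
POSTED_CONFIG = """
config zone 'vpn'
        option name 'vpn'
        list subnet '10.0.0.0/24'
        option input 'ACCEPT'

config zone 'lan'
        option name 'lan'
        list subnet '192.168.1.0/24'
        option input 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list subnet '!192.168.1.0/24'
        list subnet '!10.0.0.0/24'
        option input 'DROP'
"""


def parse_zones(text):
    """Parse `config zone` stanzas into {name: {"subnets": [...], "input": ...}}."""
    zones = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"config\s+zone\s+'([^']+)'", line):
            current = {"subnets": [], "input": None}
            zones[m.group(1)] = current
        elif current is not None and (m := re.match(r"list\s+subnet\s+'([^']+)'", line)):
            current["subnets"].append(m.group(1))
        elif current is not None and (m := re.match(r"option\s+input\s+'([^']+)'", line)):
            current["input"] = m.group(1)
    return zones


def entry_to_networks(entry):
    """Expand one subnet entry into the positive prefixes it matches."""
    net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
    if entry.startswith("!"):
        # '!prefix' matches everything outside the prefix.
        return list(UNIVERSE.address_exclude(net))
    return [net]


def zone_coverage(zone):
    """All addresses matched by the zone, as a collapsed prefix list (OR of entries)."""
    nets = [n for e in zone["subnets"] for n in entry_to_networks(e)]
    return sorted(ipaddress.collapse_addresses(nets))


def zone_is_universal(zone):
    """True when the zone's subnet list matches every IPv4 address."""
    return zone_coverage(zone) == [UNIVERSE]


def covered(nets, src):
    """True when the source address lies inside any of the given prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def classify(zones, src):
    """Names of every zone whose subnet list matches src, in config order."""
    return [name for name, z in zones.items() if covered(zone_coverage(z), src)]


def complement_of(prefixes):
    """Positive prefixes covering 'everything but these networks' (assumed helper)."""
    result = [UNIVERSE]
    for p in prefixes:
        excluded = ipaddress.ip_network(p, strict=False)
        nxt = []
        for net in result:
            if excluded.subnet_of(net):
                nxt.extend(net.address_exclude(excluded))  # carve the hole out
            elif not net.subnet_of(excluded):
                nxt.append(net)                            # untouched by this exclusion
        result = nxt
    return sorted(ipaddress.collapse_addresses(result))


if __name__ == "__main__":
    zones = parse_zones(POSTED_CONFIG)
    for src in ("192.168.1.10", "10.0.0.5", "203.0.113.5"):
        print(src, "->", classify(zones, src))
    print("wan matches everything:", zone_is_universal(zones["wan"]))
    print("explicit complement has", len(complement_of(["192.168.1.0/24", "10.0.0.0/24"])), "prefixes")
```

Running it shows a LAN address such as 192.168.1.10 matched by both `lan` and `wan`, because `!10.0.0.0/24` alone already matches it; whether the packet is then treated as LAN or WAN depends on which zone's rule the firewall evaluates first, which is exactly the ambiguity the question above is about. The `complement_of` output (46 prefixes for these two /24s) is long, so in practice a single catch-all `wan` zone ordered after the specific zones is the simpler configuration to reason about; the list is there to show that "everything but X and Y" can be written without negation at all.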
