An external network scanner appeared as a client on the internal network

Hi~ I'm just a beginner with openwrt.
My network structure is Internet Service Provider Router - My Router - openwrt(ADguardHome) on RP3.
I was surprised to open the AD Guard Home dashboard today.
A strange IP address is appearing in the internal client list.
Like the picture below.

The list of IPs displayed as clients is as follows.

After looking at a few, I can see that they are network scanning companies. But I don't understand how they can be my internal clients.
Can someone explain this case?
I am very perplexed.


Taking in consideration that RPi3 has one LAN port only, are you using that to connect to the lan network of your router?
Are you allowing any traffic from the ISP router/ your router inbound?

RP3 is OpenWrt connected to my main router ( by wire and is used only as ADGUARDHOME.

The ISP router provided by the Internet company is a device I cannot access.
My main router ( is in the default state without any inbound settings.

A quick way to verify is to connect from the internet on your public IP and try to query something. At the same time monitor on RPi what you can see coming.
opkg update; opkg install tcpdump; tcpdump -i eth0 -n port 53

I have port forwarded port 53 on the main router ( to port 5353 on OpenWrt (

The port forward of port 53 means that you are allowing hosts on the internet to use dns on your network. Seems logical that you would see external hosts show up in your client list.

Is there a reason you have opened this port? Normally you do not want to run any port forwards for services that don’t need inbound connectivity from the internet.

1 Like

When internal clients connect to the main router ( and request DNS, port forwarding is done so that the main router leads to OpenWrt ( Is this a risk factor?

Port forwarding works from the wan, not the lan.

Can you show us a screenshot of the port forwarding rule you setup?

1 Like


If port forwarding is to forward ports only for external access, I guess I was wrong.
I found that forwarding was also needed for access from internal clients.
If so, can I just delete the forwarding and set the DNS server setting to ""?

Since the port forwarding screenshot is not in English, I can't read the headings (I wish I could... language was never my strength)... but it does look like that is a standard port forwarding screen for many routers.

What that is doing is explicitly allowing inbound access on port 53 (i.e. from the internet) to This does not affect the way that LAN clients get their DNS. I would recommend disabling these rules.

You probably want to set the DNS on your router's DHCP server to point to, but if it is running over port 5353 (and not port 53), it might not work as expected.

1 Like

Port forwarding forwards a port from an outside interface to an inside.

Normally not the case.

You can and you should.


The only thing connected to the ISP router must be the WAN port of your main router. If the ISP router has WiFi access points, turn them off or if they can't be turned off, don't connect anything to them. Treat the ISP router as an untrusted part of the Internet and keep it entirely on the WAN side of your OpenWrt firewall.

This necessarily means the IP range use by the ISP router (often must not overlap the LAN range used by your main router. If the ISP router is (using IPs in the range 192.168.1.X) and you cannot change it, you need to set the OpenWrt LAN to something different, such as


One memory came to mind because of your kind explanation.
I have operated a real DNS server inside in the past.
At this time, the exposed IP is the public IP of the current main router.
So, a large network scan company tried to scan with the cached IP, and it is guessed that it was redirected to 5353 of by the port forwarding of my main router.
I will delete port forwarding according to your kind guide.
And to use ADGUARDHOME service, I need to set the DNS server of the main router to

Then, even if an external network scan comes in, it doesn't seem to be redirected to

thank you.

Thanks YOU~

Thanks for the friendly guide.
Your advice makes sense to protect the firewall settings (here by changing the IP band.
Let's try that too.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.