Block LAN users from accessing WAN subnet

I have an old totolink router that should act as a second router for an apartment.
It's running openwrt 14.07 with no recent update.

My main subnet is, while the subnet of the router (totolink) is
How can I block access to subnet from the lan side of the totolink router?

On tp-link default firmware, there's an internet access policy feature where I can specify an ip range, and then block access on lan. That works perfectly, but I don't want to use a tplink (more expensive) router for this specific purpose.


The totolink has a FW in place, one can hope?
Access from the 5 subnet should be blocked by it.

But how? What rules, and where do I put them?


Wrong direction 🙂

In the toto FW, block all tp-link LAN subnet traffic, but to the default gateway (of the tp-link).

tp-link was just an example.

My main router is openwrt.
totolink is, openwrt 14.07

I must block access from to and to do that I need firewall rules.
So I don't know which rules. How do I do it?

Don't know what 14.07 is capable of, perhaps someone else remembers, 14.07 was a long time ago.

Trial and error.

FW should be mostly the same. Rules for 21 should work on 14 too; the general logic of a firewall should always be the same.


Another option could be to define the IP of the toto's WAN as a guest LAN, that usually disallows the traffic from accessing the LAN subnet.

Maybe… maybe not. Now we are at fw3 and the next major release will probably have an upgraded fw4 with new functions to solve some modern problems.

What “firewall” version do you have on 14 and what capabilities does that have?
Do you have uci on 14 or how do you write the configs?
But if your stated hypothesis is true you should be able to use the current fw manual in the user guide.
Have you tried that?

The thing is that you will not find support that easily because OpenWRT 14 is way beyond obsolete. Obsolete is more like OpenWRT 17.

Can’t you just place them in the same interface with the same gateway?
If you run OpenWRT 14 you are not concerned for security anyway, and not performance either?

Or upgrade to something much less obsolete like 18.06 or 19.07 so someone here actually knows/remembers what you are dealing with.

Not really sure why such a trivial thing would need a change. It's not a complicated syntax, it's 1 rule in a very basic form.
How would it look for openwrt 21? What should I do if I had v21 installed?

On mikrotik (rb931, so it's a 15 eur router) I got it running in 3 minutes - define gateway, define dhcp, and in firewall put a single line: drop forward connection from going to

On tp-link default firmware it's different but it's still doable by defining an ip range and then forbidding it in the access rule (like blacklisting a webpage but instead blacklisting an ip range).

This old totolink doesn't have any support for more modern openwrt except 14. It's a realtek chip and I can't find any newer version for it.

uci add firewall rule                        # create a new traffic rule section
uci set firewall.@rule[-1].src='lan'         # match traffic entering from the lan zone
uci set firewall.@rule[-1].name='forwarding'
uci set firewall.@rule[-1].target='REJECT'   # reject (not drop) so clients get an error quickly
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].dest_ip=''   # destination subnet to block (fill in the upstream LAN)
uci set firewall.@rule[-1].dest='wan'        # forwarded traffic towards the wan zone
uci add_list firewall.@rule[-1].proto='all'
uci commit firewall
/etc/init.d/firewall restart

Something might not work in that old version, but you get the point and you can do it from LuCI.
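As an added example (not code from the thread or from OpenWrt itself), the same forward rule written out as fw3 `config rule` stanzas for /etc/config/firewall, with the narrow ACCEPT for the upstream gateway from the earlier reply placed before the broad REJECT, since fw3 evaluates rules in file order. The subnet and gateway values are constructed placeholders; the file path and function names are my own.

```shell
#!/bin/sh
# Added example: writes fw3-style "config rule" stanzas into a firewall config
# file. 192.0.2.0/24 and 192.0.2.1 are constructed placeholders, not the
# poster's real addressing.

# add_forward_rule FILE NAME SRC_ZONE DEST_ZONE DEST_IP TARGET
# Appends one rule unless a rule with that name is already present (idempotent).
add_forward_rule() {
    file=$1 name=$2 src=$3 dest=$4 dest_ip=$5 target=$6
    if grep -q "option name '$name'" "$file" 2>/dev/null; then
        return 1
    fi
    printf "\nconfig rule\n" >> "$file"
    printf "\toption name '%s'\n" "$name" >> "$file"
    printf "\toption src '%s'\n" "$src" >> "$file"
    printf "\toption dest '%s'\n" "$dest" >> "$file"
    printf "\toption dest_ip '%s'\n" "$dest_ip" >> "$file"
    printf "\toption proto 'all'\n" >> "$file"
    printf "\toption family 'ipv4'\n" >> "$file"
    printf "\toption target '%s'\n" "$target" >> "$file"
}

# Rule order matters: the ACCEPT for the upstream gateway must precede the
# REJECT for the whole upstream subnet, otherwise the gateway is blocked too.
write_lan_to_upstream_block() {
    file=$1 upstream_subnet=$2 upstream_gw=$3
    add_forward_rule "$file" "Allow-Upstream-GW" lan wan "$upstream_gw" ACCEPT
    add_forward_rule "$file" "Block-Upstream-LAN" lan wan "$upstream_subnet" REJECT
}

# Number of rule stanzas currently in FILE
count_rules() { grep -c '^config rule' "$1"; }

# Demo: generate the two rules once; the repeated call adds nothing.
CFG=${CFG:-./firewall.demo}
: > "$CFG"
write_lan_to_upstream_block "$CFG" 192.0.2.0/24 192.0.2.1
write_lan_to_upstream_block "$CFG" 192.0.2.0/24 192.0.2.1 || true
cat "$CFG"
```

Only traffic to hosts inside the upstream subnet matches `dest_ip`; internet traffic that merely passes through the gateway is unaffected.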


Beyond all of the comments about this version being truly ancient and unsupported, have you checked that this is an official openwrt version, as compared to a vendor specific variant? That could drastically affect what features are available and the syntax they require.

Everything is subject to change in technology. Sometimes there are specific underlying reasons a change must happen (for example, VLAN configuration from swconfig to dsa), and other times it is related to having a common and consistent syntax with respect to other things throughout the uci / openwrt environment.


fw3 is a zone based firewall.

While not reading the forum I found this out, but I did what I wanted in a completely different way: I have set up an interface alias on my main router that has a different subnet, and then on the totolink router I changed the wan ip subnet to reflect the alias subnet on the main router.
I think I can now (if needed) block inter-subnet communication all on the same router.
But I also think I could set up the traffic rules in Barrier Breaker; I was looking in firewall zone settings all the time instead of creating a custom traffic rule.

So overall, from 0 options I ended with 2 options that both can work 🙂

PS: the totolink router is an n300rt, which has only some weird support for openwrt 14. The original firmware is a disaster so even openwrt BB is a lot better.
Would be nice to run at least openwrt 18 on it, but it's probably impossible.
