Can access OpenWrt ssh/luci UI over WAN in LXC Container on Ubuntu Raspberry Pi

I would like to run openwrt inside a lxc container on ubuntu on a rpi4. Openwrt should assign an ip address to the host rpi and other devices on the lan (switch, AP, etc).

I'm able to run the container and assign IPs to clients on the lan fine. The wan is also assigned an IP address.

The problem is I'm able to access the openwrt container from the wan (luci UI, ssh) without making any changes to the firewall settings. I have not changed or set any additional firewall rules set in openwrt or the host. The only setting I've changed is changing the default static ip for the lan in the openwrt container

Does this setup require some additional settings on the host?


  • USB ethernet adapter on rpi connected to the ONT from my ISP
    • while testing this is connected to old router running openwrt acting as wan (to be replaced with this lxc container setup). old router is connected to ONT and lan port is connected to USB ethernet adapter
  • rpi4 running ubuntu 21.04.
    • lxc container running openwrt router on ubuntu host
  • Ethernet port on rpi is connected to POE switch.
    • Switch is connected to dumb AP running openwrt.

Using openwrt v21.02.0rc3 armvirt

lxd version 4.16

roughly following the steps here

# init container
lxc image import openwrt-meta.tar default-rootfs.tar.gz  --alias openwrt_aarch64
lxc init local:openwrt_aarch64 router

# assign profile with eth0 and eth1 interfaces
lxc profile assign router owrt-router

# adding eth1 to router container instance config
lxc config edit router
  volatile.eth0.hwaddr: xx:xx:xx:xx:xx:xx
  volatile.eth1.hwaddr: xx:xx:xx:xx:xx:xx # added this line

lxc start router


            dhcp4: true
            optional: false
            dhcp4: true
            optional: false
            dhcp4: true
            dhcp6: true
                stp: false
                forward-delay: 0
                - eth0
    version: 2

lxc container owrt-router profile

config: {}
description: openwrt router
    name: eth0
    nictype: bridged
    parent: br0
    type: nic
    name: eth1
    nictype: physical
    parent: enx7cc2c61ee390
    type: nic
    path: /
    pool: default
    type: disk
name: owrt-router

I've also tried a variety of configurations:

  • setting container eth1 nictype as bridged and creating corresponding br1 in netplan
  • setting lxc config set router security.privileged true
  • tried with older versions of ubuntu (18.04, 20.04), openwrt (19.07.7), lxd (3.0.3)

but I'm still able to access the luci UI over the wan. Appreciate any help on this.


armvirt does not appear to contain board.d 02_network... thus no 'uci_def wan'... thus no auto setup of wan firewalling etc. etc.

  • did you need to add the wan interface when you initially set it up in luci?
  • did you create a wan zone and assign the interface to it in luci? etc. etc. etc.
1 Like

Thanks for your reply.

I did not need to add the wan interface, it is set up automatically on container start after adding volatile.eth1.hwaddr in the container config. Without that change the wan interface will not be created.

The wan zone is correctly assigned to the wan and wan6 interfaces and both are assigned IPs from the upstream router. At a quick glance through the luci UI everything appears to be initialized as expected. I have not changed any settings in openwrt other than the static ip address

Fwiw I do see in /etc/board.d/ directory with two files, 00_model and 99-default_network, but as you said 02_network does not exist

1 Like

ok found it now apologies...


iptables -I INPUT -i eth1 -j DROP

block stuff?

ahh yes, can no longer access the luci UI after adding that rule.

another bit if interesting info:

root@router:~# iptables -S
-A INPUT -i eth1 -j DROP

so looks like iptables are not set up

1 Like

right... so it's a lack of (running of) init.d/firewall thing...

1 Like

great thank you! that appears to be it.

I ran /etc/init.d/firewall restart and now iptables are populated and I am no longer able to access the router over the wan. thank you so much for your help and quick replies.

any idea why the firewall was not running or how to debug? how can I find what services should run on boot? now I'm curious if there are other services which should be running but aren't. I want to make sure I don't introduce some security holes by switching to this new setup