Can I disable the LAN interface(s)?

l3u · March 12, 2023, 7:45pm

Hi all,

I have a charging station with only WLAN I want to connect to my network. The WLAN inside my garage is a bit too weak to work reliably, so I configured a GL-inet AR-150 to act as as WLAN repeater. I followed the Wi-Fi extender / repeater / bridge configuration howto, with the only difference that I added a second wireless device to act as WLAN access point.

This works fine, but I have one question:

The current state is that when connecting to the router, it doesn't matter if the LAN port is used or the WLAN, the connecting device gets an IP address from my uplink router, which is of course also the desirable behavior for such a WLAN bridge/repeater setup.

But – theoretically – if I leave my garage open, somebody could simply plug in a LAN cable and get access to my network. The LAN port is never used in my case. So I wonder if it's possible to either disable the LAN port completely, or to only allow access to the (not used) 192.168.1.0 network of the router, but not the 192.168.178.0 network to which it bridges (so that one could reach the router's interface in case the WLAN connection doesn't work).

Is it possible to configure the router this way? Thanks for all help

fakemanhk · March 13, 2023, 1:46am

If your WiFi/physical LAN port are not bridged together, then you should be able to isolate them.

stangri · March 13, 2023, 2:07am

That's your biggest concern with someone trespassing on your property/in your garage? What kind of high-tech criminal area do you live in?

l3u · March 13, 2023, 6:01am

It's more a theoretical thing. If course this is very unlikely to happen. I'm just wondering if it's possible.

l3u · March 13, 2023, 6:07am

I tried to add the access point to the wwan interface of the client connection and to remove the lan bridge from the repeater_bridge interface (names according to the howto), but then, the DHCP assignment wouldn't work anymore.

How exactly would you isolate the LAN? Sorry, I'm not really used to configure OpenWRT in deep yet …

mindwolf · March 13, 2023, 6:15am

You're being too paranoid
Setup ssh keys for root and add a user with limited privledges
It can be done with the correct firewall rules for src and dst networks/interfaces
Don't lock yourself out.

fakemanhk · March 13, 2023, 8:40am

My comment has the answer already, just take away the physical LAN interface from the default LAN bridge.

l3u · March 13, 2023, 8:41am

Okay, I'll try that. Thanks for the hint!