Can't find guide for configuring NAT from wlan0 to eth0


Does anyone know of the method for configuring NAT from wlan0 to eth0?

The firewall configuration interface has got me scratching my head.

I couldn't find anything specific in the documentation.

Many thanks.

1 Like


What exactly are you trying to achieve? What is your setup?



Many thanks.

(My browser forgot my login name and passwd so I had to make another one.)

I want to NAT the connections from the WLAN AP on wlan0 out to the default router on the WAN-side on eth0.

eth0 DHCP; wlan0 static IP.

wlan0 net and eth0 net must be separate subnets, so the default bridged mode operation is not an option.

Setup is:

[INTERNET] <> [ROUTER] ( <> (eth0) [OPENWRT] (wlan0) <> [WIRELESS] ( ((o [WIRELESS CLIENT]

Do you need to know anything else?

I presume guest wifi is what you are looking for? There are lots of posts about that, and is converted in the documentation too.


This is the standard LAN to WAN configuration. The default firewall will do exactly what you want. It has two zones set up named "lan" and "wan", with NAT enabled on wan. So place the network with wifi in the lan firewall zone and the one with ethernet in the wan. A router with more than one Ethernet port should start configured like that anyway. If you only have one Ethernet port you should create a new network named exactly "wan" (lower case) with proto dhcp and ifname eth0. Remove eth0 from the "lan" network.

Of course since "wan" is intended to be an untrusted network such as the Internet, when you set the Ethernet port as wan the only way to log in to the router will be by wifi unless you also open port 22 and/or 80 on the wan side.


Magnificent. Would you be so kind as to share these URLs and also, out of curiosity, which terms did you use to locate them?

Many thanks.

Searching the forums for NAT with some additional terms turns up PPPoE issues.

Searching the documentation returns a summary of 'what' to do, but not how.

Searching Google returns a lot of foreign (French, Italian) pages, but nothing I would call 'instructive'.

Perfect! Thank you so much for the assistance. It is very much appreciated.

Here's a screengrab of the interface status:

Edit: XX eth0 (HOSTLAN) is in the 'lan' zone and wlan0 (WLAN) is in the 'wan' zone. XX

wlan0 (WLAN) is in the 'lan' zone and eth0 (HOSTLAN) is in the 'wan' zone. Does it matter about the interface names? (I've found that OWRT doesn't handle punctuation in the SSIDs, so I've tried to only use alphanumeric characters throughout to minimise potential issues.)

The firewall is configured thus:

When I connect an iPad, I don't get an IP address. Haven't tested if forwarding works yet.


(One picture per post, sorry)

This is the DHCP config:


Also, I have added the following rules to allow remote admin (SSH & HTTP):

From what you can see, have I done anything wrong?

Many thanks again. :slight_smile:

1 Like

I presume you mean the opposite.

Could you confirm that your device has only 1 Ethernet port and that you are trying to configure it as WAN to act as a router serving wireless clients only? Or what are you trying to do?


And in addition to that @Hegabo asked:

  • you need to show the interface's DHCP config (not the DNS/DHCP general page) :wink: ...we assume you want to set this up on LAN (if like default OpenWrt), if that's the case, LAN DHCP config is what you'd need to show us
  • Your firewall rules...I assume are to REDIRECT the traffic to a device somewhere on LAN; but you don't have a destination LAN IP/port specified
1 Like


I have been unable to reply as there appears to be an unreasonable limit on my posts and images - Quite counter-productive.

I should probably start by mentioning that I am "on the spectrum" and I find it anxiety-inducing trying to get the information I need from people.

CLI output or a WebUI page?

Depends what you are defining as 'LAN' - The firewall 'zone' or the eth0 interface?

People keep asking me what I am trying to accomplish but I can't say it any more simply:

I want DHCP to be listening on wlan0;
eth0 with DHCP client to be assigned an IP, gateway, etc;
DNS to listen on wlan0 and forward to;
Outbound connections from wlan0 to NAT through eth0 to the default router on eth0;
The NDS CP to operate on clients on wlan0;
A user accounts on the CP;

You have just confused me lol. What did I write that means I want to redirect to a device somewhere on LAN? I want it to forward outbound traffic to it's default gateway. Is that what you mean?

I am really not sure I understand what the author of the firewall UI envisaged when they wrote it. The interface does not lend itself to immediate comprehension like most others I have used.

Every install of OpenWrt starts out with:

  • a network named 'lan'
    ** with a static IP
    ** a DHCP server
    ** a local DNS server
    ** attached to at least one Ethernet port
    ** included in the 'lan' firewall zone
  • a firewall with two zones 'lan' and 'wan'
    ** lan is trusted -- full incoming or outgoing connections
    ** wan is untrusted -- outgoing connections only
    ** forward and NAT from lan to wan
  • a basic WiFi configuration
    ** AP 'OpenWrt'
    ** attached to the lan network
    ** no encryption
    ** disabled
    The wifi can be simply set to enabled and it will start working, though it is highly recommended to also set up encryption so that your neighbors can't connect to it.

Now if the hardware has more than one Ethernet port (you never said if yours does), you also get a 'wan' network:
** DHCP client
** in the wan firewall zone
** DNS configured by DHCP. The local DNS server on lan will forward to this server. A common rookie mistake is configuring a third party DNS server under the lan section. It should be set in wan.

Your setup is a lan to wan. The "local area" are your connected wifi users. The "wide area" here is the rest of the house, and ultimately the Internet.

So if you have only one Ethernet port and didn't get a wan network by default, create one. If you use the default names 'lan' and 'wan' rather than making up new names, everything is already in place.


Thank you for the information. Sorry I couldn't reply sooner - I have a limit on the number of replies I can give per day.

It's installed on a Raspberry Pi 2B v1.1.

I am 100% sure that, straight after installation, mine has a bridge (br-lan) configured in the firewall 'LAN zone' when I first booted. Do I remove that bridge?

I presume that the firewall rules won't need modifying to allow incoming DHCP requests from the firewall's 'LAN' zone?

I find that I get confused when identifying distinctly different things with the same name - There's a 'network' called a LAN, an 'interface' named 'lan' and a firewall 'zone' called 'lan'?

I will reinstall and start from the default config again. I must have misunderstood what the documentation/interface was trying to convey.

Thanks again for the clarification. You should write the documentation.

So, all I should have to do is put the LAN-side (wlan0) into the 'LAN' firewall zone (green), the WAN-side (eth0) into the 'WAN' firewall zone (red) then, secure and enable wireless?

And I don't have to mess with the firewall/NAT rules as it should already be set up to NAT the LAN zone (wlan0) to WAN zone (eth0) by default? :confused:

The LAN network is a bridge so there can be more than one interface. In a regular router that would be Ethernet and wifi and perhaps a second wifi band-- all bridged together for fast and simple operation for example you don't want to firewall a wired printer from a wireless laptop. Leave it that way even though you're going to end up with only one physical outlet from LAN, the wifi.

Do this setup in stages. First activate wifi then disconnect the Ethernet cable and connect and log in by wifi. Then you can move the Ethernet port over to wan and know you're still able to log in.


Thank you, seriously.

I understand: In case there are a number of Ethernet ports, they can act as a switch on the same LAN segment.

Still, I don't want wireless clients on wlan0's 'LAN' network to access eth0's wired 'WAN' network, only forwarding to the upstream g/w for the Internet.

I might give this a go tonight or more likely tomorrow. I will report back my progress and will feedback any issues I encounter.

Of course, unless I was sharing my Internet connection with people I don't personally know :wink: They only need Internet connectivity, not access to the home network.

Ah, then I have been doing it wrong. I'll reboot it between config updates, then lol Maybe that's what overwhelmed it?

So, to clarify, the order of play might be something like:

  1. Write OpenWRT img;
  2. Initial boot & set LAN IP;
  3. Update opkg and install wireless drivers;
  4. Reboot;
  5. Enable existing Wi-Fi AP, SSID 'OpenWRT';
  6. Test Wi-Fi association;
  7. Reboot;
  8. Add/move wlan0 to 'LAN' zone & configure DHCP;
  9. Move br-lan to 'WAN' zone;
  10. Reboot;
  11. Allow SSH & HTTP(S) to OWRT from WAN zone;
  12. Deny SSH & HTTP(S) to OWRT from LAN zone;
  13. Reboot;
  14. Test Wi-Fi association and Internet connectivity (dig, ping, traceroute, etc);
  15. Configure wireless SSID, encryption, channel, etc;
  16. Reboot;
  17. Test Wi-Fi association, Internet connectivity and web UI login;
  18. Install NDS;
  19. Configure NDS & enable BinAuth;
  20. Reboot;
  21. Create auth list;
  22. Write auth bash script;
  23. Test auth script at CLI;
  24. Reboot;
  25. Test Wi-Fi association, user authentication and Internet connectivity;
  26. Backup the SD card;

I can't thank you enough!

Edit: Got to #9 and when connecting to test I failed to get an IP address. I'll leave it for tonight.


Gave it several honest goes but couldn't get DNS working, DHCP worked this time, so I connected a keyboard and rebooted, when this happened:

Did changing the USB port add the same physical controller as a new controller to the OS??? (Edit: Yes. Yes it did. I have to delete the phantom adapter after reconnecting the real controller to it's original USB port and rebooting. Edit 2: I can't delete the phantom controller - No delete button.) It has the same serial number, though and the old one isn't physically there... How do you think it got so mixed-up?

Note to self (and fresh folk): Connect any USB devices to the final ports and DO NOT CHANGE PORTS! However, you can simply move them back and it apparently has no ill effects.

I am at a loss for words. Ah, well... Start again tomorrow.

No offence, but I have heard that many places before. I was following the 'documentation', here:

It needs a bit of updating, IMO.

Edit: Also getting a repeating console error:
br-lan: received packet on eth0 with own address as source address (addr:*MA:CM:AC:MA:CM:AC*, vlan: 0)

The extra radio can be deleted by editing the /etc/config/wireless file with CLI. There's no harm in leaving it there though. As you said, make sure to always plug the dongle into the same port that corresponds with your active config.

You don't need a guest network yet (or at all); get lan and wan working first.

That error means that another device on the network has the same IP address as the interface on the Pi. For example the eth port is still in LAN which runs on and the main router is also

Note that when you do routing the two networks need to be different IP ranges, so if your main router is indeed you need to change either it or your Pi lan to something like


Hi, mk24.

I've been doing it bit by bit like you suggested :+1: . I took images along the way so I could rollback when a change broke something.

I have a LAN (wlan0) and a WAN (eth0) all set up and working correctly. DHCP and DNS are working after a recent rollback when I installed nodogsplash.

I had just tried installing NDS When it errored, expecting the interface br-lan - I had just removed the bridge (oops :sweat_smile:)

I quickly reinstated the br-lan with only wlan0 and reinstalled nodogsplash. After a quick look at the config and splash html file, I did a reboot to get the NDS to kick in and then I failed to get a DHCP address when I associated. It seems to be when I instate that bridge of just wlan0.

Incidentally, I had previously modified the config to allow SSH on an alternative port - removing the old entry from the list. Also, I have installed SQM for bandwidth management.

It's getting there.

NDS doesn't seem to be working. I wonder if NDS must be installed on a bridge?

I think it may be a case of troubleshooting NDS, next.

I have also read that it's caused by a loop, but my LAN is fine. My network is on a non-default 192.168 net and OpenWRT on the Pi has a DHCP address on eth0 and can't ping the IP after powering-off the Pi and removing it from my ARP cache :confused:

I thank you for the advice you have given me :hugs:

Best regards.