Change LuCI and SSH servers interface

In a Hyper-V VM I have 3 interfaces:

  • eth0: wan0
  • eth1: mng
  • br_lan: lan
    • eth2

How do I change the LuCI and SSH servers from the lan interface to the mng interface?

The idea is to have a network with static IPs dedicated to management
(I expected it to be easier).

thanks...

You can bind uhttpd (i.e. luci) to a specific IP address by going to Services > uhttpd in LuCI. You can bind the default SSH to a specific interface by going to System > Administration > SSH Access.

2 Likes

Thank you, I managed to change the SSH server, but I can't find the Services section.

syntax, suggested config got wrong values.

While you can bind the services to a specific address, the preferred method is to use the firewall to block all unauthorized networks (or allow specific ones). You can do both binding and firewalling, if you want, but the firewall is the one that really matters.

This is because the binding only affects the address on which the router listens/responds, it doesn't control who can access it.

For example, let's say you have two networks

trusted lan: 192.168.1.0/24, router 192.168.1.1
guest: 10.2.3.0/24, router 10.2.3.1

If you bind to the lan's address but you don't set the firewall rule, the router would not respond to requests on 10.2.3.1. But... a host on the guest network (say 10.2.3.142) will actually be able to reach the router at 192.168.1.1. So the router hasn't been protected.

On the other hand, if you don't use the binding, but instead restrict the 10.2.3.0/24 network from accessing the router at all, you'd find that both 192.168.1.1 and 10.2.3.1 would be accessible from the 192.168.1.0/24 network, but neither address would work from the guest network.

The second scenario is usually fine as the goal is to prevent guest access to the router's admin features and other services. While using both methods isn't necessary, it would mean the router would only listen/respond on 192.168.1.1 AND only the trusted lan would have access.

2 Likes

Thank you for everything now everything is working

For future reference, the steps were:

  • in "System>Administration>SSH Access" set the interface to mng
  • in "Network>Firewall" create a new zone called mng and attribute it to the interface mng
  • in "Network>Firewall>Traffic Rules" create 2 Rules
    • an accept type from mng to (this device) from every port to any port
    • a block type from lan to (this device) from any port to ports: 22 80 443

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

The preferred method for this is usually to set the accept zone rule to drop or reject. Then add rules to allow DHCP and DNS (in most typical cases). This way, all services are blocked except those that are explicitly allowed. In your situation, you have blocked the current admin ports (ssh, http, https), but any non-default services that have been installed/enabled could still be accessible to the network.

1 Like

Following @psherman's advice, some changes were made.

Thank you for everything now everything is working

For future reference, the steps were:

  • in "System>Administration>SSH Access" set the interface to mng
  • in "Network>Firewall" create a new zone called mng and attribute it to the interface mng
  • in "Network>Firewall>Traffic Rules" create 2 Rules
    • an accept type from mng to (this device) from every port to any port
    • a block type from lan to (this device) from any port to any ports
    • an allow type from lan to (this device) from any port to ports: 53(DNS), 67(DHCP)
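The same end state as the steps above, written as UCI commands for the router's shell. This is an added example, not code from the thread; it follows psherman's suggestion of setting the lan zone's input policy to REJECT rather than adding a port-specific block rule, and it assumes a static management address of 192.168.100.1 on the mng interface.

```shell
# Added example, not from the thread: the UCI (CLI) equivalent of the LuCI steps,
# run on the OpenWrt router as "sh mgmt-fw.sh apply". Zone/interface names 'mng'
# and 'lan' come from the thread; the static management address is an assumption.
MNG_ADDR="${MNG_ADDR:-192.168.100.1}"
# Print the UCI section id (e.g. @zone[0]) of the firewall zone named $1, rather
# than assuming the lan zone is the first one in /etc/config/firewall.
zone_section() {
    uci show firewall | sed -n "s/^firewall\.\([^.]*\)\.name='$1'$/\1/p"
}
apply_mgmt_firewall() {
    lan_zone=$(zone_section lan)
    [ -n "$lan_zone" ] || { echo "no firewall zone named lan" >&2; return 1; }
    # 1. Bind dropbear (SSH) to the management interface only.
    uci set 'dropbear.@dropbear[0].Interface=mng'
    # 2. Bind uhttpd (LuCI) to the management address (the CLI route when the
    #    Services > uhttpd page, luci-app-uhttpd, is not installed).
    uci -q delete uhttpd.main.listen_http
    uci -q delete uhttpd.main.listen_https
    uci add_list "uhttpd.main.listen_http=${MNG_ADDR}:80"
    uci add_list "uhttpd.main.listen_https=${MNG_ADDR}:443"
    # 3. Zone 'mng' on the mng interface; input ACCEPT so the router answers there.
    uci set firewall.mng=zone
    uci set firewall.mng.name='mng'
    uci set firewall.mng.input='ACCEPT'
    uci set firewall.mng.output='ACCEPT'
    uci set firewall.mng.forward='REJECT'
    uci add_list firewall.mng.network='mng'
    # 4. Default-deny lan -> router (psherman's suggestion) instead of blocking
    #    only 22/80/443, so any extra service stays closed unless listed below.
    uci set "firewall.${lan_zone}.input=REJECT"
    # 5. Re-allow only what lan clients need from the router: DNS and DHCP.
    uci set firewall.lan_dns=rule
    uci set firewall.lan_dns.name='Allow-DNS-lan'
    uci set firewall.lan_dns.src='lan'
    uci set firewall.lan_dns.proto='tcp udp'
    uci set firewall.lan_dns.dest_port='53'
    uci set firewall.lan_dns.target='ACCEPT'
    uci set firewall.lan_dhcp=rule
    uci set firewall.lan_dhcp.name='Allow-DHCP-lan'
    uci set firewall.lan_dhcp.src='lan'
    uci set firewall.lan_dhcp.proto='udp'
    uci set firewall.lan_dhcp.dest_port='67'
    uci set firewall.lan_dhcp.target='ACCEPT'
    uci commit
}
# Only touch the live configuration when asked explicitly, then reload services.
if [ "${1:-}" = "apply" ]; then
    apply_mgmt_firewall && /etc/init.d/firewall reload \
        && /etc/init.d/dropbear restart && /etc/init.d/uhttpd restart
fi
```

Check the result with `uci show firewall` before reloading; the management interface must already have its static address, or the uhttpd bind will fail.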

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.