Configuration issue raspberry Pi 3B

Hello everybody,
I had set up my Raspberry Pi 3B with OpenWRT; I can access it through SSH and the LuCI interface. I connect it to the Internet through an Ethernet cable using the Ethernet port. I connect a device using one USB port through a USB-Ethernet adapter.
I want to test the case where my device is not working. To do this I tried to block access to the port using iptables. Even if I block every port and the MAC and the IP, it's still working.

This is the point where I need some help to understand.

  1. I removed all the firewall on OpenWRT to restart from scratch and I can't create a new one; when I create one and apply the change, it doesn't add it.

  2. I have 2 interfaces: br-WAN and LAN, but I don't get any IP attributed to the LAN one. The device is still working. I set up WAN at eth0 and LAN at eth1. From the UI it says "Connected: No" for the LAN interface. But the device is connected and I know its IP: 192.168.178.182.

  1. Could you explain to me why the firewall can't be created anymore?
  2. Could you explain to me why I don't have an IP attributed to the LAN interface on the UI?
  3. Could you explain to me why the firewall could not have been applied to my network?

Thank you !

Alexis

LAN and WAN interfaces are not assigned to any firewall zone, so they will use the default values. I think they are ACCEPT for INPUT and OUTPUT.

How did you remove the firewall exactly?

I don't see the point of bridging eth0 and eth1 under WAN, then having another interface (LAN) using eth1, and both interfaces running the DHCP protocol.

My suggestion is to restore factory defaults as soon as possible before you lose access to the device.
Then explain what you would like to achieve and we'll help you with the configuration.

1 Like

I factory reset and now I got this :

My device communicates with my Amazon server using the 443 TCP, 123 UDP and 53 UDP ports. I would like to test the effects of blocking them to see the behavior. From this, when the device is not working I want to make a diagnostic tool running on the device which could say "443 TCP" is not enabled.
This is why I need to set up a firewall to block the data coming from and going to the device :slight_smile:

Is it working with the current config that's shown in your last screenshot?

Typically, with the default config, the LAN zone should have green colour, and the WAN should have red.

Click Edit on each interface, then go to Firewall Settings and assign the proper zone to each.

2 Likes

Something is wrong here. The factory reset didn't work. You should have 192.168.1.1/24 in LAN and DHCP in WAN. LAN should be assigned to LAN firewall zone so it should be green color and WAN should be red.
Which image did you flash?

3 Likes

Also how can you have both WAN and LAN on the same subnet? That's essentially wrong!

2 Likes

I (re)-flashed :

openwrt-18.06.2-brcm2708-bcm2710-rpi-3-ext4-sysupgrade.img

Now I attributed the firewall and I got it :

Yes it's working, I have internet.

The next step is to make the iptables firewall work by blocking the ports. I'll post the commands later when you don't have more interrogations :slight_smile:

Good.

FYI, it's good practice to mask out your MAC address (and global IP if it's static).

Also, out of curiosity, where is your LAN interface getting IP from? What is its IP now? Ideally you would want a static IP for the LAN interface (not in the same subnet as the WAN interface).

1 Like

It still doesn't look right.
WAN is bridging the eth0 and eth1, while LAN is also using DHCP on the eth0. I hope you didn't keep the settings after reflashing.

2 Likes

I edited, just in case.

The LAN is interfacing to the WAN I guess? This is where I have some trouble understanding. It's connected to the Internet via the WAN to another switch, then to another box.

The IP is 192.168.178.29 using the following command :

nmap -sn 192.168.178.1/24 |grep OpenWrt

I set up the LAN with a STATIC IP then applied; the result is I can't connect to it anymore (trying to connect to the IP). I can have access to the RPI with the monitor and the keyboard.

If I understand well I should have :

  • WAN on ETH1 with DHCP
  • LAN on ETH0 with STATIC IP
  • WAN bridging eth0 to eth1

Why can't I connect to the LuCI interface anymore? How can I reconfigure it using the commands?

This is wrong.

WAN is now part of the WAN firewall zone, which by default doesn't let any inbound connections, unless opened from firewall.
What you can do is remove the cable from WAN port, plug it in LAN, wait till LAN gets IP from router DHCP and connect to that IP.

1 Like

So it must be LAN that bridges eth0 and eth1?

I connected the cable from the WAN interface (Ethernet port) to the LAN interface (USB ports), ran the same commands, got the same IP, tried to connect to it: still not possible.

You need to tell us what your aim is. What your bigger network is like.

Technically, a router is a device that does the routing between the Wide Area Network (WAN) and the Local Area Network (LAN), or the outside and inside in plain English. If you don't want that separation, then you need to set the device up as a switch, not a router, so you have both ports on the LAN side.

If you want to bridge WAN and LAN then why make WAN in the first place?

2 Likes

You still have not explained what you are trying to achieve, so I cannot answer that yet.
If you want to separate the broadcast domains from wan side to lan side you don't need bridge.
If you want to have one broadcast domain between eth0 and eth1 make a bridge on LAN that covers both eth0 and eth1.

Verify that the LAN interface has got the IP address and not WAN, because WAN is blocking everything by default.

My suggestion is to restore factory defaults and start from scratch with a solid plan of what you want to achieve.

2 Likes

I made a drawing of what I want to achieve:
Screenshot_20190411_153652

The RBPi is a router with which I want to control the data going to and from the device. The purpose of it is to understand the behavior when I can't reach the device. From it, I'll make a tool to say "This port is not activated" or "This domain is blacklisted". To do this I want to use the firewall functionality. To me iptables is a good start to DROP the packets going to certain ports or to certain web addresses to see the behavior when something is not working. I tested the commands on another router but couldn't monitor what was going on, so I know it's possible. Now with this setup I have been able to redirect the packets to my computer using:

sudo ssh root@<IP_ADRESS_DEVICE_TO_MONITOR> tcpdump -i eth<X> -U -s0 -w - 'not port 22' | sudo wireshark -k -i -

Where IP_ADRESS_DEVICE_TO_MONITOR is mostly everything that comes to and from the router. But I can't use the Firewall nor IPTABLES properly and didn't understand why.

I don't know how to make it more clear but I can ask your questions.

I will restart over again but I need to know :

  • Do I need a WAN network ?
  • WAN can be eth0 and LAN is eth1 ?
  • Do I need to bridge my eth0 and eth1 so my LAN is connected to the internet through the WAN ?

Thanks for your patience.

I'm not entirely sure what Device on your graph is, but I will assume it's a laptop that you want to take internet from the Pi via an Ethernet cable.

If your Pi is what connects your network to the outer world then yes, you need the WAN port and you need the firewall.

Yes. Though I'm not sure if it's fine like this or if you better make the USB adapter for the WAN and keep the on-board network port for the LAN to ensure access to the Pi even if the USB adaptor or driver misbehaves.

NO. You only bridge the LAN interface (whichever eth0 or eth1 you use for that) with the WiFi interface.

1 Like

I reflashed, and I restart from scratch.

My router is still inside a larger but local network, so I don't need a WAN ?

I think I'm starting to understand my mistakes. I still need ETH0 and ETH1 because they are two different interfaces.
I have LAN which is DHCP and ETH0. Now I need another interface, let's call it DEVICE, with DHCP and ETH1?

In the scenario depicted above you can do the following:
LAN eth1 and DHCP if device runs DHCP server. Then you would have to switch off DHCP server on LAN port of Openwrt. If there is no other DHCP server, you need to assign static IP.
WAN eth0 and DHCP or PPPoE, depends on the provider. Allow port 22 on WAN interface in firewall section.

1 Like
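As an added example that is not part of this thread and not OpenWrt's own code, here is a POSIX shell script that prints a `uci batch` script for the layout suggested in the reply above (LAN on eth1 towards the device, WAN on eth0 towards the larger network, port 22 allowed in from WAN) together with the blocking test described at the start of the thread (443 TCP, 123 UDP and 53 UDP dropped for the device). The option names assume OpenWrt 18.06 (the image named above), the default zone order in `/etc/config/firewall`, and 192.168.1.1/24 as the LAN address; the interface names and port numbers come from the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from OpenWrt.
# Prints a `uci batch` script: network layout, zone assignment, SSH from WAN,
# and DROP rules for the device's 443/TCP, 123/UDP and 53/UDP traffic.
# Assumptions: OpenWrt 18.06 option names (ifname, fw3), default zone order
# (@zone[0] = lan, @zone[1] = wan), and 192.168.1.1/24 as the LAN address.

LAN_IFNAME="${LAN_IFNAME:-eth1}"     # USB-Ethernet adapter, device side
WAN_IFNAME="${WAN_IFNAME:-eth0}"     # on-board port, towards the bigger network
LAN_ADDR="${LAN_ADDR:-192.168.1.1}"  # assumption: OpenWrt default LAN address

# Network: LAN static so the Pi's dnsmasq can lease an address to the device,
# WAN by DHCP from the upstream router (192.168.178.0/24 in the thread).
emit_network() {
    cat <<EOF
set network.lan=interface
set network.lan.ifname=$LAN_IFNAME
set network.lan.proto=static
set network.lan.ipaddr=$LAN_ADDR
set network.lan.netmask=255.255.255.0
set network.wan=interface
set network.wan.ifname=$WAN_IFNAME
set network.wan.proto=dhcp
commit network
EOF
}

# Zones: LAN into the lan zone (green), WAN into the wan zone (red); this is
# the "Firewall Settings" step done through LuCI earlier in the thread.
emit_zones() {
    cat <<EOF
set firewall.@zone[0].network=lan
set firewall.@zone[1].network='wan wan6'
EOF
}

# emit_rule NAME SRC DEST PROTO PORT TARGET: one fw3 rule section.  With a dest
# zone the rule matches forwarded traffic; without one it matches traffic
# addressed to the router itself (input).
emit_rule() {
    name=$1; src=$2; dest=$3; proto=$4; port=$5; target=$6
    printf 'set firewall.%s=rule\n' "$name"
    printf 'set firewall.%s.name=%s\n' "$name" "$name"
    printf 'set firewall.%s.src=%s\n' "$name" "$src"
    if [ -n "$dest" ]; then
        printf 'set firewall.%s.dest=%s\n' "$name" "$dest"
    fi
    printf 'set firewall.%s.proto=%s\n' "$name" "$proto"
    printf 'set firewall.%s.dest_port=%s\n' "$name" "$port"
    printf 'set firewall.%s.target=%s\n' "$name" "$target"
}

# The wan zone refuses inbound connections by default, which is why the Pi
# vanished when its cable moved to WAN; this reopens SSH from the larger network.
emit_ssh_allow() {
    emit_rule allow_ssh_wan wan "" tcp 22 ACCEPT
}

# The outage test: drop what the device sends towards Amazon through the Pi.
# DNS gets a second, input rule because the device may ask the Pi's own
# dnsmasq, and a cached answer would hide the "53 UDP blocked" case.
emit_outage_rules() {
    emit_rule drop_https lan wan tcp 443 DROP
    emit_rule drop_ntp   lan wan udp 123 DROP
    emit_rule drop_dns   lan wan udp  53 DROP
    emit_rule drop_dns_local lan "" udp 53 DROP
}

emit_all() {
    emit_network
    emit_zones
    emit_ssh_allow
    emit_outage_rules
    printf 'commit firewall\n'
}

# Number of rule sections produced; a quick sanity check before applying.
count_rules() {
    emit_all | grep -c '=rule$'
}

# Stand-alone use prints the batch script.  On the Pi, apply it with:
#   ./outage-test.sh | uci batch && /etc/init.d/network restart && /etc/init.d/firewall reload
emit_all
```

Rules created through uci survive a firewall reload, whereas rules typed straight into iptables are discarded whenever fw3 rebuilds its chains (custom iptables commands belong in `/etc/firewall.user` on 18.06), which is one reason hand-entered iptables rules can appear to do nothing on OpenWrt. DROP makes the device's connections time out, while REJECT would give it an immediate error, so choose the target matching the failure the diagnostic tool should recognise; the tcpdump | wireshark pipe from earlier in the thread, run on eth1 while the rules are active, shows the device's retries.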

My mistakes came from the WAN. On the diagram "internet" isn't the provider connection, it's another LAN.
This is what I have and I can communicate with the device. I will try to drop the connections and If it works the problem will be solved :slight_smile:
Screenshot_20190411_160152

Your configuration still doesn't make sense. You have eth1 as interface DEVICE and also included in LAN interface.

OK, from the beginning:

  • You have internet connection, coming from a router right?
  • You want to connect the Pi to the router via an Ethernet cable?
  • You want to connect the Pi to another device by cable
  • And you want also to access the Pi by WiFi, right?

If you want the Pi network to be separate from the bigger network, then make one of the eth as WAN, and connect it to the bigger network. Bridge the other eth with the WiFi.

Else, if you want the Pi network to be part of the bigger network, then make one bridged interface of both eth0 and eth1, plus the WiFi.

It's essential to make sure that you have proper configuration as base case before you get into "what if" scenarios.