Firewall blocking SSH

I am new to OpenWRT. I have installed the latest version of 18.06 on an old Linksys E3000 router. Installation was fairly easy as compared to your competitors. I have for now disabled the WIFI on this router as it would interfere with my primary router WIFI. I have set up the OpenWRT up to use LAN only under IPv4 and one host Raspberry Pi computer. I have let DHCP be the handout for the IP's. My objective is to open the command line in the router to later set up DNS. My problem is the use of SSH to the router is being refused by the router firewall. I have tried reading the LUCI instruction for the firewall and set up what I believed to be the correct procedure to open the firewall for an SSH from my Raspberry Pi. The following is from LUCI Firewall menu selection to tab:

Firewall Traffic Rules:
Name: SSH access
Match: IPv4 tcp From any host in lan to any host port 22 in any zone
action: accept forward
Enable is checked

After this instruction was saved and applied, I rebooted the router and verified the rule was in place as the first rule of the list of rules on the Firewall Traffic Rules. I tried again to login via the raspberry pi and was rejected again. So, I need a little help here to get to the command line.

What you are doing here is letting SSH from LAN zone to any host in any other zone, while what you want is to allow SSH to the device itself.
By default everything is allowed from LAN zone to the device itself and to the WAN zone.
So, if the Raspi is connected on the LAN interface, it can SSH to the Openwrt.
If it is connected on the WAN zone, you need to allow it.


Thank you for responding to my question. I set up my OpenWRT to the configuration you show in the reply. Seen below as follows with the match changed all other remain the same:

Match: Any tcp
From any host in wan
To any router IP at port 22 on this device.

There is no change in the SSH execution.

May I ask, how the general settings tab is supposed to be setup for the lan and the wan?


Zone -> Forwardings: lan green to wan red
Input: accept
Output: accept
Forward: accept
Masquerading: unchecked
MSS Clamping: unchecked

Zone -> Forwardings: wan red -> accept (grayed out)
Input: accept
Output: accept
Forward: accept
Masquerading: checked
MSS Clamping: checked

Thank you!

Input and Forward are supposed to be REJECT. So it seems that you have played quite a lot with it. Can you login with SSH from the same host that you are connecting to the Luci web interface at least?

I tried setting the wan zone to the settings you suggested. Unfortunately, I am locked out of both the LUCI and the ssh, now. I may have to reset the router now back to factory defaults.

One additional note. The raspberry pi mentioned in the 3rd note is the only machine that is connected to this router. I did place a secondary pi on the network and before the change was made, I was able to ssh into it. However, now the ping is very slow to trigger off the router with the suggested settings and the secondary pi will not accept my ssh.

Sounds like the only way around, if you cannot connect console.

1 Like

Believe it or not, I was able to connect to the router from Putty on my primary network. Now, I'll have to find the right commands to correct my router access from the Pi and turn on LUCI again. Then proceed with setting up a DNS.

Reset to factory defaults with firstboot command.
Keep in mind what we mentioned in here for global access from LAN zone and restricted from WAN.

Is there away to fix the router without resorting to the firstboot command?

Have you done so many configurations that it will take you a lot of time to restore to defaults and start from scratch?
In other circumstances it might be fixable, but you managed to lock yourself outside, so better not risk it.
In any case you have something important there, a backup is not so difficult to take.

Yes, I agree, a backup should have been preformed before the changes were invoked. Never-the-less, I made correction to the /etc/config/firewall by resetting the two rejected items back to reset and rebooting. The LUCI is now working along with the ping. SSH from the pi is still blocked, however, login vi the primary network is still open. Thank you for your time patience. I just have to learn this UCI language and primary configurations.

Can you confirm that your LAN interface is assigned the correct zone? If so, it should look green in Network > Interfaces in LuCI

If that's the case and you still have no SSH access, it might be worth to send an image of your Network > Switch in LuCI

Mr. Hegab:

Thank you for your responses. I was able as I mentioned in a reply to ssh into the router from my primary network and correct the firewall issue that prevented the router from functioning under LUCI. In addition, I reviewed the documentation and found that the dropbear controls the wan/lan connectivity. I added a lan option to the file, which opened a way to connect via the raspberry pi.

In the documented backup procedure, the cat<< EOF>> /etc/sysupgrade.conf, the EOF needs a delimiter of either double quotes or forward slash. I used the forward slash to change the sysupgrade.conf and it worked.

Again, I thank you for your time that you devoted to my issue. I just have to learn how to properly configure this router for the responses I seek.

Alexander Jackson

1 Like

Great! You are welcome.

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.