Firewall is blocking connections from WAN

Hi, I have three routers:

  1. ISP's Router (Public IP - 192.168.1.0/24) AKA 1.0/24
  2. Dev Router (192.168.1.128 - 192.168.100.0/24) AKA 100.0/24
  3. Play Zone Router (192.168.1.127 - 192.168.101.0/24) AKA 101.0/24

And they're connected like this:

ISP's Router -> Internet
Dev Router -> ISP's Router
Play Zone Router -> ISP's Router

Only the Dev router has OpenWrt, and I use it for development. It has DMZ from the ISP and some ports open for my web server, while I generally use my ISP's router and the Play Zone one for connecting all my devices (phones, computers, consoles, TVs, etc.)

Currently I added some services which I'd like to access from my devices without needing to connect to my Dev Router directly, so I added a route from my ISP router to the Dev Router:

ip route add 192.168.100.0/24 via 192.168.1.128

But every time a device connected to 1.0/24 or 101.0/24 tries to reach my server (192.168.100.32) or LuCI (192.168.100.1), it gets a Timed Out error. But, if I disable the firewall through LuCI (System -> Startup -> Firewall -> Stop), the same devices are able to connect to both my server and LuCI without any problem.

The issue with disabling the firewall is the DMZ that I set up in my ISP Router. If I leave the Firewall disabled, I'll leave my entire Dev subnet exposed to the internet, which I don't want to do.

What should I do?

The firewall is operating as intended.

Did you set the DMZ on the ISP router to point to the OpenWrt router? If so, why? What is your intent here?

You could create a set of firewall rules in this order:

  • Drop connections to 192.168.100.0/24 from 192.168.1.1 (Assuming that is the router, from which the DMZ traffic would be coming)
  • Allow connections to 192.168.100.0/24 from 192.168.1.0/24

This should stop the DMZ'd traffic while allowing connections from the .1.0/24 LAN. This should be at the bottom of the firewall rulesets to make sure that you don't stop valid established/related traffic from the upstream router.

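The two rules above, written out as an added `/etc/config/firewall` fragment for the Dev (OpenWrt) router (example configuration, not from the original post). It assumes the default zone names (`lan` = 192.168.100.0/24, `wan` = the port facing the ISP router), that the ISP router's LAN address is 192.168.1.1, and that LuCI listens on the default uhttpd ports 80/443.

```uci
# Added rules only; the rest of /etc/config/firewall stays at its defaults.
# Rules are evaluated in file order, so the DROP for the DMZ source must sit
# before the ACCEPT for the rest of 192.168.1.0/24.  With the wan zone left
# at its default REJECT policy, any source outside 1.0/24 is still refused;
# the DROP rule only matters if the ISP router rewrites DMZ traffic to its
# own address (assumed here to be 192.168.1.1).

# Forwarded traffic: hosts on 1.0/24 (and 101.0/24 behind its NAT) -> Dev LAN
config rule
	option name 'Drop-DMZ-from-ISP-router'
	option src 'wan'
	option src_ip '192.168.1.1'
	option dest 'lan'
	option dest_ip '192.168.100.0/24'
	option proto 'all'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-1.0-LAN-to-Dev-LAN'
	option src 'wan'
	option src_ip '192.168.1.0/24'
	option dest 'lan'
	option dest_ip '192.168.100.0/24'
	option proto 'all'
	option family 'ipv4'
	option target 'ACCEPT'

# Traffic to the router itself (LuCI at 192.168.100.1): no 'dest' option means
# the rule lands in the wan zone's INPUT chain instead of FORWARD.
config rule
	option name 'Drop-DMZ-to-router'
	option src 'wan'
	option src_ip '192.168.1.1'
	option proto 'all'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-1.0-LAN-to-LuCI'
	option src 'wan'
	option src_ip '192.168.1.0/24'
	option proto 'tcp'
	option dest_port '80 443'
	option family 'ipv4'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart` and confirm the rule order with `iptables -L -v -n` (or `nft list ruleset` on fw4): the DROP line must appear above the ACCEPT in the wan forward and input chains.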

Did you set the DMZ on the ISP router to point to the OpenWrt router? If so, why? What is your intent here?

Yes, because I have almost no control over my ISP router (I was lucky to set some routing rules). In fact, I shouldn't have opened ports in the first place, but I was able to find a hacky way to do it, and I enabled the DMZ so I don't have to open up my ISP router every time I need to modify a port (and I do that a lot)

You could create a set of firewall rules in this order

I tried to add those lines in Traffic rules, but it doesn't work. It still gives me Timed Out every time I want to connect from outside 100.1/24

Even if I set the allowing rule at the top (or at the bottom) of everything, it won't let me through

Have you turned off NAT Masquerading?

RELATED/ESTABLISHED should be fine when using native UCI syntax.
It's always created automatically on top of each core chain preceding other rules.


Not sure what happened. I tried every possible configuration without success.
Then, bored with this, I just did a Factory Reset and tested with the default settings. After a while, I got it working correctly by just allowing forward traffic in the Firewall's general settings and leaving everything else at default.
After that I just needed to add my forward rules and psherman's traffic rules so I can control the traffic coming from the DMZ while allowing anything else coming from my local networks.

Thanks!
