Firewall settings for two site-to-site OpenWrt routers

This is the first time I am learning to connect two routers to route with each other. To keep everything simple, I want the same setup on the two routers, such that:

  1. To resolve IP by hostnames, like iphone.lan1, desktop.lan2, etc.
  2. Allow all local clients to ping all device, local or remote.
  3. Allow some local clients to access Luci on the remote router
  4. Allow some local clients ssh to some remote clients

When Firewall is not running on both router, I can do 1 & 2, and ssh are open to all also.

Please help me on how to setup the Firewalls to make this work.

Thanks a lot!

  • How much do you trust the ISP and their switch?
  • Are there other clients on that switch?
  • Can someone else connect to the switch?
  • Did you consider setting up a site-to-site VPN?
1 Like

I am trying this simple setup as a start, ultimately is build a proper tunnel over Interernet between two routers (ddns with dynamic IP, etc.)

So at this moment, I will make it as simple as possible:

  1. I trust the ISP switch - such that I do not need traffic encryption between the two routers.
  2. No other clients on the ISP switch. The switch is physically inside my apartment.
  3. I consider no one (except myself) will connect to that switch
  4. Not at this moment. I want to focus on Firewall Zones/Rules in this setup.

Next stage, I will try to use what I learnt with this setup and move to wireguard tunnel over proper Internet.

1 Like

For dnsmasq you can configure forward zone with :

Then local resolution will happen...



In that line, should I use the macvlan address i.e. or LAN address ?

the one your clients will access.
the two are possible if routeur need them also.
in preference order.

you can also specify in dhcp advanced options of LAN1 these dns configs :
then clients will get forced on these parameters.
same for LAN2.

Edit : reading your draft, I mean VLAN IPs

This should be applied to the R1 starting from factory defaults:

uci -q delete network.lan_lan
uci set network.lan_lan="route"
uci set network.lan_lan.interface="wan"
uci set""
uci set network.lan_lan.gateway=""
uci commit network
/etc/init.d/network restart

uci set dhcp.@dnsmasq[0].localservice="0"
uci add_list dhcp.@dnsmasq[0].server="/lan2/"
uci commit dhcp
/etc/init.d/dnsmasq restart

uci add_list firewall.@zone[1].masq_dest="!"
uci add_list firewall.@zone[1].masq_dest="!"
uci -q delete firewall.wan_dns
uci set firewall.wan_dns="rule"
uci set"Allow-DNS-WAN"
uci set firewall.wan_dns.src="wan"
uci add_list firewall.wan_dns.src_ip=""
uci add_list firewall.wan_dns.src_ip=""
uci set firewall.wan_dns.dest_port="53"
uci set firewall.wan_dns.proto="tcp udp"
uci set"ACCEPT"
uci -q delete firewall.wan_admin
uci set firewall.wan_admin="rule"
uci set"Allow-Admin-WAN"
uci set firewall.wan_admin.src="wan"
uci set firewall.wan_admin.src_ip=""
uci set firewall.wan_admin.dest_port="22 80 443"
uci set firewall.wan_admin.proto="tcp"
uci set"ACCEPT"
uci -q delete firewall.l2l_icmp
uci set firewall.l2l_icmp="rule"
uci set"Allow-ICMP-Forward"
uci set firewall.l2l_icmp.src="wan"
uci set firewall.l2l_icmp.src_ip=""
uci set firewall.l2l_icmp.dest="lan"
uci set firewall.l2l_icmp.proto="icmp"
uci set firewall.l2l_icmp.icmp_type="echo-request"
uci set"ipv4"
uci set"ACCEPT"
uci -q delete firewall.l2l_ssh
uci set firewall.l2l_ssh="rule"
uci set"Allow-SSH-Forward"
uci set firewall.l2l_ssh.src="wan"
uci set firewall.l2l_ssh.src_ip=""
uci set firewall.l2l_ssh.dest="lan"
uci set firewall.l2l_ssh.dest_port="22"
uci set firewall.l2l_ssh.proto="tcp"
uci set"ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

The R2 should be configured symmetrically.


Please correct me if I am wrong here:

I can have two options for the hostname resolving to work:

  1. Use DHCP options to tell each client which DNS to use for the corresponding domain, lan1/lan2, etc.
  2. Local Client will only talk to the local DNS, and the local DNS will find out the correct IP and reply back. In this case, I can have a Firewall Rule restrict DNS query to local DNS only.

I want to use option 2 at the moment.

The local DNS will cache resolution, but will need to talk with the other DNS.
The clients may also need to talk to a "slave" DNS (as secondary) if the primary do not answer.
DHCP options (in advanced options of DHCP of the LAN) is just a "forced" method to push parameters to clients.
These forced options may not be necessary with the firewall rules given by @vgaetera


That is quick - let me try it out and update back.

1 Like

This is my starting interfaces, FW zone of macvlan is undefined. and can ping and ssh with each other.

Should I put macvlan into the wan zone first?

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'fdce:d06a:10bd::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'
	option ifname 'eth0.101'

config device 'macvlan'
	option name 'macvlan'
	option type 'macvlan'
	option ifname 'eth0.2'

config interface 'p2p'
	option ifname 'macvlan'
	option proto 'static'
	option ipaddr ''
	option netmask ''
1 Like

The relevant interface name is p2p and you can attach it to the wan zone.
Or create a separate zone with disabled masquerading.
But then you need to adjust the firewall rules.

1 Like

Thank you very much! Your setup works, now the two LAN segments can communicate with each other subject to firewall rules of the routers.

I am very happy to have a working setup as my reference so that I can keep learning using OpenWrt for site-2-site connections.

I changed one setting for remote hostname lookup to work:

In R1, I added lan2 to the RF1918 Domain whitelist.

uci set dhcp.@dnsmasq[0].rebind_domain='lan2'
uci commit dhcp
/etc/init.d/dnsmasq restart

And similarly for R2.

Now I need to learn the firewall rules one by one.

One side question:
why uci show for dhcp return "@dnsmasq[0]" (Is that an array?) while when showing network, it is just plain text?


Some config sections are named, while others are unnamed/anonymous:

You can name/rename it for convenience:

uci rename dhcp.@dnsmasq[0]="dnsmasq"
uci commit dhcp
1 Like

Thank you for your kind support and guidance!

I replicated the settings, via Luci, to the two routers that connected the the ISP switch. And they work flawlessly with your config.

When reading Internet posts / articles, I know it is needed to disable NAT for routed destinations, but never sure where to put it and the correct syntax. Now I know I can use '!' in front of a subnet to exclude it.

Once again, thank you for all your helps!

1 Like

In theory, you may not even need macvlan if you already have the wan interface.
Then you can use masq_dest="!p2p" with the p2p interface configured as an alias:

1 Like

Thanks for the pointer.

I will look it up and see if I can get it working.

1 Like

Hi @sampson
I have been working quite some time to setup a similar connection as you are, and I had a lot of similar issues. @vgaetera & @krazeh have been a tremendous help.
If this can help here is a link to my installation
Actually as I already planned to install this between 2 sites in different countries, I did setup all the encryption from the right beginning. WireGuard on top of OpenWrt has been the solution.
As when it will be installed I will not be able to easily access both sites at the same time, I did also setup another access through my iPhone form anywhere in the internet. So in case something goes wrong in my Site-2-Site I can still access both routers.

Have fun & it is very educational project. I'll keep a look on your DNS aspect as this is a point I haven't solved yet...

1 Like

Thanks for the link.

It will help a lot when I am trying to setup a Wireguard Tunnel version of this site-2-site setup.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.