I have a FritzBox responsible for the provider connection and a second one running openwrt. When I created a port forwarding in the first FritzBox I was able to see all devices connected to the openwrt router. Is it possible to avoid it or is this necessary as those devices need to receive the responses from the internet?
That depends on how you configured OpenWrt, just as well on how Fritz!OS enumerates devices.
- in a dumb-AP configuration, the Fritz!Box would have unfettered access ti all devices on the -common- LAN.
- with a unmasqueraded router + static route configuration, the Fritz!Box doesn't get ARP access, but still sees IPs generating internet traffic individually.
- in a double NAT configuration, the Fritz!Box should only get to see a single IP, that of your router.
Relaxed firewall rules might open up further access into your LAN.
Ok, I think that these devices are still enlisted from the time where I had no openwrt router because they are marked as "inactive". Still, I would like to check this. What do I need to do ensure my internal LAN is blocked?
reboot the fritz!box, and they should be gone.
it is, by default.
if you haven't played around with those settings, you're safe.