I'm having difficulty understanding how firewall zones work for isolating networks. I have attempted to isolate the default OpenWrt 'lan' network from a wireless network (interface) as pictured below:
I am able to receive a ping from a network address in the 'lan' zone and receive a response from a network address in the 'wirelesszone'. There is only one interface in the 'lan' zone operating as 192.168.8.0/24 and only one interface in the 'wirelesszone' operating as 192.168.12.0/24.
Why am I able to successfully ping from an address in 192.168.8.0/24 to an address in 192.168.12.0/24 with these zone rules?
Since I was not successful with the firewall zone rules, I tried a traffic rule rejecting any protocol from 'lan' as source and 'wirelesszone' as destination.
That did not work either. I would appreciate your help in understanding how to isolate firewall zones. I have done some forum searching and I apologize if the answer is there, but I didn't find any clear answer.
What specific addresses were you using for the tests?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
If the config files are a must have, I will have to get that information later.
Last test was a ping from 192.168.8.213 (a DHCP client) of 192.168.8.0/24 to 192.168.12.1
To clarify my original post - I should have written: I am able to ping from a network address in the 'lan' zone and receive a response from a network address in the 'wirelesszone'.
As stated by @brada4, it does seem that you are testing against the router itself. To add a bit more detail — when you test pinging or accessing the router, this does not actually represent an inter-subnet routing test. It is instead input to the router itself. What you need to test is one host on the lan to another host on the wifi network subnet — i.e. computers, etc. on those subnets, not the router itself.
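To illustrate the input-versus-forward distinction made in the reply above, here is an added, hypothetical /etc/config/firewall excerpt (not the original poster's configuration, which was not shown in this thread); the network name 'wireless' and the existence of a 'wan' zone are assumptions.

```uci
# Hypothetical /etc/config/firewall excerpt (assumed, not the poster's config).
# Zone for the default 'lan' network (192.168.8.0/24).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'     # lan hosts may talk to the router itself
	option output 'ACCEPT'
	option forward 'REJECT'   # nothing is forwarded out of 'lan' unless declared below

# Zone for the isolated wireless network (192.168.12.0/24).
config zone
	option name 'wirelesszone'
	list network 'wireless'   # assumed network name
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Only 'lan' -> 'wan' forwarding is declared (a 'wan' zone is assumed to exist).
# With no 'forwarding' section between 'lan' and 'wirelesszone', a host on
# 192.168.8.0/24 cannot reach a host on 192.168.12.0/24: that traffic goes
# through FORWARD and falls to the zone's REJECT policy.
config forwarding
	option src 'lan'
	option dest 'wan'

# A ping from 192.168.8.213 to 192.168.12.1 is different: 192.168.12.1 is the
# router's own address, so the packet is INPUT arriving on the 'lan' zone and
# is accepted by 'option input ACCEPT' above. A traffic rule with src 'lan'
# and dest 'wirelesszone' only matches forwarded traffic and never sees it.
# To also keep lan hosts away from the router's wirelesszone address, use an
# input rule (no 'dest' option) matching that destination address:
config rule
	option name 'Block-lan-to-router-wireless-address'
	option src 'lan'
	option dest_ip '192.168.12.1'
	option proto 'all'
	option target 'REJECT'
```

The real isolation test is a ping between two client hosts, one on each subnet, which exercises the FORWARD path that the zone policies and forwarding sections control.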