Isolate OpenWRT network from ISP network

Hi all, this is my first time using OpenWRT and I would like to use it to isolate devices from the ISP's network. OpenWRT is installed on a VM on Proxmox and has IP interface br-lan (eth0) 10.0.0.1, this interface is bridged to a Linux Bridge created by Proxmox (vmbr1) which is a bridge to a physical port on the server where i connected my desktop computer. Instead, the WAN interface (eth1) is bridged to Proxmox's vmbr0 which is itself a bridge to another physical port on the server where the ISP's router is connected. I don't know if I explained myself well, but the thing I would like to know is: how to isolate the two networks, because at the moment my computer, connected to the OpenWRT network, is able to ping the ISP router and any other device connected to it, while devices connected to the ISP's network are unable to ping any device on the OpenWRT network. So how do I isolate these two things? Thank you!

It is strange idea. So in your configuration Linux host is just container for VM, running OpenWRT with WAN, and LAN. Replace it by hardware router for simplicity. So you want to 'isolate' LAN from WAN, it is nonsense. You can remove forwarding, but in this case there is no Internet access at all.

You have discovered how OpenWrt works by default. It forwards traffic (initiated) from LAN to WAN, but not from WAN to LAN.

If you go to the firewall settings (Network-Firewall) in LuCI, it is shown in the table under "Zones". "lan => wan" means that traffic initiated in lan is allowed to go to wan. The "Forward" column is just about what happens between interfaces that belong to the lan zone. You can edit this and remove wan from "Allow forward to destination zones". If you started from default settings, you will now have a router that does not route.

Note the "masquerade" box on the WAN line. This causes NAT to be applied to traffic going TO the wan zone. I don't think this user interface is super-intuitive.

All of this is explained better in the OpenWrt firewall wiki page.

1 Like

Ok I'll read the firewall wiki for more info, thanks.