New OpenWRT user needs to be guided to disable firewall and resize partition

Hi,

I’ve never used OpenWRT before and need to be guided.
My network connects several buildings. My main router is in an office, and the APs are in each building.
A server is connected to this network and is reachable from anywhere on the network.
Each AP has a WebGUI.
Firewalls are set up on the main router and the server.

A new AP, a BananaPi R3 (https://openwrt.org/toh/sinovoip/bananapi_bpi-r3?s[]=build), completes my network.

But I’ve tried to configure it several times and failed.

I’m trying to:

  • Disable the firewall. I know more security is appreciable, but I want to disable the OpenWRT firewall since my main router handles that.
  • Be able to reach LuCI, even in AP mode, and even without the firewall.
  • Resize the internal storage. OpenWRT is set up on a 32GB SD card, but the partition is 500MB. Resizing it to 32GB would allow me to install additional files, like services. I tried to resize it using Linux. Linux sees a 32GB partition, while OpenWRT sees only the 500MB partition, even though it’s the same partition ID.

Steps I followed:

I followed this thread: https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap
My main router manages the IPs in my network, so I switched to DHCP-client afterwards. Switching at this step — "Although you could configure the wireless AP to use DHCP to obtain an address from the main router" — resulted in LuCI becoming unreachable, both on the old IP (192.168.1.1) and the IP assigned by the router to OpenWRT.
So, I first proceeded without switching to DHCP-client. After a while, I created a "fallback LAN network" (on a different subnet) using the physical WAN port to make sure I could still reach LuCI and manage my physical LAN ports. At this point, I was able to keep control over LuCI. After that, I switched to DHCP-client, with my laptop connected to the physical WAN I had just set up as an emergency LAN control. After a few reboots, LuCI became reachable from the network at the IP address assigned by the router. Disabling the firewall (in Network → Interfaces → br-lan → Firewall Settings) made LuCI unreachable. So, someone gave me these instructions: go to the firewall section, set defaults to Input/Output Accept, Forward Drop, and delete any rules and zones. Now, LuCI is still reachable.

But now, each device plugged into the physical LAN or OpenWRT Wi-Fi can see the server, but can't access it through ports (except for SMB, HTTP, HTTPS). If I connect the server to this AP and the clients to a different AP, it's the same issue.

I’m not comfortable with the CLI, and I need explanations on how OpenWRT works. I found it’s not intuitive, but I am interested in knowing how it works.

So my goal is to disable the firewall on the physical LANs and Wi-Fi. If possible, I want to keep the firewall for the physical WAN port I configured as a port for a different subnet.
Resize the system partition to allow me to install services.

Thank you

Please close the non-issue on GH first https://github.com/openwrt/openwrt/issues/20310

OpenWrt does not filter on the bridge, if ports seem firewalled it is local firewall on your “server”

My server doesn't have any firewall issues. If I plug everyone into a spare RE7000 or directly into the main router, there’s no problem, I can access all the services on my server.

So, it’s NOT a local issue.

I maintain that the configuration you gave me doesn’t do this 'OpenWrt does not filter on the bridge' at all. All devices on the LAN or Wi-Fi of the OpenWRT can't reach the server. All devices on the LAN of another AP on the network CAN reach the server.

A server firewall issue should affect every AP, not only the OpenWRT AP. It's not the case here.

Currently, OpenWrt is off, my server is plugged into a Linksys AP, and there’s NO problem.

So for now, https://github.com/openwrt/openwrt/issues/20310 is not closed

Openwrt does not filter traffic on the bridge.

Try nmap -A from the client to server and tcpdump traffic near every network plug.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

OK, thanks, I will do it soon.

That's you being a burden on the bug tracker. You were corrected and are now able to reach LuCI.

It's true, you're right.
It's another problem now.

So I will close it.

Disabling the firewall is rather trivial; just disable its start (“/etc/init.d/firewall disable”) and reboot. However, then you will need to define the rules yourself, i.e. within a script called from /etc/rc.local (enable forward, masquerade, drop invalid packets, etc.). You need to be familiar with standard Linux “nft netfilter”, which is well documented. Doing it this way, you can easily develop and test your rules without considering the specialities of OpenWrt's firewall “fw4”. You will most likely need to become familiar with native “nft” anyway when considering using non-standard packages, because you might need to inject mods into the standard firewall rules yourself.

And when your private firewall script works, you MIGHT consider integrating the rules into fw4, which will be another learning chapter.
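As an added example (not from this thread or from the OpenWrt project), here is what the native ruleset described above could look like for the setup in this thread: the bridged LAN/Wi-Fi (br-lan) left unfiltered because the main router is the firewall, and only the management subnet on the repurposed WAN port (192.168.2.1/24 on interface "wan", taken from the posted /etc/config/network) filtered. The interface names, management ports and the masquerade for the management subnet are assumptions to adapt; the file is meant to be loaded with "nft -f" from /etc/rc.local after fw4 has been disabled.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a dumb AP with fw4 disabled.
# Assumptions: "br-lan" = bridged LAN + Wi-Fi (unfiltered, main router
# is the firewall); "wan" = management-only port, AP address 192.168.2.1/24.

flush ruleset

table inet dumb_ap {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop                       # drop invalid packets
        ct state established,related accept

        # LAN side: no filtering at all, as requested in the thread.
        iifname "br-lan" accept

        # Management port: only ping, DHCP server, SSH and LuCI (HTTP/HTTPS).
        iifname "wan" icmp type echo-request accept
        iifname "wan" udp dport 67 accept           # DHCP for 192.168.2.0/24
        iifname "wan" tcp dport { 22, 80, 443 } accept
        iifname "wan" counter drop                  # counter helps debugging
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept

        # Frames bridged between LAN ports and Wi-Fi never pass this hook
        # unless bridge netfilter is enabled; only routed traffic does,
        # here the management subnet reaching the LAN.
        iifname "wan" oifname "br-lan" accept
    }

    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;

        # The main router knows nothing about 192.168.2.0/24, so hide
        # management traffic behind the AP's LAN address (assumption).
        oifname "br-lan" ip saddr 192.168.2.0/24 masquerade
    }
}
```

Checking the ruleset with "nft -c -f file" before adding it to /etc/rc.local catches syntax errors without touching the running tables; "nft list ruleset" afterwards shows the counters, which is how you confirm which rule is dropping a connection you expected to work.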

Hi,
Sorry for the late answer, I was away on professional travel.

First, to be sure that port 22 is open on my server, I ran Get-NetTCPConnection -LocalPort 22 on my server:

PS C:\Windows\System32> Get-NetTCPConnection -LocalPort 22

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting OwningProcess
------------                        --------- -------------                       ---------- -----       -------------- -------------
::                                  22        ::                                  0          Listen                     5516
0.0.0.0                             22        0.0.0.0                             0          Listen                     5516


PS C:\Windows\System32>
PS C:\Windows\System32>

Now nmap -a (both server and client on my RE7000 AP). I have used this configuration for 2 years now without problems; by this configuration I mean my server connected to my RE7000 and my clients connected everywhere.

WARNING: Could not import all necessary Npcap functions. You may need to upgrade to the latest version from https://npcap.com. Resorting to connect() mode -- Nmap may not function completely
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-26 12:22 +0100
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Initiating NSE at 12:22
Completed NSE at 12:22, 0.00s elapsed
Initiating Ping Scan at 12:22
Scanning 192.168.1.100 [2 ports]
Completed Ping Scan at 12:22, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:22
Completed Parallel DNS resolution of 1 host. at 12:22, 0.01s elapsed
Initiating Connect Scan at 12:22
Scanning serveur-nas-3.home (192.168.1.100) [1000 ports]
Discovered open port 445/tcp on 192.168.1.100
Discovered open port 135/tcp on 192.168.1.100
Discovered open port 443/tcp on 192.168.1.100
Discovered open port 21/tcp on 192.168.1.100
Discovered open port 1723/tcp on 192.168.1.100
Discovered open port 139/tcp on 192.168.1.100
Discovered open port 3389/tcp on 192.168.1.100
Discovered open port 8080/tcp on 192.168.1.100
Discovered open port 22/tcp on 192.168.1.100
Discovered open port 2179/tcp on 192.168.1.100
Discovered open port 992/tcp on 192.168.1.100
Discovered open port 5555/tcp on 192.168.1.100
Discovered open port 5357/tcp on 192.168.1.100
Discovered open port 5985/tcp on 192.168.1.100
Discovered open port 8200/tcp on 192.168.1.100
Completed Connect Scan at 12:23, 35.06s elapsed (1000 total ports)
Initiating Service scan at 12:23

I use my server as a remote disk, using SFTP, so as SFTP is based on SSH and uses port 22, I can confirm my server has port 22 open and the server firewall is well configured. I have used my server for 2 years now without any problems.

Here is the output of the commands over SSH (both server and client on the OpenWRT AP):

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.93",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Bananapi BPI-R3",
        "board_name": "bananapi,bpi-r3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.2",
                "revision": "r28739-d9340319c6",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.2 r28739-d9340319c6",
                "builddate": "1750711236"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd08:2b23:34e5::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr '72:6e:76:35:3f:ac'

config device
        option name 'wan'
        option macaddr '72:6e:76:35:3f:ac'

config interface 'Adminitration'
        option proto 'static'
        option device 'wan'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Adminitration'
        option interface 'Adminitration'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

root@OpenWrt:~#

nmap -a (both server and client on the OpenWRT AP):

WARNING: Could not import all necessary Npcap functions. You may need to upgrade to the latest version from https://npcap.com. Resorting to connect() mode -- Nmap may not function completely
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-26 12:17 +0100
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating Ping Scan at 12:17
Scanning 192.168.1.100 [2 ports]
Completed Ping Scan at 12:17, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:17
Completed Parallel DNS resolution of 1 host. at 12:17, 0.00s elapsed
Initiating Connect Scan at 12:17
Scanning serveur-nas-3.home (192.168.1.100) [1000 ports]
Discovered open port 8080/tcp on 192.168.1.100
Discovered open port 443/tcp on 192.168.1.100
Discovered open port 139/tcp on 192.168.1.100
Discovered open port 21/tcp on 192.168.1.100
Discovered open port 3389/tcp on 192.168.1.100
Discovered open port 445/tcp on 192.168.1.100
Discovered open port 1723/tcp on 192.168.1.100
Discovered open port 135/tcp on 192.168.1.100
Discovered open port 5985/tcp on 192.168.1.100
Discovered open port 2179/tcp on 192.168.1.100
Discovered open port 5555/tcp on 192.168.1.100
Discovered open port 992/tcp on 192.168.1.100
Discovered open port 8200/tcp on 192.168.1.100
Completed Connect Scan at 12:17, 35.05s elapsed (1000 total ports)
Initiating Service scan at 12:17

According to it, port 22 is not open on the server.

All devices are in the same sub-network.

I was unable to set up OpenWRT as I wanted using LuCI.

Instead, I used UCI command lines to configure my AP. I found a script on the internet and modified it for my configuration.

# ========================================================
# Setup a Dumb AP for OpenWRT by google
# ========================================================
# Disable IPv6
# ========================================================
uci del network.lan.ip6assign
uci set network.lan.delegate='0'
uci del dhcp.lan.dhcpv6
uci del dhcp.lan.ra
uci del dhcp.odhcpd
uci del network.globals.ula_prefix
uci set network.lan.ipv6='0'
/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
uci commit


# ========================================================
# To identify better when connected to SSH and when seen on the network
# ========================================================
uci set system.@system[0].hostname='BananaPi_R3'
uci set network.lan.hostname="`uci get system.@system[0].hostname`"
uci commit system

# ========================================================
# Wi-Fi configuration
# ========================================================
[....]

# ========================================================
# Set DHCP client
# 192.168.1.1 is the Main Router
# ========================================================
uci del network.lan.broadcast
uci del network.lan.dns
uci del network.lan.gateway
uci del network.lan.ipaddr
uci del network.lan.netmask
uci set network.lan.proto='dhcp'
uci commit network

# ========================================================
# Disable firewall
# ========================================================
/etc/init.d/firewall disable
/etc/init.d/firewall stop
mv /etc/config/firewall /etc/config/firewall.unused

# ========================================================
# Disable Dnsmasq completely and discard dhcp
# ========================================================
uci commit dhcp; echo '' > /etc/config/dhcp
/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop


echo '====================================================================='
echo 'Reboot your router'
echo 'you can now connect the LAN port of this device to the LAN port'
echo 'of your main router.'
echo '====================================================================='
sync
reboot

My access point is working as expected for now. I still need to test all my services to be sure.

I'm trying to convert the WAN RJ45 1GbE port into a LAN port on OpenWrt, create a subnet in 192.168.2.0/24, enable the DHCP server on that subnet, and ensure that OpenWrt is accessible via 192.168.2.1.

For now, I’ve found a script for that. I’m continuing my research.

First time you mention Dumb AP.
It is immoral under the Berne Convention of 1886 to remove authorship from authors' works.

1 Like

I didn't understand.

You found and used someone else's work without providing the source or the name of the author.

And if your setup serves a building with actual users then please take a basic course in networking or reach out for professional help, but your posts raise so many red flags for me...

Seriously!!!

I need help and these are your only words?

So I would like to thank Google for the help and cite it as the source.

Main source:

Google:
script openwrt dumb ap

Additional sources:

I thought that by coming to this forum, I would find people willing to help someone who's just starting out with OpenWRT, but clearly I came to the wrong forum.

No need to get upset, you did not ask for Dumb AP - https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap

If you ask unspecified questions and show that you are totally clueless, how would we even start to help you?

Even a dumb AP would and should have a firewall. It just does no routing.
But even that would be possible.
But if you were asked to do the job of a netadmin without any knowledge, it's not a good combination.

And btw. Google is no source.

And people over here are willing to help you but nobody will do the work and job for you. That's why I said reach out to professional help if you are overwhelmed.

If you show that you have actually read what was given to you, and you show that you have spent even a little bit of effort trying it by yourself, many here are happy to guide you on the path of learning.
If OpenWrt is too complicated for you then go with pfsense or ubnt products or buy the whole Cisco all-in-one package.
I do not want to offend you, but I say it directly so that you start to think for yourself and whether you are really capable of doing it.
And again, if this is not your private network.... Please be careful, ok?

2 Likes

Thanks for this honest and direct answer.

I can admit that my thread wasn’t very clear. I eventually resolved my questions and needs thanks to the internet. It’s true that convenience led me to this forum, as I’m starting from scratch when it comes to routing and router configuration. I’m using OpenWRT for the first time.

My Banana Pi R3 is intended to replace my RE7000, as I wanted an access point offering advanced features: logging, monitoring, the ability to host a VPN server (rather than doing it on my main server), and to take advantage of the options OpenWRT can offer.

The network in question is my private, home network. It consists of a SagemCom router wired to various access points. The firewall is centralized on the SagemCom, and to avoid redundancy, I disable the firewalls on the access points. My server (web, SFTP, DLNA, Samba) is connected to one of these APs. I’ve configured a firewall on the server to add an extra layer of security.

The SagemCom router manages static IPs, monitors connected devices, and handles port forwarding (DLNA, file access, Joplin, Vikunja, etc.). To avoid having to open ports on yet another firewall, I didn’t want my APs — including the one running OpenWRT — to have their own firewall. By simplifying security to two nodes in the network, I make my life easier.

It’s true that by searching online, you can find what you need (“Help yourself and heaven will help you”). The script I was able to create is made up of pieces from other users’ scripts. I didn’t think it necessary to cite them, and I apologize if that’s offensive. But since I’m only describing what I did, without claiming to have originated the solutions, I thought it was acceptable.

I find OpenWRT powerful and practical, but not very intuitive if you don’t have a background in network computing.

This thread can be closed, as my issues have been resolved.

I also managed to resize the main OpenWRT partition using the following procedure (which I saw somewhere—I don’t claim to have invented it, I’m simply reusing it):

I flashed the downloaded image for my device using Balena, writing it to a storage medium. Before inserting it into the OpenWRT system, I used Ubuntu’s Disk utility to resize the desired partition. Then I inserted the SD card into my Banana Pi R3.

What I had previously tried was resizing the partition after inserting the SD card into the Banana Pi R3. The result was that Ubuntu accepted the resize, but OpenWRT continued to see only the original size. I wasn’t able to resize it in a way that OpenWRT would recognize the changes.

1 Like