Newbie questions

Hi all, I just ordered my router! I am now trying to educate myself on openWrt to hit the ground running when it arrives.

I am pretty excited about all this, but I think I need a bit of help to figure out the basics (apologies in advance for the naive questions).

I am going through the example for basic configuration. I am trying to make sure I understand the configuration for the interfaces.

1. What is the scope of section names?
Is there any hidden impact of the section name, beyond its use in the configuration file? For example, can the section name be used in other configuration files?

In other words, can I do a sed to replace network.lan by network.mypetname in the file /etc/config/network (only this file) and everything will work exactly the same?

2. loopback interface

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

I don't see any option here that makes the ipaddr work as a loopback (i.e. redirect to the client itself). What am I missing? Is the forwarding back to itself configured someplace else?

3. lan

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask ''
        option ip6assign '60'
        option ipaddr ''

Why is the type bridge? What are the two networks this interface is bridging? A candidate would be that this interface bridges the lan and the wan, but this seems incorrect : given the following definitions it seems this interface should route and not bridge the lan network to the wan network?

It's also a bit confusing to me that this interface is called lan, given that we also have a notion of lan network. But I guess the documentation warns that wan and lan mean different things in different contexts.

4. guest network
One of my early goals (once I receive the router!) is to set up a guest wireless network. In the guest network, I want each device to only be able to have access to the internet, but not to each other. I actually think this might be a good default characteristic for any network. Only allow inter-clients communication if necessary.
What is the best way to do this?

Thanks for any pointer!

I expect yes, but only because the text network.lan doesn't appear in that file in the first place, so sed won't change anything. At least, it doesn't appear in that file on my instance of OpenWRT.

However, be aware that changing interface definitions in /etc/config/network may affect the behaviour of the firewall. Some of the entries in /etc/config/firewall depend on corresponding entries in /etc/config/network.

I suggest spinning up an instance of OpenWRT inside VMware Player/Workstation or VirtualBox (there are how-to docs for both on the OpenWRT website) so you can play with it directly and get a feel for how the various configuration files interact with each other.

It's a standard behaviour. Any address which begins with 127 refers to the host itself. I can't remember which RFC document describes it, but 127.x.x.x as a loopback address is universal, not confined solely to OpenWRT.

By default, LAN and Wireless to form one contiguous layer 2 domain.

Out of the box, OpenWRT bridges LAN and Wireless together, and segregates them from WAN via routing and the firewall.

See the contents of /etc/config/wireless to find the directive which says that the wireless interface belongs to the lan network.

Your search engine terms for the day are "private VLAN" and/or "client isolation".

I've no idea if OpenWRT supports it either natively or via additional modules; I've never investigated.


'lo' is an Ethernet-like psuedo-device in every Linux kernel. It doesn't connect to anything external but it allows looping data back.
Don't mess with 'loopback' at all. It is something that many Linux applications expect to be there.

You can change names but as noted the name is referred to in other files particularly firewall and wireless. Network names should be kept short (kernel limit 15 characters, including the br- or pppoe- etc that OpenWrt may add) and by convention lower case only.

Wireless is interesting that wifi interfaces are attached to networks in /etc/config/wireless not /etc/config/network. This leads to the situation that it appears there is a bridge with only one member, but additional wireless APs or STA(WDS) or mesh may be attached to it. brctl show can be used to examine the actual setup of bridges. There's also nothing wrong with a bridge with only one member, it keeps it simple to expand later.

A guest network starts with making a new bridge with a short lowercase name like 'guest', and a separate IP range and new matching firewall zone. Then set the firewall to forward guest only to wan not to lan. Guests can use the Internet but can't reach your LAN.

1 Like

I would suggest using UCI commands.

You can manually edit most files using your favorite editor if you like, It might be a bit difficult using sed.

You should start here to learn more

As for guest Wifi.


That's because this config only creates the "lo" interface for use by the system, the fact that it's used as loopback is a network standard so all applications just assume this is up and available and don't need additional config. It just needs to be there at all.

first, this is a physical interface bridge, not a networking bridge. It bridges phyisical ethernet ports or VLANs or wifi networks to form a single virtual interface with the same IP address and dhcp server and whatnot. see here for more info
This creates a new interface in your system, called br-NAME
so in this case br-lan.
See the output of ip a command to list all interfaces in the system, note how there is a br-lan at the end of the list (point 7). That's the interface bridge.

1: lo: <LOOPBACK,UP,LOWER_UP,80000> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP,LOWER_UP,80000> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether ac:16:2d:94:52:0c brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1280 qdisc mq state UP group default qlen 100
    link/ether ac:16:2d:94:52:0d brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth1
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1406 qdisc mq state UP group default qlen 100
    link/ether ac:16:2d:94:52:0e brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth2
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 100
    link/ether ac:16:2d:94:52:0f brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth3
       valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP,LOWER_UP,80000> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
    link/ether e8:61:1f:11:34:6c brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP,80000> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:16:2d:94:52:0c brd ff:ff:ff:ff:ff:ff
    inet brd scope global br-lan
       valid_lft forever preferred_lft forever

The interfaces bridged by this interface are in the ifname line, so for example if you want to have two interfaces there you would have
option ifname 'eth0 eth4'
And if you look again at the ip a command above you see that the eth0 and eth4 interfaces have no IP address but are shown as UP (active), that's because they are part of the br-lan bridge and their IP is shown in the br-lan entry.

You also need to check out the wifi config at /etc/config/wireless because it is also added to the bridge

this is my config (passwords removed obviously)

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:0c.0'
	option country 'IT'
	option cell_density '0'
	option htmode 'HT40'
	option distance '3'
	option channel 'auto'
	option hwmode '11g'
	option txpower '7'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option skip_inactivity_poll '1'
	option network 'lan'
	option ssid 'REDACTED'
	option key 'REDACTED'
	option ieee80211w '2'
	option encryption 'psk2+tkip+ccmp'
	option hidden '1'

note the
option network 'lan'
This means that the wifi should be added to the OpenWrt interface called "lan", and this can only happen if that interface is set as a "bridge".

If you look at the interface called "lan" from Luci web interface you should see both ethernet and wifi interfaces connected to it, the settings are not split like in the config files (it's joined for ease of use).

Another thing, if your device has an integrated switch the interfaces are usually set up as VLANs in the switch so you are not bridging ports here. You will get something like in the example
option ifname 'eth0.1'
that means "use VLAN 1 of eth0 interface" and in the switch config the VLAN 1 is set to use the usual 4 ports that are called "LAN" on the device's case.

It's also a bit confusing to me that this interface is called lan, given that we also have a notion of lan network.

It's called lan because this is supposed to be the bridge where all interfaces belonging to lan network go. It's the whole point of calling it like that.

There is a tutorial to do this since it's a commonly requested feature
But in general terms, you are creating a new wireless network and then not bridging it to the "lan" interface so it goes on its own "guest wifi" interface, and will therefore be isolated from whatever is in the "lan" bridge. Then in the firewall you will allow forwarding to the "wan" interface so it can access the internet.

If you also want to do this with ethernet it's a bit more complex but follows the same principle

1 Like

You lost me. The network config file is /etc/config/network - you can make copies/backups of this file.

  • Are you asking how the router knows to route to it's own loopback?
  • Or how it was configured with a loopback address?

That config is like any other machine with an lo interface.


So you can add WiFi SSID easily to an Ethernet-based LAN without needing to research/figure out you needed it. :wink:

  • Copy LAN network and dhcp config
  • Rename to guest
1 Like

@iplaywithtoys @mk24 @sml156 @lleachii @bobafetthotmail Thanks a lot! It's amazing to see how helpful this community is!

I expressed myself incorrectly with my sed example, but your reply answers my underlying question : section names span across multiple configurations.

Ah! That definitely makes sense. Now that you explain it, its obvious :grinning_face_with_smiling_eyes:

Thanks for the keyword. That led me to an article according to which it is as simple as adding option 'isolate' '1' to the wifi interface.

@mk24 : thanks for all that. It's very helpful. These conventions are very good to know.

@sml156 : thanks for the links, I'll look into these.

@bobafetthotmail thanks a lot for the very clear explanation. It's also very useful to see actual configurations.

Thanks for that. I'm sure this would have tripped me up.

The loopback is the only thing I am still unclear on. That is probably because I do not have the correct understanding of how it works. Let me try to detail how I picture it in my head, and you can let me know what I am missing.

  1. A client machine with IP sends an IP Packet P0 to destination on SSID S0, with WPA2 encryption.
  2. If there is no client isolation (which is the case by default), all client machines on this SSID can listen and decrypt this packet (this is not relevant to my question about loopback, but I just want to make sure I understand this correctly)
  3. The router that created this SSID listens to this packet, decrypts it. It sees destination IP, so it generates a new IP Packet P1 which is exactly the same as P0 except that the destination address is not but (does the destination port number stays the same as P0?). That way, the initial client receives its own packet, hence it is a loopback.

My confusion comes from the fact that I do not see anything in the config of interface lo that generates point 3.

@lleachii thanks for your help.

1 Like

No such thing...loopback packets never leave any device, in fact, they rarely (if ever) leave lo. Each device has its own lo. That IP is invalid as a DST IP on the air/wire/network.


1 Like

I see. So does that mean the process is actually like this:

  1. On my device with IP address, I open a programming language, open a socket, and send IP Packet P0 to destination
  2. My OS will see the destination and know not to send any packet.
  3. My OS will simulate the arrival of a packet P1 which is identical to P0 but with destination IP

If that is the correct scenario, why do we need to specify the lo interface on the router? It seems it's never used in that scenario.

No simulations...the destination is and likely the source too.

This is the tcpdump output of a device's ping

user@machine:~$ tcpdump -i lo -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
17:12:27.947904 IP > ICMP echo request, id 11, seq 1, length 64
17:12:27.947917 IP > ICMP echo reply, id 11, seq 1, length 64
17:12:28.967076 IP > ICMP echo request, id 11, seq 2, length 64
17:12:28.967093 IP > ICMP echo reply, id 11, seq 2, length 64
17:12:29.991170 IP > ICMP echo request, id 11, seq 3, length 64
17:12:29.991200 IP > ICMP echo reply, id 11, seq 3, length 64


It sends a real packet on lo. Simply consider loopback an internal test interface that doesn't send traffic anywhere by default.

But you don't understand the concept of lo???

You may need to see:

:bulb: Are you asking about a routable loopback address???

1 Like

Even an endpoint device (smartphone or laptop etc) has more than one interface. In this case the packet addressed to will be dispatched to the interface and immediately return on that same interface. An interface set up as an external connection, i.e. a wifi card, will not be involved at all.

An example would be a local instance of a mySQL server listening on port 3306. When another application accesses the database, it sends a packet from localhost:50123 to localhost:3306. The mysqld process receives this packet, and returns the answer to the originating application on localhost:50123. (Like any other TCP, the originator of a connection chooses a random high port number for itself, 50123 in this example) All this happens on the network.

The advantage here is that this client and server application with exactly the same code can be re-used and set up as a remote server merely by changing the IP addresses to something that will route to the other box. (There are faster ways to move data between local processes but it becomes OS specific.)

1 Like

Loopback is a virtual interface that mirrors packets coming from the same machine. You don't need to do anything, for the application this looks like network traffic.

It's useful to run normal network services that shouldn't be accessed from outside the system (or have no need to actually go out, do a trip to the switch and then turn back since they are contacting another service on the same system) without need to modify them to talk to another local application directly.

It's a little trick like doing symbolic links or bind mounts on a filesystem.

For example Syncthing (and other applications) use it to show a web interface for the user of the PC (since it's far easier to make a cross-platform GUI with web technologies than using 5 different OS-specific GUI toolkits). You point your web browser to and the system will bounce the packets to the local Syncthing application that is listening on and will send its web interface to the browser through that.

This will work on all OSes because every operating system with network access will have a loopback interface.

1 Like

That prompted me to take a closer look at mine. If it's in the config file, it might be exposed in the GUI. Turns out it is:

1 Like

@iplaywithtoys @bobafetthotmail @mk24 @lleachii Thanks a lot for that.

I understand now where my confusion is. I was mistakenly assuming that the clients's packets addressed to would be addressed to the router, which would send them back to the client. In fact, that's not what happens. Each client creates its own loopback interface, so messages addressed to actually never reach the router.

So the loopback network interface on the router is actually meant only for itself, not for the clients. There is no need for any specific configuration in the loopback's config of the router that redirects packets seen by the router with destination IP (from clients), because packets like these are never seen.
OpenWrt, like all other OSes, knows to simply send back to itself packets send to

This article though does not fit well into that explanation, since it says :

  • As the loopback address never changes, it is the best way to identify a device in the network.
  • The loopback interface is always up and it is reachable as long as the route to that IP address is available in the IP routing table. Hence you can use the loopback interface for diagnostics and troubleshooting purposes.

I am guessing this article talks about a different mechanism for loopback? Maybe one closer to my original understanding?

Welcome to the joys of dealing with enterprise networking.

There is a distinction to be drawn between the loopback interface (lo0) and the loopback network (

From the perspective of any device on the network, any address in the range 127.x.x.x is always "me", i.e. traffic is always handled internally and never leaves the device. It's not possible to talk to 127.x.x.x on another device. Some of the other posts before this one give real-world examples of where the loopback address might be used in practice.

Juniper's documentation illustrates how Juniper equipment supports configuring the loopback interface with a real, routable IP address so that it can be used for out-of-band management and for other services/protocols which may require a loopback address.


Yes. Each client will have its own loopback interface and will do this on its own. The loopback of the router is only used by the router, packets never leave the system.

No it's telling how to use this internal loopback interface on their own equipment to do troubleshooting tests. All the pinging and whatnot they tell to do must be done from the Juniper device itself, not from another device in the network.

1 Like

@iplaywithtoys @bobafetthotmail ok, thanks, that makes sense.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.