Openwrt Firewall Double Router Managed Switch on which zones?

Hey :slight_smile: I'm just wondering if the firewall zone is set to the correct interface.
First the setup is a double router. Family gateway (not allowed to bridge or dmz).
Family gateway/combo connected by ethernet cable to the openwrt router, openwrt router connected by ethernet cable to my managed switch. LAN ("br-lan") is the openwrt motherboard ethernet port that connects to the router. WAN is my usb ethernet adapter that connects to the managed switch. Should the firewall be set up to reject on the LAN or WAN zone to protect my devices from outside traffic?

I'm having trouble following your topology... why is your WAN connected to the switch?

Could you draw a diagram of your network? A simple photo of a sketch on paper is sufficient.

For what it's worth, the screenshots you've posted are effectively the default configuration -- and this is good for many situations.

I will try and do a sketch.
My x86 router only has one built in ethernet port (brlan).
brlan is connected to the gateway.
The usb to ethernet is (wan).
The wan is connected to the switch for all my devices.

It's kinda like this:

(Family's Gateway/Router) <-Ethernet Cable-> (openwrt router) <-ethernet cable-> switch

This doesn't match your diagram (or at least it wouldn't make sense)... the WAN is the untrusted interface. The LAN is the trusted interface. Your devices should be connected to the LAN.

So basically, I got my setup backwards?


Can you remove the ISP combo router device? If not, just make sure that the subnet that is used on the LAN of that device is not the same as what you have on your OpenWrt router... if it is the same, routing will not work. You can easily change the OpenWrt subnet to something that doesn't overlap.

Thank you :slight_smile:
I can not remove the ISP combo router device.
It's my family's and they are not okay with me bridging or DMZ.
Learning about networking so this is why I'll be going through all the trouble.
I'm not sure if the comcast gateway xb7 (TG4482A) will allow me to assign anything that is not a address.

I just tried to assign the openwrt router a DHCP reserved IP address from the comcast gateway and got this error

"Reserved IP Address is not in valid range: ~"

If it is using, you can use on your OpenWrt router. Or you can use basically any RFC1918 address that doesn't conflict with the upstream router.

The address for the OpenWrt WAN will necessarily be in the same subnet as the upstream router's LAN. Therefore, if the upstream uses, it must have an address in that range. Then, on your OpenWrt LAN you'll want another non-overlapping address. is fine ( for the router address -- this is the default configuration).

I would set the on the openwrt router for the interface that is handing out ips (for example the interface connecting to the switch)?

Oh, didn't see the edit till I posted lol. thank you :slight_smile:

I have been having problems with trying to resolve this problem.
Tried changing the brlan from lan to wan and got this issue.

Wan firewall zone is now showing up as empty.

I have also tried setting the other interface as lan with a static ip and plugging directly into the other usb ethernet interface, luci does not load with and without firewall zones on the interface.

In the link I sent earlier, you will find the solution:

That is fine -- you are assigning the wan interface to the wan firewall zone. Currently it shows empty, but once you save the changes, it will be associated properly.

I have read the link. The thing that confuses me though is that it's talking about changing the IP, where I'm trying to change the zone from br-lan to wan.

Now I'm even more confused... I don't understand what you are trying to do. Why are you changing zones around? You should leave the network and zone associations alone, and simply change the address method for your networks.

The lan network should be associated with the lan firewall zone. It should have a protocol of "static IP" and then an address like (net mask

Your wan network should be associated with the wan firewall zone. It should probably have a protocol of "DHCP".

That's it.

Might have misinterpreted what you said.
I thought you meant the interfaces were set up backwards and the br-lan (the on board ethernet adapter) needed to be changed to wlan since this is where openwrt is connecting to the isp router, and that my usb adapter wlan needed to be changed to lan in order to fix this.
And by change I mean edited in luci so LAN is changed to WAN and WAN is changed to LAN.
Picture of how it was setup:

Quick definitions:
LAN = Local Area Network (i.e. your network), trusted
WAN = Wide Area Network (i.e. the internet), untrusted.

When I said your setup was backwards, I meant that you were trying to connect your devices to the wan side of your router... this won't work. Your devices must be connected to the lan side of the router (via the switch), while the WAN connects upstream.

The simple solution would be to leave your configuration as it is in the picture you've posted in #15 and switch the connections you've made on your router (i.e. take the cable that is currently plugged into the normal ethernet port and connect it instead to the USB-ethernet adapter and vice versa).

If you really want to keep the physical connections the same, you need to change the ethernet assignments into br-lan (currently, I'd guess, it's eth0) and wan (currently eth1).

When looking at the firewall zones though it looks like it's showing that you connect from lan to wan and then wan to reject. With lan being on top and the arrows pointing. Is this not what it's showing?

When trying to do this I come across this issue unfortunately.

The firewall zone picture shows that traffic is allowed to be forwarded from the lan to the wan and that traffic from the wan is rejected (not forwarded anywhere). In practical terms, this means a host on the lan can initiate a connection (for example, to these forums). Return connections (responses) are therefore allowed. But the hosts on the wan cannot initiate a connection to hosts on your lan. This is how it should be for security reasons.

For the error you are encountering, you may need to use the command line interface if it won’t apply correctly when using LuCI (due to the auto rollback). But that link describes how to deal with this issue.
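An added example (not code from the thread or from OpenWrt) tying the two points together: the OpenWrt LAN subnet must not overlap the upstream combo router's LAN, and the default lan/wan zones stay as they are, with only the addresses (and, if the cables are kept as they are, the port assignments) changed. It assumes the upstream subnet shown, that the on-board port is eth0 and the USB adapter is eth1 (the poster's guess above), and the UCI device syntax of OpenWrt 21.02 or newer.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to an integer (POSIX sh, no external tools).
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask as an integer for a prefix length (0..32).
prefix2mask() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }

# Exit 0 when two CIDR blocks share at least one address.
cidr_overlap() {
  a=$(ip2int "${1%/*}"); b=$(ip2int "${2%/*}")
  p=${1#*/}; if [ "${2#*/}" -lt "$p" ]; then p=${2#*/}; fi
  m=$(prefix2mask "$p")
  [ $(( a & m )) -eq $(( b & m )) ]
}

# Exit 0 when a host address (e.g. a DHCP reservation) lies inside a CIDR block;
# a reservation outside the upstream LAN is what the gateway rejected above.
in_subnet() { cidr_overlap "$1/32" "$2"; }

# First RFC1918 /24 from a short candidate list that does not overlap upstream.
# 192.168.1.0/24 is OpenWrt's default LAN, so it is tried first.
pick_lan_subnet() {
  for c in 192.168.1.0/24 192.168.2.0/24 10.0.0.0/24 172.16.0.0/24; do
    cidr_overlap "$c" "$1" || { echo "$c"; return 0; }
  done
  return 1
}

# UCI commands for the layout: LAN static on the port feeding the switch, WAN via
# DHCP on the port facing the upstream router. The zone associations are untouched.
# The two device lines are only needed when keeping the cables as they are;
# swapping the cables makes them unnecessary.
uci_commands() {
  lan=$1; router="${lan%.0/24}.1"
  cat <<EOF
uci set network.lan.ipaddr='$router'
uci set network.lan.netmask='255.255.255.0'
uci set network.wan.proto='dhcp'
uci delete network.@device[0].ports
uci add_list network.@device[0].ports='eth1'
uci set network.wan.device='eth0'
uci commit network && /etc/init.d/network restart
EOF
}

# Constructed upstream subnet; substitute what the ISP gateway actually uses.
upstream=192.168.0.0/24
lan=$(pick_lan_subnet "$upstream") && uci_commands "$lan"
```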

Gotcha. So basically the easiest way to do this is

  • swap the cables around
  • follow the link you sent about changing ips for the lan side

When doing so, would luci need any extra configuration?

By trying to change the firewall zones on the adapter settings and seeing how wan was empty I then went into the firewall rules settings and pressed reset. Did I change anything to be worried about?

Aside from swapping the Ethernet cables, you don’t need any changes from the default configuration of OpenWrt. I don’t know if you have made any other changes (accidentally or intentionally in an effort to set things up), so I will say that your best option is to reset to defaults/start fresh.