Sanest way to access secondary LAN's OpenWrt router LuCI/SSH

Within the immediate primary LAN which routes to the internet service, I have a second subnet under an OpenWrt device with router function (as opposed to dumb AP). If I want to access its controls, whether LuCI or SSH, what are the recommended methods?

Right now I added a new interface over the WAN device, set static IP and assigned it under the default lan firewall. This works, but I don't like it because the default WAN interface also takes up an additional IP address for routing connections from secondary LAN to primary LAN.

The other option I know is simply forwarding LAN's port 22 and 80 to WAN, but is this the best method/standard practice for what I want to accomplish?

That is what I do. For safety, only allow (set as source address) IP addresses from your local primary LAN.

2 Likes

Can you share a screencap of the rules you implemented? I mean, I know what to do, but just in case I'm missing something.

1 Like

For SSH I use a simple accept firewall rule. My main network is 192.168.0.0/24, so I accept only traffic coming from this main network (192.168.0.0/24; change it to your main network).
/etc/config/firewall

config rule
	option name 'Allow-SSH-v4v6'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'
	list proto 'tcp'
	list src_ip '192.168.0.0/24'

For remote admin I use a port forward to forward port 8080. My secondary router has a static lease (from the main router) of 192.168.0.6, so for remote admin I use http://192.168.0.6:8080
/etc/config/firewall

config redirect
	option dest 'wan'
	option target 'DNAT'
	option name 'Allow-httpv4v6'
	option src 'wan'
	option src_dport '8080'
	option dest_port '80'
	option family 'any'
	list proto 'tcp'
	option src_ip '192.168.0.0/24'
2 Likes
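
A way to check that every WAN-facing management opening keeps its source restriction, as an added example that is not from any poster in the thread. The function names `audit_fw` and `sample_config` are hypothetical, the sample is trimmed from the two sections above plus one constructed unrestricted rule, and the script assumes a `config redirect` with no `target` option behaves as DNAT.

```shell
# Added example: flag wan-sourced ACCEPT/DNAT sections that lack a src_ip limit.
sample_config() {
cat <<'EOF'
config rule
	option name 'Allow-SSH-v4v6'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'
	list src_ip '192.168.0.0/24'
config redirect
	option target 'DNAT'
	option name 'Allow-httpv4v6'
	option src 'wan'
	option src_dport '8080'
	option dest_port '80'
	option src_ip '192.168.0.0/24'
config rule
	option name 'Constructed-Open-SSH'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'
EOF
}

# Reads UCI firewall text on stdin; prints one line per wan-facing ACCEPT/DNAT section.
audit_fw() {
    awk -v q="'" '
    function report() {
        if (src == "wan" && (target == "ACCEPT" || target == "DNAT"))
            printf "%s %s %s port=%s src_ip=%s\n", (ips == "" ? "OPEN" : "RESTRICTED"), type, name, port, (ips == "" ? "any" : ips)
        type = name = src = target = port = ips = ""
    }
    { gsub("[" q "\"]", "") }                     # strip UCI quoting
    $1 == "config" { report(); type = $2; if (type == "redirect") target = "DNAT"; next }
    $1 != "option" && $1 != "list" { next }
    $2 == "name" { name = $3 }
    $2 == "src" { src = $3 }
    $2 == "target" { target = $3 }
    $2 == "src_dport" || ($2 == "dest_port" && type == "rule") { port = $3 }  # exposed port
    $2 == "src_ip" { ips = ips (ips == "" ? "" : ",") $3 }
    END { report() }
    '
}

sample_config | audit_fw
```

On the router itself the same function can be fed the live file with `audit_fw < /etc/config/firewall`; any line starting with `OPEN` is reachable from every address on the primary LAN side.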