I have a router with two Ethernet interfaces (eth0 and eth1). By default, they get set up in /etc/config/network as 'lan' and 'wan'. I would like for them to be two separate lan ports. It's ok if they are two different sub-nets; I don't need to be able to communicate between them. I would like eth0 to operate as it does by default, but I would like for luci to only be accessible on the eth1 subnet. Can I do that by updating the uhttpd configuration?
Before answering your specific question, what to you want to achieve?
You could do exactly what you're asking by
- Configuring the switch to
- Only connect LAN port 1 to eth0
- Only connect LAN port 2 to eth1
- Configure uhttpd to only listen on the address assigned to eth0
- Turn off forwarding, or block it with firewall rules
However, this would mean, among other things
- No Internet connection
- No wireless
There are probably better ways to achieve your goals that preserve functionality that most people want that aren't a literal answer to your question.
2 Likes
The solution to this varies by what hardware you have. In some cases there are two CPU ports and you would software bridge them. In other cases they are VLANs on one CPU port going through a switch, so you can reconfigure the switch to hardware bridge them.
Look at the physical settings of lan and wan. In the first case you'd have eth0 (or eth0.X, x being a VLAN number) as one, and eth1 (or eth1.X) as the other. In the second case they are both eth0.X but with different VLAN numbers.
For either case (and the only way if they are separate eths) you can simply delete the port you want to re-purpose from WAN and add it to LAN. This makes a software bridge. Slightly higher performance on external LAN to external LAN traffic would be possible by setting up the hardware switch on the second type of hardware.
Before changing the Ethernet ports, make sure to set up a WiFi AP on the LAN so you can log into the router wirelessly. This solves most cases of getting locked out from misconfiguration.
1 Like
Here's what I want to achieve. I would like to have two lan ports on my router, with one of them functioning as a "guest" lan. The guest port would have access to the internet through the wan connection, but it would not permit accessing the router using ssh or the luci admin gui. The second port would have full access to ssh and luci; internet access is optional on that port (meaning whichever is easier). I don't have a Wi-Fi radio, so these would be the only connections aside from the wan.
This is a guest network.
- Create a new network interface with protocol Static IP and set the IP and netmask to something that doesn't overlap (conflict with) your other networks.
- Set up a DHCP server on the network.
- Set up a new firewall zone 'guest' and allow forwarding from guest to LAN
- Set up firewall rules to block guests from router services other than DHCP and DNS.
Then you have to attach the guest network to a physical port.
See if your model has a wiki page on openwrt.org, as these usually describe how the ports are connected. Likely you will be creating a new VLAN in the switch then connect the guest network to the new VLAN on eth0 or eth1.
1 Like