Setting up OpenWrt as gateway with static IPv4 address provided by the network

I‘m new to OpenWRT (installed it a few hours ago) but I‘ve just no more idea on how to configure OpenWRT for my purposes to work. I‘ll start with my requirements, then I‘ll explain what I understood from the docs so far and what I did.

I‘m living in a student‘s dorm and our internet is provided by the company offering the housing. The internet works like this:
I have one Ethernet port in my apartment which I can connect to. When connecting I‘ve to configure my devices network settings to use a static IP they assigned to me and also to use their Gateway router (same IP range, first three numbers are equal). They ask me to configure as subnet mask and told me 2 DNS servers to configure. When all that is done we still don‘t have internet here as we need to authenticate by opening an SSH connection to a server with a totally different IP. As long as exactly one connection using each student’s user and password is open, all devices connected to their Ethernet port have access to the internet (even though you only have one IP address, so connecting multiple devices needs another router, which is what I want to get done using OpenWRT).
What works but is a crappy solution: Connecting a MacBook and setting up the network settings so I‘ve internet and then sharing this connection using Internet Sharing Wifi Hotspot. But then the laptop get‘s immobile or nobody has WiFi while the laptop is needed elsewhere. When this configuration is set up the MAC does exactly what I want from OpenWRT: It connects to the internet and opens another subnet in which it acts as router, starts a DHCP server, etc.

I hope my requirements are clear, otherwise feel free to ask, I‘m happy to clarify things because I don‘t know any further.

What I did so far
I‘ve read through lots of docs, I think I need this: because I get linked there from In the second article I‘m probably either „
OpenWrt as router and having an internet ISP device configured as modem-bridge
“ or „ OpenWrt as gateway using either OpenWrt-device-built-in or external modem“ (because I want to configure OpenWRT as gateway according to the definition above). I‘ve read much more but can‘t find a solution. The bridge article only explains terms and defines them but doesn‘t explain any kind of configuration. Either I can‘t find the correct article after hours of searching and trial and error or it may doesn‘t exist (in that case I‘d like to write one as soon as my problem is solved). I bricked the router three times during trial and error but couldn‘t get it working.

I‘m using the default web interface LuCi for all kinds of configuration, but I‘m fit with SSH as well in case I need that. So far I modified the default LAN bridge between eth0 and eth1 and setup the given Gateway and added the external IP address to the list and also I tried to add an extra interface for the internet connection, which I setup using static settings according to the values that I got for internet access. But in none of my many configurations I could either ping nor ssh to the authentication server, a connection was just not possible.

Any help is highly appreciated!

Reset router configuration to default, configure WAN as static with the information supplied by the provider.
Run ssh as instructed.

1 Like

and make sure the subnet of the provided WAN IP, isn't in the same as the routers LAN subnet.

1 Like

Hey thank you for your fast reply, Andrew. I think that is what I did. I reset the router configuration and logged in to LuCi. On the Network > Interfaces page I found a pre configured device „br-lan“ in the „LAN“ firewall-zone. On the devices tab I can see that it is of type „Bridge device“ and it has the same MAC address as the eth0 port of my devolo hardware (that is intended as an WiFi Access Point only, but shouldn‘t matter?). The bridge device is configured to connect the eth1 port (to which my laptop is connected) with the eth0 port (which is connected to my Ethernet port in the apartment). By that I mean that Bridge Ports is set to both eth0 and eth1 and I‘ll probably also check the wifi networks as soon as I configured them?
I added a new interface with protocol „static address“ set, entered my public IPv4 address, entered as IPv4 netmask and my providers IPv4 gateway (which is in the same IPv4/24 subnet (so the last byte differs from my own static IP). I also entered the DNS servers in the new static interface. I set the Firewall zone to WAN and configured no DHCP server. The bridge device has a DHCP configured by presets after I reset the router and this is working (my laptop connected to the eth1 port got an IP address and I can access LuCi from the laptop‘s browser). The br-lan bridge‘s IP was set to (OpenWRT default) and I kept this. My static IP from my provider is in a absolutely different subnet (the first byte already differs). Both interfaces are configured to be in an IPv4 /24 subnet. I did not modify any firewall rules. The defaults are to allow everything from LAN to WAN zone. Masquerading is off. From WAN to „Reject“, Input and Forward are set to „Reject“ and Output is set to accept. Masquerading is ticked. I think it says „Reject“ in the overview because no firewall zone is set in the „Allow forward to destination zones“. General settings are accept for input and output and reject to forward.

The bridge device has no gateway set and therefore automatically uses the new interfaces gateway by default. I also tried to set the new interfaces IP address as Gateway but none worked. I can ping the and my static public IP address set in the new interface on eth0 from my connected laptop but I can‘t ping my provider‘s gateway IP address nor ping the ssh server required for authentication. Pings are sent using the laptop connected to eth1. Error message is that the host can‘t be reached.

I think I did what you told me (did the same previously before asking my question) but it doesn‘t work. I hope somebody can help using the more information I posted.

I replied to AndrewZ and explained in more detail what I did. I think I did so but it still doesn‘t work. Maybe I get something wrong or whatever :slight_smile:

I assume you don't have a public IP on your WAN/upstream interface,
you don't need to keep the IPs secret/omitting them in your posts.
You could however mask any DNS IPs, if public, and MACs, if attaching
screen shots.

Post a screen shot of your interfaces screen in openwrt.

What's the intended router device ?

I didn‘t know of the private subnet – you are right it‘s not a public IP, my bad. I‘ll share screenshots attached to this post. Thank you for your quick reply and your help so far!
The DNS servers (blacked out) and the ssh server for authentication are in the same a.b.0.0 subnet. The subnet belongs to our university.

I‘ll share more configurations if needed. If it‘s easier for somebody to help: I can also share config files, just tell me which one is interesting for you :wink:

Can you ping the WAN gateway IP, from the router, and any client ?

What DNS IPs does you clients get from the openwrt host ?

Is the site used for authentication, an IP, or a DNS name ?

Please post the screen shot from openwrt, displaying all interfaces, not only the detail views.

I connect to the router device using SSH: „ssh root@“ and execute „ping“. I get „ping: sendto: Network unreachable“
I expect here is the problem?

For obvious reasons I can‘t ping the WAN gateway from my laptop connected to eth1 either.

The client gets DNS IP
The site used for authentication is an IPv4 address.

Screenshot from all interfaces is attached:

your own WAN IP is, you were pinging,
is the the 172 IP the default GW, or a typo ?
it's also different to what you previously posted in the screen shots....

This was a typo. I updated my WAN IP to the correct one Had a copy paste error in the ping command, I‘m very sorry for wasting your precious time on my typos. I did this configuration lots of times over and over again since yesterday and I‘m quite sure it wasn‘t always a typo, though. Thank you very much for being so observant and spot my typos^^

I did update the WAN IP to the correct one and restarted the router. I connected via SSH „ssh root@“ and pinged the WAN Gateway „ping“. I don‘t get an error message anymore but also the ping is not successful. Maybe the gateway just doesn‘t answer pings at all. I‘m still connected via ssh to the router on and then I tried to ssh to the authentication server: „ssh user@ip“ and I receive the error message „ssh: Connection to user@ip:22 exited: Connect failed: Host is unreachable“
I also can‘t ssh from my laptop to the authentication server directly getting the same error message „Network is unreachable“

Here is a new screenshot from the WAN interface config:

yeah, the GW IP might not be pingable, what about the DNS IPs, and the ssh authentication host ?

ssh back to the router, run logread -f, then unplug the WAN port network cable, and put it back in, what does the log say ?

you can stop logread using Ctrl-C.

I‘m still connected to the router via ssh on
Executing ping (ip of the authentication host) results in the same behavior as pinging the gateway, the server doesn‘t respond but I don‘t get a network error or so.
Here is a screenshot of the log output:

Pinging the DNS servers behaves the same btw. No network error message but no response to ping packages as well.
I thought it might be interesting to ping the auth host from my laptop connected to the router on eth1, that results in the output from the following screenshot (some timeouts mixed with some destination host unreachable error messages, can‘t really imagine what happens here.

eth0 seems to be assigned to both LAN and WAN ?

Enable masquerade on WAN.

Had the default WAN been used (or existed) that's already setup.

How should the config look like? Yes the LAN is a bridge device on eth0 and eth1 as shown in the above screenshots (Pasting it here again for reference):

remove eth0 from br-lan, if eth0 is the WAN port.

You mean on the lan -> wan firewall zone rule? I did so but that didn‘t change anything

Disregard, I see it's already enabled.


My bad.

(I meant on WAN, do not enable on LAN.)

Try from default settings again.
Create a wan network interface named exactly 'wan' (must be defined in lower case, LuCI will uppercase it but ignore that). Naming it exactly wan will match the default firewall file and to do what you want.
Reassign one of the Ethernet ports to be the wan device. Remove that port from br-lan.
Install static IP, gateway, and DNS servers on wan. In lan, leave the gateway and DNS blank.

What make and model router is this? I ask because the firstboot scripts are supposed to detect any hardware having more than one Ethernet port and configure one of the ports wan by default.