Should I remove the wan firewall zone?

I am not using the wan port, as the router is configured as a secondary router and access point that uses the ISP router as the gateway (its IP is configured as gateway IP and the ISP router is providing DHCP).

But OpenWrt configures a router as a proper router that forwards traffic to the wan interface.

I have deleted the wan interface, but there is still a WAN firewall zone, configured as standard.

LAN forwards traffic to WAN and accepts input, output and forwarding.
WAN drops traffic.

I think I should delete the wan zone as there is no such zone.
But the first time I did that, the router did not reinit.

Should I first configure the interface to none in its firewall setting?
Should I delete the lan and wan rules under the firewall configuration?

Or just delete wan and configure lan to reject forwards?

  • You can simply reassign the WAN port to LAN under Network > Switch
  • Deleting the WAN Zone and Interface then becomes optional
  • Be sure to disable DHCP on LAN

Thank you.
But the Fritz!Box 4040 does not reassign the wan port to lan; it does not appear in the switch.
It seems it is physically separated from the rest of the ports.
So the port is now unused.

DHCP is disabled, as I have configured the ISP router as DHCP server.

It surprised me that after deleting the wan interface, the wan firewall zone had not been deleted.

But if I delete it, the router seems to block and does not reboot (at least when I tried).
I don't know if I have to configure the lan zone to drop or reject forwards or I have to just delete that zone too.

Well, from what you say the router is configured (or functioning) as a switch.

May I ask, if you don't need to (or can't) re-configure the WAN port as LAN, why don't you just leave it as it is? If no traffic goes through WAN there isn't much overhead from having it, and you can also disable it if you want. That way, should you at any time need the router to actually do routing, it's only 1 click away.

Also, if your ISP modem isn't a new one, wouldn't you consider putting it in bridge mode and having your OpenWrt Fritz!Box as router? ISP routers sometimes have software based on an outdated kernel and it might not be very secure.

1 Like

Yes, you are right.
It is how it is working now, with that firewall zone rules active.
But as you say, it might cause some overhead (I did not know how much) and maybe some security issues (none that I can think of). That is why I asked.
Usually, I don't like to have more active services than I use in a device.

But if it does not cause any problem, I can leave it as it is.

Yes, the router is configured as a switch in the ethernet lan. But also as a wifi access point (gateway from ethernet to wireless), and it provides local dns service to resolve local ips (the isp router does not implement dns functionality for local addresses).

I could put it in bridge (well, in dmz mode, as it does not let you put it in bridge), but then I would have to buy another router to get good wifi in the other part of the house.
Now the isp router provides wifi for backside and the other one to the frontside.

I have a switch to connect the routers and to give ethernet to other rooms.

Having three routers and a switch always on just to get internet access sounds a bit oversized for a not so big flat.

I think that would be negligible, and maybe nothing at all if you disable the interface.

Well, if the firewall zone is assigned only to an interface that's disconnected or disabled then it's not doing anything. Moreover, the WAN zone is designed to be secure when exposed to Internet. In fact if you suspect that your ISP router's firewall isn't secure enough then you should connect it to your OpenWrt WAN not LAN!

In that case it's justified (as long as it has recent firmware).

1 Like
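Both the earlier advice (reassign the port if you can, deleting the zone is then optional, disable DHCP on LAN) and the point just made, that a zone bound only to an interface that no longer exists does nothing, come down to what the UCI config actually says. The following is an added example, not from this thread or from OpenWrt itself: it parses constructed `/etc/config/firewall` and `/etc/config/network` texts and reports zones with no existing interface, plus any forwardings that still point at them. The function names, the sample configs and the addresses in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find OpenWrt firewall zones whose
# 'network' entries no longer exist, and forwardings still referencing them.

# Constructed /etc/config/firewall after the 'wan' interface was deleted:
# the default wan zone and the lan->wan forwarding are still present.
SAMPLE_FIREWALL="config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'
"

# Constructed /etc/config/network of a box used as switch + access point:
# only 'lan' exists, with the ISP router (192.168.1.1, assumed) as gateway.
SAMPLE_NETWORK="config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.2'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'
"

Q="'"   # passed to awk so the unq() helper can strip UCI quoting

zone_names() {  # $1 = firewall text -> one zone name per line
    printf '%s\n' "$1" | awk -v q="$Q" '
        function unq(s) { gsub("[" q "\"]", "", s); return s }
        $1 == "config" { type = $2 }
        type == "zone" && $1 == "option" && $2 == "name" { print unq($3) }'
}

zone_networks() {  # $1 = firewall text, $2 = zone name -> its "network" entries
    printf '%s\n' "$1" | awk -v q="$Q" -v zone="$2" '
        function unq(s) { gsub("[" q "\"]", "", s); return s }
        function emit() { if (type == "zone" && name == zone && nets != "") print nets }
        $1 == "config" { emit(); type = $2; name = ""; nets = "" }
        $1 == "option" && $2 == "name" { name = unq($3) }
        $1 == "list" && $2 == "network" { nets = nets (nets == "" ? "" : " ") unq($3) }
        END { emit() }'
}

network_exists() {  # $1 = network text, $2 = interface name; exit 0 if it is defined
    printf '%s\n' "$1" | awk -v q="$Q" -v want="$2" '
        function unq(s) { gsub("[" q "\"]", "", s); return s }
        $1 == "config" && $2 == "interface" && unq($3) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

dangling_zones() {  # $1 = firewall text, $2 = network text -> zones with no live interface
    for z in $(zone_names "$1"); do
        live=0
        for n in $(zone_networks "$1" "$z"); do
            network_exists "$2" "$n" && live=1
        done
        [ "$live" -eq 0 ] && printf '%s\n' "$z"
    done
    return 0
}

forwardings_using() {  # $1 = firewall text, $2 = zone name -> "src dest" of matching forwardings
    printf '%s\n' "$1" | awk -v q="$Q" -v zone="$2" '
        function unq(s) { gsub("[" q "\"]", "", s); return s }
        function emit() { if (type == "forwarding" && (src == zone || dst == zone)) print src, dst }
        $1 == "config" { emit(); type = $2; src = ""; dst = "" }
        $1 == "option" && $2 == "src" { src = unq($3) }
        $1 == "option" && $2 == "dest" { dst = unq($3) }
        END { emit() }'
}

report() {  # summary: a zone with no existing interface matches no traffic and is inert
    for z in $(dangling_zones "$SAMPLE_FIREWALL" "$SAMPLE_NETWORK"); do
        echo "zone '$z' references no existing interface: it is inert"
        forwardings_using "$SAMPLE_FIREWALL" "$z" | while read -r s d; do
            echo "  forwarding $s -> $d still references it; remove it together with the zone"
        done
    done
}
report

# On the router itself the equivalent cleanup is (shown, not run here):
#   uci show firewall                   # note the @zone[N] / @forwarding[N] indexes
#   uci delete firewall.@forwarding[0]  # the lan->wan forwarding
#   uci delete firewall.@zone[1]        # the wan zone (verify the index first)
#   uci set dhcp.lan.ignore='1'         # leave DHCP to the ISP router
#   uci commit && /etc/init.d/firewall restart
```

The check is the useful part: if `dangling_zones` prints nothing, every zone is bound to a real interface and there is nothing inert to remove; if it prints `wan`, the zone is harmless to keep but, should you delete it, take the forwarding that still names it out in the same step so the firewall config does not reference a zone that no longer exists.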

I hope it has.
Now I am changing my ISP, fed up with a router that lets me do almost nothing and blocks ports that I cannot open.

The router will be a modern one, with ac and recent firmware.

I would prefer the isp to just give you an ONT to convert from fibre to ethernet and let you use your own router, but it is not possible.
They want to control your voIP services and tv, as you pay for them.

I too hope we will soon emerge from the dark forests of triple-p(l)ay.
With analog-telephone modems, most people already abandoned landline availability in favor of internet service (20 years ago); why are we still carrying it with us...