Single port devices - define WAN port?

Hi,

Can some kind person explain on a single NIC device such as a Ubiquiti Unifi AC lite how the single port can be defined as the WAN port so that it acts as a true router rather than the port being defined as a LAN port?

kind regards

Peter


The simplest way to achieve this is to declare a wan interface and move the ethernet device to it. This is best done while connected via wifi to avoid locking oneself out.

It is also advisable to first open ports in the firewall wan zone to be able to access the device via ethernet later.

Assuming you're connected to SSH via Wifi, the command sequence would be:

uci add firewall rule
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22
uci set firewall.@rule[-1].target=ACCEPT
uci commit firewall

uci set network.wan=interface
uci set network.wan.proto=dhcp
uci set network.wan.ifname=$(uci get network.lan.ifname)
uci delete network.lan.ifname
uci commit network

fw3 reload; ifup -a

Hello.

So, I managed to make an a5-v11 device (https://wiki.openwrt.org/toh/unbranded/a5-v11) running a "standard" LEDE 17.01.4 release act "like a router" using your suggested uci commands, but I'm now unable to access the device through the ethernet port.

Could you help me diagnose what exactly is going wrong? What kind of data could I provide so anyone could help me?

Thanks for your attention =D

Provide your complete /etc/config/network. Also the above will change the sole ethernet port to DHCP mode, so make sure it is connected to a DHCP server.

Thanks for your prompt response. Here it is my /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd28:6f53:7iea::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.7.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device 'lan_dev'
	option name 'eth0'
	option macaddr '2c:67:dc:47:7e:74'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0'

My a5-v11 is connected to a DHCP server and all the devices connected to it have been assigned a local IP address and have internet access...

Is the DHCP server also giving out 192.168.7.* IP addresses?

The DHCP server that the a5-v11 is connected to is giving 192.168.0.* IPs, but the single port device is giving 192.168.7.* IPs.

I would like to use this device plugged in other routers too, tho...

Your network configuration looks fine. Did you adjust your firewall configuration? Since the eth0 is wan now, all access to it will be rejected unless you set the input policy to ALLOW or make specific exceptions for port 22 (SSH), 80 and 443 (HTTP, HTTPS).

I was running a different setup when I stumbled upon this thread. So I made a clean installation of LEDE, configured wifi and applied your uci commands through ssh. Those were my only modifications to the system...

In my /etc/config/firewall I can find these entries:

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

I believe the last block is a result of the configuration made by your first uci commands...

I'm not well versed in firewall configuration. If you could guide me through it I would be very pleased :)

This means that right now you can only access the ethernet port via SSH. Set the option input REJECT to option input ACCEPT to allow all incoming traffic. Otherwise, if you just want to open single ports, copy-paste the port 22 rule and change the port number in each copy.
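
An added example, not part of the original thread: a small shell function that reads a UCI firewall config like the one posted above and lists what is accepted from the wan zone, so the effect of changing the input policy or copying the port 22 rule can be checked before relying on ethernet access. The function name `wan_exposure` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what a UCI firewall config lets in from the wan zone.
# Reads the config on stdin; exit status 1 means the wan input policy is ACCEPT.
# Only "config zone" and "config rule" sections are inspected (no redirects or includes).
wan_exposure() {
    tr -d "\"'" | awk '
    function flush(   p) {
        if (sect == "zone" && o["name"] == "wan")
            policy = (o["input"] == "" ? "unset" : o["input"])
        # src=wan with no dest is an input rule: traffic to the router itself
        if (sect == "rule" && o["src"] == "wan" && o["dest"] == "" &&
            o["target"] == "ACCEPT" && o["enabled"] != "0") {
            p = (o["proto"] == "" ? "tcpudp" : o["proto"])
            print "open=" p "/" (o["dest_port"] == "" ? "any" : o["dest_port"])
        }
        split("", o)                      # clear options for the next section
    }
    $1 == "config" { flush(); sect = $2; next }
    $1 == "option" { v = $3; for (i = 4; i <= NF; i++) v = v " " $i; o[$2] = v }
    END {
        flush()
        print "policy=" (policy == "" ? "unset" : policy)
        exit (policy == "ACCEPT")
    }'
}

# Constructed sample: the wan zone and port 22 rule as posted in the thread.
SAMPLE="config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'"

printf '%s\n' "$SAMPLE" | wan_exposure
```

On the device itself the same function can be fed the live file with `wan_exposure < /etc/config/firewall`.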

But my point is that I cannot access the ethernet port via SSH. In fact I cannot even ping the device when connected through ethernet. My plan is to run a copy of LEDE without luci in the future. SSH through ethernet is the sole priority ...

Sorry if I wasn't clear on that point...

Did you provide it DHCP on the ethernet port? Can you confirm, when connected via wifi, that the ethernet port received a DHCP lease?

So, something very strange occurred right now. I rebooted both devices, the ethernet port of the a5-v11 received a DHCP lease and I can now connect through ssh using the provided IP =P

I don't know why it wasn't working before, but apparently it is now.

Thank you very much for your attention and patience...