[Solved] Set firewall to unspecified caused the interface to stop working

GL.inet MT6000, openwrt snapshot fresh install. 192.168.1.1 is on lan interface, which sits on br-lan and includes all 5 lan ports.

I am trying to make it a dumb AP so I changed the firewall zone of the lan interface from 'lan' to 'unspecified', and this locked me out. DHCP and ARP all stopped on that interface, and I can't even see this neighbor using 'ip neigh' anymore. On Belkin3200 using openwrt 23.05 this would not cause a problem.

Did I miss something here?

This is expected as the unspecified zone rules do not allow input to the router by default. And the router's management is handled by the lan zone by default (which has input = accept).

There is no need to mess with the firewall (relative to the defaults) when you are making a dumb AP. You can leave it enabled as it is. That is because the firewall doesn't interact with the traffic when you're using it in dumb AP mode -- it only affects things when you are routing (L3).

It is necessary, however, to stop the DHCP server. The best way to do this is to explicitly disable DHCP on the lan interface (option ignore '1'). Once that is done, you don't need to do anything else with the dnsmasq service.

Your explanation makes sense, but I am still puzzled by the fact that this only happened to me on mt6000, not belkin3200, where I have some interfaces on VLAN, and all interfaces are on unspecified, and I can still access luci. So previously I thought there are no specific rules that disallow L3 traffic to reach the router.

We'd have to see the specifics of each of the config files...
but fundamentally, your VLANs, if set up with unmanaged interfaces, don't actually interact with the router at all -- they just pass through. So you probably still had at least one interface (with an address) that was assigned to the lan zone and/or a specific rule that allowed input from a given network.

Thanks. All interfaces literally show as gray in luci, and I just verified all of them are unspecified in luci. Which file(s) shall I begin with?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

I just looked into the firewall file, 'defaults' input is REJECT on mt6000, and ACCEPT on belkin3200. So, 'defaults' is used for unspecified I guess?

root@OpenWrt:/etc/config# cat firewall 
config defaults
	option syn_flood	1
	option input		REJECT

Yes, exactly. It appears that you changed the input policy on the defaults on one of your devices.

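The rule confirmed in the reply above (a network that belongs to no zone falls under the `input` policy of `config defaults`), as an added example that is not from any poster in this thread. The function name `input_policy_for`, the constructed `sample_config` and the simplified UCI parsing (one option per line, zones matched by `network` only, not by device or subnet) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: which input policy governs a given network?
# Usage: input_policy_for <network> <firewall-config | - for stdin>
input_policy_for() {
    awk -v net="$1" -v sq="'" '
    function flush() {
        # Close the previous section: keep the first zone that lists net
        if (section == "zone" && covered && !found) {
            found = 1
            result = (zin != "" ? zin : "unset") " (zone " zname ")"
        }
    }
    { gsub("[" sq "\"]", "") }    # strip UCI quoting, fields are re-split
    $1 == "config" { flush(); section = $2; covered = 0; zin = ""; zname = "?"; next }
    section == "defaults" && $1 == "option" && $2 == "input" { dflt = $3 }
    section == "zone" && $1 == "option" && $2 == "name"  { zname = $3 }
    section == "zone" && $1 == "option" && $2 == "input" { zin = $3 }
    section == "zone" && ($1 == "option" || $1 == "list") && $2 == "network" {
        for (i = 3; i <= NF; i++) if ($i == net) covered = 1
    }
    END {
        flush()
        # No zone lists this network: the defaults section decides
        if (!found) result = (dflt != "" ? dflt : "unset") " (defaults, no zone)"
        print result
    }' "$2"
}

# Constructed sample: the defaults shown in the thread plus stock-style zones
sample_config() {
cat <<'EOF'
config defaults
	option syn_flood	1
	option input		REJECT

config zone
	option name		lan
	list network		'lan'
	option input		ACCEPT

config zone
	option name		wan
	list network		'wan'
	list network		'wan6'
	option input		REJECT
EOF
}

# lan assigned to its zone, then with that assignment removed ("unspecified")
sample_config | input_policy_for lan -
sample_config | grep -v "'lan'" | input_policy_for lan -
```

On a device, pass `/etc/config/firewall` as the second argument before changing a zone assignment, so that a REJECT default shows up before it cuts off management access.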

Maybe it is because I used a UBI image from a github page before support for belkin came up in official openwrt, and that config is carried over. A bit dangerous in hindsight. Thanks so much for your help

Possibly -- but it was changed at some point by somebody -- not sure if it is part of your github sourced image, or if it was something you did (intentionally or inadvertently).

You're welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :)

