Static Route with RPI3 Basic OpenWrt

Hi All,
I am new to openWRT and I am learning it as I go.
I have just built an OpenWRT router/AP on a RPI3B+ following NetworkChuck Tutorial online.
I currently have the following configuration - Having onboard wifi and a USB Ralink 802.11 n WLAN.
the current routes that I have are:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 wlan0      *        U     0      0        0 br-lan     *        U     0      0        0 wlan0

I want to be able to access devices on from a PC located in network
I have added the NW for IoT and I want to be able to connect to them from my Home assistant located in network.

The current configuration I have for network is:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fd80:b2f7:f25d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option ip6assign '60'
        option force_link '1'

config interface 'wwan'
        option proto 'static'
        option device 'wlan0'
        option ipaddr ''
        option netmask ''
        option gateway ''
        option broadcast ''
        option peerdns '0'
        option dns ''

I am not sure how to do it? I would be happy to get assistance on creating the static route to make my TWO network connected and I will be able to connect from to and vice versa.

The following is my Wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '7'
        option hwmode '11g'
        option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'HT20'
        option disabled '0'
        option short_gi_40 '0'
        option cell_density '0'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid 'SSID-01'
        option encryption 'psk2'
        option key 'MyPassHERE'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3:1.0'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'SSID-02'
        option encryption 'psk2'
        option key 'MyPassHERE'

I have SSID-02 on Network that way I can connect all my devices to it and have them connected to the internet from the new OpenWRT RPI3.

I want to be able to have devices located on network and access them from - and also have them send data to serves on from

Please assist me with doing that and make them talk from one LAN to another.
I would be happy to know all I need to do in order to have the settings the way i need them to be - any device on can get to any device on and vice versa.

Thank you

It seems that the network is upstream of your Pi. Is that correct?

Does your upstream router ( have the ability to set static routes? This is required for what you want to do (you don't need to set a static route on the Pi because it already has a route from the network >; the other direction > must be added to the router).

That static route will be via
Then you will need to make a few modifications to the firewall on the OpenWrt (Pi) firewall, but first thing is the main router static route.

EDIT: It is worth noting that the current security model you have (i.e. the IoT network behind the Pi) doesn't really protect your trusted network (in front of the Pi) because the firewall doesn't isolate the networks. Currently, the IoT network can initiate connections to the main network, but not vice versa. You'll want to actually reverse this behavior if you want to prevent the IoT network from initiating connections to your trusted network. But we'll get to that later.

1 Like

Thanks @psherman
Yes it is my upstream - I'll have to check the way to create a static route on my router (ARCHER VR600)
I am already thinking to change it to pfSense (But I am not there yet (I am sure that on pfSense it would be easier way to create static route).

Would an ERROR in creating the route will effect my router in any way? meaning I will not be able to access it or something like that?


If you change to pfSense (or OpenWrt) as your main router, you could actually just create VLANs to handle the different networks (trusted LAN, IoT, guest, etc.) and setup the firewall rules on the router to provide the access/restrictions as desired... you wouldn't need a second router.

A major error could potentially mess things up, but the static routes are pretty simple. All you really need is the destination network ( and the IP address of the gateway that gets you to the destination network ( -- also called "via" when you are setting this up. These values are pulled from the configuration you shared.

1 Like

Thanks @psherman
Yes that is what I want to do.
is this settings OK? can I save it and it will work? thanks

Yes, but the interface won’t be pppoe. It will be the lan.

You will also need to modify the openwrt firewall:

  • turn off masquerading on the wan.
  • enable forwarding from wan > lan

Thanks @psherman
I don't have another one to chose from -it is the only one.

Oh. Ok. That should stay as is. It is the wan/default route. The static route should work as you showed before.

Edit: does it give you the option when you are creating the static route to select the interface?

1 Like

Thanks @psherman
You are RIGHT!!! it does give me the LAN if in the dropdown :slight_smile:
this should work - correct?

Yes. That looks good

Thanks @psherman , I have created it.
Now I need to follow this and have the ability to connect with - Right?

Should I edit the firewall file? where does these settings need to be done?

On your openwrt pi, you can edit the firewall using the web interface, uci commands, or editing the firewall file directly- whichever is most comfortable for you.

Thanks @psherman
Is this enough or I need to do changes in the reject section at the top?

or this

Since I could not put two images in one post I had to put it in a new one

Yes. Masquerading off. Forward to lan enabled.

1 Like

Thanks @psherman
that is how it should be?

Yes. This does not give you additional security, but does allow the connections you have specified.

1 Like

Thanks a lot @psherman
I will have to test and will work on security after I'll have it working for a while and see that I have the settings correct on my devices.
I am sure want to have the IoT be secure - I put a VERY STRONG password on it for starts :slight_smile:
I know that this is not enough - but it will give me time to check the network.

Thank you!

Thanks @psherman for all your help.
I have a question regarding the Firewall settings that I have made
IS it allow ALL Ports from to and also ALL ports from and

So I'm not sure exactly what your goals are here, but my perspective may be different.
IMO, the network that is important to secure is the trusted LAN (where your computers and valuable data live). The IoT network should still be secured, but putting a "VERY STRONG" password on the IoT network doesn't really help protect your main network.

I'd have to see your firewall file (/etc/config/firewall) to know what your current settings look like, and I'd also need to know your objectives if you want advice about how to set your firewall.

My angle on the security model is as follows:

  • IoT devices are generally not considered trusted devices. They may have vulnerabilities that could be actively exploited (either within the firmware residing within the product, or with cloud infrastructures that some of the IoT devices require).
  • IoT devices will probably not get frequent updates to patch those vulnerabilities, and more could be found at any time.
  • At some point, IoT devices won't be actively supported by the vendors, but may continue to function, albeit in an even less trustworthy mode of operation since updates will cease and cloud services may not be properly maintained.
  • So, these IoT devices should always be treated with a level of distrust.
  • You may or may not wish to allow the IoT devices access to the internet (sometimes it is required, other times it is optional) due to potential security issues or just simple privacy considerations (i.e. does your smart light bulb manufacturer build a profile of your usage with their cloud services and do you want to prevent the devices from calling home?)
  • The IoT network, as a potential security threat, should not have free access to the main trusted network.
  • The main trusted network, on the other hand, should be secured against access from any untrusted devices/users.
  • The trusted network may or may not need access to the IoT network.
  • The firewall can be used to craft the allowances and restrictions as large blanket rules or targeted/granular ones.
  • As an example, you can setup firewall rules that allow the trusted LAN to initiate connections and the IoT network to respond, while blocking the reverse situation. (basically this equates to telling the IoT network "you will not speak unless you are spoken to").

If the above is your desired result, you need to set the firewall to drop or reject all traffic from source to destination Then, based specifically on how your OpenWrt setup is being configured and used, allow forwarding from WAN > LAN (normally this would not be recommended if the OpenWrt device was directly connected to the internet).

1 Like