Trying to use firewall on OpenWrt behind main router

I have a TP-Link Archer A7 that is running OpenWrt behind an Orbi Pro 6 router.

I need some additional firewall functionality for devices connected wirelessly and by wire to the A7 so would like to use OpenWrt firewall functions. I essentially need to block all multicast (and anything else) to devices behind the A7.

Right now, the A7 has a static address and DHCP turned off and essentially a dumb access point. It's also on a separate VLAN managed by the Orbi Pro 6.

Everything is working ok in that the devices behind the A7 can access the internet and devices in front of the A7 can ping the devices behind the A7.

However, I can't seem to be able to use the WAN port. Whenever, I move the ethernet cable connected to my main router to the WAN port, the devices (wired and wireless) behind the A7 lose internet access.

I'm assuming it's a firewall issue but I can't seem to resolve it.

Also, only devices behind the A7 seem to be able to access LUci. Is there a way for devices in front of the A7 (on the main VLAN) to be able to access LUci and configure OpenWrt on the A7?

I'm definitely not a networking person... so sorry if some of the terminology is not correct.

Thanks in advance!

Welcome to the community!

Ensure that both networks are not numbered 192.168.10/24. If so change the OpenWrt to e.g.

Allow input access to 443/tcp (web GUI). You will do this in Traffic Rules.

I understood that the Archer A7 is set a a dump AP, so it must be in the same subnet than the router. There is no routing on the Archer.

@larches_06novella Do you want to use the WAN port of the Archer as a regular port? Than you must add it to the bridge. I don't know if it's possible on this device, some can, others can't. It may also be a VLAN related problem, browse the switch menu.


Thanks so much for your fast response!

  1. Not sure if this is what you meant but the devices behind the A7 are on a different VLAN / subnet versus the devices in front. My main devices are 192.168.1.x and the devices behind the A7 are 192.168.20.x

One complexity is that the DHCP server are maintained by my main router so I need devices behind the A7 to get their addresses all from the main router.

The VLAN is also maintained by the main router as the A7 is attached to a port on my main router that is configured just for that VLAN (with access, rather than trunk, to minimize traffic to the A7).

Anything else I should do?

  1. Thanks for the guidance on the traffic rules. I'll try this now.


I don't want to use the WAN port as a regular port. Rather, I want to be able to use the A7's firewall capability. And my understanding is that I have to use the WAN port so that OpenWrt's firewall functionality can be implemented.

I guess what I really want would be for the A7 to be a managed switch that can filter out multicast traffic.

The reason for this is that I have some ancient devices attached to the A7 that are highly sensitive to traffic and I want to block all traffic that is not directed specifically to them.

Is there a way to configure the A7 as an access point but still have a firewall?


I'm still trying to figure it out but maybe I'm making things too complicated.

What I really want is a dumb access point (which I have now) but to include traffic filtering / firewall to block multicast and other traffic.

Is this possible with the OpenWrt router configured as an access point?

In that case the Archer needs to be setup as a real router, and you'll have double NAT.

Unless I missed, the OP could make a route in the main device for: via lan gateway 192.168.1.x

They could make the A7 with a static IP on the upstream network, that would be IP x.

Then they could disable masquerade on thr WAN interface of the OpenWrt. This would eliminate double NAT.

1 Like

Thanks again.

I think the static route is the way to go (based on what I've been able to understand).

Right now, I have the OpenWrt A7 configured as a router behind my main router. Main router IP is and OpenWrt A7 is, acting as a DHCP Server.

I know I have double NAT and am ok with that right now.

All devices behind the A7 can access internet ok.

However, no devices in front of the A7 (192.168.1.x) can access any devices behind the A7 (192.168.2.x).

I'm assuming I need to set up a static route between the 2 routers?

What should that command be? I was experimenting but couldn't get it to work (most likely due to my misunderstanding of how to format the static route).



if get it right, you want devices on to access devices behind A7 / ?
then on main router, you need to add static route via 192.168.1.yyy
where yyy is the WAN address of second (A7) router
then, you need to setup firewall on A7 to pass traffic from WAN -> LAN

this way, devices on subnet will know that devices enumerated with is reachable trough 192.168.1.yyy

1 Like

Thanks very much. I got it working once I set up the static route on the main router!

Then on the A7 (with OpenWrt), I set up a firewall WAN -> LAN with "accept" for all 3, along with the default LAN -> with accept for all 3,

Everything seems to be working ok in that computers on my 192.168.1.x subnet can ping 192.168.2.x

Is there anything else I should do besides just adding that last WAN->LAN firewall?


1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.