X86_64 NICs flip

I'm using the current stable build of generic x86.

Each time I reboot or power cycle OpenWrt, the firewall blocks inbound access to my LAN port.

If I use a deep port scanner I can see that the ip exists but I cannot use http, ssh or ping it.

If I use the command below from the console everything works again, but when I reboot the firewall is back up and is blocking the port.

/etc/init.d/firewall stop

/etc/init.d/firewall disable

I have had the same problem with other forks, such as ImmortalWrt, and I've reflashed my OpenWrt install twice to start from scratch, and have had the same problem, so I'm obviously doing something wrong in the setup. I've not changed anything on the firewall manually as I've not gotten that far yet.

I'm using the console rather than the gui as I cannot access the router and the Internet at the same time on my pc as I need to keep swapping the cables over.

It may be relevant that I'm also having issues with eth0 and eth1 randomly swapping between WAN and LAN on reboot that I have another thread open about.

The ip address moves with the port flip, I'm using a fixed ip on the lan side and it's this ip that gets firewalled out.

I have zero Linux knowledge so I'm going to need some basic instructions on how to do things as well as on what I need to do.

Still using ImmortalWrt?

See first line of my post

I'm using the current stable build of generic x86.

The naming is the same in immortal, so it doesn't really answer the question.

Let's see your configuration:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
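
A filter for the redaction step requested above, as an added example that is not part of the original post. The helper name `redact_config`, the list of secret-bearing option names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): scrub secrets from OpenWrt config
# output before posting it. redact_config is a hypothetical helper name.
#
# Steps: 1) mask MAC addresses; 2) blank the value of options that commonly
# hold secrets (this option list is an assumption, extend it for your setup);
# 3) replace IPv4 addresses unless they are private, loopback, link-local or
# netmask-like (first octet >= 224), so LAN addressing stays readable.
redact_config() {
    sed -E \
        -e "s/([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}/XX:XX:XX:XX:XX:XX/g" \
        -e "s/^([[:space:]]*option[[:space:]]+(key|password|private_key|preshared_key)[[:space:]]+).*/\1'REDACTED'/" |
    awk '{
        out = ""; rest = $0
        while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(rest, RSTART, RLENGTH)
            split(ip, o, ".")
            keep = (o[1] == 10 || o[1] == 127 || o[1] == 0 || o[1] >= 224 ||
                    (o[1] == 192 && o[2] == 168) ||
                    (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                    (o[1] == 169 && o[2] == 254))
            out = out substr(rest, 1, RSTART - 1) (keep ? ip : "REDACTED_IP")
            rest = substr(rest, RSTART + RLENGTH)
        }
        print out rest
    }'
}

# Constructed sample input (not taken from any real device).
SAMPLE="config interface 'lan'
	option device 'eth0'
	option macaddr '00:11:22:33:44:55'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
config interface 'wan'
	option ipaddr '203.0.113.7'
	option password 'hunter2'
	option private_key 'AAAAexamplekey='"

# On the router: cat /etc/config/network | redact_config
printf '%s\n' "$SAMPLE" | redact_config
```

Read the filtered output once more before posting; a pattern filter cannot know about secrets stored under option names it was not told about.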

This (Direct link to the download)

Posting a link that initiates a download - not the best way to answer the question. It works, though.

For others, the link is - https://downloads.openwrt.org/releases/25.12.3/targets/x86/generic/openwrt-25.12.3-x86-generic-generic-ext4-combined-efi.img.gz

Additionally, you were asked to post relevant outputs. Do you need some time to gather them?

Can you better describe the source and destination of this traffic to the LAN port (so we can better troubleshoot if the firewall or anything else may be causing issues).

It's 2026, everyone check where links go before clicking them. A direct link removed any ambiguity.

Yes, I cannot access it remotely, I need to be in front of the console to get anything. I'm on my phone right now, not with it.

I'm still on the initial setup. It was plugged directly into my computer. Eventually it will be plugged into an unmanaged switch. The WAN will go into my ISP router in modem mode.

Test doing that with your link, from a phone (with various apps).

If the connection is via LAN only, usually the firewall isn't involved.

Did you alter firewall rules for LAN?

Long press. It's set up by default.

Hence why I'm here. It shouldn't be happening. My LAN port is acting like a WAN port.

I hadn't gotten that far yet. It's happened three times and with different forks, so it's either hardware or something I've set up that's not a firewall rule.

Users are expected to perform extra tasks to protect themselves, that was my point. :wink: Thanks for informing them (as you see, I posted the URL).

Okay, cool:

  • What's the hardware (especially the NIC cards)?
  • What did you set up or alter then (we still need to know)?
  • I'm assuming from your wording that it might have worked prior to these alterations and with full Linux distros?

Are you using USB devices or see tcpdump traffic, or just a tongue-in-cheek remark?

Like having antivirus software, or a firewall?

Zotac zbox ad02. Default onboard NIC. I don't know the NIC specs.

I thought I just set up the device and interface for the WAN and LAN ports. I hadn't gotten as far as the firewall.

It ran OK till the first time I rebooted.

I'm using the on board nic right now, this is what gets firewalled out.


My understanding is that the WAN port should be invisible to ping, SSH and HTTP while the LAN port should respond to all three, due to the default firewall settings.

If the firewall is on eth0 which is my LAN port using the onboard NIC, and a fixed IP does not respond to pings, HTTP or SSH, exactly as if it were a WAN port. Turn the firewall off and it becomes accessible.

I'm not doing anything with the USB; it's currently disconnected as I'm not ready to do anything with it.

By default OpenWrt responds to pings on WAN.

If there's only one ethernet port, it'll be LAN.

I must have misread, I thought that the WAN port didn't respond to ICMP commands.

So are you saying it's possible you connected to the incorrect eth port (BTW, WAN is also a DHCP client by default and wouldn't have an IP to ping)?

Are you obtaining an IP in the 192.168.1.0/24 range (by default LAN is 192.168.1.1 and running a DHCP server)?

So we assume that the correct drivers are in the default x86_64 firmware?

Have you booted this device with a regular distribution and obtained the NIC information?

It's important to this discussion.

Or OpenWrt off a flash drive, using an image containing the pciutils package.

Are you obtaining an IP in the 192.168.1.0/24 range (by default LAN is 192.168.1.1 and running a DHCP server)?

My understanding of the documentation was that the LAN port should be set up with a fixed IP address and as a DHCP server so that anything that connected to this port would obtain an IP address from OpenWrt?

I manually told it to be on 192.168.0.X because that's the subnet that most of my fixed IPs are on, and I didn't want to have to go around changing them to 192.168.1.X. I have all of my masks set up to 255.255.255.0 so if it were on 192.168.1.1 it would cause problems.

So we assume that the correct drivers are in the default x86_64 firmware?

I'm not having any trouble communicating on the port when the firewall is downed using the console. So it's at least partially compatible. I haven't checked the speed to see if it is full GB.

Does OpenWrt bring up a firewall on its own if it detects an incompatible driver?

Do you mean like Ubuntu?

No, previously it had LibreELEC on it. This never came up so I didn't look.

I plugged it into the back of my computer and it had an IP address of 192.168.1.1 on the LAN port when I first booted it up.

I changed this to 192.168.0.x because that's the subnet range I use for the devices that will need to connect to it.

It's not been on my network and hasn't been connected to my DHCP.

I planned to set it up in isolation, then turn my router into modem mode and plug it in via the WAN socket. I thought that it was set up, powered it down so that I could move it next to my ISP's router, and when I turned it back on I couldn't get any response from it on SSH, ICMP or HTTP.

A deep port analysis showed that the IP address existed, but I couldn't get anything to connect to it.

I eventually came across a forum that suggested that disabling the firewall might help. I disabled the firewall in the console, and the port came back to life. ICMP, SSH and HTTP all connected first time.

Each time I reboot the same thing happens.

I used this console command for the firewall

/etc/init.d/firewall stop

/etc/init.d/firewall disable

It's supposed to stop and then disable the firewall until I choose to enable it, but it keeps re-enabling on each reboot.

I originally did this on OpenWrt Generic X86, but didn't realise what the problem was. I thought that I must have botched the network setup and made it unreachable, so I installed ImmortalWrt, and the exact same thing happened, which was when I found out about disabling the firewall.

Since nobody seemed to want to know about ImmortalWrt due to the politics around it, I reinstalled OpenWrt from the link above, and the same problem happened again.

Then I made this post.

Just a stab in the dark... maybe you locked yourself out because the netmask of your LAN isn't set correctly.
In the past you could use

option ipaddr '192.168.0.1'
option netmask '255.255.255.0'

Nowadays the entry should be like
option ipaddr '192.168.0.1/24'