Is it possible to reverse roles of WAN and LAN?

I am looking to slowly replace my WiFi access points.

I like the flexibility that OpenWRT provides and would be open to buying something like an MT6000 or AX1800.

One of the nice things that I would like to be able to do is to be able to log in to the admin account from a WAN connection but not from the LAN connection.

The reason for this is because the WAN is never going to be exposed directly to the Internet but is in fact a backbone LAN connection, from which I would like to be able to log in to admin from other PCs on that backbone. On the other hand I do not want to expose the Admin account to connections coming in on WiFi, as I consider WiFi connections to be less secure than the backbone LAN.

Is this something one can configure within the MT6000 or AX1800?

Yeah, should be easy but you need to use LuCI for configuring the firewall manually.

Maybe you don't need to reverse wan with lan?

From what I read, you just want access from wan, right?

This can be done through luci, and then navigating to luci -> network -> firewall -> traffic rules (tab).

A rule can look like this:

Proto: tcp and udp, use icmp for ping too
src: wan
Source ip: 192.168.1.1/24
dest_ip: your router's IP
Target: accept

The only tricky part is that when you upgrade without settings you are locked out; you could look into /etc/sysupgrade.conf.

Yes, I want to access Admin from the WAN (not the Internet, merely PCs sitting on the WAN before it gets to the Internet router), and I know most systems will allow that easily enough. The additional factor is that I want to block access to Admin from WiFi, and it is this latter part that is not always available.

Do you need additional help?

All the steps above will be enough to get it working - but there is no nice switch inside the GUI to allow it. So adjusting the firewall in LuCI is definitely necessary.

That makes it a bit complicated; you preferably want the wifi clients under a different network than lan.

You can try to follow this guide:

https://openwrt.org/docs/guide-user/network/wifi/routedap

Basically it consists of creating a new interface via luci -> network -> interfaces with a different range and firewall zone, then pointing wifi to this interface via luci -> network -> wireless, and you need to forward the new firewall zone to wan.

Then you can just block access through the firewall towards the router; you can do that as well with a traffic rule which looks like:

src: wlan0 (this is the new zone from the other interface)
dest: this device
target: reject
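
The two traffic rules described in the replies above, written as they would appear in /etc/config/firewall; this is an added example, not part of the original thread. The zone names wan and wlan0 follow the posts, the 192.168.1.0/24 backbone subnet is a placeholder, and limiting both rules to TCP ports 22, 80 and 443 (the SSH and LuCI defaults) is an assumption made here so that WiFi clients still get DHCP and DNS from the router.

```conf
# /etc/config/firewall (fragment, added example)
# A rule with 'src' set and no 'dest' is an input rule:
# it matches traffic addressed to the router itself.

# Allow admin access (SSH + LuCI) from the backbone network on the WAN port.
# 192.168.1.0/24 is a placeholder; replace it with the real backbone subnet.
config rule
	option name 'Allow-Admin-From-Backbone'
	option src 'wan'
	option src_ip '192.168.1.0/24'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'

# Reject admin access from the WiFi zone (named wlan0 in the post above).
# Only the admin ports are matched, so DHCP (udp/67) and DNS (53) offered
# by the router to WiFi clients are not affected by this rule.
config rule
	option name 'Reject-Admin-From-WiFi'
	option src 'wlan0'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'REJECT'
```

Apply the change with `/etc/init.d/firewall restart`, and confirm from a backbone PC that the login still works before closing the existing admin session.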

Thank you.

As I said in my original post, I have not yet purchased the new devices (there are other GL-iNet devices I have purchased for other use cases, but this is yet to be a future purchase). At present I just wanted to assure myself there was a path to achieving what I desired (even if maybe not as simple as I would have wished for), and may well be asking more questions after the purchase as to the implementation details.

I appreciate your responses to my query.
