OpenWrt Forum Archive

Topic: OpenWRT 10 as NAT or firewall? Routing tables or protforwarding?

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I just started with my first OpenWRT on an old Asus router. This router runs OpenWRT 10 at most, so I installed that. Works fine.

My situation at home is that my internet provider gave me a Fritzbox and I'm bound to it. I could set it to bridge mode, but I don't have any connection account data (password and such). And I think OpenWRT by default runs on NAT, so I would have a double NAT. 192.168.178.x is the Fritzbox network, and 192.168.1.x is the other one.

Now I have some machines in the Fritzbox network that I don't trust (Android, and some IoT stuff); on the other network I would like to have my secure stuff (computers, NAS and so on). Both have a class C IP, so I could simply route the network instead of NAT. Am I right?

Now I made a port forwarding to reach the NAS from my laptop (which is in the Fritzbox network; I don't have APs in the other one), assuming it is in NAT mode. This works for the web interface of the NAS running on port 8080, but not for accessing the share through AFP.

I was thinking that when I disable the NAT and simply use a firewall with some routing table it should work. Or am I completely wrong? I had this stuff at school, but that's 20 years ago...

And a simple question. When running on NAT, how can I block internet traffic from some device (like the NAS), but not the traffic into the other network?

If you disable NAT in OpenWrt, then you need to add a static route in the Fritzbox. The static route should contain your secure network as target and the IP of OpenWrt as gateway.

And a simple question. When running on NAT, how can I block internet traffic from some device (like the NAS), but not the traffic into the other network?

You will need to add one or more firewall traffic rules. It may be enough to reject traffic from the NAS to addresses which don't match the other network. For example, if the other network is 192.168.1.0-192.168.1.255 then use "!192.168.1.0/24" as Destination address in the rule.

Thanks for the reply.

I already found this: https://wiki.openwrt.org/doc/uci/firewall but there is so much info, and I'm not sure. Also found this: https://forum.openwrt.org/viewtopic.php?id=41214

So to be short: I have to edit /etc/config/firewall

config rule
        # reject everything from the NAS (192.168.1.2) in lan towards the wan zone
        option src              lan
        option dest             wan
        option src_ip           192.168.1.2
        option target           REJECT

But to reject all means that it also won't reach the other network on the WAN side. This network, by the way, has range 192.168.178.0/24

But to be more secure I would like to allow only the IP addresses of the machines themselves that should have access. Like my laptop having IP 192.168.178.23. Assuming the laptop has a fixed IP.

Should I make 2 rules? Like the one above to block everything and one like this:

config rule
        # allow the NAS (192.168.1.2) to reach only the laptop (192.168.178.23)
        option src              lan
        option dest             wan
        option src_ip           192.168.1.2
        option dest_ip          192.168.178.23
        option target           ACCEPT

(Last edited by Roman78 on 29 Jul 2017, 09:50)
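A worked /etc/config/firewall fragment that ties the reply and the two rules from the post above together. This is an added example, not code from the thread or from OpenWrt's own documentation. It assumes the thread's addresses: OpenWrt's lan is 192.168.1.0/24 with the NAS at 192.168.1.2, the Fritzbox network on OpenWrt's wan side is 192.168.178.0/24 with the laptop at a fixed 192.168.178.23, and, following the first reply, NAT (masquerading) switched off on the wan zone with a static route for 192.168.1.0/24 via OpenWrt's wan address configured on the Fritzbox. The zone and forwarding names are OpenWrt's defaults. Two points matter when combining the ACCEPT and REJECT rules: the firewall applies rules in the order they appear in the file and the first match wins, so the narrow ACCEPT must come before the broad REJECT; and once NAT is off there is no port forward any more, the laptop reaches the NAS at its real address 192.168.1.2, so the wan-to-lan direction needs its own ACCEPT rule (the wan zone rejects forwarded traffic by default). The `!` negation in dest_ip is the syntax the reply suggests, shown here as the alternative that blocks only the internet.

```uci
# /etc/config/firewall (fragment). Added example with assumed addresses:
#   lan = 192.168.1.0/24, NAS at 192.168.1.2
#   wan = Fritzbox network 192.168.178.0/24, laptop at 192.168.178.23

config zone
        option name             lan
        option network          lan
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             wan
        option network          wan
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        # NAT off: lan hosts are routed towards the Fritzbox with their
        # real 192.168.1.x addresses. This only works if the Fritzbox has
        # the static route 192.168.1.0/24 -> OpenWrt's wan IP.
        option masq             0

config forwarding
        option src              lan
        option dest             wan

# Rules are evaluated top to bottom; the first matching rule wins.
# 'proto all' is set explicitly so that ICMP is covered as well, not
# only TCP/UDP.

# 1. The NAS may talk to the laptop. The narrow ACCEPT comes first.
config rule
        option src              lan
        option src_ip           192.168.1.2
        option dest             wan
        option dest_ip          192.168.178.23
        option proto            all
        option target           ACCEPT

# 2. Everything else from the NAS towards the wan zone is rejected:
#    the rest of the Fritzbox network and, because anything outside
#    192.168.178.0/24 is the internet from this router's point of view,
#    the internet too.
config rule
        option src              lan
        option src_ip           192.168.1.2
        option dest             wan
        option proto            all
        option target           REJECT

# 2b. Alternative to rule 2 as suggested in the reply: block only the
#     internet and let the NAS reach the whole Fritzbox network.
#     Use either 2 or 2b, not both.
#config rule
#        option src              lan
#        option src_ip           192.168.1.2
#        option dest             wan
#        option dest_ip          !192.168.178.0/24
#        option proto            all
#        option target           REJECT

# 3. Without NAT the laptop connects directly to 192.168.1.2 (web UI on
#    8080, AFP, anything else), so the wan->lan direction must be opened
#    for the laptop only. Reply traffic for rule 1 is matched by
#    connection tracking and needs no extra rule.
config rule
        option src              wan
        option src_ip           192.168.178.23
        option dest             lan
        option dest_ip          192.168.1.2
        option proto            all
        option target           ACCEPT
```

After editing, reload with `/etc/init.d/firewall restart` and check from the laptop that 192.168.1.2 answers directly, and from the NAS that only 192.168.178.23 is reachable. If the Fritzbox lacks the static route, return packets for the routed 192.168.1.0/24 network never come back and the setup behaves as if the firewall were blocking everything.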

The discussion might have continued from here.