[answered] Firewall service on AP/switch - on or off?

Dear openwrt enthusiasts,

let me quickly introduce my setup: I have an OPNsense box that acts as router and internet access; then I have an OpenWrt AP and an OpenWrt switch and I have 3 subnets.
For example the OPNsense box provides LAN and GUEST networks to the AP, which then provides 4 SSIDs (2.4 GHz + 5 GHz for each network)
Both networks have the main router set as gateway.
I was now wondering if I need the firewall service to run, because to my understanding, there should be no possibility to access devices in other subnets for connected clients, because all is routed to the main router.
Is that correct, or would there be possibilities for the clients top circumvent this and it therefore would be recommended to keep the the firewall service turned on?
The same applies to the switch, which has to handle three subnets.

Generally you do not need a firewall enabled on the OpenWrt device if you're running it in a dumb AP/switch mode. Since the OpenWrt box is not the gateway that clients will use, it will not be involved in any inter-VLAN routing. The firewall features are usually all handled within your main router (OPNsense in your case).

All of that said, to ensure that inter-VLAN routing is not possible on your OpenWrt system, make sure that the OpenWrt network configuration only has an address on the trusted/management VLAN. It does not need an address on any other networks -- it just needs VLAN assignments and bridges (which can be configured as "unmanaged") to link the wired and wireless systems. Alternatively, if you have assigned addresses for all of the networks on the OpenWrt box, you will probably want to set the non-management networks in their own firewall zone with input, output, and forward all set to drop -- this will prevent the OpenWrt system from doing any routing at all -- this would just be an extra precaution if you really want the device to have addresses on all networks (not really much of a practical concern because the client devices won't use it as a gateway, but if the device has addresses on all networks, this would be prudent).

EDIT: I should clarify that the firewall isn't "necessary" in that it doesn't typically do anything when the device is operating in bridge modes (dumb AP/switch). But I agree with @slh that there is no reason to disable it or remove it from the device.


There is little reason to disable the firewall, as it won't interfere with bridged traffic anyways - so this is (mostly) a case of better being safe, than sorry. If you actually need it, depends a lot on your actual configuration. In case the AP/ switch isn't being a member of the bridge(s), there's little reason to firewall what isn't accessible anyways, but in many cases there can be non-obvious interconnections (e.g. how to access the AP's own management interface, etc.) that could break the camel's back


FWIW, the OpenWRT Wiki instructs users to disable the firewall when using Dumb AP mode, see step 11 in the link below.


So it does... I had never noticed that, but you're absolutely right.

In most cases, there is no harm in disabling the firewall for a dumb AP, but I think it would really only benefit devices that are severely resource constrained (an example may be an older router being used as a dumb AP that running an OpenWrt version that just barely fits within the available RAM -- such as a 4/32 device running 18.06 or 19.07-tiny).


A dumb AP by its purest definition would only deal with a single BSSID, so nothing to shield from - the more complex your setup get (multiple VLANs, multiple AP interfaces), the more likely you're going to want a firewall.


That is how the AP currently is set up. The question more theoretical. Of course the AP is powerful enough, so that should not make much difference.

And that is exactly, why this question arose.

That confirms my thoughts of better be safe than sorry.
So I will keep it turned on.
Thanks everybody!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.