BCP38: simple dummy-proof explanations?

I want to know more about BCP38, but I am unable to wrap my head around it.
Does it drop the packets generated by LAN devices like IoT stuff so they can't participate in DDoS?

Or what does it do?
Is it important to have in a fresh OpenWrt?
Is it necessary to install in OpenWrt?

Do you establish an Internet connection to your ISP using BGP protocol and IPs registered with a Regional Internet Registry (RIR)?

If not, it's unnecessary.

For information, see:

or

What it does is conceptually simple: it will not allow packets to escape your network with source IP addresses that are outside of your network's reach. That is, applications in your network will not be able to spoof source addresses from somewhere else. And that is helpful, as this is sometimes used to make remote machines send traffic to arbitrary addresses, i.e. for DoS (denial of service) and especially DDoS (distributed DoS) attacks.

I would argue that this is good practice and all networks should do this, including end-user leaf networks... (sure, if all ISPs would do that, or even better all ASes, that would be even better, but until that day, every network not sending spoofed packets will help a tiny bit to make the internet better for all).

2 Likes
1 Like
  • Some ISPs/ASes use private IPs for internal infrastructure
  • While I understand you're advocating good net hygiene, a misconfiguration could be problematic if the first point needed consideration in an ISP/AS

Same document.

As far as I know, BCP-38 for OpenWrt does egress filtering intelligently... from its luci page:

Auto-detect upstream IP

Attempt to automatically detect if the upstream IP will be blocked by the configuration, and add an exception if it will. If this does not work correctly, you can add exceptions manually below.

This works pretty well in practice.

2 Likes
  • I assumed a [passersby] reader would incorrectly block based on our discussion and their misunderstanding
  • I guess you're referencing the software BCP 38 and not the documentation
  • If applied to the wrong interface, my point also applies, hence the case I discussed
  • I'm familiar with merely blocking the IPs - in disclosure and fairness I'm unfamiliar with the app itself

Indeed, I was assuming we were discussing the bcp38 and luci-app-bcp38 packages for OpenWrt, that might have been incorrect. Generally I am of the impression that these solve as much of the BCP-38 issue as is reasonable for leaf networks.

True, but that is generally true for a router: if you try to configure your wan on an interface connected to the lan, expect issues :wink:

1 Like

The simplest is just adding unreachable routes for rfc1918 and documentation networks. No need to set routes on any interface.

In very simple terms: it stops stuff leaving your network that shouldn't leave your network. It also prevents stuff getting into your network that your upstream ISP shouldn't be sending you.

That's all the private/reserved etc space (RFC1918 and others), amongst other things. @_bernd's explanation is pretty much the same thing.

1 Like

What would be appropriate settings for this?
@_bernd : would you please explain with some examples? I understand very little.

If you use luci-app-bcp38, direct your browser to "https://192.168.0.1/cgi-bin/luci/admin/network/firewall/bcp38" (maybe log in), just select the appropriate wan interface and check the enable and Auto-detect upstream IP checkboxes... in most cases that is all you need to do...

What gives you struggles?
An unreachable route?

Normally a route has a destination network, a next hop address aka gateway and an interface.
But there are other routes too.
Like unreachable routes. If a router needs to forward traffic to such a route, the traffic will not be forwarded but terminated on layer 3, and in this case an icmp packet with network unreachable is sent to the source address.
There is also a black hole route, which just sucks in the traffic and nothing is sent back to the source.
It's not a firewall and not access control. It is just how to route traffic.

1 Like

Examples here https://baturin.org/docs/iproute2/#ip-route-add-special

1 Like

Actually I use it on regular PPPoE with static IPv4 and IPv6 and packet counters are non-zero. So it does its job.

I'm not sure why you accidentally egress traffic with the incorrect SRC IP - but OK.

The issue BCP 38 (the RFC) prevents is the following: if you have the ability to route the invalid packets - so that they egress your ISP to another Autonomous System (i.e., the Internet).

Hence most people are needlessly "implementing" BCP 38.

I also set various of these non-global routes as unreachable at my edge router... Because even without bgp you would send traffic into the ISP network which does not belong there. Even if they filter too, it's better everyone is washing their hands...

1 Like

I'm doing nothing special to generate it, just casual home network with several Linux PCs, mobile devices and no smart devices... So traffic is just there for some reason and it's not a bad idea to stop it.

1 Like

Maybe an even better realistic issue of even a simple home network:
Some random client sends traffic to another private network which is not configured locally. The router would simply use the default route and, like I said, send it into the ISP network.
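To make the "unreachable routes instead of a firewall" approach from the earlier posts concrete, here is an added example (my own, not from the thread or the OpenWrt bcp38 package): a POSIX sh snippet that emits the iproute2 commands for the RFC1918 and documentation prefixes and simulates what the router would do with a given destination. The prefix list is my selection; `route_decision` only models the lookup, it does not touch the real routing table.

```shell
#!/bin/sh
# Constructed list: RFC1918 private space plus the RFC5737 documentation
# networks. Anything destined here must not leave via the ISP default route.
BCP38_UNREACHABLE="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

# Print the `ip route add unreachable` commands (iproute2 "special" routes)
# without running them; on the router, pipe the output through `sh` to apply.
# The persistent equivalent in /etc/config/network is a `config route` section
# with `option type 'unreachable'` and no interface or gateway needed.
bcp38_route_cmds() {
    for p in $BCP38_UNREACHABLE; do
        printf 'ip route add unreachable %s\n' "$p"
    done
}

# Dotted quad -> 32-bit integer, using only parameter expansion so it runs in
# the BusyBox ash shipped on OpenWrt as well as in bash/dash.
ip2int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Simulated lookup: "unreachable" if the destination is covered by one of the
# listed prefixes (kernel answers ICMP net unreachable, nothing is forwarded),
# "forward" if it would fall through to the default route toward the ISP.
route_decision() {
    dst=$(ip2int "$1")
    for p in $BCP38_UNREACHABLE; do
        net=${p%/*}; bits=${p#*/}
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
            echo unreachable
            return 0
        fi
    done
    echo forward
}

# Stand-alone run: show the commands and a few lookups (nothing is applied).
if [ "${1:-}" = "show" ]; then
    bcp38_route_cmds
    for ip in 192.168.5.7 172.32.0.1 8.8.8.8; do
        printf '%s -> %s\n' "$ip" "$(route_decision "$ip")"
    done
fi
```

Run it as `sh script.sh show` to see the generated commands and the decisions; the stray traffic from the last post (a client aiming at a private network that is not configured locally) is exactly the "unreachable" case.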