Creating a secure home-network as a newbie. Hardware/Software questions

Hello,
First of all, I am completely new to this whole OpenWRT and open-source software/hardware stuff, but I am willing to get into it.

The first project for me as a web developer was to create a home web server environment (Ubuntu Server 18.04). It went well so far, but on my way through a lot of forums and other articles I went deeper and deeper, and now I want to build up a secure home network for my family.

Specs:
I live in Germany
I have a 400 Mbit/s internet connection with a cable router/modem (Compal CH7466CE) from Vodafone
1 Desktop (LAN/Gigabit)
1 Webserver (LAN/Gigabit)
1 TV (LAN/Gigabit)
1 Laptop (WLAN/2.4 GHz)
2 iPhones (WLAN/5 GHz)

What I want to do:

  1. Put the CH7466CE into bridge mode, replacing its router function
  2. Buy and integrate a new router with OpenWRT
  3. Run DNS for the home domain
  4. Run DHCP for WLAN devices
  5. Run an open-source firewall
  6. Use a VPN service for all my home network devices
  7. Create WLAN for 2.4/5 GHz devices (perhaps a guest network)

My questions:
Since I am new to this OpenWRT world, I thought an easy-to-manage device (like the Archer C7 AC1750) would fit my purpose, but then I came across some issues.

Is it correct that the NAT performance of this type of router cannot handle 400 Mbit WAN to LAN without any "snapshot stuff" being done? (I picked up that info while reading a lot of stuff and didn't have the time to get in deeper.)

Is the Archer C7 capable of running a VPN service with a good downspeed?

I read a lot about hardware in the last 2 days and assume that I need a stronger router than the Archer C7 to get the most out of my 400 Mbit bandwidth, especially when using VPN. So hardware-wise I stumbled upon the Linksys WRT3200ACM-EU.
Pretty expensive I think, but if it fits all my needs I will go for this device.

What downspeed is to be expected when using a VPN service like NordVPN or others on the WRT3200ACM-EU?

Is there a free possibility to use VPN servers? Or are all of them monthly paid?

Last question for now:
Firewalls. Is the fw3 firewall integrated in OpenWRT a good and secure one, or is something like pfSense better?

Thank you for your time.


Thanks for that link.
I was not thinking about searching for an answer as I wrote my last question.
Sorry.


Yes you will want more CPU than the Archer C7 has. VPN at 400 Mb almost demands an x86. If it weren't for that, one of the WRT3200 / 32X would be suitable.


Your webserver is probably just sitting there most of the time; you could certainly consider running the OpenWrt x86 version in a VM on that machine (assuming it's an x86, not an RPi or similar). That should handle 400 Mbps routing and even SQM.

Another good option would be a cheap x86 dedicated router box like this sort of thing: https://www.aliexpress.com/item/Minisys-4-Gigabit-Intel-Lan-J3160-CPU-Pocket-Mini-Computer-Support-Pfsense-OpenVPN-AES-NI-Barebone/32893735378.html

If you go this way, it would obviously be good to have an access point for wifi... the Archer C7 you mention would work fine for a "Dumb AP" setup (no routing / NAT, just wifi). You can get them used, but there are also good, more modern devices, such as the GL.iNet B1300 or similar.


Thanks for the answers mk24 and dlakelan.

My webserver is running on a Mac mini 2010.

I read some guides to get a VirtualBox installation going on my Ubuntu server.

The Mac mini has only one Ethernet port, and I always assumed that the router/firewall should be located between the modem and the network like this

Is OpenWRT able to get something like USB-to-Ethernet going?

Edit: My Mac mini does not support USB 3 for additional Gigabit adapters.

Is there any way to get this going?
I don't want to have a lot of energy-consuming devices running all day.

Sort of; you could use VLANs, a managed switch, and a VM.


Well, I think to save some money I will read some stuff about VLANs and VMs.

Thanks for your answers so far.

I'll come back with new questions.

Came across this little fella: Zyxel 8-Port Gigabit Web Managed Switch

Never even thought about managed switch hardware, so I have no clue what's good or not.
Any opinion on that product?
Thanks again.

I like the GS1900 series from them but don't know anything about the 1200 series. The TL-SG108E from TP-Link would work; I bet it's comparable to this one. Features you need are multiple tagged VLANs, and QoS would be good too.


I have one of these Zyxel 8-port switches at home and one at work. VLANs work fine, and also link aggregation with a Ubiquiti 24-port switch.


I would also recommend the GS1900 series, which can be found cheaper than the listing price on Amazon.de:
https://www.idealo.de/preisvergleich/OffersOfProduct/4128002_-gs1900-8-zyxel.html


Hello again,
here I am a few steps later.
I have now set up a VirtualBox OpenWRT on my Ubuntu Server 18.04 LTS and bought a Zyxel GS1900-8HP (used) for 50 € on eBay, waiting to be delivered.

Better WiFi will be the next step when the LAN is finished.

My next question is the following:
I set up VB-OpenWRT following the instructions on openwrt.org.

Now my server (IP 192.168.0.1) is able to connect to ssh root@192.168.56.2.
But the other devices in my testing LAN setup (desktop, IP 192.168.0.10) don't.
Can you give me a quick hint why?

Probably it's easy, but I don't get it. Maybe too much new stuff for today.
Thanks.

  • Did you properly set up your OpenWrt router to place it on that phy?
    • Did you place that LAN phy into a VirtualBox Internal Network?
    • Did you place the other relevant VMs into that Internal Network?
  • What host is 56.2? Where is this network? You never say.

Maybe I don't understand your question properly or you are seeing double NAT?
https://openwrt.org/docs/guide-user/network/integrating-lede-introduction

I just don't get it.

I've set up a testing environment:

  1. Server / Ubuntu Server 18.04 LTS (192.168.0.10)
  2. Client / macOS High Sierra (192.168.0.100)

Both connected via an unmanaged switch.
Fixed IP on both.

  1. Router / VirtualBox with OpenWRT (192.168.56.2)

I installed the OpenWRT VM with the above-mentioned instructions.
The host-only network of VB is automatically set to 192.168.56.1.

All good so far.
Connecting to OpenWRT through SSH works fine from the server.

Connection from the client won't work.

To figure out the mistake I changed the IP of the VB host-only network and OpenWRT to 192.168.0.20x, but then my server won't connect either.

What am I missing?
Does VB Host-Only have to be 56.2?
Is it even possible to connect from client to router?

Sorry if I am just too dumb, but in Germany we say „Ich steh aufm Schlauch“ ("I'm drawing a blank").

A router is inherently a device which has multiple IP addresses on multiple different networks.

The two networks you mention are, I assume,

192.168.0.0/24 and 192.168.56.0/24

Which one is "wan" and which one is "lan" is my next question.

Furthermore, your router has just one physical interface, so it must use VLAN tags to tell the switch which network the packets belong to... So OpenWrt should use eth0.1 and eth0.2 as the tagged VLANs to talk to the switch. You cannot do that with an unmanaged switch; you must have a managed switch that understands VLAN tags.

So, given that information, can you help us understand how you're setting up vlans and how you're numbering your networks on the VM?
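As an added illustration of the single-port, tagged-VLAN layout described above (example config written for this thread, not the poster's or OpenWrt's own files; it assumes OpenWrt 18.x on the VM, a single virtual NIC named eth0 bridged to the Mac mini's Ethernet port, VLAN 1 for the 192.168.0.0/24 LAN and VLAN 2 for the modem side):

```uci
# /etc/config/network on the OpenWrt VM (added example). Assumed layout:
# the VM's NIC is a VirtualBox "Bridged Adapter" on the Mac mini's single
# Ethernet port, and that switch port is configured as a VLAN trunk.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# VLAN 1 (tagged on the trunk) = the home LAN, 192.168.0.0/24.
# netifd creates the 802.1Q sub-interface eth0.1 from the dotted name.
config interface 'lan'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'

# VLAN 2 (tagged on the trunk) = the cable modem in bridge mode; the
# router takes its public address from the provider via DHCP.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

# Matching port layout on the managed switch (assumed numbering):
#   port to Mac mini : VLAN 1 tagged + VLAN 2 tagged  (trunk)
#   port to modem    : VLAN 2 untagged, PVID 2        (WAN only, never VLAN 1)
#   remaining ports  : VLAN 1 untagged, PVID 1        (desktop, TV, access point)

# /etc/config/firewall: the default fw3 zones already fit this naming. What
# matters is that the 'wan' zone's network list names the interface above, so
# modem-side traffic is rejected inbound and NAT-masqueraded outbound.
config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
```

The Ubuntu host itself then also needs a VLAN 1 sub-interface on its Ethernet port (or the trunk port must carry VLAN 1 untagged with PVID 1, in which case 'lan' uses plain eth0) to stay reachable at 192.168.0.10.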

Thanks for the quick answer.

My managed switch is not delivered yet.
I wanted to play along with OpenWRT's web interface before it arrives, but as I now assume, I need to wait to get things going.

I just wanted to connect through my client since the server does not have a UI installed. I will wait and come back when my hardware is complete.

Thanks for your patience.


Why do you address a host-only network?

You need to be using Internal Network.

I surmise your router is doing the addressing.

I am not sure what VM software you are using, but on VMware Workstation, if you want your VM on the same subnet as the host, you set the network to "bridged" in settings.