Figuring out my setup

I only recently learned about OpenWRT, it sounds great, and I have a few questions :smiley:. I am not that smart, and I am very uneducated when it comes to networking, so any help is appreciated!

First, I need help with choosing a router. The modem that my ISP has given me is incompatible, so as I understand, I can't do much about that, and I need to buy a separate router, which is supported by OpenWRT, and connect it to the modem.

Secondly, are there any downsides to this approach, security wise? By default, the modem that my ISP has given me doesn't really allow for much configuration. If the modem isn't secure enough, is it something to worry about, since all of the traffic will be routed through OpenWRT, and not the modem? Can the modem somehow ruin the rest of my setup?

Thirdly, are there any go-to configurations / guides that one can use, that cover everything essential? I would also like to route all of my traffic through a VPN at the router level, so that is something to consider as well. Of course, I would try to learn more about it in retrospect, but I feel like networking is a vast field, and understanding everything I need in order to make a safe config by myself seems out of reach for me now.

And last but not least, are there any guides for securing your network (and OS in general) on an OS level (Windows)? This might not be the best place to ask, but I don't know where else. As of now, I just block incoming connections through Malwarebytes Firewall Control.

The OpenWrt Table of Hardware has a lot of information about various devices. Be sure to use it before buying any hardware since it also indicates when certain devices may not have full support. (As a general rule, only supported devices will be in the TOH, so if it's not there, it's probably not supported.) In some cases, there may be specific features that don't work even for devices in the TOH, but they are noted in the device pages.

Also, read through the hardware recommendations forum section.

If it is possible to put your ISP device into 'pass-through' or 'bridge' mode, that should bypass the ISP's router functions and make it just a modem. Then the OpenWrt device will be your router. This is usually better from a security and practical use perspective. But even if your ISP router cannot be put into these modes, OpenWrt is almost certainly more secure than your ISP's router.

Yes and no... it depends on your goals. The quick start guide is helpful for general stuff.

Sure. Read up on the main VPN options for OpenWrt

OpenWrt's default firewall will protect your network. If you need additional security, you can search the forum for "hardening". As for the other OSes (like Windows and such), that's out of scope for this forum, but there are plenty of other forums that may have advice.

1 Like

I see, thanks! :slight_smile:

So, in that case, both of these would act as routers? Sorry if it's a stupid question. My understanding of the two terms is that a modem is connected to the ISP, and a router is the LAN, but I guess if it's not set as a bridge, then it will also act as a router? From my perspective, with limited knowledge, it would seem like I wouldn't have to be worried about someone intercepting my traffic, or doing something shady, even if my modem (what I got from the ISP) was compromised, because all of my traffic is routed through a VPN on OpenWRT, right?

Sorry for the stupid question, I am not really the smartest person.

Incompatible in what way? With OpenWrt (so you can't install OpenWrt on it)?

Yes, that is my understanding. I don't see it on the list of the supported devices

If your ISP device doesn't have the option to disable routing, then yes, both would be routers. They would be cascaded:

[WAN (internet) - ISP router - LAN] -> [WAN - OpenWrt router - LAN] -> client devices

This creates double-NAT, which is not ideal but typically isn't an issue with most things these days. The only thing you need to be aware of is that if the ISP router uses 192.168.1.x as its address, you will need to change the address that OpenWrt uses (the default is 192.168.1.1; it would need to be another subnet, otherwise routing will not work properly).

But basically, everything behind your OpenWrt router will be secured by OpenWrt, and therefore not subject to the potential vulnerabilities of the ISP's device.

1 Like
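The subnet clash described in the post above, as an added example that is not part of the thread: a POSIX shell script that checks whether the OpenWrt LAN overlaps the ISP router's LAN and prints the `uci` commands that would move it. The addresses are constructed sample values and the function names are made up for this example; it only prints the commands, so it can be run on any machine.

```shell
#!/bin/sh
# Constructed sample values: the OpenWrt WAN port received 192.168.1.23/24
# from the ISP router, and the OpenWrt LAN is still the default 192.168.1.1/24.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address (as an integer) of IP/PREFIX.
net_of() {
    ip=$(ip_to_int "$1")
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    echo $(( ip & mask ))
}

# Two networks overlap when they match under the shorter of the two prefixes.
overlaps() {   # overlaps IP1 PREFIX1 IP2 PREFIX2
    p=$2
    if [ "$4" -lt "$p" ]; then p=$4; fi
    [ "$(net_of "$1" "$p")" -eq "$(net_of "$3" "$p")" ]
}

# First 192.168.N.1/24 (N = 2..254) that does not overlap the upstream network.
pick_lan() {   # pick_lan WAN_IP WAN_PREFIX
    n=2
    while [ "$n" -le 254 ]; do
        if ! overlaps "192.168.$n.1" 24 "$1" "$2"; then
            echo "192.168.$n.1"; return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Report a clash and print (not run) the uci commands that change the LAN address.
check_cascade() {   # check_cascade WAN_IP WAN_PREFIX LAN_IP LAN_PREFIX
    if overlaps "$1" "$2" "$3" "$4"; then
        new=$(pick_lan "$1" "$2") || return 2
        echo "conflict: LAN $3/$4 overlaps upstream $1/$2"
        echo "uci set network.lan.ipaddr='$new'"
        echo "uci commit network && /etc/init.d/network restart"
        return 1
    fi
    echo "ok: LAN $3/$4 does not overlap upstream $1/$2"
}

check_cascade 192.168.1.23 24 192.168.1.1 24 || true
```

After the LAN address changes, clients need a fresh DHCP lease and the router's admin page moves to the new address.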

I see...
But even if it is compatible, the question is if you're allowed to modify it.
In some cases, the modem belongs to the ISP and they just lend you their property. This means: hands off!
If they just give it for free and don't care about it...that's something different.

1 Like

Is the second approach, with 2 devices, more common then? Would it not just void the warranty?

That depends...
If you're free to choose your own router, many people go with an All-in-One.
Or just split between wired router and wireless AP.

If they must use the ISP device, there's no other way than to add another router.

1 Like

Not in my experience. The kind of person that goes out of their way to use an OpenWrt device would also take steps to avoid the double-router situation in the first place, unless they have no choice. Of course you can always ask the ISP for a modem-only device, or instructions on putting the modem in bridge mode.

What type of connection does the ISP use? VDSL, Cable (DOCSIS), Fiber, Wireless?

I see. I haven't tried asking them about that, I only asked them for a list of supported devices. I'll try

I think DOCSIS. I could try to change my ISP if it would be of any help, but I am not very optimistic about any of the alternatives, either. I could try to get Fiber, if it would make a difference.

I have created a Beginner's guide that might be useful to dip in.
Do note however that harvesting all info may take quite some time

1 Like

I don't know of any DOCSIS modem/router that is supported by OpenWrt.
So, just replacing the ISP modem with a device which runs OpenWrt won't work.

You're stuck with either the two-device-solution, or maybe there's more freedom of choice (this also depends on your ISP) when you choose to go with fiber.

Thanks, I'll look at it tomorrow. Need to go to sleep soon.

Can you explain? Sorry

Because you haven't told us in which region of the world you're living,
I can tell you only about the experiences I have had and read about.

When you go with fiber, in the best case you just get an ONT where you can plug in any router you like (as long as it can do Ethernet). You might even get all necessary data (credentials, SIP data for telephone, whatever).
Or they will tell you nothing and just give you a black box where you can connect your phone and pc, but can't change anything about it (just like with a DOCSIS device).
I'd ask the ISP, how much freedom of choice they allow their customers.

1 Like