Help Needed with Efficient Firewall (Whitelist)

Context:

I’m setting up a MikroTik RB750Gr3 router with OpenWrt 24.10.0 and have a few key goals. My main focus is security (I’ve had my data stolen before) and ensuring low-latency gaming (under 50ms). Additionally, I want to ensure my family’s safety on the same network while maintaining a smooth experience for everyone. Here's the plan:


Goals:

  1. Outbound Traffic Blocked by Default:
    I want to block all outbound traffic by default, allowing only trusted services such as DNS, gaming servers, and trusted websites.
    The idea is, if a device on my network gets compromised, I want to prevent it from sending data to any external server (like data theft or remote access). My focus is on controlling outbound traffic to protect against potential threats. How can I implement this in OpenWrt? I understand that this setup will add complexity, but I’m committed to it for better protection.
  2. Dynamic IP Whitelisting for Gaming & Streaming Services:
    Many of the games I play are older and unmaintained, and as a result, the game servers might be insecure. These services often use dynamic IP addresses or CDNs. The challenge is, I need a way to automatically update a list of allowed IPs for these services (and others like YouTube) without doing it manually each time the IPs change.
    How do I set up my router to automatically add trusted domains and their corresponding IPs to my firewall whitelist?
  3. VPN Integration (WireGuard):
    I use a third-party VPN for secure browsing and plan to use WireGuard (WG) as my VPN protocol. However, I need the ability to toggle the VPN on and off easily, with VPN turned off for gaming to avoid latency issues.
    Additionally, I want to ensure that VPN encryption happens after the firewall, so that malicious outbound traffic (if a device is compromised) isn’t encrypted and sent out through the VPN. How should I set this up in OpenWrt?
  4. Gaming Latency Optimization:
    I want to ensure my gaming performance stays smooth, especially since some of the games I play are older. How can I prioritize gaming traffic in OpenWrt to maintain under 50ms latency and avoid lag?
    What configuration settings should I use for SQM QoS, traffic shaping, and enabling hardware NAT acceleration to minimize latency?

Reason for Setup:

While gaming performance is a priority, this setup is also crucial for security. I want to prevent my devices from being exploited or my data from being stolen if something goes wrong (like downloading compromised files). Additionally, I’m implementing this to protect my family’s devices on the same network. I also need to ensure that everything runs smoothly and securely, especially when I’m traveling and using potentially insecure networks (e.g., hotel Wi-Fi).

Thanks for any help and suggestions—appreciate your guidance on how to make this setup as secure and optimized as possible!

2/ 4/ For gaming look into qosmate and geomate.

1/ it is not well instrumented, default is to permit output, you'll need to start adding rules for basic services like ntp

3/ sounds like pbr

  1. Is unrealistic for a residential user.
  2. Automated way to get the IPs for old games? Not saying that it is impossible, but first try to find them, as feeding them in an ipset is not hard.
  3. Not that the firewall will eventually stop some attack, but theoretically you can have 2 separate devices or apply firewall in the input interface.
  4. The router will be the least of your problems if the server is away in terms of router hops and latency is high.
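An added example (not code from any poster in this thread) of the ipset approach suggested in point 2 above, covering the original post's goals 1 and 2: a POSIX sh script for OpenWrt 24.10 (firewall4/nftables) that resolves a trusted-domain list and refreshes an fw4 set in a single atomic `nft -f` transaction, keeping the previous set if resolution fails. It assumes `/etc/config/firewall` already defines a `config ipset` named `allow_egress` with `list match 'dest_ip'`, an ACCEPT rule from lan to wan carrying `option ipset 'allow_egress'`, and no general lan-to-wan `config forwarding`, so forwarded traffic is rejected unless a rule or the set matches; the domain list and addresses are constructed samples.

```shell
#!/bin/sh
# Refresh the fw4 set "allow_egress" from a list of trusted domains.
# Assumed: the set is declared in /etc/config/firewall (fw4 creates it in
# table "inet fw4"); the domains below are constructed placeholders.
TRUSTED_DOMAINS="ntp.openwrt.org example.com"

# Resolve A records with busybox nslookup (shipped on OpenWrt). Lines before
# "Name:" describe the resolver itself and are skipped; every token after an
# "Address" line is emitted and filtered below, which copes with both the
# "Address: x.x.x.x" and the older "Address 1: x.x.x.x host" layouts.
resolve_a() {
    nslookup "$1" 2>/dev/null |
        awk '/^Name:/ { ok = 1 } ok && /^Address/ { for (i = 2; i <= NF; i++) print $i }'
}

# Resolve every domain, keep only dotted-quad IPv4 tokens, dedupe and sort.
build_allow_list() {
    for d in $TRUSTED_DOMAINS; do
        resolve_a "$d"
    done | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Print an nft script that flushes and repopulates the set. Because nft -f
# applies the whole file as one transaction, there is no window in which the
# set is empty and gaming traffic gets rejected. If nothing resolved (DNS down,
# typo in the list) print nothing and return 1 so the old entries survive.
nft_refresh_script() {
    elems=$(build_allow_list | tr '\n' ',' | sed 's/,$//')
    if [ -z "$elems" ]; then
        echo "no addresses resolved; leaving allow_egress untouched" >&2
        return 1
    fi
    printf 'flush set inet fw4 allow_egress\n'
    printf 'add element inet fw4 allow_egress { %s }\n' "$elems"
}

# On the router: "sh refresh-allow.sh run", e.g. from /etc/crontabs/root every
# 5 minutes (*/5 * * * * /root/refresh-allow.sh run).
if [ "${1:-}" = run ]; then
    script=$(nft_refresh_script) && printf '%s\n' "$script" | nft -f -
fi
```

A DNS snapshot only captures the addresses the router's resolver returned at that moment, so CDN-backed services may hand a client an address that is not yet in the set; a short cron interval narrows that gap but does not close it.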