Homenet possibility

As a complete newbie I just stumbled onto OpenWRT and had a function in mind.
My background is that I have a CCNA and CCNP cert. so I'm not new to networking concepts.

To my project at hand.
I have a "closet-server", an old HP running VMware ESXi 6.5 with 6 NICs, and I was wondering if it would be possible to run OpenWRT on this server as a Virtual Machine?
Assign two NICs to it and run it as my router...
The functions I'm looking for in OpenWRT are the following:

  • Run "router-on-a-stick" to act as gateway for 4 different VLANs
  • 2 of the VLANs should be connected to 2 different VPNs (work/private), both using WireGuard
  • The other two VLANs will only connect to internet.

Equipment I'm running right now:
Cisco 3560 equipped with SFP for incoming fibre
ISP-provided shit-router
Ubiquiti Mesh wifi
Haven't put too much work into this network as my family only uses it to browse and stream

So the setup I'm thinking
Fibre -> Cisco VLAN XXX -> NIC1 OpenWRT -> NIC2 via Trunk -> Cisco

I'm aware that I could use a Cisco-router for this but where's the fun in that?

I hope my explanation makes sense and I realize that I'm quite lazy for just asking this, but I just want to know if this would be possible at all before I put any time into it.

Possible, yes - but I'd generally recommend against this for home environments.

OpenWrt works fine on x86_64 (bare-iron) hardware (and I do use it that way myself, on a low-power Atom j1900), but your plan introduces interesting bootstrapping problems (if the hypervisor is supposed to get internet access from this virtual router) and forces you to make part of the configuration and policy decisions twice (once on the hypervisor, so the vrouter gets access to the hardware in the first place - and another time in the virtual OpenWrt instance again). Likewise this now (at least partially) exposes your hypervisor to the hostile internet, and some hypervisors also reduce the maximum achievable throughput quite significantly (compared to running on the bare iron). While these issues can be ignored for internal special-purpose routing (e.g. your virtual cluster used for experimenting), as long as your normal network infrastructure ('internet', dhcp, dns, WLAN) is sorted differently, or if you are in an actual enterprise setting (redundancy, HA, hot-failover, software defined switching, etc.), it's rarely a good match for the typical home setup (which foremost needs to work and be fault tolerant despite doing ad-hoc administration with cold-spares (aka, run to the shops for a replacement device and going through a 5-minute course of a quick'n'dirty base setup) at best).

If you know what you're doing and are fully aware of the implications outlined above, full steam ahead - Southampton, Cherbourg, Queenstown, 137 hours to New York City.

But in all 'normal' home usage scenarios, you're usually better suited by running OpenWrt on the bare iron (x86_64 or not, depending on your performance expectations), on dedicated hardware only used for this single purpose of acting as network infrastructure devices.


Welcome to OpenWrt!

I'd provide the same caveats @slh does, but would suggest simply setting up an OpenWrt VM as a subnet router to experiment and learn the OpenWrt environment and quirks. I've got OpenWrt on a bare metal x86 for my edge router, but add a Hyper-V OpenWrt VM providing an isolated subnet (the VM's WAN is just another DHCP client to the "real" router, a couple of Linux server VMs provide clients on a virtual switch downstream of the VM router). This lets me do all sorts of wacky/dangerous stuff on the VM router without any chance of familial strife. You can also do pentests and various attacks against the WAN side without upsetting your ISP, which is always a good thing. (See our thread on snort IPS mode of snort3 is not dropping traffic for some motivation there.)

All the usual advantages of a VM apply: if I screw things up too badly, just restore from a snapshot; if it gets totally out of control, kill it and start over. The freedom to change things on a whim without thinking "oh, crap, my wife is gonna kill me if I break facebook again" is really liberating.

Note: I only use Hyper-V instead of QEMU because I have more RAM on the Windows box than the Linux server... Either would do just as well.

Thank you both for your input, my inexperience didn't consider the dangers of exposing the hypervisor to the internet, which I will take into consideration. Although I don't think there is any considerable risk with this as my internet connection is behind an ISP-NAT, so no direct connection from the outside is possible.

@efahl this is a great idea, I think I will run a subnet router on the hypervisor to learn and get familiar with the OS for OpenWRT, to later implement it on a bare metal x86 to be run as a router.

Guess I'll head over and try to get started.

As I'm already here I might as well ask you another question: is there any package available to connect to OpenWRT while it's behind my ISP-NAT? At the moment I have a small subnet with a couple of clients at home for experimenting with running a hamachi bridge; is it possible to run hamachi on OpenWRT, or is there any other solution for this? Did run softether earlier but my work-issued MacBook did not want to cooperate with that solution.

Aside from CPU-level vulnerabilities, it is possible to do what you are asking:

You can pass-through two network interfaces to the OpenWrt x86_64 VM. You can also create a virtual network between your hypervisor and the OpenWrt VM. A modern x86_64 CPU handles this at 10Gbps in my testing.

You can then add that virtual network interface to a bridge together with your LAN NIC and even do VLAN filtering.

Do you mean ssh (or whatever) in from the VM's WAN port? That's just adding a rule to open the port, so no additional packages. If you want in from "outside", say from your neighbor's house, then you could do the same on your real edge router...

For simplicity, I open three ports on the VM to a specific workstation. The edge router LAN is 10.1.1.0/24, my workstation is 10.1.1.186 (VM router "WAN" IP is 10.1.1.20). The LAN side of the VM is 192.168.1.0/24, which keeps things easy to see.

Here's the rule on the VM router that punches through the firewall; you'll figure out what this means when you start digging into the files in /etc/config/. This is from /etc/config/firewall.

config rule
        option name 'DANGER-allow-mgmt-from-WAN'
        option src 'wan'
        option dest_port '22 80 443'
        option target 'ACCEPT'
        list src_ip '10.1.1.186'

In LuCI, it would look like this (being a CLI curmudgeon, I sometimes forget this part):

This turns into nftables rules via OpenWrt's fw4 package, and can be viewed with the nft command after it's all reloaded:

$ nft list chain inet fw4 input_wan
table inet fw4 {
        chain input_wan {
... trimmed other rules ...
                ip saddr 10.1.1.186 tcp dport { 22, 80, 443 } counter packets 21 bytes 1092 accept comment "!fw4: DANGER-allow-mgmt-from-WAN"
                ip saddr 10.1.1.186 udp dport { 22, 80, 443 } counter packets 0 bytes 0 accept comment "!fw4: DANGER-allow-mgmt-from-WAN"
                jump reject_from_wan
        }
}
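Note that the rule above opens 22/80/443 for both TCP and UDP, because `proto` is not set and fw4's default is 'tcp udp' (which is why the nft listing shows a udp line as well). As an added example, not from this thread or from OpenWrt's own tooling, here is a small Python audit that parses a UCI firewall file and flags WAN-facing ACCEPT rules that lack a source restriction or an explicit protocol; the sample config is constructed (the thread's rule plus a deliberately unrestricted one for contrast).

```python
import shlex

# Constructed sample (not from a real device): the thread's rule, plus an
# unrestricted one for contrast.
SAMPLE_FIREWALL = """
config rule
        option name 'DANGER-allow-mgmt-from-WAN'
        option src 'wan'
        option dest_port '22 80 443'
        option target 'ACCEPT'
        list src_ip '10.1.1.186'

config rule
        option name 'wide-open-ssh'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'
"""

def parse_uci(text):
    """Minimal UCI parser: one dict per 'config' section; 'list' keys become lists."""
    sections, current = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # handles 'quoted values'
        if not parts:
            continue
        if parts[0] == "config":
            current = {".type": parts[1]}
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections

def audit_wan_accepts(text):
    """Map each rule that ACCEPTs from the 'wan' zone to its list of findings."""
    findings = {}
    for sec in parse_uci(text):
        if sec[".type"] != "rule" or sec.get("src") != "wan" \
                or sec.get("target", "").upper() != "ACCEPT":
            continue
        issues = []
        if not sec.get("src_ip"):
            issues.append("no src_ip: reachable from the whole WAN zone")
        if not sec.get("proto"):  # fw4 default is 'tcp udp', as the nft listing shows
            issues.append("no proto: both tcp and udp are opened")
        findings[sec.get("name", "<unnamed>")] = issues
    return findings
```

Adding `option proto 'tcp'` to the thread's rule makes the second finding go away, since ssh and HTTP(S) only need TCP.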

Devices like the later examples in this thread are worth looking at, to get the reliability and fun factor in:


EDIT: the first modern new-from-the-eShop mini-PCs with four ethernet ports and N95 CPUs (or better) start around 130 EUR/ USD (but ~180-250 EUR/ USD is more commonly found), so don't overpay for an 'old' device (but you can sometimes find those for really little money, as in under 50 EUR/ USD).

Most cgNAT ISPs at least offer IPv6 connectivity, which can be an alternative for incoming connections (not perfect, but good enough for my needs). Otherwise you'd need either a remote (v-)server under your control (to act as mediator) or something like tailscale. I'm also behind cgNAT (new fibre ISP, who simply came too late to get IPv4 addresses and has to make do with 32'768 IPv4 addresses for their 1.5 million customers…); it works well enough for me (connect in via wireguard, problem solved).