How to correctly setup and secure OpenWRT Router connected to an ISP Modem that does not allow bridge mode?

My ISP provides a router modem with 4 ethernet ports. This modem cannot be configured from my end and it is not possible to put it in bridge mode, which the ISP also refuses. I also cannot change the ISP at the moment.

Considering this circumstance and the lack of a configurable firewall, I would like to connect an additional router (Xiaomi 4C flashed with 23.05.3) to the modem for better network protection of the connecting client, a PC. The 4C router has a WAN port and 2 ethernet ports. So the setup would be:

ISP Modem (no bridge mode) --> 4C Router --> Client PC

I understand that in this setup I would have a DHCP-server both running on the ISP modem and the 4C router, which might create some conflicts.

  • How do I avoid IP conflicts and connectivity issues in this setup?

  • How would I physically connect the ethernet cables in the correct way? Do I connect an ethernet port of the ISP modem and connect it to the WAN port of the 4C router? Or would I connect it to an ethernet port on the 4C?

  • The connecting client PC should only be able to browse the Internet, but should not be able to manage OpenWRT (no Luci or SSH access) or access other devices on the LAN. What is the best way to achieve this? Putting it on a dedicated VLAN assigned to a specific ethernet port on the 4C?

I want to manage the 4C OpenWRT router from a separate laptop that will not be connected permanently to this network.

Wifi will remain disabled on the 4C router and will not be used.

I appreciate your feedback and assistance.

Thank you!

Does the ISP allow you to use a modem you can purchase for yourself?

Do you plan to add other clients to the 4C? If the PC is the only client you care about putting behind the firewall, it might be easier to set up a firewall on the PC unless you don't trust its operating system.

1 Like

Considering this circumstance and the lack of a configurable firewall, I would like to connect an additional router (Xiaomi 4C flashed with 23.05.3) to the modem for better network protection of the connecting client, a PC. The 4C router has a WAN port and 2 ethernet ports. So the setup would be:

Congratulations on flashing it with OpenWRT :smiley:

How would I physically connect the ethernet cables in the correct way? Do I connect an ethernet port of the ISP modem and connect it to the WAN port of the 4C router? Or would I connect it to an ethernet port on the 4C?

Modem (LAN1/2/3/4) <--> (WAN) Xiaomi 4C (LAN1/2) <--> PC

The connecting client PC should only be able to browse the Internet, but should not be able to manage OpenWRT (no Luci or SSH access) or access other devices on the LAN. What is the best way to achieve this? Putting it on a dedicated VLAN assigned to a specific ethernet port on the 4C?

I would say there are many possibilities to achieve this. You could make some firewall rules to block the PC's MAC from accessing the router itself (if the user spoofs the MAC on the PC, then he can access the router, so some other firewall rules are needed). Or you could block every device (except the Laptop) from accessing the router. Another way would be to make one LAN port on the 4C a management port and the other the PC connection port. That way you could allow only the client on the management port to access the router. This approach is not so optimal (someone could just switch cables on the router). Like I said, there are more possibilities.

How do I avoid IP conflicts and connectivity issues in this setup?

If you connect the routers like I showed above, there will be no IP conflicts.

I understand that in this setup I would have a DHCP-server both running on the ISP modem and the 4C router, which might create some conflicts.

The DHCP of the modem will serve the WAN side of the Xiaomi 4C, and the Xiaomi's DHCP will serve clients connected to the LAN network. So no issues there.

Best regards

1 Like

You will get a bit better "internet" if you configure the provider's router to treat OpenWRT as a DMZ host or to use full-cone NAT.
That way you can receive outside connections, e.g. via UPnP for VoIP or games, or run your web server if you are very lucky.

1 Like

@elbertmai Unfortunately it won't be possible to replace the ISP modem with my own device. The 4C router will only connect 1 single client PC via ethernet cable that is running Linux with an iptables-based software firewall. However, I do not consider software firewalls sufficiently secure if the client should get compromised.

@brada4 The ISP won't allow customizations of their modem router, I am afraid.

@ilija.culap Thanks a lot for your clarification. I will then implement your suggested connection setup:

Modem (LAN1/2/3/4) <--> (WAN) Xiaomi 4C (LAN1/2) <--> PC

I scanned the gateway modem with nmap and it is available on 192.168.0.1 and hands out IPs on the 192.168.0.0/24 range.

If I connect the 4C router to the modem via WAN, the Luci interface will remain by default on 192.168.1.1, correct? And clients that connect to the 4C would get served an IP on the 192.168.1.0/24 range, right?

In this sense, can I assume that the default setup of the 4C OpenWRT does not have to be changed?

Now regarding how to sufficiently secure the management access of the 4C OpenWRT:

There will only be this single client PC connecting via ethernet, which only needs browser Internet access. I consider this PC untrusted. There will be a possibility that the PC's browser gets hijacked or that the operating system gets compromised. That's why I need a hardware-based firewall to prevent this from happening in the first place. In the case that this device becomes compromised, there might be an attempt to brute-force Luci or SSH access and compromise OpenWRT. MAC spoofing is a possibility, but I think it would require that a potential attacker knows the MAC address of the management laptop, which should be unknown. There is no physical threat that an unauthorized person gets physical access to the network components.

Under those circumstances, which measures or combination of measures do you suggest to protect the 4C router from becoming compromised?

Thanks for your guidance!

Set up a guest network on the OpenWrt router for the untrusted PC. A guest network cannot reach any services in OpenWrt other than DHCP and possibly DNS. You will also still need the original LAN network in order to plug in another PC to change settings in OpenWrt as necessary. The two LAN ports on the 4C can be configured as different networks.

1 Like

To be pedantic, "Linux with an iptables-based software firewall" basically describes OpenWrt and therefore is also a software firewall. The problem here isn't that it's software, it's whether you are able to fully control what runs on the PC. If you can't, then putting the firewall on a separate device is a reasonable course of action. I presume that by "hardware-based firewall" you really mean "a dedicated computer I fully control and runs a firewall".

2 Likes

It would be nice if you shared what that CPE is, like on the provider's page. I don't think your nmap worked; it should see at least the DHCP server and one of the UPnP spawns.

You can have a guest network for untrusted devices that has no access to the router administration. The risk profile of 2+ devices compromised sounds credible; you can have the admin network wired and all air networks no-admin, like on a normal day you don't have admin from normal devices. Does this ring the bell?

OpenWRT is a discrete hardware unit running Linux, but with nftables and hardware offload. I don't think it is any better or even different from most other Linux firewalls.

@mk24 Is there a guide that explains step by step how to create a guest lan network in OpenWRT? I only noticed a guest wifi guide in the official documentation, but I won't use Wifi on this router. The 4C router has ethernet ports 1 and 2 as well as the WAN port. So the idea would be to have for instance the isolated guest lan for the untrusted PC on ethernet port 1 and use port 2 only for admin management access of OpenWRT with another laptop if required. It should also not be possible to access Luci or SSH over WAN via the internet (no remote access).

@elbertmai That is correct.

@brada4 What does CPE mean?

Customer-Premises Equipment - the box that terminates the provider's connection in the customer's premises, i.e. your home.

For the guest network - you can assign every wired port to whichever guest or admin bridge you choose. Default is all in one pond.

So, here is an example of how you could do it.

  • Start by checking if your router has DSA or swconfig. If you have Network->Switch, then you have swconfig. For swconfig you should separate both LAN ports. If you do not know how to do it, post a screenshot of Network->Switch here. For DSA go to the next step.
  • Now you should have 3 network devices: lan1, lan2 and wan (or eth0.1, eth0.2 and eth0.3 for swconfig). You can check that under Network->Interfaces->Devices.
  • Create 2 new firewall zones (mgmt and client). Assign the correct input, output and forward rules to them. Assign the correct zones for forwarding traffic. For the "client" zone you should reject input traffic, so that the PC cannot access the router itself. For more information look at the Firewall documentation or check @onemarcfifty 's YouTube channel. (I am not a specialist for firewalls :smiley: )
  • Create 2 new networks on Layer 3 (mgmt and client), assign static IP addresses, assign the correct network devices (lan1 or lan2), assign the corresponding firewall zone, enable DHCP. After that remove the lan network and click "Save and Apply". Your Laptop is going to get a new IP from the mgmt network.
  • You can remove br-lan device and lan firewall zone.
  • For security you could create some firewall rules to accept traffic on mgmt only from the Laptop and on client only from the PC (MAC addresses).

So at the end you would have:

  • MGMT network with its own IP range, firewall rules that allow only your Laptop to connect to the router (and internet if desired) on LAN1
  • CLIENT network with its own IP range, firewall rules that allow only PC to connect to the router on LAN2, and firewall rules that disallow it to manage OpenWRT.

Best regards!

2 Likes

Thanks for your detailed guidance, which helped me to find the right direction @ilija.culap. The 4C router has indeed the "Network -> Switch" option.

I found the following tutorial on YouTube on how to create a "Guest LAN", which basically seems to explain what you have suggested if I am not mistaken:

  1. Under "Network -> Switch" I created a new VLAN called "Guest Lan" and unassigned ethernet port 2 from the existing LAN interface of the router. So the idea is to have the Guest VLAN on ethernet port 2 of the router, and for management access you need to connect to ethernet port 1:

  2. Under "Network -> Interfaces" I created a new LAN interface and assigned the previously created Guest VLAN (eth0.3) to it on a new subnet (192.168.3.1) and a new firewall zone called "guestlan" assigned to WAN:

  3. Under "Network -> Firewall" I edited the "guestlan" zone to allow forwarding to destination zone WAN and set 2 new traffic rules for DHCP (port 67) and DNS (port 53) for the guest lan interface:

I then connected to the router on ethernet port 2 and I am not able to ping 192.168.3.1 or 192.168.1.1 -> Destination Port Unreachable. SSH access to 192.168.1.1 is also not possible -> 22: Connection refused. I am also not able to access Luci from ethernet port 2. Management access from ethernet port 1 still works as expected.

Is this a valid, safe approach or did I miss something?

Now regarding the MAC filtering for the laptop on ethernet port 1:

How can I create a rule to only allow access from the MAC of my laptop? I guess this should act nicely as a physical 2-factor authentication for router access.

1 Like

Wiki needs your hand :wink:

1 Like

You can drop in the places where you reject. It is a comfort option that the firewall actively denies wrong connections. Hacker-guests can enjoy timeouts instead. Probably ping is useful for some too.

1 Like

You are referring to the "drop vs reject" discussion for firewall configuration, which appears to be a controversial topic, for example:

https://www.reddit.com/r/sysadmin/comments/6eojfs/drop_or_reject_packet_firewall/

"Drop stuff on the public/untrusted interfaces. Reject on the internal interfaces."

What's the recommendation of the OpenWRT community in this regard?

Regarding Ping, which appears to be another point of discussion:

Do you recommend disabling Ping on WAN?

I recommend allowing pinging guest gateway, and dropping instead of rejecting closed ports in guest network.

1 Like

Thanks @brada4, I will then set the "Guest Lan" Input and Forward to "Drop" instead of "Reject".

Would you leave the WAN interface at the default "Reject"?

1 Like
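As an added example (not from any poster in this thread), here is what the guest-LAN setup described above looks like as UCI config fragments on the 4C with 23.05: VLAN 3 on ethernet port 2 as eth0.3, the guestlan zone set to drop as agreed later in the thread, and input rules that admit only DHCP, DNS and ping to the gateway. The switch port numbers (assumed: 0 = CPU tagged, 2 = LAN2) and the rule names are assumptions; read the real port numbers from Network -> Switch.

```text
# /etc/config/network (fragment) - VLAN 3 on LAN port 2 only; port numbers assumed
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '0t 2'

config interface 'guestlan'
    option device 'eth0.3'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
# also enable DHCP for 'guestlan' under Network -> Interfaces (or in /etc/config/dhcp)

# /etc/config/firewall (fragment)
config zone
    option name 'guestlan'
    list network 'guestlan'
    option input 'DROP'      # guest cannot reach Luci/SSH; closed ports time out instead of refusing
    option output 'ACCEPT'
    option forward 'DROP'    # no forwarding between guest ports or to the management LAN

config forwarding            # internet only: guestlan -> wan, nothing towards lan
    option src 'guestlan'
    option dest 'wan'

config rule                  # input rule (no dest zone): DHCP from the guest PC
    option name 'guestlan-dhcp'
    option src 'guestlan'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule                  # DNS resolution via the router
    option name 'guestlan-dns'
    option src 'guestlan'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

config rule                  # allow pinging the guest gateway, as recommended above
    option name 'guestlan-ping-gateway'
    option src 'guestlan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    option target 'ACCEPT'
```

With input set to DROP rather than REJECT, an SSH attempt from port 2 against 192.168.3.1 now hangs until it times out instead of returning "Connection refused", which is the behaviour brada4 describes.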

The WAN interface has nowhere to forward alone, so it is best to drop; the default can be reject on input, or drop.
