In the spirit of @richb-hanover-priv's recent thread about Maintaining an OpenWrt Router, I'm putting this here to discuss how we can make it easier for a brand new user of OpenWrt to configure their router into their own specialized use case. Perhaps tools that act as an "expert system" to turn a high level description of what the user wants to do into a low level description of which SSIDs and VLANs and ports and switches and features and DNS and DHCP etc. need to be enabled...
It looks like configuration templates, which can be integrated into LuCI.
From my point of view, tons of effort are required to create and support it.
It's not clear, who is going to volunteer for that job.
I think, instead we should concentrate on improving the quality of wiki articles:
Update and clean up the documentation, reorganize it if required.
Split technical reference documentation and guides.
Let’s try not to think like software designers here, but think of use cases for your target audience. Software designers are biased. I will bring up Sun Microsystems, which was run by techies, and Oracle, which is run by a marketing person. Do the math.
There are a lot of software designers on this forum. Think of all the times when the management in their unlimited wisdom solicited designers’ input about the roadmap or user interface or a feature set, and how well that worked out in the end. We are good at building things and not at coming up with an easy to use and intuitive interface.
There are several configuration use cases that are possible here. The most important one is a secure router appliance.
- A trusted LAN (bridged wired & wireless) for stationary devices and a handful of trusted mobile ones
- One or two isolated wired ports for a gaming console, a server, a downloader, etc.
- A guest network for all IoT devices & work laptops/equipment without an ability to talk to each other or anything else (the password here doesn't have to change ever if it is a good one)
- A guest network for guests, friends, etc. without an ability to talk to each other or anything else (it is worth separating from the one above because the password has to be changed more often)
- A LAN port and a WiFi network for router management only; there should be no other way to manage the router.
- Firewall rules configured to drop all incoming connections by default (it is not currently the case)
- Firewall rules to block (drop) all cross-talk between the firewall zones
- IPv6 disabled by default (this is still an IPv4 world and properly working IPv6 is still an art or an accident)
- DDNS (although it is quite tricky to set up)
- OpenDNS could be used as a good default
- Access to the modem
- I guess one could argue a NAS functionality should be there as it is pretty much standard now in mainstream routers
- One monolithic image to include all these packages.
- Good docs to cover how to configure this setup.
UPDATE: access to the modem added
UPDATE 2: Due to a popular demand, I reformatted the list into bullet points
UPDATE 3: Added missed items to the list
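As an added example (not from any poster in this thread and not OpenWrt project code), here is a POSIX shell script that generates the /etc/config/firewall for the zone layout in the list above: trusted LAN, isolated wired ports, IoT/work network, guest network and a management-only network, with input and forward dropped by default, no forwarding between zones (only each client zone to WAN), and the router's own services reachable from the management zone alone. It assumes (my assumption) that /etc/config/network already defines interfaces named lan, iso, iot, guest, mgmt and wan; the interface names, zone names and rule names are made up for this example. Client isolation within the guest and IoT SSIDs is a wireless setting (option isolate '1' per wifi-iface in /etc/config/wireless), not a firewall setting, so it is not generated here.

```shell
#!/bin/sh
# Added example: write an OpenWrt /etc/config/firewall implementing the
# "basic secure router" zone model from the list above.
# Assumption: /etc/config/network defines lan, iso, iot, guest, mgmt and wan.
# Usage on a router: gen_firewall_config /etc/config/firewall && /etc/init.d/firewall restart

gen_firewall_config() {
    out="$1"
    {
        # Global defaults: drop unsolicited input and all forwarding unless a
        # zone or forwarding section explicitly allows it.
        cat <<'EOF'
config defaults
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
    option synflood_protect '1'

config zone
    option name 'wan'
    list network 'wan'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'mgmt'
    list network 'mgmt'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
EOF
        # Client zones: each may reach WAN only. Input is dropped except for
        # DHCP and DNS, so the router's admin services are unreachable from
        # them; there is no forwarding section between any two client zones.
        for z in lan iso iot guest; do
            cat <<EOF

config zone
    option name '$z'
    list network '$z'
    option input 'DROP'
    option output 'ACCEPT'
    option forward 'DROP'

config forwarding
    option src '$z'
    option dest 'wan'

config rule
    option name 'Allow-DNS-$z'
    option src '$z'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCP-$z'
    option src '$z'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
EOF
        done
    } > "$out"
}

# Sanity check to run before restarting the firewall: every forwarding
# section must point at wan, i.e. no cross-zone forwarding slipped in.
# Returns 0 when the file passes, 1 otherwise.
check_no_cross_zone() {
    if grep "option dest " "$1" | grep -qv "'wan'"; then
        return 1
    fi
    return 0
}
```

The mgmt zone deliberately has no forwarding to wan, so a management port is just that; if the management WiFi also needs internet access, a forwarding section from mgmt to wan would be the one addition.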
(I hope this is on-topic...) We already have a proof of concept for assisting with package re-installation. A while back, I posted a tweaked version of Malte Forkel's script on OpenWrtScripts.
Run the script before sysupgrade, and it saves the current set of packages to /etc/config/opkg.installed. Run it after the sysupgrade with the install option and it re-installs the packages, using their saved configs.
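The save-then-reinstall technique described in the post above, as an added example in plain POSIX shell (this is not the script referred to above and not OpenWrt project code). It takes the output of opkg list-installed on stdin or from a file, so it runs anywhere; on a router you would pipe opkg list-installed into save_pkg_list before the sysupgrade, and afterwards feed missing_pkgs to opkg install. The file paths and the sample package names in the usage comments are constructed for the example.

```shell
#!/bin/sh
# Added example: keep a list of installed packages across a sysupgrade and
# work out which ones are missing afterwards.
# Before sysupgrade:  opkg list-installed | save_pkg_list /etc/config/opkg.installed
# After sysupgrade:   opkg list-installed > /tmp/now.txt
#                     opkg install $(missing_pkgs /etc/config/opkg.installed /tmp/now.txt)

# Read "name - version" lines (opkg list-installed format) on stdin and
# store just the sorted, unique package names in the file named by $1.
save_pkg_list() {
    awk '{ print $1 }' | sort -u > "$1"
}

# Print the packages listed in the saved file ($1) that do not appear in a
# current opkg list-installed dump ($2). Packages that are already part of
# the new image show up in $2 and therefore drop out of the result, so only
# genuinely missing packages are reinstalled.
missing_pkgs() {
    awk '{ print $1 }' "$2" | sort -u | comm -23 "$1" -
}

# Number of packages that would be reinstalled; handy for a "Keep current
# packages" confirmation dialog.
missing_count() {
    missing_pkgs "$1" "$2" | grep -c .
}
```

Reinstalling with opkg install keeps the packages' saved configuration files because sysupgrade preserves /etc/config by default; the list file itself lives under /etc/config so that it survives the upgrade too.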
I absolutely agree. I'm just saying that an enhanced "Flash New Firmware image" feature could bundle this technique. Perhaps there could be two checkboxes: Keep Settings and Keep current package (or we might create something even better.)
This statement is so important that I want to pull it out of the middle of your earlier note to emphasize it.
OpenWrt is currently designed to make most of its configurable options equally easy (which sort of translates to equally difficult...) It's the normal evolution of a techie product - the developer implements a feature, then adds enough configuration capability to make it usable. This is wonderful: it gives us a robust, reliable, powerful base for moving forward.
I think we are talking about a next step in helping newcomers. I envision an opinionated GUI that pre-configures the most common operations and guides other choices for a particular use case. (I like your basic secure router criteria. In fact, if we only produced a Basic Secure Router, we might declare victory on this whole topic.)
That would definitely solve my problem: that is how I built the few routers that I actually care about to manage. If this idea ever sees the light of day, I could delegate managing those routers to their respective owners.
I like to think in terms of extreme use cases as they do a good job emphasizing a problem while at the same time making possible solutions very obvious. The best example of a target audience here is this: a young medical/law student or a busy doctor/successful law practitioner. Some have enough money to afford not to care about some router in the corner and the rest are so busy that they do not have time to care about that same router somewhere in the corner. Both groups could benefit from a secure router because they got a lot to lose if a router is compromised.
You can declare a victory if those people can get their router set up (maybe with someone's help) and then maintain it by themselves.
The picture will not be complete without a standard list of devices on the network to help with the use case:
- IoT devices: TVs, thermostats, microwaves, all the other internet connected crap
- Trusted PCs, laptops, mobile devices, etc.: on the trusted network
- Management interfaces for a select few trusted devices
- Personal devices that leave the home network often and connect to all WiFi hotspots that their owners can see would go on a special untrusted network as they can be compromised
- Untrusted devices: work laptops, etc. My work equipment has no business on my trusted network
- Visiting guest devices
- A game console or two connected to a wired isolated network
Here's some homework (for us all...) Part of envisioning a new way to work is to understand what currently exists. A couple of exercises for your idle moments:
Check out the GUIs of any commercial routers you have lying around. Note what they do right (that we could emulate), and what they do wrong (that we could or already do better.) Also consider any other equipment whose GUI might have principles that apply.
Review what the OpenWrt wiki already says (links below). Same questions - what's right, what could be better?
Use the criteria for a Basic Secure Router (above). Think about a) how many configuration items could be handled automatically by sensible defaults, and b) how few steps/questions a newcomer would have to address?
(As an extreme position, envision the process: use the Vendor firmware to flash an OpenWrt image, connect to http://192.168.1.1, enter a new password, and then expect all the other items above would be automagically configured with sensible defaults. Where does this model fall down?)
I envision an expert system that discovers what you want to do by asking you questions and having you draw diagrams (this connected to that, etc.). It spits out uploadable configs for ALL the devices involved (routers, AP, second router, etc.)
I would say it is a policy decision best left to the administrator: why OpenDNS instead of Google's or Cloudfront's servers, and what is wrong with the ISP's DNS servers? My point here is that the answer depends on more factors than we can possibly foresee.
This can be quite resource hungry, if I understand correctly, and might not work well with small flash routers.
Good idea, but tricky to implement in general. DOCSIS modems tend to respond to 192.168.100.1, but there seems to be no such convention for DSL modems; I have no information about the multiple (X)PON modem types.
I disagree; this is a service best run on an independent device. The more one runs on the router, the larger the attack surface and the larger the possible damage if the router gets hijacked/hacked.
Again, the proper way is to ask questions in a non-technical language: choose a DNS provider who will look up site names for you; we suggest one of the following. Cloudflare is fast and accurate and does not keep records of your usage. Google is fast and accurate but may track you. Your ISP has servers, but they are often (though not always) slower, inject ads, or track you. OpenDNS filters malicious sites, etc. etc...
For the threat model of a typical home net that seems overly onerous to me. I would rather aim for making it not a catastrophe if the router gets hacked/hijacked (and try to warn of any signs of hacking early).