I have an OpenWRT network with several clients. One of the clients of the network got severely infected with malware. I don't have visibility into what malware it was (it was a friend who stayed a few days).
Is it possible that malware on the clients installed malware on the OpenWRT router?
Ok, that makes sense. Do you have some links about this malware by any chance? It would be good for me to educate myself on that, so that I understand the risk more precisely. For example, I'd like to understand if this malware can contaminate stock firmware simply by crafting malicious frames, or if it requires access to the admin panel.
It depends on the malware type and the window of vulnerability.
This may become risky if the malware targets routers and can update its own exploits automatically.
Critical vulnerabilities in BusyBox, Dropbear, uHTTPd leading to arbitrary code execution are not impossible, so it depends on whether you update the firmware before the malware updates its exploits.
A possible solution is moving vulnerable devices to a separate VLAN or SSID with restrictive firewall policy.
Apart from compromised systems exploiting potential security issues in the services you're running on the router, it depends on your firewall what kind of access systems on your guest network have in the first place (e.g. luci doesn't generally need to be served to the guest network, ssh neither, to cover the default services - similar considerations apply to addon services).
It's hard (impossible) to judge from the outside what the actual exposure to the malicious system was - and what the risks were, both to the router itself, as well as the other systems attached to it. If you don't want to go the 'safe route' of reflashing/reinstalling/reconfiguring 'everything' (down to the last phone, TV, smart plug, etc.), you'd need to do a proper post mortem of the situation - checking where the compromised system could have been attached to and what kind of access it might have gotten; this is hard work, for both options.
Is that possible? Can an ISP router do bridge mode for 2 clients?
If it is possible, I guess one could argue malware could still attack the ISP router, and then infect OpenWrt Router 2 and the secure network.
Split the fiber line in 2 with a fiber optic switch, and attach OpenWrt router 1 directly to the fiber line. I guess now attacks from Unsecure network to secure network have no more chance to succeed than normal everyday internet attacks.
Aside from having a malware-laden device on your isolated network, what (if any) issues did it cause?
As long as you follow some very basic good practice, you can do everything you need with a single OpenWRT box:
Only bind the LuCI web interface and the dropbear SSH listener to a privileged network (i.e. one you don't let guests onto, and definitely not the WAN side). This will require a couple of config file edits to limit access to LuCI - or you could set up a firewall rule for the unprivileged/isolated networks to block access to ports 80 and 443 on the router itself.
Ensure that the only thing that the guest/isolated network can reach is the Internet. Don't forward from the guest/isolated zone to the LAN/privileged zone.
Other than that, if the incoming fiber is connected to an ONT which you then connect to via the customer port, they will not let you split/splice the fibre to add a separate device. The presentation to you is the downstream port of their CPE; whether you can plug in a switch and have two downstream OpenWRT devices is entirely subject to their Ts&Cs. My cable modem here in the UK allegedly allows me three attached devices, but I've never tried it!
Never say never, but in answer to your last question - there have been no CVEs recorded against OpenWRT that result from specially-crafted network traffic. There may be hardware vulnerabilities that are yet to be found, but if you prevent a device from talking directly to any services on an OpenWRT router then you've mitigated >99.9% (or more) of the potential for known attacks at this time. Most of the previous weaknesses that could result in remote code execution have been in the web UI, and there haven't been many of them.
This isn't that specific to OpenWRT; it's just good practice in terms of system management. Only let things you trust have access, and keep that access limited.
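To make the two isolation points in the post above (and the earlier remark that the firewall decides what the guest network can reach in the first place) concrete, here is an added example that is not part of this thread and not an OpenWrt tool: a small Python script that parses UCI config text and flags the mistakes the post warns about. The config snippets are constructed samples; the option names used (`input`, `forwarding` with `src`/`dest`, `rule` with `dest_port`/`target`, and dropbear's `Interface`) are the standard OpenWrt firewall and dropbear options, while the baseline it enforces (guests may only reach DHCP and DNS on the router, and may only be forwarded to `wan`) is my assumption of a sensible policy, not something the thread states.

```python
"""Audit OpenWrt UCI firewall/dropbear configs for guest-isolation mistakes.
Constructed example: the configs below are made up for illustration."""
import shlex

# Constructed: guest zone NOT isolated (input ACCEPT, guest->lan forwarding).
WEAK_FIREWALL = """
config zone
    option name 'guest'
    option input 'ACCEPT'
    list network 'guest'
config forwarding
    option src 'guest'
    option dest 'wan'
config forwarding
    option src 'guest'
    option dest 'lan'
"""

# Constructed: guest traffic to the router is rejected except DHCP/DNS,
# and the only forwarding allowed is guest -> wan.
HARDENED_FIREWALL = """
config zone
    option name 'guest'
    option input 'REJECT'
    list network 'guest'
config forwarding
    option src 'guest'
    option dest 'wan'
config rule
    option name 'Guest-DHCP'
    option src 'guest'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
config rule
    option name 'Guest-DNS'
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
"""

# Constructed: /etc/config/dropbear without and with the Interface binding.
DROPBEAR_OPEN = "config dropbear\n    option Port '22'\n"
DROPBEAR_LAN = "config dropbear\n    option Port '22'\n    option Interface 'lan'\n"


def parse_uci(text):
    """Parse UCI syntax into a list of {'type', 'name', 'options', 'lists'}."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts or parts[0].startswith('#'):
            continue
        kw, args = parts[0], parts[1:]
        if kw == 'config':
            cur = {'type': args[0], 'name': args[1] if len(args) > 1 else None,
                   'options': {}, 'lists': {}}
            sections.append(cur)
        elif kw == 'option' and cur is not None:
            cur['options'][args[0]] = args[1] if len(args) > 1 else ''
        elif kw == 'list' and cur is not None:
            cur['lists'].setdefault(args[0], []).append(args[1] if len(args) > 1 else '')
    return sections


def audit_firewall(text, guest='guest', allowed_router_ports=('53', '67')):
    """Return findings; an empty list means the guest zone is isolated."""
    secs = parse_uci(text)
    findings = []
    zone = next((s for s in secs if s['type'] == 'zone'
                 and s['options'].get('name') == guest), None)
    if zone is None:
        return [f"no zone named {guest!r}"]
    # 'input' is the policy for traffic aimed at the router itself (LuCI, SSH).
    if zone['options'].get('input', 'ACCEPT').upper() not in ('REJECT', 'DROP'):
        findings.append(f"zone {guest}: input policy lets guests reach router services")
    for s in secs:
        o = s['options']
        if s['type'] == 'forwarding' and o.get('src') == guest and o.get('dest') != 'wan':
            findings.append(f"forwarding {guest} -> {o.get('dest')}: guests reach a privileged zone")
        # A rule with src=guest and no dest applies to traffic to the router itself.
        if (s['type'] == 'rule' and o.get('src') == guest and 'dest' not in o
                and o.get('target', '').upper() == 'ACCEPT'):
            ports = set(o.get('dest_port', '').split())
            if not ports or ports - set(allowed_router_ports):
                findings.append(f"rule {o.get('name', '?')}: opens router ports {sorted(ports) or 'all'} to guests")
    return findings


def dropbear_bound_to(text):
    """Interfaces dropbear is bound to; None means it listens on every network."""
    ifaces = [s['options'].get('Interface') for s in parse_uci(text) if s['type'] == 'dropbear']
    return ifaces if ifaces and all(ifaces) else None
```

Run it against your own `/etc/config/firewall` and `/etc/config/dropbear` (e.g. `audit_firewall(open('/etc/config/firewall').read())`); on the constructed weak config it reports the `ACCEPT` input policy and the `guest -> lan` forwarding, on the hardened one it reports nothing, and `dropbear_bound_to` returns `None` for a dropbear section with no `Interface` option, which is the "listening everywhere" case the post says to avoid. The port-range syntax (`'67-68'`) is not expanded, so add such ranges to `allowed_router_ports` as written if you use them.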