OpenWRT 22.03 Bridge Firewall

Hi,

I've installed OpenWRT on Xiaomi AX6S without problems. All work good but i can't do anything with firewall. I use it with bridge behind my classical routeur ISP.
I've follow this link (https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge) but no rule i put in firewall work. Anyone have idea ?

Thx a lot

If you are running your device is a standard dumb AP mode, it will not be able to perform any firewall functions because the traffic never reaches the firewall for evaluation... it is purely switched.

What is your specific goal -- what do you wish to firewall/filter?

2 Likes

Hello, thx for reply and sorry for late. I want pu it behind my ISP routeur (My routeur have DHCP and DNS) and my openwrt router, i want to use firewall, wifi and lan. Do you want any screenshot of config, or cli config ?

If you want to use the OpenWrt device as a firewall, simply reset it to defaults and connect the WAN port of your OpenWrt router to the LAN of your ISP router. This creates a double-NAT situation which is not ideal, but is typically not a real issue for most use cases these days (exceptions: port forwarding requires both routers are configured, uPnP doesn't work, and some game consoles aren't happy about double NAT).

From the default config, you may need to change the LAN IP of your OpenWrt router if the ISP router happens to use the 192.168.1.0/24 subnet... it is mandatory that the subnets not overlap. So you could change your OpenWrt router to something else like setting its lan for 192.168.2.1 or 10.0.2.1 or whatever (any RFC1918 address is acceptable, typically with a /24 for most home network environments).

Thanks for reply, i know is the easy solution, but i want find a solution of my actual problem, but if is not possible okey i understand, but i'm sure is possible...

I guess I still don't understand your goal... if you want to use the OpenWrt firewall, you generally need it to be operating in routed mode. If you setup a dumb AP configuration, it will not be routed and thus will not do any firewall filtering.

What specifically are you trying to achieve?

I understand, i try this because i want put this anywhere without config isp router. just plug and go. There is a specific guide (https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge) to use firewall in bridge mode. I want to try to use it. If is not possible or find any solution i useyour solution..

You don't need to do any special configuration to either router aside from ensuring that the OpenWrt router doesn't use the same subnet as the upstream router. In fact, using the OpenWrt router in normal routed mode is the easiest method and almost guarantees that it'll just work as plug and play (unless double NAT is going to be an issue for your use) To best achieve the idea of avoiding a wan/lan subnet collision, use a somewhat random lan subnet on your OpenWrt device (for example: 10.25.31.1/24 for the lan IP address of the OpenWrt router). The chances of a conflict are pretty slim.

Bridge filtering is actually considerably more complex and also more limited in what it can do compared to normal routing+fireall (and to be honest, I'm not an expert on bridge filtering).

There is another approach you can take -- if your ISP router supports static routes, you can avoid the double-NAT and setup symmetric routing. From there, your OpenWrt firewall would be able to perform whatever firewall features you desire between the upstream and downstream networks. This does require adjustments to the main (ISP) router, though, and support for static routes is not always available on ISP or consumer focused routers.