I'm completely new here. After reading a lot about OpenWRT, I'd like to give it a try. I'm planning two small projects, if possible. One of them is using OpenWRT as a transparent firewall behind my AVM Fritz!Box to protect some web services from attacks. These services are hosted in Docker containers with their own MacVLAN. After some online research, I've decided that the NanoPi R5C is quite suitable for my needs, and I've also seen that there are OpenWRT images available for it.
Could you please tell me which version of OpenWRT I can install on the device and which image file I need? I was told that the sysupgrade images can only be used if I already have an older version of OpenWRT or a running operating system installed.
Furthermore, I was told that I should first install FriendlyWRT from the NanoPi manufacturer onto the eMMC flash memory and then install an OpenWRT sysupgrade image over it. Is this the right approach, or is there a complete OpenWRT image available for the NanoPi R5C somewhere?
Is it even possible to configure OpenWRT to only filter incoming and outgoing traffic without handling routing, DHCP, or NAT? I want to keep those functions on the Fritz!Box so I don't have network separation between internal and external services. (That's sufficient for my initial testing purposes.)
Maybe aim for the R5S - you have 2x2.5Gbit ports + 1gbe for the home network or an isolated control interface. But you can have the management interface on a LAN-side VLAN, decoded by another device, e.g. a wifi router.
tl;dr - you can boot OpenWrt from an SD card, and optionally replace the eMMC installation with OpenWrt.
About firewall:
OpenWrt does not instrument the nft bridge type (ex-ebtables); you need to write your own nft or ebtables-nft rules. The SoC has a very fast CPU and could do some traffic conditioning in passing, up to light IDS/IPS, but not detailed DPS.
It can run docker containers (or podman, or lxc) so you can chain WAF containers on the router itself.
Thank you so much for your quick reply. That's a lot of specific information, and I realize I'm still pretty much a beginner.
First of all: The NanoPi R5C was indeed a typo on my part. Sorry. Yes, I want to use the NanoPi R5S. To be honest, I'd like to use the 1 GbE port for internet access to my Fritz!Box and one of the two 2.5 GbE ports as a forwarder to my mini PC running Docker. The other 2.5 GbE port would then be a backup in case I want to connect a 2.5 GbE switch at some point to put the rest of the network behind the firewall. Would this be possible?
What you're saying: Do I have to install FriendlyWRT first and then OpenWRT on top of it? I don't quite understand the purpose of the sysupgrade files yet. Or can I flash the OpenWRT image directly to an SD card using Balena Etcher, for example, and then boot from it? How do I then transfer the data from the SD card to the eMMC storage?
My final setup is as shown in the image. Some of the decisions I've made in my network might seem strange to you, but there were good reasons for building it this way. Do you think it's possible to protect the web services in Docker with MacVLAN from attacks using a transparent firewall based on OpenWRT on a NanoPi R5S?
Well, it shows a very similar setup. However, my router (Fritz!Box) doesn't have an integrated firewall. This firewall function is supposed to be provided by the NanoPi running OpenWRT. Also, the diagram shows the 1 GbE port being used for management. I don't want that. The OpenWRT web GUI should be accessible from the entire local network via the NanoPi's IP address.
So, the NanoPi with OpenWRT is more than just a middleware device. It is the firewall.
Furthermore, there should only be one device after the NanoPi: the LAN port on the mini-PC, which runs the MacVLAN for my web services. The rest of the network is connected directly to the router before the NanoPi (and therefore not protected by the OpenWRT firewall). This may change at a later point in time...
Important question: Can I use the 1 GbE port on the NanoPi as an input and the two 2.5 GbE ports simultaneously as outputs (as shown in my diagram)?
But generally speaking, I gather from your words that my idea of using the NanoPi with OpenWRT as a transparent firewall between the router (FritzBox) and the mini-PC (web services in the MacVLAN) works? Is that correct?
I have the feeling we're on the same page, but we're still talking past each other.
When I say "transparent," I don't mean Layer 2 bridging.
OpenWRT should act as an additional router hop between the Fritz!Box and my Mini PC.
The Fritz!Box handles NAT and port forwarding, OpenWRT filters incoming traffic (blocklists, CrowdSec bouncers etc.), and the Mini PC only sees the cleaned requests.
So, for the Mini PC, OpenWRT is transparent because it doesn't see any new routing complexity – but OpenWRT can still actively filter.
Therefore, I only need classic Layer 3 firewalling, not an NFT bridge.
The three LAN ports on the NanoPi should be equally important. It shouldn't be the case that there are two ports for network traffic and one just for management. From what I've read, this should be configurable in OpenWRT.
Regardless, I still need an answer to the question of how to get OpenWRT from the SD card onto the eMMC flash drive. Does OpenWRT include a tool for this?
It takes a bit of experimenting. If you set the Fritz to passthrough mode, does it disable the DHCP server and NAT between LAN ports, or do you have to disable those and change the internal IP first?
D easy - gigabit goes to gigabit, 2.5 to 2.5 ports.
No, there's still one misunderstanding. The Fritz!Box shall do everything except the firewall. The NanoPi is pass-through and only a firewall, for the MacVLAN port in the mini PC only.
But the path through the NanoPi shall be from the 1 GbE port to one of the 2.5 GbE ports.
OK, it is a bridge/subnet with machines more or less.
By and large, you can have OpenWrt in a KVM machine inside your docker host, between the macvlan network and the (PCI passthrough?) physical port.
The Fritz!Box uses stateful packet inspection, IP masquerading and NAT.
That's what most people call a firewall.
So your definition of a firewall is something different?
Like Adguard Home and Pihole?
How do you want to disable this function in Fritz!OS?
The term "transparent firewall" probably isn't quite right for what I'm trying to do. It might be better to call it transparent filtering of requests. The Fritz!Box will still function as usual. However, I had to set up some port forwarding rules to make my web services, which run on the mini-PC, accessible. The Fritz!Box firewall doesn't cover these.
Currently, I'm using the CrowdSec plugin for Caddy as my reverse proxy in Docker. This provides dynamic, event-based protection. I'd also like to add static protection against blocklists. This means that OpenWRT should immediately drop requests from IP addresses on such a list and not even forward them to Caddy with CrowdSec.
For protection, I'm currently using the CrowdSec plugin for Caddy as my reverse proxy in Docker.
Here's an example of such a list that I'd like to include:
There also seems to be a CrowdSec bouncer that can block further attacks on the NanoPi that were only detected in CrowdSec within Docker. I'd like to integrate that as well.
In my opinion, something like this can't really be integrated well and securely into Docker. It would certainly work using Proxmox, but I don't have Proxmox installed. Furthermore, I think it would be good if requests outside the mini-PC were blocked beforehand, so that it doesn't become overloaded by a flood of requests it has to fend off, causing all services to stop working.
I thought banIP sets rules in a real firewall. Is that also possible in a filter bridge without NAT, etc.? I was thinking more along the lines of using nftables or ebtables. I'd have to write a script for that, but that should be possible via SSH on the device.
Using KVM is an elegant idea for testing, but I don't want to modify my Open Media Vault on my PC with it. There have apparently been occasional conflicts between KVM and Open Media Vault.
For playing around and testing OpenWRT, I can now use my old Fritz!Repeater 450E, which I got working after a day of working with OpenWRT.
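One way to express the blocklist drop rules that the earlier reply said you must write yourself with nft, and that the post above plans to script over SSH, as an added example that is not from this thread: a POSIX shell script that turns a one-address-per-line IPv4 list into an nftables ruleset in its own table, hooked ahead of OpenWrt's fw4. The list path, the table name "inet blocklist" and the set name "blocked4" are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: generate an nftables ruleset that drops
# packets from IPv4 addresses/CIDRs on a blocklist before fw4 sees them.
# Assumptions (hypothetical): the list file holds one IPv4 address or CIDR per
# line with optional '#' comments; OpenWrt's fw4 hooks at priority 0, so a
# separate "inet blocklist" table hooked at priority -10 is evaluated first.

# Normalise the list: strip comments and whitespace, keep only IPv4 entries
# (optionally /prefix), de-duplicate. Hostnames and IPv6 are ignored here.
filter_blocklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | sort -u
}

# Emit a complete, idempotent ruleset for `nft -f`: declaring the table before
# deleting it lets the script reload cleanly whether or not it already exists.
build_ruleset() {
    entries=$(filter_blocklist "$1" | tr '\n' ',' | sed 's/,$//')
    elements=""
    [ -n "$entries" ] && elements="        elements = { $entries }"
    cat <<EOF
table inet blocklist
delete table inet blocklist
table inet blocklist {
    set blocked4 {
        type ipv4_addr
        flags interval
$elements
    }
    chain input {
        type filter hook input priority -10; policy accept;
        ip saddr @blocked4 counter drop
    }
    chain forward {
        type filter hook forward priority -10; policy accept;
        ip saddr @blocked4 counter drop
    }
}
EOF
}

# Constructed sample list (documentation ranges, not real indicators).
sample=$(mktemp)
printf '# constructed sample\n203.0.113.0/24\n198.51.100.7\nbad line\n' > "$sample"
build_ruleset "$sample"   # on the router: build_ruleset /etc/blocklist.txt | nft -f -
rm -f "$sample"
```

The `counter` on each rule lets `nft list table inet blocklist` show how many packets the list actually dropped, which is the quickest check that the table is being hit before fw4.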
My NanoPi R5S arrived today, and I wanted to get it up and running with OpenWRT. I downloaded an OpenWRT image and wrote it to an SD card using balenaEtcher 2.1.4 under Windows 11. I tried a SanDisk 64 GB card and a generic 8 GB card for testing.
For testing purposes, I used the following images:
Unfortunately, the NanoPi R5S won't boot from it. Either it doesn't boot at all, or it seems to be booting from the FriendlyWRT image that was pre-installed on the eMMC flash memory. At least my Fritz!Box recognizes the device as FriendlyWRT. But even when the Fritz!Box recognizes it as OpenWRT, LuCI isn't accessible at its IP address, nor can an SSH connection be established. The IP address is only reachable via PING.
So how do I get OpenWRT running on the NanoPi R5S? Thanks for your tips!
It doesn't seem to boot from the image at all. After the first boot of OpenWRT, is the NanoPi a DHCP server or simply a network device? Why does the Fritz!Box then assign it its own IP address within the Fritz!Box network? If I connect it directly to a Linux PC via LAN cable, I get a network error message on the PC.