OpenWRT as transparent firewall on a NanoPi R5S

Hello everyone.

Yesterday, I set up my idea for filtering against a blocklist of IP addresses on my NanoPi. The idea was to set up bridge filtering with nftables, since, as I mentioned, I want to position the NanoPi transparently between the router (Fritz!Box) and the mini-PC running the web services in Docker. For testing purposes, I connected it between the Fritz!Box and my Windows PC. I used the IPV64 list (with 26,747 IP addresses) as the blocklist.

The setup and filtering worked well in principle. With blocked IP addresses, even a ping fails. Very good.

However, I'm seeing that the performance is very inconsistent. When pinging from the Windows PC through the NanoPi to the internet, there were frequent timeouts; websites sometimes loaded quickly, sometimes slowly. Even the SSH connection to the NanoPi kept dropping.

I've read that bridge filtering requires more resources than routing-based filtering. I'm now wondering if my idea of bridge filtering wasn't such a good one after all. Or are these performance issues normal when filtering against such large lists? Would router-based filtering really be more performant?

Has anyone here had experience with bridge filtering? What are your thoughts?

Thanks and best regards,
Mic.
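As an added example (not code from the post above): one way to turn a large IP blocklist into a single nftables named set in the bridge family, so that forwarded frames are checked with one set lookup per direction. The list format (one IPv4 address or CIDR per line, `#` comments), the table name `blockfilter` and the set name `blocklist4` are assumptions.

```python
import ipaddress

# Constructed sample (documentation ranges); assumed format: one IPv4 address or CIDR per line, "#" comments.
SAMPLE = """# constructed sample
192.0.2.10
192.0.2.11
198.51.100.0/25
198.51.100.128/25
203.0.113.7  # trailing comment
not-an-ip
2001:db8::1
"""

def parse_blocklist(text):
    """Return (collapsed IPv4 networks, rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None
        if net is None or net.version != 4:  # IPv4-only sketch
            rejected.append(raw)
        else:
            nets.append(net)
    # collapse_addresses merges duplicates, neighbours and overlapping prefixes
    return list(ipaddress.collapse_addresses(nets)), rejected

def render_nft(nets, table="blockfilter", set_name="blocklist4"):
    """Render a bridge-family ruleset; table and set names are hypothetical."""
    body = "elements = { " + ", ".join(map(str, nets)) + " }" if nets else "# empty list"
    return f"""table bridge {table} {{
    set {set_name} {{
        type ipv4_addr
        flags interval
        {body}
    }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ip saddr @{set_name} drop
        ip daddr @{set_name} drop
    }}
}}
"""

if __name__ == "__main__":
    print(render_nft(parse_blocklist(SAMPLE)[0]))
```

The rendered text can be syntax-checked with `nft -c -f <file>` before it is loaded; rejected lines are returned separately so that malformed or IPv6 entries are visible rather than silently dropped.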

Hello everyone.

Even though it's not entirely on topic, I have a question about setting up OpenWRT as a router for a subnet behind a Fritz!Box. My provider gives me a /56 IPv6 prefix, and I'd like to use prefix delegation. I've enabled IA_PD and IA_NA on the Fritz!Box. What do I need to enable in OpenWRT so that it accepts the Fritz!Box's delegation and, if necessary, delegates it further to downstream devices?

In the WAN interface of LuCI, there's the option "DHCP Client" or "DHCPv6 Client". Which should I use if I want to use both IPv4 and IPv6 simultaneously in all networks and also open ports from the internet?

Thanks and regards,
Mic.

The defaults (wan with dhcp and wan6 with dhcpv6) will do just that; whether the F!Box will play ball is another topic though, as its configurability is rather limited.

So far, I've configured everything in the LAN-BR interface. I've neglected the two WAN interfaces. Does this mean that if I activate "DHCP Client" in the WAN interface and "DHCPv6 Client" in the WAN6 interface, and the Fritz!Box offers a delegated IPv6 prefix, then OpenWRT will automatically take care of using it and distributing it within its own network (then in LAN-BR)?

In the Fritz!Box, you can only activate IA_PD and IA_NA, but not configure them further. That should actually be sufficient.

Hi everyone,

A beginner question (off-topic): I've installed OpenWRT 25.12-rc5 on my NanoPi, and now an official final release has been published. Can I install it using the downloadable image file in LuCI on the eMMC of my NanoPi R5S, or will it be offered to me automatically as a firmware update?

For installation via LuCI, do I use the *.gz file or the extracted *.img file?

Thanks and regards,
Mic.