OpenWrt on Raspberry Pi 4B without USB3 Ethernet dongle

I’ve now been running OpenWRT on the Raspberry Pi 4B for three weeks with a little setback during the first week. Initially, I was using a USB3 to Gigabit Ethernet adapter based on the Realtek rtl8153 chipset, using the standard 8152 kmod present in the OpenWRT kernel. My family was complaining about problems with video, so eventually I decided to do something about it. I have always hated USB3 network adapters. I use a MacBook Pro, and I noticed that the official Apple Thunderbolt-to-Gigabit Ethernet adapter daisy-chained with the TB3-to-TB2 adapter beats any USB-based Gigabit Ethernet adapter. USB introduces flakiness into the Gigabit Ethernet connection. Sometimes USB-based Gigabit Ethernet adapters function at the line speed of 940 Mbps, but a few minutes later the throughput could be reduced by 1/3 or even by half. I’ve tried multiple devices with rtl8152, rtl8153, and rtl8156 chipsets, and they all have this problem. On the other hand, the TB-based Gigabit Ethernet adapter is a direct PCI bus to the chipset without any USB3 bus involved. (Unfortunately, Apple never bothered to update their adapter from TB2 to TB3; hence, two daisy-chained adapters are required on newer Macs, as described above.)

So, knowing all of that going into the OpenWRT on the Raspberry Pi 4B experiment, I actually expected that a USB3 Gigabit Ethernet network adapter could be problematic, and my family let me know that it actually was the case.

My solution was to eliminate the USB-based Gigabit Ethernet adapter altogether. Of course, the most obvious downside to that solution is that the 2 Gbps maximum theoretical bidirectional throughput of two Gigabit Ethernet ports used as LAN/WAN interfaces would be halved to 1 Gbps of maximum theoretical bidirectional throughput. However, curiously enough, for a home environment the real-life throughput would not be halved but reduced by the amount of the bandwidth used in the upstream (from the home LAN to the Internet) direction. For asymmetric Internet connections the math is even better. For example, if your Internet bandwidth is 1 Gbps down / 40 Mbps up, then you are likely to enjoy up to 900 Mbps download speed while using just one physical interface on the Raspberry Pi 4B. Just make sure you configure SQM correctly with 900 Mbps download bandwidth and 40 Mbps upload bandwidth for a total of 940 Mbps (which is the maximum that the Raspberry Pi can push in one direction on a physical interface).

So, by eliminating the USB to Gigabit Ethernet adapter you are not losing a lot of download bandwidth but you are improving the quality of the routing system dramatically by jettisoning the flaky USB-based Ethernet controller.

So, how do you configure this? It’s really easy. All you need to do is create VLANs under the on-board Gigabit Ethernet controller (usually eth0). As an example, eth0.10 (VLAN10) is used as the WAN interface and eth0.20 (VLAN 20) is used as the LAN interface. I would also create another interface in OpenWRT, call it RECOVERY, associate it with eth0 and assign a static IP to it. This interface would be used for troubleshooting/recovery purposes allowing a direct connection with a computer without having to configure VLANs in a computer OS. That’s all! You can even make this change in /etc/config/network and then reload the network daemon: /etc/init.d/network reload.

So now that we have configured OpenWRT with two tagged VLANs and matching VLAN SVIs (LAN and WAN), we need a VLAN-aware switch to assist the Raspberry Pi in using the same physical interface for both LAN and WAN SVIs. It’s absolutely not a problem, though, because TP-Link has very inexpensive 5-port and 8-port Gigabit Ethernet Easy Smart switches (they are simplified managed switches that have VLAN and some QoS capabilities). There are non-PoE and PoE+ versions of these switches. The non-PoE 5-port Gigabit Ethernet Easy Smart switch costs $25 on Amazon. You could get a PoE+ version of this switch for $60. Add a PoE splitter for another $17, and you can power your Raspberry Pi from the PoE+ switch and free up one outlet on your UPS. You can also buy another PoE splitter for your modem to power your modem from the PoE+ switch and free up another outlet on your UPS. Since I'm posting links to specific devices here, I would highly recommend the Argon Neo case for the Raspberry Pi 4B used as a router/firewall. Do not buy the version with a fan. The case passively cools the Raspberry Pi used as a router/firewall with no issues whatsoever.
Note: The other Argon case (Argon One) has circuitry that prevents the Raspberry Pi from automatically powering up after the power is lost and then restored, so even though the Argon One is a very nice case and should be considered for the Raspberry Pi used as a desktop for sure, it is not suitable for the router/firewall use case.

So, this is what you need to do on the switch:
Port 1: assign VLAN 10
Port 2: configure as 802.1q trunk
Ports 3-5 (or 3-8): assign VLAN 20

Connect your modem to switch port 1. Connect your Raspberry Pi 4B’s onboard Gigabit Ethernet controller to switch port 2. Plug your other wired devices (including your Wi-Fi AP) into ports 3-5 (or ports 3-8). If you want to further segment your network into additional VLANs, create more SVIs (interfaces) in OpenWRT and assign them to eth0.X, eth0.Y, etc., where X, Y, etc. are VLAN numbers. Then, assign matching VLAN numbers to certain ports in the range 3-5 (or 3-8). If your Wi-Fi AP (or other device) that you want to connect to the switch is VLAN-capable, then configure the port on the switch to which this device is connected as an 802.1q trunk but MAKE SURE that you disallow VLAN 10 on that switch port. This step will ensure that the traffic from the Internet arriving on switch port 1 on VLAN 10 can only get to switch port 2, where it will be received by OpenWRT’s WAN interface (eth0.10), so that this traffic cannot leak into your LAN bypassing the OpenWRT firewall.

If you already have a managed VLAN-aware switch, then you don’t even have to buy a TP-Link switch. As long as you have two spare ports on your managed switch, configure one of them with VLAN 10 to connect the modem, and configure the other one as 802.1q trunk for connecting the Raspberry Pi 4B. Then, configure all remaining ports for VLAN 20 (or any other VLAN ID other than VLAN10 that you configured in OpenWRT to further segment your LAN). Just make sure to disallow VLAN 10 from any existing or new 802.1q trunk port on the existing switch to preclude the Internet traffic from leaking into your LAN bypassing the OpenWRT firewall.

I hope this solution will come in handy to those who decided to use their Raspberry Pi 4B as the OpenWRT firewall.

Now that the Raspberry Pi Foundation has announced the Compute Module 4 and the official IO board with a PCIe x1 port, it will be possible to use a PCIe-based secondary Ethernet interface (single 1 Gbps, dual 1 Gbps, quad 1 Gbps, single 2.5 Gbps, or dual 2.5 Gbps) for a bidirectional throughput of up to 5 Gbps. But as of now, there are no cases available for the CM4 mounted on the IO board, and having the naked electronic boards used as a router is not an appealing solution. So, for those with symmetric Internet connections of up to 500 Mbps or for those with asymmetric connections of up to 1 Gbps downstream, the solution I’ve proposed here should work really well. At least it’s working well for me. With SQM configured, this is the best home firewall solution bar none. Even pfSense can’t compare because of how effective SQM is as a QoS algorithm. And I’m saying this as a network engineer with 20+ years in the industry who has been designing QoS solutions for very large enterprises for many years.

5 Likes
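The /etc/config/network layout described in the post (WAN on eth0.10, LAN on eth0.20, an untagged RECOVERY interface on eth0, plus one extra segment to show further segmentation), written out as an added example; this is not the author's own config file. The addresses (192.168.20.0/24 for LAN, 192.168.30.0/24 for the extra segment, 192.168.99.1 for recovery) and the interface name `iot` are assumptions. The syntax is the OpenWrt 19.07-era `ifname` form that was current when this thread was written; on 21.02 and later, `ifname` becomes `option device` and each VLAN gets its own `config device` section. The firewall zone excerpt is included because it is the half that actually keeps VLAN 10 traffic out of the LAN once it reaches the Pi.

```uci
# /etc/config/network  (OpenWrt 19.07-style syntax; added example, addresses are assumed)

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# WAN: tagged VLAN 10 on the on-board NIC. The modem sits on switch port 1
# (untagged, VLAN 10); the Pi sits on trunk port 2. netifd creates eth0.10
# as an 802.1Q sub-interface when it is referenced here.
config interface 'wan'
	option ifname 'eth0.10'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.10'
	option proto 'dhcpv6'

# LAN: tagged VLAN 20 on the same NIC.
config interface 'lan'
	option ifname 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# Extra segment (assumed name/addresses): tagged VLAN 30, only delivered to the
# switch ports you assign to VLAN 30.
config interface 'iot'
	option ifname 'eth0.30'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# RECOVERY: untagged eth0, reachable with a cable plugged straight into the Pi
# and no VLAN configuration on the laptop. Address chosen outside every other subnet.
config interface 'recovery'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'

# /etc/config/firewall  (zone excerpt; the rules/forwardings are the stock ones)

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'lan'
	list network 'lan'
	list network 'recovery'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# iot gets its own zone and may only forward to wan (no forwarding to lan)
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'
```

Apply with `/etc/init.d/network reload` followed by `/etc/init.d/firewall reload`, then confirm the sub-interfaces exist with `ip -d link show eth0.10` (it should report `vlan protocol 802.1Q id 10`). Two checks worth doing before trusting the setup: every interface must land in a zone (an interface in no zone is not covered by the input/forward policies), and on the switch the trunk port's PVID must not be VLAN 10, because untagged frames from the Pi, which is exactly what the recovery interface sends, would otherwise be placed on the modem's segment.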

Nice write up.

A big caveat on the TP-Link SG108E switch is that the management server listens on all the VLANs. This is a bad design, but it can be worked around if security isn't critical in your application. The important workaround is to turn off the DHCP client in the switch and set it with a static IP in your LAN range. If the DHCP client is active, there will be a race condition where it may take your single public IP from the cable modem, which will break the network.

The Zyxel GS1200 series is at a similar price point to the TP Link and has a much better user interface. Unfortunately they don't offer one with PoE. The GS1900 series is a lot more professional. Also there is work on porting OpenWrt to certain GS1900 models.
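The switch-side port plan from the first post (modem on port 1 / VLAN 10, Pi on trunk port 2, LAN ports on VLAN 20, and the rule that no other trunk may carry VLAN 10) has no CLI on an Easy Smart switch, so mistakes are only found after they are clicked into the web UI. The script below is an added example, not something from the original posts: it models a small 802.1Q switch (PVID for untagged ingress, per-VLAN tagged/untagged egress membership, ingress filtering) and audits a plan for the leak the post warns about, plus the trunk-PVID problem noted above. The port tables are constructed; the PVID of 99 on the trunk port is this example's own choice of a "parking" VLAN with no other members, so untagged frames from the Pi go nowhere.

```python
"""Audit a planned 802.1Q port/VLAN table before typing it into a switch web UI.

Added example, not from the original posts. The layout mirrors the first post
(modem on port 1 / VLAN 10, Raspberry Pi on trunk port 2, LAN on VLAN 20);
the trunk PVID of 99 and the VLAN 30 segment are this example's assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs this port emits without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs this port emits with an 802.1Q tag

    @property
    def members(self) -> Set[int]:
        return self.untagged | self.tagged


Switch = Dict[int, Port]  # port number -> Port


def egress_ports(switch: Switch, ingress: int, vid: Optional[int] = None) -> Set[int]:
    """Ports a frame entering `ingress` is flooded to. vid=None means the frame is untagged."""
    port = switch[ingress]
    vlan = port.pvid if vid is None else vid
    # Ingress filtering: a tagged frame for a VLAN the port is not a member of is dropped.
    if vid is not None and vid not in port.members:
        return set()
    return {n for n, p in switch.items() if n != ingress and vlan in p.members}


def audit(switch: Switch, modem_port: int, router_port: int, wan_vid: int) -> List[str]:
    """Return findings; an empty list means WAN traffic can only reach the router port."""
    findings: List[str] = []
    # 1. Untagged frames from the modem must reach the router port and nothing else.
    leak = egress_ports(switch, modem_port) - {router_port}
    if leak:
        findings.append(f"WAN traffic from port {modem_port} reaches ports {sorted(leak)} "
                        f"besides the router port")
    # 2. No other port (in particular no AP trunk) may be a member of the WAN VLAN.
    for n, p in switch.items():
        if n not in (modem_port, router_port) and wan_vid in p.members:
            findings.append(f"port {n} carries VLAN {wan_vid}; remove it from that port")
    # 3. The router must receive the WAN VLAN tagged, or eth0.<wan_vid> never sees the modem.
    if wan_vid not in switch[router_port].tagged:
        findings.append(f"router port {router_port} must carry VLAN {wan_vid} tagged")
    # 4. The trunk's PVID is where the Pi's untagged (recovery) frames land.
    if switch[router_port].pvid == wan_vid:
        findings.append(f"router port {router_port} PVID is {wan_vid}: the Pi's untagged "
                        f"recovery interface would sit on the modem segment")
    # 5. Every LAN-side access VLAN must be tagged towards the router to be routed at all.
    lan_vids = {p.pvid for n, p in switch.items() if n not in (modem_port, router_port)}
    for vid in sorted(lan_vids):
        if vid not in switch[router_port].tagged:
            findings.append(f"VLAN {vid} is used on a LAN port but not tagged to the router")
    return findings


def good_plan() -> Switch:
    """Constructed 5-port plan following the first post, with one extra segment."""
    return {
        1: Port(pvid=10, untagged={10}),          # modem
        2: Port(pvid=99, tagged={10, 20, 30}),    # Raspberry Pi, 802.1Q trunk
        3: Port(pvid=20, untagged={20}),          # LAN
        4: Port(pvid=20, untagged={20}),          # LAN
        5: Port(pvid=30, untagged={30}),          # device on its own segment
    }


def bad_plan() -> Switch:
    """Same plan with two mistakes: an AP trunk allowed VLAN 10, and trunk PVID 10."""
    plan = good_plan()
    plan[2] = Port(pvid=10, tagged={10, 20, 30})
    plan[5] = Port(pvid=20, untagged={20}, tagged={10, 30})
    return plan


if __name__ == "__main__":
    for name, plan in (("good", good_plan()), ("bad", bad_plan())):
        print(name, audit(plan, modem_port=1, router_port=2, wan_vid=10) or "OK")
```

The model is deliberately simple (flooding only, no MAC learning), which is enough for the question that matters here: given the membership table, which ports can a frame arriving from the modem ever reach. Run it on the table you intend to configure and fix every finding before plugging the modem in.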

Is this a problem with SG-105E switches?

I hear that if one wants to get an SG-105E, it should be hardware version 3 because some of the improvements with VLANs implemented in the latest firmware only apply to hardware version 3.

Also, a managed switch should never stay on DHCP-assigned IP address. The management IP should always be manually assigned. If the user knows enough to be able to manage a switch, the user should be able to assign a static IP to the switch. I can see that the DHCP client feature is necessary for a managed switch without a console port so that the initial IP address could be assigned by DHCP for accessing the switch initially, but as soon as the switch is accessed, the user should change the IP to a static one and turn the DHCP feature off.

In my case, I am using a Cisco enterprise switch, so my advice to get a TP-Link Easy Smart switch is based purely on the very reasonable price point. Also, this is obviously for home use (and perhaps very small business use), so there’s no need to buy expensive switches. As long as these TP-Link switches serve the purpose, they should be considered. The whole OpenWRT routing solution based on the Raspberry Pi 4B can be had for as little as $90, including the Raspberry Pi board, the case, the power supply, the switch, the SD card, and all required Ethernet cables. Or, if one goes with a POE+ switch, the total price could be a little over $145.

At these price points, I would go as far as to recommend getting two Raspberry Pi 4B boards, two power supplies (or a power supply and a POE splitter), two microSD cards, a couple extra Ethernet cables and two SG105E switches just to have cold spares to preclude any prolonged Internet outage in case one of these parts goes bad. Even at double the price (if buying spares), this is still an amazing price point for a home router/firewall solution. To provide a comparison, Ubiquiti is about to release their flagship “enterprise” UniFi UXG-Pro router/firewall for $500, which has less compute power than the Raspberry Pi 4B. And with the terrible customer service that Ubiquiti is known for, one should buy two of their devices to have a cold spare on hand.

1 Like

25 posts were split to a new topic: OpenWrt installation on Raspberry Pi 4B