I’ve now been running OpenWRT on the Raspberry Pi 4B for three weeks, with a little setback during the first week. Initially, I was using a USB3 to Gigabit Ethernet adapter based on the Realtek rtl8153 chipset, using the standard 8152 kmod present in the OpenWRT kernel. My family was complaining about problems with video, so eventually I decided to do something about it. I always hated USB3 network adapters. I use a MacBook Pro, and I noticed that the official Apple Thunderbolt-to-Gigabit Ethernet adapter daisy-chained with the TB3-to-TB2 adapter beats any USB-based Gigabit Ethernet adapter. USB introduces flakiness into the Gigabit Ethernet connection. Sometimes USB-based Gigabit Ethernet adapters function at the line speed of 940 Mbps, but a few minutes later the throughput could be reduced by 1/3 or even by half. I’ve tried multiple devices with rtl8152, rtl8153, and rtl8156 chipsets, and they all have this problem. On the other hand, the TB-based Gigabit Ethernet adapter is a direct PCI bus to the chipset without any USB3 bus involved. Unfortunately, Apple never bothered to update their adapter from TB2 to TB3; hence, two daisy-chained adapters are required on newer Macs, as described above.
So, knowing all of that going into the OpenWRT on the Raspberry Pi4B experiment, I actually expected that a USB3 gigabit Ethernet network adapter could be problematic, and my family let me know it was actually the case.
My solution was to eliminate the USB-based Gigabit Ethernet adapter altogether. Of course, the most obvious downside to that solution is that the 2 Gbps maximum theoretical bidirectional throughput of two Gigabit Ethernet ports used as LAN/WAN interfaces would be halved to 1 Gbps of maximum theoretical bidirectional throughput. However, curiously enough, for a home environment the real-life throughput would not be halved but reduced only by the amount of bandwidth used in the upstream (from the home LAN to the Internet) direction. For asymmetric Internet connections the math is even better. For example, if your Internet bandwidth is 1 Gbps down / 40 Mbps up, then you are likely to enjoy up to 900 Mbps download speed while using just one physical interface on the Raspberry Pi 4B. Just make sure you configure SQM correctly with 900 Mbps download bandwidth and 40 Mbps upload bandwidth for a total of 940 Mbps (which is the maximum that the Raspberry Pi can push in one direction on a physical interface).
So, by eliminating the USB to Gigabit Ethernet adapter you are not losing a lot of download bandwidth but you are improving the quality of the routing system dramatically by jettisoning the flaky USB-based Ethernet controller.
So, how do you configure this? It’s really easy. All you need to do is create VLAN sub-interfaces under the on-board Gigabit Ethernet controller (usually eth0). As an example, eth0.10 (VLAN 10) is used as the WAN interface and eth0.20 (VLAN 20) is used as the LAN interface. I would also create another interface in OpenWRT, call it RECOVERY, associate it with the untagged eth0 and assign a static IP to it. This interface would be used for troubleshooting/recovery purposes, allowing a direct connection with a computer without having to configure VLANs in the computer’s OS. That’s all! You can even make this change in /etc/config/network and then reload the network daemon: /etc/init.d/network reload.
So now that we have configured OpenWRT with two tagged VLANs and matching VLAN SVIs (LAN and WAN), we need a VLAN-aware switch to assist the Raspberry Pi in using the same physical interface for both LAN and WAN SVIs. It’s absolutely not a problem, though, because TP-Link has very inexpensive 5-port and 8-port Gigabit Ethernet Easy Smart switches (they are simplified managed switches that have VLAN and some QoS capabilities). There are non-PoE and PoE+ versions of these switches. The non-PoE 5-port Gigabit Ethernet Easy Smart switch costs $25 on Amazon. You could get a PoE+ version of this switch for $60. Add a PoE splitter for another $17, and you can power your Raspberry Pi from the PoE+ switch and free up one outlet on your UPS. You can also buy another PoE splitter for your modem to power your modem from the PoE+ switch and free up another outlet on your UPS. Since I'm posting links to specific devices here, I would highly recommend the Argon Neo case for the Raspberry Pi 4B used as a router/firewall. Do not buy the version with a fan. The case passively cools the Raspberry Pi used as a router/firewall with no issues whatsoever.
Note: The other Argon case (Argon One) has circuitry that prevents the Raspberry Pi from automatically powering up after the power is lost and then restored, so even though the Argon One is a very nice case and should be considered for a Raspberry Pi used as a desktop for sure, it is not suitable for the router/firewall use case.
So, this is what you need to do on the switch:
Port 1: assign VLAN 10
Port 2: configure as 802.1q trunk
Ports 3-5 (or 3-8): assign VLAN 20
Connect your modem to switch port 1. Connect your Raspberry Pi 4B’s onboard Gigabit Ethernet controller to switch port 2. Plug your other wired devices (including your Wi-Fi AP) into ports 3-5 (or ports 3-8). If you want to further segment your network into additional VLANs, create more SVIs (interfaces) in OpenWRT and assign them to eth0.X, eth0.Y, etc., where X, Y, etc. are VLAN numbers. Then, assign matching VLAN numbers to certain ports in the range 3-5 (or 3-8). If a Wi-Fi AP (or other device) that you want to connect to the switch is VLAN-capable, then configure the switch port to which this device is connected as an 802.1q trunk, but MAKE SURE that you disallow VLAN 10 on that switch port. This step ensures that the traffic from the Internet arriving at switch port 1 on VLAN 10 can only get to switch port 2, where it will be received by OpenWRT’s WAN interface (eth0.10), so that this traffic cannot leak into your LAN bypassing the OpenWRT firewall.
If you already have a managed VLAN-aware switch, then you don’t even have to buy a TP-Link switch. As long as you have two spare ports on your managed switch, configure one of them with VLAN 10 to connect the modem, and configure the other one as an 802.1q trunk for connecting the Raspberry Pi 4B. Then, configure all remaining ports for VLAN 20 (or any other VLAN ID other than VLAN 10 that you configured in OpenWRT to further segment your LAN). Just make sure to disallow VLAN 10 on every existing or new 802.1q trunk port on the existing switch to preclude the Internet traffic from leaking into your LAN bypassing the OpenWRT firewall.
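As an added example (not part of the original post, and not TP-Link’s or OpenWRT’s own tooling), here is a small Python model of the switch’s 802.1Q membership table from the steps above, with a check that VLAN 10 can reach only the modem port and the Pi’s trunk port, plus the “disallow VLAN 10” fix for a trunk that leaks. The port table is constructed here; port 6 is a hypothetical extra trunk for a VLAN-capable AP, and the check works for any WAN VLAN id and port assignment, not just 10/1/2.

```python
# Added example: verify that the WAN VLAN is confined to the modem port and the
# Pi's trunk port on a VLAN-aware switch. Port numbers and VLAN ids follow the
# post; the membership table below is constructed for illustration.
WAN_VLAN, LAN_VLAN = 10, 20
MODEM_PORT, PI_PORT = 1, 2

# Constructed table: port -> (PVID, {vlan: "tagged" | "untagged"}).
# Port 6 is a hypothetical trunk to a VLAN-capable AP that wrongly allows VLAN 10.
SWITCH = {
    1: (10, {10: "untagged"}),
    2: (20, {10: "tagged", 20: "tagged"}),
    3: (20, {20: "untagged"}),
    4: (20, {20: "untagged"}),
    5: (20, {20: "untagged"}),
    6: (20, {10: "tagged", 20: "tagged"}),
}

def find_wan_leaks(switch, wan_vlan=WAN_VLAN, modem_port=MODEM_PORT, pi_port=PI_PORT):
    """Return a list of problems; an empty list means the WAN VLAN is contained."""
    problems = []
    for port, (pvid, members) in sorted(switch.items()):
        if port == modem_port:
            # The modem sends untagged frames; they must land in the WAN VLAN only.
            if members != {wan_vlan: "untagged"} or pvid != wan_vlan:
                problems.append(f"port {port}: modem port must be untagged in VLAN {wan_vlan} only")
        elif port == pi_port:
            # OpenWRT receives WAN traffic on eth0.<wan_vlan>, so it must arrive tagged.
            if members.get(wan_vlan) != "tagged":
                problems.append(f"port {port}: Pi trunk must carry VLAN {wan_vlan} tagged")
        elif wan_vlan in members or pvid == wan_vlan:
            # Any other port carrying the WAN VLAN lets Internet traffic into the LAN
            # without passing through the OpenWRT firewall.
            problems.append(f"port {port}: VLAN {wan_vlan} allowed, bypasses the OpenWRT firewall")
    return problems

def fix_trunk(switch, port, wan_vlan=WAN_VLAN):
    """Return a copy of the table with the WAN VLAN removed from one trunk port."""
    pvid, members = switch[port]
    members = {v: m for v, m in members.items() if v != wan_vlan}
    return {**switch, port: (pvid, members)}

if __name__ == "__main__":
    for problem in find_wan_leaks(SWITCH):
        print("LEAK:", problem)
    print("after fix:", find_wan_leaks(fix_trunk(SWITCH, 6)))
```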
I hope this solution will come in handy to those who decided to use their Raspberry Pi 4B as the OpenWRT firewall.
Now that the Raspberry Pi Foundation has announced the Compute Module 4 and the official IO board with a PCIe x1 port, it will be possible to use a PCIe-based secondary Ethernet interface (single 1 Gbps, dual 1 Gbps, quad 1 Gbps, single 2.5 Gbps, or dual 2.5 Gbps) for a bidirectional throughput of up to 5 Gbps. But as of now, there are no cases available for the CM4 mounted on the IO board, and having the naked electronic boards used as a router is not an appealing solution. So, for those with symmetric Internet connections of up to 500 Mbps or for those with asymmetric connections of up to 1 Gbps downstream, the solution I’ve proposed here should work really well. At least it’s working well for me. With SQM configured, this is the best home firewall solution bar none. Even pfSense can’t compare because of how effective SQM is as a QoS algorithm. And I’m saying this as a network engineer with 20+ years in the industry who has been designing QoS solutions for very large enterprises for many years.