OpenWrt with only one Ethernet port

Goal:
Use OpenWrt as a VPN.

I need OpenWrt to connect to the internet, and for that I set up an interface with a static IP and connect it to my ISP router.

I then managed to configure a proxy (v2ray) to run on the OpenWrt device (HP T240 - generic x86/64). The proxy has checks in the LuCI interface, so I know it is working there.

But I can't manage to create another interface to connect to the OpenWrt device and route my PC's traffic through it: PC -> OpenWrt -> Proxy.

I assume it has to be a virtual device but I couldn't do it. Searching didn't help either.

That would only be possible with VLANs and a VLAN-aware device on the other end of the link (e.g. a managed switch); whether your ISP router can be configured that way is rather questionable (most likely not).

The pragmatic alternative would be adding a second Ethernet card to your T240, even if via USB3.

I created another interface with a static IP (192.168.x.1) on the bridged LAN device without a default gateway and set up a DHCP server for it. This seems to work just fine.

So basically the following setup works:

ISP router => DHCP:off - Change IP range - 192.168.3.1
OpenWrt: 
Interface1: Static IP to ISP router 192.168.3.100 - Firewall: wan - Device: @lan
Interface2: Static IP 192.168.4.1 - Empty default gateway - Firewall: lan - Device: br-lan - DHCP server: on

From the sound of it, it may not be okay to do this. This may cause problems, including network issues or security vulnerabilities and/or a false sense of security.

We can review your configuration if you’d like.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@By-AmirHossein:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "By-AmirHossein",
        "system": "Intel(R) Atom(TM) x5-Z8350  CPU @ 1.44GHz",
        "model": "HP HP t240 Thin Client",
        "board_name": "hp-hp-t240-thin-client",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@By-AmirHossein:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd96:61ac:5646::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.13.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipv6 '0'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'wan'
        option proto 'static'
        option device '@lan'
        option ipaddr '192.168.12.201'
        option netmask '255.255.255.0'
        option gateway '192.168.12.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

root@By-AmirHossein:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@By-AmirHossein:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option localuse '1'
        option rebind_domain 'www.ebanksepah.ir 
my.irancell.ir'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@By-AmirHossein:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan6'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'passwall2'
        option type 'script'
        option path '/var/etc/passwall2.include'
        option reload '1'

config include 'passwall2_server'
        option type 'script'
        option path '/var/etc/passwall2_server.include'
        option reload '1'

I have installed passwall on OpenWrt for the v2ray proxy/VPN.

This is not a recommended construct as you are mixing two untagged networks on the same port. This may lead to issues with both network stability and security.

As mentioned earlier, this can only be done properly with a managed switch and VLANs, or with a second Ethernet port.

Alright. I'll buy a USB network card.
Thanks.

Can you explain the security aspect of it? Just curious.

Anything connected to that port (directly or indirectly such as via a switch) can connect to either network. There is nothing to enforce which network a device joins, both in terms of intentional or accidental connections to the wrong network.

How does that become a security concern?
This is convenient for me. I can easily switch the networks I'm connecting to by changing the IP on the connected device, as I also have more than one internet service and sometimes I need to switch between them. Even if I get another Ethernet port, I'm going to connect them together via a switch.
Just trying to learn how this can go wrong and improve it.

In your case, maybe it's not a real security issue, assuming:

  1. both networks are fully/equally trusted
  2. you have manual control of the hosts to ensure they are on the desired network
  3. you don't need to worry about either network with respect to 'unauthorized' users joining one or the other arbitrarily (i.e. a guest or IoT device, etc.).
  4. you're only running a DHCP server on at most one of those networks.

If any of those are not true, you may want to reconsider the approach.

It is, however, bad practice to have multiple untagged networks on a single port, and may cause headaches in terms of performance and reliability (security aside).

This is usually handled by something like mwan3 (and maybe policy based routing (PBR)) to steer traffic according to the need (such as failover, round robin, specific domains and/or services via one wan with others over the other, or specific devices or subnets to use one wan vs the other).

First, why would you do that? Second, it will almost certainly break your network due to switching loops unless you are talking about using bonding/link aggregation (you'll need a switch that can do this).

If you want to learn and improve your network topology, I'd recommend that you consider either a managed switch and/or another ethernet port on your device. What you're doing now may actually function without any noticeable issues under some or even many circumstances, but it is far from ideal and is generally sloppy network design. If you're okay with a band-aid / duct-tape solution, that's fine... but if you want to learn to do it correctly, we can help you with that.
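An added check, not from this thread or the OpenWrt project, that makes the "two untagged networks on one port" point concrete: it parses UCI network text in the single-quoted form that `cat /etc/config/network` prints (the samples below are constructed, not the poster's full file), follows `@lan` aliases and bridge ports down to the physical port, and reports any port that carries more than one untagged interface. A VLAN sub-device (`8021q`, or the legacy `eth0.N` name) on that port is treated as tagged and not reported, which is the VLAN/managed-switch layout the replies recommend.

```python
import re

def parse_uci(text):
    """Parse UCI config text into a list of (type, name, {key: [values]}) sections."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if m and m.group(1) == "config":
            sections.append((m.group(2), m.group(3), {}))
        elif m:
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections

def untagged_ports(dev, sections):
    """Resolve a device name ('br-lan', '@lan', 'eth0.12') to its untagged physical ports."""
    if dev.startswith("@"):  # '@lan' borrows another interface's device
        owner = [o for t, n, o in sections if t == "interface" and n == dev[1:] and "device" in o]
        return untagged_ports(owner[0]["device"][0], sections) if owner else set()
    for t, _, o in sections:
        if t == "device" and o.get("name", [""])[0] == dev:
            dtype = o.get("type", [""])[0]
            if dtype in ("8021q", "8021ad"):  # VLAN sub-device carries a tag: not untagged
                return set()
            if dtype == "bridge":
                return set().union(*[untagged_ports(p, sections) for p in o.get("ports", [])])
    if re.search(r"\.\d+$", dev):  # legacy 'eth0.12' notation is tagged as well
        return set()
    return {dev}

def shared_untagged_ports(text):
    """Return {port: [interfaces]} for ports carrying more than one untagged L3 interface."""
    sections = parse_uci(text)
    users = {}
    for t, name, o in sections:
        if t == "interface" and "device" in o:
            for port in untagged_ports(o["device"][0], sections):
                users.setdefault(port, []).append(name)
    return {p: i for p, i in users.items() if len(i) > 1}

# Constructed samples: the thread's lan + wan-on-'@lan' layout, then wan moved onto a VLAN tag.
POSTED = "\n".join(["config device", "option name 'br-lan'", "option type 'bridge'", "list ports 'eth0'",
                    "config interface 'lan'", "option device 'br-lan'",
                    "config interface 'wan'", "option device '@lan'"])
TAGGED = POSTED.replace("'@lan'", "'eth0.12'") + "\n" + "\n".join(
    ["config device", "option name 'eth0.12'", "option type '8021q'", "option ifname 'eth0'", "option vid '12'"])

if __name__ == "__main__":
    print(shared_untagged_ports(POSTED))  # {'eth0': ['lan', 'wan']}
    print(shared_untagged_ports(TAGGED))  # {}
```

Run it against your own `/etc/config/network` by passing the file's text to `shared_untagged_ports`; an empty result means every L3 interface has its own port or VLAN.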

All 4 points are true in my case. I usually don't run any DHCP server at all and connect manually to the desired network.
I thought about it and figured having two physically separate ports might not be a bad idea. I can put all the ISP internet networks on one Ethernet port of the OpenWrt router and route them through OpenWrt out the other port with multiple interfaces. I still put multiple networks on one port, but at least it goes through OpenWrt and only in one direction, you could say.
I also usually connect only one device to this network. I have a physically separate router for other devices and guests.

I appreciate it. I wouldn't mind having a bit more secure and reliable setup.
