Query about topology and operation in OpenWrt

ramses · September 6, 2018, 8:52am

Dear gentlemen,

I want ask you if a need that I have is possible.

There are some firewalls that I can intercalate between the router and the LAN, in bridge mode, without changes in the router neither on LAN devices.

The doubt is: Can I do this with a router with OpenWRT and to filter trafic form/to LAN from/to Operator Router, by example, Parental Control, Layer 2 Firewall, etc...?

The scheme would be:

Origin Schema: Operator Router <---> LAN Switch
Final Schema: Operator Router <---> OpenWRT Router <---> LAN Switch

Without changing nothing in the Operator Router or in the LAN Devices.

Regards,

Ramses

jeff · September 6, 2018, 2:10pm

It's often called "transparent firewall" or "bridged firewall"

Yes, it would be implemented kernel-level features than can be managed with OpenWrt and the appropriate kernel modules.

ramses · September 7, 2018, 6:19am

@Jeff, very thanks by your answer.

Can you tell me if there is a howto to configure the router in this mode with OpenWRT?

Regards,

Ramses

jeff · September 7, 2018, 1:24pm

No, there isn't one I know of. It's a rather uncommon topology for home users.

You'd need to set up a management interface and then bridge the "outside" and "inside" interfaces to each other. That bridge would need to be packet filtered, either with something like ebtables ot nftables.

dlakelan · September 7, 2018, 2:01pm

Iptables will filter bridges so long as the packet hits the kernel and you have enabled the bridge filtering sysctls. This means you can't have a hardware switch switching the packets directly. You need either 2 Ethernet connections, or one vlan per port on the hardware switch, then bridge all the vlans in a kernel bridge.