RaspPI with OpenWrt as Bridge with Firewall between ISP modem and Router


Sorry for a noob question but I failed to find something relevant in tutorials/forum posts (yes, I checked the relevant posts that show up when a new post is being created). I read some docs but honestly can't even tell now which info is relevant to my case. I'd highly appreciate it if you could point me to some tutorial I could use for my case.

I have a similar setup for my home network:
ISP<->Cable Modem<->Router with Wifi(and DHCP server)<->Client(s)

I want to add a Bridge between the Cable Modem and the Router that analyzes traffic and blocks connections to some websites/IP addresses.
ISP<->Cable Modem<->OpenWrt Bridge-Firewall<->Router with Wifi(and DHCP server)<->Client(s)

I am considering using a Raspberry Pi 2 with a USB-to-Ethernet adapter as the Bridge. I set up OpenWrt on the RasPi and made the USB-to-Ethernet adapter work. So now what? As I understand, I need to:

Set up Bridge mode. There are several concerns so far: I need to handle the ISP IP address changes, as now my Router could get different IP addresses after a restart. I need to have a way to connect to the Bridge for reconfiguration. Usually this is solved by some special IP address that the Bridge treats as a configuration IP and accepts connections on. I have no clue how to configure that in OpenWrt. And correct me if I'm wrong, but as my current speed is 30 Mbps download and 10 Mbps upload, the RasPi should not be a bottleneck for the internet connection speed.

Set up filtering settings: I need to set up something like iptables (kmod-ipt-physdev probably, but something less low-level like Shorewall would be preferable) and something that allows me to analyze traffic and update rules. Here https://jan.newmarch.name/IoT/Home/OpenWrtRPi/ using tcpdump on the OpenWrt side and Wireshark on a client machine was mentioned, though I'm not sure whether I could connect Wireshark in a Bridge setup.

Sidenote 1: I considered using another configuration for my goal: setting up something like Pi-hole in the network behind the Router, configuring it in the Router as the primary DNS, and configuring host names for the hosts I'd like to block. But I believe the Bridge-Firewall between ISP Modem and Router solution would provide better performance. Correct me if I'm wrong.

Sidenote 2: There is a setup where the Bridge-Firewall is situated between the Router and the clients (an additional switch is required in this case): https://shorewall.org/bridge-Shorewall-perl.html
ISP<->Cable Modem<->Router with Wifi(and DHCP server)<->OpenWrt? Shorewall Bridge-Firewall<->Switch<->Client(s) Not sure if it is a good configuration though.

Thanks for your help!
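As an added illustration (not code from the original post, and not OpenWrt's own documentation) of the layout asked about above, here is what a transparent OpenWrt bridge with a management address and a firewall rule looks like in UCI configuration. The interface names eth0 (onboard port) and eth1 (USB adapter), the 192.168.100.0/24 management subnet and the 203.0.113.10 blocked address are assumptions and constructed placeholders; the package name kmod-br-netfilter and the sysctl are what OpenWrt needs so that bridged IPv4 traffic enters the firewall at all.

```uci
# /etc/config/network
# Assumed interface names: eth0 = onboard port (towards the cable modem),
# eth1 = USB adapter (towards the home router's WAN port).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

# Management address on the bridge itself. 192.168.100.0/24 is an assumed,
# otherwise unused subnet. Frames between modem and router are forwarded
# regardless of this address; it only lets you reach the bridge over SSH
# from a host that has a route to it (a laptop plugged into the same segment,
# or a static route on the home router pointing at its WAN side).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'

# /etc/sysctl.d/99-bridge-nf.conf   (requires the kmod-br-netfilter package)
# Without this, traffic that is merely bridged never traverses the firewall.
net.bridge.bridge-nf-call-iptables=1

# /etc/config/firewall
# One zone covering both bridge ports; forwarding is open by default and
# specific destinations are rejected below. Input is closed except for
# management SSH from the assumed management subnet.
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option name 'allow-mgmt-ssh'
	option src 'lan'
	list src_ip '192.168.100.0/24'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Reject bridged traffic towards one destination address.
# 203.0.113.10 is a constructed TEST-NET placeholder.
config rule
	option name 'block-example-host'
	option src 'lan'
	option dest 'lan'
	option proto 'all'
	list dest_ip '203.0.113.10'
	option target 'REJECT'
```

After editing, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply the files. Keep in mind the limitation the replies below point out: a bridge in this position only sees the modem-to-router segment, so if the router speaks PPPoE the IP payload is encapsulated, and after the router's NAT every flow carries the router's own address, which makes per-host control from here impractical.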

Personally I don't see the point of adding the RPi in bridged mode in either location.
If you really want to run OpenWrt efficiently, the best place is the border router.
And since this question resembles the XY problem a lot, could you rather tell us what you want to achieve than how to achieve it? "Analyze traffic and update rules" is too generic, not to mention the usage of tcpdump and Wireshark.

Thank you for the quick response.

I want to have the ability to block traffic to some hosts in my home network. My current router (WNDR3400v3) has restricted OpenWrt support and an even more restricted ability to filter traffic. The list of hosts is to be changed; I also need to see which host is being used now and block it.

Your router is probably using PPPoE to connect to the ISP; then, the RPi is not going to detect any IP traffic between them.

To add to what @eduperez said, even if it is DHCP or STATIC, most likely it is after NAT, so it is difficult to understand where the traffic is headed.
If you connected the RPi inside the LAN, between the router and the hosts, you wouldn't be able to control the wifi users of the Router, and you'd need to buy a switch to connect the LAN hosts on the port of the RPi.

Bottom line: it is better to buy a new router that can work with OpenWrt and will cover you for the next years with hundreds of Mbps of throughput.

I know we're on the OpenWrt forum, but I cannot refrain from recommending FreshTomato for your WNDR3400v3 (freshtomato.org and https://www.linksysinfo.org/index.php?forums/tomato-firmware.33/ ); after installing it, it should cover your need to control the clients in your LAN.

Yeah, thanks for the advice. The option is on the table, but this is a completely separate process that could take weeks: find a router model, get it delivered, configure it properly. That's why I am considering other options based on hardware I already have.

That seems to be the way to go, thanks! I've installed the latest FreshTomato FW and it seems to have all the necessary functionality.
