Router wanted to config firewall

Hello, I'm looking to buy a router to config firewall for parental controls. I have a Spectrum modem (rented for free) and Eero wifi router so I plan to use the router as

[Spectrum Modem] ----> [New OpenWrt Router] ----> [Eero Wifi router] ----> [clients]

I believe I am looking for something basic - just need OpenWrt and firewall. Does this setup make sense? If so, what router should I buy?

Thanks in advance.

I wouldn't recommend setting up your network as you have described, unless the Eero can be placed in AP only mode (i.e. not routing). Two reasons for this:

  • all of your clients will be behind double NAT. This isn't a huge issue most of the time, but can cause some issues with certain services/protocols.
  • All of your devices will appear as a single device from the perspective of the OpenWrt router. This is the result of NAT masquerading which will happen on the Eero router (unless this can be disabled). The result is that you won't be able to distinguish any of the devices that are allowed to access certain content vs those that are not allowed.

Instead of your approach, I would consider using a PiHole type DNS based solution instead. Or remove the Eero router from the equation.


Psherman has a very good point, regarding the single IP issue.

But it also depends on your use case, I'm using a setup where all DNS requests are coming from a single IP - my pihole's cloud hosted.
It works, but access to certain sites is blocked for all, not only devices used by the kids.

AFAIK pihole doesn't have any scheduling, so you can't switch access/rules on and off automatically.

Disney Circle might be a better product for you, since it's put inside your network.

Adguard Home would do it. Two ways to do it. opkg install on an OpenWrt router or custom install via
[How-To-Updated 2021] Installing AdGuardHome on OpenWrt

More info on AGH here

Also definitely AP mode on your other router.

Problem isn't if someone or something could or couldn't do it, but how to set it up, since OP has an eero mesh system running.

Hi psherman,

Eero supports bridge mode, which I believe is what is needed here.

I didn’t consider pi-hole because pi-hole won’t work when client side decides to configure another DNS server.

Thank you very much.

You simply have to intercept those calls in the firewall, and redirect to the pihole, no biggie.

I do it with all calls to (hard-coded DNS in some Google devices), not because it makes any difference, but then I can stop the kids from telling Google home to play stuff on the chromecast, from YouTube or some other streaming source.

If I understand correctly, you are recommending firewall AND pi-hole - actually that makes sense. Do you use OpenWrt for the firewall? How's your setup?

Thank you,

If you're considering the pi, I'd install a Linux dist on it, so a pihole can be installed, then you wouldn't have to have two devices, but one.
The RPi would host the pihole, and be the router.

Problem would be the steep(er) learning curve of Linux, unless you're already familiar with it.

No, I don't use openwrt as a FW, but that's because of other reasons.

I was missing something basic completely - I have several raspberry pis, and I am familiar with Linux and pi-hole, but I didn't imagine I can set up OpenWRT on top of RPi. Sorry and thanks for pointing it out!

Where can I read docs on hosting firewall on RPi so it can intercept DNS traffic?


You can't.

That's why I said you'd need to use a plain Linux dist, openwrt doesn't run pihole very well, if at all.

I'm sorry if I sound stupid - to intercept DNS traffic for parental control, are you suggesting I should use RPi and pi-hole, not with OpenWRT?

If you want to combine pihole with the router, then yes. The problem is pihole, it doesn't run on openwrt.

Openwrt isn't a must, any firewall/dist will do.
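
The DNS interception discussed in this thread (catching clients' hard-coded DNS calls in the firewall and sending them to the Pi-hole), sketched as an added example that is not from any of the posters. It assumes a plain Linux router using nftables; the interface names and the address 192.168.1.2 are constructed placeholders, and `gen_dns_intercept` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an nftables ruleset that forces
# LAN clients' DNS (port 53) to a Pi-hole, for a plain-Linux router.
# Interface name and address below are constructed placeholders.
#
# gen_dns_intercept LAN_IF [PIHOLE_IP]
#   PIHOLE_IP omitted: Pi-hole runs on the router itself -> redirect locally.
#   PIHOLE_IP given:   Pi-hole is another LAN host -> DNAT to it.
gen_dns_intercept() {
    lan_if=$1
    pihole=${2:-}
    # Refuse anything that could smuggle extra tokens into the ruleset.
    case $lan_if in ''|*[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 2 ;; esac
    case $pihole in *[!0-9.]*) echo "bad IPv4 address" >&2; return 2 ;; esac

    echo "table ip dns_intercept {"
    echo "  chain prerouting {"
    echo "    type nat hook prerouting priority -100; policy accept;"
    for proto in udp tcp; do
        if [ -z "$pihole" ]; then
            echo "    iifname \"$lan_if\" $proto dport 53 redirect to :53"
        else
            # Exempt the Pi-hole's own upstream lookups, or they loop back to it.
            echo "    iifname \"$lan_if\" ip saddr != $pihole ip daddr != $pihole $proto dport 53 dnat to $pihole:53"
        fi
    done
    echo "  }"
    if [ -n "$pihole" ]; then
        # Client and Pi-hole share a subnet, so the reply must return through
        # the router to be un-NATed. Masquerading achieves that, at the cost
        # that the Pi-hole logs intercepted queries under the router's address.
        echo "  chain postrouting {"
        echo "    type nat hook postrouting priority 100; policy accept;"
        for proto in udp tcp; do
            echo "    oifname \"$lan_if\" ip daddr $pihole $proto dport 53 masquerade"
        done
        echo "  }"
    fi
    echo "}"
}

# Review the output, then load it with: gen_dns_intercept eth1 | nft -f -
gen_dns_intercept br-lan 192.168.1.2
```

This covers IPv4 port 53 only; IPv6 needs an equivalent `ip6` table, and DNS over HTTPS or TLS is not touched by these rules.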