Setting up OpenWRT as an Access Point for an IDS

hi all -

I am running OpenWRT 19.01 (I didn't upgrade b/c I haven't learned how to use NFTables yet, but this question should be the same across versions)

I am trying to set up an Intrusion Detection System based on this guide (https://jufajardini.wordpress.com/2021/02/15/suricata-on-your-raspberry-pi/) and I have Suricata installed on a Pi. I was wondering if I need to change OpenWRT to an access point as documented here (https://docs.vilfo.com/en/articles/1982415-setting-an-openwrt-router-as-an-access-point):

  1. Log in to your OpenWRT router admin interface
  2. Navigate to Network > Interfaces
  3. Locate the LAN interface
  4. Click on Edit
  5. Find the field Protocol
  6. Select DHCP client from the drop-down
  7. You will be prompted with a new message asking if you want to switch the protocol, click the button labeled Switch protocol
  8. Click on Save and apply

Or will this permanently change configurations? I tried this earlier and got a warning about it potentially disabling some functions. Is this possible to set up by changing to Access Point and then using the following:

Modem connected to Switch over mirrored port -> Pi connected to Switch over monitor port -> Router connected to Switch over Monitor port?

Or should it be modem -> switch -> Router?

I assume you mean 19.07?

There is a certain amount of irony here in that you're talking about implementing an intrusion detection system while you use an obsolete, EOL, and unsupported version of OpenWrt that has many known vulnerabilities.

It's probably time to learn how to use the latest stuff (fw4), especially if you're talking about security related things.

Regarding the overall premise of your question -- if OpenWrt is running as an AP (specifically a dumb AP), you will not be able to use it as a firewall/IDS/IPS. That is because all of those require that the device is routing (L3), but a dumb AP is just a bridge (effectively switching) at L2.

Your IDS/IPS system needs to be the (main) router where the internet connection comes into your network.

A few other thoughts:

  1. The Pi (all variants) makes a terrible AP because of the extremely low end wifi chipset they use.
  2. You didn't mention your ISP speed. IDS/IPS systems require a lot of CPU power if you are trying to route at any reasonable speeds.
  3. You didn't mention which Pi you're using. The Pi4 is very powerful and capable of gigabit routing (at least when you're not running IPS), but the earlier Pi devices are much more limited in bandwidth. I don't know what the IPS performance would look like on each generation of Pi devices, but I think you'll quickly find that you may want a more powerful (x86 class) machine for IDS purposes (unless you have very slow ISP service).

I'm running a pi v4. And yes I can upgrade to the latest OpenWRT, but you are saying that the setup outlined in the tutorial is not possible with OpenWRT, since it would not work to have traffic mirrored from modem or router to Pi v4 since it would require downgrading OpenWRT router to access point?

Can you provide a diagram of your proposed network topology?


…not that there'd generally be much (or almost any) firewalling involved in the dumb-AP role - and the fw3/ fw4 syntax has remained 98% identical.


Is this possible?

Also, I had installed OpenWRT on a Netgear Nighthawk router, I could resort to the default router firmware if that would be easier.

With the latest OpenWRT is it possible?

# nftables rules for mangle table
# (ip family rather than inet: the dup statement is implemented per address family, and these rules only match IPv4 anyway)
nft add table ip mangle
nft add chain ip mangle prerouting { type filter hook prerouting priority 0 \; }
# nftables has no TEE target; "dup to <addr> device <dev>" sends the copy. "br-lan" is an assumed LAN bridge name, check it with "ip link"
nft add rule ip mangle prerouting iifname "eth0.2" dup to 192.168.1.156 device "br-lan"

nft add chain ip mangle postrouting { type filter hook postrouting priority 0 \; }
nft add rule ip mangle postrouting ip saddr 192.168.1.0/24 dup to 192.168.1.156 device "br-lan"

Would this work for NFTables to mirror traffic to the .156 device w/ the latest OpenWRT?
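The mirroring idea above, written out as a loadable nftables ruleset file instead of one-off `nft add` commands. This is an added example, not code from the thread or from the OpenWrt project. It assumes the WAN interface is `eth0.2` and the LAN bridge is `br-lan` (both placeholders; verify with `ip link` on the router) and that the sensor is 192.168.1.156 as in the thread. It uses `dup to`, which is the nftables counterpart of the iptables TEE target, in an `ip` family table because the dup statement is registered per address family, and it excludes the sensor's own packets so the copy does not loop back onto the sensor.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that duplicates packets to an
# IDS sensor, then syntax-check it with `nft -c` when nft is installed.
# Assumed names (placeholders): WAN interface eth0.2, LAN bridge br-lan.

SENSOR_IP="${SENSOR_IP:-192.168.1.156}"
WAN_IF="${WAN_IF:-eth0.2}"
LAN_IF="${LAN_IF:-br-lan}"

# Emit the ruleset in nft file syntax (loadable with `nft -f <file>`).
# Priority -150 is the conventional mangle priority: both chains run before
# NAT, so postrouting still sees the private source address of LAN traffic.
make_mirror_ruleset() {
cat <<EOF
table ip mirror {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        # copy of everything arriving from the internet, before DNAT
        iifname "$WAN_IF" dup to $SENSOR_IP device "$LAN_IF"
    }
    chain postrouting {
        type filter hook postrouting priority -150; policy accept;
        # copy of LAN-originated traffic, except the sensor's own packets
        ip saddr 192.168.1.0/24 ip saddr != $SENSOR_IP dup to $SENSOR_IP device "$LAN_IF"
    }
}
EOF
}

# Write the ruleset to a file and print the path.
write_ruleset() {
    out="${1:-/tmp/mirror.nft}"
    make_mirror_ruleset > "$out" || return 1
    printf '%s\n' "$out"
}

# Parse-check the file without loading it. Returns 0 if nft is not
# installed (nothing to check) or if the check passes.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 0
    nft -c -f "$1"
}

# Usage when run directly on the router.
f=$(write_ruleset /tmp/mirror.nft)
check_ruleset "$f" || echo "syntax check failed (or nft lacks privileges): $f"
```

Load it with `nft -f /tmp/mirror.nft`; on fw4-based OpenWrt, a custom table survives firewall reloads better if placed in `/etc/nftables.d/` (fw4 merges files from that directory), but the table and chain names here are chosen not to clash with fw4's own `inet fw4` table.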