I would like to set up what's called a 'transparent filter bridge' with OpenWrt. The device should work as a 'firewall only (no NAT)' between 2 interfaces: a LAN-facing interface where all my devices are connected (switch, PC etc.) and an ISP-router-facing interface, which does the NAT and acts as a gateway providing a 192.168.0.1 IP. The bridge itself should have an IP address for management, of course.
The purpose of this is simple: I have a gigabyte connection to the internet and my router (WDR4300) cannot withstand that high rate. The ISP Ethernet modem can, but I have no firewall there. So, I found this guide: transparent filtering bridge, which explains how to disable NAT and create a transparent firewall; although it is for FreeBSD, I believe we can do the same on Linux.
I have installed kmod-br-netfilter, but I need some guidance to set this up on OpenWrt. Can anyone help me please?
While that can be done, be aware that the performance limitations are roughly similar. Or to spell it out explicitly, your TL-WDR4300 will under no circumstances do bridging (let alone meaningful filtering) at anywhere close to 1 GBit/s line speed (more like 150-200 MBit/s).
Well, thank you for your response. It's more for testing purposes than real usage; I just wanted to know what performance I could achieve with bridging, keeping NAT out of the equation since it is CPU intensive.
Could you provide any guide or step-by-step procedure to set it up?
First off, the TL-WDR4300 only has a single path from the switch to the CPU, so you will never achieve over 470 Mbps TCP throughput (1/2 of ~940 Mbps GigE theoretical limit), no matter how fast the CPU is.
Second, experience with the dual-MAC, faster SoC in the Archer C7v2 (QCA9558 at 720 MHz vs. AR9334 at 560 MHz) is that it can't route more than about 400-500 Mbps through Ethernet.
Given that this is about "testing purposes", and the evidence is strong that you'll get nowhere near gigabit rates through it, I'd start simple -- no firewall rules at all. To do that:
Create a management interface on one of the LAN ports
Bridge WAN to LAN
and have at it.
If you want to play around with transparent firewalling, you'd likely need to then install ebtables and craft your own firewall rules.
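An added example of the two setup steps above (a management interface on one LAN port, WAN bridged to the remaining LAN ports) as an OpenWrt /etc/config/network for a swconfig-based device; this is not from the thread or the OpenWrt project, and the interface names (eth0 = WAN port, eth1 = switch), switch port numbers and the 192.168.0.2 management address are assumptions that must be checked against `swconfig dev switch0 show` on the real device:

```uci
# /etc/config/network (added example; interface names, port numbers and
# addresses are assumptions, verify them against the actual device)

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Management interface: one LAN port alone on VLAN 2 with a static address on
# the ISP router's subnet, so the box stays reachable even if the bridge misbehaves.
config interface 'mgmt'
	option ifname 'eth1.2'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	option dns '192.168.0.1'

# Transparent bridge: the WAN port (facing the ISP router) and the remaining
# LAN ports (VLAN 1) joined at layer 2 with no IP address and no NAT.
# Frames pass straight through; ebtables rules can be added on top later.
config interface 'bridge'
	option type 'bridge'
	option ifname 'eth0 eth1.1'
	option proto 'none'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# Assumed port map: 0 = CPU (tagged), 2-4 = bridged LAN ports (VLAN 1),
# 5 = management port (VLAN 2).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
```

Apply it with `/etc/init.d/network restart` while connected to the management port; since the bridge itself carries no address, the box is reached only through that port, and the ISP router stays reachable from the LAN side through the bridge.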