Setup a transparent filtering bridge on openwrt

Hi there

I would like to set up what's called a 'transparent filter bridge' with openwrt. The device should work as a 'firewall only (no NAT)' between 2 interfaces: a LAN facing interface where all my devices are connected (switch, pc etc.) and an ISP ROUTER facing interface which does the NAT and acts as a GATEWAY providing a 192.168.0.1 ip. The bridge itself should have an ip address for management of course.

The purpose of this is simple: I have a gigabyte connection to the internet and my router (WDR4300) cannot withstand that high rate. The isp ethernet modem can, but I have no firewall there. So, I found this guide:
transparent filtering bridge, which explains how to disable NAT and create a transparent firewall; although it is on freebsd, I believe we can do the same on linux.
I have installed kmod-br-netfilter, but I need some guidance to set this up on openwrt. Can anyone help me please?

While that can be done, be aware that the performance limitations are roughly similar. Or to spell it out explicitly, your tl-wdr4300 will under no circumstances do bridging (let alone meaningful filtering) at anywhere close to 1 GBit/s linespeed (more like 150-200 MBit/s).


Well, thank you for your response. It's more for testing purposes than real usage; I just wanted to know what performance I could achieve with bridging, keeping NAT out of the equation since it is CPU intensive.

Could you provide any guide or step by step procedure to set it up?

First off, the TL-WDR4300 only has a single path from the switch to the CPU, so you will never achieve over 470 Mbps TCP throughput (1/2 of ~940 Mbps GigE theoretical limit), no matter how fast the CPU is.

Second, experience with the dual-MAC, faster SoC in the Archer C7v2 (QCA9558 at 720 MHz vs. AR9334 at 560 MHz) is that it can't route more than about 400-500 Mbps through Ethernet.

Given that this is about "testing purposes", and the evidence is strong that you'll get nowhere near gigabit rates through it, I'd start simple -- no firewall rules at all. To do that:

  • Create a management interface on one of the LAN ports
  • Bridge WAN to LAN

and have at it.

If you want to play around with transparent firewalling, you'd likely need to then install ebtables and craft your own firewall rules.

Hi, I have a similar setup:

  • orange flybox4G (huawei b310s - i think) at 10.0.0.1 - connected to "wan"

  • my transparent fw (a zyxel router) at 10.0.0.2

  • all other devices 10.0.0.x wired/wireless to zyxel - connected to "lan"

  • flybox acts as gw only

  • zyxel handles dhcp/dns/...
    -- br-lan bridges the wan port ;-p

```
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6f:4628:9003::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipaddr '10.0.0.2'
        option gateway '10.0.0.1'
        option ifname 'eth0.1 eth1.2'
        option dns '127.0.0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'
```

it's been a while since I set this up, but it seems stable. 
(except for opening ports, could be due to CGNAT, but ... life)

anyway here's my init.d script - should at least be a decent starting point.
(don't forget to stop the wrt firewall)

```
#!/bin/sh /etc/rc.common

# The stock OpenWrt firewall also starts at 19; it must be disabled
# (/etc/init.d/firewall disable) before this script is enabled!!!
START=19
#USE_PROCD=1

IPTABLES=/usr/sbin/iptables

stop() {
        # flush everything and fall back to accept-all (the bridge keeps forwarding)
        $IPTABLES --flush
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
}

start() {
        # bridged frames only reach the iptables FORWARD chain when
        # br_netfilter is loaded and this sysctl is 1 (OpenWrt's default
        # sysctl config sets it to 0)
        sysctl -w net.bridge.bridge-nf-call-iptables=1 >/dev/null

        # Flush active rules, custom chains
        $IPTABLES --flush
        $IPTABLES --delete-chain

# FORWARD across the bridge
        # allow everything from LAN (eth0.1) / WiFi (wlan*)
        # physdevs are named differently per device... sometimes
        # check the correct name first !!!
        $IPTABLES -A FORWARD -i br-lan -m physdev --physdev-in eth0.1 -j ACCEPT
        $IPTABLES -A FORWARD -i br-lan -m physdev --physdev-in wlan+ -j ACCEPT

        # from WAN (eth1.2) allow only replies to known connections
        $IPTABLES -A FORWARD -i br-lan -m physdev --physdev-in eth1.2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

        # default: drop all the rest
        $IPTABLES -P FORWARD DROP

# INPUT to the transparent firewall itself
        # allow access from "lan"
        $IPTABLES -A INPUT -i br-lan -m physdev --physdev-in wlan+ -j ACCEPT
        $IPTABLES -A INPUT -i br-lan -m physdev --physdev-in eth0.1 -j ACCEPT

        # allow related traffic from "wan" (e.g. DNS replies)
        $IPTABLES -A INPUT -i br-lan -m physdev --physdev-in eth1.2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

        # loopback
        $IPTABLES -A INPUT -i lo -j ACCEPT

        # drop all the rest
        $IPTABLES -P INPUT DROP

# OUTPUT from the transparent firewall itself
        # allow all
        $IPTABLES -P OUTPUT ACCEPT
}
```

good luck!
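Added example, not from the thread or any poster: pre-flight checks for an init script like the one above, which hard-codes the physdev names (eth0.1 / eth1.2) and depends on br_netfilter. A wrong name or a disabled bridge-nf sysctl combined with `-P FORWARD DROP` cuts the LAN off from the gateway, so the rules are only printed once both checks pass. SYSFS_ROOT and PROC_ROOT are assumed overridable so the checks can be exercised off-box.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the init script
# above. It hard-codes physdev names (eth0.1 / eth1.2) and needs br_netfilter;
# if either is wrong, "-P FORWARD DROP" cuts the LAN off from the gateway.
# SYSFS_ROOT / PROC_ROOT are assumed overridable so the checks run off-box.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# bridge_members BRIDGE: print the interfaces currently enslaved to BRIDGE
bridge_members() {
    ls "$SYSFS_ROOT/class/net/$1/brif" 2>/dev/null
}

# check_physdevs BRIDGE PORT...: 0 only if every PORT is a member of BRIDGE;
# otherwise name the missing ones and show the real member list
check_physdevs() {
    br=$1; shift; rc=0
    for p in "$@"; do
        if [ ! -e "$SYSFS_ROOT/class/net/$br/brif/$p" ]; then
            echo "ERROR: $p is not a member of $br" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || { echo "members of $br:" >&2; bridge_members "$br" >&2; }
    return "$rc"
}

# bridge_nf_enabled: 0 if bridged IPv4 frames are handed to iptables
# (net.bridge.bridge-nf-call-iptables=1); without it physdev rules never match
bridge_nf_enabled() {
    f="$PROC_ROOT/sys/net/bridge/bridge-nf-call-iptables"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# forward_rules BRIDGE LAN_PORT WAN_PORT: print the FORWARD rules from the
# init script, but only after both physdev names and br_netfilter check out
forward_rules() {
    check_physdevs "$1" "$2" "$3" || return 1
    bridge_nf_enabled || { echo "ERROR: bridge-nf-call-iptables is not 1" >&2; return 1; }
    cat <<EOF
iptables -A FORWARD -i $1 -m physdev --physdev-in $2 -j ACCEPT
iptables -A FORWARD -i $1 -m physdev --physdev-in wlan+ -j ACCEPT
iptables -A FORWARD -i $1 -m physdev --physdev-in $3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}
```

On the box, `forward_rules br-lan eth0.1 eth1.2 | sh` loads the FORWARD rules only when the checks pass; otherwise the error output lists the bridge's real member names to put into the script.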