I am trying to get all the traffic of my home devices routed through a RPI.
I have done the following setup:
Connected the RPI to the LAN port of my ISP router.
Once I got an IP from the ISP router, I configured the RPI to use the same IP as a static IP.
I disabled the DHCP server of my ISP router. The DHCP server of the RPI is still functioning.
I rebooted my ISP router.
So, essentially, all the devices that used to connect to my ISP router will now get an IP from the RPI.
During DHCP, the RPI will provide its own IP as the default gateway and the default DNS server to the devices.
Now, I can see all the OUTGOING traffic on the RPI.
I can't, however, see the INCOMING traffic. Is there a way to route the INCOMING traffic from the ISP router through the RPI as well?
I also did the speed tests with the above setup, which showed that the upload speeds are really poor when compared to the speeds when no such RPI setup exists.
The download speeds, however, are similar.
So a lot more information is needed for us to help you.
First, can you draw a diagram of your network topology? This is necessary so that we can see how things are physically connected.
Next, how are you running the speed tests (wired or wireless, a website or iperf or something else)? What speeds are you actually getting with and without the Pi? What are you expecting to get?
What is the purpose of the Pi in your network? Is it doing something special, or just simply that you would rather be using an OpenWrt based router? You have a router from your ISP -- can you remove it and use your Pi in place of the ISP router?
There are still lots of other details that might be relevant, but we first need to get these questions answered to then be able to provide guidance or even guess what else might be going on.
The main router doesn't know the Pi is there; it will send packets returning from the Internet directly to the endpoint PC.
This setup is commonly used when you want a "whole house" VPN client that is a separate box from the main router. However there is nothing to stop a LAN PC from ignoring the DHCP advertised gateway and going directly to the main router instead.
In order to actually, reliably, securely intercept all traffic you need two networks, and two interfaces in the Pi.
I am running the speed tests using the RUN SPEED TEST button that I get from Google in Chrome when I search for "Speed test"; it's usually the first result.
It's based on Measurement Lab.
It looks something like that:
Here are the results without having the RPI in the setup:
Coming to the purpose of Pi:
I am trying to build a custom firewall that can see the traffic from all the devices.
The plan is to build the Pi so that it can be plugged into any ISP router. The devices in the network can continue to connect to the same ISP router SSID over WiFi, even after the introduction of the Pi.
Thanks a lot @mk24
You are absolutely right in saying that:
However, the low upload speeds are not making sense. The packets going from the devices have just 1 additional hop to travel. But the speed reduction is quite dramatic.
Here is the speed comparison with and without this setup:
When you say two networks, do you mean that the Pi should create a subnet from the ISP router and the devices then connect to an SSID broadcast by the Pi?
I also wanted to check the speed and the duplex settings on the connected interface of the Pi (as all the network data passes through that).
Can anyone please tell me if there is a command in OpenWrt to do this?
Also, is it possible for me to configure/change the default values of this configuration?
This is an unusual topology, and I'm not entirely certain that this is going to do what you want.
What changes did you make on your main router? Is wifi active on that router? What about the Pi -- do you have wifi enabled there, too? Are your client devices connecting to wifi on the router or on the Pi?
From the Pi...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Maybe, but the processor isn't really doing much here, from what I can tell.
The 3b+ has a gigabit physical connection, but the bandwidth is actually limited to ~330Mbps because it is connected to a USB 2.0 bus (max theoretical speed of USB 2.0 is 480Mbps). (see this)
I wouldn't even bother with this setup... I don't think it is going to do what you want with the topology you are proposing/using.
Don't just take my word for it... try to configure the firewall to block a specific site or service. For example, if you try to block 126.96.36.199 (google DNS) and then ping it from one of your client computers, you'll find that you probably can't block it based on this topology.
In order to achieve your goals, you would need to have a significantly different configuration. You could look at a bridge firewall, but I don't think this will work in your current setup. You can also simply cascade this device with your other router such that all clients connect through the Pi (or another router) in standard router mode.
This isn't really going to work the way you expect, AFAICT. At the very minimum, you'd need to be able to do some configuration on the ISP router. But really, this requires a situation where the clients connect first to the secondary device (Pi or otherwise) with that secondary device working as a normal NAT router.
I am saying that if you configure the Pi as a standard NAT router, you could achieve something of what you are trying to do. I wouldn't recommend the Pi 3B+ for this task (a Pi 4 would be better), and I would strongly advise against using the built-in Wifi on any of the Pi devices because it isn't going to produce good results... but that said, here is the theory:
eth0 on the pi (built-in ethernet) connects to the upstream/ISP router.
eth0 needs to be configured to be the wan interface (typically this would be DHCP client or static IP).
the wan interface is associated with the wan zone in the firewall.
the wan zone is usually configured with masquerading enabled.
eth1 (an external USB ethernet adapter connected to one of the USB ports) and/or wifi on the Pi would then be configured as the lan. (This will typically be static IP with a DHCP server enabled.)
devices connect to eth1 or wifi from the Pi.
all lan traffic must pass through the routing engine/firewall in order to reach the wan (and therefore the upstream network/internet).
That is how a standard router operates. The firewall can filter the data because it is passing between two independent networks.
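
The two-network layout described in the post above, written out as OpenWrt UCI configuration, with one test rule of the kind suggested earlier in the thread (block a single destination, then ping it from a client). This is an added example, not part of the original thread. It assumes OpenWrt 21.02 or later syntax, a USB adapter that shows up as eth1, and a 192.168.2.0/24 lan that does not overlap the ISP router's subnet; the blocked address is a constructed placeholder.

```uci
# /etc/config/network (fragment; addresses are assumed examples)
# wan: built-in Ethernet, cabled to the ISP router
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

# lan: USB Ethernet adapter, clients attach here
config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (fragment): the Pi hands out leases on lan only
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall (fragment)
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# masq '1' hides lan clients behind the Pi's wan address, so replies
# from the ISP router come back to the Pi instead of going to the client
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Test rule: 192.0.2.53 is a constructed placeholder (documentation range)
config rule
	option name 'Block-test-destination'
	option src 'lan'
	option dest 'wan'
	option dest_ip '192.0.2.53'
	option proto 'all'
	option target 'REJECT'
```

With clients attached only to eth1, a ping to the blocked address from a client should fail while other destinations still work, which is the check that cannot succeed in the single-subnet topology.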