Your description is a bit confusing, I hope I correctly inferred what you mean.

If by "dhcp bridge mode" you mean you set the "lan" interface of your OpenWrt router to dhcp and connected a LAN port to your main router, in the spirit of your question that would be a "no".

(The firewall would be running, but in this scenario it wouldn't be able to firewall anything; to firewallize*, it needs to sit between two firewall zones, by default between WAN and LAN.)

One would certainly hope so, just like it should protect all the other clients in your network.

*) Yes, that is absolutely a word.

Honestly I don't think that's necessary. If you can't trust your own network behind the ISP's router to the point where you can't connect an unprotected client to download a few things ... you've got bigger problems.

I do not trust that my 10-year-old ISP router gets security patches, hence I double NAT as well, but I put my OpenWrt in the DMZ zone of my ISP router such that everything incoming on the ISP router just gets forwarded to my OpenWrt router. That seems to work for me.

OK, so you want the ISP router to be used to connect clients as well; then pretty much the only choice is to use the OpenWrt device in bridge/switch/AP mode.
But that implies that you have to trust that the ISP router is secure. Like I said, I do not have that trust in my ISP's router...

You're probably right about the first part (no updates), but NAT != security. Yes, it makes it harder for a hacker/bot on the internet to identify the hosts behind the router, but it is the firewall that provides the security, not the NAT itself.

This, in effect, bypasses the firewall on the first router with the exception of the NAT masquerading operations. Therefore, there is almost no difference between this and a direct connection from the OpenWrt WAN to the internet.

Double NAT is really not a proper additional security measure -- it only provides the illusion of that. If you don't trust your ISP router, you may be able to remove it entirely or put it into bridge/pass-through mode (where the ISP issued IP address will be presented directly to the WAN of your OpenWrt device).

Fortunately, the OpenWrt firewall is properly designed and robust enough for most normal home and small business uses.

I know, I don't double NAT because of security, but that way the setup is easy, and with the DMZ it's not an issue for me and all traffic passes through the OpenWrt firewall.

I know, hence the reason to do it.

Yes, but if you bridge with the ISP router then that is not happening by default, especially if you use the ISP router as a client access point as well.

If you're using the ISP router as an access point, all the machines that connect to it use the (likely outdated and vulnerable) ISP router's firmware, negating the value for the OpenWrt router in the first place (at least for those clients).

That was pretty much my point. So we agree 🙂

It doesn’t cause any security issues. It just doesn’t improve anything.

Most network protocols and applications can deal with double NAT without issue. There are some here and there that may choke, but those are more rare these days.

Regarding port forwarding for inbound connections -- if you've set your main router such that the OpenWrt router is effectively DMZ'd, that is sufficient to make port forwarding work properly by setting up those port forwards on OpenWrt. Either DMZ, or port forward on both devices (primary router WAN > primary router's LAN @ OpenWrt's WAN IP; OpenWrt WAN > OpenWrt's LAN @ host's IP).
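To make the second hop of that chain concrete, here is the OpenWrt side of the double forward as an added example; it is not from the original post or from the OpenWrt project's own documentation. The addresses and the service are assumptions: the ISP router's LAN is 192.168.1.0/24 and has handed the OpenWrt WAN port 192.168.1.2, OpenWrt's LAN is 192.168.2.0/24, and the target host is 192.168.2.10 listening on TCP 22. The ISP router's own forward (or DMZ entry) pointing at 192.168.1.2 is set in its vendor UI and is not shown.

```uci
# /etc/config/firewall on the OpenWrt router (added example, hypothetical addresses)
#
# Packet path: internet -> ISP router WAN -> ISP router forward/DMZ ->
#   192.168.1.2 (OpenWrt WAN) -> this redirect -> 192.168.2.10:22 (OpenWrt LAN)

config redirect
	option name 'ssh-to-lab-host'
	option src 'wan'             # zone holding the OpenWrt WAN interface (192.168.1.2)
	option src_dport '22'        # port the ISP router forwards (or everything, if DMZ'd)
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.2.10'
	option dest_port '22'
	option target 'DNAT'
```

Two checks worth doing before trusting this: give the OpenWrt WAN port a fixed address on the ISP router (static lease or static IP), because a DMZ or port-forward entry on the ISP router that points at 192.168.1.2 silently stops working if DHCP later hands OpenWrt a different address; and remember that with a DMZ entry the ISP router forwards every inbound port to OpenWrt, so any port without a matching redirect is still dropped only because OpenWrt's wan zone defaults to rejecting input and forwarding, which is exactly the firewall the earlier replies say is doing the real work.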

Sure... whatever works for you. I'm not sure what value OpenWrt has in your context, but if your network is working for you, that's all that matters.

I see... so you're setting up a home lab. Okay, that makes sense.