Urgent Question Regarding Double Router and firewall

So yes, I am running double router in my setup. (aware of double nat, etc.)
My question is: by connecting my fresh-install OpenWrt router via DHCP bridge mode on LAN to my ISP gateway/router, is the firewall on OpenWrt automatically running and protecting OpenWrt while I use LuCI to download packages? Or is the gateway firewall protecting my OpenWrt router?
WAN is not set up because I have to install a USB driver first, due to the single Ethernet port.
That package requires dependencies and so on.

Your description is a bit confusing, I hope I correctly inferred what you mean.

If by "dhcp bridge mode" you mean you set the "lan" interface of your OpenWrt router to dhcp and connected a LAN port to your main router, in the spirit of your question that would be a "no".

(The firewall would be running but in this scenario it wouldn't be able to firewall anything, to firewallize* it needs to sit between two firewall zones, by default that is between WAN and LAN.)

One would certainly hope so, just like it should protect all the other clients in your network.

*) Yes, that is absolutely a word.
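As an added illustration of the zone point in the reply above (example code written for this page, not something posted in the thread or shipped by OpenWrt): the firewall only protects the box once traffic has a WAN zone to arrive in and a LAN zone to be kept away from. The script below emits the uci batch that turns the single-port device described in the question into that layout once the USB NIC works. Everything about the hardware is an assumption: `eth0` is taken to be the built-in port already cabled to the ISP router, `eth1` the USB NIC, `192.168.50.0/24` the new LAN, and the image is assumed to be a 21.02-or-later default config (stock `lan`/`wan` zones at index 0 and 1, a `br-lan` bridge device at index 0).

```shell
#!/bin/sh
# Added example, not from the thread: a uci batch that turns a single-port
# OpenWrt box (its only port currently "lan" in DHCP-client mode) into a
# router with a WAN zone in front of a LAN zone, which is what the firewall
# needs in order to firewall anything.
#
# Assumptions (hypothetical; change to match your hardware):
#   eth0 = built-in port already cabled to the ISP router     -> becomes wan
#   eth1 = USB NIC that appears once its driver is installed  -> becomes lan
#   192.168.50.0/24 = new LAN behind OpenWrt; it must not be the subnet the
#                     ISP router already uses, or routing breaks.
WAN_DEV=${WAN_DEV:-eth0}
LAN_DEV=${LAN_DEV:-eth1}
LAN_IP=${LAN_IP:-192.168.50.1}

# Emit the uci commands instead of running them directly, so the result can
# be reviewed (or tested) before it touches a live router. A stock image
# already ships zone[0]=lan, zone[1]=wan and a lan->wan forwarding in
# /etc/config/firewall; this batch creates the missing "wan" interface,
# moves the bridge to the USB NIC, and pins the zone policies that matter.
# input=REJECT on wan is the actual protection; masq is only the NAT.
firewall_batch() {
    cat <<EOF
set network.wan=interface
set network.wan.device='$WAN_DEV'
set network.wan.proto='dhcp'
set network.@device[0].name='br-lan'
set network.@device[0].type='bridge'
set network.@device[0].ports='$LAN_DEV'
set network.lan.device='br-lan'
set network.lan.proto='static'
set network.lan.ipaddr='$LAN_IP'
set network.lan.netmask='255.255.255.0'
set firewall.@zone[0].input='ACCEPT'
set firewall.@zone[0].output='ACCEPT'
set firewall.@zone[0].forward='ACCEPT'
set firewall.@zone[1].input='REJECT'
set firewall.@zone[1].output='ACCEPT'
set firewall.@zone[1].forward='REJECT'
set firewall.@zone[1].masq='1'
set firewall.@zone[1].mtu_fix='1'
set firewall.@forwarding[0].src='lan'
set firewall.@forwarding[0].dest='wan'
EOF
}

# Apply on the router itself (as root over SSH). Because the only existing
# port changes role from lan to wan, expect to lose the SSH session and to
# reconnect through the USB NIC on $LAN_IP afterwards.
apply_config() {
    firewall_batch | uci batch \
        && uci commit network \
        && uci commit firewall \
        && /etc/init.d/network reload \
        && /etc/init.d/firewall reload
}

# Dry run by default: only "--apply" touches the running config.
if [ "${1:-}" = "--apply" ]; then
    apply_config
else
    firewall_batch
fi
```

Run it without arguments to print the batch and eyeball it; run with `--apply` on the router to commit. Afterwards, on fw4-based releases (22.03 and later) `nft list chain inet fw4 input_wan` should show the reject policy for traffic arriving on the WAN side (`iptables -L zone_wan_input` on older fw3 releases); before the change there is no such zone, which is exactly why the firewall had nothing to do.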

This is what I did, yes. So the safe option then would probably be to compile the image with the built-in USB support that is needed and configure the LAN and WAN zones before connecting the second router (OpenWrt) to the internet?

Honestly I don't think that's necessary. If you can't trust your own network behind the ISP's router to the point where you can't connect an unprotected client to download a few things ... you've got bigger problems.


If it's not necessary then that is great! The ISP equipment is just a basic Comcast xFi Advanced Gateway (XB7). Honestly not too sure how good their own equipment is for protection. Probably just being paranoid, but was afraid that maybe, somehow, the second router without its own firewall would be an easy-to-find and huge target for bots, people scanning the net, etc.

I do not trust that my 10-year-old ISP router gets security patches, hence I double NAT as well, but I put my OpenWrt in the DMZ zone of my ISP router such that everything incoming on the ISP router just gets forwarded to my OpenWrt router. That seems to work for me.

I currently share a router with other family members so I'm not sure if a DMZ zone would work for me.
Basically the second router would plug into the first router, and all my devices will connect to a managed switch that connects to the second router (switch for VLANs to separate my computers). The second router is for VLAN support, AdGuard Home, DNS for my devices, and crowdsource.

OK, so you want the ISP router to be used to connect clients as well; then pretty much the only choice is to use the OpenWrt device in bridge/switch/AP mode.
But that implies that you have to trust that the ISP router is secure. Like I said I do not have that trust about my ISP's router...

You're probably right about the first part (no updates), but NAT != security. Yes, it makes it harder for a hacker/bot on the internet to identify the hosts behind the router, but it is the firewall that provides the security, not the NAT itself.

This, in effect, bypasses the firewall on the first router with the exception of the NAT masquerading operations. Therefore, there is almost no difference between this and a direct connection from the OpenWrt WAN to the internet.

Double NAT is really not a proper additional security measure -- it only provides the illusion of that. If you don't trust your ISP router, you may be able to remove it entirely or put it into bridge/pass-through mode (where the ISP issued IP address will be presented directly to the WAN of your OpenWrt device).

Fortunately, the OpenWrt firewall is properly designed and robust enough for most normal home and small business uses.

I know, I don't double NAT because of security, but that way the setup is easy, and with the DMZ it's not an issue for me and all traffic passes through the OpenWrt firewall.

I know hence the reason to do it.

Yes, but if you bridge with the ISP router then that is not happening by default, especially if you use the ISP router as a client access point as well.


If you're using the ISP router as an access point, all the machines that connect to it use the (likely outdated and vulnerable) ISP router's firmware, negating the value for the OpenWrt router in the first place (at least for those clients).


That was pretty much my point. So we agree :slight_smile:


unfortunately I am not allowed to put the gateway in bridge mode

What security issues does running double NAT create?

It doesn’t cause any security issues. It just doesn’t improve anything.

Ah, my apologies, I misinterpreted your previous statement. Thank you for correcting :slight_smile:

When it does come to double NAT, I've read that it won't affect server-client games but may affect peer-to-peer, and a way around this is port forwarding on both routers.

Do you think this would be a common issue nowadays for current games or gaming consoles?

I assume it would affect p2p file transfers such as torrent programs?
In this context torrenting is used as an example for legal purposes such as downloading Linux ISOs, for example.

Hopefully it won't affect Dynamic Streaming over HTTP? Web media streaming such as YouTube or other subscription movie services.

Most network protocols and applications can deal with double NAT without issue. There are some here and there that may choke, but those are more rare these days.

Regarding port forwarding for inbound connections -- if you've set your main router such that the OpenWrt router is effectively DMZ'd, that is sufficient to make port forwarding work properly by setting up those port forwards on OpenWrt. Either DMZ or port forward on both devices ( primary router wan > primary router's LAN @ OpenWrt's WAN IP; OpenWrt WAN > OpenWrt's LAN @ host's IP).
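The second hop of the two-hop port forward described in the reply above, as an added example (written for this page; not code from the thread or from OpenWrt). Hop 1, ISP router WAN to OpenWrt's WAN address, lives in the ISP router's own GUI and cannot be scripted from here; with OpenWrt DMZ'd on the ISP router that hop is unnecessary. Hop 2 is an OpenWrt firewall `redirect` section, emitted here as a uci batch. All concrete values are constructed: `192.168.50.0/24` as OpenWrt's LAN, `192.168.50.20` as the host that should receive the traffic, and `51413` as the inbound port.

```shell
#!/bin/sh
# Added example, not from the thread: the OpenWrt half of a double-NAT
# port forward (ISP router WAN -> OpenWrt WAN address -> LAN host).
#
# Constructed values (hypothetical, adjust to your network):
#   LAN_NET       = the LAN behind OpenWrt
#   192.168.50.20 = the LAN host that should receive the inbound traffic
#   51413         = the inbound port
# OpenWrt's own WAN address is whatever it leased from the ISP router;
# reserve that lease on the ISP router, otherwise hop 1 silently points at
# the wrong host the next time the lease changes.
LAN_NET=${LAN_NET:-192.168.50.0/24}

# Emit a uci batch that adds one DNAT redirect: name, port, proto, LAN host.
# proto may be 'tcp', 'udp' or 'tcp udp'. A distinct name per rule lets you
# find it again with: uci show firewall | grep "<name>"
redirect_batch() {
    name=$1; port=$2; proto=$3; host=$4
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='$name'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].src_dport='$port'
set firewall.@redirect[-1].dest='lan'
set firewall.@redirect[-1].dest_ip='$host'
set firewall.@redirect[-1].dest_port='$port'
set firewall.@redirect[-1].proto='$proto'
EOF
}

# Guard against the classic double-NAT mistake: the OpenWrt redirect must
# point at a host inside OpenWrt's LAN, not at OpenWrt's WAN address or at
# a host on the ISP router's LAN. Returns 0 when host is in the /24 given
# as a.b.c.0/24 (only /24 handled, for brevity).
in_lan24() {
    host=$1; net=$2
    prefix=${net%.*}          # 192.168.50.0/24 -> 192.168.50
    [ "${host%.*}" = "$prefix" ]
}

# Apply on the router (as root over SSH): name port proto host.
apply_redirect() {
    in_lan24 "$4" "$LAN_NET" || {
        echo "refusing: $4 is not inside $LAN_NET" >&2
        return 1
    }
    redirect_batch "$@" | uci batch \
        && uci commit firewall \
        && /etc/init.d/firewall reload
}

# Dry run by default; "--apply name port proto host" commits the rule.
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_redirect "$@"
else
    redirect_batch torrent 51413 'tcp udp' 192.168.50.20
fi
```

With both hops in place, an external probe of port 51413 on the ISP's public address should land on the LAN host; if it stops after hop 1, the usual cause is the ISP router forwarding to a stale OpenWrt WAN address rather than anything in this rule.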

Unfortunately I cannot set up DMZ.
This gateway is shared by my family (it also uses landlines, and such) and they are not okay with me bridging or using something like DMZ.
I can do basic stuff with it like port forwarding and such.
Basically, as long as it doesn't affect them and their devices still stay connected to their gateway, I have some room to make changes.

Sure... whatever works for you. I'm not sure what value OpenWrt has in your context, but if your network is working for you, that's all that matters.

Oh sorry, should have given more background. I start classes soon for a degree in networking/cyber security but most of it is done at home via remote learning. Having my own router will make it easier to learn and also, wanted VLAN support, change of DNS, something like CrowdSec running, and AdGuard. The thing is, this must be done in a way that does not affect their network. It will be more practical in the long run to get my own ISP. My ISP says they can run two internet connections at the same house, but since the family pays for 1200Mbps it would be awesome to use that speed and not have to pay the expensive cost.

I see... so you're setting up a home lab. Okay, that makes sense.