Wireless Bridge - Is it worth disabling the Firewall?

zakporter · August 17, 2019, 11:11am

When running a router as a Wireless Bridge is it worth disabling the Firewall or just leave it alone?

Seems a bit over the top running multiple Firewalls considering the internet facing router has one...

jeff · August 17, 2019, 11:41am

If you’re running WDS or a bridged protocol, you’ll need a different firewall than stock, generally much simpler.

If you’re running relayd (which I don’t suggest unless it’s the only option), it is an IPv4-only, NAT-based hack and requires a similar-to-stock firewall.

zakporter · August 17, 2019, 1:26pm

Just the standard WDS bridge setting that comes with consumer routers on stock firmware.

jeff · August 17, 2019, 3:12pm

You'll be ignoring the WAN-specific rules if you don't have traffic trough the WAN. They can be left for simplicity. Without VLANs over WDS or other reasons to prevent between-zone traffic, the "stock" rules are probably OK.

No such thing. While 4ADDR that WDS uses is standardized, how it is used is not. Interoperability between various implementations is far from guaranteed.

zakporter · August 17, 2019, 10:18pm

On most consumer (off the shelf) routers with stock firmware there is a box to tick to enable WDS bridge and a separate box to tick to disable the firewall/DMZ.

When you tick the box to enable the WDS bridge is it worth ticking the box to disable the firewall?

Yes
No
Don't Know

Unless someone gives me one of those 3 options i will not have the clue into understanding your post?

slh · August 17, 2019, 10:23pm

In the typical WDS/ 4addr repeater case (single ESSID, everything bridged), all packets bypass the firewall anyways (all traffic remains within the same zone) - so disabling it doesn't gain you anything (well, not a lot). In more complex setups you will need the firewall.

jeff · August 17, 2019, 10:31pm

WDS: You may or may not be able to interoperate two different firmwares (such as Brand X OEM and OpenWrt, or Brand X and Brand Y) because there is no "standard" WDS.

Firewall: Needed on the router associated with your ISP connection. Probably just fine to leave as it is with an OpenWrt device working as a slaved AP over WDS with only a single VLAN or bridge.

Mushoz · August 18, 2019, 3:05pm

Doesn't matter. As already mentioned, in this setup the packets will remain within the LAN zone, so no firewall rules will be triggered. It won't matter if you keep it enabled or disable it. Personally, I would keep it enabled. Should you ever redeploy it in a different situation, it's good that the firewall is already running if WAN is also involved

zakporter · August 18, 2019, 11:53pm

Thanks.

You don't get a Firewall on a Dongle and i'm the only one on the bridge , that's what i was thinking.

psyborg · August 19, 2019, 1:07am

disable it, if you know how to set static ip disable dnsamasq too. unneeded services, when disabled, free up at least some resources and allow faster device bootup