top | item 28379583

(no title)

For anyone who wants to go a similar route I can highly recommend OpenWrt as the OS. Not only does it run on cheap routers, but also on big x86 machines and even in VMs and/or containers. For example, I run OpenWrt on my desktop in a LXC container to manage networking (Wifi, bridging firewall for bridging VMs into the network, general firewall, etc.) through the nice webui. It gets direct to access the WiFi adapter and the host gets access through a bridge connected to the container via a VETH interface.

It comes with nice addon packages for stuff like Wireguard, all kinds of tunnels/VPN, adblockers, runs containers and a ton more. I even run it on a VPS as container with it having exclusive access to the "physical" NIC. The parent OS isn't directly accessible at all. Makes firewalling a breeze. The only open ports are for the Tor relay and Wireguard, through Wich I connect to the webui/ssh and do everything else.

Of course, my router also runs OpenWrt...

discuss

eric__cartman|4 years ago

I always found it baffling how a community maintained project like OpenWrt can not only keep routers updated for many years (unlike the manufacturer that gives you an update once in a blue moon for the first 2 years) but make these cheap routers so useful and so stable you just forget the thing is there in the first place. I can't remember the last time I had to reboot a router running OpenWrt because it started behaving erratically.

You can do a lot with these commodity ARM CPUs, 64-128MB of ram and a few tens of megabytes of flash storage.

maerF0x0|4 years ago

i literally have my comcast router on a 24 hour time and it shutsdown for an hour each night from 3-4am . Communism style brownouts of internet over night

lillecarl|4 years ago

How is the OpenWrt CLI? Say I want to deploy it with Ansible.

How does it stack up against VyOS (which just recently got VRF-lite support)

dtx1|4 years ago

> How is the OpenWrt CLI

You SSH into it. Then do whatever you need to. There's nothing in the UI that can't be done via CLI as far as I know. Some plugins might not be 100% CLI compliant but at least the Base UI (luci) is completely transparent to the CLI via uci.

rhn_mk1|4 years ago

OpenWRT doesn't pack Python out of the box, so you need to install it, and have enough space for it, if you want to use Ansible. It uses a custom stack for configuration (like VyOS), so builtin ansible tasks won't always be so helpful. Configuration is not stored in a single place, but in several files, and it's easy to lock yourself out while testing changes: there's no commit-timeout, and there's no committing of changes, nor rollback. It's just editing random files, and restarting services.

I think there's a special configuration command that might fix some of the above issues, but I've been using the web interface (which actually does support committing and, to some extent, validation).

3np|4 years ago

You know, I used to do this and give the same advice as well but after a lot of time spent on it, I am not anymore.

The way OpenWRT handles routing and firewall rules is particular and they apply their own terminology for some things. They have their own distro-specific packages for things like DHCP (odhcp(c)d) and firewall (fw3).

For very simple networks, it's very smooth to get to where you want. Add on dual-stack v4/v6, vlans, multiple firewall zones, routing policies etc and things start becoming very unpredictable.

Oh, and that adblock package? Turns out a single invalid line in a blocklist will completely break DNS (at least on the version I was running from last year).

Not to mention that (AFAIK) there's no good way to keep up to date with security patches and bugfixes while keeping the system stable.

After all the countless hours I poured into OpenWRT configuration, I finally realized that it's so much less pain and confusion with vanilla Debian with systemd-networkd (which BTW natively supports setting up Wireguard interfaces now) and firewalld+nftables, everything configured via ansible playbooks.

For someone diving into this today, it's a lot easier and more future-proof with nftables than iptables - and OpenWRT will be married to iptables for the foreseeable future.

It's great that it works for you, but if you like I did have some imposter syndrome over not perfectly understanding Linux networking and are happy that OpenWRT takes care of those confusing iptables rules and routing policies and what-not - you may just discover that learning how it actually works will take less work than abusing OpenWRT into doing what you want.

Sure, you have to give up the WebUI and some of the custom add-ons.

I am sure BSD or Rocky Linux are fine choices as well; Debian just happens to be what I mostly use for servers otherwise.

I don't want to hate too much on OpenWRT as it's great for novices with trivial needs and there are many devices where it or dd-wrt are the only readily available options. But if you run Linux anyway and have an x86/amd64/arm device you're going to use as a main router, I'd recommend choosing a "normal" distro and setting things up from scratch.

123pie123|4 years ago

for home I can recommend openwrt running on a BT Home Hub 5A

you can buy them in the uk/ ebay for 15-20 pounds already with openwrt installed (you can do it yourself, but it includes a bit of soldering) - I have two in case the main one fails - talks to most if not all ISPs

I love openwrt now, it does take a bit of getting used to if you havent used it before.

I mainly use to lock my wifi down between hours for the kids. whilst keeping another wifi/ SSID open.

for security all my NAS's are wired and locked down to key wired computers - I keep meaning to create a Nextcloud gateway on docker

OrvalWintermute|4 years ago

I thought about which OS for some of the same things and I realized that I would rather go with a lab version of a full enterprise firewall.

A Palo Alto VM gets you pretty much most of the sweet PA features without the cost, and a better approach than an outdated strategy like VLAN as Access Control, or zone firewalling, permitting the use of permit/deny by protocol, and overall better privilege tiering by network area.

todd8|4 years ago

I’m curious about PA firewalls. The product descriptions claim “Machine Learning” based routing/firewalls. What does that even mean? I’m a bit skeptical about AI being used in a firewall. Can someone help me understand why I should consider this instead of running pfsense on a Netgate appliance?

EvanAnderson|4 years ago

> A Palo Alto VM ... without the cost ...

Does Palo Alto have some kind of no-cost offering in their VM line?

stjohnswarts|4 years ago

I have dd-wrt on a tp-link router and it works great and has been for about 3 years now. No issues. I just have to check the site about once a month and see if there's an update. I wish that was automated or had a notice in the web gui a new one is available. Very configurable and stable.

atatatat|4 years ago

[deleted]