OpenWRT is an active and vibrant home firewall project that was born on the Linksys WRT54G line of home routers. It has grown and expanded to support an amazing array of old and new hardware alike. The list of compatible hardware is large enough to require its own index.
With the recent interest in the Raspberry Pi there is, of course, an OpenWRT build for it as well. In this tutorial I will show you how to install OpenWRT on a Raspberry Pi, add a second network interface, and replace your home firewall with your new OpenWRT firewall.
Of course, a Raspberry Pi could be used as a firewall with the default Raspbian distribution with the right configuration, packages, and tweaks. The key value of OpenWRT, however, is that it provides an easy to use and manage firewall solution for those who are not Linux power users. Most common operations can be done through the friendly web interface.
Please note that the OpenWRT image for the Raspberry Pi is very new and still under development. This tutorial uses a modified version of the default image to fix boot issues and SD Card stability. Refer to this article about the modifications for an in-depth explanation. I’ll be using the pre-built, modified image so no custom compiling or advanced knowledge is required.
Tip: When purchasing components for use with your RasPi, elinux.org has a list of verified peripherals.
The instructions below assume that you have access to an existing private network to download and set up the firewall. In my case, I built my OpenWRT RasPi firewall behind my old firewall before replacing it. I’m going to use my process as the model for this tutorial. Additionally, this tutorial assumes you have a separate switch for your network that is not integrated with your home router.
This diagram shows how the networking is going to be configured in the finished product. The OpenWRT firewall will replace a standard two-interface firewall. This tutorial will not cover adding WAP functionality to the firewall, although that may be a future topic.
You will need some basic information about your network. Write down your internal IP address space information for later use. In this example I will use the network 192.168.1.0, netmask 255.255.255.0, and broadcast 192.168.1.255 as this is a very common home setup.
Write down the IP address of your current firewall. In this example it is 192.168.1.1. Finally, find an unused IP address to use temporarily in this process. I’ll use 192.168.1.2 in my example.
Most of this information can be discovered by interrogating your existing firewall.
At this point you should see typical boot messages scroll on your monitor.
Once the console has stopped scrolling messages, hit the Enter key to open the command line prompt. You will see something like this:
Making the Attitude Adjustment drink is optional and not required for this tutorial. It may be fun, however, if you have the ingredients on hand. If you choose to follow the instructions, be sure to pick back up here afterwards.
ifconfig eth0 and you should see something like this:
eth0      Link encap:Ethernet  HWaddr B8:27:EB:5C:B3:3F
          inet addr:192.168.1.126  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:67533 errors:0 dropped:0 overruns:0 frame:0
          TX packets:71487 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24032301 (22.9 MiB)  TX bytes:12706941 (12.1 MiB)
Pay attention to the inet addr line, above. This is the current IP address the system received by DHCP. You will need this address to log in and manage the device. In this example the IP is
root as the username and click the login button to log in first without a password
The next step is to download and install the kernel drivers for the USB Ethernet adapter. OpenWRT has a nice web-based package manager that will allow you to filter on an appropriate package and install or remove it as needed.
The new USB network interface eth1 will be the external or WAN interface for the router. I recommend this particular adapter because it is a true USB 2.0 device and is not limited to the lower speeds of a 1.0 or 1.1 USB device. These next steps will define the eth1 device as the WAN interface, which OpenWRT understands, and it will automatically apply the correct firewall policy.
WAN as the interface name
Next, configure the internal interface to be static and enable the DNS/DHCP services on the internal network to allow internal dynamic IP addressing and name services. The temporary IP address is used in these steps to allow us to change the protocol to static, enable the DHCP services, and reconnect to the OpenWRT firewall later without jumping through too many hoops or having to statically assign an IP to your computer later in the process.
255.255.255.0 in the IPv4 netmask field.
Tip: If you don’t leave a keyboard and monitor attached to your firewall it will still continue to work just fine. You can reconnect the monitor and keyboard if you need to troubleshoot or connect to the firewall via its serial interface (Instructions can be found at the elinux.org RPi Serial Connection page). Most online troubleshooting can be done by logging into the Pi via SSH. A monitor and keyboard may only be needed if it does not appear on the network.
This final reconfiguration of the interface will move it over to the address the old firewall was using. This will allow any existing DHCP leases or hard coded addresses in your home to continue using the Internet without interruption.
On rare occasions I discovered that the system needed a reboot to align all the rules and services after moving interfaces around. This last reboot is more to verify that everything is set up right from cold boot. This means next time the power goes out you’ll still be in good shape after it comes back on.
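One way to confirm after that reboot that the WAN interface really landed in a restrictive firewall zone is to read the zone definitions back from the firewall configuration. The script below is an added example, not part of the original tutorial or of OpenWRT itself; the function names and the sample configuration are constructed for illustration, and it assumes the usual UCI layout of /etc/config/firewall with the network name you entered for the interface.

```shell
#!/bin/sh
# Added example: audit which firewall zone a UCI network belongs to.

# Constructed sample in the layout of /etc/config/firewall.
sample_firewall() {
cat <<'EOF'
config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
EOF
}

# Print "zone input forward masq" for every zone containing network $2 in file $1.
zone_policy() {
    awk -v net="$2" -v q="'" '
        function emit() { if (inzone && found) print name, input, forward, masq }
        { gsub("[\"" q "]", "") }                 # strip UCI quoting
        $1 == "config" {
            emit(); inzone = ($2 == "zone"); found = 0
            name = "?"; input = forward = "unset"; masq = "0"; next
        }
        inzone && ($1 == "option" || $1 == "list") {
            if ($2 == "name") name = $3
            if ($2 == "input") input = $3
            if ($2 == "forward") forward = $3
            if ($2 == "masq") masq = $3
            if ($2 == "network") for (i = 3; i <= NF; i++) if ($i == net) found = 1
        }
        END { emit() }
    ' "$1"
}

# Succeed only if the network is in exactly one zone that refuses unsolicited
# inbound and forwarded traffic and masquerades outbound traffic.
wan_is_hardened() {
    set -- $(zone_policy "$1" "$2")
    [ $# -eq 4 ] || { echo "FAIL: network is not in exactly one zone"; return 1; }
    case "$2/$3" in
        REJECT/REJECT|REJECT/DROP|DROP/REJECT|DROP/DROP) ;;
        *) echo "FAIL: zone $1 input=$2 forward=$3"; return 1 ;;
    esac
    [ "$4" = "1" ] || { echo "FAIL: zone $1 has masq disabled"; return 1; }
    echo "OK: zone $1 input=$2 forward=$3 masq=$4"
}
# On the router (assumed path): wan_is_hardened /etc/config/firewall wan
```

A network that appears in no zone is reported as a failure rather than silently passing, since it would then fall under the firewall's default policy instead of the WAN zone's.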
Congratulations! You have a brand new firewall. Another Attitude Adjustment drink is optional.
In this tutorial I have installed OpenWRT onto a Raspberry Pi, added a second USB network interface, and replaced your home firewall. The simple web interface of OpenWRT provides a powerful and easy way to manage your new firewall. This default install provides basic home firewall functionality including Address Masquerading, DHCP, and DNS services.
These capabilities are just the beginning. There is a rich catalogue of software available for OpenWRT that can be accessed via the System > Software tab. Packages exist to provide VPN, web server, and many other features well beyond the capabilities of off-the-shelf home firewalls.