[OpenWrt Wiki] Firewall and network interfaces (2024)

The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. Firewall rules add another layer of granularity to what is allowed to be forwarded across interfaces - and additionally which packets are allowed to be inputted to, and outputted from, the router itself. This section discusses the relationships between the firewall code and the network interfaces.

At the heart of all routers is a hardware switch with a number of interface ports. When a packet enters one of the switch ports, the hardware switch matches a fixed field in the packet and forwards the packet to an output port which transmits it.

The switch generally uses the layer-2 destination MAC address in the packet to switch on. Each port has a cache of MAC addresses for stations reachable by (attached to) that port. Entries in the MAC cache gradually age out, so must be re-discovered if used again. Layer-2 frames with a known destination MAC are switched to the desired LAN port. If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which has access to the destination MAC.
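The learn-on-source, flood-on-miss, age-out behaviour described above, as an added simulation (not OpenWrt or switch-vendor code). Port numbers, the MAC addresses and the 300-second ageing time are constructed sample values:

```python
"""Learning-switch model: per-port MAC cache, flooding on a miss, ageing.

Added illustration, not OpenWrt code. Port numbers, MAC addresses and the
300 s ageing time are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class LearningSwitch:
    ports: int
    age_seconds: float = 300.0          # assumed ageing time for cache entries
    # MAC address -> (port it was last seen on, time it was last seen)
    cache: dict = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Drop cache entries that have not been refreshed within age_seconds."""
        stale = [mac for mac, (_, seen) in self.cache.items()
                 if now - seen > self.age_seconds]
        for mac in stale:
            del self.cache[mac]

    def forward(self, in_port: int, src: str, dst: str, now: float) -> list:
        """Return the list of ports a frame is transmitted on.

        Learning: the source MAC is associated with the ingress port.
        Lookup: a cached unicast destination goes to exactly one port; an
        unknown destination or a broadcast (e.g. ARP) is flooded to every
        other port.
        """
        self._expire(now)
        self.cache[src] = (in_port, now)
        if dst == "ff:ff:ff:ff:ff:ff" or dst not in self.cache:
            return [p for p in range(self.ports) if p != in_port]
        out_port, _ = self.cache[dst]
        if out_port == in_port:
            return []   # destination is on the ingress segment; nothing to forward
        return [out_port]


def demo() -> dict:
    """Walk through learn / flood / unicast / age-out and return each outcome."""
    sw = LearningSwitch(ports=4)
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed station MACs
    bcast = "ff:ff:ff:ff:ff:ff"
    result = {}
    # t=0: station A on port 0 sends an ARP request; B is unknown, so flood.
    result["arp_flood"] = sw.forward(0, a, bcast, now=0)
    # t=1: B replies from port 2; A is cached, so the reply goes to port 0 only.
    result["reply_unicast"] = sw.forward(2, b, a, now=1)
    # t=2: A's next frame to B is switched straight to port 2.
    result["known_unicast"] = sw.forward(0, a, b, now=2)
    # t=400: B's entry (last seen at t=1) has aged out, so A's frame floods again.
    result["after_ageing"] = sw.forward(0, a, b, now=400)
    return result


if __name__ == "__main__":
    for step, ports in demo().items():
        print(f"{step}: out ports {ports}")
```

The `after_ageing` step is the behaviour the text calls re-discovery: once the cache entry expires, the next frame to that destination is flooded to every other port until a reply refreshes the entry.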

OpenWrt routers have two types of LAN interface: wired Ethernet (IEEE802.3 or RFC894 Ethernet II, Ethernet II being the most common) and wireless Ethernet (IEEE802.11).

The wired LAN ports each map directly to a single switch port. Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4 GHz, 5 GHz). Each handles one or more IEEE802.11 standard protocols (e.g. 802.11a, 802.11n) and ancillary support for wireless networks (e.g. 802.11s mesh networking). The Wi-Fi chips convert the 802.11 signal into a canonical Ethernet frame injected into the switch port for routing. All Wi-Fi stations connected to the 802.11 Access Point use the same radio(s) and the same switch port.

The LAN bridge interface br-lan combines wireless interface(s) with the wired ports to create a single logical network.

Note: Use bridging when combining WLAN and wired Ethernet ports. Otherwise partition the ports into VLANs.

Firewall zones

The firewall of an OpenWrt router is able to collect interfaces into zones to more logically filter traffic. A zone can be configured to any set of interfaces but generally there are at least two zones: lan for the collection of LAN interfaces and wan for the WAN interfaces.

This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces:

  • A rule for a packet originating in a zone must be entering the router on one of the zone's interfaces,

  • A rule for a packet being forwarded to a zone must be exiting the router on one of the zone's interfaces.

Note: Recognize that the zone concept does not significantly simplify a simple SOHO router with a single br-lan interface and a single wan interface. There, each interface has a one-to-one mapping with a zone.

Firewall and VLANs

VLAN provisioning and use is documented in:

A switch partitioned into multiple VLANs further helps to organize the switch ports. It is recommended that each VLAN map one-to-one with a zone. The advantage of using a VLAN architecture is that the packets are tagged with the VLAN ID to disambiguate routing/firewall decisions.
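The two zone rules above (a packet "from" a zone entered on one of its interfaces, a packet "to" a zone leaves on one of its interfaces) and the VLAN-per-zone recommendation, as an added model that is not fw4 code. It also shows the caveat behind the bridging note: two member ports of the same bridge exchange frames at layer 2, so the firewall's forward chain never sees that traffic, whereas a VLAN placed in its own zone is subject to the zone forwardings. The interface names, the zone policies, the forwarding pairs and the guest VLAN device `br-lan.10` are all constructed assumptions:

```python
"""Zone model of the OpenWrt firewall concept (added illustration, not fw4 code).

Interface names, zone policies, forwardings and the guest VLAN are constructed
sample values; real zone semantics come from /etc/config/firewall and fw4.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    interfaces: set
    input_policy: str = "REJECT"     # traffic addressed to the router itself
    output_policy: str = "ACCEPT"    # traffic originated by the router
    forward_policy: str = "REJECT"   # traffic between interfaces of this same zone


@dataclass
class Firewall:
    zones: list
    forwardings: set                  # allowed (src_zone, dst_zone) pairs
    default_forward: str = "REJECT"   # inter-zone traffic with no forwarding entry
    # bridge device -> member ports; members exchange frames at layer 2
    bridges: dict = field(default_factory=dict)

    def zone_of(self, iface: str):
        """Map an interface (or a bridge member port) to its zone, or None."""
        for bridge, members in self.bridges.items():
            if iface in members:
                iface = bridge          # a member port belongs to its bridge's zone
        for zone in self.zones:
            if iface in zone.interfaces:
                return zone
        return None

    def decide(self, in_iface, out_iface) -> str:
        """Verdict for a packet entering on in_iface and leaving on out_iface.

        in_iface None  -> packet generated by the router (output chain)
        out_iface None -> packet addressed to the router (input chain)
        """
        if in_iface is None:
            zone = self.zone_of(out_iface)
            return zone.output_policy if zone else "REJECT"
        if out_iface is None:
            zone = self.zone_of(in_iface)
            return zone.input_policy if zone else "REJECT"
        # Two member ports of one bridge form a single layer-2 network: the
        # switch forwards the frame and the firewall's forward chain never sees it.
        for members in self.bridges.values():
            if in_iface in members and out_iface in members:
                return "SWITCHED"
        src, dst = self.zone_of(in_iface), self.zone_of(out_iface)
        if src is None or dst is None:
            return self.default_forward
        if src is dst:
            return src.forward_policy
        if (src.name, dst.name) in self.forwardings:
            return "ACCEPT"
        return self.default_forward


def build_sample_firewall() -> Firewall:
    """Constructed SOHO layout: lan and wan zones plus a guest VLAN in its own zone."""
    return Firewall(
        zones=[
            Zone("lan", {"br-lan"}, "ACCEPT", "ACCEPT", "ACCEPT"),
            Zone("wan", {"eth1"}, "REJECT", "ACCEPT", "REJECT"),
            # VLAN 10 on the bridge maps one-to-one with the guest zone (assumed names).
            Zone("guest", {"br-lan.10"}, "REJECT", "ACCEPT", "REJECT"),
        ],
        forwardings={("lan", "wan"), ("guest", "wan")},
        bridges={"br-lan": {"lan1", "lan2", "wlan0"}},
    )


def demo() -> dict:
    fw = build_sample_firewall()
    return {
        "lan_to_internet": fw.decide("br-lan", "eth1"),     # forwarding lan -> wan
        "internet_to_lan": fw.decide("eth1", "br-lan"),     # no wan -> lan forwarding
        "guest_to_lan": fw.decide("br-lan.10", "br-lan"),   # VLAN zone stays isolated
        "guest_to_internet": fw.decide("br-lan.10", "eth1"),
        "wan_to_router": fw.decide("eth1", None),           # wan input policy
        "lan_to_router": fw.decide("br-lan", None),
        "wired_to_wifi": fw.decide("lan1", "wlan0"),        # same bridge: switched
        "unknown_iface": fw.decide("eth9", "br-lan"),       # unzoned: default policy
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:18s} {verdict}")
```

The `wired_to_wifi` result is the practical reason for the VLAN recommendation: anything you want the firewall to arbitrate between two groups of ports has to be split into separate VLANs (and zones), not left as member ports of one bridge.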

FAQs

Where are the firewall rules in OpenWrt? ›

OpenWrt's firewall management application firewall is mainly configured through /etc/config/firewall. Most of the information in this wiki will focus on the configuration files and content. The LuCI and UCI interfaces are user abstractions, ultimately modifying the configuration files.

How many interfaces does a firewall have? ›

All firewalls have at least two interfaces. Inside: the inside interface is typically assigned a static IP address (and this IP address typically comes from one of the three private IP address blocks: 10.0.0.0/8, 172.16.0.0–172.31.

What are the different types of interfaces in OpenWrt? ›

Section "interface"

Protocol | Description                                               | Program
pppoe    | PPP over Ethernet - DSL broadband connection              | pppd + plugin rp-pppoe.so
pppoa    | PPP over ATM - DSL connection using a builtin modem       | pppd + plugin ...
3g       | CDMA, UMTS or GPRS connection using an AT-style 3G modem  | comgt
qmi      | USB modems using QMI protocol                             | uqmi

Is router firewall enough? ›

While routers do act as basic firewalls, they offer pretty limited protection. We recommend pairing your router with some form of software firewall (like those included on your Windows or iOS device).

What is the difference between a router firewall and a firewall? ›

Routers link networks together and help to direct network traffic from its source to its intended destination. Firewalls, on the other hand, are security appliances designed to protect a private network against external cyber threats.

What type of firewall does OpenWrt use? ›

OpenWrt uses the firewall4 (fw4) netfilter/nftables rule builder application. It runs in user-space to parse a configuration file into a set of nftables rules, sending each to the kernel netfilter modules.

Is OpenWrt better than pfSense? ›

Features: Both OpenWrt and pfSense include a range of networking and security features, but pfSense is generally considered to be more comprehensive and feature-rich, with a focus on providing advanced firewall and routing capabilities.

What firewall rules should I use? ›

A good rule would be "permit tcp any WEB-SERVER1 http". "permit ip any any WEB-SERVER1" allows all traffic from any source to a web server. Only specific ports should be allowed; in the case of a web server, ports 80 (HTTP) and 443 (HTTPS). Otherwise, the management of the server is vulnerable.

How many network interfaces can I have? ›

In Linux kernel 2.2 there was a limit of 255 interfaces. In modern Linux kernels, interfaces and IP addresses are implemented as a linked list, removing any hard limit of these items.

How many firewalls does a network need? ›

How many firewalls do I need? In most scenarios, a single office or home office location requires only one firewall if the appliance is appropriately sized for the demands of the network.

What is network interface in firewall? ›

Firewall interfaces (ports) enable a firewall to connect with other network devices and with other interfaces within the firewall.

What is the default network interface of OpenWrt? ›

The default IP of the LAN ports of an OpenWrt device is 192.168.1.1. If the addresses of the devices in the network you connect to the WAN port are 192.168.1.X (X = any number), you need to change the IP address of the LAN interface on your OpenWrt router to 192.168.

What is the difference between OpenWrt interface and device? ›

OpenWrt interfaces are logical networks which utilize one or more devices. Devices in OpenWrt terminology are Linux kernel netdevs, such as eth0 etc. Linux itself uses the term interface and device interchangeably when referring to netdevs.

What are the 3 main types of interface? ›

The various types of user interfaces include: graphical user interface (GUI), command line interface (CLI), and menu-driven user interface.

What can we do with OpenWrt? ›

OpenWrt is for wireless routers. It can support almost all the functions that are necessary for wireless routers, like WAN, LAN, WLAN, firewall, port forwarding, port triggering, USB, IPv6, etc.

Can a router have a built-in firewall? ›

Most routers come with a built-in firewall that is designed to allow outgoing traffic to easily pass into the worldwide web but prevents any incoming traffic requests.

Article information

Author: Mrs. Angelic Larkin

Last Updated: