My interest lies in network security and networking, and I undertook this project to address some challenges I faced in my daily life. As a basic home internet user in the past, I relied on an ISP-provided router, which had limited functionality and belonged to the ISP. This led me to the idea of using the ISP router as an uplink while building my own customizable router with enhanced security features and advanced networking capabilities.
During my research, I explored OpenWrt, pfSense, and RaspAP. After using all three for a couple of months and engaging with their communities, I realized that OpenWrt was the best choice for my project.
As an intern at N-able Pvt Ltd Sri Lanka, focusing on networking, and a CCNA candidate, I have intermediate networking knowledge. Additionally, my cybersecurity degree has provided me with a solid understanding of network security. For this project, I used a Raspberry Pi 4 running OpenWrt, initially configuring it as a travel router before transforming it into my home router and firewall.
To enhance my setup, I incorporated a Layer 2 managed switch to connect my PCs using VLANs. I configured OpenWrt in a router-on-a-stick setup, managing inter-VLAN routing and firewall functionalities. My network includes various end devices such as a NAS server, a Proxmox server, my personal laptop, and mobile devices connected via Wi-Fi.
The following screenshots demonstrate how the system is set up and functioning.
- Port 1: connects to the OpenWrt router
- Ports 2, 3, 4, 5, 6, 9: connect to end devices inside the network
- Port 7: switch management port
- Port 8: uplink (ISP internet)
- VLAN configuration
- PID configuration
OpenWrt is a highly customizable Linux-based operating system designed primarily for embedded devices such as routers. It is open-source firmware that replaces the manufacturer's stock firmware and offers finer control, flexibility, and advanced features.
- Key features of OpenWrt:
Customizability:
- Full control over the router's configuration.
- Packages can be added or removed to tailor the firmware to the user's needs.
Advanced networking capabilities:
- Supports VLANs, QoS (Quality of Service), and dynamic DNS.
- Provides zone-based firewall management and NAT (Network Address Translation) settings.
Extensive package support:
- Includes a package manager (opkg) to install software such as VPN servers/clients, file-sharing services, and monitoring tools.
Performance:
- Can give older hardware a second life, since the base image runs few services and keeps resource usage low.
- Gives access to wireless settings (channel, channel width, transmit power) that stock firmware often hides.
Security:
- Regular releases and community patches to fix vulnerabilities.
- Strong support for encrypted VPNs, firewalls, and secure protocols.
Open source:
- Developed by a global community of contributors, so the code can be inspected and audited.
Common use cases:
- Home networks: improve performance and add features unavailable on stock firmware.
- Small business networks: set up secure VPNs, bandwidth control, and advanced routing.
- Specialized applications: IoT projects, mesh networks, or use as a small NAS.
- Device and firmware details:
This OS runs on a Raspberry Pi 4 Model B with 4 GB RAM and 32 GB of storage.
Version: OpenWrt 23.05.5 r24106-10cc5fcd00
Architecture: ARMv8 Processor rev 3
Target platform: bcm27xx/bcm2711
- User interface with the Argon theme
- Device list with each device's MAC address, its DHCP-assigned IP, and the lease time
- Wi-Fi adapters and information
- The built-in adapter is used to get internet from the ISP over Wi-Fi if needed; in this scenario it is turned off.
- A USB Wi-Fi adapter (Atheros AR9271) is used to broadcast the personal SSID and the guest SSID.
- Shows signal strength
- Connected clients (users) can be disconnected manually
- Device MAC and BSSID
- Interfaces and information
- guestwifi
- This interface is dedicated to guest users, primarily for Wi-Fi access.
- It isolates guest traffic so that only guest-related data flows through this interface.
- Guest clients cannot reach each other's devices (client isolation).
- Separate network (192.168.100.0/24).
- Cannot reach the admin panel.
- lan
- This interface serves home users, both wired (LAN) and wireless (WLAN).
- It carries the internal traffic of the home devices.
- VLAN 99 is assigned to this interface for segmentation and security.
- Network: 192.168.10.0/24
- tailscale
- This interface is used for remote access over the Tailscale VPN, allowing secure connections to the home network from external locations.
- wwan
- This is the uplink interface; all traffic from both the home and guest networks is forwarded to the ISP through it.
- VLAN 1000 is assigned to this interface to separate WAN traffic from the internal networks.
- Its address is assigned by DHCP from the ISP router (192.168.1.0/24).
Firewall zoning
In OpenWrt's firewall, a zone's Input policy applies to traffic from that zone to the router itself, Output to traffic the router sends into the zone, and Forward to traffic between interfaces inside the same zone. Traffic between different zones is allowed only by an explicit forwarding (or a traffic rule); nothing crosses zones by default.

lan (Local Area Network)
- Forwarding: lan → wan, tailscale
- Input: Accept (LAN devices can reach the router's own services: LuCI, SSH, DHCP, DNS)
- Output: Accept (the router can send traffic to LAN devices)
- Forward: Accept (traffic may flow between interfaces inside the lan zone)
- Masquerading: Disabled (NAT is done on the wan zone, not here)

wan (Wide Area Network - Internet)
- Forwarding: Rejected (traffic arriving from the WAN is not forwarded into the internal networks; only replies to connections opened from inside pass, via connection tracking)
- Input: Accept (traffic from the uplink to the router's own services is allowed). OpenWrt's default for this zone is Reject; with Accept, LuCI, SSH and DNS on the router are reachable from the ISP router's 192.168.1.0/24 segment unless traffic rules restrict them.
- Output: Accept (the router can initiate and answer traffic towards the WAN)
- Forward: Reject (no forwarding between interfaces inside the wan zone)
- Masquerading: Enabled (the internal networks are hidden behind the WAN address for outbound connections)

tailscale (VPN Network)
- Forwarding: tailscale → lan, wan
- Input: Accept (Tailscale peers can reach the router's services)
- Output: Accept (the router can send traffic into the tailnet)
- Forward: Accept (forwarding between interfaces inside the tailscale zone is allowed)
- Masquerading: Enabled (tailnet sources are NATed to the router's LAN address, so LAN hosts need no return route for the tailnet range)

guestwifi (Guest Wi-Fi Network)
- Forwarding: guestwifi → wan (guests get internet only; there is no forwarding into lan)
- Input: Reject (blocks access to the router's services; DHCP and DNS to the router must then be allowed by explicit traffic rules, or guests get no lease and no name resolution)
- Output: Accept (the router can send traffic to guest devices)
- Forward: Reject (no forwarding between interfaces inside the guest zone; separation between clients on the same SSID comes from the wireless client-isolation setting, not from this policy)
- Masquerading: Disabled (NAT happens on the wan zone)

VM_Network (Virtual Machine Network)
- Forwarding: Rejected (no zone forwarding is configured for the VM network, so traffic to other zones must be permitted by explicit traffic rules)
- Input: Accept (VMs can reach the router's services)
- Output: Accept (the router can send traffic to the VMs)
- Forward: Accept (forwarding between interfaces inside the VM zone is allowed)
- Masquerading: Disabled (VMs keep their own IPs)
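As an added example (not the author's code or configuration), the Python script below parses a file in `/etc/config/firewall` syntax and flags the two zone mistakes discussed above: an uplink (masquerading) zone that accepts Input, and an input-rejecting client zone with no traffic rule letting DHCP (67) and DNS (53) reach the router. The sample config is constructed to mirror the zones listed here and is not a copy of the author's file; the zone names, the `guest` prefix used by the forwarding check, and the `harden()` rule it appends are assumptions of this example.

```python
"""Parse an OpenWrt /etc/config/firewall and audit the zone settings
discussed above. Added example, not the author's code or config."""
import re

# Constructed sample modelled on the page's zones, not a copy of the author's
# file. Two deliberate weaknesses: the uplink zone accepts INPUT, and the
# guest zone rejects INPUT without a rule letting DHCP/DNS reach the router.
WEAK_FIREWALL = """
config zone
    option name 'wan'
    list network 'wwan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'guestwifi'
    list network 'guestwifi'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'guestwifi'
    option dest 'wan'
"""

def parse_uci(text):
    """Return a list of sections: dicts with '.type' plus their options,
    with repeated 'list' keys collected into Python lists."""
    sections = []
    for line in text.splitlines():
        tokens = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]
        if not tokens or tokens[0].startswith('#'):
            continue
        if tokens[0] == 'config':
            sections.append({'.type': tokens[1]})
        elif tokens[0] == 'option':
            sections[-1][tokens[1]] = tokens[2]
        elif tokens[0] == 'list':
            sections[-1].setdefault(tokens[1], []).append(tokens[2])
    return sections

def render_uci(sections):
    """Serialise sections back into /etc/config syntax."""
    lines = []
    for s in sections:
        lines.append(f"config {s['.type']}")
        for key, val in s.items():
            if key != '.type':
                kind, vals = ('list', val) if isinstance(val, list) else ('option', [val])
                lines += [f"\t{kind} {key} '{v}'" for v in vals]
        lines.append('')
    return '\n'.join(lines)

def audit_firewall(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    secs = parse_uci(text)
    def of_type(t):
        return [s for s in secs if s['.type'] == t]
    findings = []
    for z in of_type('zone'):
        name, uplink = z['name'], z.get('masq') == '1'
        policy = z.get('input', 'REJECT').upper()  # REJECT is OpenWrt's default
        if uplink and policy == 'ACCEPT':
            # Router services (LuCI, SSH, DNS, DHCP) become reachable from the uplink.
            findings.append(f"{name}: INPUT accept on a masquerading (uplink) zone")
        if not uplink and policy != 'ACCEPT':
            # Client zones that reject INPUT still need DHCP (67) and DNS (53) to the
            # router; a rule with no 'dest' applies to the router itself.
            allowed = set()
            for r in of_type('rule'):
                if r.get('src') == name and 'dest' not in r and r.get('target', '').upper() == 'ACCEPT':
                    allowed.update(r.get('dest_port', '').split())
            missing = sorted({'53', '67'} - allowed)
            if missing:
                findings.append(f"{name}: INPUT {policy} but no ACCEPT rule for port(s) {missing}")
    for f in of_type('forwarding'):
        if f['src'].startswith('guest') and f['dest'] == 'lan':
            findings.append(f"{f['src']}: forwarding into lan defeats guest isolation")
    return findings

def harden(text):
    """Return a corrected config: uplink zones reject INPUT, and each
    input-rejecting client zone gets an explicit DHCP/DNS rule."""
    secs = parse_uci(text)
    for z in [s for s in secs if s['.type'] == 'zone']:
        if z.get('masq') == '1':
            z['input'] = 'REJECT'
        elif z.get('input', 'REJECT').upper() != 'ACCEPT':
            secs.append({'.type': 'rule', 'name': f"{z['name']}-dhcp-dns",
                         'src': z['name'], 'proto': 'tcp udp',
                         'dest_port': '53 67', 'target': 'ACCEPT'})
    return render_uci(secs)

if __name__ == '__main__':
    print(*audit_firewall(WEAK_FIREWALL), sep='\n')
    print(harden(WEAK_FIREWALL))
```

To check a live router, copy `/etc/config/firewall` off the device (for example with `scp`) and pass its contents to `audit_firewall()`; the parser only understands the plain `config`/`option`/`list` lines that file uses, so anything hand-edited with other syntax will need review by eye.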
- Traffic rule set
- Traffic rules for each zone
- LAN devices may use ICMP; ICMP from guest devices is blocked
- Traffic rules for each zone
- Port forwardings
- DNS is used externally on port 5353
- Routing
- The Proxmox server's internal VMs use the 10.0.0.0/8 network. Routes are configured to give them internet access and connectivity to the LAN end devices.
- Bandwidth monitor
- Used to determine each user's download and upload usage.
- Guest Wi-Fi connectivity page
- The password consists of 20 characters, mixing numbers, uppercase and lowercase letters, and special characters.
- A QR code is provided for easy connection.
- The password expires and is regenerated automatically every 24 hours.
- A real-time countdown shows when the password will expire.
- Displays the number of connected devices/clients in real time.
- Speedtest via Ethernet using speedtest.net
- Home user, no limitation
- Public IP is dynamic
petal_20250123_203802.mp4
- Speedtest via Wi-Fi (home user)
- Home user, no limitation
- 2.4 GHz signal
- USB Wi-Fi adapter (Atheros AR9271)
petal_20250123_202925.mp4
- Speedtest via Wi-Fi (guest user)
- Speed limitation (Down: 5 Mbps | Up: 2 Mbps)
- 2.4 GHz signal
- USB Wi-Fi adapter (Atheros AR9271)
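The guest Wi-Fi page above describes a 20-character mixed-class password that is regenerated every 24 hours with a countdown. The page does not show how the author implements that, so the following is an added example of how such a generator and rotation check can be written; the character classes, the 24-hour rotation constant and the ISO-8601 timestamp format are assumptions of this example, and the mistake it guards against is drawing the password from a non-cryptographic generator.

```python
"""Generate and rotate a guest Wi-Fi passphrase as the guest page describes
(20 mixed characters, new one every 24 hours). Added example; the author's
own implementation is not shown on the page."""
import secrets
import string
from datetime import datetime, timedelta

# Assumed character classes: digits, upper, lower, and printable specials
# (WPA2 passphrases accept any printable ASCII, 8 to 63 characters).
CLASSES = (string.digits, string.ascii_uppercase, string.ascii_lowercase,
           "!@#$%^&*()-_=+")
ROTATION = timedelta(hours=24)  # assumed rotation interval from the page


def generate_guest_password(length=20):
    """Return a passphrase containing at least one character of every class.

    Uses the secrets module (a CSPRNG), never random: a password that is shown
    publicly with a countdown must not be predictable from earlier ones. One
    character per class is drawn first, the rest from the union of all
    classes, and the result is shuffled so class positions are not fixed.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    chars = [secrets.choice(cls) for cls in CLASSES]
    pool = "".join(CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def has_all_classes(password):
    """True when every class in CLASSES is represented in the password."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def seconds_until_expiry(rotated_at, now):
    """Countdown value for the guest page; both arguments are ISO-8601
    timestamps. A value <= 0 means the password is due for rotation."""
    expires = datetime.fromisoformat(rotated_at) + ROTATION
    return (expires - datetime.fromisoformat(now)).total_seconds()


def rotate_if_due(state, now):
    """state is {'password': str, 'rotated_at': iso}; returns the state that
    should be in force at 'now', with a fresh password once 24 h have passed."""
    if seconds_until_expiry(state['rotated_at'], now) <= 0:
        return {'password': generate_guest_password(), 'rotated_at': now}
    return state


if __name__ == '__main__':
    pw = generate_guest_password()
    print(pw, has_all_classes(pw))
```

On the router itself the new value would be applied to the guest SSID's wireless section with `uci set wireless.<guest_iface>.key='<password>'`, `uci commit wireless` and `wifi reload`; the section name `<guest_iface>` depends on the local `/etc/config/wireless` and is not given on the page.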