Implementing VLANs in OpenWRT: Enhancing Network Security and Efficiency

OpenWRT is a powerful open-source firmware replacement for many home “appliance” routers that brings enterprise router features to home network hardware. One key feature it offers is the ability to implement Virtual LANs (VLANs), which allow you to segment your network into distinct virtual networks. I will guide you through the process of setting up VLANs in OpenWRT, with a focus on three use cases: isolating IoT devices, creating guest networks and isolating homelab networks.

Understanding VLANs

A VLAN is a logical grouping of network devices. By using VLANs, you can create isolated networks that operate as if they were physically separate, providing enhanced security and efficiency.

A VLAN uses an identifier called a “tag” to identify a virtual network. VLAN-aware devices can associate a tag with a specific physical port or wireless network and confine traffic carrying that tag to those ports/networks.

A port can also be configured as a “trunk” port, which passes traffic for multiple VLANs with their tags intact. This is useful when you want to extend multiple VLANs across devices, for example a backbone link connecting two Ethernet segments.

Steps to Implement VLANs in OpenWRT

1. Accessing OpenWRT Web Interface

  1. Connect to your router’s web interface by entering its IP address in your web browser. Typically, this is 192.168.1.1. Hopefully you’ve changed yours. :)
  2. Log in with your admin credentials.

2. Install VLAN Support

Navigate to System > Software and click on Update lists to ensure you have the latest package information. Then, search for and install the luci-proto-relay package. This package provides the necessary tools for configuring VLANs.

3. Configure VLANs

  1. Go to Network > Switch. Here, you will see a list of your router’s switch ports.
  2. Identify the port to which your LAN devices are connected. This is often labeled as ‘CPU’ or ‘WAN’.
  3. Click Edit next to the identified port.
  4. In the “VLAN” section, create a new VLAN by clicking Add.
  5. Assign a VLAN ID (e.g., 10 for IoT devices) and choose a CPU Port. The CPU port should be the same port you identified earlier.
  6. Click Save.
  7. Repeat steps 4-6 for additional VLANs, such as a guest network (e.g., VLAN ID 20).

4. Configure Interfaces

  1. Go to Network > Interfaces.
  2. Click Add new interface.
  3. Choose a name for the interface (e.g., IoT).
  4. Select the VLAN you created for IoT devices from the dropdown menu.
  5. Click Submit.
  6. Repeat steps 2-5 for each additional VLAN you want to create.

5. Configure DHCP (Optional)

If you want each VLAN to have its own DHCP server, go to Network > DHCP and DNS. Click Add to create a new DHCP server for each VLAN interface you created.
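The configuration that steps 3 to 5 above produce, written out as UCI files so you can check the result on the router. This is an added example, not from the original post; it assumes OpenWRT 21.02 or later (DSA bridge VLAN filtering, where the Network > Switch page of older builds becomes bridge-vlan sections), switch port names lan1/lan4, radio0, and the 192.168.10.0/24 range, all placeholders. It also shows the firewall zone that actually enforces the isolation: the IoT zone can only forward to wan, and only DHCP and DNS may reach the router itself. The guest network follows the same pattern with VLAN 20 and its own zone, plus isolate on the SSID so guests cannot see each other.

```uci
# /etc/config/network (excerpt): VLAN 10 on the LAN bridge for IoT
# lan4 is an untagged access port (PVID 10); lan1 is a trunk carrying tag 10
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan4:u*'
	list ports 'lan1:t'

config interface 'iot'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp (excerpt): separate DHCP pool for the IoT interface
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall (excerpt): IoT may reach the internet, nothing else
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

# input is REJECT, so DHCP and DNS to the router must be allowed explicitly
config rule
	option name 'iot-dhcp-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# /etc/config/wireless (excerpt): guest SSID with client isolation
config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'Guest'
	option encryption 'psk2'
	option key 'CHANGE-ME-PLACEHOLDER'
	option isolate '1'
```

After editing, run `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then confirm from an IoT client that 192.168.1.0/24 hosts are unreachable while the internet still works.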

Use Cases for VLANs

1. Isolating IoT Devices

IoT devices are notorious for their security vulnerabilities. My oven and my refrigerator both connect to a phone app which is mildly helpful and frighteningly connected. By placing them on a separate VLAN, you can isolate them from your main network, minimizing the risk of an IoT security exploit affecting the rest of your home network. Mine can talk to specific hosts/networks on the internet, but not to any of my internal hosts.

2. Guest Networks

Creating a guest network on a separate VLAN allows you to provide internet access to visitors while keeping them isolated from your private network. With my guest network, I’ve set an easy password and configured “client isolation”, meaning that a client on the guest network can’t access another guest, or my home network.

3. Homelabs

I have a VLAN set up for my homelab, so I can restrict my traffic from a test Active Directory environment, a test Linux environment and several home servers in their own virtual network, separating their traffic from my home streaming traffic.

Conclusion

Implementing VLANs in OpenWRT is a powerful way to enhance network security and efficiency. By segmenting your network into distinct virtual networks, you can isolate specific groups of devices and control their access. This is particularly useful for securing IoT devices and providing a secure guest network. With OpenWRT’s flexibility, you can tailor your network to meet your specific needs.

WRT54G to WRT1900ACS: Empowering Networks with OpenWRT

What’s a WRT1900ACS?

The WRT1900ACS is a capable router from several years ago that is dirt cheap on the used market and has a ton of features that I like. With an alternative OS like OpenWRT or DD-WRT, you unlock new features comparable to those of a proper router.

I started running home networks on a Linksys WRT54G, an ancestor of the WRT1900ACS and a pioneering router that redefined home networking. Its open-source firmware became a playground for tech enthusiasts, setting the stage for a community-driven approach to router customization. I still keep one in storage for nostalgia’s sake.

The WRT1900ACS was released in 2015 but still holds its own in 2023. It is equipped with a 1.6 GHz dual-core processor, 512 MB of RAM, and four antennas. I use it as a border router on a 600 Mbit cable circuit and it keeps up with multiple traffic streams.

This router has a USB 3.0/eSATA connection, a USB 2.0 connection and gigabit Ethernet. I’ve used an external USB drive to act as shared storage for my LAN, and shared movies and music using the router’s built-in DLNA server.

One thing that attracted me to the WRT1900AC series of routers is dual firmware images. The router keeps a backup firmware image at all times. If the router crashes and doesn’t come fully up three times in a row, it switches to the failover image. I keep the Linksys image on one side and OpenWRT on the other, so I can always go back if needed. If you want to go all-in with OpenWRT on both images, you’ll need to upgrade the firmware twice.

Under OpenWRT, I’m able to use enterprise-class networking tools with a friendly GUI. I’ve added network traffic monitoring, a Wireguard client and server, VLANs and a reverse proxy for my network.

If I were to compare the two, I’d say DD-WRT is a little easier to pick up, OpenWRT is more flexible. I’ve been focused more on OpenWRT of late, as I’m running a homelab and use it as a sandbox for ideas to use at work.

Installing OpenWRT

OpenWRT has detailed information about the router and installation instructions at https://openwrt.org/toh/linksys/wrt1900acs, but the process is pretty straightforward. You’ll use the Linksys stock firmware, go to the firmware upgrade section of the web admin tool, and upload the “Firmware OpenWRT Install” version. Mess up and brick your router? Turn it on, wait for the lights to come on, then turn it off. Repeat two more times to return to the failover image and try again.

Once you install OpenWRT there is a multitude of extensions and applications available. Be mindful of available disk space and memory when choosing applications to install!


Installing OpenWRT and Wireguard VPN

Most home routers sold today are running Linux under the hood with a proprietary web GUI intended for home users. There’s been a movement over the past several years to create a more featureful environment for these routers by creating third-party firmware.

I installed OpenWRT on a Linksys WRT1900ACS router acting as my internet gateway. OpenWRT is a fully writable Linux filesystem and, unlike factory images, allows you to extend the router’s capabilities through add-on packages. OpenWRT can serve files via NFS, act as a web server or reverse proxy for your homelab, filter web ads for your network, and more. It’s as close to a full router experience as you can get on a piece of commodity home hardware. As a router/firewall, OpenWRT features zone-based firewall rules, NAT, port forwarding, VLANs, advanced wireless security and support for Wireguard and OpenVPN virtual private networks.


The installation took about 15 minutes – going to the OpenWRT site, finding the correct firmware version, and flashing my router from the OEM web interface with the web-upgrade version of OpenWRT. Many Linksys routers feature a dual-flash design, so if you brick the router during the process you can boot over to the working partition and start over again.

As a side-benefit, my WAN speeds increased by roughly 30% by running OpenWRT on the same hardware versus the OEM firmware.

Once I had my router working, I added Wireguard VPN support. Wireguard is an efficient, key-based VPN that claims to be simpler than IPsec or OpenVPN. Torguard, my VPN provider, supports Wireguard, so I downloaded my Wireguard configuration from their web site, entered it into the OpenWRT GUI, and enabled Wireguard.

VPNs are great at hiding your traffic from your ISP and from eavesdroppers on the local network, but many streaming media sites block VPN traffic. That’s where the vpn-policy-routing package comes in. Install it, enter the names of sites that should bypass the VPN and you’re done.

Now I have all of my traffic routed through a VPN with the exception of streaming services, and I can add any new services that need to route over my WAN from a web administration page.