Snort3 or suricata can definitely be helpful, though those are more IPs/IDS solutions, that are on top of DPI in general. IDS and IPS solutions can be for source intensive too, so OpenWrt on your standard routers won’t be able to handle too many rules in either platform. They’d be better on a x86 mini pc if you still wanted to use OpenWrt. To that point, it doesn’t seem like suricata has been fully ported to OpenWrt, only Snort has been. There are other DPI systems like Netify that work on OpenWrt, but I have not tried it, and it seems to be a paid solution as well. They don’t seem to exactly be an IDP or IDS but simply doing packet inspection for network analytics. For DPI and related services like IDP or IDS, I’d recommend using a platform with more power, and using BSD based solutions like OPNsense or pfSense, using Intel based hardware, and something with more than 1 GB of RAM. I haven’t gotten around to doing DPI or IDP/IDS personally, other than enterprise grade solutions such as Palo, so I don’t have much experience to share here. Though I’ve heard good things about ZenArmor that I’m hoping to try in the near future that offers tons of functionality more than IDP and IDS, more in the realm of “Next Generation Firewalls”. If you do happen to use Snort on OpenWrt, I’d be curious to hear about your experience. You might get to it before I do.
Excellent overview of the Firewall and the zones on OpenWRT and explained in a very simple/accessible terms. Thank you. I was looking for this info on the OpenWRT site, but was unable to find (perhaps, my mistake).
Thanks for watching @moetocafe! I appreciate it and the compliment. It took me some time, and testing, to wrap my head around zones but once I did, it was easy enough to remember. I figured a good visual could really help to show how they work. You can find a very quick and basic explanation below, but you can find more on OpenWrt's forum I'm sure, though I have no specific examples from the forum to refer to. openwrt.org/docs/guide-user/firewall/fw3_network Visuals always help, in my opinion.
@DevOdyssey I was reading the Quick start guide, but couldn't understand the basic concepts of how OpenWRT is constructed logically, so your video helped me comprehend. My first attempt at OpenWRT was unsuccessful, but now I'm almost confident I'll manage. My ISP limits the Internet by MAC address, and before I figured out how to set up the network settings in OpenWRT I already messed it up and rendered it inoperable :)) I hope to have time soon and finally do it the right way. My initial mistake was to put the MAC address on the WAN, which now I understand was wrong, as it is a zone, not a device. The ethernet device (it was something like esp3...) must be set with the MAC.
Glad to hear how my video helped, @moetocafe! The reset button on routers sure makes it convenient to start from scratch when we lock ourselves out! Trial and error will certainly help you truly learn OpenWrt. It's the way I have learned, with plenty of self lock-outs to show for it. Given that your ISP limits internet by MAC address, I would assume that it's referring to the MAC on your WAN port (or if anything your modem's MAC). So I'm not sure why it wouldn't work there. But nonetheless, by default there is a WAN zone as well, not just a WAN interface, neither of which are a device, hope I'm not losing you here 🙂 You are correct that the ethernet device itself is where you would modify any MAC settings, as need be. Would be happy to hear how this works out for you!
I would like to see a set of basic firewall rules set up on OpenWRT with a default deny rule set on the LAN. I would like to see rules for DNS/mDNS, dhcp-client including refresh, http/https-client, passive ftp client, ssh-client, pgp-clients, multimedia (like UA-cam) clients, and video conferencing clients (like ZOOM). An episode where you review assorted network tools would also be useful. I would like to be able to inspect the details of packets that get dropped for example, to figure out how to write my own rules and to check my configuration. Thanks for explaining the basics of linux firewalls. Some things definitely make more sense now.
Thanks for watching @JBlask! Appreciate you sharing your ideas. A general firewall rule video on good rules to implement is one I've been wanting to make for some time, but haven't gotten around to it. Those additional rules you're referring to, I haven't really ever made rules for all those, as some are automatic, like the dhcp rules. HTTP(S), FTP and SSH are straightforward, pgp clients I'm not sure on, and doing rules for applications like UA-cam or Zoom requires a different type of firewall, one that can create Layer 7 or application rules. You won't be able to create those with OpenWrt. I have wanted to do a network tools video too, like ping, iperf3, tcpdump, but haven't fully fleshed that idea out. Deep packet inspection is something I still need to improve on, so one day I could go more in depth there. Nonetheless, I'm happy to hear this video as it stands was able to teach the basics, just as I had intended.
HE IS BACK!!! I was actually on your channel two days ago wondering where you went and here you are! I always love watching you and always learn something. I actually use you as my main youtube source when trying to learn openwrt and networking! Last time we interacted I was playing around setting up my own wrt on a bananapi, that has gone on ice since then, but maybe it's time to pick it up again. You set the destination zone to device. Does that mean every ping attempt going through the router (to both lan and wan) will be stopped or ONLY the pings to 192 168 1 1? (youtube did not like me using dots there) I just want to tell you how happy I am to see you again! Watching you is like watching a video presentation in school (yes, I'm that old, we used VHS when I went to school) BUT NOT BORING! I don't know what you work with besides this, but I REALLY hope someone besides us here on youtube gets to experience your teaching. :D
Thanks Marcus! That all really means a lot to hear, thank you so much for sticking around and being a fan. I'm happy to have caught you at the right moment! I've had a bit of life changes that caused the hiatus, notably becoming a father, so I've been figuring out how to allocate my time to get more videos out. It always makes me happy to hear how much my fans learn from watching my videos. It feels great to be an official source of networking and OpenWrt knowledge for you 😊 I would be happy to hear you pick that up and get it working with OpenWrt! I've been wanting to get more hardware to try out OpenWrt installs on to see what I can get working, but I've been a bit cost conscious, and not spending much money on hardware. Banana Pi has lured me with its networking options, so definitely get back to it, and reach out if you have any questions! As for the destination zone set to device in this example, it will only be dropped when going to the router interface itself, that being 192 168 1 1. If you ping an external IP address, that will be passed through the router with no drops or rejects. Yeah, I try to not use dots in my IP addresses either, I learned UA-cam did not like that a while ago, so I always format it haha. I'm flattered to hear that, and I'm glad to be back as well. A comment like this is a nice one to come back to with a new video. I can relate, I used to watch VHS in school as well, so I hear you, just not boring of course haha. You're too kind, thanks for all the compliments. I have a day job in Information Security doing (Web) Application Security and Security Assessments, so this knowledge I've gained over the years has been extremely useful for me at work. I do have some colleagues I share my knowledge with, and some interns on the team, but I'll have to say, it's me who's been doing tons of learning over the years as I got my start in Information Security roughly 3 years ago.
What I know now, and have made videos on, is a result of how much I've learned to be well prepared for a role in Information Security. Anyway, thanks again for the kindness, and I look forward to hearing about your Banana Pi project!
Thank you Marcus! She's been the center of my world since she was born. She's growing and learning quickly, and I've learned from her too, notably how to be a father; something she'll continue to teach me throughout my life. As a voracious learner, I couldn't be happier to be on this journey with a new life to raise in this world.
Thanks for watching @solomonkamariki6342! I haven't yet gotten into tailscale, but it's something I've been wanting to get into. With my appreciation for WireGuard, I was happy to see how tailscale expanded on WireGuard by adding authentication, and a plethora of other features, making it an entirely robust peer-to-peer tunnel meshing platform. Anyway, when I do get around to using tailscale, you can be sure I'll make a video on it!
Thanks for the compliment @Alex-un5tl! Glad I could clear it up for you. Took me some time to wrap my head around it as well, but once I finally understood it, it made writing firewall rules much easier.
Thank you for the video. I have a question regarding the WireGuard VPN, as I tried all the steps you mentioned in the last video but it didn't work. I think the new openwrt firmware is a little different, can you help with this?
Thanks for watching Abubakr! So this comment seems better suited for that Wireguard video you are referring to, so in future questions, it would be better to ask there, so others can see our discussion and maybe learn from it. Which Wireguard VPN video are you referring to? the router one or the Site to Site VPN one? The protocol hasn't gone through any major changes, so that configuration should work, and you might be running into another issue or a configuration issue. There could be some OpenWrt UI changes, but from what I see, those changes shouldn't be major to be different from this video. If I have a better understanding of what video you are referring to and telling me the steps you took to achieve that configuration, I might be able to help you and see where your problem may lie.
So by firewall zones, is it possible to make like 2 or more physical routers, each of which has a different local IP gateway, in the OpenWrt system? (I don't know how to say it technically but you get the idea, right?) And if so, can you guide me through the steps? Thanks 😊
Thanks for watching @j0efil! Not sure I completely understand, but I'll try. You can create different networks, or subnets, in OpenWrt, and each of those will have a different router IP, (say 192.168.1[.]1 and 192.168.2[.]1). They both would physically lie on the same system (the OpenWrt router). You can achieve this in multiple ways. If your router has more than one ethernet interface, you can simply create a new network on it. If not, you can create VLANs that can achieve the same thing, with a bit more flexibility. You can watch my video on creating VLANs below (for newer OpenWrt systems). The second video you can watch for more educational information regarding what VLANs are. VLANs in OpenWrt 21.02+ ua-cam.com/video/d3aYMqt-b_c/v-deo.html How VLANs work (and how to set them up in OpenWrt 19.x) ua-cam.com/video/5TtlAXeaGUM/v-deo.html
@j0efil You're welcome! I unfortunately don't have a guide on it at this time, but I suggest following through with their guides. openwrt.org/docs/guide-user/network/wan/multiwan/mwan3 But if I understand what you are getting at, it should be as easy as changing the metric on the port, which really defines its routing priority. The higher the metric, the higher its priority; it's really as simple as that.
Hello sir, I need help. I want to prioritize packets from the wan interface to my PC's local IP address using DSCP classification EF. Is that possible? If yes, how do I do it? Please answer me, I really need to know how 💔
@captainspaulding7612 thanks for watching! In full transparency, I have no experience implementing DSCP tagging in firewall rules. However, I can share with you what I know conceptually and my research on how to implement it. Essentially, you want to create a firewall rule against the traffic you want to apply the tag on. For example, you want to prioritize video streaming traffic. Create the firewall rule, with the source being your local IP, the destination being the video streaming website, the protocol for video streaming, typically https (tcp, 443), but could be other ports and protocols too. Then in the advanced settings, scroll down to extra arguments, and add the following: -j DSCP --set-dscp 34 34 correlates to AF41 priority, which is most commonly used for video traffic, for EF you’d use 46. Then set your action to accept, then save and apply, and you’re done. Just repeat for any other video streaming services. You can do some additional checks to verify the rules in action, using terminal commands, but otherwise, the above should get your desired result. Feel free to do a bit more research and you should be able to find what you’re looking for regarding verification.
@captainspaulding7612 You're welcome. Take some time to work it out, and eventually it should make sense. I need to do the same, and would like to try this out and see how it affects my video streaming quality.
Thanks for watching! These rules were just used as an example / demonstration, and you should proceed with caution when implementing these rules, as you can definitely lock yourself out of LuCI, especially if you rely on HTTP to access LuCI (and not HTTPS). To change the firewall rules via the terminal / ssh, you can refer to the following documentation. openwrt.org/docs/guide-user/firewall/firewall_configuration Basically the rules are stored in a file, so you can delete the rule there, or use uci commands to delete the rule. The link above goes into good detail on how to do that.
@ArminC-g3y Awesome, glad you figured it out and learned plenty along the way. Happy to make these videos and hear from my viewers what they get out of them. All the best on your learning journey!
Sorry, you haven't mentioned that crucial information at the very beginning of your video; it would save a lot of unnecessary wasted time. Please reconsider your way of introduction in your video @DevOdyssey
@scorpion47aka thanks for watching! I appreciate the feedback. Always take good consideration when making firewall rules, especially since most routers don’t have serial access that you can use as out-of-band access, as otherwise you’d need to reset the router if you get locked out completely. I’ll keep this in mind in my other videos, as in general I do try to highlight important consequences of any actions done on a system / router.
Is it possible to learn a little about openwrt x86(on a vmware or virtualbox, proxmox workstation)? How to install, build? 1. Can I find out by configuring open server on openwrt and client? 2. ipsec, ike server client? 3. Please tell me, is it better to use ipsec/ike natively from an android phone version 12-13? 4. How would you organize a network between two objects if both are for nat?
Thanks for watching Antonio! I’d certainly like to get to more of those topics. With OpenWrt on x86, it should act no different than on any system. However being virtual, that’s a whole new topic of its own, virtual networking, and it depends on your hypervisor how you would go about that. I’ve done this with OPNsense and VMWare, just not yet with OpenWrt. Regardless, the concepts look the same and I look forward to making a video on it one day. Building shouldn’t be much different. You’d still create a build. The difference is with virtualization, you’d need to create a virtual machine file that is based off your OpenWrt custom build. This file will vary by hypervisor but the concept remains the same across platforms. This also covers your install question. I’m not sure what you mean by configuring open server, but there are plenty of articles, I’m sure, that explain this that you can reference in the meantime. As for what VPN tech you want to use, I’ve not used IPsec with IKE so I can’t go into detail there. Better than what other option? Other VPN software? As I haven’t used it before or set it up, I can’t really comment on it, but it’s an enterprise based solution (IPsec / IKE) so you can’t go wrong, though this may be more difficult to achieve than just using WireGuard or OpenVPN. I’m not sure what you mean by organizing a network, as at least for your internal network, that depends on your use case. For connecting two different networks over the internet that are both behind NAT, the easiest route is to use a cloud server that acts as an intermediary between the two to broker the connection. Otherwise you can try something like UDP hole punching, but that would require using a STUN server, or a cloud server to gather the port information needed for UDP hole punching.
I haven’t done this with IPsec / IKE, so I don’t have anything to say here, but I have done so with WireGuard and it’s not too difficult, though it’s a pretty manual process if you’re using pure WireGuard. This was mostly to prove out the concept. I’d recommend using tailscale here as it’s built on WireGuard and offers many additional great features on top of it, and overcomes the issue of traversing NAT, especially when both networks are NATted to the internet. That’s another solution I look forward to trying out myself; I’ve only heard great things about it.
Thanks for watching @redblue4962! Don't apologize, it's not a dumb question at all, it's an interesting one. So from reading the defaults and your question, your internet should still work, if you've already connected to it. If not, then it might fail to work for IPv6 traffic, and it might not get a new IP address. Honestly, I'm still not well versed in IGMP and ISAKMP, so I'm not sure what the implications are there. It doesn't seem like there is a default "allow outbound" rule, as it seems to implicitly allow outbound traffic unless you block it, so I don't think you'd block yourself from reaching the internet. So I definitely wouldn't do it without knowing what each rule exactly does, but it doesn't seem to be catastrophic. Oh and you won't be able to ping your router from the internet, which isn't exactly a bad thing, and from a security sense, can be beneficial.
Thanks for watching @x-factor9689! I’m not sure I entirely understand what you’re asking for. In terms of SNI, that’s just the hostname of the client initiating the connection in the TLS protocol, regardless of originating country of the server. Countries don’t have SNI, TLS does for hosts. I tried looking up what HC or NPV mean but I couldn’t find it. To me, it sounds like you are trying to bypass country restriction for internet browsing, which you can do with just a VPN. If you have more context you can provide, I may be able to provide a better answer.
Thanks for watching @ThatTransistorGuy! I haven’t personally encountered this, but it seems to relate to iptables rules being present when nftables is now the default firewall rule engine. This can be caused by other apps you may have installed that utilized iptables rules, such as vpn-policy-routing. I’d look into that first. Here is a reference in the OpenWrt forum that led me to this. forum.openwrt.org/t/legacy-rules-detected-on-22-03-0/136955
the new openwrt 22 has taken away the ability to create custom rules to control TTL settings with iptables. A lot of us use these with LTE modems. The new method requires using nftables for setting ttl values. This method involves firewall rules from what I can comprehend. We're all waiting for someone to create a thorough video showing how to do this. Can you give it a try? You'd get a million views, I can tell you that!! So far no content creator has taken on this challenge.
Thanks for watching Molly! I do know that OpenWrt has moved to nftables versus iptables, so it might be possible in nftables. I have heard of the importance of using different TTLs with LTE modems, as it's seemingly an indicator for what OS you are using, and therefore can bypass rate limiting or bandwidth throttling with different TTLs. It looks like you can create a firewall rule for changing TTLs, and this is something I'll look into in the future more in depth, as I do have my own LTE modem that I'll be messing around with in the future to get MBIM working, as opposed to QMI. Take a look here to see if this helps. Should work for OpenWrt 22.03 as per the title in the post. forum.openwrt.org/t/working-nftables-rule-for-ttl-in-22-03/144838 I'd definitely recommend doing research there when you need guidance.
This is appallingly ambiguous. You are completely silent on the fact that the router has "accept" when you seem to say "allow". You say one thing about forwarding and then label it ambiguously and later say the other thing. BE CLEAR. Input and Output are input and output from outside WHAT? Do you mean outside on the Internet or just outside the zone? Anyway, which boxes are Zones, just LAN, or are LAN1 and LAN2 zones as well/instead? If LAN1 and LAN2 aren't zones, what are they? I give up. I'm trying to learn this stuff and this is just useless.
Thanks for watching, it's unfortunate there were some things you didn't understand. Maybe I can clarify them for you. I said allow, likely because I'm used to that terminology from BSD networking, where I've spent more time writing firewall rules than within OpenWrt. Nonetheless, I would imagine most would understand that those words are practically synonymous, but to be clear, I meant Accept, not Allow. What is it that I can clarify about forwarding? Input, Output (and Forward) are directions the traffic can move based on a zone, which is a collection of one, or many, interfaces. Input, into the zone; Output, out of the zone; and Forward, between interfaces within the zone. The outside box is the Zone, as you can see at the top of the outside box. The boxes labeled LAN1 and LAN2 are interfaces, not zones. LAN is the zone that you see in OpenWrt, created by default (which also is the name of the "lan" interface). I labeled my interfaces LAN1 and LAN2 to distinguish between zone and interfaces, but could have changed their names to be more specific and improve clarity. It's pretty clear in OpenWrt as the zones and interfaces are given labels of "zone" and "interface", but it can be easily misconstrued. Learning often comes with frustration and plenty of misunderstanding. Repetition, trial and error are the best teachers, but those experiences will certainly come with frustration. In time, through repeated experiments, the concepts will make more sense, and you'll be able to build upon that foundational knowledge.
The perspective of this video is from someone getting started on firewall rules. With that, I'd expect some fundamentals of networking to be understood, at least routing, ports and associated protocols. This information builds on top of that, with rules and zones. Without those fundamentals, it wouldn't make sense to get into firewall rules. If you had any questions, I'd be more than happy to offer my help and explanation(s).
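The zone semantics argued over in the exchange above (and in the earlier ping question about a rule whose destination is "Device"), as a small model you can run: interfaces are members of zones; Input and Output are seen from the router's own point of view (traffic to the router itself, traffic the router itself originates); Forward is between interfaces, either inside one zone or across zones via a forwarding section; and a rule whose destination is "Device (input)" only touches traffic aimed at the router, so a ping through the router to the internet is not affected. This is an added example in Python, not OpenWrt's fw3/fw4 code. The interface names lan1, lan2 and wan, the zone policies (which mirror the stock defaults), the single lan-to-wan forwarding, the Allow-DHCP-Renew rule and the drop-pings-to-router rule are assumptions for illustration; the resolution order (explicit rules, then zone policy, then forwarding sections, then the global default) is simplified, and connection tracking, masquerading and rule-ordering subtleties are left out.

```python
"""Toy model of OpenWrt firewall zone semantics (added illustration, not fw3/fw4 code).

Assumptions, for illustration only: interfaces lan1 and lan2 sit in zone
"lan", interface wan sits in zone "wan"; zone policies and the single
forwarding section mirror OpenWrt's stock defaults; one user rule drops
ICMP aimed at the router from lan.  Connection tracking, masquerading and
the finer points of rule precedence are deliberately left out.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    interfaces: frozenset          # a zone is a collection of interfaces
    input: str                     # policy for traffic aimed at the router itself
    output: str                    # policy for traffic the router itself originates
    forward: str                   # policy for traffic between interfaces of this zone


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]             # source zone; None = "Device (output)"
    dest: Optional[str]            # destination zone; None = "Device (input)"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    target: str                    # ACCEPT, REJECT or DROP
    dest_port: Optional[int] = None


class ZoneFirewall:
    """Resolves a flow to a verdict: explicit rules first, then the zone
    policy, then forwarding sections, then the global forward default."""

    def __init__(self, zones, forwardings, rules, default_forward="REJECT"):
        self.zones = {z.name: z for z in zones}
        self.forwardings = set(forwardings)      # (src_zone, dest_zone) pairs
        self.rules = list(rules)
        self.default_forward = default_forward   # the "defaults" section's forward

    def zone_of(self, ifname: str) -> Zone:
        for zone in self.zones.values():
            if ifname in zone.interfaces:
                return zone
        raise KeyError(f"interface {ifname!r} is not a member of any zone")

    def _first_matching_rule(self, src, dest, proto, dport) -> Optional[Rule]:
        for rule in self.rules:
            if (rule.src, rule.dest) != (src, dest):
                continue
            if rule.proto not in ("any", proto):
                continue
            if rule.dest_port is not None and rule.dest_port != dport:
                continue
            return rule
        return None

    def verdict(self, in_if: Optional[str], out_if: Optional[str],
                proto: str, dport: Optional[int] = None) -> Tuple[str, str]:
        """in_if=None: the router originated the flow (OUTPUT);
        out_if=None: the flow is addressed to the router (INPUT);
        both set: the router would route it between them (FORWARD)."""
        if in_if is None and out_if is None:
            raise ValueError("a flow needs at least one interface")
        src = self.zone_of(in_if).name if in_if else None
        dest = self.zone_of(out_if).name if out_if else None

        rule = self._first_matching_rule(src, dest, proto, dport)
        if rule is not None:
            return rule.target, f"rule {rule.name}"
        if dest is None:                       # INPUT chain of the source zone
            return self.zones[src].input, f"zone {src} input policy"
        if src is None:                        # OUTPUT chain of the destination zone
            return self.zones[dest].output, f"zone {dest} output policy"
        if src == dest:                        # FORWARD between interfaces of one zone
            return self.zones[src].forward, f"zone {src} forward policy"
        if (src, dest) in self.forwardings:    # FORWARD across zones, explicitly allowed
            return "ACCEPT", f"forwarding {src} -> {dest}"
        return self.default_forward, "global forward default"


def example_firewall() -> ZoneFirewall:
    """Stock-like layout plus the 'drop pings to the router' rule from the thread."""
    lan = Zone("lan", frozenset({"lan1", "lan2"}), "ACCEPT", "ACCEPT", "ACCEPT")
    wan = Zone("wan", frozenset({"wan"}), "REJECT", "ACCEPT", "REJECT")
    rules = [
        Rule("Allow-DHCP-Renew", src="wan", dest=None, proto="udp",
             target="ACCEPT", dest_port=68),
        Rule("Drop-Ping-To-Router", src="lan", dest=None, proto="icmp",
             target="DROP"),
    ]
    return ZoneFirewall([lan, wan], forwardings=[("lan", "wan")], rules=rules)


if __name__ == "__main__":
    fw = example_firewall()
    for flow in [("lan1", None, "icmp", None), ("lan1", "wan", "icmp", None),
                 ("lan1", "lan2", "icmp", None), ("wan", "lan1", "tcp", 80),
                 ("wan", None, "udp", 68), (None, "wan", "udp", 53)]:
        print(flow, "->", fw.verdict(*flow))
```

The two ICMP flows from lan1 are the point: one is addressed to the router (out_if None) and hits the drop rule, the other is routed to wan and is accepted by the lan-to-wan forwarding without the rule ever being consulted. Swap the rule's dest from None to "wan" and the behaviour flips, which is exactly the difference between "Device (input)" and a zone as the destination.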
Want to see a best practices firewall rules video?
OpenWRT is a godsend. Besides letting us use inexpensive devices to build our home infrastructure, it's a great way to learn about networking
I’d have to agree! Especially for anyone running off the shelf hardware. It really makes the most use of them, instead of being restricted. Now I get why, for the sake of simplicity and ease for the standard user, but that’s not everyone, and for people interested in learning more about networking, OpenWrt is a great start. Especially these days with everything being a networked service.
Good luck on your journey! There’s plenty to learn and it never ends.
Absolutely. I got most of my knowledge about networking tinkering with OpenWrt. I have been using it on many routers for various different purposes. I used it as an LTE router with a Huawei USB stick, and it was an ISP provided router that was extremely unstable and buggy, had a weird choice of hardware, and was not officially supported, but some enthusiasts made and supported OpenWrt builds for it, turning quite useless hardware into a fully capable computer. I used it on at least 5 different Xiaomi routers, I built an 802.11r/k/v seamless roaming area on them, I ran VPN clients and servers on them, I built an L2 network between my and my family members' home networks, I have policy based proxying to automatically bypass government censorship, I have network wide adblock, I have built a file share server on an external drive, an SMS gateway, an asterisk node, and right now I have a special small and power-efficient x86 build that is used to power the home network with a lot of VLANs and provide reverse-proxy access to some of my homelab stuff.
OpenWrt is simply one of the most significant open-source things that I use in my life. Infinitely grateful to the developers
One of the best explanations that I could find at the moment regarding the OpenWrt firewall. Especially differentiating the forward chain and forwarding to and from firewall zones. Thanks again for your time and effort.
Thanks for watching @goppinaththurairajah760, and you're welcome! I really appreciate the compliment.
I did my best to explain every relevant part of firewall rules in OpenWrt / Linux systems, with regards to iptables and nftables, that wouldn't be too advanced.
Initially, I would get tripped up on the different forwardings, interzone forwarding and zone to zone forwarding. Once you find the right settings and draw it out visually, it makes it much easier to understand. I'm not exactly sure how this looks in iptables / nftables, but you could just dump out the output of those configs (in this case, would be nftables) and you can see how it looks, if you're curious.
Boris - excellent, and solid content delivery skills. Well done.
Thanks for watching @Baku-oc5fc!
I appreciate the compliments, as I truly try my best in these areas so that my videos are not only easy to understand, and easy to follow, but also well received. It's good to know that my viewers think I'm doing well on these areas I focus on.
Nicely done! I use OpenWRT on a Linksys EA8300 in our camper! Yes! high-tech our way through many State and Federal Campgrounds!! Phone, Cameras, Android TV and Laptops... USB tethering a Cellphone to router... had me hack my way through the firewall rules ... I see now I need to go back and make sure I didn't just ALLOW EVERYTHING 🙂 THANKS!!!!
Thanks for watching @mikedavis1426!
I like your setup! I've been hearing how popular OpenWrt setups are for campers, including Rooter, which is based on OpenWrt, but is optimized for cellular modem usage, which makes sense to give the whole camper internet access.
It sounds like your EA8300 handles usb tethering well, thats something I want to try out one day on OpenWrt. By default, OpenWrt will allow all traffic out, just like consumer grade routers. Difference is, you can fine tune that in OpenWrt. Now for something like a camper, its probably not as bad to have some of those rules, unless that network is always live and running.
If you definitely want to lock it down, I'd suggest doing some research on the most common ports used (80, 443, 22, 21, 22, 123, etc.), and set up allow rules for those. The difficulty will come in when you have non-standard port usage for legitimate traffic; you'll have to monitor OpenWrt logs to see what's being dropped, review that traffic, and add rules for it accordingly. For example, some video conferencing may use non-standard ports. You don't really know what they are until you use them and see what your firewall shows. That's how I had to figure it out 🙂. Best of luck!
I'm a big fan of you DevOdyssey. LOVE your video! I guess I watch every new video you put out. That said though, your delivery reminds me of a Skyrim NPC :) especially your gestures!
Thanks for the compliment and thanks for watching shahabsamkan4027! It means a lot to hear that.
I have never played Skyrim, though I have heard plenty of it. I didn't know their NPCs are emotive with their hands a lot, but hey I'll take that as a compliment! 😊
Now I have to play Skyrim to see this for myself 😂
😄 It's an awesome game! I'm sure you'll enjoy it @@DevOdyssey
One day, when I get more free time! @@shahabsamkan4027
Excellent video, you covered fw zones very well, thank you buddy!
Thank you @raphaelandrade4138 and you’re welcome! I appreciate the compliment 😊
Something with snort3 and/or suricata might be helpful.
Would squid help with layer3 issues? What else have you used for DPI?
Snort3 or suricata can definitely be helpful, though those are more IPS/IDS solutions, that are on top of DPI in general. IDS and IPS solutions can be resource intensive too, so OpenWrt on your standard routers won’t be able to handle too many rules in either platform. They’d be better on an x86 mini pc if you still wanted to use OpenWrt.
To that point, it doesn’t seem like suricata has been fully ported to OpenWrt, only Snort has been. There are other DPI systems like Netify that work on OpenWrt, but I have not tried it, and it seems to be a paid solution as well. They don’t seem to exactly be an IDP or IDS but simply doing packet inspection for network analytics.
For DPI and related services like IDP or IDS, I’d recommend using a platform with more power, and using BSD based solutions like OPNsense or pfSense, using Intel based hardware, and something with more than 1 GB of RAM. I haven’t gotten around to doing DPI or IDP/IDS personally, other than enterprise grade solutions such as Palo, so I don’t have much experience to share here. Though I’ve heard good things about ZenArmor that I’m hoping to try in the near future that offers tons of functionality more than IDP and IDS, more in the realm of “Next Generation Firewalls”. If you do happen to use Snort on OpenWrt, I’d be curious to hear about your experience. You might get to it before I do.
Excellent overview of the Firewall and the zones on OpenWRT, explained in very simple/accessible terms. Thank you.
I was looking for this info on the OpenWRT site, but was unable to find (perhaps, my mistake).
Thanks for watching @moetocafe!
I appreciate it and the compliment. It took me some time, and testing, to wrap my head around zones but once I did, it was easy enough to remember. I figured a good visual could really help to show how they work.
You can find a very quick and basic explanation below, but you can find more on OpenWrt's forum I'm sure, though I have no specific examples from the forum to refer to.
openwrt.org/docs/guide-user/firewall/fw3_network
Visuals always help, in my opinion.
@@DevOdyssey I was reading the Quick start guide, but couldn't understand the basic concepts of how OpenWRT is constructed logically, so your video helped me comprehend.
My first attempt at OpenWRT was unsuccessful, but now I'm almost confident I'll manage. My ISP limits the Internet by MAC address, and until I figure out how to set up the network settings in OpenWRT I already messed it up and rendered it inoperable :)) I hope to have time soon and finally do it the right way.
My initial mistake was to put MAC address on the WAN, which now I understand was wrong, as it is a zone, not a device.
The ethernet device (it was something like esp3...) must be set with the MAC.
Glad to hear how my video helped! @@moetocafe
The reset button on routers sure makes it convenient to start from scratch when we lock ourselves out! Trial and error will certainly help you truly learn OpenWrt. It's the way I have learned, with plenty of self lock outs to show for it.
Given that your ISP limits internet by MAC address, I would assume that it's referring to the MAC on your WAN port (or if anything your modem's MAC). So I'm not sure why it wouldn't work there. But nonetheless, by default there is a WAN zone as well, not just a WAN interface, neither of which are a device, hope I'm not losing you here 🙂
You are correct, that the ethernet device itself is where you would modify any MAC settings, as need be. Would be happy to hear how this works out for you!
I would like to see a set of basic firewall rules set up on OpenWRT with a default deny rule set on the LAN. I would like to see rules for DNS/mDNS, dhcp-client including refresh, http/https-client, passive ftp client, ssh-client, pgp-clients, multimedia (like UA-cam) clients, and video conferencing clients (like ZOOM).
An episode where you review assorted network tools would also be useful. I would like to be able to inspect the details of packets that get dropped for example, to figure out how to write my own rules and to check my configuration.
Thanks for explaining the basics of linux firewalls. Some things definitely make more sense now.
Thanks for watching @JBlask! Appreciate you sharing your ideas. A general firewall rule video on good rules to implement is one I've been wanting to make for some time, but haven't gotten around to it. Those additional rules you're referring to, I haven't really ever made rules for all those, as some are automatic, like the dhcp rules. HTTP(s), FTP and SSH are straightforward, pgp clients I'm not sure on, and doing rules for applications like UA-cam or Zoom requires a different type of firewall, one that can create Layer 7 or application rules. You won't be able to create those with OpenWrt.
I have wanted to do a network tools video too, like ping, iperf3, tcpdump, but haven't fully fleshed that idea out. Deep packet inspection is something I still need to improve on, so one day I could go more in depth there.
Nonetheless, I'm happy to hear this video as it stands was able to teach the basics, just as I had intended.
Great job! Very educational
Thanks for watching! I appreciate your kindness, and knowing that you learned something from it.
HE IS BACK!!!
I was actually on your channel two days ago wondering where you went and here you are!
I always love watching you and always learn something. I actually use you as my main youtube source when trying to learn openwrt and networking!
Last time we interacted I was playing around setting up my own wrt on a bananapi, that has gone on ice since then, but maybe its time to pick it up again.
You set the destination zone to device. Does that mean every ping attempt going through the router (to both lan and wan) will be stopped or ONLY the pings to 192 168 1 1? (youtube did not like me using dots there)
I just want to tell you how happy I am to see you again!
Watching you is like watching a video presentation in school (yes, I'm that old, we used vhs when I went to school) BUT NOT BORING!
I don't know what you work with besides this, but I REALLY hope someone besides us here on youtube gets to experience your teaching. :D
Thanks Marcus!
That all really means a lot to hear, thank you so much for sticking around and being a fan. I'm happy to have caught you at the right moment! I've had a bit of life changes that caused the hiatus, notably becoming a father, so I've been figuring out how to allocate my time to get more videos out.
It always makes me happy to hear how much my fans learn from watching my videos. It feels great to be an official source of networking and OpenWrt knowledge for you 😊
I would be happy to hear you pick that up and get it working with OpenWrt! I've been wanting to get more hardware to try out OpenWrt installs on to see what I can get working, but I've been a bit cost conscious, and not spending some money on hardware. Banana Pi has lured me with its networking options, so definitely get back to it, and reach out if you have any questions!
As for destination zone to device in this example, it will only be dropped when going to the router interface itself, that being 192 168 1 1. If you ping an external IP address, that'll be passed through the router with no drops or rejects. Yea, I try to not use dots in my IP addresses either, I learned UA-cam did not like that a while ago, so I always format it haha.
I'm flattered to hear that, and I'm glad to be back as well. A comment like this is a nice one to come back to with a new video. I can relate, I used to watch VHS in school as well, so I hear you, just not boring of course haha.
You're too kind, thanks for all the compliments. I have a day job in Information Security doing (Web) Application Security and Security Assessments, so this knowledge I've gained over the years has been extremely useful for me at work. I do have some colleagues I share my knowledge with, and some interns on the team, but I'll have to say, it's me who's been doing tons of learning over the years as I got my start in Information Security roughly 3 years ago. What I know now, and have made videos on, is a result of how much I've learned to be well prepared for a role in Information Security.
Anyway, thanks again for the kindness, and I look forward to hearing about your Banana Pi project!
@@DevOdyssey CONGRATS TO THE ADDITION TO YOUR FAMILY!!
Thank you Marcus! She’s been the center of my world since she was born. She’s growing and learning quickly, and I’ve learned from her too, notably how to be a father; something she’ll continue to teach me throughout my life. As a voracious learner, I couldn’t be happier to be on this journey with a new life to raise in this world.
Can you do a video, tailscale on openwrt?
Thanks for watching @solomonkamariki6342!
I haven't yet gotten into tailscale, but it's something I've been wanting to get into. With my appreciation for WireGuard, I was happy to see how tailscale expanded on WireGuard by adding authentication, and a plethora of other features, making it something entirely of a robust peer to peer tunnel meshing platform.
Anyway, when I do get around to using tailscale, you can be sure I'll make a video on it!
I found openwrt firewall zone section confusing, thank you very much for explaining
Thanks for the compliment @Alex-un5tl! Glad I could clear it up for you. Took me some time to wrap my head around it as well, but once I finally understood it, it made writing firewall rules much easier.
Thanks 🎉
You’re welcome Alex! Thanks for watching 😊
Thank you for the video, I have a question regarding the wireguard vpn as I tried all the steps you mentioned in the last video but it didn't work. I think the new openwrt firmware is a little different, can you help with this?
Thanks for watching Abubakr!
So this comment seems better suited for that Wireguard video you are referring to, so in future questions, it would be better to ask there, so others can see our discussion and maybe learn from it.
Which Wireguard VPN video are you referring to? the router one or the Site to Site VPN one? The protocol hasn't gone through any major changes, so that configuration should work, and you might be running into another issue or a configuration issue. There could be some OpenWrt UI changes, but from what I see, those changes shouldn't be major to be different from this video. If I have a better understanding of what video you are referring to and telling me the steps you took to achieve that configuration, I might be able to help you and see where your problem may lie.
So by firewall zones, it is possible to make like 2 or more physical routers and each of them has a different local IP gateway in the Openwrt system? (I don't know how to say it technically but you get the idea, right?)
and if so, can you guide me what are the steps? Thanks 😊
Thanks for watching @j0efil! Not sure I completely understand, but I'll try.
You can create different networks, or subnets, in OpenWrt, and each of those will have a different router IP, (say 192.168.1[.]1 and 192.168.2[.]1).
They both would physically lie on the same system (the OpenWrt router).
You can achieve this in multiple ways. If your router has more than one ethernet interface, you can simply create a new network on it. If not, you can create VLANs that can achieve the same thing, with a bit more flexibility. You can watch my video on creating VLANs below (for newer OpenWrt systems). The second video you can watch for more educational information regarding what VLANs are.
VLANs in OpenWrt 21.02+
ua-cam.com/video/d3aYMqt-b_c/v-deo.html
How VLANs work (and how to set them up in OpenWrt 19.x)
ua-cam.com/video/5TtlAXeaGUM/v-deo.html
@@DevOdyssey thanks! Big help! Also do you have a guide how to setup port priority using mwan3?
@@j0efil You're welcome! I unfortunately don't have a guide on it at this time, but I suggest following through with their guides.
openwrt.org/docs/guide-user/network/wan/multiwan/mwan3
But if I understand what you are getting at, it should be as easy as changing the metric on the port, that really defines its routing priority. The higher the metric, the increased priority it has, it's really as simple as that.
Hello sir i need help, i want to prioritize packets from the wan interface to my pc local ip address using dscp classification EF, is that possible? If yes how to do it, please answer me i really need to know how💔
@@captainspaulding7612 thanks for watching! In full transparency, I have no experience implementing DSCP tagging in firewall rules. However, I can share with you what I know conceptually and my research on how to implement it.
Essentially, you want to create a firewall rule against traffic you want to apply the tag on. For example, you want to prioritize video streaming traffic. Create the firewall rule, with the source being your local IP, the destination being the video streaming website, the protocol for video streaming, typically https (tcp, 443), but could be other ports and protocols too. Then in the advanced settings, scroll down to extra arguments, and add the following:
-j DSCP --set-dscp 34
34 correlates to AF41 priority, which is most commonly used for video traffic, for EF you’d use 46.
Then set your action to accept, then save and apply, and you’re done. Just repeat for any other video streaming services. You can do some additional checks to verify the rules in action, using terminal commands, but otherwise, the above should get your desired result. Feel free to do a bit more research and you should be able to find what you’re looking for regarding verification.
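Added example, not the author's or OpenWrt's code: Python helpers that convert DSCP names (AF41, EF, CSx) to the numeric code points discussed above and back, and render the marking rule as a UCI section. The rendered section uses the native target DSCP / set_dscp rule options documented for fw3 rather than the iptables extra argument, because fw4 (22.03 and later) does not pass iptables extra arguments; check the option names against your release's firewall documentation.

```python
"""Constructed example (not the video author's or OpenWrt's code): translate
DSCP class names such as AF41 or EF to the numeric code point a firewall rule
needs, and back, and render the rule as a UCI 'config rule' section."""

# Fixed code points from RFC 2474 / RFC 3246; AFxy is computed as 8*x + 2*y.
_FIXED = {"BE": 0, "CS0": 0, "EF": 46}


def dscp_value(name):
    """'AF41' -> 34, 'EF' -> 46, 'CS5' -> 40. Raises ValueError on unknown names."""
    name = name.upper()
    if name in _FIXED:
        return _FIXED[name]
    if name.startswith("CS") and name[2:].isdigit() and 0 <= int(name[2:]) <= 7:
        return 8 * int(name[2:])  # class selectors reuse the old IP precedence bits
    if name.startswith("AF") and len(name) == 4 and name[2:].isdigit():
        cls, drop = int(name[2]), int(name[3])
        if 1 <= cls <= 4 and 1 <= drop <= 3:
            # AF41 = 0b100010: class 4 in the top three bits, drop precedence 1 next
            return 8 * cls + 2 * drop
    raise ValueError(f"unknown DSCP name: {name}")


def dscp_name(value):
    """34 -> 'AF41', 46 -> 'EF', 40 -> 'CS5'; other code points come back as 'DSCP<n>'."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if value == 46:
        return "EF"
    cls, drop, low = value >> 3, (value >> 1) & 3, value & 1
    if low == 0 and drop == 0:
        return f"CS{cls}"
    if low == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return f"DSCP{value}"


def render_dscp_rule(name, src, dest, dest_port, dscp, proto="tcp", src_ip=None):
    """UCI text for a rule that marks matching traffic with a DSCP value.

    Assumption to verify against your release: fw3 documents 'target DSCP'
    together with 'set_dscp'; this is the native form of the iptables extra
    argument '-j DSCP --set-dscp N' used in the thread above.
    """
    code = dscp if isinstance(dscp, int) else dscp_value(dscp)
    lines = [
        "config rule",
        f"\toption name '{name}'",
        f"\toption src '{src}'",
        f"\toption dest '{dest}'",
        f"\toption proto '{proto}'",
        f"\toption dest_port '{dest_port}'",
        "\toption target 'DSCP'",
        f"\toption set_dscp '{code}'",
    ]
    if src_ip:  # the thread's "source being your local IP"
        lines.insert(3, f"\toption src_ip '{src_ip}'")
    return "\n".join(lines) + "\n"
```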
@@DevOdyssey thank you for replying sir much love i will do more research about it cause it's a little confusing
@@captainspaulding7612 You're welcome. Take some time to work it out, and eventually it should make sense. I need to do the same, and would like to try this out and see how it affects my video streaming quality.
After adding rule examples you mention I got locked out of LuCI. How can I reset or delete the rules in ssh?
Thanks for watching!
These rules were just used as an example / demonstration, and you should proceed with caution when implementing these rules, as you can definitely lock yourself out of LuCI, especially if you rely on HTTP to access LuCI (and not HTTPS).
To change the firewall rules via the terminal / ssh, you can refer to the following documentation.
openwrt.org/docs/guide-user/firewall/firewall_configuration
Basically the rules are stored in a file, so you can delete the rule, or use uci commands to delete the rule. The link above goes into good detail on how to do that.
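Added example, not from the video or from OpenWrt: a small Python audit of /etc/config/firewall that flags the kind of rule that locks you out of LuCI (a DROP or REJECT rule whose destination is the router itself, "Device (input)" in LuCI, covering TCP 80/443 from the management zone) and builds the uci delete commands to undo it over SSH. It assumes the management zone is 'lan' and LuCI is on uhttpd's default ports; the config text is constructed.

```python
"""Constructed example (not OpenWrt's own code): parse a UCI firewall config,
flag DROP/REJECT input rules that cover LuCI's HTTP/HTTPS ports, and emit
the uci commands you would run over SSH to remove them."""
import re

# Constructed sample: the stock lan zone, one harmless rule, one lockout rule.
SAMPLE_CONFIG = """config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
config rule
    option name 'Drop-Web-From-LAN'
    option src 'lan'
    option proto 'tcp'
    option dest_port '80 443'
    option target 'DROP'
"""

# config <type> ['name'] | option <key> <value> | list <key> <value>; quotes optional
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")

def parse_uci(text):
    """Return sections as {'type', 'name', 'opts'}; repeated 'list' keys become lists."""
    sections = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised UCI line: {line!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append({"type": key, "name": value, "opts": {}})
        elif kind == "option":
            sections[-1]["opts"][key] = value
        else:
            sections[-1]["opts"].setdefault(key, []).append(value)
    return sections

def port_covered(spec, port):
    """True if a dest_port spec ('80 443', '8000-8100', or None meaning all) covers port."""
    if spec is None:
        return True
    for token in spec.split():
        lo, _, hi = token.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def luci_lockout_rules(sections, mgmt_zone="lan"):
    """Return (uci_index, name) of rules that drop or reject LuCI traffic from mgmt_zone."""
    risky, index = [], -1
    for sec in sections:
        if sec["type"] != "rule":
            continue
        index += 1  # uci addresses anonymous sections per type: firewall.@rule[N]
        o = sec["opts"]
        # No 'dest' means the rule's destination is the router itself (an input rule).
        if "dest" in o or o.get("target", "DROP").upper() not in ("DROP", "REJECT"):
            continue
        if o.get("src") not in ("*", mgmt_zone):
            continue
        protos = o.get("proto", "tcp udp")  # LuCI may write 'list proto' entries
        protos = protos if isinstance(protos, list) else protos.split()
        if not {"tcp", "tcpudp", "all", "any"} & {p.lower() for p in protos}:
            continue
        if any(port_covered(o.get("dest_port"), p) for p in (80, 443)):  # uhttpd defaults
            risky.append((index, o.get("name", f"@rule[{index}]")))
    return risky

def uci_delete_commands(risky):
    """Commands to remove flagged rules; highest index first so remaining indices stay valid."""
    cmds = [f"uci delete firewall.@rule[{i}]" for i, _ in sorted(risky, reverse=True)]
    return cmds + ["uci commit firewall", "/etc/init.d/firewall restart"]
```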
@@DevOdyssey I was able to figure it out and learned a lot! Thank you for all the videos
@@ArminC-g3y Awesome, glad you figured it out and learned plenty along the way. Happy to make these videos and hear from my viewers what they get out of them.
All the best on your learning journey!
Sorry, you haven't mentioned that crucial information at the very beginning of your video; it will save a lot of unnecessary wasted time.
Please reconsider your way of introduction in your video @@DevOdyssey
@@scorpion47aka thanks for watching! I appreciate the feedback. Always take good consideration when making firewall rules, especially since most routers don’t have serial access that you can use as an out of band access, as otherwise you’d need to reset the router if you get locked out completely. I’ll keep this in mind in my other videos, as in general I do try to highlight important consequences of any actions done on a system / router.
Is it possible to learn a little about openwrt x86(on a vmware or virtualbox, proxmox workstation)?
How to install, build?
1. Can I find out by configuring open server on openwrt and client?
2. ipsec, ike server client?
3. Please tell me, is it better to use ipsec/ike natively from an android phone version 12-13?
4. How would you organize a network between two objects if both are for nat?
Thanks for watching Antonio! I’d certainly like to get to more of those topics. With OpenWrt on x86, it should act no different than on any system. However, being virtual, that’s a whole new topic of its own, virtual networking, and depends on your hypervisor on how you would go about that. I’ve done this with OPNsense and VMWare, just not yet with OpenWrt. Regardless, the concepts look the same and I look forward to making a video on it one day.
Building shouldn’t be much different. You’d still create a build. The difference is, with virtualization, you’d need to create a virtual machine file that is based off your OpenWrt custom build. This file will vary by hypervisor but the concepts remain the same across platforms. This also covers your install question.
I’m not sure what you mean by configuring open server, but there are plenty of articles, I’m sure, that explain this that you can reference in the meantime.
As for what VPN tech you want to use, I’ve not used IPsec with IKE so I can’t go into detail there.
Better than what other option? Other VPN software? As I haven’t used it before or set it up, I can’t really comment on it, but it’s an enterprise based solution (IPSec / IKE) so you can’t go wrong, though this may be more difficult to achieve than just using Wireguard or OpenVPN.
I’m not sure what you mean by organizing a network, as at least for your internal network, that depends on your use case. For connecting two different networks over the internet that are both behind NAT, the easiest route is to use a cloud server that acts as an intermediary between the two to broker the connection. Otherwise you can try something like UDP hole punching, but that would require using a STUN server, or a cloud server to gather the port information needed for UDP hole punching. I haven’t done this with IPSec / IKE, so I don’t have anything to say here, but I have done so with Wireguard and it’s not too difficult, but it’s a pretty manual process if you’re using pure Wireguard. This was mostly to prove out the concept. I’d recommend using tailscale here as it’s built on Wireguard and offers many additional great features on top of it, and overcomes the issue of traversing NAT, especially when both networks are NATted to the internet. That’s another solution I look forward to trying out myself; I’ve only heard great things about it.
Hello and sorry, for I am about to ask a dumb question 😢 what happens if I delete all the default firewall rules on openwrt?
Thanks for watching @redblue4962!
Don't apologize, it's not a dumb question at all, it's an interesting one. So from reading the defaults and your question, your internet should still work, if you've already connected to it. If not, then it might fail to work for IPv6 traffic, and it might not get a new IP address. Honestly, I'm still not well versed in IGMP and ISAKMP, so I'm not sure of what the implications are there.
It doesn't seem like there is a default "allow outbound" rule, as it seems to implicitly allow outbound traffic unless you block it, so I don't think you'd block yourself from reaching the internet. So I definitely wouldn't do it without knowing what each rule exactly does, but it doesn't seem to be catastrophic.
Oh and you won't be able to ping your router from the internet, which isn't exactly a bad thing, and from a security sense, can be beneficial.
Hi dev ... can u please make a video explaining how to get sni host for any country to get access to the internet via hc or npv
Thanks for watching @x-factor9689!
I’m not sure I entirely understand what you’re asking for. In terms of SNI, that’s just the hostname of the client initiating the connection in the TLS protocol, regardless of originating country of the server. Countries don’t have SNI, TLS does for hosts.
I tried looking up what HC or NPV mean but I couldn’t find it.
To me, it sounds like you are trying to bypass country restriction for internet browsing, which you can do with just a VPN. If you have more context you can provide, I may be able to provide a better answer.
Please help, I'm getting a "Legacy Rules Detected" warning on 22.03.
Thanks for watching @ThatTransistorGuy!
I haven’t personally encountered this, but it seems to relate to iptables rules being present when nftables is now the default firewall rule engine. This can be caused by other apps you may have installed that utilized iptables rules, such as vpn-policy-routing. I’d look into that first. Here is a reference in the OpenWrt forum that led me to this.
forum.openwrt.org/t/legacy-rules-detected-on-22-03-0/136955
@@DevOdyssey thanks!
@@ThatTransistorGuy You're welcome!
the new openwrt 22 has taken away the ability to create custom rules to control TTL settings with iptables. A lot of us use these with LTE modems. The new method requires using nftables for setting ttl values. This method involves firewall rules from what I can comprehend. We're all waiting for someone to create a thorough video showing how to do this. Can you give it a try? You'd get a million views, I can tell you that!! So far no content creator has taken on this challenge.
Thanks for watching Molly!
I do know that OpenWrt has moved to nftables versus iptables, so it might be possible in nftables. I have heard of the importance of using different TTLs with LTE modems, as it's seemingly an indicator for what OS you are using, and therefore can bypass rate limiting or bandwidth throttling with different TTLs. It looks like you can create a firewall rule for changing TTLs, and this is something I'll look into more in depth in the future, as I do have my own LTE modem that I'll be messing around with in the future to get MBIM working, as opposed to QMI.
Take a look here to see if this helps. Should work for OpenWrt 22.03 as per the title in the post.
forum.openwrt.org/t/working-nftables-rule-for-ttl-in-22-03/144838
I'd definitely recommend doing research there when you need guidance.
This is appallingly ambiguous. You are completely silent on the fact that the router has "accept" when you seem to say "allow". You say one thing about forwarding and then label it ambiguously and later say the other thing. BE CLEAR. Input and Output are input and output from outside WHAT? Do you mean outside on the Internet or just outside the zone? Anyway which boxes are Zones, just LAN or are LAN1 and LAN2 zones as well/instead? If LAN1 and LAN2 aren't zones what are they? I give up. I'm trying to learn this stuff and this is just useless.
Thanks for watching, it's unfortunate there were some things you didn't understand. Maybe I can clarify them for you.
I said allow, likely because I'm used to that terminology from BSD networking, where I've spent more time writing firewall rules than within OpenWrt. Nonetheless, I would imagine most would understand that those words are practically synonymous, but to be clear, I meant Accept, not Allow.
What is that I can clarify about forwarding?
Input, Output (and Forward), are directions the traffic can move based on a zone, which is a collection of one, or many, interfaces. Input, into the zone, Output, out the zone, and Forward, interfaces within the zone.
The outside box is the Zone, as you can see at the top of the outside box. The boxes labeled LAN1 and LAN2 are interfaces, not zones. LAN is the zone that you see in OpenWrt, created by default (which also is the name of the "lan" interface). I labeled my interfaces LAN1 and LAN2 to distinguish between zone and interfaces, but could have changed their names to be more specific and improve clarity. It's pretty clear in OpenWrt as the zones and interfaces are given labels of "zone" and "interface", but it can be easily misconstrued.
Learning often comes with frustration and plenty of misunderstanding. Repetition, trial and error are the best teachers, but those experiences will certainly come with frustration. In time, through repeated experiments, the concepts will make more sense, and you'll be able to build upon that foundational knowledge.
Very bad explanation did not learn anything at all. You assume people know what port 80 means for example
The perspective of this video is from someone getting started on firewall rules. With that, I'd expect some fundamentals of networking to be understood, at least routing, ports and associated protocols. This information builds on top of that, with rules and zones. Without those fundamentals, it wouldn't make sense to get into firewall rules.
If you had any questions, I'd be more than happy to offer my help and explanation(s).