Installing OpenWRT on a Raspberry Pi as a New Home Firewall
OpenWRT is an active and vibrant home firewall project that was born on the Linksys WRT54G line of home routers. It has grown and expanded to support an amazing array of old and new hardware alike. The list of compatible hardware is large enough to require its own index.
With the recent interest in the Raspberry Pi there is of course is an OpenWRT build for it as well. In this tutorial I will show you how to install OpenWRT on a Raspberry Pi, add a second network interface, and replace your home firewall with your new OpenWRT firewall.
OpenWRT
Of course, a Raspberry Pi could be used as a firewall with the default Raspbian distribution with the right configuration, packages, and tweaks. The key value of OpenWRT, however, is that it provides an easy to use and manage firewall solution for those who are not linux power users. Most common operations can be done through the friendly web interface.
Please note that the OpenWRT image for the Raspberry Pi is very new and still under development. This tutorial uses a modified version of the default image to fix boot issues and SD Card stability. Refer to this article about the modifications for an in-depth explanation. I’ll be using the pre-built, modified image so no custom compiling or advanced knowledge is required.
Gather the Components
- Raspberry Pi Model B. Check out the Raspberry Pi Buyer’s Guide for buying options
- Power adapter
- SD Card
- PI Case
- INTELLINET Hi-Speed USB 2.0
- Ethernet cable connected to home network
- Ethernet cable to connect to Internet Interface (Cable Modem/DSL Modem/etc)
- HDMI monitor – setup only
- USB Keyboard – setup only
- Computer for SD Card image creation and configuration – setup only
Tip: When purchasing components for use with your RasPi elinux.org has a list ofverified peripherals.
The instructions below assume that you have access to an existing private network to download and setup the firewall. In my case, I built my OpenWRT RasPi firewall behind my old firewall before replacing it. I’m going to use my process as the model for this tutorial. Additionally, this tutorial assumes you have a separate switch for your network that is not integrated with your home router.
This diagram shows how the networking is going to configured in the finished product. The OpenWRT will replace a standard two interface firewall. This tutorial will not cover adding WAP functionality to the firewall, although that may be a future topic.
Gather Information
You will need some basic information about your network. Write down your internal IP address space information for later use. In this example I will use the network 192.168.1.0, netmask 255.255.255.0, and broadcast 192.168.1.255 as this is a very common home setup.
Write down the IP address of your current firewall. In this example it is 192.168.1.1. Finally, find an unused IP address to use temporarily in this process. I’ll use 192.168.1.2 in my example.
Most of this information can be discovered by interrogating your existing firewall.
Assemble the Raspberry Pi
- Put the RasPi in it’s case
- Attach the monitor and USB Keyboard
- Plug in the USB Network card – don’t attach a cable
- Plug in a network cable from your home network to the RasPi’s built in network interface
- Get the power ready to plug in but do not attach it yet
Create Boot SD Card
- Download the modified OpenWRT image
- Uncompress the bz2 image (use bunzip2 for Linux or OSX and 7zip for Windows )
- Write the extracted image to the SD Card using the methods described in the tutorial How to Flash an SD Card for Raspberry Pi
- Insert the SD card into your RasPi
- Attach power
At this point your should see typical boot messages scroll on you monitor.
Boot the Pi and Change the Default Password
Once the console has stopped scrolling messages hit the enter key to open the command line prompt. You will see something like this:
Making the Attitude Adjustment drink is optional and not required for this tutorial. It may be fun however if you have the ingredients on hand. If you choose to follow the instructions, ensure to pick back up here afterwards.
- Enter the command
ifconfig eth0
and you should see something like this:
1
2
3
4
5
6
7
|
eth0 Link encap:Ethernet HWaddr B8:27:EB:5C:B3:3F inet addr:192.168.1.126 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:67533 errors:0 dropped:0 overruns:0 frame:0 TX packets:71487 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:24032301 (22.9 MiB) TX bytes:12706941 (12.1 MiB) |
Pay attention to the inet addr line, above. This is the current IP address the system received by DHCP. You will need this address to login and manage the device. In this example the IP is 192.168.1.126
.
- Open a web browser to the IP address you identified above. You will see a warning that that the password has not been set. Click the link to set it.
- Enter
root
as the username and click the login button to login first without a password - Enter a password into the Password and Confirmation fields
- Click Save & Apply
Install the Drivers for the USB Ethernet Adapter
The next step is to download and install the kernel drivers for the USB Ethernet adapter. OpenWRT has a nice web based package manager that will allow you to filter on an appropriate package and install or remove it as needed.
- Click on the System > Software tab
- Click the Update lists button to update the available package list
- Type mcs7830 in the Find Package field
- Click Find Package
- Click the Available Packages tab below the filter field
- Click Install next to the
kmod-usb-net-mcs7830
package
Create the WAN Interface
The new USB network interface eth1 will be the external or WAN interface for the router. I recommend this particular adapter because it is a true USB 2.0 device and is not limited to the lower speeds of a 1.0 or 1.1 USB device. These next step will define the eth1 device as the WAN interface which OpenWRT understands and will automatically apply the correct firewall policy.
- Click on the Network > Interfaces tab
- Click Add new interface
- Enter
WAN
as the interface name - Select eth1 from the list of available physical interfaces
- Select DHCP for as the Protocol
- Click the Firewall Settings tab and select Wan for the firewall zone
- Click Save & Apply
Prepare to Cut Over to the Pi
Next, configure the internal interface to be static and enable the DNS/DHCP services on the internal network to allow internal dynamic IP addressing and name services. The temporary IP address is used in these steps to allow us to change the protocol to static, enable the DHCP services, and reconnect to the OpenWRT firewall later without jumping through too many hoops or having to statically assign an IP to your computer later in the process.
- Click on the Network > Interfaces tab
- Click Edit next to the eth0 LAN interface
- Change the protocol to Static address
- Confirm that you wish to change the protocol
- Enter the unused address you collected earlier into the IPv4 Address field. In this example:
192.168.1.2
- Enter your subnet mask, most likely
255.255.255.0
in the IPv4 netmask field. - Enter the broadcast address collected earlier in the IPv4 broadcast field. For example
192.168.1.255
- Click Save & Apply – The results will not return to your browser because you just moved the Pi to a different address.
- Give the Pi a few minutes to commit the changes.
- Put the new IP address in your browser and connect to the Pi again.
- Click on the System > Reboot tab
- Click on the Perform Reboot link and confirm
- Log in when the system has rebooted
Confirm That Firewall and DHCP/DNS Services Are Set for Startup
- Click on the System > Startup tab
- Ensure that all services are enabled.
- Click on the red X next to a service if it is disabled to enable it. network, dnsmasq and firewall are of particular importance to have running.
Replace Existing Firewall
- Turn off your existing firewall
- Put the Raspberry Pi in place
- Plug the Internet/Modem facing cable into the USB interface
- Plug the LAN cable from your home network switch into the on-board interface
- Turn on the Raspberry Pi
Reconfigure the Internal Interface
This final reconfiguration of the interface will move it over to the address the old firewall was using. This will allow any existing DHCP leases or hard coded addresses in your home to continue using the Internet without interruption.
- Login to the temporary IP address 192.168.1.2
- Click on the Network>Interfaces tab
- Click Edit next to the LAN interface
- Change the IPv4 Address to be the address of your previous firewall. Example: 192.168.1.1
- Click Save & Apply – Again the task will not complete in the browser as you have changed the address of the Firewall
- Login to the OpenWRT Raspberry Pi at its new address you assigned i.e. 192.168.1.1
Perform Final Reboot and Test
On rare occasions I discovered that the system needed a reboot to align all the rules and services after moving interfaces around. This last reboot is more to verify that everything is setup right from cold boot. This means next time the power goes out you’ll still be in good shape after it comes back on.
- Click on the System > Reboot tab
- Click on the Perform Reboot link and confirm
- Wait approximately 60 seconds for the firewall to boot
- Test that your workstation has indeed getting a new DHCP address and can surf the Internet
Congratulations! You have a brand new firewall. Another Attitude Adjustment drink is optional.
Summary
In this tutorial I have installed OpenWRT onto a Raspberry Pi, added a second USB network interface, and replaced your home firewall. The simple web interface of OpenWRT provides a powerful and easy way to manage your new firewall. This default install provides basic home firewall functionality including Address Masquerading, DHCP, and DNS services.
These capabilities are just the beginning. There is a rich catalogue of software available for the openWRT that can be accessed via the System > Software tab. Packages exist to provide VPN, Web server, and many other features well beyond the capabilities of off the shelf home firewalls.