{"id":1278,"date":"2014-03-04T08:49:19","date_gmt":"2014-03-04T13:49:19","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1278"},"modified":"2015-10-30T08:19:54","modified_gmt":"2015-10-30T13:19:54","slug":"installing-openwrt-on-a-raspberry-pi-as-a-new-home-firewall","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=1278","title":{"rendered":"Installing OpenWRT on a Raspberry Pi as a New Home Firewall"},"content":{"rendered":"<div>\n<h1>Installing OpenWRT on a Raspberry Pi as a New Home Firewall<\/h1>\n<div>By\u00a0<a href=\"http:\/\/hub.tutsplus.com\/authors\/ben-miller\" rel=\"author\">Ben Miller<\/a>, <time title=\"8 Nov 2013\" datetime=\"2013-11-08T15:00:09Z\">8 Nov 2013<\/time><\/div>\n<div><\/div>\n<div><a href=\"http:\/\/computers.tutsplus.com\/articles\/installing-openwrt-on-a-raspberry-pi-as-a-new-home-firewall--mac-55984\" target=\"_blank\">http:\/\/computers.tutsplus.com\/articles\/installing-openwrt-on-a-raspberry-pi-as-a-new-home-firewall&#8211;mac-55984<\/a><\/div>\n<\/div>\n<div>\n<div>\n<p><a title=\"openWRT\" href=\"http:\/\/openwrt.org\/\">OpenWRT<\/a>\u00a0is an active and vibrant home firewall project that was born on the Linksys WRT54G line of home routers. It has grown and expanded to support an amazing array of old and new hardware alike. The list of compatible hardware is large enough to require its own\u00a0<a title=\"Supported Hardware\" href=\"http:\/\/wiki.openwrt.org\/toh\/start\">index<\/a>.<!--more--><\/p>\n<p>With the recent interest in the Raspberry Pi there is, of course, an OpenWRT build for it as well. In this tutorial I will show you how to install OpenWRT on a Raspberry Pi, add a second network interface, and replace your home firewall with your new OpenWRT firewall.<\/p>\n<h2>OpenWRT<\/h2>\n<p>Of course, a Raspberry Pi could be used as a firewall with the default Raspbian distribution with the right configuration, packages, and tweaks. 
The key value of OpenWRT, however, is that it provides an easy-to-use, easy-to-manage firewall solution for those who are not Linux power users. Most common operations can be done through the friendly web interface.<\/p>\n<p>Please note that the OpenWRT image for the Raspberry Pi is very new and still under development. This tutorial uses a modified version of the default image to fix boot issues and SD Card stability. Refer to this article\u00a0<a href=\"https:\/\/sites.google.com\/site\/openwrtraspi\/\">about the modifications<\/a>\u00a0for an in-depth explanation. I\u2019ll be using the pre-built, modified image so no custom compiling or advanced knowledge is required.<\/p>\n<h2>Gather the Components<\/h2>\n<ul>\n<li>Raspberry Pi Model B. Check out the\u00a0<a title=\"Pi Buyers Guide\" href=\"http:\/\/mac.tutsplus.com\/tutorials\/electronics\/your-first-raspberry-pi-a-buyers-guide\/\">Raspberry Pi Buyer&#8217;s Guide<\/a>\u00a0for buying options<\/li>\n<li><a title=\"Compatible Adaptors\" href=\"http:\/\/elinux.org\/RPi_VerifiedPeripherals#Working_power_Adapters\">Power adapter<\/a><\/li>\n<li><a title=\"SD Card\" href=\"http:\/\/www.amazon.com\/Kingston-Digital-Secure-SD10V-8GB\/dp\/B0064Z7260\/\">SD Card<\/a><\/li>\n<li>PI Case<\/li>\n<li><a title=\"USB Network Interface\" href=\"http:\/\/www.amazon.com\/gp\/product\/B002Q10UQU\/\">INTELLINET Hi-Speed USB 2.0<\/a><\/li>\n<li>Ethernet cable connected to home network<\/li>\n<li>Ethernet cable to connect to Internet Interface (Cable Modem\/DSL Modem\/etc)<\/li>\n<li>HDMI monitor &#8211; setup only<\/li>\n<li>USB Keyboard &#8211; setup only<\/li>\n<li>Computer for SD Card image creation and configuration &#8211; setup only<\/li>\n<\/ul>\n<div>\n<p><strong>Tip:<\/strong>\u00a0When purchasing components for use with your RasPi, elinux.org has a list of <a title=\"Verified Periferals\" href=\"http:\/\/elinux.org\/RPi_VerifiedPeripherals\">verified peripherals.<\/a><\/p>\n<\/div>\n<p>The instructions below assume that you 
have access to an existing private network to download and set up the firewall. In my case, I built my OpenWRT RasPi firewall behind my old firewall before replacing it. I\u2019m going to use my process as the model for this tutorial. Additionally, this tutorial assumes you have a separate switch for your network that is not integrated with your home router.<\/p>\n<p>This diagram shows how the networking is going to be configured in the finished product. The OpenWRT will replace a standard two interface firewall. This tutorial will not cover adding WAP functionality to the firewall, although that may be a future topic.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.tutsplus.com\/mac\/uploads\/2013\/10\/openwrt-raspi-network.png\" alt=\"openwrt-raspi-network\" width=\"600\" height=\"150\" \/><figcaption>Network Diagram<\/figcaption><\/figure>\n<h2>Gather Information<\/h2>\n<p>You will need some basic information about your network. Write down your internal IP address space information for later use. In this example I will use the network 192.168.1.0, netmask 255.255.255.0, and\u00a0broadcast 192.168.1.255 as this is a very common home setup.<\/p>\n<p>Write down the IP address of your current firewall. In this example it is 192.168.1.1. Finally, find an unused IP address to use temporarily in this process. 
I\u2019ll use 192.168.1.2 in my example.<\/p>\n<p>Most of this information can be discovered by interrogating your existing firewall.<\/p>\n<h2>Assemble the Raspberry Pi<\/h2>\n<ul>\n<li>Put the RasPi in its case<\/li>\n<li>Attach the monitor and USB Keyboard<\/li>\n<li>Plug in the USB Network card &#8211; don\u2019t attach a cable<\/li>\n<li>Plug in a network cable from your home network to the RasPi\u2019s built-in network interface<\/li>\n<li>Get the power ready to plug in but do not attach it yet<\/li>\n<\/ul>\n<h2>Create Boot SD Card<\/h2>\n<ul>\n<li>Download the modified\u00a0<a title=\"OpenWRT Image\" href=\"http:\/\/www.uploadmb.com\/dw.php?id=1354316794\">OpenWRT image<\/a><\/li>\n<li>Uncompress the bz2 image (use bunzip2 for Linux or OSX and\u00a0<a title=\"7-Zip Website\" href=\"http:\/\/www.7-zip.org\/\">7zip<\/a>\u00a0for Windows)<\/li>\n<li>Write the extracted image to the SD Card using the methods described in the tutorial\u00a0<a title=\"How to Flash an SD Card for Raspberry Pi\" href=\"http:\/\/mac.tutsplus.com\/tutorials\/electronics\/how-to-flash-an-sd-card-for-raspberry-pi\/\">How to Flash an SD Card for Raspberry Pi<\/a><\/li>\n<li>Insert the SD card into your RasPi<\/li>\n<li>Attach power<\/li>\n<\/ul>\n<p>At this point you should see typical boot messages scroll on your monitor.<\/p>\n<h2>Boot the Pi and Change the Default Password<\/h2>\n<p>Once the console has stopped scrolling messages, hit the enter key to open the command line prompt. You will see something like this:<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.tutsplus.com\/mac\/uploads\/2013\/10\/openwrtissue.png\" alt=\"openwrtissue\" width=\"600\" height=\"351\" \/><figcaption>OpenWRT Issue<\/figcaption><\/figure>\n<p>Making the\u00a0<em>Attitude Adjustment<\/em>\u00a0drink is optional and not required for this tutorial. It may be fun, however, if you have the ingredients on hand. 
If you choose to follow the instructions, be sure to pick back up here afterwards.<\/p>\n<ul>\n<li>Enter the command\u00a0<code>ifconfig eth0<\/code>\u00a0and you should see something like this:<\/li>\n<\/ul>\n<div>\n<div id=\"highlighter_362822\">\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>eth0 Link encap:Ethernet HWaddr B8:27:EB:5C:B3:3F<\/code><\/div>\n<div><code>inet addr:192.168.1.126 Bcast:192.168.1.255 Mask:255.255.255.0<\/code><\/div>\n<div><code>UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<\/code><\/div>\n<div><code>RX packets:67533 errors:0 dropped:0 overruns:0 frame:0<\/code><\/div>\n<div><code>TX packets:71487 errors:0 dropped:0 overruns:0 carrier:0<\/code><\/div>\n<div><code>collisions:0 txqueuelen:1000<\/code><\/div>\n<div><code>RX bytes:24032301 (22.9 MiB) TX bytes:12706941 (12.1 MiB)<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Pay attention to the\u00a0<em>inet addr<\/em>\u00a0line, above. This is the current IP address the system received by DHCP. You will need this address to login and manage the device. In this example the IP is\u00a0<code>192.168.1.126<\/code>.<\/p>\n<ul>\n<li>Open a web browser to the IP address you identified above. You will see a warning that the password has not been set. 
Click the link to set it.<\/li>\n<li>Enter\u00a0<code>root<\/code>\u00a0as the username and click the\u00a0<strong>login<\/strong>\u00a0button to login first without a password<\/li>\n<li>Enter a password into the\u00a0<strong>Password<\/strong>\u00a0and\u00a0<strong>Confirmation<\/strong>\u00a0fields<\/li>\n<li>Click\u00a0<strong>Save &amp; Apply<\/strong><\/li>\n<\/ul>\n<figure><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.tutsplus.com\/mac\/uploads\/2013\/10\/openwrtpw.png\" alt=\"openwrtpw\" width=\"600\" height=\"208\" \/><figcaption>Change Password<\/figcaption><\/figure>\n<h2>Install the Drivers for the USB Ethernet Adapter<\/h2>\n<p>The next step is to download and install the kernel drivers for the USB Ethernet adapter. OpenWRT has a nice web based package manager that will allow you to filter on an appropriate package and install or remove it as needed.<\/p>\n<ul>\n<li>Click on the\u00a0<strong>System &gt; Software<\/strong>\u00a0tab<\/li>\n<li>Click the Update lists button to update the available package list<\/li>\n<li>Type\u00a0<strong>mcs7830<\/strong>\u00a0in the\u00a0<strong>Find Package<\/strong>\u00a0field<\/li>\n<li>Click\u00a0<strong>Find Package<\/strong><\/li>\n<li>Click the Available Packages tab below the filter field<\/li>\n<li>Click\u00a0<strong>Install<\/strong>\u00a0next to the\u00a0<code>kmod-usb-net-mcs7830<\/code>\u00a0package<\/li>\n<\/ul>\n<figure><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.tutsplus.com\/mac\/uploads\/2013\/10\/openwrtsoftware.png\" alt=\"openwrtsoftware\" width=\"600\" height=\"412\" \/><figcaption>Install Kernel Module<\/figcaption><\/figure>\n<h2>Create the WAN Interface<\/h2>\n<p>The new USB network interface eth1 will be the external or WAN interface for the router. I recommend this particular adapter because it is a true USB 2.0 device and is not limited to the lower speeds of a 1.0 or 1.1 USB device. 
This next step defines the eth1 device as the WAN interface, which OpenWRT understands and to which it will automatically apply the correct firewall policy.<\/p>\n<ul>\n<li>Click on the\u00a0<strong>Network &gt; Interfaces<\/strong> tab<\/li>\n<li>Click\u00a0<strong>Add new interface<\/strong><\/li>\n<li>Enter\u00a0<code>WAN<\/code>\u00a0as the interface name<\/li>\n<li>Select\u00a0<strong>eth1<\/strong>\u00a0from the list of available physical interfaces<\/li>\n<li>Select\u00a0<strong>DHCP<\/strong>\u00a0as the Protocol<\/li>\n<li>Click the\u00a0<strong>Firewall Settings<\/strong>\u00a0tab and select\u00a0<strong>Wan<\/strong>\u00a0for the firewall zone<\/li>\n<li>Click\u00a0<strong>Save &amp; Apply<\/strong><\/li>\n<\/ul>\n<figure><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.tutsplus.com\/mac\/uploads\/2013\/10\/openwrtinterfaces.png\" alt=\"openwrtinterfaces\" width=\"590\" height=\"385\" \/><figcaption>OpenWRT Interfaces<\/figcaption><\/figure>\n<h2>Prepare to Cut Over to the Pi<\/h2>\n<p>Next, configure the internal interface to be static and enable the DNS\/DHCP services on the internal network to allow internal dynamic IP addressing and name services. The temporary IP address is used in these steps to allow us to change the protocol to static, enable the DHCP services, and reconnect to the OpenWRT firewall later without jumping through too many hoops or having to statically assign an IP to your computer later in the process.<\/p>\n<ul>\n<li>Click on the\u00a0<strong>Network &gt; Interfaces<\/strong>\u00a0tab<\/li>\n<li>Click\u00a0<strong>Edit<\/strong>\u00a0next to the eth0 LAN interface<\/li>\n<li>Change the protocol to\u00a0<strong>Static address<\/strong><\/li>\n<li>Confirm that you wish to change the protocol<\/li>\n<li>Enter the unused address you collected earlier into the IPv4 Address field. 
In this example:\u00a0<code>192.168.1.2<\/code><\/li>\n<li>Enter your subnet mask, most likely\u00a0<code>255.255.255.0<\/code>\u00a0in the IPv4 netmask field.<\/li>\n<li>Enter the broadcast address collected earlier in the IPv4 broadcast field. For example\u00a0<code>192.168.1.255<\/code><\/li>\n<li>Click\u00a0<strong>Save &amp; Apply<\/strong>\u00a0&#8211; The results will not return to your browser because you just moved the Pi to a different address.<\/li>\n<li>Give the Pi a few minutes to commit the changes.<\/li>\n<li>Put the new IP address in your browser and connect to the Pi again.<\/li>\n<li>Click on the\u00a0<strong>System &gt; Reboot<\/strong>\u00a0tab<\/li>\n<li>Click on the\u00a0<strong>Perform Reboot<\/strong>\u00a0link and confirm<\/li>\n<li>Log in when the system has rebooted<\/li>\n<\/ul>\n<h2>Confirm That Firewall and DHCP\/DNS Services Are Set for Startup<\/h2>\n<ul>\n<li>Click on the\u00a0<strong>System &gt; Startup<\/strong>\u00a0tab<\/li>\n<li>Ensure that all services are enabled.<\/li>\n<li>Click on the red\u00a0<strong>X<\/strong>\u00a0next to a service if it is disabled to enable it. network, dnsmasq and firewall are of particular importance to have running.<\/li>\n<\/ul>\n<figure><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cdn.tutsplus.com\/mac\/uploads\/2013\/10\/openwrtstartup.png\" alt=\"openwrtstartup\" width=\"585\" height=\"598\" \/><figcaption>All Services Set to Startup<\/figcaption><\/figure>\n<h2>Replace Existing Firewall<\/h2>\n<ul>\n<li>Turn off your existing firewall<\/li>\n<li>Put the Raspberry Pi in place<\/li>\n<li>Plug the Internet\/Modem facing cable into the USB interface<\/li>\n<li>Plug the LAN cable from your home network switch into the on-board interface<\/li>\n<li>Turn on the Raspberry Pi<\/li>\n<\/ul>\n<div><strong>Tip:<\/strong>\u00a0If you don\u2019t leave a keyboard and monitor attached to your firewall it will still continue to work just fine. 
You can reconnect the monitor and keyboard if you need to troubleshoot or connect to the firewall via its serial interface (Instructions can be found at the\u00a0<a title=\"Serial Monitor\" href=\"http:\/\/elinux.org\/RPi_Serial_Connection\">elinux.org RPi Serial Connection<\/a>\u00a0page). Most online troubleshooting can be done by logging into the Pi via SSH. A monitor and keyboard may only be needed if it does not appear on the network.<\/div>\n<h2>Reconfigure the Internal Interface<\/h2>\n<p>This final reconfiguration of the interface will move it over to the address the old firewall was using. This will allow any existing DHCP leases or hard coded addresses in your home to continue using the Internet without interruption.<\/p>\n<ul>\n<li>Log in to the temporary IP address 192.168.1.2<\/li>\n<li>Click on the Network&gt;Interfaces tab<\/li>\n<li>Click Edit next to the LAN interface<\/li>\n<li>Change the IPv4 Address to be the address of your previous firewall. Example: 192.168.1.1<\/li>\n<li>Click Save &amp; Apply &#8211; Again the task will not complete in the browser as you have changed the address of the Firewall<\/li>\n<li>Log in to the OpenWRT Raspberry Pi at the new address you assigned, i.e. 192.168.1.1<\/li>\n<\/ul>\n<h2>Perform Final Reboot and Test<\/h2>\n<p>On rare occasions I discovered that the system needed a reboot to align all the rules and services after moving interfaces around. This last reboot is more to verify that everything is set up right from a cold boot. 
This means next time the power goes out you&#8217;ll still be in good shape after it comes back on.<\/p>\n<ul>\n<li>Click on the\u00a0<strong>System &gt; Reboot<\/strong>\u00a0tab<\/li>\n<li>Click on the\u00a0<strong>Perform Reboot<\/strong>\u00a0link and confirm<\/li>\n<li>Wait approximately 60 seconds for the firewall to boot<\/li>\n<li>Test that your workstation is indeed getting a new DHCP address and can surf the Internet<\/li>\n<\/ul>\n<p>Congratulations! You have a brand new firewall. Another\u00a0<em>Attitude Adjustment<\/em>\u00a0drink is optional.<\/p>\n<h2>Summary<\/h2>\n<p>In this tutorial I have installed OpenWRT onto a Raspberry Pi, added a second USB network interface, and replaced your home firewall. The simple web interface of OpenWRT provides a powerful and easy way to manage your new firewall. This default install provides basic home firewall functionality including Address Masquerading, DHCP, and DNS services.<\/p>\n<p>These capabilities are just the beginning. There is a rich catalogue of software available for OpenWRT that can be accessed via the\u00a0<strong>System &gt; Software<\/strong>\u00a0tab. Packages exist to provide VPN, Web server, and many other features well beyond the capabilities of off-the-shelf home firewalls.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Installing OpenWRT on a Raspberry Pi as a New Home Firewall By\u00a0Ben Miller,8 Nov 2013 http:\/\/computers.tutsplus.com\/articles\/installing-openwrt-on-a-raspberry-pi-as-a-new-home-firewall&#8211;mac-55984 OpenWRT\u00a0is an active and vibrant home firewall project that was born on the Linksys WRT54G line of home routers. 
It has grown and expanded &#8230; <a class=\"more-link\" href=\"http:\/\/www.wildow.com\/blog\/?p=1278\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-1278","post","type-post","status-publish","format-standard","hentry","category-raspberrypi"],"_links":{"self":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1278"}],"version-history":[{"count":3,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1278\/revisions"}],"predecessor-version":[{"id":1613,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1278\/revisions\/1613"}],"wp:attachment":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1278"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}