For a while I have been planning to switch from an all-in-one wifi router to having separate devices because that way they can be upgraded piece by piece instead of having to replace the whole thing.

I am confused about the role of the firewall.

If I have a router running OpenWRT, does it have a firewall included? Either by default or by installing certain packages?

Or is it required to have a separate firewall running opnsense/pfsense?

If not required, what would be the benefits that would lean in favour of separate firewall?

use case: small home network 2-3 users. some internal self hosting and maybe one day external self hosting.

ETA: The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. So don’t worry about wasting fibre speeds. :(

My assembled components so far are: router, WAPs, switches, ethernet cable and cable modem.

Thanks for any advice.

  • Ajen@sh.itjust.works · 3 points · edited · 1 year ago

    Openwrt includes a firewall, but most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed. If you want to set up complicated firewall rules or run a VPN server on the same machine as your firewall (you can always use a different server), AND you have a fast internet connection (like 1gbps) and want full speed then it’s a good idea to use a faster x86 machine for the firewall. Lots of people just use openwrt and live with the performance penalty, though.

    • spaghettiwestern@sh.itjust.works · 2 points · 1 year ago

      Openwrt includes a firewall, but most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed.

      Not my experience. Right now I’m running 2 Wireguard VPNs and a moderately complex firewall on a single-core 775 MHz Atheros TP-Link router and it’s not even breaking a sweat. More than 60% of memory is available, and even when transferring a huge file the utilization doesn’t exceed 50%.

      • Ajen@sh.itjust.works · 2 points · 1 year ago

        Memory normally isn’t the bottleneck. When you say “moderately complex firewall” does that include policy-based routing? What speeds do you get between a wireguard client and a wireless client?

        • spaghettiwestern@sh.itjust.works · 2 points · 1 year ago

          PBR is in use and different LAN clients use different Wireguard VPNs or bypass the VPNs entirely. Download speeds are limited by remote server uplink speeds to about 100Mbps. Just ran a test and at full VPN utilization the router’s loafing along at 22% CPU. No matter how complex I’ve made the config this cheap router has been able to easily handle it.

          What VPN speeds were you running that maxed out your router CPU? Were you running Wireguard or OpenVPN?

          • Ajen@sh.itjust.works · 1 point · 1 year ago

            I’m talking about 1gbps between multiple clients on LAN and VPN. I don’t think there are any 802.11ax routers with a support that can handle gigabit speeds without any performance loss when you get the cpu involved in routing.

            But I’m also saying most people will be fine with just an openwrt router. The features you get are usually worth the slight performance loss, and buying a separate firewall to squeeze an extra 100mbps out of your connection when you’re already getting >850mbps doesn’t always make sense.

            • spaghettiwestern@sh.itjust.works · 1 point · edited · 1 year ago

              In your response to the OP’s question where you said “most wifi routers aren’t fast enough to run complicated firewall rules, VPNs, etc. at full speed” were you also “talking about 1gbps between multiple clients on LAN and VPN”?

              OP: “use case: small home network 2-3 users. some internal self hosting and maybe one day external self hosting.”

              From their comments they don’t even have a gigabit Internet connection, much less anything that would stress even a moderately priced router.

              Openwrt isn’t capable of providing enterprise level performance either but that’s not what’s being discussed. A high end router running Openwrt (and even cheaper hardware) should be able to handle OP’s stated use case without breaking a sweat.

              • Ajen@sh.itjust.works · 1 point · 1 year ago

                Yes, that’s what I was talking about. And yes, OP has said in other comments that they have gigabit upstream. OP’s original question was about why some people use openwrt as just an AP and use a separate machine for a firewall. I gave a common reason.

                Personally, I’m building a NAS with 8 SAS drives controlled with an enterprise RAID controller and 2.5gbps ethernet. Total cost is under $300 (including drives) since it’s all used hardware. Enterprises have moved past 1g/2.5g ethernet and SAS 2 a while ago, so lightly used hardware is cheap.

    • imaradio@lemmy.ca (OP) · 1 point · 1 year ago

      The best internet I could subscribe to where I’m at is 1024 Mbps down, 50 Mbps up. :(

      Sounds like I can just use the router then.

      • Ajen@sh.itjust.works · 3 points · 1 year ago

        1024Mbps = 1gbps

        That’s fast enough to hit the limit of most hardware people put openwrt on, but if you stick with standard firewall rules and don’t install anything else on the router you should be ok. The router might limit your download speed slightly, but you should still easily get 800+ mbps.

        • imaradio@lemmy.ca (OP) · 1 point · 1 year ago

          ok, ok, I don’t know how numbers work oops

          I doubt the WAN would provide the advertised top theoretical speed most of the time; I just don’t want to be running at like 10% of potential or something like that. If I were to do that I should at least get a cheaper plan.

          • Ajen@sh.itjust.works · 1 point · 1 year ago

            You might see a 10% performance hit with gigabit internet depending on what you enable in openwrt and how fast your hardware is. On the other hand I wouldn’t compare openwrt speed against the advertised speed. Test the actual speed you get by plugging your computer directly into your modem.

            • imaradio@lemmy.ca (OP) · 1 point · 1 year ago

              I mean I don’t want to take a 90% performance hit lol. I can def live with 10% hit.

  • jubilationtcornpone@sh.itjust.works · 2 points · edited · 1 year ago

    The firewall is the gatekeeper that typically controls the traffic between the WAN and LAN. Most routers have at least a basic firewall built in. Whether you should have a separate router and firewall depends on a few things.

    A common scenario is if you’re routing a whole bunch of different subnets internally. This is often the case in an enterprise environment where thousands of devices are connected to the network. Routing can eat up a lot of horsepower and you don’t want spikes in WAN traffic slowing down your internal routing. In that situation it makes sense to have separate firewall and router appliances.

    If you’re running your entire LAN on one subnet, you’re not typically going to have any internal issues with routing related to WAN traffic. It’s also easier to troubleshoot one network appliance than multiple. I run a single Mikrotik as my main router and firewall. Don’t make it any more complex than you need to unless you just want to see if you can.

    • imaradio@lemmy.ca (OP) · 1 point · 1 year ago

      I run a single Mikrotik as my main router and firewall.

      Cool! I also have a Mikrotik. I flashed over the stock firmware in favour of OpenWrt, which I have some experience with, and it is free software.

      Don’t make it any more complex than you need to unless you just want to see if you can.

      I do not. I don’t really enjoy networking stuff tbh. I am willing to do it because I think in the end I will be happier with the result. It’s like going to the gym though.

      A lot of forum posts are from people who are motivated by the learning value or by making small optimizations. I just want “good enough”.

      Is there any specific information about setting up the openwrt firewall that you’d recommend? Or is it literally included in the default install?

  • Barbieque · 2 points · 1 year ago

    When I set up OpenWRT it had a firewall installed by default. I assume this is standard for all devices it can be installed on.
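To make the "included by default" answer concrete, here is an added example (not posted by anyone in the thread, and not OpenWrt's own shipped file): a minimal fw4-style /etc/config/firewall that reproduces the stock zone model the replies describe, plus one port forward for the OP's "maybe one day external self hosting". The interface names 'wan', 'wan6' and 'lan' are the OpenWrt defaults; the self-hosted server at 192.168.1.10 on TCP/443 is an assumption. The config is emitted from a shell function so it can be inspected on any machine, and only written to the router by the separate apply step.

```sh
#!/bin/sh
# Added example, not the thread's or OpenWrt's own config: a minimal fw4
# /etc/config/firewall matching the stock zone model, plus one port forward
# for external self-hosting. 'wan', 'wan6' and 'lan' are OpenWrt's default
# interface names; the host 192.168.1.10 and port 443 are assumptions.

# Emit the config as text so it can be reviewed (or tested) before it is
# written to the router.
gen_firewall_config() {
	cat <<'EOF'
# Global policy: unsolicited traffic is rejected unless a zone allows it.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted side: LAN hosts may reach the router and be forwarded out.
config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Untrusted side: nothing inbound reaches the router or the LAN; NAT outbound.
config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# LAN -> WAN is allowed; there is deliberately no WAN -> LAN forwarding.
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

# The single deliberate hole: TCP/443 from the Internet to one LAN host.
config redirect 'selfhost_https'
	option name 'HTTPS to self-hosted server'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '443'
	option proto 'tcp'
	option target 'DNAT'
EOF
}

# Sanity check on the generated policy: count zones whose inbound default is
# REJECT. With the config above exactly one zone (wan) must match.
count_reject_input_zones() {
	gen_firewall_config | awk '
		/^config zone/ { in_zone = 1; next }
		/^config /     { in_zone = 0 }
		in_zone && /option input .REJECT./ { n++ }
		END { print n + 0 }'
}

# Router side only: back up the current file, install, validate, reload.
# Refuses to run on a machine that does not have fw4.
apply_firewall_config() {
	[ -x /sbin/fw4 ] || { echo "not an fw4 router; refusing to write" >&2; return 1; }
	cp /etc/config/firewall /etc/config/firewall.bak
	gen_firewall_config > /etc/config/firewall
	fw4 check && /etc/init.d/firewall reload
}
```

After `apply_firewall_config` on the router, `fw4 print` shows the nftables ruleset fw4 renders from this file and `nft list ruleset` shows what is actually loaded; the two should agree. Two caveats: the stock file also carries a handful of rules (DHCP renew on WAN, ping, the IPv6 ICMP types the WAN link needs) that this minimal version omits, so merge rather than overwrite if you adapt it; and the redirect is the only line here that exposes anything, so that is the line to review each time a new service is self-hosted.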