Update of OpenWrt routers, 2nd gen
History
My internal network is split into different segments, physically
separated by routers based on OpenWrt since 2016.
WLAN is provided by additional access points.
This setup was implemented using TP-Link routers (TP-Link TL-WR1043ND and TP-Link TL-AC2600).
The TL-WR1043ND routers provided DHCP, DNS, and NTP. Squid was installed on the larger TL-AC2600 only.
The wireless access points are “dumb”: They simply act as a bridge between WLAN and LAN.
Motivation
The old setup was in production for 5 years, and it has run quite well.
However, I wanted to change some things:
- Turn off forwarding to the Internet
- The router acts as a DNS and NTP server
- All devices or applications should use the web proxy on the routers
- Add services to the routers: Web proxy, ad blocking, NAS, MQTT
- Set up WPA3
- Integrate Pi-hole functionality (DNS-based ad blocking) into the routers: Pi-hole was running in Docker on a separate Pi
- Update all systems to OpenWrt 19
Having collected lots of experience with the previous setup, I decided to change the hardware of the routers from TP-Link to Raspberry Pi. OpenWrt is supported on the Pi since 2017.
Pros of using Raspberry Pis
- No more “out of flash” space: Endless space for additional utilities and applications. The extroot option on OpenWrt is not easy to maintain.
- CPU speed, RAM size: More services can be run on the routers
- No risk to brick your device: If something fails, you can just start again by installing OpenWrt again on the SD card
- No need for a serial terminal (this requires soldering) to watch the boot process: Just connect an HDMI display
- Simple backup/rollback strategies: Copy the SD card, use new SD cards for tests etc.
Cons
- WLAN is limited on the Pis. No problem in my case, since the wireless access points still use TP-Link hardware
- OpenWrt is not yet officially supported on the Pi 4. I am using Pi 3 currently.
- The TP-Link routers contain an integrated switch (four ports). I am using an external one (which needs another power supply), but I need this anyway, since four ports were never enough.
- There is no 2nd Ethernet port on the Pi: One possibility is to use VLAN, the other option is to use a USB Ethernet adapter. Since I wanted to keep my switches, I opted for the 2nd option. It’s not really convenient to set up the 2nd Ethernet interface, but it’s not rocket science either.
Installation
- Instead of manual configuration I have switched to scripted installation
- This way there is no need for separate documentation, and there is no real need for a backup either: The scripts are the documentation and the backup, and these are maintained using git
- I have added a Squid/Privoxy proxy chain to all routers
- There is now Adblock on each router (this replaced Pi-hole).
- NAS services are provided by NFS and Samba
- A DAV service is offered by Radicale (calendar, address books, task lists)
- There is a Mosquitto installation to provide an MQTT service. This is used for various automation tasks.
Conclusion
- The only “problem” is to set up the 2nd Ethernet interface
- Having endless storage and computing power is really a big plus
- Looking forward to replacing the Pi 3 versions with Pi 4: This will result in two (nominal) Gigabit Ethernet interfaces. I have not had any performance problems with 100 MBit though.
Update
2021-03-19
- Runs without any problems so far
- I still encounter applications which need to be configured to use a proxy