My internal network is split into different segments, physically
separated by routers based on OpenWrt since 2016.
WLAN is provided by additional access points.
This setup was implemented using TP-Link routers (TP-Link TL-WR1043ND and TP-Link TL-AC2600).
The TL-WR1043ND routers provided DHCP, DNS, and NTP. Squid was installed on the larger TL-AC2600 only.
The wireless access points are “dumb”: They simply act as a bridge between WLAN and LAN.
The old setup was in production for 5 years, and it has run quite well.
However, I wanted to change some things:
- Turn off forwarding to the Internet
- The router acts as a DNS and NTP server
- All devices or applications should use the web proxy on the routers
- Add services to the routers: Web proxy, ad blocking, NAS, MQTT
- Set up WPA3
- Integrate Pi-hole functionality (DNS-based ad blocking) into the routers: Pi-hole was running in Docker on a separate Pi
- Update all systems to OpenWrt 19
Having collected lots of experience with the previous setup, I decided to
change the hardware of the routers from TP-Link to Raspberry Pi. OpenWrt has been supported on the Pi since 2017.
Pros of using Raspberry Pis
- No more running out of flash space: Endless room for additional utilities and applications. The extroot option on OpenWrt is not easy to maintain.
- CPU speed, RAM size: More services can be run on the routers
- No risk of bricking your device: If something fails, you can just start again by installing OpenWrt on the SD card once more
- No need for a serial terminal (which requires soldering) to watch the boot process: Just connect an HDMI display
- Simple backup/rollback strategies: Copy the SD card, use new SD cards for tests, etc.
Cons of using Raspberry Pis
- WLAN is limited on the Pis. No problem in my case, since the wireless access points still use TP-Link hardware
- OpenWrt is not yet officially supported on the Pi 4. I am using the Pi 3 currently.
- The TP-Link routers contain an integrated switch (four ports). I am using an external one (which needs another power supply), but I need this anyway, since four ports were never enough.
- There is no 2nd Ethernet port on the Pi: One possibility is to use VLANs, the other option is to use a USB Ethernet adapter. Since I wanted to keep my switches, I opted for the 2nd option. It’s not really convenient to set up the 2nd Ethernet interface, but it’s not rocket science either.
Results
- Instead of manual configuration I have switched to scripted installation
- This way there is no need for separate documentation, and there is no real need for a backup either: The scripts are the documentation and the backup, and these are maintained using git
- I have added a Squid/Privoxy proxy chain to all routers
- There is now Adblock on each router (this replaced Pi-hole).
- NAS services are provided by NFS and Samba
- A DAV service is offered by Radicale (calendar, address books, task lists)
- There is a Mosquitto installation to provide an MQTT service. This is used for various automation tasks.
- The only “problem” is setting up the 2nd Ethernet interface
- Having endless storage and computing power is really a big plus
- Looking forward to replacing the Pi 3 units with Pi 4: This will result in two (nominal) Gigabit Ethernet interfaces. I have not had any performance problems with 100 MBit though.
- Runs without any problems so far
- I still encounter applications which need to be configured to use a proxy
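As an added example (not the author's scripts, which the post does not show), here is a hypothetical install script in the spirit of the scripted installation described above. It covers three points from the post at once: the USB Ethernet adapter as the 2nd interface, turning off forwarding so that devices on the segment can only leave it via the router's own proxy, DNS and NTP, and keeping the configuration as a script that doubles as documentation and backup. The interface names (eth0 on-board, eth1 USB adapter), the LAN address 192.168.10.1/24 and the OpenWrt 19.07 `option ifname` syntax are assumptions, not taken from the post.

```shell
#!/bin/sh
# Hypothetical OpenWrt 19.07 install script (added example, not the post's own).
# Assumptions not taken from the post: eth0 = on-board port (LAN side of this
# segment), eth1 = USB Ethernet adapter (uplink towards the next router),
# LAN address 192.168.10.1/24. Everything else is plain UCI config syntax.
#
# On the router:  sh install-router.sh /etc/config
#                 (then: /etc/init.d/network restart; /etc/init.d/firewall restart)
# Dry run:        sh install-router.sh /tmp/preview   (inspect the generated files)
set -eu

LAN_IF="eth0"            # on-board Ethernet, connected to the segment's switch
WAN_IF="eth1"            # USB Ethernet adapter; needs the kmod-usb-net-* driver for its chipset
LAN_ADDR="192.168.10.1"
LAN_MASK="255.255.255.0"

# /etc/config/network: one interface per physical port (19.07 uses 'ifname';
# 21.02 and later use 'device' instead).
write_network_config() {
    cat > "$1/network" <<EOF
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname '$LAN_IF'
    option proto 'static'
    option ipaddr '$LAN_ADDR'
    option netmask '$LAN_MASK'

config interface 'wan'
    option ifname '$WAN_IF'
    option proto 'dhcp'
EOF
}

# /etc/config/firewall: two zones and deliberately NO "config forwarding"
# stanza from lan to wan. Devices on the segment therefore cannot reach the
# Internet directly; only the router itself (zone output ACCEPT) can, which is
# what Squid, DNS and NTP on the router need. LAN input is ACCEPT because the
# router hosts the segment's services (proxy, DNS, NTP, NAS, MQTT, DAV).
write_firewall_config() {
    cat > "$1/firewall" <<EOF
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
EOF
}

# Self-check: exit 0 only if the firewall file contains no forwarding stanza
# with src 'lan' and dest 'wan'. Guards against a later edit (or a package's
# default file) quietly re-enabling direct Internet access for the segment.
forwarding_disabled() {
    tr -d "'" < "$1" | awk '
        /^config /                             { fwd = ($2 == "forwarding"); src = ""; dst = "" }
        fwd && $1 == "option" && $2 == "src"   { src = $3 }
        fwd && $1 == "option" && $2 == "dest"  { dst = $3 }
        src == "lan" && dst == "wan"           { bad = 1 }
        END                                    { exit bad ? 1 : 0 }'
}

main() {
    dir="$1"
    mkdir -p "$dir"
    write_network_config "$dir"
    write_firewall_config "$dir"
    forwarding_disabled "$dir/firewall" || { echo "lan->wan forwarding present in $dir/firewall" >&2; exit 1; }
    echo "written: $dir/network $dir/firewall (no lan->wan forwarding)"
}

# Run only when a target directory is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$1"; fi
```

The script writes the UCI files whole instead of issuing `uci set` commands, which keeps the repository copy identical to what ends up in /etc/config and makes a diff against a running router trivial. The dry-run mode is what you would use on a freshly flashed SD card before trusting the result.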