Your network needs rules! // A Beginners Guide to Firewall Rules in OpenWrt, GL.iNet Slate

13,712 views

Dev Odyssey

a day ago

Description
We all have a firewall in our home; we just call it by a different name: router. Home routers do several things at once, acting as a switch and an access point. As firewalls, though, they are underpowered, not because of the hardware but because of the software: at best, they offer port forwarding. Replacing that software with OpenWrt opens up many more firewall options that we can use to protect and fine-tune our home network. With firewall rules we can block traffic on ports that are never used legitimately, only by malware, and we can write rules that permit just the common ports our internet use and the IoT devices on our network rely on. Firewall rules aren't a silver bullet for protecting your network, but they are part of a defense-in-depth strategy that makes it harder for attackers to compromise your devices. Watch above to learn how you can protect your network with OpenWrt's firewall features.
Links
OpenWrt Firewall Docs
openwrt.org/docs/guide-user/f...
GL.iNet Slate
www.gl-inet.com/products/gl-a...
GL.iNet Slate Review
• Protect yourself when ...
Chapters
00:00 Intro
00:40 About Firewalls and Rules
02:49 Demo
03:18 About Zones, Chains, Actions
10:58 Creating Firewall Rules
13:13 Testing Firewall Rules
15:05 Final Notes
15:48 Outro
Attributions
Music | "Beautiful" by LiQWYD
Watch: • LiQWYD - Beautiful [Of...
License: www.liqwydmusic.com/how-to-use
Download/Stream: hypeddit.com/liqwyd/beautiful
Access-point icons created by iconixar - Flaticon
www.flaticon.com/free-icons/a...
Network switch icons created by Chattapat - Flaticon
www.flaticon.com/free-icons/n...
Firewall icons created by Freepik - Flaticon
www.flaticon.com/free-icons/f...
Tags
#firewall #firewallrules #homenetwork #router #openwrt #glinet

Comments: 53
@DevOdyssey, a year ago
Want to see a best practices firewall rules video?
@gustavrsh, 2 months ago
OpenWRT is a godsend. Besides letting us use inexpensive devices to build our home infrastructure, it's a great way to learn about networking.
@DevOdyssey, 2 months ago
I'd have to agree! Especially for anyone running off-the-shelf hardware. It really makes the most use of it, instead of being restricted. Now I get why, for the sake of simplicity and ease for the standard user, but that's not everyone, and for people interested in learning more about networking, OpenWrt is a great start. Especially these days with everything being a networked service. Good luck on your journey! There's plenty to learn and it never ends.
@ivanov83, a month ago
Absolutely. I got most of my knowledge about networking tinkering with OpenWrt. I have been using it on many routers for various different purposes. I used it as an LTE router with a Huawei USB stick, and on an ISP-provided router that was extremely unstable and buggy, had a weird choice of hardware, and was not officially supported, but some enthusiasts made and supported OpenWrt builds for it, turning quite useless hardware into a fully capable computer. I used it on at least 5 different Xiaomi routers, I built an 802.11r/k/v seamless routing area on them, I ran VPN clients and servers on them, I built an L2 network between my and my family members' home networks, I have policy-based proxying to automatically bypass government censorship, I have network-wide adblock, I have built a file share server on an external drive, an SMS gateway, an asterisk node, and right now I have a special small and power-efficient x86 build that is used to power the home network with a lot of VLANs and provide reverse-proxy access to some of my homelab stuff. OpenWrt is simply one of the most significant open-source things that I use in my life. Infinitely grateful to the developers.
@goppinaththurairajah760, 11 months ago
One of the best explanations that I could find at the moment regarding the OpenWrt firewall. Especially differentiating the forward chain and forwarding to and from firewall zones. Thanks again for your time and effort.
@DevOdyssey, 11 months ago
Thanks for watching @goppinaththurairajah760, and you're welcome! I really appreciate the compliment. I did my best to explain every relevant part of firewall rules in OpenWrt / Linux systems, with regards to iptables and nftables, that wouldn't be too advanced. Initially, I would get tripped up on the different forwardings, interzone forwarding and zone to zone forwarding. Once you find the right settings and draw it out visually, it makes it much easier to understand. I'm not exactly sure how this looks in iptables / nftables, but you could just dump out the output of those configs (in this case, would be nftables) and you can see how it looks, if you're curious.
@mikedavis1426, a year ago
Nicely done! I use OpenWRT on a Linksys EA8300 in our camper! Yes! High-tech our way through many State and Federal Campgrounds!! Phone, Cameras, Android TV and Laptops... USB tethering a cellphone to the router... had me hack my way through the firewall rules ... I see now I need to go back and make sure I didn't just ALLOW EVERYTHING 🙂 THANKS!!!!
@DevOdyssey, a year ago
Thanks for watching @mikedavis1426! I like your setup! I've been hearing how popular OpenWrt setups are for campers, including Rooter, which is based on OpenWrt but is optimized for cellular modem usage, which makes sense to give the whole camper internet access. It sounds like your EA8300 handles USB tethering well; that's something I want to try out one day on OpenWrt. By default, OpenWrt will allow all traffic out, just like consumer grade routers. The difference is, you can fine tune that in OpenWrt. Now for something like a camper, it's probably not as bad to have some of those rules, unless that network is always live and running. If you definitely want to lock it down, I'd suggest doing some research on the most common ports used (80, 443, 22, 21, 22, 123, etc.), and set up allow rules for those. The difficulty will come in when you have non-standard port usage for legitimate traffic; you'll have to monitor OpenWrt logs to see what's being dropped, review that traffic, and add rules for it accordingly. For example, some video conferencing may use non-standard ports. You don't really know what they are until you use them and see what your firewall shows. That's how I had to figure it out 🙂. Best of luck!
@Baku-oc5fc, 4 months ago
Boris - excellent, and solid content delivery skills. Well done.
@DevOdyssey, 4 months ago
Thanks for watching @Baku-oc5fc! I appreciate the compliments, as I truly try my best in these areas so that my videos are not only easy to understand and easy to follow, but also well received. It's good to know that my viewers think I'm doing well in these areas I focus on.
@shahabsamkan4027, 7 months ago
I'm a big fan of you DevOdyssey. LOVE your video! I guess I watch every new video you put out. That said though, your delivery reminds me of a Skyrim NPC :) especially your gestures!
@DevOdyssey, 7 months ago
Thanks for the compliment and thanks for watching @shahabsamkan4027! It means a lot to hear that. I have never played Skyrim, though I have heard plenty about it. I didn't know their NPCs are emotive with their hands a lot, but hey, I'll take that as a compliment! 😊 Now I have to play Skyrim to see this for myself 😂
@shahabsamkan4027, 7 months ago
😄 It's an awesome game! I'm sure you'll enjoy it @DevOdyssey
@DevOdyssey, 7 months ago
One day, when I get more free time! @shahabsamkan4027
@michaelsmulsky, 7 months ago
Great job! Very educational
@DevOdyssey, 7 months ago
Thanks for watching! I appreciate your kindness, and knowing that you learned something from it.
@be16_channel, 2 months ago
Thank you, this helped me learn the openwrt firewall. I'm from Indonesia.
@DevOdyssey, 2 months ago
You’re welcome! Appreciate you watching @be16_channel. If you learned something, then I know my video served its purpose. I hope my other videos help build upon what you’ve learned here!
@marcusjohansson668, a year ago
HE IS BACK!!! I was actually on your channel two days ago wondering where you went, and here you are! I always love watching you and always learn something. I actually use you as my main YouTube source when trying to learn openwrt and networking! Last time we interacted I was playing around setting up my own wrt on a bananapi; that has gone on ice since then, but maybe it's time to pick it up again. You set the destination zone to device. Does that mean every ping attempt going through the router (to both lan and wan) will be stopped, or ONLY the pings to 192 168 1 1? (YouTube did not like me using dots there.) I just want to tell you how happy I am to see you again! Watching you is like watching a video presentation in school (yes, I'm that old, we used VHS when I went to school) BUT NOT BORING! I don't know what you work with besides this, but I REALLY hope someone besides us here on YouTube gets to experience your teaching. :D
@DevOdyssey, a year ago
Thanks Marcus! That all really means a lot to hear, thank you so much for sticking around and being a fan. I'm happy to have caught you at the right moment! I've had a bit of life changes that caused the hiatus, notably becoming a father, so I've been figuring out how to allocate my time to get more videos out. It always makes me happy to hear how much my fans learn from watching my videos. It feels great to be an official source of networking and OpenWrt knowledge for you 😊 I would be happy to hear you pick that up and get it working with OpenWrt! I've been wanting to get more hardware to try out OpenWrt installs on to see what I can get working; I've been a bit cost conscious, and not spending much money on hardware. Banana Pi has lured me with its networking options, so definitely get back to it, and reach out if you have any questions! As for the destination zone set to device in this example, it will only be dropped when going to the router interface itself, that being 192 168 1 1. If you ping an external IP address, that'll be passed through the router with no drops or rejects. Yea, I try to not use dots in my IP addresses either; I learned YouTube did not like that a while ago, so I always format it haha. I'm flattered to hear that, and I'm glad to be back as well. A comment like this is a nice one to come back to with a new video. I can relate, I used to watch VHS in school as well, so I hear you, just not boring of course haha. You're too kind, thanks for all the compliments. I have a day job in Information Security doing (Web) Application Security and Security Assessments, so this knowledge I've gained over the years has been extremely useful for me at work. I do have some colleagues I share my knowledge with, and some interns on the team, but I'll have to say, it's me who's been doing tons of learning over the years as I got my start in Information Security roughly 3 years ago.
What I know now, and have made videos on, is a result of how much I've learned to be well prepared for a role in Information Security. Anyway, thanks again for the kindness, and I look forward to hearing about your Banana Pi project!
@marcusjohansson668, a year ago
@DevOdyssey CONGRATS ON THE ADDITION TO YOUR FAMILY!!
@DevOdyssey, a year ago
Thank you Marcus! She's been the center of my world since she was born. She's growing and learning quickly, and I've learned from her too, notably how to be a father; something she'll continue to teach me throughout my life. As a voracious learner, I couldn't be happier to be on this journey with a new life to raise in this world.
@moetocafe, 4 months ago
Excellent overview of the Firewall and the zones on OpenWRT, explained in very simple/accessible terms. Thank you. I was looking for this info on the OpenWRT site, but was unable to find it (perhaps my mistake).
@DevOdyssey, 4 months ago
Thanks for watching @moetocafe! I appreciate it and the compliment. It took me some time, and testing, to wrap my head around zones, but once I did, it was easy enough to remember. I figured a good visual could really help to show how they work. You can find a very quick and basic explanation below, but you can find more on OpenWrt's forum I'm sure, though I have no specific examples from the forum to refer to. openwrt.org/docs/guide-user/firewall/fw3_network Visuals always help, in my opinion.
@moetocafe, 4 months ago
@DevOdyssey I was reading the Quick start guide, but couldn't understand the basic concepts of how OpenWRT is constructed logically, so your video helped me comprehend. My first attempt at OpenWRT was unsuccessful, but now I'm almost confident I'll manage. My ISP limits the Internet by MAC address, and until I figure out how to set up the network settings in OpenWRT, I already messed it up and rendered it inoperable :)) I hope to have time soon and finally do it the right way. My initial mistake was to put the MAC address on the WAN, which now I understand was wrong, as it is a zone, not a device. The ethernet device (it was something like esp3...) must be set with the MAC.
@DevOdyssey, 4 months ago
Glad to hear how my video helped! @moetocafe The reset button on routers sure makes it convenient to start from scratch when we lock ourselves out! Trial and error will certainly help you truly learn OpenWrt. It's the way I have learned, with plenty of self lock-outs to show for it. Given that your ISP limits internet by MAC address, I would assume that it's referring to the MAC on your WAN port (or if anything your modem's MAC). So I'm not sure why it wouldn't work there. But nonetheless, by default there is a WAN zone as well, not just a WAN interface, neither of which are a device, hope I'm not losing you here 🙂 You are correct that the ethernet device itself is where you would modify any MAC settings, as need be. Would be happy to hear how this works out for you!
@ulisse1988, 9 months ago
Thanks 🎉
@DevOdyssey, 9 months ago
You're welcome Alex! Thanks for watching 😊
@bakri99, a year ago
Thank you for the video. I have a question regarding the wireguard vpn, as I tried all the steps you mentioned in the last video but it didn't work. I think the new openwrt firmware is a little different; can you help with this?
@DevOdyssey, a year ago
Thanks for watching Abubakr! So this comment seems better suited for that Wireguard video you are referring to, so for future questions, it would be better to ask there, so others can see our discussion and maybe learn from it. Which Wireguard VPN video are you referring to? The router one or the Site to Site VPN one? The protocol hasn't gone through any major changes, so that configuration should work, and you might be running into another issue or a configuration issue. There could be some OpenWrt UI changes, but from what I see, those changes shouldn't be major enough to be different from this video. If I have a better understanding of what video you are referring to and the steps you took to achieve that configuration, I might be able to help you and see where your problem may lie.
@antoniomax3163, a year ago
Is it possible to learn a little about openwrt x86 (on a vmware or virtualbox, proxmox workstation)? How to install, build? 1. Can I find out by configuring an open server on openwrt and a client? 2. ipsec, ike server client? 3. Please tell me, is it better to use ipsec/ike natively from an android phone version 12-13? 4. How would you organize a network between two objects if both are behind nat?
@DevOdyssey, a year ago
Thanks for watching Antonio! I'd certainly like to get to more of those topics. With OpenWrt on x86, it should act no different than on any system. However, being virtual, that's a whole new topic of its own, of virtual networking, and depends on your hypervisor as to how you would go about that. I've done this with OPNsense and VMWare, just not yet with OpenWrt. Regardless, the concepts look the same and I look forward to making a video on it one day. Building shouldn't be much different. You'd still create a build. The difference is, with virtualization, you'd need to create a virtual machine file that is based off your OpenWrt custom build. This file will vary by hypervisor but the concepts remain the same across platforms. This also covers your install question. I'm not sure what you mean by configuring an open server, but there are plenty of articles I'm sure that explain this that you can reference in the meantime. As for what VPN tech you want to use, I've not used IPsec with IKE so I can't go into detail there. Better than what other option? Other VPN software? As I haven't used it before or set it up, I can't really comment on it, but it's an enterprise based solution (IPSec / IKE) so you can't go wrong, though this may be more difficult to achieve than just using Wireguard or OpenVPN. I'm not sure what you mean by organizing a network, as at least for your internal network, that depends on your use case. For connecting two different networks over the internet that are both behind NAT, the easiest route is to use a cloud server that acts as an intermediary between the two to broker the connection. Otherwise you can try something like UDP hole punching, but that would require using a STUN server, or a cloud server to gather the port information needed for UDP hole punching.
I haven't done this with IPSec / IKE, so I don't have anything to say here, but I have done so with Wireguard and it's not too difficult, but it's a pretty manual process if you're using pure Wireguard. This was mostly to prove out the concept. I'd recommend using tailscale here as it's built on Wireguard and offers many additional great features on top of it, and overcomes the issue of traversing NAT, especially when both networks are NATted to the internet. That's another solution I look forward to trying out myself; I've only heard great things about it.
@redblue4962, 14 days ago
Hello and sorry, for I am about to ask a dumb question 😢 What happens if I delete all the default firewall rules on openwrt?
@DevOdyssey, 12 days ago
Thanks for watching @redblue4962! Don't apologize, it's not a dumb question at all, it's an interesting one. So from reading the defaults and your question, your internet should still work, if you've already connected to it. If not, then it might fail to work for IPv6 traffic, and it might not get a new IP address. Honestly, I'm still not well versed in IGMP and ISAKMP, so I'm not sure what the implications are there. It doesn't seem like there is a default "allow outbound" rule, as it seems to implicitly allow outbound traffic unless you block it, so I don't think you'd block yourself from reaching the internet. So I definitely wouldn't do it without knowing what each rule exactly does, but it doesn't seem to be catastrophic. Oh, and you won't be able to ping your router from the internet, which isn't exactly a bad thing, and from a security sense, can be beneficial.
@solomonkamariki6342, 5 months ago
Can you do a video, tailscale on openwrt?
@DevOdyssey, 5 months ago
Thanks for watching @solomonkamariki6342! I haven't yet gotten into tailscale, but it's something I've been wanting to get into. With my appreciation for WireGuard, I was happy to see how tailscale expanded on WireGuard by adding authentication, and a plethora of other features, making it something of an entirely robust peer to peer tunnel meshing platform. Anyway, when I do get around to using tailscale, you can be sure I'll make a video on it!
@user-uh5dh3ir8j, 10 months ago
After adding the rule examples you mention, I got locked out of LuCI. How can I reset or delete the rules in ssh?
@DevOdyssey, 10 months ago
Thanks for watching! These rules were just used as an example / demonstration, and you should proceed with caution when implementing these rules, as you can definitely lock yourself out of LuCI, especially if you rely on HTTP to access LuCI (and not HTTPS). To change the firewall rules via the terminal / ssh, you can refer to the following documentation. openwrt.org/docs/guide-user/firewall/firewall_configuration Basically the rules are stored in a file, so you can delete the rule there, or use uci commands to delete the rule. The link above goes into good detail on how to do that.
@user-uh5dh3ir8j, 10 months ago
@DevOdyssey I was able to figure it out and learned a lot! Thank you for all the videos
@DevOdyssey, 10 months ago
@user-uh5dh3ir8j Awesome, glad you figured it out and learned plenty along the way. Happy to make these videos and hear from my viewers what they get out of them. All the best on your learning journey!
@scorpion47aka, 6 months ago
Sorry, you haven't mentioned that crucial information at the very beginning of your video; it would save a lot of unnecessary wasted time. Please reconsider your way of introduction in your video @DevOdyssey
@DevOdyssey, 6 months ago
@scorpion47aka thanks for watching! I appreciate the feedback. Always take good consideration when making firewall rules, especially since most routers don't have serial access that you can use as out of band access, as otherwise you'd need to reset the router if you get locked out completely. I'll keep this in mind in my other videos, as in general I do try to highlight important consequences of any actions done on a system / router.
@x-factor9689, 11 months ago
Hi dev ... can you please make a video explaining how to get an sni host for any country to get access to the internet via hc or npv
@DevOdyssey, 11 months ago
Thanks for watching @x-factor9689! I'm not sure I entirely understand what you're asking for. In terms of SNI, that's just the hostname of the client initiating the connection in the TLS protocol, regardless of the originating country of the server. Countries don't have SNI, TLS does for hosts. I tried looking up what HC or NPV mean but I couldn't find it. To me, it sounds like you are trying to bypass country restrictions for internet browsing, which you can do with just a VPN. If you have more context you can provide, I may be able to provide a better answer.
@molly18239, 3 months ago
The new openwrt 22 has taken away the ability to create custom rules to control TTL settings with iptables. A lot of us use these with LTE modems. The new method requires using nftables for setting ttl values. This method involves firewall rules from what I can comprehend. We're all waiting for someone to create a thorough video showing how to do this. Can you give it a try? You'd get a million views, I can tell you that!! So far no content creator has taken on this challenge.
@DevOdyssey, 3 months ago
Thanks for watching Molly! I do know that OpenWrt has moved to nftables versus iptables, so it might be possible in nftables. I have heard of the importance of using different TTLs with LTE modems, as it's seemingly an indicator for what OS you are using, and therefore can bypass rate limiting or bandwidth throttling with different TTLs. It looks like you can create a firewall rule for changing TTLs, and this is something I'll look into more in depth in the future, as I do have my own LTE modem that I'll be messing around with in the future to get MBIM working, as opposed to QMI. Take a look here to see if this helps. It should work for OpenWrt 22.03 as per the title in the post. forum.openwrt.org/t/working-nftables-rule-for-ttl-in-22-03/144838 I'd definitely recommend doing research there when you need guidance.
@ThatTransistorGuy, 8 months ago
Please help, I'm getting a "Legacy Rules Detected" warning on 22.03.
@DevOdyssey, 8 months ago
Thanks for watching @ThatTransistorGuy! I haven't personally encountered this, but it seems to relate to iptables rules being present when nftables is now the default firewall rule engine. This can be caused by other apps you may have installed that utilize iptables rules, such as vpn-policy-routing. I'd look into that first. Here is a reference in the OpenWrt forum that led me to this. forum.openwrt.org/t/legacy-rules-detected-on-22-03-0/136955
@ThatTransistorGuy, 8 months ago
@DevOdyssey thanks!
@DevOdyssey, 7 months ago
@ThatTransistorGuy You're welcome!