Customizing OpenWRT

Ever since I set up OpenWRT I’ve been meaning to play around a bit with the firewall settings, including those for interfaces and zones.

What I had in mind more specifically was to create a distinct firewall zone dedicated to the logical network of Docker containers living on my Raspberry Pi 4.

I wanted to see if I could manage ingress and egress traffic from/to it from OpenWRT. Not because I needed it, no. Nothing is exposed and all of the containers are just for LAN use. I wanted to see if it was basically possible to do that for a network not directly managed on the hardware running the router.

It took me some time but it does look like I’ve succeeded! Here’s a bit of a rundown of the steps I took – as much for me in case I ever want to do it again, as for potential visitors interested in the same goal:

  1. I had to create a brand new network interface. For this, I went to Network → Interfaces → Add new interface. This is what my interface looks like:
     • IPv4 address and IPv4 netmask constitute the subnet of the Docker network I’m using (172.18.0.0/24).
     • IPv4 gateway is the IP address of my Raspberry Pi where all the containers technically live.
  2. Then, I went to the Firewall Settings to create a new Docker zone “connected” to this interface:
Creating a firewall zone from the interface

Then I hit Save and confirmed I wanted to apply the changes. What came out of that was a new alias interface off of the existing lan interface (default one).

From there, all I needed to do was to create a new traffic rule in the firewall to test the traffic and that was it!
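
The three steps above, written out as the UCI config files that LuCI edits. This is an added example, not the author's actual configuration: the router address inside the Docker subnet (172.18.0.254), the Pi address (192.168.1.50), the zone policies and the test rule are all assumptions, and the `@lan` alias syntax assumes a recent OpenWrt release.

```uci
# /etc/config/network
# Alias interface on top of the existing 'lan' interface.
config interface 'docker'
	option proto 'static'
	option device '@lan'
	# Assumed address for the router inside the Docker subnet 172.18.0.0/24
	option ipaddr '172.18.0.254'
	option netmask '255.255.255.0'
	# Placeholder for the Raspberry Pi's LAN address
	option gateway '192.168.1.50'

# /etc/config/firewall
# Dedicated zone bound to the new interface. Default-deny for anything
# arriving from the Docker network, with logging so test traffic is visible.
config zone
	option name 'docker'
	list network 'docker'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'

# Let LAN clients reach the containers (assumed policy).
config forwarding
	option src 'lan'
	option dest 'docker'

# Constructed test rule: allow only DNS from the Docker zone to the router.
config rule
	option name 'Allow-Docker-DNS'
	option src 'docker'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Constructed test rule: explicitly reject Docker-to-WAN traffic.
config rule
	option name 'Reject-Docker-to-WAN'
	option src 'docker'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Zone policies and rules only act on packets that the router itself receives or forwards, so traffic that stays between two hosts on the same LAN segment never hits them.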