Introduction: Bridge Firewall With OrangePi R1

I had to buy another Orange Pi :) This was because my SIP phone began to ring in the middle of night from strange numbers and my VoIP provider sugested that was due to port scans. Another reason - I had heard too often about routers being hacked, and I have a router I am not allowed to administer (Altibox/Norway). I was also curious what was going on in my home network. So I decided to set up a bridge-firewall, transparent to TCP/IP home network. I tested it with a PC, then I decided to buy OPi R1 - less noise & less power consumption. If you have your own reason to have such a hardware firewall - that is easier than you think! Don't forget to buy a heat sink and a decent micro SD card.

Step 1: OS & Cabling

I installed Armbian:

As you have maybe noticed I used USB TTL converter to have access to serial console, which was not necessary, the default network config assumes DHCP. It is also possible to activate WiFi interface with sudo nmtui

The only comment to the converter - in many tutorials no VCC connection is suggested. For me it worked only when power supply was connected (3.3V is the only square pin out on the board). And it was going to overheat if not connected to USB before power supply was switched on. I guess R1 has pinout compatible with OPi Zero, I have troubles with finding R1 schematics.

After booting Armbian, changing root password and some update/upgrade stuff I found two interfaces ('ifconfig -a') - eth0 and enxc0742bfffc6e. Check it because you will need them now - the most awesome thing is that to turn your R1 to a Ethernet bridge you only need to adjust /etc/network/interfaces file. I was emazed that Armbian comes with some preconfigured versions of the file including interfaces.r1switch - sounds like what we need but it does not work.

Another important thing was proper identification of Ethernet ports - enxc0742bfffc6e was the one near serial pins.

Before you make the R1 lose contact with Internet (OK, this could have been configured better) just install one thing:

sudo apt-get install iptables-persistent

Well, you might also want to install some network monitoring tools, see here:

Step 2: /etc/network/interfaces

If you switch you local network to eth0 than you need the following interfaces file (you can always get back to orig version with sudo cp interfaces.default interfaces; reboot):

auto br0
iface br0 inet manual

bridge_ports eth0 enxc0742bfffc6e

bridge_stp off

bridge_fd 0

bridge_maxwait 0

bridge_maxage 0

Step 3: Iptables

After reboot your R1 should be transparent to the network and work like a cable connector. Now let us make life more difficult for the bad guys out there - configure firewalls rules (hashed lines are comments; adjust network addresses to your DHCP configuration!). It is vital to make rules persistent afterwards with

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

# flash all and close doors

iptables -F
iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP

# but allow internal network to go outside

iptables -A INPUT -m physdev --physdev-is-bridged --physdev-in eth0 -s -j ACCEPT

iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 -s -j ACCEPT

# allow DHCP to go thru bridge

iptables -A INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

iptables -A FORWARD -i br0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# all established traffic should be forwarded

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# just for local browser - access to monitoring tools like darkstat

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

#block spoofing

iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in enxc0742bfffc6e -s -m limit --limit 5/min -j LOG --log-level 7 --log-prefix NETFILTER

iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in enxc0742bfffc6e -s -j REJECT

# access to ssh via Wifi
iptables -A INPUT -i wlan0 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Step 4: Final Considerations

After a week - it works perfectly.

June 6th 2018: R1 emits a lot of heat, way too much. Maybe it is ok, maybe someone has a solution other than a fan.

Aug 18th 2018: 'armbianmonitor -m' shows 38 Celsius, which is far below my personal perception. I felt a significant change (down) when I reduced the clock a bit:

echo 1000000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

Sep 27th 2021: If you don't have a R1 just use a USB-attached Ethernet card with any other single board computer. I replaced R1 with ASUS Tinker during upgrade.