OpenWrt compatible hardware for a firewall



Assuming we extract the iptables rules that implement the recommended firewall configuration, it should be possible to buy a retail router and set it up with OpenWrt.

Terse firewall description

Admin Subnet:
Admin Gateway:
Admin Workstation:

Application Subnet:
Application Gateway:
Application Server (OPT1):

Monitor Subnet:
Monitor Gateway:
Monitor Server (OPT2):


OSSEC: 1514
ossec_agent_auth: 1515
  • Disable DHCP
  • Disallow everything
  • Allow TCP ssh from Admin to all
  • Allow UDP OSSEC from App to Mon
  • Allow TCP ossec agent auth from App to Mon
  • Allow TCP/UDP DNS from App/Mon to IP of known name servers
  • Allow UDP NTP from App/Mon to all
  • Allow TCP any port from Mon to all
  • Allow TCP 80/443 from App/Mon to all
  • Allow TCP any port from Admin to all
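
The rule list above written out as iptables commands for forwarded traffic, as an added example that is not part of the original page. The subnets and name-server addresses are constructed placeholders (the page leaves them blank), and the connection-tracking rule for return traffic is an assumption.

```shell
#!/bin/sh
# Added example: print the iptables commands for the rule list above.
# All addresses are constructed placeholders; the page does not give them.
ADMIN_NET="${ADMIN_NET:-10.20.1.0/24}"
APP_NET="${APP_NET:-10.20.2.0/24}"
MON_NET="${MON_NET:-10.20.3.0/24}"
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53 198.51.100.53}"   # placeholder resolvers

# Helper: print one rule appended to the FORWARD chain.
fwd() { echo "iptables -A FORWARD $*"; }

emit_rules() {
    # Disallow everything: default-drop forwarded traffic, then add exceptions.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Assumption: stateful filtering, so replies to allowed flows pass.
    fwd "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Admin: ssh to all, and TCP on any port to all (the second covers the first).
    fwd "-s $ADMIN_NET -p tcp --dport 22 -j ACCEPT"
    fwd "-s $ADMIN_NET -p tcp -j ACCEPT"
    # App -> Mon: OSSEC (UDP 1514) and ossec_agent_auth (TCP 1515).
    fwd "-s $APP_NET -d $MON_NET -p udp --dport 1514 -j ACCEPT"
    fwd "-s $APP_NET -d $MON_NET -p tcp --dport 1515 -j ACCEPT"
    for src in "$APP_NET" "$MON_NET"; do
        # DNS only to the known name servers, over both UDP and TCP.
        for ns in $DNS_SERVERS; do
            fwd "-s $src -d $ns -p udp --dport 53 -j ACCEPT"
            fwd "-s $src -d $ns -p tcp --dport 53 -j ACCEPT"
        done
        fwd "-s $src -p udp --dport 123 -j ACCEPT"                  # NTP to all
        fwd "-s $src -p tcp -m multiport --dports 80,443 -j ACCEPT" # HTTP/HTTPS to all
    done
    # Mon: TCP on any port to all.
    fwd "-s $MON_NET -p tcp -j ACCEPT"
}

# Print for review when run as a script; pipe into sh as root to apply.
emit_rules
```

"Disable DHCP" is a service setting rather than a packet-filter rule, and traffic addressed to the router itself (the INPUT chain) is not covered by this sketch.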

OpenWrt compatible hardware:



Proposed implementation at