OpenWRT routers

From AAISP Support Site


OpenWrt is an open source operating system specifically designed for Routers. It was originally released by Linksys as the firmware for the WRT54G series of routers that use software licenced under the GPL. The software has been modified from this point and is available for many brands of router, and is supplied as the firmware on others.

The current range of Technicolor routers (e.g. DGA0122) use a customised version of OpenWrt.

OpenWrt can be configured using the shell commands when accessing the router with ssh or a serial console. This uses the Unified Configuration Interface (UCI) commands. You can also edit the configuration files directly, though there is no verification of settings made via this route, use with caution. There is also a web based configuration management system that can be run if you have sufficient memory and resources. The LuCI web configuration system may need to be installed onto the base system.

Securing the Router

OpenWrt is a very secure operating system. This is the result of the open nature of the development process. Many eyes mean that all bugs are shallow, and and problems that are found are fixed quickly as there is no opaque company that has to do the development. But you should do the basic steps to your new installation of changing the base password to a long complex one ideally one generated by your password manager.

Configuring the WAN interface to access AAISP

In order to access AAISP, the router needs to talk PPPoE over the WAN interface. IPCP will configure IPv4, and then IP6CP will start to configure IPv6. The heavy lifting of IPv6 configuration will be normally be done by DHCPv6.


It's easy for new OpenWrt users to get confused by VLANs. On some routers the WAN and LAN are configured as separate VLANs on one Ethernet. So you can see the LAN defined as eth0.1 and the WAN as eth0.2

Then the PPPoE instance on the WAN may need to be configured to be on a VLAN because of the carrier's requirements, but this VLAN is separate from the router hardware configuration.

For City Fiber connections, a VLAN ID of 911 is needed.

For VDSL connections, a VLAN ID of 101 is needed.

Openreach FTTP does not need a VLAN.

ADSL users need an ADSL modem. OpenWrt doesn't support many of the modems built into normal consumer ADSL router/modems. If using an external modem then no VLAN is needed.

The appropriate entries in /etc/config/network will look like the following.

With VLAN:

config device
       option type '8021q'
       option ifname 'wan'
       option vid '911' OR '101' 
       option name 'vlan0'

Without VLAN:

config device
       option name 'eth0.2'
       option macaddr ''

And for both configurations:

config interface 'wan'
       option device 'vlan0' OR 'eth0.2'
       option proto 'pppoe'
       option username 'XXXX@a.1'
       option password 'ItIsASecret'
       option ipv6 'auto'

The option ipv6 auto line will cause a virtual interface named wan_6 to be created, and an instance of the DHCPv6 client to be run on it. This will request an IPv6 Internet address, and a single Prefix to be Delegated. You can't get the DHCPv6 client started this way to accept more options. In order to use the delegated prefix, the LAN should be configured to expect it, e.g.:

config interface 'lan'
       option device 'br-lan'
       option proto 'static'
       option defaultroute '1'
       list ipaddr '81.187.xx.yy/zz'
       list ip6class 'wan_6'
       option ip6ifaceid 'eui64'
       option ip6assign '64'

The list ip6class wan_6 line causes the lan to use the delegated prefix from wan_6. option ip6ifaceid eui64 makes the local IPv6 address on the lan use the 64 bits derived from the MAC address as the suffix (you might choose to use ::1 instead). option ip6assign 64 defines the netmask associated with the prefix delegation.

Multiple routed IPv6 /64 blocks

There's a gotcha for users who have multiple /64 blocks routed to them by AAISP. OpenWrt uses Policy-Based Routing (PBR) which allows routing to be configured according to multiple rules, not just be destination address.

If DHCPv6 is used to request Prefix Delegation (PD), AAISP will reply with one block. OpenWrt uses this to set the LAN address and netmask, and then enables routing from just this block from LAN to WAN. If you have multiple /64 blocks, any other /64 blocks routed to you won't be able to send packets to the Internet.

To quote from OpenWrt Wiki - Routing basics Note that by default OpenWrt announces IPv6 default route only for GUA and applies source filter for IPv6 that allows routing only for prefixes delegated from the upstream router.

In my case, I have 2001:8b0:xxxx:4534::/64, ...:4535/64, ...:4536::/64 and ...:4537::/64 routed to me, but only 4534:: is routed back.

# ip -f inet6 route
default from 2001:8b0:xxxx:4534::/64 via fe80::203:97ff:feba:900 dev pppoe-wan  metric 512

Note that the old style command route -A inet6 doesn't show the routing being restricted by source address.


Key to understanding the delegation of IPv6 blocks is the DHCPv6 client, which is odhcp6c on OpenWrt.

Looking back at the wan interface config there is an option ipv6 line. The default value is auto, which has the effect of automatically creating a virtual interface named wan_6 and running odhcp6c on it BUT ignoring any config you may wish to supply. An alternative if multiple /64 blocks are to be used is 1 which allows you to configure ipv6 the way you want (static, dhcpv6, ...)


We need a way for the WAN to tell the LAN about the wider routing block, whilst letting the LAN only use for itself the first /64 block.

This turns out to be remarkably easy. On the AAISP control panel, add a /60 block of IPv6 addresses. When DHCPv6 requests prefix delegation, AAISP returns the lowest number address block - if this is the new /60 then that's what you'll get, otherwise you might have to unroute some or more of the /64 blocks.

In my case I see for wan_6:

Protocol: Virtual dynamic interface (DHCPv6 client)
Uptime: 0h 40m 58s
IPv6: 2001:8b0:1111:1111:0:ffff:abcd:pqrs/128
IPv6-PD: 2001:8b0:xyz:4520::/60

And for lan:

IPv6: 2001:8b0:xyz:4520:xxxx:xxxx:xxxx:xxxx/64

It's the ip6assign option in the config for the lan which determines that the lan uses a /64.

Now I see:

# ip -f inet6 route
default from 2001:8b0:xyz:4520::/60 via fe80::9e89:1eff:fe2e:0 dev pppoe-wan  metric 512 

Enabling IPv6 in the local network

OpenWrt fully supports IPv6, as well as IPv4 and dual stacks to enable the mix of both protocols.

The easiest approach is to use prefix delegation from the WAN to provide the network address. This is achieved by configuration of the wan interface to obtain the IPv6 address automatically, and to delegate IPv6 addresses downstream.

Then on the lan interface configure the IPv6 prefix filter to wan_6 and set the IPv6 assignment length to 64. There is a choice of the suffix to append to the prefix - popular choices would be ::1 (to use that fixed value), or eui64 (to use an address based on the MAC address).

There is the possibility of running a NAT64 server on OpenWrt, so the local network can use only IPv6 but hosts on it can still reach IPv4 hosts on the Internet.

Advanced configuration of the local network

You can do some quite advanced configurations of the local network. But first you have to understand OpenWrt's naming convention.


Devices are the actual network hardware identifiers, like you see in ifconfig. So eth0, eth0.1, phy0-ap0, phy1-ap1, br-lan, and pppoe-wan are all devices


Interfaces are groups of one or more devices, an interface named lan could contain the device br-lan. Similarly an interface named wan could contain the device pppoe-wan.

Firewall zones

OpenWrt current versions provide a Zone Based Firewall. A zone is a collection of one or more interfaces. Much of the work of configuring the firewall is defining the rules for traffic between zones.

The OpenWrt documentation likes to confuse new users by defining zones with names like lan and wan - which are also usually names of interfaces. But the lan zone isn't the same as the lan interface. So let's try to be sensible here - zones will have CAPITAL names, and interfaces have lower case names.

So you'll probably start with two zones, a zone named WAN which covers the wan interface, and a zone named LAN which covers the lan interface. Then you can define two relationships - how to deal with traffic between the LAN zone and the WAN zone, and how to deal with traffic from the WAN zone to (actually) everywhere else.

Adding more zones

Suppose you want to create a guest WiFi network. You start by creating a new bridge device, then create a new access point (probably on an existing radio) and connect it to that bridge. Then you probably need to add a new interface in order to use different IP addresses from the DHCP server - let's call it lan2. And now you have to decide whether hosts on the guest WiFi network have access to the hosts on your LAN zone.

If you want guests to have access to the LAN zone, then just add the new lan2 interface to the list of interfaces covered by the LAN zone, job done.

If you want guests to have no access to the LAN zone, then you need to create a new zone (let's go wild and call it GUEST), make it cover just the lan2 interface and define its relationships to the other existing zones. We want to have the same access to the WAN zone, so we configure that relationship like the LAN zone. But we want the LAN and GUEST zones to be separate, so we don't define any relationship between them.