OpenWRT routers

From AAISP Support Site

Overview

OpenWrt is an open source operating system specifically designed for Routers. It was originally released by Linksys as the firmware for the WRT54G series of routers that use software licenced under the GPL. The software has been modified from this point and is available for many brands of router, and is supplied as the firmware on others.

The current range of Technicolor routers (e.g. DGA0122) use a customised version of OpenWrt.

OpenWrt can be configured using the shell commands when accessing the router with ssh or a serial console. This uses the Unified Configuration Interface (UCI) commands. You can also edit the configuration files directly, though there is no verification of settings made via this route, use with caution. There is also a web based configuration management system that can be run if you have sufficient memory and resources. The LuCI web configuration system may need to be installed onto the base system.

Securing the Router

OpenWrt is a very secure operating system. This is the result of the open nature of the development process. Many eyes mean that all bugs are shallow, and and problems that are found are fixed quickly as there is no opaque company that has to do the development. But you should do the basic steps to your new installation of changing the base password to a long complex one ideally one generated by your password manager.

Configuring the WAN interface to access AAISP

In order to access AAISP, the router needs to talk PPPoE over the WAN interface. IPCP will configure IPv4, and then IP6CP will start to configure IPv6. The heavy lifting of IPv6 configuration will be normally be done by DHCPv6.

VLANs

It's easy for new OpenWrt users to get confused by VLANs. On some routers the WAN and LAN are configured as separate VLANs on one Ethernet. So you can see the LAN defined as eth0.1 and the WAN as eth0.2

Then the PPPoE instance on the WAN may need to be configured to be on a VLAN because of the carrier's requirements, but this VLAN is separate from the router hardware configuration.

For City Fiber connections, a VLAN ID of 911 is needed.

For VDSL connections, a VLAN ID of 101 is needed.

Openreach FTTP does not need a VLAN.

ADSL users need an ADSL modem. OpenWrt doesn't support many of the modems built into normal consumer ADSL router/modems. If using an external modem then no VLAN is needed.

The appropriate entries in /etc/config/network will look like the following.

With VLAN:

config device
       option type '8021q'
       option ifname 'wan'
       option vid '911' OR '101' 
       option name 'vlan0'

Without VLAN:

config device
       option name 'eth0.2'
       option macaddr 'aa.bb.cc.dd.ee.ff'

And for both configurations:

config interface 'wan'
       option device 'vlan0' OR 'eth0.2'
       option proto 'pppoe'
       option username 'XXXX@a.1'
       option password 'ItIsASecret'
       option ipv6 'auto'

The option ipv6 auto line will cause a virtual interface named wan_6 to be created, and an instance of the DHCPv6 client to be run on it. This will request an IPv6 Internet address, and a single Prefix to be Delegated. You can't get the DHCPv6 client started this way to accept more options. In order to use the delegated prefix, the LAN should be configured to expect it, e.g.:

config interface 'lan'
       option device 'br-lan'
       option proto 'static'
       option defaultroute '1'
       list ipaddr '81.187.xx.yy/zz'
       list ip6class 'wan_6'
       option ip6ifaceid 'eui64'
       option ip6assign '64'

Multiple routed IPv6 /64 blocks

There's a gotcha for users who have multiple /64 blocks routed to them by AAISP. OpenWrt uses Policy-Based Routing (PBR) which allows routing to be configured according to multiple rules, not just be destination address.

If DHCPv6 is used to request Prefix Delegation (PD), AAISP will reply with one block. OpenWrt uses this to set the LAN address and netmask, and then enables routing from just this block from LAN to WAN. If you have multiple /64 blocks, any other /64 blocks routed to you won't be able to send packets to the Internet.

To quote from OpenWrt Wiki - Routing basics Note that by default OpenWrt announces IPv6 default route only for GUA and applies source filter for IPv6 that allows routing only for prefixes delegated from the upstream router.

In my case, I have 2001:8b0:xxxx:4534::/64, ...:4535/64, ...:4536::/64 and ...:4537::/64 routed to me, but only 4534:: is routed back.

# ip -f inet6 route
...
default from 2001:8b0:xxxx:4534::/64 via fe80::203:97ff:feba:900 dev pppoe-wan  metric 512
...

Note that the old style command route -A inet6 doesn't show the routing being restricted by source address.

odhcp6c

Key to understanding the delegation of IPv6 blocks is the DHCPv6 client, which is odhcp6c on OpenWrt.

Looking back at the wan interface config there is an option ipv6 line. The default value is auto, which has the effect of automatically creating a virtual interface named wan_6 and running odhcp6c on it BUT ignoring any config you may wish to supply. An alternative if multiple /64 blocks are to be used is 1 which allows you to configure ipv6 the way you want (static, dhcpv6, ...)

Solutions

We need a way for the WAN to tell the LAN about the wider routing block, whilst letting the LAN only use for itself the first /64 block.

This turns out to be remarkably easy. On the AAISP control panel, add a /60 block of IPv6 addresses. When DHCPv6 requests prefix delegation, AAISP returns the lowest number address block - if this is the new /60 then that's what you'll get, otherwise you might have to unroute some or more of the /64 blocks.

In my case I see for wan_6:

Protocol: Virtual dynamic interface (DHCPv6 client)
Uptime: 0h 40m 58s
IPv6: 2001:8b0:1111:1111:0:ffff:abcd:pqrs/128
IPv6-PD: 2001:8b0:xyz:4520::/60

And for lan:

IPv6: 2001:8b0:xyz:4520:xxxx:xxxx:xxxx:xxxx/64

It's the ip6assign option in the config for the lan which determines that the lan uses a /64.

Now I see:

# ip -f inet6 route
...
default from 2001:8b0:xyz:4520::/60 via fe80::9e89:1eff:fe2e:0 dev pppoe-wan  metric 512 
...

Enabling IPv6 in the local network

OpenWrt fully supports IPv6, as well as IPv4 and dual stacks to enable the mix of both protocols.