OpenWRT routers
Overview
OpenWrt is an open source operating system designed specifically for routers. It originated in the firmware Linksys released for the WRT54G series of routers, which used software licenced under the GPL. The software has been developed a long way from that starting point: it is available for many brands of router, and is supplied as the stock firmware on others. OpenWrt is a Linux-based system.
The current range of Technicolor routers (e.g. DGA0122) use a customised version of OpenWrt.
A key feature of OpenWrt is that additional packages may be added to the base system; VPN servers and advert-blocking services are popular additions.
Securing the Router
OpenWrt is a very secure operating system. This is the result of the open nature of the development process: many eyes make all bugs shallow, and problems that are found are fixed quickly, as there is no opaque company that has to do the development. But you should still take the basic steps with a new installation: change the base password to a long, complex one, ideally one generated by your password manager. Ideally you should also use public key authentication for ssh access and disable password logins.
Configuration
OpenWrt can be configured from the shell when accessing the router with ssh or a serial console, using the Unified Configuration Interface (UCI) commands. You can also edit the configuration files directly, though settings made via this route are not validated, so use it with caution. There is also a web based configuration system, LuCI, that can be run if the router has sufficient memory and resources. LuCI may need to be installed onto the base system, although on modern installations (other than snapshot versions) it is likely to be preinstalled.
Editing the configuration files in the "/etc/config" directory can be done in situ: the Unix standard "vi" editor is preinstalled. Once OpenWrt is online, additional packages may be installed; the "nano" editor is popular with basic users. Alternatively, scp or sftp file transfer clients may be used to copy configuration files to a local machine, edit them locally, and copy them back. Note that the preinstalled ssh server doesn't support sftp, so you may have to force your scp client to use the 'old' scp protocol (e.g. "scp -O"); you can install the sftp server package later.
Configuring the WAN interface to access AAISP
A new OpenWrt installation will be accessible over Ethernet using ssh and (unless installed from a snapshot) over a web GUI. The username is "root" with no password. The installation will usually have two interfaces defined, "wan" and "lan", with a firewall zone for each.
In order to access AAISP, the router needs to talk PPPoE over the WAN interface. IPCP will configure IPv4, and then IP6CP will start to configure IPv6. The heavy lifting of IPv6 configuration will normally be done by DHCPv6.
VLANs
It's easy for new OpenWrt users to get confused by VLANs. On some routers the WAN and LAN are configured as separate VLANs on one Ethernet, so you may see the LAN defined as eth0.1 and the WAN as eth0.2 (where the number after the dot is the VLAN id).
A recent change to OpenWrt (the move from swconfig to the Distributed Switch Architecture) has affected configuration of the network switch, so there are two possible ways the switch may be configured; both are covered below.
Then the PPPoE instance on the WAN may need to be run over a VLAN because of the carrier's requirements, but this VLAN may be separate from the router hardware's switch configuration.
For CityFibre FTTP connections, a WAN VLAN ID of 911 is needed.
For VDSL connections, a WAN VLAN ID of 101 is needed.
Openreach FTTP does not need a WAN VLAN.
ADSL users need an ADSL modem. OpenWrt doesn't support many of the modems built into normal consumer ADSL router/modems. If using an external modem then no VLAN is needed.
On older "swconfig" versions
OpenWrt prior to version 21 had the "Network", "Switch" menu in LuCI and the older switch configuration software (swconfig). Some hardware still uses this older software even in version 24.
- Delete any wan6 interface under "Network", "Interfaces"
- If needing a WAN VLAN, go to "Network", "Switch" and you should see two VLANs defined: VLAN 1 for the LAN ports, and VLAN 2 for the WAN port. Change VLAN 2 to be numbered VLAN 911 or 101 as required. Change this VLAN on the WAN port from untagged to tagged. Save and Apply.
- Under "Network", "Interfaces" edit the wan interface. Change the protocol to PPPoE. Device should be "eth0.2" if you're not using a VLAN, or "eth0.911" or "eth0.101" if you are. Enter your AAISP username and password. Under "Advanced settings", set "Obtain IPv6 address" to automatic, tick "Use default gateway". Under DHCP server, ignore this interface.
- Save and apply, then restart the wan interface
- The wan and wan_6 interfaces should now come up online
The appropriate entries in /etc/config/network will look like the following.
With WAN VLAN:
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 1t'
    option vid '911'        # or '101', as required
Without WAN VLAN:
config device
    option name 'eth0.2'
    option macaddr 'aa.bb.cc.dd.ee.ff'
And for both configurations:
config interface 'wan'
    option device 'eth0.2'      # or 'eth0.911' / 'eth0.101' with a WAN VLAN
    option proto 'pppoe'
    option username 'xxnn@a.1'
    option password 'ItIsASecret'
    option ipv6 'auto'
On new "Distributed Switch Architecture" versions
Newer versions of OpenWrt do not have the "Network", "Switch" menu in LuCI. To configure this version in LuCI:
- Delete any wan6 interface under "Network", "Interfaces"
- If needing a WAN VLAN, go to "Network", "Interfaces", "Devices". "Add device configuration", select device type "VLAN (802.1q)", base device "Switch port: wan", "VLAN ID" 911 or 101 as required. This will create a device named "wan.911" or "wan.101". Save.
- Under "Network", "Interfaces" edit the wan interface. Change the protocol to PPPoE. Device should be "wan" if you're not using a VLAN, or "wan.911" or "wan.101" if you are. Enter your AAISP username and password. Under "Advanced settings", set "Obtain IPv6 address" to automatic, tick "Use default gateway". Under DHCP server, ignore this interface.
- Save and apply, then restart the wan interface
- The wan and wan_6 interfaces should now come up online
The appropriate entries in "/etc/config/network" should look like the following; if you do not have LuCI installed, make these edits to that file directly.
With VLAN:
config device
    option type '8021q'
    option ifname 'wan'
    option vid 'nnn'          # 911 or 101
    option name 'wan.nnn'     # wan.911 or wan.101
And for both non VLAN and VLAN configurations:
config interface 'wan'
    option device 'wan'         # or 'wan.nnn' with a WAN VLAN
    option proto 'pppoe'
    option username 'xxnn@a.1'
    option password 'ItIsASecret'
    option ipv6 'auto'
Do not have an interface named wan6; the IPv6 configuration will be handled automatically. The option ipv6 'auto' line causes a virtual interface named wan_6 to be created and an instance of the DHCPv6 client to be run on it. This requests an IPv6 Internet address and a single prefix to be delegated. A DHCPv6 client started this way cannot be given any further options.
Routed IPv4 addresses in the local network
AAISP offer a block of up to 8 routed IPv4 addresses to customers. These can be configured on the lan interface instead of RFC1918 addresses, but you will have to change the firewall configuration. By default two firewall zones are created, wan and lan, and masquerading is done on the wan zone. Masquerading should be turned off for routed lan addresses: "Network", "Firewall", edit the "wan" zone, untick masquerading.
Enabling IPv6 in the local network
OpenWrt fully supports IPv6, as well as IPv4 and dual stacks to enable the mix of both protocols.
The easiest approach is to use prefix delegation from the WAN to provide the network address: configure the wan interface to obtain its IPv6 address automatically and to delegate IPv6 addresses downstream, which happens through the virtual wan_6 interface.
Then, under the lan interface's Advanced settings, set the IPv6 prefix filter to wan_6 and the IPv6 assignment length to 64. There is a choice of suffix to append to the prefix; popular choices are ::1 (a fixed value) or eui64 (an address derived from the MAC address).
There is the possibility of running a NAT64 server on OpenWrt, so the local network can use only IPv6 but hosts on it can still reach IPv4 hosts on the Internet.
For prefix delegation to the lan interface, "/etc/config/network" should look like:
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option defaultroute '1'
    list ipaddr '192.168.1.1/24'
    list ip6class 'wan_6'
    option ip6ifaceid 'eui64'
    option ip6assign '64'
The list ip6class 'wan_6' line causes the lan to use the prefix delegated to wan_6. option ip6ifaceid '::1' would make the lan's IPv6 address use ::1 as the 64 bit suffix; the example above uses 'eui64' instead, so the suffix is the 64 bits derived from the MAC address. option ip6assign '64' sets how many bits of prefix the lan takes from the wan_6 prefix delegation.
Multiple routed IPv6 /64 blocks
There's a gotcha for users who have multiple /64 blocks routed to them by AAISP. Current versions of OpenWrt use policy-based routing (PBR), which allows routing decisions to be made according to multiple rules, not just by destination address.
If DHCPv6 is used to request prefix delegation (PD) on the virtual wan_6 interface, AAISP will reply with one block, which will normally be a /64. OpenWrt uses this to set the LAN address and prefix length, and then permits routing from LAN to WAN only from this block. If you have multiple /64 blocks, any other /64 blocks routed to you by AAISP won't be able to send packets to the Internet.
To quote from the OpenWrt Wiki (Routing basics): "Note that by default OpenWrt announces IPv6 default route only for GUA and applies source filter for IPv6 that allows routing only for prefixes delegated from the upstream router."
In my case, I had 2001:8b0:xxxx:4534::/64, ...:4535::/64, ...:4536::/64 and ...:4537::/64 routed to me by AAISP, but only the lowest numbered block, 4534::/64, was routed back.
# ip -f inet6 route
...
default from 2001:8b0:xxxx:4534::/64 via fe80::203:97ff:feba:900 dev pppoe-wan metric 512
...
Note that the old style command "route -A inet6" doesn't show the routing being restricted by source address.
odhcp6c
Key to understanding the delegation of IPv6 blocks is the DHCPv6 client, which on OpenWrt is called odhcp6c.
Looking back at the wan interface config, there is an option ipv6 line. The default value, auto, automatically creates a virtual interface named wan_6 and runs odhcp6c on it, BUT ignores any extra configuration you may wish to supply. A possible alternative if multiple /64 blocks are to be used is the value 1, which allows you to configure IPv6 the way you want (static, dhcpv6, ...), but there is a simpler solution.
Solution
We need a way for the WAN to tell the LAN about the wider routing block, whilst letting the LAN use only the first /64 block for itself.
This turns out to be remarkably easy. On the AAISP control panel, add a /60 block of IPv6 addresses and ensure that it is the lowest-numbered address block (in fact, you can probably unroute some or all of your /64 blocks). When DHCPv6 requests prefix delegation, AAISP returns the lowest-numbered address block; if this is the new /60 then that is what you'll be delegated, and you can then split it into up to 16 /64 blocks.
In my case I see for wan_6:
Protocol: Virtual dynamic interface (DHCPv6 client)
Uptime: 0h 40m 58s
IPv6: 2001:8b0:1111:1111:0:ffff:abcd:pqrs/128
IPv6-PD: 2001:8b0:xyz:4520::/60
And for lan:
IPv6: 2001:8b0:xyz:4520::1/64
It's the ip6assign option in the config for the lan which determines that the lan receives a /64.
Now I see:
# ip -f inet6 route
...
default from 2001:8b0:xyz:4520::/60 via fe80::9e89:1eff:fe2e:0 dev pppoe-wan metric 512
...
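The prefix arithmetic behind the lan stanza and the /60 solution, as an added example (not code from the page, AAISP or OpenWrt): split a delegated prefix by ip6assign, derive the lan address for ip6ifaceid '::1' or 'eui64', and list which routed /64s a "default from <PD>" route would not carry. The prefixes and MAC address are constructed values in the documentation range; the index argument is an illustration only (OpenWrt's real knob for choosing a different sub-prefix is ip6hint, which this page does not cover).

```python
import ipaddress


def split_delegation(pd_prefix, ip6assign=64):
    """All /ip6assign sub-prefixes of a delegated block; a /60 gives sixteen /64s."""
    pd = ipaddress.IPv6Network(pd_prefix)
    if ip6assign < pd.prefixlen:
        raise ValueError("ip6assign cannot be shorter than the delegated prefix")
    return list(pd.subnets(new_prefix=ip6assign))


def lan_prefix(pd_prefix, ip6assign=64, index=0):
    """Sub-prefix the lan interface takes. With only 'option ip6assign' set, OpenWrt
    hands the lan the first (lowest) sub-prefix, as in the page's 4520::/60 -> 4520::/64.
    'index' picks another one for illustration; OpenWrt's own option for that is ip6hint."""
    return split_delegation(pd_prefix, ip6assign)[index]


def eui64_interface_id(mac):
    """Modified EUI-64 interface id (RFC 4291 App. A): split the 48-bit MAC, insert
    ff:fe in the middle and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def lan_address(pd_prefix, ip6ifaceid="::1", ip6assign=64, mac=None, index=0):
    """Address the lan interface is given: its sub-prefix plus either the fixed suffix
    (option ip6ifaceid '::1') or the EUI-64 id of its MAC (option ip6ifaceid 'eui64')."""
    net = lan_prefix(pd_prefix, ip6assign, index)
    if ip6ifaceid == "eui64":
        if mac is None:
            raise ValueError("eui64 needs the lan device's MAC address")
        iid = eui64_interface_id(mac)
    else:
        iid = int(ipaddress.IPv6Address(ip6ifaceid))
    if iid >= 1 << (128 - net.prefixlen):
        raise ValueError("suffix does not fit in the host bits of the sub-prefix")
    host = ipaddress.IPv6Address(int(net.network_address) | iid)
    return ipaddress.IPv6Interface(f"{host}/{net.prefixlen}")


def blocks_outside_source_filter(pd_prefix, routed_blocks):
    """Routed blocks that 'default from <PD> via ...' will not carry upstream: with a
    single /64 delegation the sibling /64s are stranded; with the /60 they all fit."""
    pd = ipaddress.IPv6Network(pd_prefix)
    return [b for b in map(ipaddress.IPv6Network, routed_blocks) if not b.subnet_of(pd)]


if __name__ == "__main__":
    # Constructed values in the 2001:db8::/32 documentation range, not real allocations.
    routed = ["2001:db8:0:4534::/64", "2001:db8:0:4535::/64",
              "2001:db8:0:4536::/64", "2001:db8:0:4537::/64"]
    print("stranded with a /64 PD:", blocks_outside_source_filter(routed[0], routed))
    print("stranded with a /60 PD:", blocks_outside_source_filter("2001:db8:0:4530::/60", routed))
    print("lan with ::1 suffix:", lan_address("2001:db8:0:4530::/60"))
    print("lan with eui64 suffix:", lan_address("2001:db8:0:4530::/60", "eui64", mac="00:11:22:33:44:55"))
    print("first of 16 x /64:", split_delegation("2001:db8:0:4530::/60")[0])
```

With the /64 delegation, three of the four routed blocks fall outside the source filter, which is the symptom described above; with the /60 as the lowest-numbered block, all four sit inside the delegation and the lan still takes only the first /64.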
Installing packages
One of OpenWrt's key features is being able to install extra software packages. For example, you can install a VPN server on the router, or add SFTP support to the SSH server.
On the LuCI web interface go to "System", "Software", and click "Update lists...". You can then search for and install packages. openssh-sftp-server might be useful, or the nano text editor for in situ changes to the configuration.
From the command line, opkg is the tool to manage packages: "opkg update" to update the lists, "opkg find openssh*" to search, "opkg install wireguard-tools" to install.
Advanced configuration of the local network
You can do some quite advanced configurations of the local network. But first you have to understand OpenWrt's naming convention.
Devices
Devices are the actual network hardware identifiers, as you see them in ifconfig. So eth0, eth0.1, phy0-ap0, phy1-ap1, br-lan, and pppoe-wan are all devices.
Interfaces
Interfaces are groups of one or more devices: an interface named lan could contain the device br-lan, and similarly an interface named wan could contain the device pppoe-wan.
Firewall zones
OpenWrt current versions provide a Zone Based Firewall. A zone is a collection of one or more interfaces. Much of the work of configuring the firewall is defining the rules for traffic between zones.
The OpenWrt documentation likes to confuse new users by defining zones with names like lan and wan - which are also usually names of interfaces. But the lan zone isn't the same as the lan interface. So let's try to be sensible here - zones will have CAPITAL names, and interfaces have lower case names.
So you'll probably start with two zones, a zone named WAN which covers the wan interface, and a zone named LAN which covers the lan interface. Then you can define two relationships - how to deal with traffic between the LAN zone and the WAN zone, and how to deal with traffic from the WAN zone to (actually) everywhere else.
Adding more zones
Suppose you want to create a guest WiFi network. You start by creating a new bridge device, then create a new access point (probably on an existing radio) and connect it to that bridge. Then you probably need to add a new interface in order to use different IP addresses from the DHCP server - let's call it lan2. And now you have to decide whether hosts on the guest WiFi network have access to the hosts on your LAN zone.
If you want guests to have access to the LAN zone, then just add the new lan2 interface to the list of interfaces covered by the LAN zone, job done.
If you want guests to have no access to the LAN zone, then you need to create a new zone (let's go wild and call it GUEST), make it cover just the lan2 interface, and define its relationships to the other existing zones. We want the same access to the WAN zone, so we configure that relationship as for the LAN zone. But we want the LAN and GUEST zones to be separate, so we don't define any relationship between them.
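A small checker for the "/etc/config/network" and "/etc/config/firewall" settings this page describes, as an added example (not part of the page, AAISP or OpenWrt): it parses the UCI config/option/list grammar, confirms that the wan stanza uses PPPoE, ipv6 'auto' and the VLAN device the carrier needs, with no leftover wan6 interface (the DSA-style layout above), and confirms that the zone holding wan does not masquerade when routed IPv4 addresses are used and that no forwarding rule joins the LAN and GUEST zones. The sample config text is constructed; zone names are capitalised following this page's convention, and the CARRIER_VLAN keys are labels chosen here.

```python
import shlex

# WAN VLAN ids the page gives per carrier (None: no VLAN needed)
CARRIER_VLAN = {"cityfibre": 911, "vdsl": 101, "openreach_fttp": None}

def parse_uci(text):
    """Parse UCI text ('config', 'option', 'list' lines) into section dicts."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words and words[0] == "config":
            name = words[2] if len(words) > 2 else None
            sections.append({"type": words[1], "name": name, "options": {}, "lists": {}})
        elif words and words[0] == "option" and sections:
            sections[-1]["options"][words[1]] = words[2] if len(words) > 2 else ""
        elif words and words[0] == "list" and sections:
            sections[-1]["lists"].setdefault(words[1], []).append(words[2])
    return sections

def find(sections, stype, name=None):
    return [s for s in sections if s["type"] == stype and name in (None, s["name"])]

def check_network(text, carrier):
    """Problems with the wan stanzas, judged against the page's DSA-style setup."""
    secs, vid, problems = parse_uci(text), CARRIER_VLAN[carrier], []
    if find(secs, "interface", "wan6"):
        problems.append("remove wan6: 'option ipv6 auto' on wan creates wan_6 itself")
    wan = find(secs, "interface", "wan")
    if not wan:
        return problems + ["no wan interface defined"]
    opts, expected = wan[0]["options"], "wan" if vid is None else f"wan.{vid}"
    for key, want, why in (("proto", "pppoe", "AAISP is reached over PPPoE"),
                           ("ipv6", "auto", "the DHCPv6 client must run on wan_6"),
                           ("device", expected, f"{carrier} needs that WAN device")):
        if opts.get(key) != want:
            problems.append(f"wan option {key} should be '{want}': {why}")
    if vid is not None:
        vlan = [d for d in find(secs, "device") if d["options"].get("name") == expected
                and d["options"].get("type") == "8021q"]
        if not vlan:
            problems.append(f"no 8021q device stanza named '{expected}'")
        elif vlan[0]["options"].get("vid") != str(vid):
            problems.append(f"'{expected}' has vid {vlan[0]['options']['vid']}, expected {vid}")
    return problems

def check_firewall(text, routed_ipv4=False, isolated=("LAN", "GUEST")):
    """Masquerading must be off on the zone holding wan when routed IPv4 is used,
    and no forwarding rule may join the two zones meant to stay separate."""
    secs, problems = parse_uci(text), []
    for zone in find(secs, "zone"):
        if (routed_ipv4 and "wan" in zone["lists"].get("network", [])
                and zone["options"].get("masq") == "1"):
            problems.append(f"zone {zone['options'].get('name')} masquerades; turn it off")
    for fwd in find(secs, "forwarding"):
        src, dest = fwd["options"].get("src"), fwd["options"].get("dest")
        if {src, dest} == set(isolated):
            problems.append(f"forwarding {src} -> {dest} joins zones that should be isolated")
    return problems

# Constructed sample /etc/config/network for a CityFibre (VLAN 911) connection
NETWORK_OK = """
config device
    option type '8021q'
    option ifname 'wan'
    option vid '911'
    option name 'wan.911'
config interface 'wan'
    option device 'wan.911'
    option proto 'pppoe'
    option ipv6 'auto'
"""
# Same file with two mistakes the page warns about: wrong VLAN id and a leftover wan6
NETWORK_BAD = NETWORK_OK.replace("option vid '911'", "option vid '101'") + \
    "config interface 'wan6'\n    option proto 'dhcpv6'\n"

# Constructed sample /etc/config/firewall: GUEST may reach WAN but, wrongly, also LAN
FIREWALL = """
config zone
    option name 'WAN'
    list network 'wan'
    option masq '1'
config zone
    option name 'LAN'
    list network 'lan'
config zone
    option name 'GUEST'
    list network 'lan2'
config forwarding
    option src 'GUEST'
    option dest 'WAN'
config forwarding
    option src 'GUEST'
    option dest 'LAN'
"""

if __name__ == "__main__":
    print("network:", check_network(NETWORK_BAD, "cityfibre") or "ok")
    print("firewall:", check_firewall(FIREWALL, routed_ipv4=True) or "ok")
```

Run against the real files with the contents of "/etc/config/network" and "/etc/config/firewall" read in; the parser deliberately handles only the plain config/option/list lines that these two files use.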