OpenWRT routers: Difference between revisions

It's easy for new OpenWrt users to get confused by VLANs. On some routers the WAN and LAN are configured as separate VLANs on one Ethernet. So you can see the LAN defined as ''eth0.1'' and the WAN as ''eth0.2'' (where the number after the dot is the VLAN id number).

A recent change to OpenWrt has affected configuration of the network switch, so there are two possible ways the switch is configured.

Then the PPPoE instance on the WAN may need to be configured to be run over a VLAN because of the carrier's requirements, but this VLAN my be separate from the router hardware configuration.

For CityFibre FTTP connections, a WAN VLAN ID of 911 is needed.

For VDSL connections, a WAN VLAN ID of 101 is needed.

Openreach FTTP does not need a WAN VLAN.

== On older "swconfig" versions ==

OpenWrt prior to version 21 had the "Network", "Switch" menu in Luci, and older switch configuration software. Some hardware is still using this older software even in version 24.

* Delete any wan6 interface under "Network", "Interfaces"

* If needing a WAN VLAN, go to "Network", "Switch" and you should see two VLANs defined: VLAN 1 for the LAN ports, and VLAN 2 for the WAN port. Change VLAN 2 to be numbered VLAN 911 or 101 as required. Change this VLAN on the WAN port from untagged to tagged. Save and Apply.

* Under "Network", "Interfaces" edit the wan interface. Change the protocol to PPPoE. Device should be "eth0.2" if you're not using a VLAN, or "eth0.911" or "eth0.101" if you are. Enter your AAISP username and password. Under "Advanced settings", set "Obtain IPv6 address" to automatic, tick "Use default gateway". Under DHCP server, ignore this interface.

* Save and apply, then restart the wan interface

* The wan and wan_6 interfaces should now come up online

The appropriate entries in ''/etc/config/network'' will look like the following.

With WAN VLAN:

config switch_vlan

option device 'switch0'

option vlan '2'

option ports '0t 1t'

option vid '911' OR '101'

Without WAN VLAN:

config device

option name 'eth0.2'

option macaddr 'aa.bb.cc.dd.ee.ff'

And for both configurations:

config interface 'wan'

option device 'eth0.2' OR 'eth0.911' OR 'eth0.101'

option proto 'pppoe'

option username 'xxnn@a.1'

option password 'ItIsASecret'

option ipv6 'auto'

== On new "Distributed Switch Architecture" versions ==

Newer versions of OpenWrt do not have the "Network", "Switch" menu in Luci. To configure this version in Luci:

* Delete any wan6 interface under "Network","Interfaces"

* If needing a WAN VLAN, go to "Network","Interfaces","Devices". "Add device configuration", select device type "VLAN (801.1q)", base device "Switch port: wlan", "VLAN ID" 911 or 101 as required. This will create a device named "wan.911" or "wan.101". Save.

* Under "Network", "Interfaces" edit the wan interface. Change the protocol to PPPoE. Device should be "wan" if you're not using a VLAN, or "wan.911" or "wan.101" if you are. Enter your AAISP username and password. Under "Advanced settings", set "Obtain IPv6 address" to automatic, tick "Use default gateway". Under DHCP server, ignore this interface.

* Save and apply, then restart the wan interface

* The wan and wan_6 interfaces should now come up online

The appropriate entries in ''/etc/config/network'' should look like the following. If you do not have Luci installed, make these edits to "/etc/config/network".

option vid 'nnn' (911 or 101)

option name 'wan.nnn' (911 or 101)

And for both non VLAN and VLAN configurations:

option device 'wan' OR 'wan.nnn'

option username 'xxnn@a.1'

The ''option ipv6 auto'' line will cause a virtual interface named ''wan_6'' to be created, and an instance of the DHCPv6 client to be run on it. This will request an IPv6 Internet address, and a single Prefix to be Delegated. You can't get the DHCPv6 client started this way to accept more options.

= Routed IPv4 addresses in the local network =

AAISP offer a block of up to 8 routed IPv4 addresses to customers. These can be configured on the lan interface instead of RFC1918 addresses, but you will have to change the firewall config. By default 2 firewall zones are created - wan and lan, and masquerading is done on the wan zone. The masquerading should be turned off for routed lan addresses - "Network", "Firewall", edit "wan" zone, untick masquerading.

= Enabling IPv6 in the local network =

OpenWrt fully supports IPv6, as well as IPv4 and dual stacks to enable the mix of both protocols.

The easiest approach is to use prefix delegation from the WAN to provide the network address. This is achieved by configuration of the ''wan'' interface to obtain the IPv6 address automatically, and to delegate IPv6 addresses downstream. This is achieved through a virtual wan_6 interface.

Then on the ''lan'' interface Advanced settings configure the IPv6 prefix filter to ''wan_6'' and set the IPv6 assignment length to 64. There is a choice of the suffix to append to the prefix - popular choices would be ''::1'' (to use that fixed value), or ''eui64'' (to use an address based on the MAC address).

There is the possibility of running a NAT64 server on OpenWrt, so the local network can use only IPv6 but hosts on it can still reach IPv4 hosts on the Internet.

For prefix delegation to the lan interface, "/etc/config/network" should look like:

list ipaddr '192.168.1.1/24'

The ''list ip6class wan_6'' line causes the lan to use the delegated prefix from wan_6. ''option ip6ifaceid ::1'' makes the local IPv6 address on the lan use ::1 as the 64 bit suffix (you might choose to use ''eui64'' instead to use the 64 bits derived from the MAC address as the suffix). ''option ip6assign 64'' defines how many bits are taken from the wan_6 prefix delegation.

If DHCPv6 is used to request Prefix Delegation (PD) with the virtual wan_6 interface, AAISP will reply with one block which will normally be a /64. OpenWrt uses this to set the LAN address and netmask, and then enables routing from '''just this block''' from LAN to WAN. If you have multiple /64 blocks, any other /64 blocks routed to you by AAISP won't be able to send packets to the Internet.

In my case, I had 2001:8b0:xxxx:4534::/64, ...:4535/64, ...:4536::/64 and ...:4537::/64 routed to me by AAISP, but only the lowest numbered block - 4534::/64 was routed back.

Key to understanding the delegation of IPv6 blocks is the DHCPv6 client, which is called odhcp6c on OpenWrt.

Looking back at the ''wan'' interface config there is an ''option ipv6'' line. The default value is ''auto'', which has the effect of automatically creating a virtual interface named ''wan_6'' and running odhcp6c on it BUT ignoring any extra config you may wish to supply. A possible alternative if multiple /64 blocks are to be used is ''1'' which allows you to configure ipv6 the way you want (static, dhcpv6, ...), but there is a simpler solution.

=== Solution ===

This turns out to be remarkably easy. On the AAISP control panel, add a /60 block of IPv6 addresses, and ensure that this is the lowest number address block (in fact, you can probably unroute some or all of your /64 blocks). When DHCPv6 requests prefix delegation, AAISP returns the lowest number address block - if this is the new /60 then that's what you'll be delegated, and you can then split this into up to 16 /64 blocks.

IPv6: 2001:8b0:xyz:4520::1/64

It's the ''ip6assign'' option in the config for the lan which determines that the lan receives a /64.

= Installing packages =

One of OpenWrt's key features is being able to install extra software packages. For example, you can install a VPN server on the router, or add SFTP support to the SSH server.

On the Luci web interface go to "System","Software", and click "Update lists...". You can then search for and install packages. ''openssh-sftp-server'' might be useful, or the ''nano'' text editor for in-situ changes to the configuration.

From the command line, ''opkg'' is the tool to manage packages. "opkg update" to update the lists, "opkg find openssh*" to search, "opkg install wireguard-tools" to install.