A more flexible setup: making my Livebox a bridge

Hello everyone,
First post on this forum, please don't be too rude :grin:

I live in France and have an FTTH subscription at Sosh/Orange. The ISP provides 3 devices of their own: an ONT / Optical to Ethernet converter (Huawei), a router (Livebox 4, Sagemcom) and a TV "decoder" (Sagemcom). I have something like 15 devices connected to the Internet at home, some of them need fixed IP addresses and some others even need to be accessed from the Internet through a domain name (self hosted server). This makes for many rules to configure and it was becoming tedious to manage (DHCP, Firewall, WiFi concerns, ...).

A year back I decided to buy a router to put behind my ISP router. The idea was to:

  1. Not be limited regarding the Local network configuration
  2. Be able to configure Layer-2 bridges (WDS)
  3. Keep most of the configuration in my own equipment, being able to switch to another provider without much configuration to change
  4. Use only my own router as a WiFi access point
  5. (bonus) Be completely isolated from the ISP's "control scope"

The Livebox 4 (ISP's router) contains specific configurations, at least for IPTV. That's mainly why I decided to not drop this front router completely.
The (second) router (the one I bought) is a Linksys WRT1200AC, with OpenWRT installed on it of course.
The physical wiring is as follows:

FTTH  --  ONT  --  Livebox 4  --  WRT1200AC  --  NAS
                      |                 +------  Computers
                   TV decoder           +------  WDS repeater
                                        +------  Smartphones
                                        +------  SmartHome devices

First point: Access the NAS from the Internet

Unfortunately my wish to have the most simple front router configuration didn't become real. :confused:
Because the second router has its own firewall, I first decided to put it in the DMZ of the front router. But this doesn't make my NAS accessible from the Internet.
Then I disabled the DMZ and created port forwarding rules, exactly like the ones I have set in the second router. Now it works, but this setup introduces more hassle than flexibility!

What is the recommended way to configure my front router as a "transparent bridge"? I must specify that it doesn't come with a built-in "bridge mode", unfortunately.
Would I lose the TV service?

Here is the Livebox (front router) configuration:

  • DHCP enabled (mask 255.255.255.0)
  • Fixed IP address: 192.168.0.1/24
  • Second router fixed IP address: 192.168.0.11/24
  • IPv6 enabled
  • Firewall set to "medium (recommended)": "The firewall filters all the inbound connections. Outbound connections are allowed, except for the Netbios services."

Note: I haven't tested to set the firewall to "weak" yet ("The firewall doesn't block any inbound connection. Please note that a connection initiated from the Internet could be rejected if no corresponding NAT/PAT rule has been created.").

Second point: Make use of IPv6

Third point: Put the TV decoder inside my LAN (behind the second router)

Let's close the first issue before opening others :wink:

I would not discard the option of getting rid of the ISP router. You are fortunate to have the ONT separated from the router. I do not know the details of your ISP, but many people in Spain with a similar setup have replaced the ISP router.

1 Like

It depends on how the TV traffic is handled. One common way is just to have different VLANs going into the ONT, and that can be readily done with the OpenWrt switch configuration. The WRT1200 hardware switch would switch the TV VLAN directly to another port which is connected to the TV decoder.

1 Like

Thank you @eduperez. You're right, this may be a valid option.
But the whole setup would break if I switched to an ISP that doesn't have an ONT (direct SFP connection).

The named ISP reminded me about this blog I read a while ago.

Replacing Orange Livebox router by a Linux box
(published 2019-12-06).

--

Speaking of simplicity in a home network setup, I would like to raise a view, although the poster did not raise this kind of simplicity as a specific requirement.

The setup should be so simple that family members can make simple checks (various status lights on/off), perform resets (based on lights) and even move a network plug from one device to another to restore a service or all services in the family network wizard's absence. They should be able to do these by themselves, or directed on the phone by the family network wizard or, a more involved case of design and implementation for simplicity, by the ISP helpdesk.

This kind of simplicity can be achieved for example by labeling devices and network cables or by using colored network cables. Women are usually more sensitive to the colors used, i.e. only green network cables are used for a VLAN segment dedicated to TV traffic. The use of colored cables also requires a clearly visible banner in the device cabinet explaining the use of the colored cables.

In practice I have noticed the need for this kind of simplicity; Mr Murphy does visit your home while you are away. A while back I moved my OpenWRT router to a VM running in a box, which may blink its lights despite the OpenWRT router being out of band. The network terminal connecting to the ISP sits elsewhere, which adds to the annoyance a family member feels when checking for status lights. I made my old dedicated router box sit cold next to the newer box running a few VMs, although this setup for the sake of simplicity requires me to check after every config change that the cold box is in sync and fully operational if needed (actually now I remember I forgot to sync the new DNS peers). Last time the VM box took minutes to reboot for an unattended kernel update, which was too much for a family member, who took action. :slightly_smiling_face:

Just sharing my thoughts on the simplicity of home network setups. I haven't yet seen much, actually any, talk on this aspect, but I haven't searched for it either; such talk undoubtedly exists.

Thanks @mk24 and @ejl for your inputs.

@mk24 you're correct, the IPTV is managed with VLAN 840. But for the moment I prefer to concentrate on pure network concerns, moving the TV decoder is a bonus.

@ejl you're talking about another vision of "simplicity" but that's interesting. Having someone else debug the setup is effectively a key point.
In my mind "simplicity" meant "no complicated configuration" and "flexibility". I've edited the topic title to try to be a bit more clear.

Here is a good read about double router setups.
(Important: I didn't mention that my ISP router doesn't have a built-in "bridge mode".)

I've finally decided to test the "weak" firewall configuration of the Livebox. Turning the DMZ On again allows me to delete all port forwarding rules set in the front router, which is what I aim for (simplicity + flexibility). Cool :grinning:
So far everything is working OK, and my NAS is accessible from the Internet. Plus no more NAT loopback issue like I had in the past! (Is it because IPv6 is set up correctly from a LAN point of view? If I ping v4 my NAS from its domain name, it fails... but ping v6 works.)

Questions:

  • Will the TV decoder be exposed to some threats? I don't know if it has its own firewall.
  • Am I effectively in a "double NAT" setup? How can I determine whether I would suffer from "double NAT" issues?
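The double NAT question above, and the v4 vs v6 ping observation a few posts earlier, can be answered with a small offline check rather than by reasoning about the topology by hand. The script below is an added example; it is not code from the thread or from OpenWrt. It uses the Livebox-side addresses the thread gives (192.168.0.1/24 for the Livebox, 192.168.0.11 for the WRT1200AC's WAN port) and assumes constructed values for everything else: 192.168.1.0/24 as the WRT's LAN (the OpenWrt default), 192.168.1.30 as the NAS and the documentation address 203.0.113.5 as the public IPv4. The rule of thumb it encodes is the usual one: if the inner router's WAN address is in RFC 1918 space, another NAT device sits in front of it (double NAT); if it is in the RFC 6598 100.64.0.0/10 range, the ISP itself is doing carrier-grade NAT. The second function explains the ping result: an IPv4 lookup of the NAS's domain name returns the public address, so a LAN client's packet has to be hairpinned ("NAT loopback") by the router that owns that address, whereas the IPv6 address is global end to end and involves no NAT at all. The third function counts how many forwarding rules the two routers need with and without the front router's DMZ, which is the hassle the original post describes.

```python
import ipaddress
from typing import List, Tuple

# Ranges that never appear on the public Internet. A router whose WAN side
# carries one of these is itself behind another NAT device.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_wan(wan_ip: str) -> str:
    """Classify the address the inner (OpenWrt) router holds on its WAN port."""
    addr = ipaddress.ip_address(wan_ip)
    if addr.version != 4:
        raise ValueError("NAT classification applies to IPv4 only")
    if addr in CGNAT:
        return "cgnat"        # the ISP NATs the line; nothing at home fixes that
    if any(addr in net for net in RFC1918):
        return "double-nat"   # another NAT (here the Livebox) sits in front
    return "public"           # single NAT: this router owns the public address


def classify_path(client_ip: str, target_ip: str, public_v4: str,
                  lan_nets: List[str]) -> str:
    """Say how a packet from a LAN client towards target_ip is handled.

    'direct-v6' : IPv6 target, global address end to end, no NAT involved.
    'lan'       : target is on one of the inside subnets, plain switching.
    'hairpin'   : target is our own public IPv4, so the router owning it must
                  perform NAT loopback; if it does not, the ping fails.
    'outbound'  : ordinary Internet-bound traffic through the NAT(s).
    """
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(target_ip)
    if target.version == 6:
        return "direct-v6"
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    if any(target in n for n in nets):
        return "lan"
    if target == ipaddress.ip_address(public_v4) and any(client in n for n in nets):
        return "hairpin"
    return "outbound"


def forwarding_rules(public_v4: str, inner_wan_ip: str, nas_ip: str,
                     ports: List[int], front_dmz: bool = False) -> List[Tuple[str, str, str]]:
    """List the port-forward rules each router needs to expose the NAS.

    Without DMZ the front router needs one rule per port pointing at the inner
    router's WAN address, and the inner router needs one rule per port pointing
    at the NAS. With the inner router in the front router's DMZ, only the inner
    router's rules remain (the front router's firewall must still admit inbound
    traffic, which is the "weak" setting the thread ended up using).
    """
    rules = []
    if not front_dmz:
        for p in ports:
            rules.append(("front", f"{public_v4}:{p}", f"{inner_wan_ip}:{p}"))
    for p in ports:
        rules.append(("inner", f"{inner_wan_ip}:{p}", f"{nas_ip}:{p}"))
    return rules


if __name__ == "__main__":
    # Constructed sample values; only 192.168.0.11 comes from the thread.
    print("WRT1200AC WAN 192.168.0.11 ->", classify_wan("192.168.0.11"))
    lan = ["192.168.1.0/24", "192.168.0.0/24"]
    print("ping v4 of NAS name from LAN ->",
          classify_path("192.168.1.20", "203.0.113.5", "203.0.113.5", lan))
    print("ping v6 of NAS name from LAN ->",
          classify_path("192.168.1.20", "2001:db8::30", "203.0.113.5", lan))
    for mode in (False, True):
        n = len(forwarding_rules("203.0.113.5", "192.168.0.11", "192.168.1.30",
                                 [80, 443], front_dmz=mode))
        print(f"rules to maintain with front DMZ={mode}: {n}")
```

In this thread's setup the WAN address of the WRT1200AC is 192.168.0.11, so the answer is "double-nat" regardless of the firewall level chosen on the Livebox: the DMZ and the "weak" firewall remove the need for duplicated rules, but both devices still translate addresses. The classic symptoms to watch for are exactly the ones mentioned: inbound services needing rules on both boxes, and IPv4 hairpin failing while IPv6 works.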