Bridge WAN to LAN

Hello,
I am going to be utilizing a 4G carrier as my internet provider shortly. I have already read documentation on getting the sim card out of the hotspot device and building a USB stick that will plug directly in to my Netgear 6300v2 that I am going to flash with LEDE. My conundrum is that I currently have some Cisco equipment that I have spent decent money on and don't want it to be unused.

I would like to bridge the WAN device to an Ethernet port on the R6300v2 and essentially hand my outside address to my Cisco ASA; this way I can utilize the VPN on that and really keep the same configuration that I had with my old ISP.

Is there an easy way to do this so that the R6300v2 is essentially a transparent device and not doing any routing? I had a recommendation on another forum of just configuring my ASA in the DMZ and forwarding everything - which I can do, but I am wondering if there is a better way.

Thanks!

I believe there is, but I haven't tested this using a modem. I suggest you read up on Dumb AP / Access Point Only for reference (obviously, this is not what you want, but the steps are very similar).

Before I continue, note that when doing this kind of thing you risk locking yourself out of your device. So, ensure that:

  1. Recovery mode works in your device; or
  2. You have working serial or JTAG access; or
  3. You can at least access the device via SSH through the WAN interface

You need to bridge your ethernet ports to the WAN interface and disable all services like DHCP, firewall, etc. The dumb AP guide covers most of that.

If that should not work, you may need to do some routing in your router, but I believe a better solution for minimising this would be as follows (kind of similar to a 'DMZ IP'):

  1. You get an IP(v6) address(es) from your ISP in subnet A in your R6300v2.
  2. You connect your Cisco ASA to your R6300v2. It gets an equivalent subnet in the private address space (subnet B).
  3. You disable the default firewall rules, and you set up some simple ip(6)tables rules for stateless NAT from the A to B address space.
  4. (Optionally) You assign one of your R6300v2 ports a different VLAN, and you connect it to your internal network for management.
  5. (Optionally) You bridge the remaining free ethernet ports to the ASA, so you can use the R6300v2 as a switch to give you extra ports.

While not exactly equivalent, this may help you figure out the switch rules. I have a TP-Link Archer C7 set up to do the following:

  1. Obtain an IP address in the 'management' VLAN (VID 10), for local management.
  2. Act like a switch with the remaining free ports.

The connection is:

  1. WAN (eth0) port is connected to my actual router.

  2. LAN ports (eth1) are connected to any devices I wish to connect to my network (with VLAN tagging.)

  3. VLANs are 1, 2, 3, 4, 5 and 10. Of these, only 1, 3, 4 and 5 are bridged to the WAN port.

     config interface 'loopback'
     	option ifname 'lo'
     	option proto 'static'
     	option ipaddr '127.0.0.1'
     	option netmask '255.0.0.0'
    
     config globals 'globals'
     	# This should be your unique ULA prefix
     	option ula_prefix 'fc12:3456:789a::/48'
    
     # Management
     config interface 'MGMT'
     	option proto 'dhcp'
     	option ifname 'eth0.10'
     	option peerdns '1'
    
     config interface 'MGMT6'
     	option proto 'dhcpv6'
     	option ifname 'eth0.10'
     	option peerdns '1'
    
     config interface 'vlan1'
     	option proto 'none'
     	option stp '1'
     	option auto '1'
     	option ifname 'eth0.1 eth1.1'
     	option type 'bridge'
    
     config interface 'vlan2'
     	option proto 'none'
     	option stp '1'
     	option auto '1'
     	option ifname 'eth0.2'
     	option type 'bridge'
    
     config interface 'vlan3'
     	option proto 'none'
     	option stp '1'
     	option auto '1'
     	option ifname 'eth0.3 eth1.3'
     	option type 'bridge'
    
     config interface 'vlan4'
     	option proto 'none'
     	option stp '1'
     	option auto '1'
     	option ifname 'eth0.4 eth1.4'
     	option type 'bridge'
    
     config interface 'vlan5'
     	option proto 'none'
     	option stp '1'
     	option auto '1'
     	option ifname 'eth0.5 eth1.5'
     	option type 'bridge'
    
     config switch
     	option name 'switch0'
     	option reset '1'
     	option enable_vlan '1'
     	option mirror_source_port '0'
     	option mirror_monitor_port '0'
    
     config switch_vlan
     	option device 'switch0'
     	option vlan '1'
     	option vid '1'
     	option ports '0t 1t 2t 3t 4t 5t 6t'
    
     config switch_vlan
     	option device 'switch0'
     	option vlan '2'
     	option vid '2'
     	option ports '1t 6t'
    
     config switch_vlan
     	option device 'switch0'
     	option vlan '3'
     	option vid '3'
     	option ports '0t 1t 2t 3t 4t 5t 6t'
    
     config switch_vlan
     	option device 'switch0'
     	option vlan '4'
     	option vid '4'
     	option ports '0t 1t 2t 3t 4t 5t 6t'
    
     config switch_vlan
     	option device 'switch0'
     	option vlan '5'
     	option vid '5'
     	option ports '0t 1t 2t 3t 4t 5t 6t'
    
     config switch_vlan
     	option device 'switch0'
     	option vlan '10'
     	option vid '10'
     	option ports '1t 6t'

Hi Corrideat,

I would like to do almost the same as you are doing. I live at a dorm and we want ~20 Archer C7 acting as bridges connected to a firewall doing NAT on IPv4 and with IPv6 available.
Looking at your config, would you mind explaining a few of the settings you posted:
(see Weird Wireless Issues: no IPv6 & unable to ping wireless hosts for full config)

config globals 'globals'
     # This should be your unique ULA prefix
     option ula_prefix 'fc12:3456:789a::/48'

What is this? Is this something I should worry about changing for each AP?

I want to achieve:

  1. WAN (eth0) port is connected to my actual router or chained to another Archer C7.
  2. LAN ports 2,3 are connected to hubs. Untagged wired lan.
  3. LAN ports 1,4 are optionally connected to other Archer C7, i.e. all VLANs are sent here.
  4. VLANs are 10, 3, 30, 32. 10: admin/management, 3: wired LAN, 30: free wifi, 32: auth wifi.
     i.e. only VLAN 3 is untagged on LAN ports 2 and 3; all VLANs are on LAN ports 1 and 4.

I came up with the following config, but it is not like yours. Am I doing anything wrong, or can I get you to explain your config in greater detail? There seems to be something I do not understand.
# Port       Switch port
# CPU/ETH1   0
# WAN        1
# LAN 1      2
# LAN 2      3
# LAN 3      4
# LAN 4      5
# ETH0       6
# administration
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1t 2t 5t 6t'
	option vid '10'

# wired untagged lan for hub
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '1t 2t 3 4 5t 6t'
	option vid '3'

# auth wifi
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '1t 2t 5t 6t'
	option vid '30'

# free wifi
config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '1t 2t 5t 6t'
	option vid '32'

config interface 'admin'
	option proto 'dhcp'
	option ifname 'eth0.10'

config interface 'authed'
	option proto 'static'
	option ifname 'eth0.30'
	option type 'bridge'

config interface 'free'
	option proto 'static'
	option ifname 'eth0.32'
	option type 'bridge'

Ps.
I am sorry to bump such an old thread, but I could not find any contact info on Corrideat.

This is the ULA prefix configuration, which is analogous to private addresses in IPv4 (e.g., 192.168.0.0/16). If you're not using your LEDE devices to distribute IPv6 addresses, you can probably leave this value alone (LEDE sets it to a random value automatically upon initialisation). If you indeed are using your LEDE devices to distribute IPv6 addresses, what you do to this value depends on your network topology, but you might want the values to match across all of them.

It's unclear to me what works (or, more to the point, doesn't work) with your configuration. A cursory look gives me the impression that you got the main idea correct, but that it won't work because you are missing 0t on your switch_vlan stanzas (this is needed if you're using LAN ports), and are likewise missing eth1.X in your bridges.
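
A small consistency check for the two points in the reply above (the tagged CPU port 0t on VLANs that use LAN ports, and a matching eth1.X member in each bridge), written as an added example rather than anything from this thread or from LEDE itself. It assumes the Archer C7 port numbering posted above (port 0 feeds eth1, port 6 feeds eth0, port 1 is WAN, ports 2 to 5 are LAN1 to LAN4) and runs on a constructed config fragment; the parser only understands the plain `config`/`option` lines used in this thread.

```python
import re

# Archer C7 switch port numbering as posted in this thread: CPU port 0 feeds
# eth1, CPU port 6 feeds eth0, port 1 is WAN, ports 2-5 are LAN1-LAN4.
# (Added example, not code from the thread.)
CPU_PORT = {"eth1": "0", "eth0": "6"}
LAN_PORTS = {"2", "3", "4", "5"}

def parse_uci(text):
    """Tiny UCI reader: list of (section type, {option: value}); comments skipped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.match(r"^config\s+\S+", line):
            sections.append((line.split()[1], {}))
        m = re.match(r"^option\s+'?([^'\s]+)'?\s+'?([^']*)'?$", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def check_vlans(text):
    """Report VLAN frames that can never reach the CPU interface meant to carry them."""
    sections = parse_uci(text)
    # vid -> set of port tokens: '0t' is tagged, '3' is untagged
    vlans = {o.get("vid", o.get("vlan")): set(o.get("ports", "").split())
             for t, o in sections if t == "switch_vlan"}
    problems = []
    for vid, ports in vlans.items():
        numbers = {p.rstrip("t") for p in ports}
        if numbers & LAN_PORTS and "0t" not in ports:
            problems.append(f"vid {vid}: LAN ports present but CPU port 0t missing, "
                            f"so eth1.{vid} receives nothing")
    for t, o in sections:
        if t != "interface" or o.get("type") != "bridge":
            continue
        for member in o.get("ifname", "").split():
            m = re.match(r"^(eth[01])\.(\d+)$", member)
            if m and CPU_PORT[m.group(1)] + "t" not in vlans.get(m.group(2), set()):
                problems.append(f"bridge member {member}: vid {m.group(2)} does not "
                                f"include tagged CPU port {CPU_PORT[m.group(1)]}t")
    return problems

def sample(ports, ifname):
    """Constructed fragment in the shape posted above (one VLAN, one bridge)."""
    return ("config switch_vlan\n\toption device 'switch0'\n\toption vlan '4'\n"
            f"\toption ports '{ports}'\n\toption vid '30'\n\n"
            f"config interface 'authed'\n\toption proto 'static'\n"
            f"\toption ifname '{ifname}'\n\toption type 'bridge'\n")
```

`check_vlans(sample("1t 2t 5t 6t", "eth0.30"))` reports the missing 0t for the posted shape, while `sample("0t 1t 2t 5t 6t", "eth0.30 eth1.30")` comes back clean; the same function can be run over the whole of /etc/config/network read from the device.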

Thanks for your reply!

The LEDE device only acts as a bridge to the actual router. So I will just leave it then. I have the IPv6 scope 2001:0878:0928::/48.

Yes, this is what I do not really understand. The posted configuration actually works for the setup described in "I want to achieve" (so it seems, at least).

The router is connected through WAN and another LEDE device might be connected through lan1 or lan4 (i.e. all traffic from these LAN ports should be routed to WAN).
Why is it necessary to have both, e.g., eth0.30 and eth1.30 in the bridges? I would think that only eth0.30 is necessary as that is "the way traffic is sent". In the config switch_vlan the LAN ports are chosen as option ports '1t 2t 5t 6t'.

What does 0t in the switch_vlan stanza mean? From the port view I posted, I see it is CPU/ETH1, i.e. for the LAN ports. But I do not understand what this means. Likewise, I do not really understand what, e.g., ifname 'ethX.30' means in the bridges. Can you explain that a bit?