This is going to sound like a stupid question but i’m a newbie and i need help configuring my OpenWRT BT HH5A to bridge mode to act as modem.
I plan to get a Gl.Inet MT3000 and use that as my router instead essentially this is what the setup is going to be:
wan - - - - - > openwrt bt hh5a in bridge mode - - - - - > Gl.Inet MT 3000 as main router.
Finally, i’m on ADSL and simplified steps would be greatly appreciated.
Thank you 
OpenWrt does not support bridge mode natively. Emulating it would require creating a bridge between dsl0 and eth0 devices and then firewalling dsl0 on the bridge level so that only PPPoE comes through.
This is not simple. I don't know exactly how to do this and would not want to hold any responsibility if, due to my wrong instructions, hackers get through from the WAN.
So, let me just say "no" and recommend using your HH5A as a router. For ADSL, it is more than capable of doing so; even with SQM it still has some headroom.
If your goal is to avoid double NAT, then just disable the NAT function on your MT3000 and add a route to the "real" LAN through the MT3000's "WAN" IP on your HH5A.
There’s a byte order problem with the BT HH5A which makes the modem not work correctly hence why I am looking for a replacement router.
Could you explain step by step on what adding a route to the real lan would look like/require of me?
Let's assume that the network looks as follows:
Then, on HH5A, please go to Network > Routing, and add a static IPv4 route as follows:
Thank you, I’ll try out this way when the router comes.
No firewall needed, just do not use the bridge member ports in any other function...
Mmmh, I appreciate your caution, but bridged modem is a use case that some of us already use quite successfully without a big security risk (worst case a hacker can access the modem, but ther is still the router's firewall betwenn the hacker and the LAN).
My problemnhere is that I do not use a HH5A anymore and hence can not help the OP in the fine grained way he desires.
Could you elaborate a bit on this?
Let me respectfully disagree. Back in 2017, when Globe Telecom had an outage, I have seen a lot of packets on my ADSL link that should not have been there, including PADI packets from other modems (normally, this is blocked at the ISP's side, but this filter broke during the outage). I could have set up a malicious access concentrator and could have learned others' PPPoE passwords.
Now let's see how it goes when a malicious ISP sends an IP packet on the bridge, with the destination equal to the management IP of the modem. Then they can reach the management interface, because of the symmetry of the bridge. They then can try brute-forcing your modem password. This is the kind of access that should be possible over Ethernet only, not from ADSL, and that's what warrants a bridge firewall.
EDIT: I see that you mentioned this kind of access but then dismissed it.
This applies to VDSL, not ADSL. ADSL is always either PPPoE without any VLAN tag, or PPPoA.
Sure, but that is a simple case of not doing that, as these packets will not be accepted from the routers PPPoE client after the bridge... in fact if you use the HH% as modem router it will see exactly the same gunk... the only danger I see is if somebody could escape the bridge and get access to the modem, but as I said even that is outside of the router's firewall so should be considered unsafe anyway (not that having a hostile party using once bridged-modem to exfiltrate packet captures would be a harmless issue).
Nothing as the bridge should only connect the bridged interfaces.... I had to establish an additional interface (using a different VLAN) to be abke to access the modem's lan side...
Because I tried to ab-use it and failed... but I will try again later today, by disabling my interface to the LAN side of the modem and see whether I can set a specific fixed route to reach the modem's LAN side via the dsl-bridge.
Do you have any reference for this, as far as I know the biggest German Telco uses VLAN7 on its links independent of ADSL, VDSL, or GPON. I think I even measured this appearing on my link...
Thanks for trying! However, I was talking about reaching the modem's management IP itself. I am also specifically worried because Linux uses a weak host model for IPv4, i.e., will by default answer ARP and IP packets that have a destination IP equal to an IP assigned to any interface, not necessarily the "correct" one. Well, whether you see the replies is another question.
When trying again, please also try to abuse link-local IPv6.
Sure: https://openwrt.org/docs/guide-user/network/wan/isp-configurations
As you can see, none of the configurations tagged as ADSL and not tagged as "please put the ISP modem in bridge mode" (i.e., intended for use with OpenWrt-supported ADSL modems) use any VLAN. They use VPI/VCI instead, which is an ATM concept.
Yes, that is what I am going to test...
Let's do this step by step...
As I said, I actually experienced, when my ISP added that VLAN automatically, and later when setting VLAN 7 became mandatory.
see: https://www.telekom.de/hilfe/downloads/1tr112.zip
9.5.1.3 PPP based Dial in Broadband Services over an Ethernet based Access Platform
The following services are realized over ADSL2plus technology only! All services are transmitted inside the PPPoE connection.
The PPPoE is transmitted in single tagged frames (VLAN-ID = 7).
Really, I am not convinced that the volunteer updated openwrt wiki is the authoritative source here 
VPI/VCI are indeed ATM concepts, but no ISPs maintains an notable ATM network outside the ADSL links (and some even do not do this, AT&T uses as far as I can tell PTM even over ADSL) so they often want/need VLAN tags anyways. An example being Deutsche Telekom from the wiki page:
1&1 or O² on a Telekom line with Annex J
When migrating from Annex B to Annex J, connection properties seem to have changed to require using VLAN 7.
Annex J is an ADSL-annex...
But we digress, my gut feeling is that both of us extrapolate from our own individual experience with ADSL, which is fine, and I just happened to end with an ISP that required VLAN7...
Apologies, I probably should have expanded on this but when it came to using Hudra’s QosMate, my router failed to assign DSCPs on ingress aswell as marking them to the conntrack (something along those lines). It only worked for marking egress
Thank you that seems simple enough for me to follow, really appreciate this.
Only one thing would be i’m not really familiar with VLAN and I don’t think i’ve ever had to assign a VLAN ID before.
How do i find the appropriate ID to allow this bridging to work successfully.
It does not matter which ID you use as long as it is separate from the VLAN ID you use for the modem's br-lan bridge, as you want that traffic to be separate... (assuming for the sake of the discussion, that the dsl-brodge will not leak...)
Ahh okay thank you @moeller0
I think @takimata solution sounds most appropriate for me. I can easily copy the settings as it is into my network file and be up and running in minutes aswell as remembering to disable firewall and dnsmasq and the wan connection.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdcb:9d52:1d0e::/48'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config bridge-vlan
option device 'br-lan'
option vlan '7'
list ports 'dsl0:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u*'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
config interface 'lan'
option device 'br-lan.1'
option proto 'dhcp'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option mtu '1492'
config device
option name 'lan1'
option macaddr 'xx:xx:xx:xx:xx:xx'
option mtu '1492'
config device
option name 'lan2'
option macaddr 'xx:xx:xx:xx:xx:xx'
option mtu '1492'
config device
option name 'lan3'
option macaddr 'xx:xx:xx:xx:xx:xx'
option mtu '1492'
config device
option name 'lan4'
option macaddr 'xx:xx:xx:xx:xx:xx'
option mtu '1492'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'dsl0'
option macaddr 'xx:xx:xx:xx:xx:xx'
Does this look correct?
No.
While the common PPPoE MTU is indeed 1492, it is inside the PPPoE tunnel. The outer Ethernet interface should have MTU=1500. Or, if there is a VLAN tag, 1504.
Actually, many PPPoE ISPs support baby jumbo frames. That is, MTU=1500 inside the tunnel. In this case, you need MTU=1508 on the Ethernet interfaces. Or, if they are supposed to transfer tagged packets, 1512.
Also, as I said, please double-check whether the ISP requires a VLAN tag on the ADSL. Neither Rostelecom in Russia nor Globe Telecom in the Philippines do so on ADSL, and adding an unneeded VLAN tag would break the connection. Please ignore this section if you are on Deutsche Telekom.
The VLAN tag (at least the first one) lives outside of the classical ethernet MTU...
I am with Plusnet and they do not require vlan tags if you are on ADSL connection. It only requires it for VDSL I believe which is irrelevant to me.
)I can not test from the VDSL side of things, but it looks like this is not as easy as you feared.
I might tackle IPv6 on another day, as is I can not reach the modem via IPv6 (I did only define IPv4 access).
Hmm I can try both methods and see which one works once the router comes.
I did find a guide on how to put the BTHH5A in full bridge mode in the setup pdf on the OpenWRT page, however the guide is heavily outdated which makes a newbie like myself hard for it to follow.
