Config for the "It Just Works Home Router"

GL-INET MT-6000 Wireless router, default Openwrt 24.10 image with irqbalance, luci-app-adblock-fast, and luci-app-https-dns-proxy.

Hardware flow offloading enabled, packet steering enabled, and AQM settings enabled on startup for Wi-Fi performance.

let me know if you have any questions! critiques welcome!

root@Waypoint:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "Waypoint",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
root@Waypoint:~# cat /etc/config/network

# Loopback interface, unchanged from stock OpenWrt.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# packet_steering / steering_flows are the "packet steering" setting from the
# post intro; ula_prefix is the router's locally generated IPv6 ULA prefix.
config globals 'globals'
        option ula_prefix 'fd26:6b8:b1a::/48'
        option packet_steering '2'
        option steering_flows '128'

# All five switch ports are bridged into a single LAN bridge.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

# LAN: 192.168.10.0/24. ip6assign hands this interface a /60 out of the
# prefix delegated on wan6.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN on eth1 via plain DHCP / DHCPv6. As the replies below point out, PPPoE
# or static-IP subscribers must change 'proto' here before this config works.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

# Guest bridge with no wired ports; bridge_empty lets it come up with no
# members. Its only member is the guest AP in /etc/config/wireless
# (wifi-iface 'wifinet2', network 'guest').
config device
        option type 'bridge'
        option name 'br_guest'
        option bridge_empty '1'

# Guest network 192.168.100.0/24. There is no ip6assign here, so unlike 'lan'
# the guest interface is not given a delegated IPv6 prefix.
config interface 'guest'
        option proto 'static'
        option device 'br_guest'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
root@Waypoint:~# cat /etc/config/wireless

# 2.4 GHz radio: automatic channel selection, 40 MHz 802.11ax (HE40), US
# regulatory domain.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HE40'
        option country 'US'
        option cell_density '0'

# Main SSID on 2.4 GHz, bridged into 'lan'. 'psk2' is WPA2-PSK; replace the
# ssid/key placeholders before use.
# NOTE(review): no 'ieee80211w' option is set, so management-frame protection
# is whatever the driver/package default is — confirm if PMF is wanted.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'your-wifi-name-here'
        option encryption 'psk2'
        option key 'your-password-here'

# 5 GHz radio: automatic channel selection, 80 MHz 802.11ax (HE80).
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option country 'US'
        option cell_density '0'

# Same SSID and key as the 2.4 GHz AP, presumably so clients see one network
# across both bands.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'your-wifi-name-here'
        option encryption 'psk2'
        option key 'your-password-here'

# Guest SSID, 2.4 GHz only (device 'radio0'), attached to the separate 'guest'
# network instead of 'lan'. Give this a different passphrase from the main
# SSID — in this paste the key placeholder is the same string as above.
config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'your-guest-wifi-name-here'
        option encryption 'psk2'
        option key 'your-password-here'
        option network 'guest'
root@Waypoint:~# cat /etc/config/dhcp

# dnsmasq resolver settings.
# noresolv '1' together with the 127.0.0.1#5053 / #5054 'server' entries means
# every upstream query goes to the local https-dns-proxy listeners (installed
# per the post intro) rather than to the ISP resolvers learned via DHCP.
# The doh_backup_* entries are presumably the pre-DoH settings saved by
# https-dns-proxy so they can be restored if it is disabled — verify.
# The '/mask.icloud.com/', '/mask-h2.icloud.com/' and '/use-application-dns.net/'
# server entries carry no address, so dnsmasq answers those names locally
# (NXDOMAIN). These look like the iCloud Private Relay and Firefox DoH canary
# names, which keeps clients on the router's resolver and adblock list.
# rebind_protection '1' drops upstream answers that point at private ranges;
# localservice '1' answers only queries from directly attached subnets.
# serversfile is the list adblock-fast generates.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server ''
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        option serversfile '/var/run/adblock-fast/dnsmasq.servers'

# LAN pool: 192.168.10.100-.249 (start 100, limit 150), 12 h leases. DHCPv6
# and router advertisements are served with the managed/other-config flags.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6/RA only (maindhcp '0' leaves IPv4 to dnsmasq).
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool: 192.168.100.100-.249, 12 h leases. No dhcpv6/ra here, which
# matches the guest interface having no ip6assign in /etc/config/network.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
root@Waypoint:~# cat /etc/config/firewall

# Zone defaults: drop-with-reject on input and forward, allow all output.
# synflood_protect rate-limits SYNs; flow_offloading(_hw) is the hardware
# offload from the post intro (the replies note this is mutually exclusive
# with SQM).
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# LAN zone: fully trusted (input/forward ACCEPT).
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone: nothing inbound except the explicit rules below; NAT (masq) and
# TCP MSS clamping (mtu_fix) applied.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# LAN may initiate to WAN.
config forwarding
        option src 'lan'
        option dest 'wan'

# The following Allow-* rules are the stock OpenWrt inbound exceptions:
# DHCP renew, ping, IGMP, DHCPv6, MLD and rate-limited ICMPv6 to the router
# and (ICMPv6 only) forwarded through it.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that forward ESP and UDP/500 (IKE) from wan into the lan zone.
# NOTE(review): these only matter if a lan host terminates IPsec; otherwise
# they can be removed to keep the forwarded surface to what is actually used.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone: no input to the router and no forwarding by default. There is
# no forwarding stanza from guest to lan (or lan to guest) and no rule with
# dest 'lan' from guest anywhere in this file, so guest clients can only
# reach the WAN (NATed via the wan zone's masq) and the two router services
# opened below.
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

#added guest zone firewall rules

# Guest may initiate to WAN only.
config forwarding
        option src 'guest'
        option dest 'wan'

# DNS from guest clients to the router itself (no 'dest' → input chain; no
# 'proto' → the firewall default of tcp and udp, which DNS needs).
config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

# DHCP from guest clients to the router. DHCP is UDP only, so this could be
# tightened with "option proto 'udp'".
config rule
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

Your router is OP; you don't need offloads for the firewall, and it totally kills any chance of SQM.

i agree, but in my environment i don't need sqm; we NEVER max out our connection, so it's just an extra process running at that point, and with synchronous fiber coming to my house soon it will be even less needed.

it is offload XOR sqm, choose/use one

correct, i use offload because there isn't much benefit to sqm for my house; for wifi i use AQM instead of WED for better latency.

Wi-Fi has built-in QoS called WMM.

this has AQM built in and can be tuned per the wiki page

Overall, the config looks good to me.

I would say that the 'it just works' angle of this is true for your environment, but may not be universal. You can kind of treat it like a renovation for a home or kitchen... what works for you might not be ideal for someone else.

For example:

  • users who need a pppoe or static IP address on the wan should be aware that your config is not going to work directly -- they need to make the requisite edits. (to be fair, this consideration is no different with your config than it would be for the default config)
  • adblock and https-dns-proxy are not a universal thing, and they do introduce some non-trivial risks when it comes to both initial operation and troubleshooting. It's 'safer' (from the 'it just works' standpoint) to not include these packages and configs.
  • flow offloading, packet steering, etc. are not always desired or appropriate for some setups, so again, I would omit them from any 'it just works' config.

That's not to say that there's anything wrong with your choices or your config... I tend to recommend a more minimalistic configuration for novices and/or those looking for the simplest method to ensure 'it just works.' Then, those that want to enable more advanced features and/or experiment can add the packages as they see fit.


you bring up a ton of very good points, i think my naming scheme needs some work.

the idea i was going for is a very simple easy to setup configuration that "nearly" anyone can use, and i suppose this was targeted at my hardware and environment, but i really do think this setup follows the 80/20 rule.

maybe i call this the "grandmas house router" lol set it up and its basically good to go!

i found that the wiki documentation on everything i added to this configuration was above optimal and very easy to follow, which is a big part of why i love this community.

Indeed. This looks like the typical US Cable Internet configuration, where the ISP runs an Ethernet port on the customer's side. As DOCSIS is specified with DHCP, that "just works" with any OEM firmware router sold on the US market.

But not the whole world is Cable with an Ethernet bridge.

For me it's a GPON port. It needs an ONT with a media converter to Ethernet to even connect an OpenWrt device. This Ethernet port is not running DHCP. It needs 802.1Q configured with PPPoE to prove that you are a customer with a paid subscription.

"Grandmas house router" is sold or rented out by the ISP which is already configured in this way. It has an optical WAN port, does Wi-Fi by itself and doesn't run OpenWrt. There is no Ethernet WAN anywhere.