Configuration Vigor 130 in bridge mode PPPoE on R7800

First of all I want to thank everyone involved in making OpenWrt a reality.

I want a simple, secure and adaptable (undecided on NAS/Homeserver) home network.
So after looking at the documentation “Router vs Switch vs Gateway and why NAT influences this decision” I decided on the “OpenWrt as router and ISP device configured as bridge mode” path.

Based on the recommendations I got a Netgear R7800 and a DrayTek Vigor 130
because my ISP device from O2-Germany no longer supports bridge mode.

To get things set up I used a search engine, read the documentation “Router vs Switch vs Gateway and why NAT influences this decision” “VLAN”, “Switch”, “Accessing your modem” and “ISP Configurations” and forum posts including “[Solved] How to access the modem (which is in bridge mode)?”.

The Vigor 130 is set to bridge mode, the R7800 is flashed to OpenWrt with PPPoE and access to the modem configured.

So why this post?

  1. To clarify a few questions regarding VLAN, WAN port and firewall rules/zones, and to make sure I did not misconfigure anything like exposing my LAN etc.
  2. To document for myself and others the steps taken and the configurations applied.

DrayTek Vigor 130:
Before updating the firmware I was unable to change the language to English and afterwards
unable to set it to German.

Internet Access/General Setup:
Display Name: whatever
DSL Mode: VDSL2 only
Customer: Disable
Service: Disable

Internet Access/PPPoE / PPPoA:
PPPoE/PPPoA Client: Disable

Internet Access/MPoA / Static or dynamic IP:
MPoA (RFC1483/2684): Enable
Multi-PVC channel: Channel 2
Encapsulation: 1483 Bridged IP VC-Mux
VPI: 1
VCI: 32
Modulation: Multimode
WAN Connection Detection
Mode: ARP Detection
MTU: 1492
Bridge Mode: Enable Bridge Mode
DNS Server IP Address
Primary IP Address: 80.241.218.68
Secondary IP Address: 46.182.19.48

LAN/General Setup:
LAN IP Network Configuration
For NAT Usage
1st IP Address: 192.168.0.1
1st Subnet Mask: 255.255.255.0
For IP Routing Usage: Disable
RIP Protocol Control: Disable
DHCP Server Configuration: Disable Server
Primary IP Address: 80.241.218.68
Secondary IP Address: 46.182.19.48

Firewall/General Setup:
Call Filter: Enable Set#1
Data Filter: Enable Set#2
Accept large incoming fragmented UDP or ICMP packets (used in some games and streaming)
Enable Strict Security Firewall
Block routing packet from WAN IPv6

Firewall/DoS defense Setup:
Enable DoS Defense Select All

Netgear R7800:
After flashing to OpenWrt 18.*, changing the root password and enabling ssh I did the following.

Network/Switch:
Add VLAN ID 7 with CPU(eth0) and WAN tagged

Network/Interfaces/WAN:
Protocol: PPPoE
PAP/CHAP username: username
PAP/CHAP password: password
Bring up on boot
Use built in IPv6-management
Use default gateway
Use custom DNS servers: 80.241.218.68
46.182.19.48
Override MTU: 1492
Interface: eth0.7

Network/Interfaces/Add new Interface:
Name: MODEM
Protocol: Static address
IPv4 address: 192.168.0.2
IPv4 netmask: 255.255.255.0
Bring up on boot
Use built in IPv6-management
Force link
Interface: eth0.2
Create / Assign firewall-zone: wan

Here is /etc/config/network

# Loopback interface; stock OpenWrt definition, nothing site-specific here.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix used for the LAN side (value redacted by the author).
config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX::/48'

# LAN: a bridge over switch VLAN 1 (LAN ports 1-4, see switch_vlan 1 below),
# router address 192.168.1.1/24, plus a /60 of the delegated IPv6 prefix.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# NOTE(review): this gateway is the interface's own address, so it can never
	# be a next hop; the router's default route comes from the PPPoE session on
	# 'wan'. The line should be removed.
	option gateway '192.168.1.1'
	# Same two resolvers as configured on 'wan' below.
	option dns '80.241.218.68 46.182.19.48'

# WAN: PPPoE session on VLAN 7 of the CPU port eth0, i.e. the ISP VLAN (ID 7)
# carried through the Vigor 130 in bridge mode. The modem does not
# authenticate; the router holds the PPPoE credentials.
config interface 'wan'
	option proto 'pppoe'
	option ifname 'eth0.7'
	# Credentials redacted by the author.
	option username 'XXX@XXX.bbi-o2.de'
	option password 'XXX'
	# Bring up the IPv6 side of the PPP link as well.
	option ipv6 'auto'
	# peerdns '0': resolvers pushed by the ISP during PPP negotiation are
	# ignored; only the two addresses listed in 'dns' are used.
	option peerdns '0'
	option dns '80.241.218.68 46.182.19.48'
	# 1500 minus the 8-byte PPPoE overhead.
	option mtu '1492'

# IPv6 via DHCPv6. NOTE(review): eth0.2 is the untagged modem-management VLAN
# (see switch_vlan 2 and interface 'Modem' below), not the PPPoE link, so no
# DHCPv6 server is expected there. A later reply in this thread suggests
# option ifname '@wan' instead, which aliases the 'wan' (PPPoE) interface.
config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch with VLAN filtering enabled. From the interface names used above,
# port 6 is the CPU port behind eth1 (LAN side), port 0 the CPU port behind
# eth0 (WAN side) and port 5 the physical WAN jack ("CPU(eth0) and WAN" in the
# LuCI step described earlier).
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: LAN ports 1-4 untagged, tagged only towards the CPU (eth1.1).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

# VLAN 2: WAN jack untagged <-> eth0.2. Plain untagged frames on the cable to
# the modem, used only to reach the modem's own address (192.168.0.1).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

# VLAN 7: WAN jack tagged <-> eth0.7. The ISP VLAN (ID 7) passes through the
# bridged modem and PPPoE runs on top of it. A port may be untagged in one
# VLAN and tagged in others, so '5' in VLAN 2 and '5t' here do not conflict.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '7'

# Management address on the modem's untagged VLAN, inside the modem's own
# subnet (the Vigor 130 LAN is 192.168.0.1/24 per the settings above), so the
# router can reach the modem's web UI while the PPPoE session runs on eth0.7.
config interface 'Modem'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option ifname 'eth0.2'

Here is /etc/config/firewall

# Global policy for traffic that matches no zone; syn_flood turns on SYN-flood
# rate limiting. The zone policies below are what actually govern wan/lan.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN zone: LAN hosts may talk to the router (input) and, with forward ACCEPT,
# between the networks of this zone (only 'lan' here).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# WAN zone: nothing arriving on these interfaces may reach the router (input
# REJECT) or be forwarded (forward REJECT) unless a rule below allows it;
# outgoing traffic is NAT'ed (masq) and TCP MSS is clamped to the PPPoE MTU
# (mtu_fix).
# 'Modem' is listed here on purpose: masq rewrites LAN sources to 192.168.0.2,
# so the modem can answer without a route back to 192.168.1.0/24. With the
# REJECT/REJECT policy this does not expose anything to the Internet -- as far
# as this configuration shows, 192.168.0.0/24 exists only on the cable between
# router and modem and is not routable from the outside.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 Modem'

# LAN -> WAN forwarding. Because the 'wan' zone also contains 'Modem', this is
# what lets LAN hosts reach the modem at 192.168.0.1.
config forwarding
	option src 'lan'
	option dest 'wan'

# IPv4 input rules for the WAN zone; these appear to be the stock OpenWrt
# defaults. DHCP renewals from the ISP side (only relevant for a DHCP WAN,
# harmless with PPPoE).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Answer ICMP echo (ping) from the Internet.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP from the WAN side (multicast group management).
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# IPv6 input/forward rules for the WAN zone; these appear to be the stock
# OpenWrt defaults (prefixes redacted by the author).
# DHCPv6 client traffic (UDP 546) from the delegating router.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'XXXX::/6'
	option dest_ip 'XXXX::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources (ICMPv6 types 130-132, 143).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'XXXX::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, including the neighbour/router discovery
# messages IPv6 cannot work without; rate limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from WAN to any zone (dest '*'): error messages such as
# packet-too-big are required for path MTU discovery to work end to end.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through from WAN into LAN (ESP plus IKE on UDP 500); these appear
# to be the stock OpenWrt defaults. They only matter if a LAN host terminates
# IPsec; if none does, they can be dropped to keep the forwarded surface
# minimal.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Hand-written iptables additions, if any, are sourced from this script.
config include
	option path '/etc/firewall.user'

What confuses me the most is that the modem is in bridge mode and reachable locally, while the WAN port on the R7800 handles both the authentication and the access to the modem. Why put the MODEM interface in the same Firewall zone as WAN? Wouldn't that make it reachable from the outside? Why not put it in the same zone as LAN or give it its own zone? How can the WAN port be untagged (VLAN 2) and tagged (VLAN 7) at the same time — should VLAN 2 be tagged too?

Which DNS settings take precedence?
Do the Firewall settings on the Vigor 130 actually do anything when in bridge mode?
Am I correct in the assumption that the R7800 at 192.168.1.1 is the standard gateway and not the Vigor 130 at 192.168.0.1?

Thanks for your help :slight_smile:

I do have "1483 Bridged IP LLC" there (T-Online though).

that should probably be

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

(although that would only affect IPv6)

You're right, thanks. Encapsulation should be LLC and I put wan6 on eth0.7. :grinning:

I'd still (literally) use the indirect reference to option ifname '@wan' instead of dereferencing wan to eth0.7 here, but good that it's now working for you.

Okay, done! I've changed the configuration quite a bit and will post it soon.

So I've added two new firewall zones 'modem' and 'guest'. The 'modem' zone is pretty much a copy of the 'wan' zone, with the PPPoE interface in the 'wan' zone and the modem interface in the 'modem' zone. The guest wifi is in the 'guest' zone.

One weird thing though is that in LuCI I set SSH exclusively to the 'lan' zone but was still able to log on from the guest network. So I added a firewall rule to prevent this. What did I misconfigure, or is this a bug?

/etc/config/network

root@OpenWrt:~# cat /etc/config/network 

# Loopback interface; stock OpenWrt definition.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix used for the LAN side (value redacted by the author).
config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX::/48'

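# LAN: a bridge over switch VLAN 1 (LAN ports 1-4), router address
# 192.168.1.1/24, plus a /60 of the delegated IPv6 prefix.
# The former 'option gateway 192.168.1.1' was dropped: it named this
# interface's own address and so could never be a next hop; the router's
# default route comes from the PPPoE session on 'wan'.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'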

# WAN: PPPoE session on VLAN 7 of the CPU port eth0, i.e. the ISP VLAN (ID 7)
# carried through the Vigor 130 in bridge mode; the router holds the PPPoE
# credentials (redacted by the author).
config interface 'wan'
	option proto 'pppoe'
	option ifname 'eth0.7'
	option username 'XXX@sXX.bbi-o2.de'
	option password 'XXX'
	# Bring up the IPv6 side of the PPP link as well (used by 'wan6').
	option ipv6 'auto'
	# peerdns '0': resolvers pushed by the ISP are ignored; only the two
	# addresses in 'dns' are used.
	option peerdns '0'
	option dns '80.241.218.68 46.182.19.48'
	# 1500 minus the 8-byte PPPoE overhead.
	option mtu '1492'

# IPv6 via DHCPv6 on the PPPoE link: '@wan' aliases the 'wan' interface, so
# wan6 follows whatever device and state 'wan' has (as suggested in the
# thread). reqaddress 'try' / reqprefix 'auto' are the usual defaults.
# NOTE(review): auto '0' normally means "do not bring up on boot"; confirm
# that wan6 really comes up together with the PPPoE session, otherwise drop
# this line.
config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option auto '0'
	option ifname '@wan'

# Switch with VLAN filtering enabled. From the interface names used above,
# port 6 is the CPU port behind eth1 (LAN side), port 0 the CPU port behind
# eth0 (WAN side) and port 5 the physical WAN jack.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: LAN ports 1-4 untagged, tagged only towards the CPU (eth1.1).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

# VLAN 2: WAN jack untagged <-> eth0.2; plain frames on the cable to the
# modem, used only to reach the modem's own address (192.168.0.1).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

# VLAN 7: WAN jack tagged <-> eth0.7; the ISP VLAN (ID 7) passed through the
# bridged modem, with PPPoE on top. A port may be untagged in one VLAN and
# tagged in others, so '5' above and '5t' here do not conflict.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5t'
	option vid '7'

# Guest network, router address 192.168.3.1/24. There is no 'ifname': the
# bridge presumably carries only the guest wireless interface(s) attached from
# the wireless configuration, which is not shown here.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option type 'bridge'

# Management address on the modem's untagged VLAN, inside the modem's own
# subnet (Vigor 130 LAN 192.168.0.1/24), so the router can reach the modem's
# web UI while the PPPoE session runs on eth0.7. Referenced by the 'modem'
# firewall zone.
config interface 'modem'
	option proto 'static'
	option ifname 'eth0.2'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'


/etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall 

# IPv4 input rules for the WAN zone; these appear to be the stock OpenWrt
# defaults. DHCP renewals from the ISP side (harmless with PPPoE).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Answer ICMP echo (ping) from the Internet.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# IGMP from the WAN side (multicast group management).
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# IPv6 rules for the WAN zone; these appear to be the stock OpenWrt defaults
# (prefixes redacted by the author).
# DHCPv6 client traffic (UDP 546) from the delegating router.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'XXXX::/6'
	option dest_ip 'XXXX::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources (ICMPv6 types 130-132, 143).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'XXXX::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, including the neighbour/router discovery
# messages IPv6 cannot work without; rate limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from WAN to any zone (dest '*'): error messages such as
# packet-too-big are needed for path MTU discovery to work end to end.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec pass-through from WAN into LAN (ESP plus IKE on UDP 500); these appear
# to be the stock OpenWrt defaults. Only needed if a LAN host terminates
# IPsec; otherwise they can be dropped to keep the forwarded surface minimal.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# The only router services guest clients need: DNS (TCP/UDP 53) and DHCP
# (UDP 67-68). These are explicit ACCEPTs so the guest zone can otherwise keep
# the router closed. Note that 'name' is listed after 'target' here; UCI does
# not care about option order.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'GuestDNS'
	option src 'guest'

# DHCP for guest clients.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'GuestDHCP'
	option src 'guest'

# Global policy for traffic that matches no zone; syn_flood turns on SYN-flood
# rate limiting. The zone policies below govern the actual networks.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN zone: LAN hosts may talk to the router. forward REJECT only concerns
# traffic between networks inside this zone (just 'lan' here) and traffic to
# zones without an explicit forwarding; where LAN may go is listed in the
# 'forwarding' sections below.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'REJECT'

# WAN zone: only the PPPoE interface and its IPv6 alias now; the modem link
# has its own zone. Nothing from the Internet reaches the router or is
# forwarded unless a rule above allows it; outgoing traffic is NAT'ed (masq)
# and TCP MSS is clamped to the PPPoE MTU (mtu_fix).
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

# Hand-written iptables additions, if any, are sourced from this script.
config include
	option path '/etc/firewall.user'

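# Guest zone. input REJECT: guest clients may only reach the router services
# explicitly opened by rules (GuestDNS / GuestDHCP above). The previous
# 'input ACCEPT' let guest hosts reach every router service, which is
# presumably why SSH was still reachable from the guest network although
# Dropbear was bound to the LAN interface in LuCI -- a guest client can still
# address 192.168.1.1 directly (verify). With this policy the catch-all
# '-GuestSSH' REJECT rule at the end of the file is no longer needed.
config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'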

# Guest -> Internet only. There is deliberately no guest -> lan or
# guest -> modem forwarding, so guest clients cannot reach LAN hosts or the
# modem's management address.
config forwarding
	option dest 'wan'
	option src 'guest'

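# Modem zone: holds only the management interface towards the Vigor 130.
# Same posture as 'wan' (input/forward REJECT; masq so the modem can answer
# LAN hosts as 192.168.0.2 without a route back to 192.168.1.0/24; mtu_fix is
# harmless here but not needed, there is no PPPoE on this link), kept separate
# so that WAN-side rules never apply to the modem link and vice versa.
# The stale 'Modem' entry was removed from 'network': the interface is named
# 'modem' in /etc/config/network, and an unknown network name would at best
# only produce a warning.
config zone
	option name 'modem'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'modem'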

# LAN may initiate connections to the guest network, the Internet and the
# modem's management address; reply traffic is handled by connection
# tracking. Neither guest nor modem gets a forwarding towards LAN.
# NOTE(review): lan -> guest means LAN hosts can reach guest devices; drop
# this section if guest devices are meant to be fully isolated.
config forwarding
	option dest 'guest'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'modem'
	option src 'lan'

# Catch-all: there is no dest_port, so this rejects ALL remaining TCP/UDP from
# guest to the router, not only SSH (the name is narrower than the match).
# It relies on rules being applied in file order, with GuestDNS/GuestDHCP
# matching first. It only exists to compensate for the guest zone's
# 'input ACCEPT' policy; setting that policy to REJECT would make this rule
# redundant.
config rule
	option proto 'tcp udp'
	option name '-GuestSSH'
	option src 'guest'
	option target 'REJECT'