Configure OpenWrt Router in Bridge Mode


I am new to OpenWRT; because of an Amazon Review I decided to buy a Zyxel VMG1312-B30 and use it with a TP-Link Archer Router with OpenWRT. My Internet Service Provider is rather small and brought VDSL via FTTC to our house.
I set the Zyxel Modem into Bridge Mode and configured the TP-Link Router with OpenWRT on it. Everything works great - even the QoS (which is the reason I switched to this setup from an older Fritzbox) - but I am still confused about my WAN settings: It works as a DHCP client right now but shouldn't PPPoE be the right protocol in this case? I tried to change this setting but since my connection works without any login data from my provider (it was just plug & play with the Fritzbox and the Zyxel device), I am really not sure if this is correct. I would not care about this but I realized that port forwarding is not possible - even though tcpdump shows me something when I use an online tool ( to check a port that I need in able to reach my NAS. Is the protocol (DHCP instead of PPPoe) an issue in this case and could it be related to my problems with port forwarding?

which NAS do you have?
there are alternative solutions without port-forwarding.

An old DS212+ from Synology. I tried QuickConnect but it's too slow since the device is really old. Synology support adviced me to try Port Forwarding.

But apart from the NAS: Do you think that the fact that these ports appear to be closed even after I setup forwarding is connected to the wan interface's protocol?

Maybe you reveal the name of the ISP so we can try finding some documentation. Some ISPs do use DHCP after all.

Also which port are you trying to forward?

Oh sure, I just thought that the name wouldn't be useful but I gladly share it with you: They are called Thüga Connect ( and are affiliated with a local energy supplier

Ports are 7001 and 443

I think you are right when it comes to DHCP - I just found this piece of information: There they state that the router has to be configured as DHCP client. So that should mean that my WAN interface's settings are correct

1 Like

According to your ISP's documentation DHCP is correct, no PPPoE required, which is IMHO a good thing...

Ah you found the same information already....

What IP4 address does your router report? Please replace the last segment with XXX, like
The question is, does your ISP use carrier grade NAT in which case port forwarding will get tricky.

try tailscale if you don't want to mess with any networking.
Try wireguard if you want to dig a little deeper. Tailscale is in fact based on wireguard.
Also try zero-tier, again no networking knowledge is required.

The address starts with 91.137.67.XXX

I'm also going to share some information about my port forwarding attempts:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Synology'
        list proto 'tcp'
        option src 'wan'
        option src_dport '5001'
        option dest_ip '192.168.1.XXX'
        option dest_port '5001'

This is what I get via tcpdump when I use

16:02:43.657601 IP > 91.137.67.XXX.5001: Flags [S], seq 744830425, win 14600, options [mss 1460,sackOK,TS val 3953384895 ecr 0,nop,wscale 8], length 0

I just switched to my iPad and decided to test it there. This made me realize that even though I deactivated IPv6 following this instruction , I had an IPv6 address and also a different external IPv4 address than what the router and my PC (wired connection) show. In fact, it looks like cgn nat is active since the address starts with 100… Am I right here? I just don‘t understand why router and PC still show the 97… IPv4 address.
Would it be a good idea to ask my ISP for a true IPv4 address? It looks like that‘s an option I could add to my plan for 3€ per month

EDIT: nevermind, I just didn‘t know about apples privacy relay feature… once it is deactivated, I got the same IPv4 and no IPv6 address…

Thanks, that is a public IPv4 address. I am impressed, your ISP is doing quite well! No PPPoE (which is costly for a router as every data packet needs to be either en- or decapsulated, which is avoidable work), but DHCP and also no CG-NAT. Maybe you ask whether they might block ports for their customers for security reasons?

Since you already have a dynamic public IPv4 address that might be a static public IPv4 address, if so, I am even more impressed by your ISP...

1 Like