Configuring Internet Connectivity Linksys WRT1200AC 22.03.2 VDSL Telekom PPPOE

Hi,

i'm having problems configuring my Linksys WRT1200AC router after updating from a pretty old OpenWRT version (17x or 18x) to the lattest 22.03.2 which is supportet for this router. I could therefore not restore my old config and started from scratch.

I'm using a Deutsche Telekom VDSL 50 IP contract.
There is a Draytek Vigor 130 Modem before the OpenWRT Linksys rouer installed with the latest firmware and configured like in this example: https://www.draytek.de/vigor130165166167-modem-konfiguration-fuer-die-pppoe-einwahl-eines-routers.html
MPoA enabled in Briged Mode, VLAN Tag 7 set, IP Address 192.168.1.1/24, DHCP disabled

I also tried reinstalling the OEM Firmware at the Linksys router and with this i could connect to the Internet and everything was working. So the problem must be with my OpenWRT configuration.

Basically i did not much; setting Password, Time and then tried to configure the Interface.

Config 1:

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd07:60d5:42ee::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.10.1'

config device
        option name 'wan'
        option macaddr 'c2:56:27:b8:d6:49'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username 'XXXX
        option password 'XXXX'
        option ipv6 'auto'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

/etc/config/firewall:

onfig defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

Config 2:
i tried adding this:

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd07:60d5:42ee::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.10.1'

config device
        option name 'wan'
        option macaddr 'c2:56:27:b8:d6:49'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option password 'XXXX'
        option ipv6 'auto'
        option username 'XXXX'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'modem'
        option proto 'static'
        option device '@wan'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

/etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'modem'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

What did i miss? What is the problem?
Since the config documented here is still using ifnames i guess it is not valid anymore correct?

Yes as i wrote this does still use the ifname configuration which is not support with the new firmware anymore, correct? At least this gives an error.

may be something like this:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd07:60d5:42ee::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
		list ports 'wan'

config device
        option name 'wan'
        option macaddr 'c2:56:27:b8:d6:49'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'wan:t'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.10.1'

config interface 'wan'
        config interface 'wan'
	    option proto 'pppoe'
	    option force_link '1'
	    option username 'user'
	    option password 'pass'
	    option ipv6 'auto'
	    option device 'br-lan.7'
	    option peerdns '0'
	    option metric '10'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

With this config the router is not accesible via ssh or LUCI anymore and i had to do a hard reset. At least he was neither on 10.10.10.1 or on 192.168.1.1 (all though he should be reachable on the first address of course).

Removing the doubled line config interface 'wan' did not change that (since i thought it should be there only once).

What exactly is the config bridge-vlan section for? The vlan tagging is taken care of by the Draytek moden. Or is this something else?

Thanks for any clarification or additional hints

A section like this is only needed for a VLAN-aware bridge to specify which ports are members of which VLANs. A section is needed for every VLAN, and since that config doesn't specify a VLAN for any of the LAN ports (either tagged or untagged) it is clear why you weren't able to access the device anymore.

However, in this case there is no reason for the WAN port to be part of the bridge in the first place. If the modem didn't already take care of VLAN tagging, you would just use option device 'wan.7' on the WAN interface to enable tagging in the router.

3 Likes
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd07:60d5:42ee::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
	list ports 'wan'
	
config device
        option name 'wan'
        option macaddr 'c2:56:27:b8:d6:49'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'wan:t'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.10.1'

config interface 'wan'
        config interface 'wan'
	    option proto 'pppoe'
	    option force_link '1'
	    option username 'user'
	    option password 'pass'
	    option ipv6 'auto'
	    option device 'br-lan.7'
	    option peerdns '0'
	    option metric '10'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

This is why is wan is part of the bridge: [HELP] DSA VLAN behind ISP router on bridge mode. Cannot get IP on 22.03, but could get it on 19.07.10

Any case, this probably need adjustement because I have Pppoe but not vdsl
:+1:

1 Like

Having set up two VLANs within br-lan (now also including wan), need to change the lan interface's device to br-lan.1 to keep the LAN Ethernet ports working.

It's a good idea to start up a wifi AP and log in by wifi so you won't need to reset if the Ethernet is misconfigured.

This latest config should work, are you seeing any logs about the pppoe connection?

This is wrong. The modem's IP is 192.168.1.1, so your IP needs to be something in the same subnet but not exactly the same number, such as 192.168.1.2.

2 Likes

By latest config are you refering to the latest config by lopez67876 with the bridged VLANs?
And if yes, then i need to remove the VLAN tagging at the modem correct?

I was unsure about the part with the modem too. However this only guarantees me access to the modems Admin interface and has nothing to do with the Internet Connection right?

Right.

The modem need not be using VLAN tags unless there is no way to avoid it. However the latest configuration expects the modem to be using VLAN tag 7, and it should work that way as well.

Also if the modem can convert from pppoe to ipoe internally, the router can use the default ipoe configuration.

Hm okay, i tried this and still ended up with a Router which did not come back "Network unavailable" also WLAN did come up but i was not able to get an IP for my wireless interface.
And i have no clue why :confused:

Is the Switch port "wan" the correct device? Or do i have to use the Ethernet Switch "eth0"? I mean i also tried this option and it changed nothing, but just that i know which is 100% correct.

Okay well i tried the config with the modem and assigned 10.10.10.2 to the modem and changed this in the config interface 'modem' but it was still not accesible or ping-able.

https://forum.openwrt.org/t/solved-mochabin-wan-over-sfp-vdsl2-modem-deutsche-telekom/147676/6?u=lopez67876

onfig interface 'loopback'                                                                                                                
        option device 'lo'                                                                                                                 
        option proto 'static'                                                                                                              
        option ipaddr '127.0.0.1'                                                                                                          
        option netmask '255.0.0.0'                                                                                                         
                                                                                                                                           
config globals 'globals'                                                                                                                   
        option ula_prefix 'fd06:ea47:0330::/48'                                                                                            
                                                                                                                                           
config device                                                                                                                              
        option name 'br-lan'                                                                                                               
        option type 'bridge'                                                                                                               
        list ports 'eth1'                                                                                                                  
        list ports 'lan0'                                                                                                                  
        list ports 'lan1'                                                                                                                  
        list ports 'lan2'                                                                                                                  
        list ports 'lan3'                                                                                                                  
                                                                                                                                           
config interface 'lan'                                                                                                                     
        option device 'br-lan'                                                                                                             
        option proto 'static'                                                                                                              
        option ipaddr '192.168.1.1'                                                                                                        
        option netmask '255.255.255.0'                                                                                                     
        option ip6assign '60'                                                                                                              
                                                                                                                                           
config device                                                                                                                              
        option name 'br-wan'                                                                                                               
        option type 'bridge'                                                                                                               
        list ports 'eth0'                                                                                                                  
        list ports 'eth2'                                                                                                                  
                                                                                                                                           
config interface 'wan'                                                                                                                     
        option device 'eth0.7'                                                                                                             
        option proto 'pppoe'                                                                                                               
        option username '******************0001@t-online.de'                                                                         
        option password '*************************'                                                                         
        option ipv6 'auto'                                                                                                                 
        option mtu '1500'                                                                                                                  
                                                                                                                                           
config interface 'wan6'                                                                                                                    
        option device 'br-wan'                                                                                                             
        option proto 'dhcpv6'

Assuming you used the configuration previously posted by @lopez67876: Did you adjust the LAN interface section to use option device 'br-lan.1', as mentioned by @mk24?

(Unless the switch driver for this device is buggy, there still shouldn't be any need for the WAN port to be part of the bridge, though. Standalone ports are supported by DSA.)

This configuration won't work, as the interfaces of the Mochabin do not match those on @jkb's WRT1200AC.

No, eth0 is the interface which is internally used for communication between the switch and the CPU. You shouldn't use it directly (it won't work anyway).

What's weird is that your original configuration ("Config 1") didn't work, because it looks right to me (assuming the Vigor is actually configured to do the VLAN tagging/untagging).

2 Likes

Okay with the help from all of you i finally got it working!

I disabled the VLAN tagging at the moden now and activated the VLAN tagging at the router.

This is my /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd07:60d5:42ee::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config device
        option name 'wan'
        option macaddr 'c2:56:27:b8:d6:49'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'wan:t'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.10.1'

config interface 'wan'
        option proto 'pppoe'
        option force_link '1'
        option ipv6 'auto'
        option device 'br-lan.7'
        option peerdns '0'
        option metric '10'
        option password 'xxx'
        option username 'xxx'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'modem'
        option proto 'static'
        option device '@wan'
        list ipaddr '10.10.100.2/24'

So thank you!!

The only thing that is not working, that i can access the modem through the router. However this has not a high priority for me.
I sticked to this guide: https://openwrt.org/docs/guide-user/network/wan/access.modem.through.nat which suggests to put the modem and router to a different subnet and then adding a new interface at the routher with an ip different from the modems but in the same subnet. That makes sense to me, however a ping resulsts in Destination Host Unreachable. I read some more in the forum and some users wrote that it is not that straightforward when using PPPoE and another used VLANs at the modem (Accessing Home Hub 5 bridged modem through a router - #6 by moeller0) and router for accessing the modem - however i'm not able to do that with my moden. I can ping the interface of the different subnet (10.10.100.2) but it seems that the modem is not responding or the interface does not forward packages to the modem or wont let any back in.

1 Like

Using option device '@wan' for the modem interface means that it will also use VLAN 7, which is not going to work. You need to add an additional VLAN to the bridge (e.g. VLAN ID 10), which has the WAN port as its only member, set to untagged. Then you can use option device 'br-lan.10' for the modem interface.

If I remember correctly from when I was using a Vigor 130 as a modem myself, that device only allows access to the management interface from its own subnet. That means you'll need to enable masquerading for the modem zone in the firewall config. (If that restriction wasn't there, then adding a static route for your LAN subnet on the modem would also work.)

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.