Connecting OpenWrt behind ISP router without bridge or modem only mode

I've been running a Linksys WRT1900ACSv2 for a few years now as the front-facing device, and it has always been directly connected to my ISP's ONT (optical network translator), allowing me to receive a public IP address on the PPPoE interface of OpenWrt.

Recently here in the UK the ISP BT has already started cutting all of the copper telephone lines and pushing the use of DECT phones for VoIP. This unfortunately means I will now have to run my OpenWrt router behind my ISP's one to be able to use my landline, and this introduces problems of its own such as double NAT.

At the moment I can confirm that the OpenWrt firewall is working because I have tested my DNAT and SNAT rules to achieve open NAT on my PS4 for Call of Duty, for example. Additionally I have UPnP working using a STUN server, as the OpenWrt router is unable to detect the public/WAN IP address behind my BT router.

I've got this working by placing the OpenWrt router into the BT router's DMZ and opening TCP/UDP 1-65535 on the BT router to the OpenWrt router.

Between the BT router and the WAN interface in OpenWrt I have used the IP subnet 192.168.20.0 with two static IP addresses, one at either end, so no DHCP at all. The BT router acts as the gateway with an IP address of 192.168.20.254 and the OpenWrt interface's IP address is 192.168.20.1.


On the WAN OpenWrt interface I have defined the DNS servers and the IPv4 gateway, which all of my other VLANs pick up. This interface is tied to VLAN 20, whose untagged port is physical LAN port 3, which is attached to one of the LAN ports on the BT router.

On each OpenWrt VLAN except for the WAN interface I have DHCP enabled.

Now all of this works using IPv4 but I would like to setup IPv6 and my understanding of IPv6 is still somewhat basic. Below is the IPv6 status page on my BT router.


How do I setup DHCPv6 on OpenWrt and allow it to talk to the gateway (the BT router)? I was looking at the example found here on the OpenWrt Wiki but they all use public IP addresses.

Essentially I want to create static IPv6 addresses for all of the VLANs with DHCPv6 and for OpenWrt to communicate with the gateway via IPv6 too. Can someone shed some light please?

The SmartHub2 has a /56 prefix, so it should delegate a prefix to OpenWrt as soon as you connect it. That is, if you have not changed something from the default configuration.

Just to get into this sub-topic, VoIP/SIP is a relatively standardized protocol. If your ISP provides you with the required account data, you don't need to use their router. There are SIP ATAs and SIP DECT base stations which can be used behind your router (e.g. OpenWrt; those can also be locked into their own VLAN/firewall zone), replacing the need for the ISP router. Depending on the ISP's OEM firmware, you may even be able to use their router as a client device behind your router in that capacity (e.g. the AVM Fritz!Box[0] all-in-one devices popular in Germany can be used that way, even if that isn't widely publicized).

--
[0] only two non-standard configuration settings necessary, configuring the Fritz!Box in "IPoE" mode as client device behind another router and regularly pinging the SIP server from the inside, to keep the SIP connection alive (hole punching into the firewall).


fwiw, sadly in the UK, BT and a number of other major ISPs refuse to provide technical information or support 3rd party voice adapters (ATA). They all insist customers must use the ISP router for VoIP.

The only exception is TalkTalk who appear to be 'trialling' Grandstream ATA, to perhaps be offered in the future to use alongside the Amazon Eero router they currently provide to ultrafast FTTP service customers.


There is a very good discussion on the Think Broadband forums https://forums.thinkbroadband.com/fibre/4664092-bt-fttp-with-digital-voice-alternative-to-smart-hub-2.html?fpart=all&vc=1

To summarise, BT won't provide the details, the SIP is encrypted and someone tried reverse engineering it using a custom PPPoE. There is also talk about OpenWrt somewhere in there too if I remember correctly.

If I can get IPv6 working between the two routers not only will it help me out but it will most likely help others who are in the same boat.

Openreach fibre lines are provided to a lot of UK ISPs such as BT, Sky, Plusnet, TalkTalk etc. Virgin Media also have their own digital phone system which connects through their 'Hub'.

Openreach also own most of the telephone infrastructure (the copper telephone lines) and these will be phased out eventually.

I think the idea of being able to run your own hardware behind the ISP is going to become more apparent. Once I get all of this working I intend to write a guide on the OpenWrt Wiki as I can see there being a real need for it.


fwiw, have you seen this thread on similar subject of IPv6 with an OpenWrt router behind BT smart hub, posted in 2017 on BT forum?

https://community.bt.com/t5/Archive-Staging/How-to-get-IPv6-working/td-p/1732761


I'll give it a read and have a play around.

Sorry for the very late reply. I have literally been busy re-arranging my new DIY desk and re-cabling that and my server rack.

I've managed to get IPv6 working but it's not what I was expecting and there are some things I'm unsure of or can't get to work. If I'm honest, all of this IPv6 stuff is confusing. I've been on this for months trying to get my head around it all, even to the point that I actually wrote a quite in-depth draft forum post with my frustration and confusion with IPv6 in OpenWrt, but I haven't posted it yet...

To get things working I created a DHCPv6 client interface on OpenWrt and attached it to VLAN 20, which is an untagged port that physically connects to one of the LAN ports on the BT router.

OpenWrt WAN6 interface General Settings

To allow the pass-through of the public prefix to my other VLANs/interfaces I had to check the Delegate IPv6 prefixes box under Interfaces > WAN > Advanced.

Under Interfaces > WAN6 > DHCP > IPv6 I have enabled Designated master and set everything to Relay mode.
OpenWrt WAN6 interface DHCP IPv6 Settings

On the LAN side of things, for example using my private LAN, I created a local, static IPv6 address. Now I've discovered a couple of ways of defining this: one is setting a manual interface IP address on the General Settings tab, the other is using the IPv6 assignment length, IPv6 assignment hint and IPv6 suffix. They both produce the same interface IP address, except that the latter prefixes the IP address using the IPv6 ULA-Prefix found under the Global network options tab. However, what's the difference? I have noticed that if I enable the IPv6 assignment length under the Interfaces > Private > Advanced Settings tab, the IPv6 settings disappear from the General Settings tab.

If I've understood prefix delegation (also written as PD) correctly, this is a set range of the public IPv6 address provided by the ISP that prefixes the overall IPv6 address? From my understanding of IPv6, every interface has its own 64-bit address, which means there are 18,446,744,073,709,551,616 unique client IP address combinations available. My ISP provides a /56 prefix, which leaves me 256 VLANs (subnets), and so I've tried to take advantage of this by using the IPv6 assignment hint parameter.

If you've guessed, my private VLAN has the ID 5! You can see this number in the 3rd octet of the IPv4 address as well as in the IPv6 address. Additionally the network address is 1 in the IPv4's 4th octet, and this is uniform with the IPv6 address's interface ID, where I have used ::1 in the IPv6 suffix parameter.
OpenWrt PRIVATE interface status

When I could connect my OpenWrt router directly to the internet without piggybacking through my ISP's router, I used to be able to see the 8-bit subnet from my varying VLANs in online IPv6 tests. Now that I'm behind the ISP router the IPv6 assignment hint parameter doesn't appear to work, and it just shows as 01 no matter which VLAN I'm doing an IPv6 test from.

Using the annotated IPv6 breakdown diagram below, say I have a VLAN with the ID 12, its local IPv4 address is 172.16.12.1 and its local IPv6 address is fdb0:dc72:61cd:12::1/64, taking the IPv6 ULA-Prefix from Network > Global network options in LuCI, which is fdb0:dc72:61cd::/48,

this would usually give me a global unicast address like the one below.

My final questions bring me to firewalling and updating DDNS. If I wanted to host something on my computer/server and access it from outside my LAN in the public IP address space, how would I do this with IPv6? I'm aware there is no NAT with IPv6 like there is with IPv4, which is where some of the confusion may be. Typically with IPv4 I would assign a static IP address with DHCP to the device I want to provide access to and create a traffic rule/port forward to allow access.

I have noticed with the IPv6 tests I've been doing through my web browser that the interface ID (the last 64 bits) keeps changing on the computer that is initiating the test. I do remember reading briefly about RFC 4941, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, such as in this IBM documentation here. With no NAT and the vast number of addresses a 128-bit IPv6 address space holds, there are enough IP addresses for every device in the world to do peer-to-peer connectivity. Obviously from a security standpoint that would be a nightmare if everyone could connect to one another! I'm assuming by default there are firewall rules in place on all operating systems, routers etc. that stop unauthorized IPv6 access? I can see why the privacy extensions are used: with EUI-64, the interface ID originates from the interface's/device's MAC address with FFFE stamped into the middle and the 7th bit flipped.

This makes me question how you implement firewall traffic rules for an interface that keeps changing? My computer has the following IP addresses but none of them match the IPv6 address seen on the online IPv6 tests.

Get-NetIPAddress -InterfaceAlias "WiFi" | Format-Table -AutoSize -Property IPAddress, PrefixOrigin, PrefixLength 
IPAddress                               PrefixLength PrefixOrigin        
---------                               ------------ ------------        
fe80::c72:2288:d15:a5b3%5                         64 WellKnown           
fd76:92b8:37a:0:b595:6b59:cd48:800a              128 RouterAdvertisement 
fd76:92b8:37a:0:c72:2288:d15:a5b3                 64 RouterAdvertisement 
2a00:dead:beef:ab01:b595:6b59:cd48:800a          128 RouterAdvertisement 
2a00:dead:beef:ab01:c72:2288:d15:a5b3             64 RouterAdvertisement 
192.168.5.145                                     24 Dhcp

Looking at the table above, straight away I noticed that DHCPv6 wasn't working on my OpenWrt Private interface and instead it was showing the IPv6 ULA prefix from my BT router. I fixed this by enabling the Delegate IPv6 prefixes checkbox. Let's try that again.

Get-NetIPAddress -InterfaceAlias "WiFi" | Format-Table -AutoSize -Property IPAddress, PrefixOrigin, PrefixLength 
IPAddress                                      PrefixOrigin PrefixLength 
---------                                      ------------ ------------ 
fe80::c72:2288:d15:a5b3%5                         WellKnown           64 
fdb0:dc72:61cd:5::b60                                  Dhcp          128 
fd76:92b8:37a:0:f805:f787:9f06:3759     RouterAdvertisement          128 
fd76:92b8:37a:0:c72:2288:d15:a5b3       RouterAdvertisement           64 
2a00:dead:beef:ab01:f805:f787:9f06:3759 RouterAdvertisement          128 
2a00:dead:beef:ab01:c72:2288:d15:a5b3   RouterAdvertisement           64 
192.168.5.145                                          Dhcp           24

In regards to DDNS, putting aside how the allowed firewall traffic rule is implemented, a domain name can only be registered to a single IP address. With IPv4 you can host multiple things behind a single WAN IP entry point using network address translation, specifically DNAT, to rewrite outside ports to internal ports. However, there is no NAT with IPv6 as far as I'm aware. After reading this article, DNS AAAA records can only be registered to a single interface on the internal network, as IPv6 is a direct connection. "If you run a dynamic DNS client on the router, then only the router's DNS record is updated, and there is still no way to access home PCs".

In my case the ISP delegation prefix would dynamically change but the interface ID would always stay fixed. Therefore this would mean I would need multiple domains/subdomains, each tied to its respective interface. DuckDNS only allows a-z, 0-9 and -, so this would mean if I wanted to reach my VPN endpoint, for example, I would need something like vpn-example.duckdns.org with a DDNS update script to update the prefix + interface ID for this domain name. At the same time, if I wanted to reach my Plex server, as this has a different interface ID but shares the same dynamic prefix delegation, this would need a domain like plex-example.duckdns.org.

Luckily enough there is a site called https://dynv6.com/ that allows you to update the ISP prefix whilst holding DNS records for all of the interfaces, which are accessible via sub-subdomains. You specify and update your ISP prefix like any DDNS updater, register the A and AAAA records to domain names using your device's interface IDs, and then it marries up the dynamic prefix with the static interface IDs.