Help request for router configuration

Hello team,
I need some help for the configuration of my ASUS router with 24.20.5, since my goal is to partly replace an ISP router with it, but keeping VoIP service on the ISP router (a VX830v TP-Link with proprietary firmware).
The following picture shows the topology change I'm aiming at.

ISP is using FWA access modem, which is connected to the VX830v (handling VoIP service) and then there is a cascaded ASUS (ASUS-STUDIO) with OpenWRT handling my home network.

The ethernet cable between modem and VX830v carries 3 services:

  1. modem management (no VLAN, modem is acting as DHCP server)
  2. Internet access with public IP (VLAN 10, modem is acting as DHCP server)
  3. VoIP service (VLAN 20, again modem is acting as DHCP server).
    The configuration of the modem, and the VLANs, cannot be changed.

The VX830v WAN is setup accordingly, with 3 "interfaces" as shown in the picture:

  1. ipoe_0_0_d (no VLAN) for management
  2. ipoe_20_1_d (VLAN 20) for VoIP
  3. ipoe_10_2_d (VLAN 10) for Internet and TR069.

I need to keep the VX830v for VoIP, but I do want to use my ASUS as the front end to the modem.
I have no VLAN-capable switch to connect to the modem, so the ASUS must handle VLANs 10 and 20 towards modem and VX830v.

So the WAN port of VX830v will connect to LAN3 of the ASUS, and the WAN port of ASUS will connect to the modem. Of course ASUS port will need to carry modem management, VLAN 10 (Internet) and VLAN 20 (VoIP).
VLAN 10 will be used as Internet gateway by ASUS (no longer by VX830v, so VLAN 10 will "terminate" inside ASUS-STUDIO acting as DHCP client), while VLAN 20 must be stretched to VX830v which is the DHCP client without modification of the traffic.
Modem management (no VLAN) must as well be terminated inside ASUS-STUDIO (DHCP client).
ASUS-STUDIO is also supplying Wireguard and ADblock-lean, as well as DDNS client to DYNU.

ASUS-STUDIO is 192.168.10.1/24, and is acting as DHCP and DNS server for my home network, while VX830v is 192.168.10.2/24.
192.168.10.0/24 is the home network subnet (used as Intranet).
I also use 192.168.12.0/28 for Wireguard, and 192.168.11.0/24 as LAN subnet for VX830v (just when I connect to this box for local management).

As can be seen in this post, my attempt to configure ASUS-STUDIO did somehow reach the goal as can be seen below (192.168.192.0/24 is used for modem management)....

... but @psherman correctly pointed out there are many errors, especially in the VLAN configuration.

So I am asking your support to rework it out.

Here is the schematic of the solution:

This is the "interface" panel of Luci

This is the "device" panel (there is no "VLAN filtering" configuration in any of the bridges)

And here is network config of ASUS-STUDIO (client part of Wireguard removed)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:9f6a:ecc7::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        option bridge_empty '1'
        option priority '1000'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option stp '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option defaultroute '0'
        option delegate '0'
        option force_link '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'lan1'
        option ipv6 '0'

config device
        option name 'lan2'
        option ipv6 '0'

config device
        option name 'lan3'
        option ipv6 '0'

config device
        option name 'phy0-ap0'

config device
        option name 'phy1-ap0'

config device
        option name 'wan'
        option ipv6 '0'
        option macaddr '50:EB:F6:83:1C:A7'


config device
        option type '8021q'
        option ifname 'wan'
        option vid '10'
        option name 'wan.10'
        option ipv6 '0'
        option macaddr '50:EB:F6:83:1C:A6'

config interface 'Internet'   # Internet
        option proto 'dhcp'
        option device 'wan.10'
        option hostname 'Internet'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option delegate '0'

config interface 'Gestione'    # modem management
        option proto 'dhcp'
        option device 'wan'
        option hostname 'Gestione'
        option defaultroute '0'
        option peerdns '0'
        option delegate '0'

config device
        option type 'bridge'
        option name 'br-VoIP'
        option bridge_empty '1'
        option ipv6 '0'
        list ports 'lan3.20'
        list ports 'wan.20'

config device
        option type '8021q'
        option ifname 'lan3'
        option vid '20'
        option name 'lan3.20'
        option ipv6 '0'
        option isolate '1'

config device
        option type '8021q'
        option ifname 'wan'
        option vid '20'
        option name 'wan.20'
        option ipv6 '0'

config interface 'VoiPtunnel'
        option proto 'none'
        option device 'br-VoIP'
        option defaultroute '0'
        option delegate '0'

config route
        option interface 'lan'
        option target '192.168.11.0/24'    # subnet of VX830v LAN
        option gateway '192.168.10.2'

Firewall panel:

This is the part for "voIP" (nothing special indeed -- masquerading (NAT) is performed by VX830v)

And finally the firewall config (Wireguard omitted).

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        option mtu_fix '1'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'Gestione'
        list network 'Internet'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Allow-Ping'
        option src '*'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option dest '*'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config zone
        option name 'VoIP'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option log '1'
        option family 'ipv4'
        list network 'VoiPtunnel'

Note: log is showing the following warning, but the VoIP service is correctly working and the VLAN 20 interface of VX830v is ok :slight_smile:

Sat Feb 28 20:05:18 2026 kern.warn kernel: [48435.042238] reject VoIP in: IN=br-VoIP OUT= MAC=ff:ff:ff:ff:ff:ff:ee:fa:c4:fe:2b:40:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=62124 PROTO=UDP SPT=68 DPT=67 LEN=556

Thanks in advance for any help, appreciated :folded_hands:
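The rejected packet in the log line above can be decoded field by field. This added example (not part of the original post) parses it and shows that it is a DHCP client broadcast received on br-VoIP: a Linux bridge hands broadcast frames to the local stack as well as forwarding them, so the VoIP zone's `input 'REJECT'` with `log '1'` records the local copy while the bridged copy still crosses VLAN 20. The function names are hypothetical.

```python
import re

# Log line copied from the post above.
LOG_LINE = (
    "Sat Feb 28 20:05:18 2026 kern.warn kernel: [48435.042238] reject VoIP in: "
    "IN=br-VoIP OUT= MAC=ff:ff:ff:ff:ff:ff:ee:fa:c4:fe:2b:40:08:00 "
    "SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=62124 PROTO=UDP SPT=68 DPT=67 LEN=556"
)

def parse_nf_log(line):
    """Split a firewall log line into zone, chain and KEY=value fields."""
    m = re.search(r"\b(reject|drop) (\S+) (\w+): (.*)$", line)
    if not m:
        return None
    action, zone, chain, rest = m.groups()
    fields = {}
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if sep and key not in fields:  # keep the first LEN= (IP length), not UDP's
            fields[key] = val
    rec = {"action": action, "zone": zone, "chain": chain, **fields}
    # MAC= is destination (6 bytes), source (6 bytes), EtherType (2 bytes).
    mac = fields.get("MAC", "").split(":")
    if len(mac) == 14:
        rec["dst_mac"] = ":".join(mac[:6])
        rec["src_mac"] = ":".join(mac[6:12])
        rec["ethertype"] = "0x" + "".join(mac[12:])
        # Bit 0x02 of the first octet marks a locally administered address.
        rec["src_mac_local"] = bool(int(mac[6], 16) & 0x02)
    return rec

def classify(rec):
    """Label the record; only the DHCP client broadcast case is recognised."""
    if (rec.get("PROTO") == "UDP"
            and (rec.get("SPT"), rec.get("DPT")) == ("68", "67")
            and rec.get("SRC") == "0.0.0.0"
            and rec.get("DST") == "255.255.255.255"
            and rec.get("dst_mac") == "ff:ff:ff:ff:ff:ff"):
        return "dhcp-client-broadcast"
    return "other"

if __name__ == "__main__":
    record = parse_nf_log(LOG_LINE)
    print(record["zone"], record["IN"], record["src_mac"], classify(record))
```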

You can sniff packets on the wire and put voip in a separate vlan and have your router between roof antenna and phone-router. I.e. wan connection is wan.20 and then bridge (without ip config) wan.10 and to vlan10 on one of lan ports.

The VoIP VLAN should only trunk through the OpenWrt router as a layer 2 switch. OpenWrt does not need to hold an IP address on this VLAN. You do need to declare an Interface for VLAN 20 with protocol Unmanaged (proto none in the CLI) in order for the DSA or software bridge to start up.

Start out simple. The ISP router probably only needs VLAN 20 from the modem for the phone service to work.

I didn't find a "Studio" model so not certain what chipset it has. Does it also have an RT model number?

That's what I think I've done.

I did not use any "VLAN filter" since I already bridged the VLANs (not the physical devices, since WAN of course must as well carry VLAN 10 for Internet).

Sorry :slight_smile: ASUS-STUDIO is the box name. This is a RT-AX53U (WiFi6)

Not sure I understand. Voip is VLAN 20 and must be bridged between LAN3.20 and WAN.20.
VLAN 10 is for Internet.

You have to remove lan3 port from br-lan to manage vlans independently, better post resulting copy of /etc/config/network (wg removed) in place of pictures.

If I remove LAN3 from the bridge, I lose the reachability of the TP-Link @192.168.10.2.
The network config is in the OP.

Yes, tplink is drgraded to a phone cord

It's a MT7621 chip, so it is DSA. With DSA use one bridge with bridge-vlans inside the bridge. Add the wan port to the existing br-lan. If the default configuration does not have VLAN filtering on br-lan, you will need to enable it, make the existing lan ports untagged on a VLAN number (conventionally 1), and change the lan Interface's Device from br-lan to br-lan.1

First though start up a wifi AP on lan and connect to the router via wifi so you should not lose connection while changing the Ethernet.
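A small check for the pattern the replies above object to: a port that is a member of one bridge while an 802.1Q sub-device of the same port is a member of another (in the posted config, `lan3` in `br-lan` and `lan3.20` in `br-VoIP`). This is an added example, not code from the thread; the parser handles only the `config`/`option`/`list` lines used here, and the function names are hypothetical.

```python
import shlex

# Trimmed from the /etc/config/network posted above (bridge and VLAN devices only).
NETWORK = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
config device
        option type 'bridge'
        option name 'br-VoIP'
        list ports 'lan3.20'
        list ports 'wan.20'
config device
        option type '8021q'
        option ifname 'lan3'
        option vid '20'
        option name 'lan3.20'
config device
        option type '8021q'
        option ifname 'wan'
        option vid '20'
        option name 'wan.20'
"""

def parse_uci(text):
    """Minimal UCI reader: a list of sections holding their options and lists."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"_type": tok[1]})
        elif len(tok) == 3 and tok[0] == "option" and sections:
            sections[-1][tok[1]] = tok[2]
        elif len(tok) == 3 and tok[0] == "list" and sections:
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections

def split_ports(text):
    """Return (port, its bridge, VLAN sub-device, that device's bridge) tuples."""
    devs = [s for s in parse_uci(text) if s["_type"] == "device"]
    member = {p: d["name"] for d in devs if d.get("type") == "bridge"
              for p in d.get("ports", [])}
    return sorted((d["ifname"], member[d["ifname"]], d["name"], member[d["name"]])
                  for d in devs if d.get("type") == "8021q"
                  and d["name"] in member and d["ifname"] in member
                  and member[d["ifname"]] != member[d["name"]])
```

On the trimmed config, `split_ports(NETWORK)` reports only `lan3`; `wan` is not flagged because the raw `wan` port is not a member of any bridge.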

There is no DSA quickpath to outside DSA, pretty indifferent whether you go one or other way.

The MT7621 has all 5 physical ports in one switch, so when you use one bridge, DSA will switch them by hardware. Not that it matters that much for VoIP.

On AX53U wan is cut out to 2nd serdes and goes via CPU either way. Similarly priced filogic is other thing.

Let me elaborate my point.
I can only use the WAN port of the TP-Link to reach it from the ASUS (hence from my home network).
The WAN of TP-Link must carry VLAN 20 for VoIP and (I forgot to point this out, sorry) must as well reach an NTP server (needed for VoIP as well) -- in the initial setup, NTP server is reached via ipoe_10_2_d (Internet), but Internet is now connected to ASUS; so I decided to keep LAN3 in br-lan (because it is in the same L2 broadcast domain as LAN1 and LAN2 and WiFi) and assign the IP address 192.168.10.2/24 to interface ipoe_0_0_d.

If LAN3 is removed from br-lan, how will it be possible to reach the TP-Link from ASUS at L3?
LAN3 must be L2 ASUS side, since the L3 IP address must be on TP-Link side.

You mean "degraded"? That is true in practice, but TP-link must be able to reach NTP (not possible via VLAN 20).

Let's see if I have understood your suggestion.
Is this what you mean? (each port is UNTAGGED + NATIVE VLAN on VLAN 1)

Then the current interfaces would map this way...?

Gestione  ==> wan
Internet ==> br.lan.10
VoiPTunnel ==> br.lan.30
lan ==> br-lan.1

I suspect this might screw up the TP-link, but if you confirm... I will try :slight_smile:
NB: br-lan would be a misleading name at this point, so I will probably change it to br-switch or something like it :slight_smile:

It is TWENTY - two-zero - in the first diagram.

My AX53U has got 1 WAN port and 3 LAN ports. In the future I am considering Flint2 as a replacement!

I'm sorry, I don't understand this point. Cannot understand what you mean by "serdes", apologies.

My fault! It's 20 in the figure above.
Is my attempt to DSA correct?

First remove your trunk ports (lan3 and wan) from the LAN VLAN 1.

It's going to get complicated if you need to provide VLAN 10 to the ISP router as a different network than VLAN 10 from the modem. Hopefully you don't actually have to do that, and the VoIP service will work with only VLAN 20.

It is what normally is understood as network card, on a normal desktop one network card is linked to one port, here one card seen by CPU handles WAN port, another a switch with 3 ports.

Ok. Shall I set them Not member or is Primary VLAN?
I need the Gestione interface (with no VLAN) towards the modem (as DHCP client).

No, VLAN 10 terminates inside ASUS.
In the figure above, I only tagged WAN.
TP-Link will have VLAN 20 for VoIP and no VLAN for reaching ASUS and Internet (including NTP server).
I mean: since TP-link will NAT outgoing traffic on interface ipoe_0_0_d with its L3 address 192.168.10.3, it will reach Internet via ASUS.

It should be br-lan.10 for internet access.

The FWA modem must be managed via WAN (no VLAN).
It does not respond to management on VLAN 10 (for security reasons, since VLAN 10 is Internet).