How to Setup OpenWRT with WAN [Solved]

Hi, I have a TP-Link Archer C2 v1 (OpenWrt device page).
I'm running OpenWRT 24.10.0.

I am not familiar with the more advanced language and terminology used on the network settings page. However, I am not completely new to networking and I know the fundamentals. I am afraid that I may misconfigure something, as my WAN/Internet network configuration is abnormal.

My WAN/ Internet network configuration:

  • I get internet from a flat, my flat provides an RJ45 wall jack

  • I connect this to my router's WAN port via an Ethernet cable

  • Their network provides internet to me, it has client isolation & is somewhat locked down

  • To actually receive internet from this upstream network, I had to do one of the following (this is how it worked using the stock router firmware):

    1. Log in with my account to their network captive portal and allow the MAC address of my router in my account (this gives me internet once I add it, and gives me internet forever)
    2. Go into their captive portal, go to a page called "guest signup (24 hours)", input a real name and surname, press a button, and I have internet for 24 hours, for my whole router, not just the device I completed the captive portal on
    • I was thinking of capturing the packets and replaying them every 24 hours, so I could preserve my privacy
  • The ISP and network is managed and owned by a big "managed Internet solutions" company

  • More Info from OpenWRT: https://imgur.com/a/BmUfJzl

  • I selfhost my own DNS on my homelab (fyi)

  • All of the services on my LAN use a reverse proxy with a lets encrypt cert

TL;DR:

  • How can I correctly set up my WAN/Internet (what is the correct way)? I'm currently getting internet atm, but I feel like I've configured something wrong/insecurely
  • How can I prevent sharing any information/traffic/data about my network with the upstream WAN network (I'm thinking firewall rules)?
  • Any other tips for my specific configuration/settings to change? I would like to have a permissive firewall policy on my WAN

How did you configure it? Like this?

Don't change firewall settings.

I used method 2, but I haven't set up the automatic 24 hour packet replay yet; I'm doing it manually.

Sounds good, I'm assuming the default OpenWRT firewall conf is permissive enough?

Why not add your router's MAC (or edit the WAN MAC to match your last device) to the flat's portal system?

I thought you were seeking details on the restrictions, but yes, OpenWrt's firewall permits traffic from LAN to WAN by default.

Well, I'm aiming for privacy; my upstream ISP collects, stores, analyses and sells my traffic.
If I don't have an account they can't do this / know my identity.
If I make my WAN's MAC the same as my last one, it will still be linked to my internet account with all my info.

Would a VPN work in your case?


Important detail - thanks. I only thought they wanted MAC, not to create an account.

They know where you plug in already.

Use a fabricated MAC?

I considered this, but I think it's kind of redundant since all my devices already run Tailscale and even my services on my LAN are encrypted with HTTPS. I was thinking more like firewall rules, possibly blocking some outbound ports/protocols?

  • Already blocked by default
  • NAT/masquerade is enabled, they only see the WAN IP they issued to you
  • You already use Tailscale
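As an added illustration (not posted in the thread) of what "already blocked by default" means, these are the relevant stanzas of OpenWrt's stock /etc/config/firewall as I recall them; compare against your own router with `uci show firewall` before relying on them:

```uci
# Stock OpenWrt /etc/config/firewall, relevant parts only (verify on your device).
# Comments are placed on their own lines because UCI does not accept inline ones.

config defaults
	# Traffic aimed at the router itself is refused unless a zone overrides it.
	option input		REJECT
	option output		ACCEPT
	# Nothing is routed between zones unless a 'forwarding' section allows it.
	option forward		REJECT

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	# The flat's network cannot reach services running on the router...
	option input		REJECT
	option output		ACCEPT
	# ...nor anything behind it.
	option forward		REJECT
	# LAN addresses are hidden behind the single WAN address the upstream issued.
	option masq		1
	option mtu_fix		1

config forwarding
	# LAN -> WAN is allowed; there is no wan -> lan forwarding section,
	# so the global 'forward REJECT' applies in the other direction.
	option src		lan
	option dest		wan
```

`nft list ruleset` shows the nftables rules fw4 actually generated from this, which is the authoritative view if you have edited anything.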

Yep, you're right, but my landlord and my ISP are different companies. I'm pretty sure they don't actively share the exact flat -> port info with each other, since when I had to make an account to add my router's MAC address to my account (in order to get internet) they asked for my flat number and personal info, so I'm pretty sure they get all their info from the accounts.

They use a MAC whitelist for internet, so you MUST either have your device's/router's MAC on an account or do the 24 hour guest thing.


Ok...but what prevents you from making up a random MAC and adding it to your "account"?

Does method 1 present another concern you failed to mention?

I thought you were asking which setup was best - I didn't understand you prefer method 2. My apologies.

My bad, I've kinda just spurted a lot of information without making it coherent.

The TL;DR is that my ISP will sell my traffic and data. My account is associated with my flat and my real information, so I'm trying to avoid using a static account; even if I add another MAC address to my account they will still associate the traffic with my real info.

Correct :slight_smile:


Well, since you use Tailscale, not sure how much "traffic & data" they're getting. But OK.

I noticed one last thing:

Not sure what this solves - except providing more traffic and data.


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Alright, thanks for your help.
OpenWRT has good defaults by the looks of it, so I won't really need to be doing much configuration; you eased my paranoia haha


Do you always use another MAC, when you use the captive portal? On the other hand, when they associate the wall jack with your flat (i.e. switch 3 port 5 is flat 12) then they will always know from where the traffic originates.


I mentioned this as well.

If they ever needed to identify the flat (and open the :door: :police_car:), it would take seconds.

The user wouldn't notice until :police_officer:

(Unplug each flat one-by-one until the traffic stops.)


Adding OpenVPN or IPsec within the OpenWrt router should prevent ISP eavesdropping, and depending on how (or where) you interface with Tailscale, it would most likely be redundant either way - agreed. I suppose it depends how paranoid the privacy should be. If I were stuck in such a scenario I would configure a VPN connection from the OpenWrt router to a WAN-based VPS (the VPN server endpoint). From the VPS end you could possibly bridge to your Tailscale account. A bit excessive, and if you are concerned about hiding the MAC address(es) associated with your account from some sort of captive portal then none of this will work. Overall, VPNs are the way to go when masking your network traffic.


I'm not doing anything illegal haha; in their ToS it said that they share personal data with 3rd parties and reserve the right to store and analyse traffic.


Just be sure the hardware/software you are using is controlled and operated by you and you only. Maintain data encryption (e.g., VPN) and ensure your browser is properly configured (e.g., hardened) and you should be good.

Running Tailscale is a good solution, but where is your Tailscale Exit Node to the Internet?

To achieve your privacy goals the Tailscale Exit Node would need to be at another location. It would need to be at a trusted location (friend/relative); alternatively you could use the integrated Tailscale Mullvad Exit Node.