Inserting my openWRT router between ISP's ONT and router *transparently*

My ISP's router box "NeufBox 6V" provides 3 services (most French ISPs do "triple-play"):

  • routing (1 GbE and 802.11ac Wifi)
  • telephone
  • TV streams

To do that, it uses a specific list of TCP and UDP ports.

I would like to insert my openWRT router between the NeufBox and the ONT, as transparently as possible so that it is still providing services, but using my own device for the routing. The key issue is I'd want the NeufBox to use the real public IP address, as it is now, to make sure all services remain unaffected by my router.

The objective is to have the inserted router be completely transparent, as seen from the ISP devices. I think that's a useful setup in many situations, and tried to come up with ways to do that.

My plan is:

  1. relay DHCP packets between the NeufBox and my ISP so that it is configured just as it is now, while intercepting the network parameters to configure eth0 on my own router.
  2. forward all the TCP and UDP ports used for telephone to the NeufBox
  3. set the eth0 MAC address on my router to be the same as the NeufBox, and do what it takes to receive all packets sent by the gateway, so either:
    3.a set the eth0 IP address to the public address (the one given in the DHCP offer from the ISP). But then I don't know how I could configure routing on my router to forward packets to the NeufBox, as its IP address is the same as my eth0.
    3.b set the eth0 IP address to a private address, say 192.168.254.1, and DNAT/SNAT all incoming/outgoing internet packets to this address, meanwhile proxying ARP requests to/from the NeufBox so that the ISP gateway can send ethernet packets to my router.

I don't see what could fail with the 3.b alternative, even if it is a bit ugly. But I haven't yet tried.

Does anyone have any hints on this plan? Any ways to make 3.a work (I'd prefer avoiding 3.b if possible)?

Oh, and I know it would be easier to subscribe to a SIP phone account and just get rid of the ISP device, or use my openWRT below the NeufBox in a DMZ. That is not the point of this post.

I don't know from where people keep getting this transparent magic box idea from.
No, it can't be done.
Get rid of your ISP box, profit.


Someone asked a similar question the other day. I think you were a poster in that thread too.

This Wiki entry seems to imply it's possible, but it's unclear that it's actually referring to the ISP device:

See: https://openwrt.org/docs/guide-user/network/wan/bridge-mode#half_bridge

I provided an option; but it would work in their authentication use case.

Well, I don't think configuring a router to forward a given set of ports to one of its LAN ports while keeping all the other ones for itself requires magic.

In the plan I outlined, what do you think would be a no-go?

This is a simple port forward/DMZ then - see example here:

FYI, this will not do (and isn't) what you described in Post No. 1 though.

Right, my objective is not a simple port forward. I want to configure my router to sit in the middle, forwarding a set of ports AND dhcp AND arp.

In details you're right it's not that simple, so it's not what the post you linked did.

My plan is uncommon, but I think I'll end up trying it out.

Did you see the steps in the "Half Bridge" link?

I would suggest trying that then.

Sure you can configure an OpenWrt 'router' to bridge two ports and essentially pass ethernet frames through the OpenWrt device pretty transparently. What you will not be able to do is use that device to access the internet... To do that this device will need to use some of the port space you want for the NeufBox, so you can't have your cake and eat it...

Yes, thank you. My ISP no longer offers this setting, only a "DMZ" mode, which is what I'm using atm.
This way I can use my own router without double NAT, but with around 1700 TCP and UDP ports reserved by the ISP box (thus not forwarded to my router), I think every new connection initiated on my LAN has a small risk of failing due to using one of those. And although my ISP gives me an IPv6 range, it is very badly handled by the supplied NeufBox.

Anyway, reading about bridging made me investigate the possibilities of Linux bridging, and I found: filtering is possible in the bridge.
And I think that's actually the best, cleanest way to do what I want: bridge the ISP gateway to the ISP box, but filter packets not matching the specified ports and redirect those to the IP prerouting hook so my router will route them.

I'll try that in a week or two.


The NeufBox does specify the full list of the ports it needs for itself. So, yeah, bridging and filtering all the non-reserved ports for my own use should work pretty well.

Bridge filtering is one thing.

But anything else you've said there.... doubt it.

Well, ebtables does provide:

  • the required targets

-t, --table

broute is used to make a brouter, it has one built-in chain: BROUTING . The targets DROP and ACCEPT have a special meaning in the broute table (these names are used instead of more descriptive names to keep the implementation generic). DROP actually means the frame has to be routed, while ACCEPT means the frame has to be bridged.

  • and the required filtering rule, in the ip extension:

--ip-destination-port [!] port1[:port2]
The destination port or port range for ip protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted, 0:port2 is used; if port2 is omitted but a colon is specified, port1:65535 is used. The flag --ip-dport is an alias for this option.

I discovered that brouters are a thing, and I believe that's very promising for my use case.

Update:
I found the v6brouter scripts written by cvmiller for openWrt 15.05.1, with detailed explanations. Not exactly what I want to do, but it looks like a pretty solid example to work from. Problem is, it seems the broute table was dropped on the way from ebtables to the newer nft implementation. There might not be a simple way to redirect a packet from the bridge layer to the routing layer in some (future?) versions of netfilter on openWrt.
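As an added illustration of the brouter idea described in this post (not code from the thread, from cvmiller's scripts, or from OpenWrt), the function below emits a legacy-ebtables BROUTING ruleset in which everything arriving from the ONT is handed to OpenWrt's IP stack except the ports the box reserved, which stay on the bridge. It assumes the legacy ebtables that still has the broute table, eth0 facing the ONT and eth1 facing the NeufBox, and a constructed port list in place of the box's real one; the DHCP relay from step 1 of the plan is not covered.

```shell
#!/bin/sh
# Added example: build ebtables-legacy BROUTING rules for the brouter plan.
# In the broute table, ACCEPT = bridge the frame on to the NeufBox and
# DROP = give it to the IP stack so OpenWrt routes it (ebtables man page).
# Interface names are assumptions; adjust them to the real ports.
WAN_IF="${WAN_IF:-eth0}"   # assumed port facing the ONT
BOX_IF="${BOX_IF:-eth1}"   # assumed port facing the NeufBox

# brouter_rules "<tcp|udp> <port1[:port2]>" ...  -> prints ebtables commands.
# Frames from the ONT are routed unless their destination port is reserved;
# ARP from the gateway and everything coming from the box side are bridged.
brouter_rules() {
  echo "ebtables -t broute -F BROUTING"
  # Chain policy DROP: by default the frame leaves the bridge and is routed.
  echo "ebtables -t broute -P BROUTING DROP"
  # Replies and outbound traffic from the box keep their path to the ONT.
  echo "ebtables -t broute -A BROUTING -i $BOX_IF -j ACCEPT"
  # The gateway's ARP must reach the box, which shares eth0's MAC.
  echo "ebtables -t broute -A BROUTING -i $WAN_IF -p ARP -j ACCEPT"
  for spec in "$@"; do
    proto=${spec%% *}
    ports=${spec#* }
    case "$proto" in
      tcp|udp) ;;
      *) echo "brouter_rules: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    echo "ebtables -t broute -A BROUTING -i $WAN_IF -p IPv4 --ip-proto $proto --ip-dport $ports -j ACCEPT"
  done
}

# Constructed sample list (a SIP port and an RTP range), not the NeufBox's
# published list. Review the output, then apply it with: brouter_rules ... | sh
brouter_rules "udp 5060" "udp 10000:20000" "tcp 5060"
```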

If you have time to waste I wish you a lot of fun.
I doubt that in the end you will not return to using the NeufBox alone

I'm at Orange with a LiveBox 6 !!!

I use OpenWrt only for WIFI as:

LiveBox 6 < - Wifi 5GHz - > OpenWrt + USB / Samba < - Lan - > TV UHD + computers