Interface configuration for subnet behind ISP's router

Hi there,

I have a few questions about the basic setup of a subnet behind an ISP's router. As a complete newbie, I have looked at a rough guide (OpenWrt auf FRITZ!Box 4040 in german).

The configuration there looks like this:

  • Establishing internet connection through ISP router
  • Connection of OpenWrt device without modem to ISP router (LAN of ISP to WAN of OpenWrt)
  • Routing rules in ISP router for OpenWrt subnet to WAN port of OpenWrt device
  • Connection of the clients with OpenWrt device (either via LAN or Wifi)

The idea is that the ISP router, as a rental device and property of the ISP, serves only as an access point to the Internet.

From the OpenWrt documentation I have already seen that it is important that the two subnets ISP and private must not be in the same IP address range. However, it doesn't go into further detail there about configuring the interfaces – so I guess that's not necessary? In the guide above LAN, WAN and Wifi of the OpenWrt device are configured with static IP address. In OpenWrt the default is "br-lan".

As a newbie, it's not really clear to me what the significance of these differences are. So I would appreciate some enlightenment on this. :slight_smile:

To make my request a bit simpler again and not to scare anyone off with the linked instructions in German :grinning::

In principle, the ISP router should be considered untrusted. My devices should only connect to the OpenWrt device. Since the OpenWrt device has no modem, the ISP router is necessary. Also, the OpenWrt device is to act as a DNS server for my devices.

In the above context I read that configuration as exposed host and double NAT are to be avoided. :thinking:

First of all, as long you ensure different subnets on both routers, OpenWrt would already 'work' as-is, without any other configuration. Yes, this double-NAT setup is not ideal, but you still have a working internet connection that way.

In an ideal situation, you'd do away with the ISP router completely - either by relegating it to pure modem duties (if the ISP's firmware allows that (e.g. via PPPoE-passthrough), terminating the PPPoE session on your OpenWrt router instead; this also implies that the ISP router can no longer cover your landline/ VoIP phone services) XOR physically replacing it by a pure VDSL modem. In this setup all the security decisions are made on the OpenWrt device, your external WAN IP terminates there and port forwardings/ VPN setups, UPnP and similar advanced features work as intended. In Germany this is possible as explicitly covered by law, the ISP cannot interfere with this operation (as they sometimes like to and did in the past).

Kind of a middle ground would be retaining the ISP router as router (including phone services, if you like) and running your OpenWrt router without NATing behind that (this requires the ability to configure a static route on the ISP router to your OpenWrt subnet) and disabling masquerading. This still largely depends on the ISP router behaving 'sanely' and safely, with port-forwardings et al having to be done twice.

1 Like

I guess the last scenario would be reasonable for me as the ISP router allows routing. However, I'm not sure, what this means for the interface configuration in OpenWrt. So far, I only changed the IP adress of the lan interface and enabled WLAN.

If I'm right, I have to configure the wan with a static IP adress in the subnet of the ISP router (which is 192.168.178.x) and the lan to a different (e. g. the OpenWrt's default Than, in the ISP I need a route for directed to the OpenWrt wan interface.
Is this correct?