OpenWrt on a modem router, or two routers, or modem+router with VoIP?

Hello !
Currently I have VDSL 100 from Telekom, I have FB7360 with FritzOS, I connect FB4020 with OpenWRT (planned to be replaced with RasPi4B with OpenWRT) to it, got some VLANs, then 4 Unifi APs with three SSIDs. It's so-called double NAT. I'm fairly inexperienced but I'm happy with the outcome here.

Now I want to set up elsewhere something similar in terms of Wifi need (6APs), but this time I would like to do it without double NAT. And in the new setting, 2-3 VoIP phones has to function reliably. (In my first setting I have a few phones, but just for fun: I don't need them. They are set up on FB7360 as prescribed.) I plan to get VDSL100 for this, too, but may upgrade to 250 at some point.
I've read about various possibilities as to how to avoid double nAT, like, getting a modem, or getting a router and use bridge mode, or DMZ or "Exposed host".
Another possibility is to get one modem-router with OpenWRT, but I saw this

looks rather complicated...

I am not sure what a good way to go for me.

I'm also undecided about double NAT. May be it's not so bad to keep double NAT, then I can just let the first router to do the phone, but may be someone wants to use getflix etc, supposedly it doesn't work with double NAT....

I would appreciate your suggestions as to what first router/modem I should get for my need, as well as about other concerns.

There currently aren't any devices with super-vectoring (250/40 MBit/s) supported by OpenWrt (while there are a couple doing plain VDSL2+vectoring/ profile 17b --> 100/40 MBit/s), so you will need a dedicated modem either way. A Fritz!Box with its own Fritz!OS can still do a pretty good job as VoIP/ SIP pbx, ATA, fax server and DECT based behind an OpenWrt router (IPoE mode, keeping the SIP session open by setting an SIP ping interval for every 30s). This would leave you with a three device setup, dedicated super-vectoring VDSL modem, mid- to highend OpenWrt router, 'something' to deal with your VoIP needs (a low-end -but OEM supported- Fritz!Box works well for this, if all your devices are using DECT, something like a Gigaset N510 IP Pro might do this job as well).

Given that OpenWrt compatible lantiq vr9/ VRX2xx devices supporting plain VDSL2+vectoring (100/40 MBit/s) can be found rather cheap (5-10 EUR) on the second-hand markets, it could also be a viable option to go with those for the time being and deferring the super-vectoring option to a later point in time, when that's actually on the table (just make sure that your chosen OpenWrt router has enough headroom for your desired WAN speeds).


Thank you very much for your info !
I'm not sure if I understood you right, you wrote that I would need three devices, but if I choose VDSL modem to be a fritzbox router, then I would just need two devices ? (but then I will have to find a right one so that I can avoid double NAT, if it's desirable that way)

And three devices would be needed if I do:
Pure Modem -- OpenWRT -- low-end FB for Phone (perhaps in IP client mode?) or DECT basis.

And for the choice of OpenWRT router, I guess I can follow what you wrote me before:

right ?

For the second option you are suggesting that I would install OpenWRT on, e.g. FB7360, that comes with VDSL2 100 capability, and do it with one router, is that right ? Isn't it rather difficult (for an inexperienced person) to connect VoIP to it ?

I recommend, what @slh already proposed: seperate modem and router function.

Currently you have a VDSL connection, in one or two years perhaps a fiber gigabit connection. In that case you just change the modem, everything else stays the same.

If you combine modem and router function in one device, then you'll narrow down your choice to a few devices. With separation of modem and router function, you'll have the choice of several hundred devices.

And now the VoIP part. It depends on your phone devices. If you have these analogue devices with the German TAE-Stecker, then you'll need a third device (e.g. a FB with VoIP) to connect these analogue devices.

But if you have real VoIP devices (those with a RJ45 plug), then there's no need for a third device. Just connect your VoIP devices with your router or switch and install a PBX software on your OpenWRT system. The OpenWrt repository contains asterisk, yate and some other.

I'm using yate and a happy camper with this solution. If you have further questions, don't hesitate to ask.

Thank you very much for your clarification !
Currently, I haven't bought any device for the new site, no phone, no router, no contract. I plan to order VDSL 100, or 250 (or upgrade later). Fiber won't come: I asked a Telekom technician, he said we have absolutely no hope:)
As for phone, if having analogue phone with FB with VoIP eliminates the necessity of installing PBX on OpenWRT, it might be easier for me: I'm kind of scared of pbx. If I use FB, I don't have to configure anything on OpenWRT for phone, right ? But I will check "yate" out: if it's not very hard, I might try... I can also do some practice, using my current site.

But slh is saying about FB "behind" OpenWRT (is it correct that "behind" means, so to say, closer to the ISP?) , in that case FB is a modem or bridge or whatever, but also pbx at the same time ?

No, with behind the router he surely? meant that the FB acting as dedicated VoIP base station sits inside your home network.
Like FB <-> OpenWrt router <-> DSL modem <-> ISP/internet.

IMHO this is the most versatile configuration. In fact I use something similar and used the flexibility this offers to exchange individual components (with a list of components I switched for the different functions):
VDSL2 modem: Speedport W723V, BT homehub 5a, Zyxel VMG1312-B30A
OpenWrt router: netgear wndr3700v2, turris omnia
VoIP base station: gigaset C610A IP

Yes, this takes more room and electricity than an all-in-one solution would. But it allows to ideally place the components: modem as close to the APL/TAE as possible, router and base station such that the dect/wifi coverage is optimized.
It also offers easy upgrade paths for each component without disrupting the rest, like switching from dsl to cable by replacing modem and authentication configuration in the router, and the VoIP base, if the ISP's SIP servers are used, or no change in VoIO base if non-ISP are used.... so a lot of flexibility.

1 Like

Thank you for the explanation ! Then it makes sense that slh is talking about "3 devices". I was confused by the word "behind". (I get also confused by uplink/downlink....)
I will have a lot of place for routers etc, there is going to be a patchpanel in a basement. (It's not a "home", let's say, a small business.)

And yeah, I would like and would need that one component can be modified without disrupting the other parts.
One question: when you replace a modem, what exactly do you have to change in OpenWRT router ? I didn't understand what you meant by "authentication configuration in the router".

Ideally nothing, but in my case both modems required different configuration to also reach the DSL status information, so I did make a few VLAN related changes, but that could have been avoided, if I had not desired to see DSL error stats (or if I had known the limitations of the Zyxel modem when I set up te BTHH5A, I am sure a common configuration should be possible).

Well, if you change ISPs you will get a different username and password and you might also change the access method, e.g. from PPPoE for DSL@Telekom to DHCP or DS-lite@Vodafone-Cable. But it is even possible to use a packet like mwan3 to configure concurrent access via DSL and cable at the same time, allowing for a seamless switch between ISPs (at least in theory, I have never tried that, since I am too cheap to pay for two ISPs at the same time)

OK, now I understood better: the access info to ISP has to be entered on the router, not on the modem.
Now, as I look at my current VDSL100, on the FB7360 there are four boxes with long numbers and a password. (Anschlusskennung, Zugangsnummer, Mitbenutzernummer, Persönliches Kennwort: that came to me per regular post) But when I look at OpenWRT PPPoE, I see only two boxes: PAP/CHAP username, and password. And then there are two more things to be left empty for autodetect. I would appreciate if you could tell me what number goes into which box ?

Ah, so Deutsche Telekom really just uses a username and a password over PPPoE/PAP, it just has some internal rules how to construct the username from the given komponents: Anschlusskennung, Zugangsnummer, Mitbenutzernummer.

For me, I had to concatenate:
as an example:
Anschlusskennung (12 digits): 111111111111
Zugangsnummer (12 digits): 222222222222
Mitbenutzernummer (4 digits): 3333
persoenliches Kennwort: 44444444

resulted in the following entries in /etc/config/network:

option username ''
option password '44444444'

And then you need to configure your VoIP base station....

Now I looked for PPPoE in forum and saw many postings about PPPoE connection dropping, or not working properly. Especially I saw several about wrt1200ac, wrt1900ac (these are the routers I'm considering on for my new project.) So I'm worried a bit. Is it a known problem, one has to be ready for ?

On the other hand, I suppose majority of OpenWRT users are using Modem+Router, so it should work stably ?

Wow, thank you for your quick reply !! It's very interesting !! And it's written nowhere, that you have to it this way ! Or is it somewhere on telekom site ?

I have a linksys pap2t. That also had two boxes, and I didn't know what to do. But in the end I entered the login info of customer service page, then it worked. (login name is I don't understand why....


Well, Deutsche Telekom actually introduced a system called easy login a few years ago, where your line is identified by its line-id, information injected by the DSLAM (or some other node on the telekom side), so neither password nor username are required (unless you disable his easy login). Now, many routers still require you to enter something, but Telekom will just ignore PPPoE/PAP supplied username and password if easy login is activated (and I believe it is activated by default).

Thanks a lot for the links !
Now I checked my preference on Telekom, easy login was indeed activated. This would mean, as long as I use Telekom, on the router behind the modem, I don't actually have to enter a correct access info, as long as there are something entered ?

With my pap2t, I think it wasn't the result of easy login: I tried many different things and all failed except my gmail address.

Just having looked this up and realized this is not a router but an analog telehone adapter (ATA), I agree, easy login should not matter for this... But I have no first hand experience with this device so I will refrain from further speculation.

Even if you do explicitly disable easy-login, DTAG will take every opportunity to silently enable it again…

I am getting to be interested in this two-WAN option. Are the phones/base going to understand where they should be connected if I configure them as if there is just one WAN ?

As I said, I never tried that, but I assume that VoIP base station already need to deal with changing IP addresses so things should be okay. BUT, for example O2 requires one to use its own DNS servers to resolve the addresses of its VoIP/SIP servers, and that might only work from with in its own network, so this needs testing and deoends on your VoIP provider. At least that is my best guess, as stated before, I never played with mwan3/multi-homing myself.

First thank you for your comment about two-WAN thing.
Now, regarding your comment above, if I want OpenWRT router to be ready for both modem and another router (double NAT), can I just set up two WAN interfaces, one with PPPoE, one with DHCP client (as it comes by installation), and put them in Firewall Zone WAN, would the right one just start working and do the job when I connect the router to modem or router ? Right now I just have one internet contract and have no modem around, so I can't experiment: I created "WANPPPoE" with username and password entered, so far it's doing nothing because OpenWRT is connected to FB7360. It doesn't seem to be disturbing anything. It would be nice if it starts working right away in case I get a modem.

I do not think this will work out of the box like this... personally I would probably try with the mwan3 package, which seems to offer most of what you want to use. But again, for lack of a second link, I never played with multi-homing my home network, so I am not the best person to discuss this specific topic with.