OpenWrt router in a DMZ

Hi,

I'm currently using the router from my ISP and it's very basic and has awful Wifi.
I'd like to use an OpenWrt router (I don't have it yet, I think I'll go with the BPI-R4 when it's released) but unfortunately my ISP router doesn't have a bridge mode.

I think the only way to use the OpenWrt router as the "main" router is through a DMZ: my ISP router will be configured to DMZ to the OpenWRT router, and I'll have an AP connected to the OpenWrt router for Wifi.

I have a self-hosted website so I need NAT, but I'd like to avoid double NAT.

Here are diagrams to show what I currently have and what I'd like to do.

Current:

What I'd like to do:

Is that possible or am I missing something? Do you have any caveat about this configuration?

Thank you for your help.

Since you have an Ethernet ONT, if possible replace the ISP router directly with your OpenWrt router in order to avoid double NAT.

The rest is up to you.

3 Likes

Thank you for your answer.

Unfortunately the link between the ONT and the ISP router is not RJ45 but an optical cable.
So I need to use the ISP router anyway.

I want to make the OpenWrt router the main router with all the firewall rules including NAT, so in case I have to create a new rule I only need to add this rule to OpenWrt.
To sum it up, the ideal would be that I don't have to touch the ISP router anymore once DHCP is disabled and DMZ enabled to 192.168.2.1.
If that's possible then I'm totally fine with it.

1 Like

Since you want to solve that on top anyway, I would start small and look for a dedicated OpenWRT access point device first.
Get one that has more than 1 LAN port, then you can test-run your whole router scenario as well.

If your single NAT / DMZ scenario turns out unusable in that test run, just add the OpenWRT access point to your regular ISP router and be happy about the better WiFi.
If the DMZ plan turns out well on top of that, consider either continuing to use OpenWRT as a combined router/AP or getting an additional, more powerful dedicated OpenWRT router device as a sidekick for the OpenWRT AP.

Yes I want to get rid of the awful WiFi but that's not the only benefit I want from OpenWrt.

Basically I'd like to be able to use OpenWrt features for all devices connected to my LAN, both WiFi and RJ45.

From what I see it's not as trivial as I thought.
I have a spare Raspberry Pi 3 somewhere so maybe I can add a LAN port, try it acting as an OpenWrt router and see if it works as expected.

Thank you all for your help.

Hi.
A tiny suggestion would be to set the ISP router to 192.168.2.1, and keep 192.168.1.x/24 for the OpenWrt network. Just because OpenWrt uses this subnet as default.

We don't know the make/model of your ISP router, so searching for either "IP Passthrough" or "Bridge Mode" would be what you are looking for to allow your OpenWRT router to acquire your public IP. Once that is accomplished, disable all WiFi for both 2.4 & 5 GHz in the ISP router.

Reply to @Wilthril , (s)he is the OP :wink:

1 Like

@Wilthril

Then search for IP Passthrough Mode

1 Like

@Wilthril What's the Make/Model/ISP?

2 Likes

Hi,
Please look at these 2 wiki articles:
https://openwrt.org/docs/guide-user/network/wan/dmz-based-bridge-mode and https://openwrt.org/docs/guide-user/network/switch_router_gateway_and_nat.
It should work. At least it worked for me. The only problem is if you are behind CG-NAT.
Kr
K
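As an added example (not from the two wiki pages above, and not code from anyone in this thread), here is a POSIX shell script that prints the OpenWrt UCI batch for the DMZ-based bridge-mode layout, together with the sanity check behind the earlier suggestion to keep the ISP box and the OpenWrt LAN on different /24 subnets. All addresses are assumptions: 192.168.2.254 for the ISP router (constructed), 192.168.2.1 for the OpenWrt WAN (the DMZ target mentioned in the thread), 192.168.1.1 for the OpenWrt LAN, and 192.168.1.10 for a hypothetical self-hosted web server behind a port forward.

```shell
#!/bin/sh
# Added example, not from the wiki or any poster. Emits the UCI commands for an
# OpenWrt router placed in the ISP router's DMZ and refuses to proceed when the
# two /24 subnets collide. Addresses are assumptions chosen for illustration:
#   ISP router LAN : 192.168.2.254/24  (constructed)
#   OpenWrt WAN    : 192.168.2.1/24    (the DMZ target named in the thread)
#   OpenWrt LAN    : 192.168.1.1/24    (OpenWrt's default subnet)
#   web server     : 192.168.1.10      (hypothetical host for the port forward)

# First three octets of a dotted-quad address, i.e. its /24 prefix.
prefix24() {
    printf '%s\n' "$1" | cut -d. -f1-3
}

# Return 0 when the plan is consistent, 1 otherwise:
#  - the OpenWrt WAN must sit in the same /24 as the ISP router (it is that
#    router's DMZ host), and
#  - the OpenWrt LAN must be a different /24, otherwise routing between the
#    two sides is ambiguous and the static route cannot work.
subnets_ok() {
    isp_router="$1"; wrt_wan="$2"; wrt_lan="$3"
    [ "$(prefix24 "$isp_router")" = "$(prefix24 "$wrt_wan")" ] || return 1
    [ "$(prefix24 "$wrt_wan")" != "$(prefix24 "$wrt_lan")" ] || return 1
    return 0
}

# Print a UCI batch (feed it to `uci batch < plan.txt` on the OpenWrt box).
# The ISP router keeps doing NAT to the internet; OpenWrt does NAT for the LAN
# and owns every forwarding rule, so new rules only ever touch OpenWrt.
emit_uci() {
    isp_router="$1"; wrt_wan="$2"; wrt_lan="$3"; web_host="$4"
    subnets_ok "$isp_router" "$wrt_wan" "$wrt_lan" || {
        echo "error: subnet plan invalid ($isp_router / $wrt_wan / $wrt_lan)" >&2
        return 1
    }
    cat <<EOF
set network.wan.proto='static'
set network.wan.ipaddr='$wrt_wan'
set network.wan.netmask='255.255.255.0'
set network.wan.gateway='$isp_router'
set network.wan.dns='$isp_router'
set network.lan.ipaddr='$wrt_lan'
set network.lan.netmask='255.255.255.0'
add firewall redirect
set firewall.@redirect[-1].name='web-https'
set firewall.@redirect[-1].src='wan'
set firewall.@redirect[-1].src_dport='443'
set firewall.@redirect[-1].dest='lan'
set firewall.@redirect[-1].dest_ip='$web_host'
set firewall.@redirect[-1].dest_port='443'
set firewall.@redirect[-1].proto='tcp'
set firewall.@redirect[-1].target='DNAT'
commit network
commit firewall
EOF
}

emit_uci 192.168.2.254 192.168.2.1 192.168.1.1 192.168.1.10
```

The WAN side stays a static address on purpose: the ISP router's DMZ entry points at one fixed host, so if OpenWrt took a DHCP lease instead and the lease changed, every inbound connection would silently land on the wrong device.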

1 Like

My ISP is Orange and my ISP router is Livebox 5 (rebranded by the ISP).
Here is the info I can get:

Thank you all, I'll have a look at the documentation.

Hi,
It doesn't really matter for my proposed solution (actually what you were looking for). Please look at the links to the wiki pages which I provided.
Kind regards
K.

Thanks a lot, it seems that Poor Man's Bridge Mode is exactly what I need.
The listed drawbacks are expected and I can manage with them.

From what I've checked (compared WAN IP on my router and my IP on a website) I don't have CG-NAT so that's perfect.

I'll bookmark this and try it once I get my new router.

You need to look at your public IP address. Here is a discussion and more info: https://www.reddit.com/r/HomeNetworking/comments/vrznf2/how_to_check_if_im_under_cgnat_and_more/.
It is not that bad if you do not want to open ports, however you mentioned self-hosted websites and this will cause issues. You will achieve DMZ with the OpenWrt router, but if you are behind CGNAT you may struggle with your websites.
Kr
K
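The check described in the two posts above (compare the WAN address your ISP router shows with the address an outside website sees) can be scripted; the following POSIX shell is an added example, not from the linked Reddit thread or any poster here. It adds the one thing a bare comparison misses: an address in 100.64.0.0/10 (RFC 6598 shared address space) is the tell-tale of CG-NAT, whereas a 192.168.x or 10.x WAN address just means another private router upstream. All sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from any poster. Classifies the IPv4 address shown on a
# router's WAN status page and tells you whether another NAT layer is upstream.
# Sample addresses below are constructed (RFC 5737 documentation ranges).

# Print one of: cgnat | private | public | invalid
classify_ipv4() {
    ip="$1"
    # split into octets; reject anything that is not four numbers in 0..255
    set -- $(printf '%s\n' "$ip" | tr . ' ')
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1; b=$2
    if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat            # 100.64.0.0/10: carrier-grade NAT pool
    elif [ "$a" -eq 10 ]; then
        echo private          # 10.0.0.0/8
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then
        echo private          # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then
        echo private          # 192.168.0.0/16
    else
        echo public
    fi
}

# Compare the WAN address the ISP router reports with the address an external
# site sees. Returns 0 when they match and the address is public (no upstream
# NAT, so port forwards and a DMZ reach you); returns 1 otherwise.
# Run this against the ISP router's WAN, not the OpenWrt WAN: in the DMZ
# layout the OpenWrt WAN is always a private 192.168.x address by design.
upstream_nat_check() {
    router_wan="$1"; seen_externally="$2"
    kind=$(classify_ipv4 "$router_wan")
    if [ "$kind" = public ] && [ "$router_wan" = "$seen_externally" ]; then
        echo "no upstream NAT: $router_wan is public and matches the external view"
        return 0
    fi
    echo "upstream NAT present: router WAN is $kind ($router_wan), external view is $seen_externally"
    return 1
}

# constructed sample values, not real addresses of anyone in the thread
upstream_nat_check 203.0.113.7 203.0.113.7          # plain public address: fine
upstream_nat_check 100.72.3.9 203.0.113.7 || true   # CG-NAT: inbound ports will not reach you
```

A public address that nevertheless differs from the external view still means an upstream NAT (for example an ISP that hands out public space internally), which is why the function checks both conditions rather than the address class alone.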

I also have a Livebox 5 with an ONT connected via fibre, no possibility for bridge mode or IP passthrough that I know of, so DMZ it is for me :frowning:
I do have a Public IPv4 and IPv6 but YMMV

As per your requests (see initial post):
the Banana Pi BPI-R4 also exists with an optical module.

https://wiki.banana-pi.org/Banana_Pi_BPI-R4

or:

view this:

Hi Wilthril, I'm French too. You only need to make your router static on the Orange box and then put the static router in the DMZ.

I use OpenWrt for my home gaming.

Disable UPnP and reboot your box.
(Translated from French:)
Hi Wil, to do this just disable UPnP, enable a static IP in the DHCP of your Orange router, like mine on 192.168.1.1, and put the DMZ on your router. For me Orange is different in France because I'm a business customer.

And I only make one route :wink:

Yes I'm French, I'll add the translation after this :slight_smile:

I had no trouble so far for my website so for CG-NAT I think I'm covered, that's good but thank you for raising this potential issue in case I change my ISP.

I don't know if an optical module on the BPi will work, my optical cable is different than SFP+ but keeping the Livebox is not a big deal.

Anyway now I know what to do and it's what I expected (I'm not an expert in networking) so that's good, now what I need is the actual hardware.

@Dopam-IT_1987
Thanks for the info.
So I'm not behind a CG-NAT, but I'll remember it if I change ISP.

As for the optical cable, it doesn't look like SFP+, so I don't know whether I'll be able to plug it directly into the BPi, but that's not a big deal.

I'll do what you advise, and it's what I was planning to do from the start; now all that's left is to buy the hardware.