PPPoE with /29 routed public subnet

Our ISP provides a xxx.xxx.xxx.104/29 subnet over a PPPoE connection.
Currently the connection is provided by an ISP supplied TG589 router but this is getting a bit 'long in the tooth' and with FTTP available in the near future I'd like to replace it with a more capable OpenWrt system.

Of the 5 available public IPs, three are used

  1. a vpn server
  2. a web server
  3. a firewall connecting the local LAN

Initially I'd like to replicate this configuration with OpenWrt.
To this end I've configured an x64 build of OpenWrt; it has 3 NICs used as

  1. LAN - would be where 192.168.x.0/24 clients are NAT'd out through a single IP address from my block
  2. WAN - would be where my Openwrt device connects to my Modem/ONT and makes the PPPoE connection
  3. Public subnet - would have machines that can have public addresses assigned directly to them

NB: in the initial configuration, LAN is only used for access to OpenWrt for configuration and has a static IP connected to the current LAN.

Having read many topics on how to use OpenWrt with a public routed subnet I'm still confused ...
My current configuration basically adds a 'public subnet' interface to the standard WAN & LAN, in its own firewall zone with forwarding enabled to/from the WAN zone.
Masquerading is disabled for non-local (192.168.0.0) addresses.

The initial configuration correctly establishes the PPPoE connection but devices on the public subnet aren't reachable. The PPPoE WAN obtains the correct xxx.xxx.xxx.110 as the router IP.

Can anyone help with where I'm going wrong, please?

Thanks

The network and firewall config are as follows:

config globals 'globals'
	option ula_prefix 'fdf5:c21d:d145::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.42.29'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'pppoe'
	option username 'xxxxx'
	option password 'xxxx'
	option ipv6 'auto'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'
	option disabled '1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'

config device
	option type 'bridge'
	option name 'br_public'
	list ports 'eth2'
	option bridge_empty '1'

config interface 'public_subnet'
	option proto 'static'
	option device 'br_public'
	option ipaddr 'xxx.xxx.xxx.104'
	option netmask '255.255.255.248'
	option gateway 'xxx.xxx.xxx.110'


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list masq_src '192.168.0.0/16'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'lan_public'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'public_subnet'

config forwarding
	option src 'lan_public'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'lan_public'
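As an added example (not code from the thread or from OpenWrt itself), here is a small POSIX shell/awk audit that reads a UCI `network` config in the layout posted above and flags two things a reviewer would look at first: a `gateway` option on a static interface other than the uplink, which netifd turns into an additional default route out of that interface, and a static `ipaddr` that is the network or broadcast address of its own netmask. The sample config is constructed; the documentation prefix 203.0.113.104/29 stands in for the redacted xxx.xxx.xxx.104/29, and the `audit_network_config` and `sample_network_config` function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an OpenWrt /etc/config/network
# fragment (UCI syntax) for a default route on a non-uplink static interface
# and for a static address that is the network/broadcast address of its mask.
set -eu

# Constructed sample mirroring the first post's layout; the documentation
# prefix 203.0.113.104/29 stands in for the redacted xxx.xxx.xxx.104/29.
sample_network_config() {
	cat <<'EOF'
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.42.29'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth1'
	option proto 'pppoe'

config interface 'public_subnet'
	option proto 'static'
	option device 'br_public'
	option ipaddr '203.0.113.104'
	option netmask '255.255.255.248'
	option gateway '203.0.113.110'
EOF
}

# audit_network_config [UPLINK] < network-config
# Prints one "FINDING ..." line per problem and exits 1 if any were found,
# otherwise prints "OK" and exits 0. UPLINK is the one interface that is
# allowed to carry a default route (default: wan).
audit_network_config() {
	awk -v uplink="${1:-wan}" -v q="'" '
	function ip2int(s,    p) {
		split(s, p, ".")
		return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
	}
	function int2ip(n) {
		return int(n / 16777216) % 256 "." int(n / 65536) % 256 "." int(n / 256) % 256 "." n % 256
	}
	function unquote(v) { gsub(q, "", v); return v }
	# Evaluate the "config interface" section collected so far.
	function check(    ip, size, net, bcast) {
		if (name == "" || proto != "static") return
		if (gateway != "" && name != uplink) {
			printf "FINDING %s: gateway %s on a non-uplink static interface installs a default route via %s\n", name, gateway, device
			findings++
		}
		if (ipaddr != "" && netmask != "") {
			ip = ip2int(ipaddr)
			size = 4294967296 - ip2int(netmask)   # host addresses per subnet (contiguous mask)
			net = ip - (ip % size)                # POSIX awk has no bitwise AND
			bcast = net + size - 1
			if (ip == net) {
				printf "FINDING %s: ipaddr %s is the network address of %s/%s\n", name, ipaddr, int2ip(net), netmask
				findings++
			} else if (ip == bcast) {
				printf "FINDING %s: ipaddr %s is the broadcast address of %s/%s\n", name, ipaddr, int2ip(net), netmask
				findings++
			}
		}
	}
	$1 == "config" {
		check()
		name = ($2 == "interface") ? unquote($3) : ""
		proto = ipaddr = netmask = gateway = device = ""
	}
	$1 == "option" {
		val = unquote($3)
		if ($2 == "proto") proto = val
		else if ($2 == "ipaddr") ipaddr = val
		else if ($2 == "netmask") netmask = val
		else if ($2 == "gateway") gateway = val
		else if ($2 == "device") device = val
	}
	END { check(); if (findings) exit 1; print "OK" }
	'
}

# Usage: sample_network_config | audit_network_config wan
# or:    audit_network_config wan < /etc/config/network
```

Run against the constructed sample, the audit reports both findings on `public_subnet`: the `gateway` line adds a default route via br_public alongside the one PPPoE installs, and .104 with a /29 mask (255.255.255.248) is the subnet's network address, leaving .105 to .110 as the host addresses. The `lan` section passes, and the script exits non-zero so it can sit in a pre-commit hook or a config-backup check.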

Why don't you use a wan bridge as a device?

config device
	option type 'bridge'
	option name 'br-wan'
	list ports 'eth1'
	list ports 'eth2'

config interface 'wan'
	option device 'br-wan'
	option proto 'pppoe'
	...

Remove the static route and the additional zone and forwardings.
I assume the devices with public IPs rely on their own firewalls, right?

I would probably go with proxy ARP and routing of /32 addresses.

A dedicated firewall zone makes sense to apply individual rules.

Side note. Yes, I know most ISPs are shit.

But a more sane approach would be:

Having a (PPPoE) connection with just a single IP and an additional network routed.

Splitting up a layer 2 is a hassle all the time.

Correct.

I'm willing to give that a try, but would that not mean that public IP traffic was sent on the native eth1 port rather than encapsulated in PPPoE?

In any case, eth1 and eth2 would be exposed to the same traffic because it is the same ISP.

However, the wan interface will only accept encapsulated traffic destined for x.110 and allowed by the router's firewall.


Thanks, in that case I'll give it a try and report back. Might be a day or two before I can get some 'downtime' to swap out the current router for testing...