Questions about network setup

Hi all,
When I had a cable ISP, I had a provider modem that I could use in bridge mode and use my OpenWRT router behind it which worked great. Now that I moved, I only have VDSL available which let me rethink my network structure a bit.
To get online quickly after moving, I just setup a very simple network without any VLANs or stuff like that, but I would like to change that.

Current setup:

  • FritzBox 7530 (stock firmware) as VDSL modem and WLAN router with DHCP
  • TL-WDR3600 (OpenWRT) as AP in the basement, connected via PowerLAN
  • all devices in the same subnet

Available additionally:

  • 2 more old TP-Link routers with OpenWRT, WiFi 4
  • Proxmox server with 5 network ports (onboard + Intel T350)
  • unmanaged 8 port switch

What I would like to do is to segment the network so that potentially unsecure IoT devices get their own subnet, guest network, etc. If it is possible to run a OPNsense as router/firewall, that would be a plus.

Ideally, it would probably look as follows:
WAN -> Modem -> OPNsense (virtualized on Proxmox) -> APs and wired connections via switch

The problem is that the FritzBox 7530 is both my only modem and my fastest WiFi AP. Luckily, I saw that the FritzBox is OpenWRT compatible. Is it possible to use it as both modem and AP, but not as router with OpenWRT? That means:
WAN -> (Fritz wan port) -> FritzBox as modem -> (Fritz lan port 1) -> (server lan port 1) OPNsense -> (server lan port 2) -> (Fritz lan port 2) -> Fritz Box as AP

If not, would you rather:

  1. just install OpenWRT on the FritzBox and drop the OPNsense idea

  2. get a separate modem with bridge mode capability so OPNsense can do the routing and use the FritzBox as AP (with OpenWRT for VLANs)

  3. do double NAT, i.e. FritzBox as first router with WiFi disabled and only OPNsense connected and setup as exposed host

  4. (not sure if this is possible with OpenWRT) use exisiting FritzBox in bridge mode and use OPNsense as router
    4a. with existing WiFi 4 APs behind OPNsense
    4b. get a new WiFi 6 AP with VLAN capability (recommendations? is the TP-Link AX23 any good?)

Lots of questions. I'm looking forward to your advice.
Thanks in advance!

Since you are posting in the OpenWrt forum, one would expect to receive comments about that only.
The 7530 supports OpenWrt, but read carefully about certain limitations (like AX) or incompatibilities (like DECT).

1 Like

Well, in my opinion OpenWRT and OPNsense could go well together, so I don't really see why people in the OpenWRT forum should advocate against it.

I'm aware of the limitations of the FritzBox 7530. I have the non-AX version of the router and do not use DECT. However, since it's my only VDSL router, I sure want to double check that everything will work before flashing. Will it work with VLANs and multi SSIDs?

And would my first idea actually work with OpenWRT flashed on the FritzBox?

Cheers

If this is your opinion you could simply ask how to make the 7530 a passthrough bridge. Other than that there are people, including myself, who are not familiar with OPNsense nor whether it goes well with OpenWrt.

https://openwrt.org/docs/guide-user/network/wan/isp-configurations?s[]=bridge#tpg_adsl2

Yes that is possible, whether it is a good idea really depends on whether you believe the DSL-to-opensense-wan bridge to be unescapable or not. I use my 7520 (running OpenWrt, as FritzOS does not alllow this configuration) as bridged modem in front of my OpenWrt-based primary route. And in one of the forum threads a poster posted a config that implements your desired configuration, by adding bridged AP functionality to the FB. Personally I have not made that switch, since I am a bit uneasy about trusting the dsl-bridge to be unescapable (but I assume I am overly cautious).

That said, what functionality will OPNsense give you that makes it desirable? I would guess that for typical home use OpenWrt would allow pretty much the same functionality (a bit less in some areas, a bit more in others)?

Well, OPNsense has a couple more features like IPS/IDS and furthermore it's a bit more GUI-configurable for stuff like VPN Server which works in OpenWRT, too, but is a bit less user-friendly. The main reason I thought it would be useful is acutally, because I think it's easier to configure especially for my VMs on the Proxmox hosts, but I guess that would work with OpenWRT, too.

After all, I guess you're right that OpenWRT would probably suffice as a home user... I think, I'll give it a shot, flash OpenWRT on my FritzBox 7530 and see if something that I would like to have is missing/not working. I can then always try to put the FB into a bridge modem and dumb AP afterwards. @moeller0 I could not find the thread you were referring to. Any chance you still have know where to find it?

Last question: Since the FB is my only modem, is it possible to flash the original firmware back in case something does not work? Not sure how tolerant the people around me are if the internet is not working :smiley:

Look here:

Mind you, I have only tried a less ambitious bridged-modem configuration myself:

No idea about reflashing FritzOS, I expect this device to live out the rest of its life under OpenWrt :wink:

1 Like

Thanks for the link, although I do not really understand the setup. So, their first device (7362sl) is both modem and dumb AP?

As said, I'll probably start off using the FritzBox as modem and router first and see if this fulfills my needs. Is there a way to find out the required setup parameters for the dsl from my current FritzOS webinterface? I would like to have as little downtime as possible. I already found this page. Is the information here up-to-date?

Yes, exactly that.

Very reasonable starting point!

Since I used FritzOS last in 2008 IIRC I have no idea.

Unfortunately, yes and no, yes the general idea still works, but no the details are slightly different... Which ISP are we talking about again?

Telekom (Germany). FritzOS says VDSL2 17a G.Vector (ITU G.993.5). Credentials are **** (hidden) in FritzOS, probably I'll find them in a letter or something. Will look for that later.

Ah, on a telekom link you can log into the Kundencenter and enable an option that will make password and username optional (they instead use the line ID from the DSLAM) that way username and password can be avoided.

Great, thanks a lot for your help. I'll try it on the weekend and will report :slight_smile:

Hey @moeller0,
I managed to install OpenWRT on mit FB. However, I cannot go online. Not sure what I am missing. I followed the docs, but there was a problem with the symlinking. I assume it should be ln -s /lib/firmware/xcpe_8D1507_8D0901.bin /lib/firmware/vdsl.bin, right?

I activated the easy login in the telekom Kundencenter, but what do I have to configure in OpenWRT? I tried all options for the WAN interface, but it did not connect.

You configure it with username and password as normal, except that the username/ password aren't checked anymore - so you can insert anything, e.g. (literally, no redactions):

config interface 'wan'
        option proto 'pppoe'
        option ipv6 '1'
        option device 'eth0.7'
        option username 'user@t-online.de'
        option password 'pass'
1 Like

Ohh, that helped. Thanks! I thought I have to use DHCP client or something. It works now. Yay, going to bed now and will play around with it tomorrow :slight_smile:

That would be nice, as PPPoE is quite a -useless- performance drain, but tcom still insists on PPPoE - and PPPoE only works with username/ password (but nothing requires that the PPPd server actually checks those).

1 Like

After the DSL is working, I realized, my POTS telephone is no longer working. So I have to configure something in addition for this? The device page just says, DECT will not work, so I assume, POTS will still work?

Ah, sorry, under OpenWrt the fritzbox telephony will not work, neither dect not pots...
When VoIP/SIP was introduced over a decade ago, I bought a dect/VoIP base station and have never looked back. I guess I forgot that many users still appreciate an all in one telephony router...

My personal solution to this is using a low-end, but still fully supported, AVM Fritz!Box (in a jailed off VLAN) running Fritz!OS behind my OpenWrt router in IPoE mode, modem disabled, routing disabled, wlan disabled, only acting as SIP pbx, voice answering machine, SIP ATA and DECT base.

Why this over a dedicated DECT base?

  • I do still need at least one FXS port (for a fax machine)
  • I do need DECT, and my existing DECT handsets need to work with it (Gigaset as28h and CL570HX)
  • I do need desk SIP phones
  • I do need a simple answering machine
  • I want to be able to block certain incoming (spammer-) numbers
  • I need all of those to integrate reasonably well (I wouldn't need it to be one box, but those services need to interoperate without too much fuzz)
  • I don't trust the security- and maintenance status of these dedicated DECT bases too much (Gigaset, quo vadis…)
  • if AVM can do one thing well, it's handling phones
  • the dedicated Fritz!Box doing this can be easily replaced, when it goes EoL (which is soon going to be needed, but mine had a 7 year service life so far, the 7510 would do - but I'm not too convinced about its mid-term support state)
1 Like

Yeah, I had my reservations initially in 2013 how long before lack of support would force me to retire otherwise functioning hardware. Turns out that base station got a pretty steady stream of updates (I believe the last from 2023)... (by virtue of being essentially a repackaged base station also used in their business line). What the future brings, hard to say, I guess I will need to decide whether to go the Fritz route or another dedicated SIP box. Then again the future of AVM is also a bit hazy right now (not bankruptcy like Gigaset, but they seem to be looking for a buyer), IIRC...

1 Like