Rpi4 < $(community_build)

Thought I'd just add a comment on getting this community build working with the Eir's (Irish ISP) FTTH setup, since it might help other people. There's a few comments earlier on about how the Pi doesn't have the switch fabric, but they seemed to be in the context of LAN connections, not WAN connections. Eir require packets to be tagged on VLAN 10, and their provided VDSL2 modem is also able to take the ethernet feed from the optical network terminal, and handles the VLAN tagging.

Assuming the WAN interface is eth1 (say a USB dongle), then the following steps worked for me:

  • Go to Network > Interfaces > Devices
  • Add a new device configuration
  • Set the type to 802.1q
  • Alias it on top of eth1
  • Set the VLAN ID to 10
  • Save the new device
  • Go to Network > Interfaces > Interfaces
  • Add a new interface (or edit your existing one)
  • Set the type to DHCP client (no need for PPPoE, unlike their DSL offering)
  • Use the eth1.10 device (Software VLAN)
  • Make sure it's in the WAN firewall zone
  • Save
  • Repeat new interface steps, but set DHCPv6 client as the type (Eir offer IPv6)

The status of the interfaces should update to show IPs being assigned.

Without the VLAN 10 stuff, and using the base eth1 device, IPs don't get assigned.

Might help someone else with a different ISP that uses the same approach. How you find out your ISP needs VLAN tagging - no idea; I discovered that Eir do this by searching the 'net.

Eir headend -> fiber distribution on pole -> termination point in house -> ONT (Huawei of some sort) -> Ethernet cable -> Pi USB dongle (WAN/WAN6) -> Pi (OpenWRT) -> Pi onboard Ethernet (LAN) -> Ubiquiti switch -> home network


why you can't create a bridged connection with FTTH equipment?
Is this limitation forced from the ISP side?

I may have been unclear - that set of steps removes the ISP modem from the equation, and the Pi is talking directly to the optical network terminal. Previously I had to have it inline, with OpenWRT doing PPPoE negotiation, and the modem in bridge mode (since that was FTTC with VDSL from cabinet to modem).

I asked this question because I have heard from people using FTTH that you can't create bridge connection with the fiber equipment because it is not allowed from the ISP side. You can only use DHCP from the FTTH equipment but it creates the issue of double NAT. How to overcome the issue of double NAT?
I am also using FTTC connection VDSL.

As far as I can tell, Eir aren't doing anything that causes double-NAT. I get a /23 and a /56, and OpenWRT passes the /56 through as a /60 for the LAN. If you don't specify VLAN 10 on the WAN ports, you don't get any addresses from Eir.

For FTTC, I had to keep the F3000 (Eir's model number, it's a Sagemcom under the hood and can be broken in hilarious ways) in bridge mode to convert the VDSL to Ethernet, and then configure a WAN interface as PPPoE and send the right secret; I presume the F3000 was doing the VLAN 10 stuff.

When I initially switched to FTTH, I kept the F3000 inline - all that changed in that setup was the VDSL phone line was unplugged, and the ONT ethernet cable was plugged into the WAN port of the F3000. OpenWRT was still doing PPPoE and it all still worked somehow.

1 Like

Yep, the IP ranges assigned to the Pi's public interface line up with what external sites see.

1 Like

If FTTH is passing you public IP addresses then I think it is a bridged connection betweem openwrt and FTTH equipment via VLAN. And what about FTTC what was its setup? You mentioned pppoe, I am also using the same thing but you set it up via specifying VLANS in it? And were you also getting your TV service from it? Via IPTV?


For my setup I specified no vlans and there are two vlans i think mentioned in my modem and both are in bridged connection and I am able to use both internet and IPTV without specifying any vlans in wan setup.

No TV service. Technically the F3000 also provides me with a VoIP registration (I presume when it's not in bridge mode), but I don't use that either.

No, for the PPPoE configuration I wasn't using VLANs at all - the F3000 was in the path at that point.

Zeroth setup:
DSL headend -> Filtered phone socket -> RJ11 cable -> F3000 (modem mode) -> home network

Stock config :slight_smile: There's a RPi doing pihole stuff floating around in here, and after getting frustrated with the F3000's inability to change the LAN addressing properly (wrote it up at https://www.cricalix.net/2020/05/28/eir-f3000-fst-5366-pains/, and the post after that), I dropped OpenWRT into the mix.

First setup:
DSL headend -> Filtered phone socket -> RJ11 cable -> F3000 (bridge mode) -> Pi's USB connector (WAN) -> OpenWRT -> Onboard ethernet (LAN)

OpenWRT was configured to use PPPoE for the WAN interface, sending the relevant CHAP secret that's documented pretty well on the 'net. F3000 was doing VDSL -> ethernet conversion. It may or may not have been doing VLAN tagging.

Second setup:
Fiber headend -> termination point -> ONT -> RJ45 cable -> F3000 (bridge mode) -> Pi's USB connector (WAN) -> OpenWRT -> Onboard ethernet (LAN)

Here, all that changed was the input to the F3000. I hadn't changed OpenWRT, and was rather surprised when it all continued to work.

Third setup:
Ripped out the F3000, enabled two aliased VLAN devices on top of the USB dongle, set one to DHCP, one to DHCPv6. No more PPPoE setup (see parent comment for the line diagram).

1 Like

There is DHCP server running on ONT?

I have no idea. It's a black box as far as I'm concerned; it could be it comes up and talks to the head-end and gets a range to hand out. It could also be that it's just a protocol converter, and the DHCP request from the Pi goes all the way back to the ISP's servers.

Packaging for it says it's a HW model HN8M8010TsG02, and the description says OptiXstar HN8010Ts XGS-PON.

1 Like

then I think it might be just optical terminal and not a combination of fiber optic, router and wireless terminal. Just like I have modem router wlan combo but I am just using modem part as bridge and my own pi4 router and my own wireless access points.

I think it is great you are able to use your own router with FTTH.

Is it fine to show your IP address like that?



From an IPv4 perspective:

  1. It's DHCP. If I spoof my MAC and renegotiate the DHCP request to the ISP, I'll end up on a different address range. Heck, might not even need to spoof the MAC.
  2. It's not like IP addresses are secret. You can nmap the entire internet if you want to (though your ISP might notice) to see what addresses have active hosts. Check out shodan.io if you've not heard of it before.
  3. OpenWRT's default configuration is 'default deny' on the firewall for packets that originate on the WAN side and land on the WAN interface.
  4. The IPv4 address is NAT'd anyway, and the internal IPv4 range is RFC1918.

From an IPv6 perspective:

  1. Similar story for DHCPv6. Change the client ID on the DHCPv6 request, and the ISP will issue a new range - just did that to prove it :slight_smile: I'm no longer on '191b'.
  2. Firewall again. Same rules about WAN => LAN apply. I've got several Linux boxes hanging around on the LAN, with "public" IPv6 addresses, and none are reachable from outside my home network.
  3. iOS and Windows both have the concept of privacy addresses when it comes to IPv6, and will rotate through IPs unless you configure them not to.

In the current configuration, the worst that could happen is someone decides to DoS my network range. The Pi will probably fall over under the load.


so i've uploaded a /tftpboot 'sample' zip with (draft) config generator...: https://rpi4.wulfy23.info/misc/tftpboot/

came in handy for me over the last day or two messing with a laptop I can't open (easily)...
currently sort of has;

  • clonezilla
  • debian 11 netboot installer
  • gparted
  • openwrt x64 initramfs
  • some other minor stuff

really only for experts at this stage... but may add some 'per-device' and special network device specific stuff ( cisco / ubiquiti ) in the future...

it's ~ 750M and you'd need twice that to unpack it... so try to keep a local copy of the .tar unless the version number changes...

it's not rpi4 specific so anyone with extroot / x64 / 2G free should be able to use it...

1 Like

I am waiting for the integration of IDS, IPS and DPI tool you mentioned some time ago. I think it was DPI.

not sure if that was crowdsec... there were a few in that list... crowdsec is not exactly the above but it's a good middle ground...

I did spend two days on it... and i'd say it has good integration potential but am holding of a few months for some things to be resolved...

(breaks when you include it in an image... but anyone wanting to have a play with it, with intermediate skills or above is welcome to install and try it out 'post-upgrade'... it's great for exposed servers but stats from typical natting routers would be interesting to see)

1 Like

persistent usb nic names

following on from



next build will incorporate the ability to make usb-nics persistent


this is how it works...


### enable the logic as a whole
uci set network.globals.persistent_nic='1'
uci commit network


### for every usb nic
uci set network.rummy.mac_original='00:00:e8:00:44:bf'
uci commit network
### update the uci logical interface underlying device eth+last6chars
uci set network.rummy.device="eth0044bf"
uci commit network

so you can leave the first wan untouched: edit: no it will need to be added also...

edit: macaddr(normal override if underlying 'mac_original') will work if it's in the interface ( not device ) section...

there is a bug with macaddr in the device section (move macaddr overrides to the interface section if it's a use adapter to be renamed and you want it overidden until the bug is fixed)

for extra wan interfaces repeat step2...


  • no device bridges etc. for now
  • usb only

for anyone not on this build you can get the hotplug.d/net/000-kickanic here


Hi Wulfy23: thank you for this wonderful build. I got your build up and running on rpi4 without a problem. It's running very nice.
I have a strange question regarding DHCP server on rpi4.
I am connecting Telekom router + rpi4(openwrt)+ Xiaomi Ax3600(as Access-Point for WiFi)
What I want to ask is how should I setup the DHCP server so that I have 0 issues in blocking ads and also in terms of IP address conflict.
How should I proceed further? I mean should I setup static dns Address in my Router and let rpi4 manage DHCP server and the Xiaomi Ax3600 in AP-Mode?

Is this setup correct? If so how can I do the DHCP setting in openwrt??? Can I switch off the DHCP server on Telekom router? Will it work if I do so?

Sorry for asking so many questions at a time.

Hoping to get a reply from you soon.

Thanks in advance

1 Like

Thanks, glad it's working for you...


I had started to write some general advice then it grew over 250 words...

You questions are all kinda general networking (i.e. not directly related to anything to do with this build at all) related...

(they are also really broad)

so best to open a brand new, dedicated thread for it... ( many more people will see it and have the chance to help )

when you do please link to your post above ( the 'link' icon at the bottom of the post )... people will want to know if your Telecom device is 'natting' / not-bridged ( what kind of address it hands out and how )


I'm just about to purchase a Pi4 to use as my main router on a 1gb fiber connection. I just want it rock solid with SQM , is the Pi 4 2GB version good enough, or do I need go for the 8GB ? (I'll just be running openwrt and a couple of small packages I guess).

Also, is DCHP Optiion 61 possible on this build ?