[Solved] OpenWrt behind FritzBox - WAN as DHCP-Client - No Internet Connection

I want to use a Vodafone 904 xDSL router with OpenWrt behind a FritzBox.
For this I have a LAN connection of the FritzBox connected to the WAN port of the OpenWrt router.
The WAN port has been configured as follows:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd38:585c:374a::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list ifname 'eth0.1'
	list ifname 'eth0.66'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '18:83:bf:ce:fc:b0'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0'

config device 'wan_dev'
	option name 'dsl0'
	option macaddr '18:83:bf:ce:fc:b1'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config switch
	option name 'switch1'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch1'
	option vlan '1'
	option ports '0 1 2 3 6t'

config device 'inic_dev'
	option name 'eth0.3'

config interface 'inic'
	option proto 'none'
	option ifname 'eth0.3'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option fid '3'
	option ports '5 6t'

config device 'wlan_dev'
	option name 'eth0.66'

config device 'guest_wlan_dev'
	option name 'eth0.71'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '66'
	option fid '4'
	option ports '5t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '71'
	option fid '5'
	option ports '5t 6t'

The router also receives an IP address from the FritzBox network; however, the router and the connected devices have no Internet access.
A ping from the OpenWrt router to the FritzBox is also not possible (tested via SSH).
I think the firewall of the OpenWrt router blocks something.
Here is the config of the firewall:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

I hope someone can help me. I searched Google and the forum, but found nothing.

The router should be properly configured out of the box for the usual use (WAN-LAN) with firewall configured to allow LAN to WAN access but not the other way around.

Do you know if your ISP required MAC cloning or certain VLAN ID? Have you tried connecting a PC directly to the FritzBox and see if you have connection?

I'm not sure which router is the Vodafone 904 xDSL. Is that Arcadyan? I don't seem to find an official OpenWrt build for it, unless it's under a different name. But out of curiosity, if your 904 router has an xDSL modem, is there a reason you don't just use it as a modem and remove the FritzBox?

1 Like

First since you're not using the integral DSL modem, comment out or delete all the DSL related stuff.

Like @Hegabo, I'm not sure what you are trying to do with the switch and VLANs, but one thing to never ever do is use plain eth0 without a VLAN number. All VLANs in the switch (that the CPU needs to see) must be tagged to the CPU port, and all references to eth0 attaching it to a network need to have the VLAN number.

I would suggest resetting to default configuration, then re-purpose one of the etherports to be WAN, make the WAN network a DHCP client (also specify a hostname so you can find it in the main router). Then plug that into an untagged port from your main LAN, so you have a basic routed client with Ethernet backhaul. Once you see how that works, then you can get fancier with VLANs.

2 Likes

This is the Hardware:
https://oldwiki.archive.openwrt.org/inbox/arcadyanastoria/arcadyan_astoria_easybox_904xdsl_r01

The hardware is not officially supported.
I use this firmware:

My provider (Vodafone Germany) needs VLAN tagging, but not when I use the OpenWrt router as a DHCP client.

As factory default the WAN interface is configured with PPPoE.

I have connected a PC directly to a LAN interface of the FritzBox and it works.

The firewall of the OpenWrt router allows traffic from LAN to WAN.

I don't want to use only the OpenWrt router, because the hardware of the FritzBox is better and I use Fritz-to-Fritz VPN to connect two different networks.

I do not understand, for example, why even the OpenWrt router cannot ping the FritzBox
over SSH.

I hope you understand me, sorry for my bad English.

@mk24
I will try what you said tomorrow.

That is

config interface 'wan' 
    option proto 'dhcp' 
    option ifname 'eth0.2'

Also I noticed that you have multiple VLANs with same ports settings.

2 Likes

The VLAN configuration for this particular router is rather special and complicated, as it includes two different hardware switches (lantiq and realtek) as well as connecting the dedicated rt3883 WLAN SOC via (wired!) VLAN, with lots of implicit VLAN requirements. It's not an easy or beginner-friendly device.

2 Likes

@Hegabo and @mk24
I am ashamed. That was too easy. It works. Thank you!!
I only tried eth0.1.

@slh
That's why I do not understand the many VLANs myself.

Is it possible to assign LAN ports 1 - 4 to different VLANs?
As far as I can see, all LAN ports are combined into one interface. Probably I cannot differentiate them and would have to connect a switch with VLAN tagging to the router?

Yes, but not in a particularly straightforward way (as different ports are on different switches); you'll need to read the thread on the archived forum for a glimpse into the gory details. Accomplishing this would be much easier on a more conventional router.

1 Like

If you set an external port to be tagged, the device on the other end of the cable needs to be VLAN capable and set up to tag with matching VLAN numbers. This is commonly used to send a "trunk" of several networks between two routers.

VLANs inside the switch are used to make separate networks internally from the CPU out to different port(s). When the port is set to untagged, the tags are removed before sending data on the cable. The use of VLANs inside the switch has no effect on a device on an untagged port. Arbitrary VLAN numbers can be used.

1 Like

@slh

Which thread do you mean?
According to the wiki:
Ethernet: RTL8367RB 4x 10/100/1000 Mbit/s vlan support

So all 4 LAN ports use the same hardware switch (Realtek).

@mk24
So if I understand you correctly, I can put the VLAN IDs on the LAN ports, connect a switch with VLAN function, and assign ports to the VLAN I want. The VLAN must be configured on both the router and the switch.

I understand the 2nd part to mean that this is also possible directly on the 4 LAN ports of the router?
For this, the corresponding port must be tagged with the desired VLAN? I do not know how to configure a single port, as they are only displayed as 1 interface.

What @slh is saying is that the internal switch in the Lantiq CPU is also involved, sending to the Realtek switch. So for example if you want to add another network from the CPU to one of the Ethernet ports, you'd have to add a VLAN to both switches.

This is all inside the router. If you're using ordinary devices that don't require tagging you don't need any extra hardware outside.

1 Like

@mk24

A short explanation of what I was actually doing before.
I would like to create several VLANs to separate different device classes and restrict access to each other via firewall.

Attached is a screenshot of the switch config.

I have (not seen in the picture) created a VLAN 102, assigned to both switches: tagged on CPU and LAN at the Lantiq switch, and on CPU and LAN2 at the Realtek switch. After that, WLAN did not work anymore, the Internet was not working anymore, etc.

Can someone explain to me from the drawing what I need to set?

It looks like "LAN "on the Lantiq switch is the link to the Realtek switch that runs the four yellow ports, and WAN is the other physical port. Confirm by unplugging the cable from the black WAN port, the icon should change to disconnected.

The link between the switches should be tagged in all the VLANs that are of interest to the Realtek switch. Do not have tagged and untagged on the same port. So in the LAN column, change VLAN 1 to tagged then add more if you want.

For these internal VLANs it is conventional to use sequential numbers starting from 1. Likely not the case here, but some old chips did not like numbers higher than 15, and others have a limit of 128.

1 Like
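As an added example (not code from this thread or from the OpenWrt project), here is a small Python linter that reads a UCI `/etc/config/network` and reports the three switch/VLAN mistakes raised in this thread: a network attached to bare `eth0` without a VLAN number, a VLAN that is not tagged on the CPU port, and a port that is both tagged and untagged (or untagged in more than one VLAN) on the same switch. It assumes the CPU port is port 6 on every switch, as in the config posted at the top; both sample configs are constructed for the example.

```python
"""Lint an OpenWrt UCI network config for the switch/VLAN mistakes raised in the thread.

Added example, not code from the thread or the OpenWrt project.
Assumption: the CPU port of every switch is port 6 (as in the config posted above).
"""
import re
from collections import defaultdict

CPU_PORT = "6"  # assumption: CPU port number on both switches of this device

# Constructed sample with all three mistakes: bare eth0 on wan, CPU port
# untagged in VLAN 2, and port 0 untagged in VLAN 1 but tagged in VLAN 2.
BROKEN_CONFIG = """
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	list ifname 'eth0.1'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0'

config switch
	option name 'switch0'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 4 6'
"""

# Constructed corrected version: wan on eth0.2, VLAN 2 untagged on port 4 only,
# CPU port tagged in every VLAN.
FIXED_CONFIG = (BROKEN_CONFIG
                .replace("option ifname 'eth0'", "option ifname 'eth0.2'")
                .replace("option ports '0t 4 6'", "option ports '4 6t'"))

_SECTION = re.compile(r"config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_ENTRY = re.compile(r"(option|list)\s+(\S+)\s+'?([^']*)'?\s*$")


def parse_uci(text):
    """Parse UCI text into (section_type, section_name, options) tuples;
    options maps each key to the list of values seen, so list entries accumulate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), defaultdict(list)))
            continue
        m = _ENTRY.match(line)
        if m and sections:
            sections[-1][2][m.group(2)].append(m.group(3))
    return sections


def lint_network(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    sections = parse_uci(text)

    # Mistake 1: a network attached to the bare CPU interface instead of a
    # VLAN sub-interface such as eth0.2.
    for stype, name, opts in sections:
        if stype == "interface":
            for dev in " ".join(opts.get("ifname", [])).split():
                if re.fullmatch(r"eth\d+", dev):
                    findings.append(f"interface '{name}': {dev} has no VLAN number; use {dev}.<vid>")

    # Collect, per switch and port, which VLANs use it tagged or untagged.
    usage = defaultdict(lambda: defaultdict(list))  # switch -> port -> [(vid, tagged)]
    for stype, _name, opts in sections:
        if stype != "switch_vlan":
            continue
        device = opts.get("device", ["?"])[0]
        vid = (opts.get("vid") or opts.get("vlan") or ["?"])[0]
        ports = opts.get("ports", [""])[0].split()
        # Mistake 2: every VLAN the CPU should see must be tagged on the CPU port.
        if f"{CPU_PORT}t" not in ports:
            findings.append(f"{device} VLAN {vid}: CPU port {CPU_PORT} is not tagged ({CPU_PORT}t)")
        for p in ports:
            usage[device][p.rstrip("t")].append((vid, p.endswith("t")))

    # Mistake 3: a port must not be tagged in one VLAN and untagged in another,
    # and may be untagged in at most one VLAN.
    for device, ports in usage.items():
        for port, uses in sorted(ports.items()):
            if port == CPU_PORT:
                continue  # CPU-port problems were reported above
            untagged = [v for v, t in uses if not t]
            tagged = [v for v, t in uses if t]
            if untagged and tagged:
                findings.append(f"{device} port {port}: untagged in VLAN {untagged} but tagged in VLAN {tagged}")
            if len(untagged) > 1:
                findings.append(f"{device} port {port}: untagged in more than one VLAN {untagged}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint_network(cfg) or ['ok']}")
```

The check is purely static: it reads the file, it does not talk to the switch driver, so it can be run on a copy of the config before committing it to a device whose recovery means reflashing. The CPU-port assumption is the only device-specific part; on a model where the CPU sits on a different port, change `CPU_PORT`.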

You are right about the WAN port.

Since I tagged VLAN 1 on the Lantiq switch on "LAN", the WLAN doesn't work. I don't receive an IP via WLAN.
With LAN I receive an IP and have access to the WebIF, but no more access to the Internet.
Since I rebooted OpenWrt after tagging VLAN 1, the router doesn't boot anymore. It only shows an error on the router's display. I had to reset with fullimage.img and install sysupgrade.bin.

Have you read what @slh referred to? It seems that the WLAN is an Ethernet-like device on this model.

1 Like

Yes, I have read it, but I know no details, because I do not know which thread he refers to.
But this is definitely not an explanation why the router apparently also destroys its own system.
It seems to me that this router really is not in an optimal condition for what I have in mind.

Do yourself a favour and pick some simpler/ more conventional hardware for your experimenting (you can find lots of interesting stuff very cheap on the used market); the easybox 904 xDSL really isn't any fun when it comes to non-trivial VLAN setups, due to its hardware-specific complexities.

1 Like

@slh
Do you have any recommendation for a model? It may cost a few euros; the cost should not be the problem. If there are appropriate routers, I would have another request: the router should support several SSIDs which I can assign to different VLANs.

Thank you all for your help. Very fast and friendly.

It really depends on what you're looking for in terms of performance and features.

  • most of the contemporary ar71xx/ ath79 should work fine (>8 MB flash, at least 128 MB RAM)
  • if you want a VDSL modem onboard, the BT Home Hub 5 Type A is always worth looking at.
  • usually I'd (strongly) recommend ipq40xx, but that's a bit limited in terms of VLAN configurability until it switches to DSA switch drivers.
  • mt7621 should be nice, if you aren't looking for top CPU performance (but fast routing/ networking acceleration).
  • entry level mvebu (or top end, depending on your interests/ price frame) would do the job
  • depending on your budget, ipq806x is also worth looking at.

The Easybox 904 xDSL just is very special and fragile in many regards, particularly in terms of the switch setup; basically all other routers are easier to work with. Top ten routers currently in use? would be a potential selection (avoid ipq40xx for the time being, if you're after VLAN specifics).

1 Like