Use ISP's router as a switch for a OpenWrt router

I have a OpenWrt router and a router/modem from my ISP. Currently my ISP's router is connected to the WAN port on the OpenWrt. DHCP is disabled on the ISP's router and I have set up static IPs for both my routers. My goal is to use the ISP's router as a switch to have more ports for my network. I tried to connect the ISP's router to a LAN port and changed the WAN interface to br-lan. After that my DHCP on the OpenWrt stopped working. Now I changed it back to WAN. Which configuration changes do I need on my OpenWrt to be able to connect new devices to the ISP's router and have them assigned an IP by OpenWrt?

Best regards and thanks in advance for the help

Just buy a switch. It is very unlikely you will be able to configure the isp router as you desire (unless it has vlan capability, but you’d only gain at most 2 ports).

1 Like

My ISP's router is located inside a box in the wall where all my ethernet cables are routed through. The space is very limited. Also I don't need any VLAN support.

What I’m saying is that the isp router would have to support user-configurable VLANs in order to function as a switch for your OpenVPN router. The setup would be mildly complex and would only give you 2 extra ports. Just get a cheap and small 5 port switch, since it is unlikely that you’ll be able to setup the isp router correctly for the desired outcome.

The setup would work if I put a switch between my OpenWrt and the ISP's router and have two cables connected to the OpenWrt (1x LAN, 1x WAN). I don't get why this wouldn't be possible with just OpenWrt in software.

Counting on IP addresses to segregate traffic through an unmanaged switch is a very dicey solution. Also an interface that is in a bridge (br-lan) gets controlled by the bridge, it can't hold another IP address for a different function.

1 Like

You want to expand the number of available ports on your openwrt router, right? You simply need to add a switch. There is no reason to put a switch between your isp router and tour OpenWrt router - just plug the switch into the openwrt router and be done.

If this is not workable, physically speaking, maybe you can draw a diagram with what you are trying to achieve including the wiring and constraints.

Untitled Diagram
This is my current setup. I want to connect devices via the wall outlets in the rooms to my OpenWrt. Currently this is not possible because I have my ISP's router connected over the WAN port to my OpenWrt.

How much available space is in the network box? Can you fit a small switch like [this one](TRENDnet 5-Port Unmanaged Gigabit GREENnet Desktop Metal Switch, TEG-S50g, Ethernet Splitter, Ethernet/Network Switch, 5 x Gigabit Ports, Fanless, 10 Gbps Switching Fabric, Lifetime Protection (1”x2.8”x4.6”)

Also, do you need the isp router? Is it a modem+router, or just a router? It would be better to eliminate one of the routers. If your openwrt router is really only being used as a means of setting up a WiFi network, you could make it a dumb ap and make the isp router the main router that controls the network.

There's no space left. The ISP's router is necessary because it's also a modem. To my understanding a switch would only work if I had two ethernet cables from my network box to my OpenWrt (1x for LAN to the other rooms and 1x for WAN). The OpenWrt also creates a seperat WiFi network which gets tunneled through a VPN. Therefor both routers are necessary.

The limitation isn't in OpenWrt router here; it's in the ISP router. In your current situation you have the ISP router as a main router and OpenWrt a downstream router, making two distinct networks. Now you want to make ports of the ISP router as part of the "downstream" network. Can you do that or not, that's up to your ISP router. If that ISP router was running OpenWrt then it would have been possible (if the hardware support it).

Otherwise you would need to go for one of the other solutiins: eithet add a switch to extend OpenWrt LAN to the patch panel, or connect ISP router to OpenWrt LAN port instead of WAN, so everything becomes like a one happy family. You would lose some OpenWrt functions in this scenario.

You can connect the two routers LAN-LAN and still make a separate subnet for some of OpenWrt clients. Though, that will become a separate network, and the rooms will remain on the ISP subnet.

If you want all clients to be on OpenWrt network then you have to look into the ISP router and see if it supports VLANs

It appears that you are trying to do something similar to this. It can be done if your ISP router supports it (which is unlikely).

My ISP's router is already acting like a dumb network switch. I just need the right OpenWrt configuration to be able to have the WAN interface on e.g. LAN1 of the OpenWrt and also have LAN1 working as a regular LAN port.

Not according to your description above (or at least my interpretation of it)... the ISP router is a modem + router. Unless you have the ISP device configured as a bridge/pass-through, it is serving as a router. The best way to determine the current functionality of the ISP device is to look at the WAN IP address of your OpenWrt router. If it is RFC1918 addressing, your ISP device is serving as a router. Please provide us with the first two octets of your IP address on the WAN of the OpenWrt device (aaa.bbb.ccc.ddd --> just provide aaa.bbb - this won't reveal you actual full IP address, but will help us determine if this is a public IP address or not).

If you want your OpenWrt router to serve as a dumb AP (and it can include OpenVPN capabilities, but only for the wifi in this scenario), it is possible to bridge these ports. However, if it is serving as a router, this is not possible, by definition. There is one way you can physically setup the configuration to allow multiple networks across a wire, but this involves VLANs (which is usually possible on OpenWrt, but not likely possible on your ISP device).

Edit: your diagram clearly shows that the isp device is acting as a router. So it is absolutely not a dumb switch. This means that you cannot really achieve what you want without adding a switch to the equation. And this is not an issue with openwrt - it is fundamentally how routers and switches work that require things to be as they are and prevent you from doing what you want, and the presumed lack of user accessible vlan configuration options on your isp router.
Connecting the two routers as you have proposed will likely cause problems. You will need to find another way - maybe install a larger network cabinet or have some equipment outside the box.

The ethernet ports on the router are acting like a dumb switch. The router also has it's own IP to be used as the gateway for the OpenWrt. You can imagine the same setup with a switch instead of the ISP's router and one computer connected to it, which has it's own IP on a different subnet. It does not give out any IPs via DHCP.

So yes and no. A typical consumer wifi router is a wifi AP + switch + router. The switch in the router is likely just a dumb switch. A dumb/unmanaged switch is only supposed to connect to a single network -- passing multiple networks through an unmanaged switch is not the intended use case and is not technically supported. Because the dumb switch inside the ISP device is already connected to the routing system, it has a connection to that network. Even though DHCP is disabled on the ISP router and the two LANs are distinct, it is still not a good idea to connect another network through that unmanaged (embedded) switch. It may work, but it may also cause problems under certain circumstances.

Go ahead and connect them if you want -- nobody is going to stop you. This is extremely bad practice, but if it physically and logically works in your situation, it works.

NOTE FOR FUTURE READERS OF THIS THREAD: I hope it is clear that the OP's network design is highly discouraged as it is a recipe for network problems (and potentially security issues under certain conditions). Also, to be completely clear, this is not an OpenWrt related issue, either, as it is fundamentally something that should be handled by an auxiliary switch in the OP's network cabinet, or a vlan aware smart switch embedded in the main router.

1 Like

Since when do Layer-2 switches care about IP addresses and subnets? I like communities which just try to tell you that your doing everything completely wrong and don't address the actual question.

The point is not that it won't work -- it very well may be okay. However, putting two networks through an unmanaged switch can have a bunch of unintended consequences and can result in network and/or security issues. It is ill-advised to do what you want to do for a lot of reasons.

Because I don't feel like explaining everything myself, I am literally just copy/pasting from another source (and for the record, this doesn't even address non IP protocols, mDNS discovery, and other sticking points that may arise)...

At an ethernet level if you use one unmanaged switch you will only have one network.

At the IP level things get more complicated. Assuming that the two "networks" have non-overlapping subnets and there is no special routing configured then unicast traffic will not pass directly between the networks as the clients will see it is "out of network" and send it to the default gateway. The default gateway can then chose whether to pass it onwards to the other subnet or not (there is also an ICMP packet type that allows the gateway to tell clients to send future packets directly)

I'm not sure what will happen to packets sent to the subnet broadcast address, I expect machines in the other subnet will discard them but i'm not positive on that.

Packets sent to will be received by all systems connected to the ethernet network. Unicast replies to them on the other hand will probablly only get through if there is a router available to do so (see above). This may confuse some systems.

A malicious device on one subnet could easilly detect that the other subnet exists and establish an address on it.

It's not uncommon to run multiple subnets on the same ethernet network due to address space constraints but you should not consider them isolated from a security perspective and you should be careful about anything that relies on broadcasts.

I can easily change the IP of my ISP's router to the same subnet as the OpenWrt. The reason I was going for two subnets was that my devices should always route through the OpenWrt. In summary I would have a double NAT. Because of firewall settings I need my OpenWrt to do NAT. My firewall rules look like this:
Without the NAT on my OpenWrt a device on lan2 could access the internet without going through the VPN. Therefor I was choosing two subnets with one only known to my OpenWrt and the ISP's router.