What to look out for when migrating an (Arch) Linux router to OpenWrt or similar technology?

Hello again and apologies if this has been referred to elsewhere in our community.

On my Arch Linux router I am going 'berserk' trying to set it up as the IPTV home gateway, so that I could connect the ISP-supplied IPTV STB under 'its wing' inside its own managed systemd-networkd network.

In the current setup, systemd-networkd is responsible for 3 internal VLANs that it hands out as a trunk to two other OpenWrt sub-routers (through the intervention of an unmanaged switch). There, at the OpenWrt routers, I can access the internet on all the configured VLANs, but if I try to connect the ISP IPTV, it simply doesn't work.

Since this is a mixed/hybrid setup with several Linux distros being used, I thought I would be better off, somehow, harmonizing this by having all of the decision-making systems run the same distro. (Yes, OpenWrt, of course.)

The final goal is to use OpenWrt as similarly as possible to the current Arch Linux router use case.

So, with the necessary adaptations:

Make the would-be OpenWrt router able to:

  1. Serve as a home router / gateway behind the ISP gateway;
  2. Keep the services (NGINX Proxy Manager and several other Docker services) available there;
  3. Basically, carry all needed data over from one system to the other.

Is this reasonable?

Thank you.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hello @brada4.

Thank you for your interest and assistance.

I forgot to mention, but I've already tried to use the ISP STB on the Arch router, and couldn't actually make it work. So I was directing all my efforts to that front.

The OpenWrt router to which I intend to connect the aforementioned STB has the information you requested. (I think) I have redacted the sensitive information. Please warn me if otherwise:

ubus call system board

{
        "kernel": "5.15.162",
        "hostname": "asusrouter",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}


cat /etc/config/network :

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd77:81ad:7161::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option bridge_empty '1'
	option igmp_snooping '1'
	option igmpversion '3'

config device
	option name 'lan1'
	option macaddr 'redacted'

config device
	option name 'lan2'
	option macaddr 'redacted'

config device
	option name 'lan3'
	option macaddr 'redacted'

config device
	option name 'lan4'
	option macaddr 'redacted'
	option igmpversion '3'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '10.0.1.40'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '10.0.1.16'
	list dns '10.0.1.16'
	list dns '1.1.1.1'

config device
	option name 'eth1'
	option macaddr 'redacted'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'eth1:t'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'eth1:t'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '10.0.20.40'
	option netmask '255.255.255.0'
	option gateway '10.0.20.16'
	list dns '10.0.20.16'
	list dns '1.1.1.1'
	option ip6assign '64'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.30'
	option ipaddr '10.0.30.40'
	option netmask '255.255.255.0'
	option gateway '10.0.30.16'
	list dns '10.0.30.16'
	list dns '1.1.1.1'
	option ip6assign '64'

config device
	option name 'br-lan.20'
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option multicast '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'eth1:t'
	list ports 'lan4'

config interface 'iptv'
	option proto 'static'
	option device 'br-lan.40'
	option ipaddr '10.0.40.40'
	option netmask '255.255.255.0'
	option gateway '10.0.40.16'
	list dns '10.0.40.16'
	list dns '1.1.1.1'
	option ip6assign '64'

config device
	option name 'br-lan.40'
	option type '8021q'
	option ifname 'br-lan'
	option vid '40'
	option igmpversion '3'

cat /etc/config/wireless


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'redacted'
	option encryption 'psk2+tkip+ccmp'
	option key 'redacted'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'PT'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'redacted'
	option encryption 'psk2+ccmp'
	option key 'redacted'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'redacted'
	option encryption 'psk2+tkip+ccmp'
	option key 'redacted'
	option network 'iot'
	option disabled '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'redacted'
	option encryption 'psk2+tkip+ccmp'
	option key 'redacted'
	option network 'iot'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'redacted'
	option encryption 'psk2+tkip+ccmp'
	option key 'redacted'
	option network 'guest'
	option disabled '1'

config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'redacted'
	option encryption 'psk2+tkip+ccmp'
	option key 'redacted'
	option network 'guest'

cat /etc/config/dhcp :


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

config dhcp 'iptv'
	option interface 'iptv'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

cat /etc/config/firewall :


config defaults
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'iot'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'iot'

config zone
	option name 'guest'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'guest'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'iot'
	option dest 'wan'

config rule
	option name 'iot dns'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'guest dns'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'iot dhcp'
	list proto 'udp'
	option src 'iot'
	option dest_port '67 68'
	option target 'ACCEPT'

config rule
	option name 'guest dhcp'
	option src 'guest'
	option dest_port '67 68'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'iptv'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iptv'
	option masq '1'

config rule
	option name 'iptv dns'
	option src 'iptv'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'iptv dhcp'
	option src 'iptv'
	option dest_port '67 68'
	option target 'ACCEPT'
	list proto 'udp'

config forwarding
	option src 'iptv'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'iptv'

Thank you.

Maybe you need to fix up the multicast TTL to trick the STB; it is hard to tell without a traffic dump, which you should not be sharing. The AX4200 is a decent replacement for the Arch box.

Hi again @brada4.

Thank you for your suggestions.

I am going to try out OpenWrt x86 on a live USB and see if it behaves well, and then I will proceed to the migration of the system to that x86 version of OpenWrt.

See you soon.

Is igmpproxy installed?
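As an added example (not code from this thread, from OpenWrt or from the igmpproxy package), the following script is the kind of check a practitioner would run over the config dump posted above before trusting the "iptv" zone, and it also answers the "is igmpproxy installed and pointed at the right network?" question mechanically. It contains a minimal parser for UCI text and three audits: firewall zones that masquerade yet accept input (the posted iptv zone has input ACCEPT, forward ACCEPT and masq 1, plus a wan -> iptv forwarding), zones with no members (the posted wan zone lists no network), enabled APs that still allow TKIP, and an igmpproxy config that lacks an upstream or a downstream on the STB's network. The firewall and wireless samples are constructed from the posted config, trimmed; the igmpproxy sample is an assumed /etc/config/igmpproxy in the package's UCI format. On the router you would feed it the real files (cat /etc/config/firewall and so on) instead of the embedded strings.

```python
# Added example, not part of the thread: parse UCI config text and audit it.
# Sample texts are constructed (trimmed from the posted config); the igmpproxy
# sample is an assumed /etc/config/igmpproxy, not something the poster showed.
import re

FIREWALL_SAMPLE = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
config zone
	option name 'wan'
	option input 'DROP'
	option forward 'DROP'
	option masq '1'
config zone
	option name 'iptv'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iptv'
	option masq '1'
config forwarding
	option src 'wan'
	option dest 'iptv'
"""
WIRELESS_SAMPLE = """
config wifi-iface 'default_radio1'
	option encryption 'psk2+ccmp'
config wifi-iface 'wifinet2'
	option encryption 'psk2+tkip+ccmp'
	option disabled '1'
config wifi-iface 'wifinet3'
	option encryption 'psk2+tkip+ccmp'
"""
IGMPPROXY_SAMPLE = """
config phyint wan
	option network 'wan'
	option direction 'upstream'
	list altnet '0.0.0.0/0'
config phyint lan
	option network 'lan'
	option direction 'downstream'
"""

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]; 'list' entries become Python lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # a token is a single-quoted string (may contain spaces, e.g. '67 68') or a bare word
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]
        if tok[0] == "config":
            cur = {"type": tok[1], "name": tok[2] if len(tok) > 2 else None, "opts": {}}
            sections.append(cur)
        elif tok[0] == "option" and cur is not None and len(tok) > 1:
            cur["opts"][tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok[0] == "list" and cur is not None and len(tok) > 1:
            cur["opts"].setdefault(tok[1], []).append(tok[2] if len(tok) > 2 else "")
    return sections

def audit_firewall(sections):
    """A masquerading zone is WAN-facing: it should not accept input to the router,
    and the WAN side should not be allowed to initiate forwarded flows."""
    findings = []
    for z in (s["opts"] for s in sections if s["type"] == "zone"):
        name = z.get("name")
        if z.get("masq") == "1" and z.get("input") == "ACCEPT":
            findings.append(f"zone '{name}' masquerades but accepts input to the router")
        if not any(k in z for k in ("network", "device", "subnet")):
            findings.append(f"zone '{name}' has no members; rules naming it match nothing")
    for s in sections:
        if s["type"] == "forwarding" and s["opts"].get("src") == "wan":
            findings.append(f"forwarding wan -> '{s['opts'].get('dest')}' lets the upstream side open connections")
    return findings

def audit_wireless(sections):
    """TKIP is a deprecated cipher; flag it on every AP that is not disabled."""
    return [f"wifi-iface '{s['name']}' allows TKIP ({s['opts']['encryption']})"
            for s in sections
            if s["type"] == "wifi-iface" and s["opts"].get("disabled") != "1"
            and "tkip" in s["opts"].get("encryption", "")]

def audit_igmpproxy(sections, stb_network):
    """igmpproxy needs one upstream phyint and a downstream phyint on the STB's network."""
    phy = [s["opts"] for s in sections if s["type"] == "phyint"]
    findings = []
    if not any(p.get("direction") == "upstream" for p in phy):
        findings.append("igmpproxy: no upstream phyint, nothing pulls multicast in")
    if stb_network not in [p.get("network") for p in phy if p.get("direction") == "downstream"]:
        findings.append(f"igmpproxy: '{stb_network}' is not a downstream phyint, the STB gets no streams")
    return findings

def audit_all(firewall, wireless, igmpproxy, stb_network="iptv"):
    """Run every audit over the three config texts and return the combined findings."""
    return (audit_firewall(parse_uci(firewall)) + audit_wireless(parse_uci(wireless))
            + audit_igmpproxy(parse_uci(igmpproxy), stb_network))
```

Calling audit_all(FIREWALL_SAMPLE, WIRELESS_SAMPLE, IGMPPROXY_SAMPLE) on the samples returns five findings: the iptv zone accepting input while masquerading, the empty wan zone, the wan -> iptv forwarding, the TKIP-enabled wifinet3 AP, and the missing igmpproxy downstream on iptv. The zone checks are heuristics for a downstream router like this one (the posted wan zone has no network attached, so the Allow-* rules referencing it are inert); whether the wan -> iptv forwarding is acceptable depends on what actually sits on the WAN side of the iptv segment.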

Also, you may try a virtual hive of multiple router systems: VyOS, BSD, etc.

Hi, @lleachii. On the Asus router, yes; on the Arch router, I've just installed it now.

@brada4 Virtual hive rings a bell, but I think I don't have the hardware to be able to do that, have I?

I was referring to OpenWrt.

Yes it is installed.


I've checked Virtual Hive. This is it, isn't it? I would have to check that; sorry for my previous answer.

Install multiple routing virtual machines and connect them with virtual networks, like one for DNS, one for the firewall, then one for the IDS, etc.

Hi again, @brada4, that would be nice. One question, though. How could I virtualize the ISP STB, which is my main goal here? The ultimate purpose/goal is to be able to use the ISP's STB as one should when it is connected directly to the ISP hardware.

You likely need to bridge it to the STB as if your router was not there; you can inspect the traffic, though.