===== OpenWrt with Freedom Internet VDSL2 using a DrayTek Vigor 165 modem and a TP-Link TL-WDR4300 router =====

This page is also available in [[handleidingen:netwerk:openwrt-freedom-vdsl|Dutch]].

----

This article describes how to set up VDSL for [[https://freedom.nl/|Freedom.nl]], using my own modem and router combination. I use this setup at my parents' house. They only use the internet; they do not watch "legacy" TV, nor do they have a landline phone. So the network setup is relatively simple.

I opted not to receive Freedom's Fritzbox because I had no intention of ever using it. Those things offer **way** too much functionality to my liking, without providing any source code. All I want is a dumb modem that does as little as possible. It should convert the DSL to an ethernet trunk, and nothing more.

Luckily, Freedom is one of the few ISPs in the world not pushing mandatory devices on their customers. In fact, they let you select whether you want any of their hardware during the ordering process, and they even give a small discount if you don't want any. I am a big proponent of modem and router freedom, so I do not agree with the current situation of nearly all ISPs forcing modem-routers upon their subscribers. The Germans call this **[[https://de.wikipedia.org/wiki/Routerzwang|Routerzwang]]**. (Of course, they have a word for it...)

As my modem, I use a [[https://tweakers.net/pricewatch/1312228/draytek-vigor-165-annex-a.html|DrayTek Vigor 165]], which I configured as a fully transparent bridge, meaning that it has no internet access of its own. Unfortunately, no FOSS DSL modems seem to exist, so this seemed to be the best compromise. I don't trust the Vigor at all, but at least it can be sandboxed completely.

All the actual work would be done by my trusty [[https://www.tp-link.com/nl/home-networking/wifi-router/tl-wdr4300/|TP-Link TL-WDR4300]] running [[https://openwrt.org/|OpenWrt]].
Because this device has an Atheros AR9344 chipset, it requires no blobs to operate.

----

==== Configuring the DrayTek Vigor 165 modem ====

The Vigor 165 has to be configured in **MPoA Full Bridge Mode**. On the Vigor 130, you had to put the modem in **Bridge Mode** to let your router handle 802.1Q VLAN tags, but this does not work at all with the Vigor 165. In fact, I found out that **Bridge Mode** on the Vigor 165 actually //strips all 802.1Q headers//, so **Full Bridge Mode** has to be used instead. Contrary to what DrayTek's documentation states, //no VLAN tag insertion has to be done by the Vigor at all//. It can all be left disabled, and the OpenWrt router can tag the internet traffic while still being able to access the Vigor's web interface and SSH server, when configured correctly.

In the following steps, I'll describe how to set up the Vigor 165 to be a transparent bridge. I wanted the following things to work:

  * The LAN 1 port on the Vigor 165 should essentially become an unfiltered ethernet trunk;
  * The Vigor 165 should be unable to access the internet itself: as I don't have any source code, it can't be trusted;
  * The OpenWrt router should handle 802.1Q tags and the PPPoE encapsulation;
  * The OpenWrt router should be able to use [[https://tools.ietf.org/html/rfc4638|RFC 4638]] / Baby Jumbo Frames;
  * The Vigor's web interface and SSH server should still be reachable from the LAN on the OpenWrt router;
  * The Vigor's clock should be synchronized over NTP from my LAN;
  * Every other functionality of the Vigor 165 should be disabled entirely.

=== Setting up VLAN tagging ===

VLAN tagging should **not** be done by the Vigor. So under **Internet Access** > **General Setup**, set all three dropdown boxes to ''Disable''.\\
I also set the **DSL Mode** to ''VDSL2 Only'' while I was at it, but that should probably not be important.

Save the settings, but don't reboot yet.
=== Setting up MPoA full bridge mode ===

Under **Internet Access** > **MPoA / Static or dynamic IP**, set **MPoA (RFC1483/2684)** to ''Enable'' and tick the ''Enable Full Bridge Mode'' box. While I was at it, I also entered the ADSL configuration properly, although it's not needed for VDSL. Freedom has documented their settings [[https://freedom.nl/helpdesk/internet/algemene-instellingen|here]].

Save the settings, but don't reboot yet.

=== Setting up the LAN so the modem can still be reached ===

Under **LAN** > **General Setup**, change the **1st IP Address** to ''192.168.200.1'' and set **DHCP Server configuration** to ''Disable''.\\
On the **LAN 1 IPv6 Setup** tab, set **DHCPv6 Server** to ''Disable Server''.

Save the settings, but don't reboot yet.

=== Setting up NTP time synchronization ===

Because the Vigor will be unable to access the internet itself, it should get its NTP clock from the OpenWrt router. Under **System Maintenance** > **Time and Date**, set **Time Server** to ''192.168.200.2''.

Save the settings, but don't reboot yet.

=== Enabling Jumbo Frames ===

This can't be done through the GUI, so we will have to SSH to the Vigor:

<code>
ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o Ciphers=+aes128-cbc admin@192.168.1.1
</code>

Then enable Jumbo Frames:

<code>
port jumbo on
port jumbo 9022
</code>

=== Rebooting the modem ===

Go to **System Maintenance** > **Reboot** and select ''Using current configuration''. Then click the ''Reboot Now'' button.

----

==== Configuring the OpenWrt TL-WDR4300 router ====

The OpenWrt router will serve as the actual endpoint in the IP network. All packets just pass through the modem unaltered. This means that the router will have to serve as a VLAN capable switch, a PPPoE client, a NAT gateway, a DHCPv4 and DHCPv6 server, an IPv6 RA server for SLAAC and a caching DNS server. It will also have to serve as an NTP server so the Vigor can set its clock, for which we have to set up a separate (untagged) VLAN.
Using that VLAN, we'll also be able to access the Vigor's configuration pages, SSH server, and so on.

=== Setting up VLANs ===

First, we have to set up the switch. In ''/etc/config/network'', change the bottom ''config switch_vlan'' parts as follows:

<code>
# This is the LAN VLAN, bridging the four yellow LAN ports
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 2 3 4 5'

# This is the untagged WAN VLAN to access the Vigor on the blue WAN port
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 1'

# This is the tagged WAN VLAN to access the internet, passing through the Vigor
config switch_vlan
    option device 'switch0'
    option vlan '6'
    option ports '0t 1t'
</code>

=== Setting up the WAN interfaces ===

Higher up in ''/etc/config/network'', change the ''wan'' and ''wan6'' interfaces as follows.

<code>
# This sets the ethernet adapter's MTU to 1508, so we can use MTU 1500 in the PPPoE tunnel
config device
    option name 'eth0'
    option mtu '1508'

# Set the LAN MTU to 1500
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'lan'
    option device 'br-lan'
    option mtu '1500'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

# This is the untagged interface to talk to the Vigor
config interface 'modem'
    option device 'eth0.2'
    option mtu '1500'
    option proto 'static'
    option ipaddr '192.168.200.2'
    option netmask '255.255.255.0'
    option force_link '0'

# This is the tagged WAN VLAN to access the internet, passing through the Vigor
# Set the MTU to 1508, because PPPoE has 8 bytes overhead
config interface 'wan'
    option device 'eth0.6'
    option proto 'pppoe'
    option mtu '1508'
    option username 'fake@freedom.nl'
    option password '1234'
    # Not necessary, but I prefer extra logging
    option pppd_options 'debug'
</code>

Be sure to completely remove the ''wan6'' interface, as it is not needed. The PPPoE tunnel will create a virtual IPv6 WAN interface automatically.
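As an added example (not part of the original page), a small Python audit of the two invariants this section relies on: the blue WAN port has to be untagged in the modem VLAN but tagged in the internet VLAN, and the PPPoE interface's parent NIC needs 8 bytes of headroom for RFC 4638. The config excerpt inside is constructed from the settings above, and ''parse_uci'', ''port_membership'' and ''max_ppp_payload'' are my own names, not OpenWrt tooling.

```python
# Constructed excerpt of /etc/config/network carrying the page's switch and
# WAN settings (sample input typed here, not read from a real router).
NETWORK = """
config switch_vlan
    option vlan '2'
    option ports '0t 1'
config switch_vlan
    option vlan '6'
    option ports '0t 1t'
config device
    option name 'eth0'
    option mtu '1508'
config interface 'wan'
    option device 'eth0.6'
    option proto 'pppoe'
    option mtu '1508'
"""

def parse_uci(text):
    """Parse UCI text into a list of (type, name, {option: value}) sections."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2][parts[1]] = parts[2].strip().strip("'\"")
    return sections

def port_membership(sections, port):
    """VLAN id -> 'tagged'/'untagged' for one switch port (1 = blue WAN port, 0 = CPU)."""
    result = {}
    for kind, _, opts in sections:
        if kind == "switch_vlan":
            for p in opts.get("ports", "").split():
                if p.rstrip("t") == str(port):
                    result[int(opts["vlan"])] = "tagged" if p.endswith("t") else "untagged"
    return result

def max_ppp_payload(sections):
    """Largest PPP payload the PPPoE parent NIC can carry: MTU minus the 6-byte PPPoE header and 2-byte PPP protocol field."""
    devs = {o.get("name"): o for k, _, o in sections if k == "device"}
    for kind, _, opts in sections:
        if kind == "interface" and opts.get("proto") == "pppoe":
            parent = opts["device"].split(".")[0]  # eth0.6 -> eth0
            return int(devs.get(parent, {}).get("mtu", 1500)) - 8
    return None
```

Run it against a real ''/etc/config/network'' by reading the file into ''NETWORK''; a port that shows up untagged in two VLANs, or a payload below 1500, points at the switch or MTU section being off.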
In ''/etc/config/dhcp'', add the ''modem'' interface:

<code>
config dhcp 'modem'
    option interface 'modem'
    option ignore '1'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'
</code>

=== Setting up the firewall ===

In ''/etc/config/firewall'', add the ''modem'' zone and allow the ''lan'' zone to access it:

<code>
config zone
    option name 'modem'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option network 'modem'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan'

config forwarding
    option src 'lan'
    option dest 'modem'

config forwarding
    option src 'lan'
    option dest 'wan'
</code>

=== Setting up the NTP server ===

In ''/etc/config/system'', add the ''enable_server'' parameter:

<code>
config timeserver 'ntp'
    option enabled '1'
    option enable_server '1'
    list server '0.openwrt.pool.ntp.org'
    list server '1.openwrt.pool.ntp.org'
    list server '2.openwrt.pool.ntp.org'
    list server '3.openwrt.pool.ntp.org'
</code>

In ''/etc/config/firewall'', add a rule to allow the incoming NTP traffic:

<code>
config rule
    option name 'Allow NTP from modem'
    option src 'modem'
    option src_ip '192.168.200.1'
    option family 'ipv4'
    option dest_port '123'
    option proto 'udp'
    option target 'ACCEPT'
</code>

=== Applying the settings ===

Finally, restart the affected daemons:

<code>
service network restart
service firewall restart
service dnsmasq restart
service odhcpd restart
service sysntpd restart
</code>

Or just:

<code>
reboot
</code>

==== Success? ====

If you followed everything correctly, you should now receive a /32 IPv4 address and a /48 IPv6 prefix on your ''pppoe-wan'' interface. Connected LAN clients should get a DHCPv4 lease, a DHCPv6 lease and a SLAAC address. You should be able to access your Vigor on [[http://192.168.200.1/]], and your Vigor should have been able to pick up the time from your router.

----