This page is also available in Dutch.


This article describes how to set up VDSL for Freedom.nl, using my own modem and router combination. I use this setup at my parents' house. They only use the internet; they do not watch “legacy” TV, nor do they have a landline phone. So the network setup is relatively simple.

I opted not to receive Freedom's Fritzbox because I had no intention of ever using it. Those things offer way too much functionality for my liking, without providing any source code. All I want is a dumb modem that does as little as possible. It should convert the DSL to an ethernet trunk, and nothing more.

Luckily, Freedom is one of the few ISPs in the world not pushing mandatory devices on their customers. In fact, they let you select whether you want any of their hardware during the ordering process, and they even give a small discount if you don't want any.

I am a big proponent of modem and router freedom, so I do not agree with the current situation of nearly all ISPs forcing modem-routers upon their subscribers. The Germans call this Routerzwang. (Of course, they have a word for it…)

As my modem, I use a DrayTek Vigor 165, which I configured as a fully transparent bridge, meaning that it has no internet access of its own. Unfortunately, no FOSS DSL modems seem to exist, so this seemed to be the best compromise. I don't trust the Vigor at all, but at least it can be sandboxed completely.

All the actual work would be done by my trusty TP-Link TL-WDR4300 running OpenWrt. Because this device has an Atheros AR9344 chipset, it requires no blobs to operate.



Configuring the DrayTek Vigor 165 modem

The Vigor 165 has to be configured in MPoA Full Bridge Mode. The Vigor 130 had to be put in Bridge Mode to let your router handle 802.1Q VLAN tags, but that does not work at all with the Vigor 165. In fact, I found out that Bridge Mode on the Vigor 165 actually strips all 802.1Q headers, so Full Bridge Mode has to be used instead.

Contrary to what DrayTek's documentation states, no VLAN tag insertion has to be done by the Vigor at all. It can all be left disabled, and the OpenWrt router can tag the internet traffic while still being able to access the Vigor's web interface and SSH server, when configured correctly.

In the following steps, I'll describe how to set up the Vigor 165 to be a transparent bridge. I wanted the following things to work:


Setting up VLAN tagging

VLAN tagging should not be done by the Vigor. So under Internet Access > General Setup set all three dropdown boxes to Disable.
I also set the DSL Mode to VDSL2 Only while I was at it, but that should probably not be important.

Save the settings, but don't reboot yet.

Setting up MPoA full bridge mode

Under Internet Access > MPoA / Static or dynamic IP, set MPoA (RFC1483/2684) to Enable and tick the Enable Full Bridge Mode box.

While I was at it, I also entered the ADSL configuration properly, although it's not needed for VDSL. Freedom has documented their settings here.

Save the settings, but don't reboot yet.

Setting up the LAN so the modem can still be reached

Under LAN > General Setup, change the 1st IP Address to 192.168.200.1 and set DHCP Server configuration to Disable.
On the LAN 1 IPv6 Setup tab, set DHCPv6 Server to Disable Server.

Save the settings, but don't reboot yet.

Setting up NTP time synchronization

Because the Vigor will be unable to access the internet itself, it should get its NTP clock from the OpenWrt router.

Under System Maintenance > Time and Date, set Time Server to 192.168.200.2.

Save the settings, but don't reboot yet.

Enabling Jumbo Frames

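This can't be done through the GUI, so we will have to SSH to the Vigor. The two -o options re-enable a legacy key exchange algorithm and a CBC cipher that current OpenSSH clients leave disabled by default; passing them on the command line limits them to this one connection: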

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o Ciphers=+aes128-cbc admin@192.168.1.1

Then enable Jumbo Frames:

port jumbo on
port jumbo 9022


Rebooting the modem

Go to System Maintenance > Reboot and select Using current configuration. Then click the Reboot Now button.



Configuring the OpenWrt TL-WDR4300 router

The OpenWrt router will serve as the actual endpoint in the IP network. All packets just pass through the modem unaltered.

This means that the router will have to serve as a VLAN capable switch, a PPPoE client, a NAT gateway, a DHCPv4 and DHCPv6 server, an IPv6 RA server for SLAAC and a caching DNS server. It will also have to serve as an NTP server so the Vigor can set its clock, for which we have to set up a separate (untagged) VLAN. Using that VLAN, we'll also be able to access the Vigor's configuration pages, SSH server, and so on.

Setting up VLANs

First, we have to set up the switch. In /etc/config/network, change the config switch_vlan sections at the bottom as follows:

# This is the LAN VLAN, bridging the four yellow LAN ports
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
 
# This is the untagged WAN VLAN to access the Vigor on the blue WAN port
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
 
# This is the tagged WAN VLAN to access the internet, passing through the Vigor
config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 1t'



Setting up the WAN interfaces

Higher up in /etc/config/network, change the wan and wan6 interfaces as follows.

# This sets the ethernet adapter's MTU to 1508, so we can use MTU 1500 in the PPPoE tunnel
config device
	option name 'eth0'
	option mtu '1508'
 
# The LAN bridge; its MTU of 1500 is set on the 'lan' interface below
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
 
config interface 'lan'
	option device 'br-lan'
	option mtu '1500'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
 
# This is the untagged interface to talk to the Vigor
config interface 'modem'
	option device 'eth0.2'
	option mtu '1500'
	option proto 'static'
	option ipaddr '192.168.200.2'
	option netmask '255.255.255.0'
	option force_link '0'
 
# This is the tagged WAN VLAN to access the internet, passing through the Vigor
# Set the MTU to 1508, because PPPoE has 8 bytes overhead
config interface 'wan'
	option device 'eth0.6'
	option proto 'pppoe'
	option mtu '1508'
	option username 'fake@freedom.nl'
	option password '1234'
	# Not necessary, but I prefer extra logging
	option pppd_options 'debug'

Be sure to completely remove the wan6 interface, as it is not needed. The PPPoE tunnel will create a virtual IPv6 WAN interface automatically.

In /etc/config/dhcp, add the modem interface:

config dhcp 'modem'
	option interface 'modem'
	option ignore '1'
 
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'



Setting up the firewall

In /etc/config/firewall, add the modem zone and allow the lan zone to access it:

config zone
	option name 'modem'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option network 'modem'
 
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'
 
config forwarding
	option src 'lan'
	option dest 'modem'
 
config forwarding
	option src 'lan'
	option dest 'wan'



Setting up the NTP server

In /etc/config/system, add the enable_server parameter:

config timeserver 'ntp'
	option enabled '1'
	option enable_server '1'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'


In /etc/config/firewall, add a rule to allow the incoming NTP traffic:

config rule
	option name 'Allow NTP from modem'
	option src 'modem'
	option src_ip '192.168.200.1'
	option family 'ipv4'
	option dest_port '123'
	option proto 'udp'
	option target 'ACCEPT'
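
Sandboxing the Vigor depends on the modem zone defined earlier and on this NTP rule being the only thing accepted from it. The following shell function is an added example, not part of the original article, that audits a firewall file for that property; the function names and the inline sample configs are constructed for illustration.

```shell
# Added example: check that an untrusted OpenWrt firewall zone stays sandboxed.
# audit_zone <file|-> <zone>: prints findings, returns 0 only if clean.
audit_zone() {
    awk -v zone="$2" -v q="'" '
    function finish() {
        if (type == "zone" && o["name"] == zone) {
            seen = 1   # assumption of this audit: unset policies are flagged too
            if (o["input"] !~ /^(REJECT|DROP)$/)   { print "FAIL input=" o["input"]; bad = 1 }
            if (o["forward"] !~ /^(REJECT|DROP)$/) { print "FAIL forward=" o["forward"]; bad = 1 }
        }
        if (type == "forwarding" && o["src"] == zone) { print "FAIL forwarding to " o["dest"]; bad = 1 }
        if (type == "rule" && o["src"] == zone && o["target"] == "ACCEPT")
            print "ALLOW " o["proto"] "/" o["dest_port"] " from " o["src_ip"]
        split("", o)   # portable way to clear the option array
    }
    $1 == "config" { finish(); type = $2 }
    $1 == "option" {
        v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)   # keep only the value
        gsub("[" q "\"]", "", v); sub(/[ \t]+$/, "", v)          # strip quotes, padding
        o[$2] = v
    }
    END { finish(); if (!seen) { print "FAIL zone missing: " zone; bad = 1 }; exit bad + 0 }
    ' "$1"
}

# Constructed sample: this page's modem sections, trimmed to the options read above.
sample_good() { cat <<'EOF'
config zone
    option name 'modem'
    option input 'REJECT'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'modem'
config rule
    option src 'modem'
    option src_ip '192.168.200.1'
    option dest_port '123'
    option proto 'udp'
    option target 'ACCEPT'
EOF
}
# Constructed misconfiguration: open input policy, plus a way out to the WAN.
sample_bad() {
    sample_good | sed "s/option input 'REJECT'/option input 'ACCEPT'/"
    printf "config forwarding\n\toption src 'modem'\n\toption dest 'wan'\n"
}

sample_good | audit_zone - modem && echo "modem zone is sandboxed"
sample_bad  | audit_zone - modem || echo "modem zone is NOT sandboxed"
```

On the router itself, run audit_zone /etc/config/firewall modem after every firewall change; each ALLOW line is an exception to review, and any FAIL line means the modem can reach more than intended.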



Applying the settings

Finally, restart the affected daemons:

service network restart
service firewall restart
service dnsmasq restart
service odhcpd restart
service sysntpd restart

Or just:

reboot



Success?

If you followed everything correctly, you should now receive a /32 IPv4 address and a /48 IPv6 prefix on your pppoe-wan interface.

Connected LAN clients should get a DHCPv4 lease, a DHCPv6 lease and a SLAAC address.

You should be able to access your Vigor on http://192.168.200.1/, and your Vigor should have been able to pick up the time from your router.