OpenWrt with XS4ALL Vectored VDSL2 using a DrayTek Vigor 165 bridge

When my street cabinet was upgraded and I could finally get Vectored VDSL2, I was able to return to XS4ALL, using my own modem and router combination. I only use the internet; I do not watch TV, nor do I have a home phone. So my network setup is relatively simple.

I declined receiving XS4ALL's Fritz!Box because I had no intention of ever using it. Those things offer way too much functionality for my liking, without providing any source code. All I want is a dumb modem that does as little as possible. It should convert the DSL to an ethernet trunk, and nothing more.

I am also a big proponent of modem and router freedom, so I do not agree with the current situation of ISPs forcing modem-routers upon their subscribers. The Germans call this Routerzwang. (Of course, they have a word for it…)

So instead of leasing a Fritz!Box, I bought a DrayTek Vigor 165 VDSL2 modem, with Supervectoring / Vplus / 35B support, which I configured as a fully transparent bridge, meaning that it has no internet access of its own. Unfortunately, no FOSS xDSL modems seem to exist, so this seemed to be the best compromise. I don't trust the Vigor at all, but at least it can be sandboxed completely.

All the actual work would be done by my trusty TP-Link TL-WDR4300 running OpenWrt. Because this device has an Atheros AR9344 chipset, it requires no blobs to operate.




Configuring the DrayTek Vigor 165 modem

The Vigor 165 has to be configured in MPoA Full Bridge Mode. It took me a while to figure everything out, because DrayTek's documentation is mostly incorrect Engrish, and setting names seem to differ completely between the older Vigor 130 and the 165. The Vigor 165 offers two bridge modes: Bridge Mode and Full Bridge Mode.
On the Vigor 130, plain Bridge Mode let your router handle the 802.1Q VLAN tags, but that does not work at all on the Vigor 165. In fact, I found out that Bridge Mode on the Vigor 165 actually strips all 802.1Q headers, so Full Bridge Mode has to be used instead.

Contrary to what DrayTek's documentation also states, no VLAN tag insertion has to be done by the Vigor at all. It can all be left disabled, and the OpenWrt router can tag the internet traffic while still being able to access the Vigor's web interface and SSH server, when configured correctly.

In the following steps, I'll describe how to set up the Vigor 165 to be a transparent bridge. I wanted the following things to work:

  • The LAN1 port on the Vigor 165 should essentially become an unfiltered ethernet trunk;
  • The Vigor 165 should be completely unable to access the internet itself - as I don't have any source code, it can't be trusted;
  • The OpenWrt router should handle 802.1Q tags and the PPPoE session;
  • The Vigor's web interface and SSH server should still be reachable from the LAN on the OpenWrt router;
  • The Vigor's clock should be synchronized over NTP from my LAN;
  • Every other functionality of the Vigor 165 should be disabled completely.


Setting up VLAN tagging

VLAN tagging should not be done by the Vigor. So under Internet Access > General Setup set all three dropdown boxes to Disable.
I also set the DSL Mode to VDSL2 Only while I was at it, but that should probably not be important.

Save the settings, but don't reboot yet.

Setting up MPoA full bridge mode

Under Internet Access > MPoA / Static or dynamic IP, set MPoA (RFC1483/2684) to Enable and tick the Enable Full Bridge Mode box.

While I was at it, I also entered the ADSL configuration properly, although it's not needed for VDSL. XS4ALL has documented their settings here.

Save the settings, but don't reboot yet.

Setting up the LAN so the modem can still be reached

Under LAN > General Setup, change the 1st IP Address to 192.168.100.1 and set DHCP Server configuration to Disable.
On the LAN 1 IPv6 Setup tab, set DHCPv6 Server to Disable Server.

Save the settings, but don't reboot yet.

Setting up NTP time synchronization

Because the Vigor will be unable to access the internet itself, it should get its NTP clock from the OpenWrt router.

Under System Maintenance > Time and Date, set Time Server to 192.168.100.2.

Save the settings.

Rebooting the modem

Go to System Maintenance > Reboot and select Using current configuration. Then click the Reboot Now button.





Configuring the OpenWrt TL-WDR4300 router

The OpenWrt router will serve as the actual endpoint in the IP network. All packets just pass through the modem unaltered.

This means that the router will have to serve as a VLAN capable switch, a PPPoE client, a NAT gateway, a DHCPv4 and DHCPv6 server, and an IPv6 RA server for SLAAC. It will also have to serve as an NTP server so the Vigor can set its clock, for which we have to set up a separate (untagged) VLAN. Using that VLAN, we'll also be able to access the Vigor's configuration pages, SSH server, and so on.

I prefer using SSH and vi to configure OpenWrt, but I'll also try to document the GUI.

Setting up VLANs

First, we have to set up the switch. On the TL-WDR4300, switch port 0 is the CPU port (eth0), port 1 is the blue WAN port and ports 2 to 5 are the four yellow LAN ports. In /etc/config/network, change the config switch_vlan sections at the bottom as follows:

# This is the LAN VLAN, bridging the four yellow LAN ports
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3 4 5'
 
# This is the untagged WAN VLAN to access the Vigor on the blue WAN port
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
 
# This is the tagged WAN VLAN to access the internet, passing through the Vigor
config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 1t'


If you prefer to use LuCI, set up Network > Switch like this:

Click Save, but don't apply it yet.

Setting up the WAN interfaces

Higher up in /etc/config/network, change the wan and wan6 interfaces as follows:

# This is the untagged interface to talk to the Vigor
config interface 'modem'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.100.2'
	option netmask '255.255.255.0'
	option force_link '0'
 
# This is the tagged interface to talk to XS4ALL
# Note that you do not need the separate wan6 interface: remove it!
config interface 'wan'
	option ifname 'eth0.6'
	option proto 'pppoe'
	option username 'xs4all'
	option password 'xs4all'


In /etc/config/dhcp, add the modem interface:

config dhcp 'modem'
	option interface 'modem'
	option ignore '1'
 
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'


If you prefer to use LuCI, set up Network > Interfaces > Modem like this:

Also make sure to tick the Ignore interface box under DHCP Server and disable everything under DHCP Server > IPv6 Settings.
On the Advanced Settings tab, untick the Force link box.

Click Save, but don't apply it yet.

Then set up Network > Interfaces > WAN like this:

Click Save, but don't apply it yet.

Also be sure to completely remove the WAN6 interface, as it is not needed. The PPPoE tunnel will create a virtual IPv6 WAN interface automatically.

Setting up the firewall

In /etc/config/firewall, add the modem zone and allow the lan zone to access it. Note what is deliberately missing: there is no config forwarding with src 'modem', so the Vigor can initiate traffic to neither the internet nor the LAN, and because input is REJECT it can only reach the router itself where a rule explicitly allows it (the NTP rule further down).

# The Vigor's zone: nothing in, nothing forwarded, only explicitly allowed traffic
config zone
	option name 'modem'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NAT LAN clients to 192.168.100.2; the Vigor knows no route back to the LAN subnet
	option masq '1'
	option network 'modem'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

# The LAN may reach the Vigor's web interface and SSH server...
config forwarding
	option src 'lan'
	option dest 'modem'

# ...and the internet. There is intentionally no forwarding with src 'modem'.
config forwarding
	option src 'lan'
	option dest 'wan'


If you prefer to use LuCI, go to Network > Firewall and add a modem zone like this:

Click Save, but don't apply it yet.

Setting up the NTP server

In /etc/config/system, add the enable_server parameter:

config timeserver 'ntp'
	option enabled '1'
	option enable_server '1'
	list server '0.openwrt.pool.ntp.org'
	list server '1.openwrt.pool.ntp.org'
	list server '2.openwrt.pool.ntp.org'
	list server '3.openwrt.pool.ntp.org'


In /etc/config/firewall, add a rule to allow the incoming NTP traffic:

config rule
	option name 'Allow NTP from modem'
	option src 'modem'
	option src_ip '192.168.100.1'
	option family 'ipv4'
	option dest_port '123'
	option proto 'udp'
	option target 'ACCEPT'


If you prefer to use LuCI, go to System > System and tick the Provide NTP server box.

Click Save, but don't apply it yet.

Then go to Network > Firewall > Traffic Rules and add a rule for the incoming NTP traffic:

Click Save, but don't apply it yet.
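Before applying, the switch, zone and rule settings above can be checked mechanically, which is also handy after later edits to the firewall. The following script is an added example written for this post; it is not code from the post or from OpenWrt. It parses UCI text and checks the invariants the isolation depends on: the WAN switch port never shares a VLAN with a LAN port and is untagged in only one VLAN, every VLAN reaches the CPU port tagged, the modem zone rejects input and forwarding, no forwarding has the modem as source, and any rule that accepts modem traffic is pinned to 192.168.100.1 and a single port. The sample configs embedded in it are the post's own switch and firewall sections (trimmed); the leaky variant is constructed to show what a finding looks like.

```python
"""Audit an OpenWrt UCI network + firewall config for the modem-isolation
invariants this setup relies on. Added example for this post, not code from the
post or from OpenWrt. NETWORK_OK/FIREWALL_OK are the post's own switch and
firewall sections (trimmed); FIREWALL_LEAKY is a constructed misconfiguration.
Usage on files copied from the router:  python3 uci_audit.py network firewall
"""
import re
import sys

MODEM_IP = "192.168.100.1"  # the Vigor's LAN address chosen above
WAN_PORT = "1"              # switch port wired to the blue WAN port of the WDR4300
CPU_PORT = "0"              # switch port facing the SoC (eth0)
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]; 'list' values become lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = [t.strip("'\"") for t in TOKEN.findall(line)]
        if tok[0] == "config":
            sections.append({"type": tok[1], "name": tok[2] if len(tok) > 2 else None, "opts": {}})
        elif tok[0] == "option" and len(tok) >= 3:
            sections[-1]["opts"][tok[1]] = tok[2]
        elif tok[0] == "list" and len(tok) >= 3:
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
    return sections

def audit(network_text, firewall_text):
    """Return a list of findings; an empty list means every invariant holds."""
    findings, untagged = [], []
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    # Layer 2: the WAN port must not share a VLAN with a LAN port (no firewall
    # helps once the modem sits on the LAN segment), every VLAN must reach the
    # CPU tagged, and the WAN port may be untagged (PVID) in only one VLAN.
    for s in (s for s in net if s["type"] == "switch_vlan"):
        vid, ports = s["opts"].get("vlan"), s["opts"].get("ports", "").split()
        members = {p.rstrip("t") for p in ports}
        if CPU_PORT + "t" not in ports:
            findings.append(f"VLAN {vid}: CPU port is not tagged")
        if WAN_PORT in members and members - {CPU_PORT, WAN_PORT}:
            findings.append(f"VLAN {vid}: WAN port shares a VLAN with LAN ports")
        if WAN_PORT in ports:
            untagged.append(vid)
    if len(untagged) > 1:
        findings.append(f"WAN port untagged in more than one VLAN: {untagged}")
    # Layer 3/4: modem zone rejects by default, is never a forwarding source, and
    # only traffic pinned to the Vigor's own address and a single port gets in.
    modem = next((s["opts"] for s in fw
                  if s["type"] == "zone" and s["opts"].get("name") == "modem"), {})
    for key in ("input", "forward"):
        if modem.get(key) not in ("REJECT", "DROP"):
            findings.append(f"modem zone {key} is {modem.get(key)!r}, expected REJECT or DROP")
    for s in fw:
        o = s["opts"]
        if s["type"] == "forwarding" and o.get("src") == "modem":
            findings.append(f"forwarding modem -> {o.get('dest')} lets the Vigor initiate traffic")
        unpinned = (o.get("src_ip") != MODEM_IP or not o.get("dest_port")
                    or o.get("proto", "tcpudp") == "all")
        if s["type"] == "rule" and o.get("src") == "modem" and o.get("target", "DROP") == "ACCEPT" and unpinned:
            findings.append(f"rule {o.get('name')!r} admits modem traffic not pinned to {MODEM_IP} and one port")
    return findings

# Constructed sample input: the post's switch VLANs and modem-related firewall sections.
NETWORK_OK = """
config switch_vlan
    option vlan '1'
    option ports '0t 2 3 4 5'
config switch_vlan
    option vlan '2'
    option ports '0t 1'
config switch_vlan
    option vlan '6'
    option ports '0t 1t'
"""
FIREWALL_OK = """
config zone
    option name 'modem'
    option input 'REJECT'
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'modem'
config rule
    option name 'Allow NTP from modem'
    option src 'modem'
    option src_ip '192.168.100.1'
    option dest_port '123'
    option proto 'udp'
    option target 'ACCEPT'
"""
# The same firewall with the src_ip pin removed and a modem -> wan forwarding added.
FIREWALL_LEAKY = (re.sub(r"(?m)^[ \t]*option src_ip .*\n", "", FIREWALL_OK)
                  + "config forwarding\n    option src 'modem'\n    option dest 'wan'\n")

if __name__ == "__main__":
    texts = [open(f).read() for f in sys.argv[1:3]] if len(sys.argv) == 3 else [NETWORK_OK, FIREWALL_OK]
    print("\n".join(audit(*texts) or ["OK: modem isolation invariants hold"]))
```

Copy /etc/config/network and /etc/config/firewall from the router to a workstation and pass them as arguments; without arguments the script audits the embedded sample. An empty result means the invariants hold in the static configuration only; whether the running firewall has actually loaded it is still something to confirm on the router itself, for instance with its own iptables or nft listing.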

Applying the settings

If you used the command line, restart the affected daemons:

service network restart
service firewall restart
service dnsmasq restart
service odhcpd restart
service sysntpd restart

Or just:

reboot


If you prefer to use LuCI, click Save & Apply.

Success?

If you followed everything correctly, you should now receive a /32 IPv4 address and a /48 IPv6 prefix on your WAN interfaces.

Connected LAN clients should get a DHCPv4 lease, a DHCPv6 lease and a SLAAC address.

You should be able to access your Vigor on http://192.168.100.1/, and your Vigor should have been able to pick up the time from your router.