The following is meant as roundup
Network devices can operate in 3 different modes:
OpenWrt as Client Device - Connecting the device to an existing network
If you want to connect your device to an existing network to provide additional functions (for example, you just want to use the Wi-Fi network it provides, the additional ethernet ports, or the device is a NAS serving files over the network, or a mini-server offering some other service).
OpenWrt as router device
If you want to run OpenWrt in its default router configuration, where the device routes traffic between several LAN devices connected to the LAN ports and another network on the WAN port (commonly to an “ethernet modem” that is in fact acting as a gateway).
as gateway device
Your device also behaves as router. But in contrast to the 'as router device' mode, in this mode your device either uses an integrated modem to connect to the Internet or has an external modem attached on its WAN port that needs one of the following protocols for proper operation: WAN interface protocols.
You are a OpenWrt newcomer? Does this page with lots of technical network information seem scary? Are you worried that you don't know enough to make these decisions now?
→ Just stop reading and use the default configuration for now. Your device will act as a router in a cascaded double NAT scenario which will work just fine for normal internet access, so you don't have to do anything. or…
→ Get familiar with OpenWrt first, come back later and decide
Double NAT is issue that exists solely with IPv4. In a few decades, when the whole world is fully IPv6 enabled, this won't be a problem anymore, as IPv6 strictly forbids NAT, in the meantime for IPv4, act according to this how-to.
Problem of IPv4 is: If you simply add an additional IPv4 router to an existing router of your ISP (internet service provider), you will face a problem called “double NAT”: your newly added router does NAT and the existing router also does NAT, resulting in your client data traffic being NATed twice, before it reaches the internet.
This double NAT scenario won't cause problems on basic tasks like browsing the internet or reading mails. But it can cause problems, when you are trying to host servers at home that you want to be reachable from the internet or when doing peer-to-peer online gaming (which often uses UDP protocol and does some funny firewall stuff called “UDP-hole punching”)
To deal with this double NAT problem and use IPv4 as flawlessly as possible, you need to choose between several options, how OpenWrt gets connected on its upstream side
You basically have the following options to connect the upstream side of OpenWrt to your existing home network: Each option tries to work around the double NAT problem with different technical tricks or configuration.
|double||OpenWrt as router acting in default cascaded router double-NAT configuration||clients ↔ OpenWrt router with NAT ↔ ISP router with NAT ↔ Internet|
|single||OpenWrt as router and having an internet ISP device configured as modem-bridge||clients ↔ OpenWrt router with NAT ↔ ISP bridge (no NAT) ↔ Internet|
|double||OpenWrt as router in double-NAT configuration with Dualstack Lite on ISP side||clients ↔ OpenWrt router with NAT ↔ ISP router with DS-Lite NAT ↔ Internet|
|single||OpenWrt as router with disabled NAT, additional routing rules in both routers||clients ↔ OpenWrt router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet|
|single||OpenWrt as router, OpenWrt router being “exposed host” in the ISP router||clients ↔ OpenWrt router with NAT ↔ ISP router with NAT + “exposed host” feature ↔ Internet|
|0||look-out: OpenWrt as router in IPv6 only configuration + ISP router||clients ↔ OpenWrt router (no NAT) ↔ ISP router (no NAT) ↔ Internet|
|single||OpenWrt as gateway using either OpenWrt-device-built-in or external modem||clients ↔ OpenWrt as gateway with NAT ↔ built-in/external modem (no NAT) ↔ Internet|
|single||OpenWrt as switch (connected by wire or access point or as wifi repeater)||clients ↔ OpenWrt as switch (no NAT) ↔ ISP router (with NAT) ↔ Internet|
Note that for all of these upstream connection variants, the following applies:
This is the default (and easiest) option for your OpenWrt device, right after the OpenWrt installation for off-the-shelf devices sold as “router”, that have 1 Ethernet-WAN port and some Ethernet-LAN ports, because for this scenario you simply connect the OpenWrt WAN port to an unused LAN port of your existing ISP router.
So whats the problem? Some traffic scenarios may not work, line hosting servers for the internet or playing online games.
The problem isn't so much IPv4 NAT (=Network address translation), it's a combination of:
Unfortunately the firewall details aren't a fully standardized behavior. And unfortunately the NAT behavior that happens in parallel isn't predictable either: Every router may decide a little bit differently how it maps addresses and ports on outgoing traffic. Most games and game consoles report this as “NAT status” of your router, using 4 different high level categories “open, moderate, strict, blocked”, which aren't standardized either - each game vendor may use them for slightly different technical details.
So should you use this double NAT scenario and be happy with it? It highly depends on your equipment and your usage scenario. Double NAT is not automatically bad. - if you just do browsing and mailing, you don't have to care (your internet browsing will not even be slowed down by double NAT). - check if you want to run servers at home that you want to expose to the internet (e.g. a VPN or web server) - such hosting will definitely not work over double NAT - check, if your usual online games work flawlessly.
Now most online games use weird UDP tricks to temporarily bypass your router firewall (without opening your firewall to the whole world), to get less-lagging UDP packets to your game client. Usually those tricks can only bypass a single NATed home router, but not 2 of them. You will find out, if you either cannot connect at all to online sessions or if there is noticeably more game lag than usual (more lag happens, because most games will first try to fallback from UDP to TCP, before giving up, if the so called “UDP hole punching” through your 2 firewalls/NATs won't work. This TCP-fallback will sometimes be noticeable). Most online games report this as “NAT status” in the game settings. Your aim usually will be to either have this status “open” or “moderate”. If your game engine reports anything else, it is usually failing on your 2 firewalls+double NAT and it will then fallback to the slower TCP and can even fail completely to connect to a game session (and I guess you should be able to notice that, if you are left alone in an online game session).
The next few sections explain what you can do to bypass these problems, while keeping both routers and firewalls enabled Just keep in mind: Don't try to fix problems that you do not have.
Mostly for Cable internet, you can often choose to reconfigure your ISP cable router into 1 of 2 operation modes:
Sometimes you have to configure this in in nested online portal menus of your ISP (and not on your ISP router GUI).
When set to bridge mode, the ISP router starts behaving like a pass through device: it will only authenticate you as a legitimate customer, but will otherwise just passthrough the IPv4 traffic unchanged to your OpenWrt router. The firewall and NAT and DHCP of the ISP device will simply be disabled, when set to bridge mode.
Often you do not have a choice, whether your ISP gives you a real IPv4 address or an often discredited dual stack lite IPv4 address. (please research the full story e.g. on wikipedia, if you want to understand what Dualstack Lite is, in contrast to dual stack)
Very often dual stack lite is offered as default package by TVcable- or fiber-based Internet providers. A key feature of DS-Lite is, that it has so called carrier-grade NAT happening in some network equipment several blocks away from your home at your ISP's site, not in your ISP router at home.
Now it is important, to mention that dual stack lite and this carrier-grade NAT isn't really implemented in a standardized way. It can have slightly different implementation behaviour, depending on the actual equipment that the ISP has bought and depending on how this equipment is configured.
Sadly this won't help you, to expose any home services over IPv4 on the internet - This won't be possible with dual stack lite in any case.
But if online gaming over DS-Lite is your only concern, you might want to check if your double NAT on IPv4 is at all a problem in your favorite online games. Nowadays, often the carrier grade NAT of DS Lite is configured very online game-friedly, resulting in a “moderate” NAT rating in the game engine even when having the additional OpenWrt NAT cascaded in front of it and even when running with default firewall rules.
So if gaming (and game related UDP-peer-to-peer traffic handling) is your only concern regarding the double-NAT problem, you may just want to check your favorite games first and their reported NAT status, before investing extensive time in solving a double NAT problem that maybe does not even cause a problem for you.
Using this scenario depends on, whether your ISP router supports custom routing rules.
This requires that your ISP router allows to define forward routing rules (often ISP routers are functional restricted in function and do not allow this).
The idea is of this solution is
This is an optional feature of your ISP router (so it could be that your ISP router may not support this). Sometimes this feature is called “DMZ for single server”, “exposed host” or “poor man bridge mode” (there is no standardized name)
The feature enables your ISP router to define a single one of its downstream ports to be a so called “exposed host”. The ISP router will then forward all incoming Internet traffic from its upstream side to this “exposed host”.
This effectively disables NAT on the ISP router only for a single connected device on the ISP router downstream side: For obvious reasons, we will be connecting our OpenWrt router as this exposed host. So in the end, we have achieved single NAT solely in the network chain towards the OpenWrt router.
(Remeber you still need to define usual port forwarding rules in your OpenWrt router, if you want to expose OpenWrt-connected-servers to the Internet)
Drawbacks of this method are: - the feature may not be supported by your ISP router, you'll have to find out if it does - the OpenWrt upstream port is exposed to the Internet, so be sure that you have not added any non-needed careless extra rules to the default OpenWrt firewall rule set - one of your ISP router ports is now without firewall protection. So be careful with this one downstream ISP router port now, in case you ever connect something else to this port.
Obviously this ideal world does not yet exist. Its just a look-out for much later.
Once this happens, the previous chapters of this howto can be ignored
This will then be the default (and easiest) and only router option required for your IPv6 OpenWrt device, as you it will just work out of the box for all business cases.
There will be no NAT issues, there is no longer a discussion whether to switch the ISP router to bridged or routed and no more discussion whether a “exposed host” config is needed.
If your OpenWrt device has no WAN port at all out of the box adn has a built-in modem with something like a VDSL-phone port, or if it has a WAN port and you have an external modem that can be put in “bridge mode” (either full bridge or half bridge), this is for you.
See this tutorial
If your OpenWrt device does not have LAN ports or if you don't want to connect any other devices using RJ45 LAN cables, then most probably you want to use the OpenWrt device as a WiFi repeater in your existing network.
OpenWrt as a wireless repeater (also called wireless range extender) takes an existing signal from a wireless router or wireless access point and rebroadcasts it to create a second network.
Note: In case you are interested in creating a so called “wireless mesh” instead of a wireless repeater, you will have to refer to other projects like libremesh.org at this time.
As a wireless access point, OpenWrt connects to the existing network by wire. OpenWrt then acts as a networking device that allows your Wi-Fi devices to connect to the wired network over OpenWrt.
This scenario has already been covered in the previous described access point scenario, as the downstream LAN ports in OpenWrt are active by default, providing switching: All your wired and wireless clients connected to either OpenWrt or your other network switches can talk to each other without restrictions, as no firewall is active on the OpenWrt device.