The following is meant as a roundup of the available options.
Network devices can operate in 3 different modes:
OpenWrt as Client Device - Connecting the device to an existing network
Choose this if you want to connect your device to an existing network in order to provide additional functions (for example, you just want to use the Wi-Fi network it provides or its additional Ethernet ports, or the device is a NAS serving files over the network or a mini-server offering some other service).
OpenWrt as router device
Choose this if you want to run OpenWrt in its default router configuration, where the device routes traffic between several LAN devices connected to the LAN ports and another network on the WAN port (commonly an “ethernet modem” that is in fact acting as a gateway).
OpenWrt as a gateway device
Your device also behaves as a router. In contrast to the 'as router device' mode, however, in this mode your device either uses an integrated modem to connect to the Internet or has an external modem attached to its WAN port that needs one of the following protocols for proper operation: WAN interface protocols.
Are you an OpenWrt newcomer? Does this page with lots of technical network information seem scary? Are you worried that you don't know enough to make these decisions now?
→ Just stop reading and use the default configuration for now. Your device will act as a router in a cascaded double NAT scenario which will work just fine for normal internet access, so you don't have to do anything.
→ Alternatively, get familiar with OpenWrt first, then come back later and decide how to proceed.
Double NAT is an issue that exists solely with IPv4. In a few decades, when the whole world runs fully IPv6-enabled devices, this won't be a problem anymore, as IPv6 strictly forbids NAT. In the meantime, for IPv4, act according to this how-to.
The problem with IPv4 is that if you simply add an additional IPv4 router behind the existing router of your ISP (internet service provider), you will face a problem called double NAT: both the newly added router and the existing ISP-supplied router do NAT, resulting in your client data traffic being “NATed” twice before it reaches the internet.
This double NAT scenario won't cause problems for basic tasks like browsing the internet, but it can cause problems when you are trying to host servers at home that you want to be reachable from the internet, or when doing peer-to-peer online gaming (which often uses the UDP protocol and does some funny firewall stuff called “UDP hole-punching”).
To deal with this double NAT problem and use IPv4 as flawlessly as possible, you need to choose how OpenWrt gets connected on its upstream side from several options. Note that in all these examples, the OpenWrt device is assumed to be on the “inside” of the network, i.e. clients ↔ OpenWrt device ↔ ISP device ↔ Internet. Since the OpenWrt device is our main concern, we'll refer to upstream and downstream connections relative to it:
There is a range of options to connect the upstream side of OpenWrt to your existing home network. Each option tries to work around the double NAT problem with different technical tricks or configuration:
|NAT layers|Scenario|Network chain|
|double|OpenWrt as router acting in default cascaded router double-NAT configuration|clients ↔ OpenWrt router with NAT ↔ ISP router with NAT ↔ Internet|
|single|OpenWrt as router and having an internet ISP device configured as modem-bridge|clients ↔ OpenWrt router with NAT ↔ ISP bridge (no NAT) ↔ Internet|
|double|OpenWrt as router in double-NAT configuration with Dual-Stack Lite on ISP side|clients ↔ OpenWrt router with NAT ↔ ISP router with DS-Lite NAT ↔ Internet|
|single|OpenWrt as router with disabled NAT, additional routing rules in both routers|clients ↔ OpenWrt router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet|
|single|OpenWrt as router, OpenWrt router being “exposed host” in the ISP router|clients ↔ OpenWrt router with NAT ↔ ISP router with NAT + “exposed host” feature ↔ Internet|
|0|look-out: OpenWrt as router in IPv6-only configuration + ISP router|clients ↔ OpenWrt router (no NAT) ↔ ISP router (no NAT) ↔ Internet|
|single|OpenWrt as gateway using either OpenWrt-device-built-in or external modem|clients ↔ OpenWrt as gateway with NAT ↔ built-in/external modem (no NAT) ↔ Internet|
|single|OpenWrt as switch (connected by wire or access point or as wifi repeater)|clients ↔ OpenWrt as switch (no NAT) ↔ ISP router (with NAT) ↔ Internet|
Note that for all of these upstream connection variants, the following applies:
This is the default (and easiest) option for your OpenWrt device. For this scenario you simply connect the OpenWrt WAN port to an unused LAN port of your existing ISP router.
So what's the problem? Some traffic scenarios do not work through double NAT, such as hosting servers or playing online games.
The problem isn't so much IPv4 NAT, it's a combination of:
Unfortunately the firewall details aren't fully standardized behavior. And the NAT behavior that happens in parallel isn't predictable either: every router has a slightly different method of deciding how to map addresses to ports on outgoing traffic. Most games and game consoles report this as the “NAT status” of your router, using four broad categories of open, moderate, strict, and blocked, which aren't standardized either; each game vendor may use them for slightly different technical details.
So should you use this double NAT scenario and be happy with it? It highly depends on your equipment and your usage scenario. Double NAT is not automatically bad.
- If you just do browsing and email, you don't have to care (your internet browsing will not even be slowed down by double NAT).
- Check if you want to run servers at home that you want to expose to the internet (e.g. a VPN or web server): such hosting will definitely not work over double NAT.
- Check if your usual online games work flawlessly.
Most online games use weird UDP tricks to temporarily bypass your router firewall (without opening your firewall to the whole world) in order to get less-laggy UDP packets to your game client. Usually those tricks can only bypass a single NATed home router, not two as in double NAT. You will find out if you either cannot connect at all to online sessions or if there is noticeably more game lag than usual (more lag happens because most games will first try to fall back from UDP to TCP before giving up if the so-called “UDP hole punching” through your two firewalls/NATs doesn't work; this TCP fallback will sometimes be noticeable). Most online games report this as “NAT status” in the game settings. Your aim will usually be to have this status “open” or “moderate”. If your game engine reports anything else, it is usually failing on your two firewalls and double NAT; it will then fall back to the slower TCP and can even fail completely to connect to a game session (you should be able to notice that if you are left alone in an online game session).
The next few sections explain what you can do to bypass these problems, while keeping both routers and firewalls enabled. Just keep in mind: don't try to fix problems that you do not have.
Mostly for cable internet, you can often choose to reconfigure your ISP cable router into either router mode or bridge mode. Sometimes you have to configure this in nested online portal menus of your ISP (and not on your ISP router web GUI).
When set to bridge mode, the ISP router starts behaving like a pass through device: it will superficially act as a modem and will authenticate you as a legitimate customer, but will otherwise just pass through the IPv4 traffic unchanged to your OpenWrt router. The firewall and NAT and DHCP and all the normal “router” services of the ISP device will simply be disabled when set to bridge mode.
If you require a bridged ISP router, learn how to set it up properly here.
Often you do not have a choice whether your ISP gives you a real IPv4 address or a discredited Dual-Stack Lite IPv4 address. If you want to understand Dual-Stack Lite in contrast to regular dual stack, research the full story on Wikipedia or in RFC 6333.
Very often Dual-Stack Lite is offered as a default package by cable TV- or fiber-based ISPs. A key feature of DS-Lite is that it has so-called carrier-grade NAT happening in some network equipment several blocks away from your home at your ISP's site, not in your ISP router at home.
It is important to mention that Dual-Stack Lite and this carrier-grade NAT isn't really implemented in a standardized way. It can have slightly different implementation behaviour, depending on the actual equipment that the ISP has bought and how this equipment is configured.
Sadly this technique won't help you to expose any home services over IPv4 on the internet - this won't be possible with DS-Lite in any case. But if online gaming over DS-Lite is your only concern, you might want to check if your double NAT on IPv4 is a problem at all in your favorite online games. Nowadays, often the carrier-grade NAT of DS-Lite is configured in a manner very friendly to online games, resulting in a “moderate” NAT rating in the game engine even when having the additional OpenWrt NAT cascaded in front of it and even when running with default firewall rules.
So if gaming (and game-related UDP peer-to-peer traffic handling) is your only concern regarding the double-NAT problem, you may just want to check your online games first and their reported NAT status, before investing extensive time in solving a double NAT problem that might not even cause a problem in everyday use.
Using this scenario depends on whether your ISP router lets you define forward routing rules (ISP routers are often restricted in function and do not allow this).
The idea of this solution is
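As an added example that is not part of the original wiki page, this is what the “disabled NAT, additional routing rules in both routers” variant looks like on the OpenWrt side in UCI syntax. All addresses are constructed: the ISP router is assumed to use 192.168.1.0/24 with OpenWrt's WAN port at 192.168.1.2, and OpenWrt's LAN is assumed to use a different subnet, 192.168.2.0/24.

```uci
# /etc/config/network (relevant sections only)
# Give the OpenWrt WAN port a fixed address so the static route on the
# ISP router keeps pointing at the right host. Constructed example values.
config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# The OpenWrt LAN must use a subnet different from the ISP router's LAN,
# otherwise the ISP router cannot route replies back to it.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/firewall (wan zone only)
# masq '0' turns off NAT on the upstream side; the zone policies still
# reject unsolicited inbound traffic, so OpenWrt keeps firewalling.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	option mtu_fix '1'

# On the ISP router (vendor-specific GUI, no UCI there) add the return route:
#   destination 192.168.2.0  netmask 255.255.255.0  gateway 192.168.1.2
# Without it, replies to 192.168.2.x clients have no path back and are dropped.
```

Any port forwarding for a service behind OpenWrt is then configured on the ISP router towards the client's 192.168.2.x address, and OpenWrt's wan zone must additionally allow that traffic with a rule, since its forward policy still rejects unsolicited connections.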
Only some ISP routers have this feature, sometimes called a DMZ (demilitarized zone), DMZ for single server, exposed host, or poor man's bridge mode (there is no standardized name). This feature lets you designate a single one of the ISP router's downstream clients as a so-called “exposed host”. The ISP router will then forward all incoming Internet traffic from its upstream side to this “exposed host”.
This effectively disables NAT on the ISP router for a single connected device on its downstream side only; for obvious reasons, we will be connecting our OpenWrt router as this exposed host. So in the end, we have achieved single NAT solely in the network chain towards the OpenWrt router.
Remember you still need to define the usual port forwarding rules in your OpenWrt router if you want to expose OpenWrt-connected servers to the Internet, since we haven't set up an exposed host on the internal network.
Drawbacks of this method are:
- The feature may not be supported by your ISP router; you'll have to find out if it is.
- The OpenWrt upstream port is exposed to the Internet, so be sure that you have not added any careless or extraneous rules to the ruleset.
- One of your ISP router ports is now without firewall protection, so be careful with this one downstream ISP router port in case you ever connect something else to it.
Learn how to set up a “poor man's bridge” here.
Obviously this ideal world does not yet exist; it's just a prospect for much later. Once this happens, the previous chapters of this page can be ignored. This will then be the default and only router option required for your IPv6 OpenWrt device, as it will just work out of the box for all use cases. There will be no NAT issues, no longer a discussion whether to switch the ISP router to bridged or routed, and no more discussion whether an “exposed host” configuration is needed. You will be able to choose three ways of running OpenWrt:
If your OpenWrt device has no WAN port at all out of the box and has a built-in modem with something like a VDSL-phone port, or if it has a WAN port and you have an external modem that can be put in “bridge mode” (either full bridge or half bridge), this is for you.
See this tutorial.
If your OpenWrt device does not have LAN ports or if you don't want to connect any other devices using RJ45 LAN cables, then most probably you want to use the OpenWrt device as a WiFi repeater in your existing network.
OpenWrt as a wireless repeater (also called wireless range extender) takes an existing signal from a wireless router or wireless access point and rebroadcasts it to create a second network.
For more information, refer to Wifi Extender or Repeater or Bridge Configuration.
Note: In case you are interested in creating a so-called “wireless mesh” instead of a wireless repeater, you will have to refer to other projects like libremesh.org at this time.
As a wireless access point, OpenWrt connects to the existing network by wire. OpenWrt then acts as a networking device that allows your Wi-Fi devices to connect to the wired network over OpenWrt.
This scenario has already been covered in the previously described access point scenario, as the downstream LAN ports in OpenWrt are active by default, providing switching: all your wired and wireless clients connected to either OpenWrt or your other network switches can talk to each other without restrictions, as no firewall is active on the OpenWrt device.