This page describes how to connect to networks of different commercial Internet service providers. At this time, the DSL configurations described below only apply to devices using Lantiq SoC. There is no DSL support for Broadcom devices.
A good way to configure your internet is using two devices: A dedicated modem that just accepts all ATM traffic and bridges it to its ethernet port, and a second device that acts as a router to your internal LAN, and the WAN port authenticates to your ISP via pppoe, and is physically connected to the first device over ethernet cable.
Below, I show two configs, one config for the modem, (here Netgear DM200 ADSL2+/VDSL modem) and the second config showing the necessary authentication to TPG ISP for the second device (another OpenWRT router).
package network config atm-bridge 'atm' option vpi '8' option vci '35' option encaps 'llc' option payload 'bridged' config dsl 'dsl' option annex 'a2p' option fwannex 'a' option firmware '/lib/firmware/lantiq-vrx200-a.bin' option xfer_mode 'atm' config interface 'lan' option type 'bridge' option ifname 'eth0 nas0' option proto 'none' option auto '1' config device 'lan_dev' option name 'eth0' option macaddr 'yy.yy.yy.yy.yy.yy' config device 'wan_dev' option name 'nas0' option macaddr 'xx.xx.xx.xx.xx.xx'
Second device authenticates to ISP with:
config interface 'wan' option ifname 'eth1' option proto 'pppoe' option username 'firstname.lastname@example.org' option password 'zzzz'
EDPnet provides VDSL services through PPPoE and VLAN tagging. Keep in mind the DSL state monopolist (Proximus) still manages the backbone and keeps a whitelist of allowed modems (a few third party models, mostly AVM FRITZ!Box, and their own Proximus B-Box models).
The VLAN tagging is as follows:
The following works for an AVM FRITZ!Box 7362 SL running master (stable support won't appear with a post 18.06 release) with the whitelisted Lantiq blobs pulled off my 7490. Besides this, the default VDSL values OpenWrt uses seem to be OK. You get reset to a fallback profile after a while, so there might be some additional background checks going on that go beyond the Lantiq driver version.
config interface 'wan' option ifname 'dsl0.10' option proto 'pppoe' option username 'b1xxxxxx' option password 'xxxxxx' option ipv6 '1'
Bell Canada Fibe provides for fiber to the home (FTTH).
They use VLAN tagging and PPPoE protocol.
The VLAN tagging is usually as follows:
config interface 'wan' option ifname 'eth1.35' option proto 'pppoe' option username 'b1xxxxxx' option password 'xxxxxx' option ipv6 'auto' config interface 'wan6' option proto 'dhcpv6' option reqaddress 'try' option reqprefix 'auto' option ifname '@wan'
Telfort provides settings for xDSL and glassfiber. They use VLAN tagging and IPoE protocol - so DHCP in OpenWrt.
The network protocols are layered in this way:
A sample config for VDSL would look like (Tested with OpenWrt 18.06.1 r7258-5eb055306f)
config atm-bridge 'atm' option encaps 'llc' option payload 'bridged' option nameprefix 'dsl' option vci '34' option vpi '0' config interface 'wan' option proto 'dhcp' option ifname 'dsl0.34' # option ifname 'ptm0.34' # LEDE 17 option type 'bridge'
XS4ALL is another ISP from KPN like Telfort. They offer DSL and FTTH connections. For DSL it is possible to use your own router, but since latest techniques use profile 35b to get 200+ Mbit speeds over a single line, it's better (for speed) to put the provided FritzBox in bridge mode and use OpenWRT as if directly on FTTH connection.
FTTH (Fibre) and VDSL connections result in VLANs 6, and 4. That is, connecting the ethernet cable from the fibre's NTU or from the bridged VDSL modem, to your WAN port does nothing by itself. Internet is provided over a PPPoE connection over VLAN6, username and password don't matter here, as long as they are set. Thus, to bring up your WAN device which gets your public IP addresses (XS4ALL does both IPv4 and IPv6), configure like this:
config interface 'wan' option ifname 'eth0.6' option proto 'pppoe' option username 'FB7581@xs4all.nl' option password '1234' option ipv6 'auto' option mtu '1508' # only works for FTTH since FritzBox doesn't support higher MTU config interface 'wan6' option proto 'dhcpv6' option reqaddress 'try' option reqprefix 'auto' option ifname '@wan'
If you use telephony and use FTTH, easiest is to connect the (unused) provided FritzBox as regular client to your OpenWRT lan. You can configure the FritzBox to take internet from there and provide telephony (which is just SIP).
If you use TV, in the old setup (before March 2019) you could just bridge VLAN4 to your STBs (the black receivers provided by XS4ALL). This is called bridged mode. However, starting from March 2019, bridged mode is no longer provided and instead, routed mode has to be setup. The obvious change visible is the additions of “interactive TV” in the STBs. Routed mode, is much like described in IPTV / UDP multicast. It has a small specific twist for XS4ALL though. The official documentation for this can be found at XS4ALL's modem setup (Dutch).
For this to work, you need to install igmpproxy. For clarity, we use 3 different zones: wan, iptv and stbitv.
First, configure an interface, DHCP client for iptv, the VLAN 4 interface. Important, it needs to set Vendor Class Identifier to IPTV_RG, and ignore any default gateway or dns servers advertised. The DNS is bogus (per the docs), the default route is what we don't want to use, because we want to use our real internet connection. In the DHCP reply is an additional route, you don't see this in luci, but it's correctly added to your routing table, and it basically includes all the traffic that needs to go over VLAN 4. This is basically why we don't need the default route.
config interface 'iptv' option type 'bridge' option ifname 'eth0.4' option proto 'dhcp' option defaultroute '0' option peerdns '0' option vendorid 'IPTV_RG'
Also create a firewall zone for this interface, that sets masquerading (like wan, we need to NAT some traffic over this interface):
config zone option name 'iptv' option input 'ACCEPT' option output 'ACCEPT' option network 'iptv' option masq '1' option mtu_fix '1' option forward 'REJECT'
Next, configure a new interface for the STBs. I isolated them on their own VLAN 7, but I think you could also plug them into an existing client network. Since there will be multicast traffic over this, you do want to separate the traffic using igmp snooping. Ensure you enable this, and if you use switches inbetween that they also enable this, else you'll flood your entire network. This is particularly bad if you have wlans in your network. The following is just what I used for this description.
config interface 'stbitv' option type 'bridge' option proto 'static' option ifname 'eth0.7' option ipaddr '10.3.0.1' option netmask '255.255.255.0' option igmp_snooping '1'
The STBs don't need any special DHCP tricks, so you just need to hand out IPs in the normal way. Only IPv4 is supported. Create firewall zone for this network, and “glue” that zone together with the iptv and wan zones, such that traffic can go both ways:
config zone option input 'ACCEPT' option forward 'REJECT' option output 'ACCEPT' option name 'stbitv' option network 'stbitv' config forwarding option dest 'wan' option src 'stbitv' config forwarding option dest 'iptv' option src 'stbitv'
Now, the last remaining bit needs to be done, which is forwarding the multicast packets that the STBs request. Since the OpenWRT router now is the terminating node as seen from the XS4ALL network, any multicast traffic arriving at the router, needs to be forwarded to the STB in the network that requested it. This is done by igmpproxy. For the proxy, upstream is the XS4ALL network, downstream the STBs in the client network. Quickleave feature is necessary to quickly terminate unnecessary streams (happening when switching between channels, “zapping”). As such, the following configuration is sufficient:
config igmpproxy option quickleave 1 config phyint option network iptv option zone iptv option direction upstream list altnet 0.0.0.0/0 config phyint option network stbitv option zone stbitv option direction downstream
Final remaining thing is to enable and start igmpproxy using
/etc/init.d/igmpproxy enable and
Once you applied all this, ensure you got a 10.200.x.y IP address on the iptv interface. Check with
netstat -rn that there is a route for destination 18.104.22.168 (could be slightly different) added with gateway your 10.200.x.1 IP address. Interface should be
br-iptv if you followed above example. If that seems ok, and igmpproxy is running, shutdown your STBs and restart them. They should come up quite normal and settings/system should now report “routed mode”. If you get any errors reported by the devices, check the multicast traffic gets forwarded (it attempts this while STB boots) using tcpdump or something. Also check if regular internet works correctly from the STB client network.
This enterprise VoIP and Internet services package includes a Thomson/Technicolor gateway which can be configured (by the tecnician only) in bridge mode, at installation time. In this configuration, the connection presents itself untagged at the gateway's switch port 4. The Internet service is somewhat unusual. The addressing is static, and the configuration provided is (as an example) something along these lines:
Both the Local and Remote WAN IP addresses belong to a /30 subnet. Inbound traffic arrives at the interface with the Internet IP address as the destination. To configure this connection on an OpenWrt device (let's assume interface eth1), on /etc/config/network, we need:
config interface 'wan' option ifname 'eth1' option proto 'static' list ipaddr '22.214.171.124/32' list ipaddr '100.64.194.2/30' option gateway '100.64.194.1'
Now, since the addressing is static, we can do source NAT instead of masquerading. To do so, we configure /etc/config/firewall as follows:
config redirect option name 'MEO SNAT' option src 'lan' option dest 'wan' option proto 'all' option src_dip '126.96.36.199' option target 'SNAT'
Deutsche Telekom provides a documentation for their network here: https://www.telekom.de/hilfe/geraete-zubehoer/telefone-und-anlagen/informationen-zu-telefonanlagen/schnittstellenbeschreibungen-fuer-hersteller
BNG is short for Broadband Network Gateway and Deutsche Telekom's new platform. Customers are successively migrated and usually receive a letter in the mail announcing the change.
On the old platform the customer can just setup PPPOE and the Internet connection comes up. With BNG the traffic that leaves the WAN port needs to be tagged with VLAN 7 (Details).
As an example suppose you have a modem in bridge mode that is unable to handle VLAN tagging. The router connected to the modem needs to add the VLAN tag in this case. Example for Archer C7 V2 below.
config interface 'wan' option proto 'pppoe' option username '...@t-online.de' option password '...' option ipv6 'auto' option ifname 'eth0.2' config switch_vlan option device 'switch0' option vlan '2' option ports '1 6t'
config interface 'wan' option proto 'pppoe' option username '...@t-online.de' option password '...' option ipv6 'auto' option ifname 'eth0.7' config switch_vlan option device 'switch0' option vlan '7' option ports '1t 6t'
So if you receive a letter about the platform change and your Internet access goes down, try adding the VLAN tag to the WAN port and see if it comes up again.
Some more details that may be of interest:
|IPv6 address||PPPoE (link-local with dynamic sub-prefix)|
|IPv6 gateway||n/a (static route to WAN device needed)|
|IPv6 prefix delegation||n/a (assign 2a01:170:xxxx::/48 manually to LAN device(s))|
config interface 'wan' option proto 'pppoe' option ifname 'eth0.7' option ipv6 '1' option username '...#tal@bsa-vdsl' option password '...' config route6 option interface 'wan' option target '::0/0' config interface 'lan' option type 'bridge' option proto 'static' option ipaddr '192.168.1.1' option netmask '255.255.255.0' option ifname 'br-lan' option ip6addr '2a01:170:xxxx:yyyy::1/64'
When migrating from Annex B to Annex J, connection properties seem to have changed to require using VLAN 7.
The complete username (as opposed to the simplified form used by Fritz!Boxes 'email@example.com') can be obtained from a packet capture from a Fritz!Box (if internet is so far provided via one).
The configuration of the interfaces should look like this (tested on r6788-7ff31bed98):
config dsl 'dsl' option tone 'bv' option annex 'j' config interface 'wan' option proto 'pppoe' option password '***' option delegate '0' option ipv6 'auto' option username '1und1/(***)firstname.lastname@example.org' option ifname 'dsl0.7' config device 'wan_dev' option macaddr '***' option name 'dsl0'
The network protocols are layered in this way:
You global routed IPv4 address and a some IPv6 subnets
When the network supports VDSL vectoring, but the VDSL modem does not support it, the device will be put into a fall back mode using only the lower 2.2 MHz of the band, this results in reduced rates like 13 MBit/s down and 1.4 MBit/s up instead of 50 MBit/s. Details: https://telekomhilft.telekom.de/t5/Telefonie-Internet/Fallbackprofil-bei-Vectoring/ta-p/2431567
Example VDSL configuration for Lantiq based devices:
config dsl 'dsl' option annex 'a' option tone 'av' option xfer_mode 'ptm' config interface 'wan' option proto 'pppoe' option _orig_ifname 'ptm0' option _orig_bridge 'false' option ifname 'dsl0.7' # OpenWRT 18 # option ifname 'ptm0.7' # LEDE 17 option username 'H1und1email@example.com' option password 'abcdefghijklm' option ipv6 'auto'
Configuration examples for LEDE 17 and OpenWRT 18.
Virtually all ISPs in the UK use PPPoA protocol with the exception of Sky Broadband who use MER and also PPPoA on some exchanges.
config dsl 'dsl' option annex 'a' option tone 'a' option xfer_mode 'atm' option line_mode 'adsl' config interface 'wan' option proto 'pppoa' option username 'your username' option password 'your password' # option username 'firstname.lastname@example.org' # BT ADSL # option password ' ' # Apparently requires any non-empty password such as a space character. # option username 'email@example.com' # Sky ADSL on ex-o2 enabled exchanges. # option password '' option vpi '0' option vci '38' option encaps 'vc' option ipv6 'auto'
Ensure that ATM Bridge section has been deleted, otherwise PPPoA will not connect to broadband service. It can be deleted using LuCI.
config atm-bridge 'atm' # Remove entire section for PPPoA
BT group also supports PPPoE protocol.
config dsl 'dsl' option annex 'a' option tone 'a' option xfer_mode 'atm' option line_mode 'adsl' config atm-bridge 'atm' option encaps 'llc' option payload 'bridged' option vci '38' option vpi '0' config interface 'wan' option ifname 'dsl0' # option ifname 'nas0' # for LEDE 17.01 option proto 'pppoe' option username 'your username' option password 'your password' # option username 'firstname.lastname@example.org' # BT ADSL # option password ' '
The network protocols are layered in this way:
BT group and Vodafone uses PPPoE protocol.
config dsl 'dsl' option annex 'b' option tone 'a' config interface 'wan' option ifname 'dsl0.101' # option ifname 'ptm0.101' # for LEDE 17.01 option proto 'pppoe' option username 'email@example.com' option password ' '
TalkTalk uses DHCP protocol.
config dsl 'dsl' option annex 'b' option tone 'a' config interface 'wan' option ifname 'dsl0.101' # option ifname 'ptm0.101' # for LEDE 17.01 option proto 'dhcp'
Sky and NOW uses MER protocol. Configure as for DHCP. Refer to following thread for additional instructions: SkyUser
(If using ISP-provided router-modem)
* Delete the WAN connection form your ISP router. Create another one as Bridge. Use the following data for the connection:
VPI/VCI: 0/35 Encapsulation Type: LLC Service Type: UBR Type: Bridge Connection
* For OpenWrt, you will need to add or edit the following in /etc/config/networks for interface WAN. You should replace the username and password with those given to you by your ISP.
config interface 'WAN' option proto 'pppoe' option ifname 'eth0.2' option username '******@tedata.net.eg' option password '********' option ipv6 'auto' option mtu '1420' option auto '0'