Differences

This shows you the differences between two versions of the page.

zh:docs:guide-user:network:switch_router_gateway_and_nat [2018/10/13 07:49] – [路由器 vs 交换机 vs 网关] lujimmy
zh:docs:guide-user:network:switch_router_gateway_and_nat [2021/07/01 07:44] – [OpenWrt as wireless access point (wireless-to-wired switch)] biaji
Line 1: Line 1:
-=====NAT如何影响您的设备以路由器、交换机,还是网关模式运行=====+=====路由器、交换机网关及NAT ======  
 +参见:  
 +[[docs:guide-user:network:openwrt_as_clientdevice|OpenWrt作为客户端设备]],  
 +[[docs:guide-user:network:openwrt_as_routerdevice|OpenWrt作为路由器设备]]
 以下是摘要: 以下是摘要:
-  * 您可以决定配置交换机,路由器,还是网关设备 +  * 您可以决定将设备配置交换机,路由器亦或网关设备 
-  * 您可以决定在个人家庭网络情况下如何处理IPv4双NAT问题 +  * 您可以决定在个人家庭网络情况下如何处理IPv4双NAT问题 
-===== 路由器 vs 交换机 vs 网关 =====+ 
 +===== OpenWrt的角色 =====
  
 网络设备可以在3种不同的模式下运行: 网络设备可以在3种不同的模式下运行:
  
-**[[docs:guide-user:network:lede_as_clientdevice|OpenWrt作为客户端接入已有网络的设备]]**\\ +* **客户端**如果您想将设备连接到现有网络以提供其他附件功能,如无线网络、额外的以太网端口,抑或通过网络提供文件服务的网络附属存储(NAS)设备,甚至可以是一个能提供其他服务的迷你服务器。
-如果您想将设备连接到现有网络以提供其他附件功能,如无线网络、额外的以太网端口,抑或通过网络提供文件服务的网络附属存储(NAS)设备,甚至可以是一个能提供其他服务的迷你服务器+
  
-**[[docs:guide-user:network:lede_as_routerdevice|OpenWrt作为路由设备]]**\\ +* **路由**如果您使用OpenWrt默认的路由模式,这时设备充当多个连接到LAN端口的局域网设备和WAN端口(通常是“以太网调制解调器”,实际上充当网关)上的另一个网络之间的路由
-如果您使用OpenWrt默认的路由模式设备连接到LAN端口的多个LAN设备和WAN端口上的另一个网络之间路由流量(通常是“以太网调制解调器”,实际上充当网关)。+
  
-**OpenWrt作为网关设备**\\ +* **网关设备**您的设备也可以充当网关。但与“路由器设备”模式相反,您在网关模式下的设备要么使用集成调制解调器连接到Internet,要么在其WAN端口上连接外部调制解调器,需要包括[[docs:guide-user:network:wan:wan_interface_protocols|WAN接口协议]]才能正常运行。
-您的设备也可以充当网关。但与“路由器设备”模式相反,您在网关模式下的设备要么使用集成调制解调器连接到Internet,要么在其WAN端口上连接外部调制解调器,需要包括WAN接口协议才能正常运行。+
  
-===== Router/Gateway and Double NAT problem with IPv4 or mixed IPv4/IPv6  ===== 
  
-<WRAP center round todo 90%+===== 作为路由器/网关时,IPv4或混用IPv4/IPv6情况下需要面对的双NAT问题  ===== 
-You are a OpenWrt newcomer? Does this page with lots of technical network information seem scary? Are you worried that you don't know enough to make these decisions now?\\  +<WRAP todo> 
--> Just stop reading and use the default configuration for now. Your device will act as a router in a cascaded double NAT scenario which will work just fine for normal internet access, so you don't have to do anything. or...\\ +您是OpenWrt的新手么?这个页面里的各种网络技术信息是不是看起来很可怕?感觉无所适从了?\\ 
--> Get familiar with OpenWrt first, come back later and decide+-> 您可以选择暂时放弃,转而使用默认配置。您的设备在双NAT场景下会作为一个路由工作,一般来说访问因特网不会有任何问题,您什么都不需要做。\\ 
 +-> 或者,先看看[[docs:guide-quick-start:start|熟悉OpenWrt]],回头再来决定下一步怎么做。
 </WRAP> </WRAP>
  
-[[docs:guide-user:network:integrating-lede-introduction|Double NAT]] is issue that exists solely with IPv4. In a few decades, when the whole world is fully IPv6 enabled, this won't be a problem anymore, as IPv6 strictly forbids NAT, in the meantime for IPv4, act according to this how-to.+[[docs:guide-user:network:integrating-openwrt-introduction|NAT]]是一个仅在IPv4下才存在的问题。在不远的将来,当全世界都是支持IPv6的设备时,这个问题也将不复存在。因为IPv6已经禁用了NAT。不过目前,您可以遵循此页面来解决问题。
  
-Problem of IPv4 is: If you simply add an additional IPv4 router to an existing router of your ISP (internet service provider), you will face a problem called "double NAT": your newly added router does NAT and the existing router also does NAT, resulting in your client data traffic being NATed twice, before it reaches the internet.+IPv4的问题在于:当你在现存的路由和ISP(互联网服务提供商)之间加上一个IPv4路由的时候,你就会遇到这个名为 **双NAT** 的问题——新加的路由和现存的ISP提供的路由都做了NAT,最终导致客户端的数据在抵达因特网之前被“NAT”了两次。
  
-This double NAT scenario won't cause problems on basic tasks like browsing the internet or reading mails. +在一般情况下,比如浏览互联网的时候,这种双NAT的场景不会造成什么问题。但当你想在家里建一个服务器,以供互联网访问的时候,亦或玩一些端到端连接的网络游戏的时候(这些游戏经常用UDP协议并会对防火墙做一些类似“UDP打洞”的神奇操作),问题就出现了。
-But it can cause problems, when you are trying to host servers at home that you want to be reachable from the internet or when doing peer-to-peer online gaming (which often uses UDP protocol and does some funny firewall stuff called "UDP-hole punching")+
  
-To deal with this double NAT problem and use IPv4 as flawlessly as possible, you need to choose between several options, how OpenWrt gets connected on its upstream side +为了解决双NAT问题,以尽量完美的使用IPv4,您需要从OpenWrt如何连接上游的几个选项中选择一个。请注意,在这些示例中,OpenWrt设备被认为是在网络“内部”的,诸如 客户端 <-> OpenWrt设备 <-> ISP设备 <-> 因特网。因为我们主要关注OpenWrt设备,我们将以它来定义相对的 //上游// 和 //下游// : 
-  * upstream = the connection from the OpenWrt device to your network infrastructure +  * **上游**: 由OpenWrt设备到您的网络基础设施 
-  * downstream = your home client devices connecting to your OpenWrt device+  * **下游**: 您家里连接到OpenWrt设备的客户端设备
  
-You basically have the following options to connect the upstream side of OpenWrt to your existing home network+There is a range of options to connect the upstream side of OpenWrt to your existing home networkEach option tries to work around the double NAT problem with different technical tricks or configuration:
-Each option tries to work around the double NAT problem with different technical tricks or configuration.+
  
 +====== Routers / gateways ======
 ^NAT ^ Usage variant ^ Visualization ^ ^NAT ^ Usage variant ^ Visualization ^
-double | OpenWrt as router acting in default cascaded router double-NAT configuration | clients <-> OpenWrt router with NAT <-> ISP router with NAT <-> Internet | +single | [[#device_as_router_internet_isp_device_as_modem-bridge|OpenWrt as router and having an internet ISP device configured as modem-bridge]] | clients <-> OpenWrt router with NAT <-> ISP bridge (no NAT) <-> Internet | 
-single | OpenWrt as router and having an internet ISP device configured as modem-bridge | clients <-> OpenWrt router with NAT <-> ISP bridge (no NAT<-> Internet | +| single | [[#device_as_router_as_exposed_host_in_the_isp_router|OpenWrt as router, OpenWrt router being "exposed host" in the ISP router]] | clients <-> OpenWrt router with NAT <-> ISP router with NAT + "exposed host" feature <-> Internet | 
-| double | OpenWrt as router in double-NAT configuration with Dualstack Lite on ISP side | clients <-> OpenWrt router with NAT <-> ISP router with DS-Lite NAT <-> Internet | +double | [[#openwrt_as_cascaded_router_behind_another_router_double_nat|OpenWrt as router acting in default cascaded router double-NAT configuration]] | clients <-> OpenWrt router with NAT <-> ISP router with NAT <-> Internet | 
-| single | OpenWrt as router with disabled NAT, additional routing rules in both routers | clients <-> OpenWrt router (no NAT) <-> routing rules <-> ISP router with NAT <-> Internet | +| double | [[#device_as_double-nat_router_with_dual-stack_lite|OpenWrt as router in double-NAT configuration with Dualstack Lite on ISP side]] | clients <-> OpenWrt router with NAT <-> ISP router with DS-Lite NAT <-> Internet | 
-single OpenWrt as router, OpenWrt router being "exposed host" in the ISP router | clients <-> OpenWrt router with NAT <-> ISP router with NAT + "exposed host" feature <-> Internet | +| single | [[#device_as_router_with_disabled_nat_additional_routing_rules|OpenWrt as router with disabled NAT, additional routing rules in both routers]] | clients <-> OpenWrt router (no NAT) <-> routing rules <-> ISP router with NAT <-> Internet | 
-| 0 | look-out: OpenWrt as router in IPv6 only configuration + ISP router | clients <-> OpenWrt router (no NAT) <-> ISP router (no NAT) <-> Internet | +[[#device_as_router_in_an_ideal_ipv6-only_configuration|look-out: OpenWrt as router in IPv6 only configuration + ISP router]] | clients <-> OpenWrt router (no NAT) <-> ISP router (no NAT) <-> Internet | 
-| single | OpenWrt as gateway using either OpenWrt-device-built-in or external modem | clients <-> OpenWrt as gateway with NAT <-> built-in/external modem (no NAT) <-> Internet | +| single | [[#device_as_a_gateway_with_a_true_modem_between_it_and_the_internet|OpenWrt as gateway using either OpenWrt-device-built-in or external modem]] | clients <-> OpenWrt as gateway with NAT <-> built-in/external modem (no NAT) <-> Internet | 
-| single | OpenWrt as switch (connected by wire or access point or as wifi repeater) | clients <-> OpenWrt as switch (no NAT) <-> ISP router (with NAT) <-> Internet |+ 
 +====== 作为交换机或客户端AP ====== 
 +| single | 三种用法: \\ [[#openwrt_as_wireless_repeater_wifi_wifi_switch|OpenWrt作为无线中继(Wi-Fi <-> Wi-Fi交换机)]] \\ [[#openwrt_as_wireless_access_point_wifi_wired_switch|OpenWrt作为无线接入点(Wi-Fi <-> 有线交换机)]] \\ [[#openwrt_as_a_wire_wire_switch|OpenWrt作为有线交换机(有线 <-> 有线交换机)]] | 客户端 <-> OpenWrt交换机(无NAT) <-> ISP路由器(NAT) <-> 因特网 |
   
- 
 Note that for all of these upstream connection variants, the following applies: Note that for all of these upstream connection variants, the following applies:
  
-  * all variants allow to handle both wireless and wired clients on your downstream side (=your client devices connected to your local network+  * all variants can handle both wireless and wired clients on the downstream side (i.e. client devices connected to your LAN
-  * all variants allow to host software services for both downstream and upstream side (like NAS shares)+  * all variants can host software services for both downstream and upstream sides (like NAS shares)
  
 ==== OpenWrt as cascaded router behind another router (double NAT) ==== ==== OpenWrt as cascaded router behind another router (double NAT) ====
 +This is the default (and easiest) option for your OpenWrt device. For this scenario you simply connect the OpenWrt WAN port to an unused LAN port of your existing ISP router.
 +  * usually the ISP router has its firewall and NAT on, and provides DHCP on the downstream side (which is the upstream side of your OpenWrt)
 +  * OpenWrt also has its firewall and NAT on, and it provides DHCP as well on its downstream (which is the upstream side of your connecting clients)
  
-This is the default (and easiest) option for your OpenWrt deviceright after the OpenWrt installation for off-the-shelf devices sold as "router", that have 1 Ethernet-WAN port and some Ethernet-LAN ports, because for this scenario you simply connect the OpenWrt WAN port to an unused LAN port of your existing ISP router. +So what'the problem? Some traffic scenarios do not work through double NATsuch as hosting servers or playing online games.
-  * usually the ISP router has its firewall on and NAT on and provides DHCP on the downstream side (which is the upstream side of your OpenWrt) +
-  * OpenWrt also has it's firewall on and NAT on and it provides DHCP as well on the downstream (which is the upstream side of your connecting clients)+
  
-So whats the problem? +The problem isn't so much IPv4 NAT, it's a combination of: 
-Some traffic scenarios may not work, line hosting servers for the internet or playing online games. +
- +
-The problem isn't so much IPv4 NAT (=Network address translation), it's a combination of: +
   - NAT usage   - NAT usage
-  - how homerouter firewalls treat UDP-trafficThe firewall treats UDP data traffic statefullThat means if a sourceIP:sourcePort -> targetIP:targetPort package goes out, it will lower the firewall in the reverse direction for a short time, such that the target can answer with the same combination of address and portssourceIP:sourcePort <- targetIP:targetPort.  +  - how firewalls in consumer routers treat UDP traffic.\\The firewall treats UDP traffic as **stateful**This means that if a sourceIP:sourcePort -> targetIP:targetPort package goes out, it will lower the firewall in the reverse direction for a short time, such that the target can answer with the same combination of address and ports (sourceIP:sourcePort <- targetIP:targetPort)
-  - and how mostly online games use tricks to get peer-to-peer data traffic of other players through your firewall(s) to your game client.+  - many online games use tricks to get peer-to-peer data traffic of other players through your firewall(s) to your game client
  
-Unfortunately the firewall details aren't a fully standardized behavior. And unfortunately the NAT behavior that happens in parallel isn't predictable either: Every router may decide little bit differently how it maps addresses and ports on outgoing traffic. +Unfortunately the firewall details aren't a fully standardized behavior. And the NAT behavior that happens in parallel isn't predictable either - every router has slightly different method of deciding how to map addresses to ports on outgoing traffic. Most games and game consoles report this as the "NAT status" of your router, using four broad categories of //open////moderate////strict//and //blocked//, which aren't standardized either - each game vendor may use them for slightly different technical details.
-Most games and game consoles report this as "NAT status" of your router, using 4 different high level categories "open, moderate, strict, blocked", which aren't standardized either - each game vendor may use them for slightly different technical details.+
  
-So should you use this double NAT scenario and be happy with it? +So should you use this double NAT scenario and be happy with it? It highly depends on your equipment and your usage scenario. Double NAT is not automatically bad. 
-It highly depends on your equipment and your usage scenario. Double NAT is not automatically bad. +- if you just do browsing and email, you don't have to care (your internet browsing will not even be slowed down by double NAT)
-- if you just do browsing and mailing, you don't have to care (your internet browsing will not even be slowed down by double NAT).+
 - check if you want to run servers at home that you want to expose to the internet (e.g. a VPN or web server) - such hosting will definitely not work over double NAT  - check if you want to run servers at home that you want to expose to the internet (e.g. a VPN or web server) - such hosting will definitely not work over double NAT 
-- checkif your usual online games work flawlessly.+- check if your usual online games work flawlessly
  
-Now most online games use weird UDP tricks to temporarily bypass your router firewall (without opening your firewall to the whole world), to get less-lagging UDP packets to your game client. Usually those tricks can only bypass a single NATed home router, but not 2 of them. You will find out, if you either cannot connect at all to online sessions or if there is noticeably more game lag than usual (more lag happensbecause most games will first try to fallback from UDP to TCP, before giving up, if the so called "UDP hole punching" through your 2 firewalls/NATs won't work. This TCP-fallback will sometimes be noticeable). Most online games report this as "NAT status" in the game settings. Your aim usually will be to either have this status "open" or "moderate". If your game engine reports anything else, it is usually failing on your firewalls+double NAT and it will then fallback to the slower TCP and can even fail completely to connect to a game session (and I guess you should be able to notice that, if you are left alone in an online game session).+Most online games use weird UDP tricks to temporarily bypass your router firewall (without opening your firewall to the whole world), to get less-laggy UDP packets to your game client. Usually those tricks can only bypass a single NATed home router, not two as in double NAT. You will find out, if you either cannot connect at all to online sessions or if there is noticeably more game lag than usual (more lag happens because most games will first try to fallback from UDP to TCP, before giving up, if the so called "UDP hole punching" through your 2 firewalls/NATs won't work - this TCP-fallback will sometimes be noticeable). Most online games report this as "NAT status" in the game settings. Your aim usually will be to either have this status "open" or "moderate". 
If your game engine reports anything else, it is usually failing on your two firewalls and double NATand it will then fallback to the slower TCP and can even fail completely to connect to a game session (and you should be able to notice that, if you are left alone in an online game session).
  
-The next few sections explain what you can do to bypass these problems, while keeping both routers and firewalls enabled +The next few sections explain what you can do to bypass these problems, while keeping both routers and firewalls enabledJust keep in mind: don't try to fix problems that you do not have.
-Just keep in mind: Don't try to fix problems that you do not have.+
  
 ==== Device as router, internet ISP device as modem-bridge ==== ==== Device as router, internet ISP device as modem-bridge ====
-Mostly for Cable internet, you can often choose to reconfigure your ISP cable router into 1 of 2 operation modes: +Follow[[docs:guide-user:network:wan:bridge-mode|Bridge mode]]
-  - router mode +
-  - bridge mode+
  
-Sometimes you have to configure this in in nested online portal menus of your ISP (and not on your ISP router GUI).+Mostly for cable internet, you can often choose to reconfigure your ISP cable router into either **router mode** or **bridge mode**. Sometimes you have to configure this in nested online portal menus of your ISP (and not on your ISP router web GUI).
  
-When set to bridge mode, the ISP router starts behaving like a pass through device: it will only authenticate you as a legitimate customer, but will otherwise just passthrough the IPv4 traffic unchanged to your OpenWrt router. The firewall and NAT and DHCP of the ISP device will simply be disabledwhen set to bridge mode.+When set to bridge mode, the ISP router starts behaving like a pass through device: it will superficially act as a modem and will authenticate you as a legitimate customer, but will otherwise just pass through the IPv4 traffic unchanged to your OpenWrt router. The firewall and NAT and DHCP and all the normal "router" services of the ISP device will simply be disabled when set to bridge mode.
  
-[[docs:guide-user:network:wan:bridge-mode|Bridge Mode how its supposed to be done]]+==== Device as double-NAT router with DS-Lite ==== 
 +Often you do not have a choice whether your ISP gives you a real IPv4 address or a discredited [[wp>IPv6_transition_mechanism#Dual-Stack_Lite_(DS-Lite)|DS-Lite]] IPv4 address. If you want to understand DS-Lite in contrast to regular dual stack, please research the [[https://tools.ietf.org/html/rfc6333|RFC 6333]].
  
-==== Device as double-NAT router with Dualstack Lite ====+Very often DS-Lite is offered as a default package by cable TVor fiber-based ISPs. A key feature of DS-Lite is that it has so called //carrier-grade NAT// happening in some network equipment several blocks away from your home at your ISP's site, not in your ISP router at home. 
  
-Often you do not have a choicewhether your ISP gives you a real IPv4 address or an often discredited dual stack lite IPv4 address. +It is important to mention that DS-Lite and this carrier-grade NAT isn't really implemented in a standardized way. It can have slightly different implementation behaviourdepending on the actual equipment that the ISP has bought and how this equipment is configured.
-(please research the full story e.g. on wikipedia, if you want to understand what Dualstack Lite is, in contrast to dual stack)+
  
-Very often dual stack lite is offered as default package by TVcableor fiber-based Internet providers. +Sadly this technique won't help you to expose any home services over IPv4 on the internet this won't be possible with DS-Lite in any caseBut if online gaming over DS-Lite is your only concernyou might want to check if your double NAT on IPv4 is a problem at all in your favorite online games. Nowadays, often the carrier-grade NAT of DS-Lite is configured in a manner very friendly to online gamesresulting in a "moderate" NAT rating in the game engine even when having the additional OpenWrt NAT cascaded in front of it and even when running with default firewall rules.
-A key feature of DS-Lite is, that it has so called carrier-grade NAT happening in some network equipment several blocks away from your home at your ISP's sitenot in your ISP router at home+
  
-Now it is important, to mention that dual stack lite and this carrier-grade NAT isn't really implemented in a standardized way. +So if gaming (and game-related UDP peer-to-peer traffic handling) is your only concern regarding the double-NAT problem, you may just want to check your online games first and their reported NAT status, before investing extensive time in solving a double NAT problem that might not even cause a problem in everyday use.
-It can have slightly different implementation behaviour, depending on the actual equipment that the ISP has bought and depending on how this equipment is configured. +
- +
-Sadly this won't help you, to expose any home services over IPv4 on the internet - This won't be possible with dual stack lite in any case. +
- +
-But if online gaming over DS-Lite is your only concern, you might want to check if your double NAT on IPv4 is at all a problem in your favorite online games. +
-Nowadays, often the carrier grade NAT of DS Lite is configured very online game-friedly, resulting in a "moderate" NAT rating in the game engine even when having the additional OpenWrt NAT cascaded in front of it and even when running with default firewall rules. +
- +
-So if gaming (and game related UDP-peer-to-peer traffic handling) is your only concern regarding the double-NAT problem, you may just want to check your favorite games first and their reported NAT status, before investing extensive time in solving a double NAT problem that maybe does not even cause a problem for you.+
  
 ===== Device as router with disabled NAT, additional routing rules ===== ===== Device as router with disabled NAT, additional routing rules =====
-Using this scenario depends onwhether your ISP router supports custom routing rules.+Using this scenario depends on whether your ISP router supports custom routing rules. This requires that your ISP router allows you to define forward routing rules (often ISP routers are restricted in function and do not allow this).
  
-This requires that your ISP router allows to define forward routing rules (often ISP routers are functional restricted in function and do not allow this). +The idea of this solution is 
- +  * to disable NAT on the OpenWrt router, but keep its routing (and firewall) on 
-The idea is of this solution is +  * routing on the ISP router is also enabled 
-  * to disable NAT on the OpenWrt router, but keep it'routing (and firewall) on. +  * you have to define non-overlapping IP ranges and static IP addresses for the two routers
-  * so both your OpenWrt and the ISP router have routing enabled +
-  * you have to define non overlapping separate IP ranges and static IP addresses for the OpenWrt router and the ISP router+
   * as OpenWrt's NAT is disabled, you need to manually set static routes, such that clients on both routers can send traffic to the other router   * as OpenWrt's NAT is disabled, you need to manually set static routes, such that clients on both routers can send traffic to the other router
-  * you need to add a static routing on the OpenWrt router, forwarding all Internet-address ranges to the ISP router +  * you need to add a static route on the OpenWrt router to forward all Internet-address ranges to the ISP router 
-  * you need to add a static routing on the ISP router, forwarding the address range managed by OpenWrt to the OpenWrt router +  * you need to add a static route on the ISP router to forward the local address range managed by OpenWrt to the OpenWrt router
  
 ===== Device as router as "exposed host" in the ISP router ===== ===== Device as router as "exposed host" in the ISP router =====
 +Follow: [[docs:guide-user:network:wan:dmz-based-bridge-mode|Poor man's bridge]]
  
-This is an optional feature of your ISP router (so it could be that your ISP router may not support this). +Only some ISP routers have this feature, sometimes called a //DMZ// (demilitarized zone), //DMZ for single server////exposed host//, //IP passthrough//, or //poor man'bridge mode// (there is no standardized name). This feature enables your ISP router to define a single one of its downstream clients to be a so called "exposed host". The ISP router will then forward all incoming Internet traffic from its upstream side to this "exposed host".
-Sometimes this feature is called "DMZ for single server""exposed hostor "poor man bridge mode(there is no standardized name)  +
- +
-The feature enables your ISP router to define a single one of its downstream ports to be a so called "exposed host". +
-The ISP router will then forward all incoming Internet traffic from its upstream side to this "exposed host".+
  
-This effectively disables NAT on the ISP router only for a single connected device on the ISP router downstream side: For obvious reasons, we will be connecting our OpenWrt router as this exposed host. So in the end, we have achieved single NAT solely in the network chain towards the OpenWrt router.+This effectively disables NAT on the ISP router only for a single connected device on the ISP router downstream side: for obvious reasons, we will be connecting our OpenWrt router as this exposed host. So in the end, we have achieved single NAT solely in the network chain towards the OpenWrt router.
  
-(Remeber you still need to define usual port forwarding rules in your OpenWrt routerif you want to expose OpenWrt-connected-servers to the Internet)+Remember you still need to define the usual port forwarding rules in your OpenWrt router if you want to expose OpenWrt-connected servers to the Internet, since we haven't set up an exposed host on the internal network.
  
 Drawbacks of this method are: Drawbacks of this method are:
 - the feature may not be supported by your ISP router, you'll have to find out if it does - the feature may not be supported by your ISP router, you'll have to find out if it does
-- the OpenWrt upstream port is exposed to the Internet, so be sure that you have not added any non-needed careless extra rules to the default OpenWrt firewall rule set +- the OpenWrt upstream port is exposed to the Internet, so be sure that you have not added any careless or extraneous rules to the ruleset 
-- one of your ISP router ports is now without firewall protection. So be careful with this one downstream ISP router port now, in case you ever connect something else to this port. +- one of your ISP router ports is now without firewall protection, so be careful with this one downstream ISP router port in case you ever connect something else to it
- +
-[[docs:guide-user:network:wan:dmz-based-bridge-mode|"Exposed host" a.k.a "Poor Man's Bridge Mode"]] +
- +
-===== Device as router in an ideal IPv6 only configuration ===== +
-Obviously this ideal world does not yet exist. Its just a look-out for much later.\\ +
-Once this happens, the previous chapters of this howto can be ignored\\ +
-This will then be the default (and easiest) and only router option required for your IPv6 OpenWrt device, as you it will just work out of the box for all business cases.\\ +
-There will be no NAT issues, there is no longer a discussion whether to switch the ISP router to bridged or routed and no more discussion whether a "exposed host" config is needed. +
- +
-  * You will be choosing to run OpenWrt as router (without variants), if you want to have an extra firewall active inside your home network (in addition to the firewall of your ISP router) +
-  * You will be choosing to run OpenWrt as switch instead (see below), if you don't want the extra bit of routing and firewall inside your home network +
-  * You will be choosing to run OpenWrt as gateway instead (also see below), if you need to connect to Internet via a special modem protocol +
  
 +===== Device as router in an ideal IPv6-only configuration =====
 +Obviously this ideal world does not yet exist, it's just a prospect for much later. Once this happens, the previous chapters of this page can be ignored. This will then be the default and only router option required for your IPv6 OpenWrt device, as you it will just work out of the box for all business cases. There will be no NAT issues, there is no longer a discussion whether to switch the ISP router to bridged or routed, and no more discussion whether an "exposed host" configuration is needed. You will be able to choose three ways of running OpenWrt:
 +  * as a router (without variants), if you want to have an extra firewall active inside your home network (in addition to the firewall of your ISP router)
 +  * as a switch instead (see below), if you don't want the extra bit of routing and firewall inside your home network
 +  * as a gateway instead (see below), if you need to connect to Internet via a special modem protocol
  
 ===== Device as a gateway, with a true modem between it and the Internet ===== ===== Device as a gateway, with a true modem between it and the Internet =====
-If your OpenWrt device has no WAN port at all out of the box adn has a built-in modem with something like a VDSL-phone port, or if it has a WAN port and you have an external modem that can be put in "bridge mode" (either full bridge or half bridge), this is for you.+Follow: [[docs:guide-user:network:wan:internet.connection|Internet connection]]
  
-See [[docs:guide-user:network:wan:internet.connection|this tutorial]]+If your OpenWrt device has no WAN port at all out of the box and has a built-in modem with something like a VDSL-phone port, or if it has a WAN port and you have an external modem that can be put in "bridge mode" (either full bridge or half bridge), this is for you.
  
 +===== OpenWrt as wireless repeater (wireless-to-wireless switch) =====
 +Follow: [[docs:guide-user:network:wifi:relay_configuration|Wi-Fi extender or repeater or bridge configuration]]
  
-===== OpenWrt as wireless repeater (wifi<->wifi switch) ===== 
 If your OpenWrt device does not have LAN ports or if you don't want to connect any other devices using RJ45 LAN cables, then most probably you want to use the OpenWrt device as a WiFi repeater in your existing network. If your OpenWrt device does not have LAN ports or if you don't want to connect any other devices using RJ45 LAN cables, then most probably you want to use the OpenWrt device as a WiFi repeater in your existing network.
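
Review bot: In the "exposed host" section the new description says the ISP router designates "a single one of its downstream clients" as the exposed host, while the drawbacks list still warns that "one of your ISP router ports is now without firewall protection" and to be careful when connecting something else to that port. Please say which of the two it is, or that it depends on the ISP router, because that decides what ends up unfiltered if the OpenWrt router is later moved or replaced. The same list shortens "the default OpenWrt firewall rule set" to "the ruleset", which no longer says whose rules are meant at the point where the OpenWrt upstream port is exposed to the Internet; suggest "the OpenWrt firewall ruleset". Separately, the table anchors "#device_as_double-nat_router_with_dual-stack_lite" and "#openwrt_as_wireless_repeater_wifi_wifi_switch" no longer correspond to the renamed headings "Device as double-NAT router with DS-Lite" and "OpenWrt as wireless repeater (wireless-to-wireless switch)", and the new title line opens with five "=" but closes with six.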
  
Line 177: Line 148:
   * Note that OpenWrt will no longer listen on the typical default router address of your subnet (e.g. ip-address 192.168.1.1), but will get a custom address (either by DHCP from your other router or you have manually set a static address of the subnet of the other wifi)   * Note that OpenWrt will no longer listen on the typical default router address of your subnet (e.g. ip-address 192.168.1.1), but will get a custom address (either by DHCP from your other router or you have manually set a static address of the subnet of the other wifi)
      
-[[docs:guide-user:network:wifi:relay_configuration|Wifi Extender or Repeater or Bridge Configuration]]+Note: In case you are interested in creating a so called "wireless mesh" instead of a wireless repeater, you will have to refer to other projects, e.g. [[https://libremesh.org/]] or [[https://open-mesh.org/]] at this time.
  
 +===== OpenWrt作为无线接入点(无线到有线交换机)=====
 +遵循: [[docs:guide-user:network:wifi:dumbap|Wi-Fi接入点]]
  
-Note: In case you are interested in creating a so called "wireless mesh" instead of a wireless repeater, you will have to refer to other projects like libremesh.org at this time. +作为一个无线接入点,OpenWrt将以有线连接至现存网络。供您的无线设备经由OpenWrt连接至有线网络所用。 
- +  * 有线网络提供因特网访问
- +
-===== OpenWrt as wireless access point (wifi<->wire switch)===== +
-As a wireless access point, OpenWrt connects to the existing network by wire. OpenWrt then acts as a networking device that allows your Wi-Fi devices to connect to the wired network over OpenWrt +
-  * the wired network provides Internet access+
   * OpenWrts upstream side (the other wired network it will connect to) will be a wired connection to the existing router. So OpenWrt acts as a client of this existing other network.   * OpenWrts upstream side (the other wired network it will connect to) will be a wired connection to the existing router. So OpenWrt acts as a client of this existing other network.
-  * OpenWrts downstream side (the wifi network that OpenWrt will provide) will be an access point for your wireless clients+  * OpenWrts downstream side (the Wi-Fi network that OpenWrt will provide) will be an access point for your wireless clients
   * the existing router on the wired upstream side provides the DHCP service (OpenWrt's own DHCP will be off)   * the existing router on the wired upstream side provides the DHCP service (OpenWrt's own DHCP will be off)
   * some other network device on your network will have a firewall and NAT on and provides DHCP   * some other network device on your network will have a firewall and NAT on and provides DHCP
   * OpenWrts firewall and NAT will be off (As OpenWrt will operate in switch mode which cannot use NAT)   * OpenWrts firewall and NAT will be off (As OpenWrt will operate in switch mode which cannot use NAT)
-  * summed up, OpenWrt acts as a wifi-to-wired switch+  * summed up, OpenWrt acts as a wireless-wired switch
   * as long as you do not purposely disable the LAN downstream ports, OpenWrt will also act as a wire-to-wire switch   * as long as you do not purposely disable the LAN downstream ports, OpenWrt will also act as a wire-to-wire switch
-  * Note that OpenWrt will no longer listen on the typical default router address of your subnet (e.g. ip-address 192.168.1.1), but will get a custom address (either by DHCP from your other router or you have manually set a static address of the subnet of the other wifi) +  * Note that OpenWrt will no longer listen on the typical default router address of your subnet (e.g. ip-address 192.168.1.1), but will get a custom address (either by DHCP from your other router or you have manually set a static address of the subnet of the other Wi-Fi)
-   +
-[[docs:guide-user:network:wifi:dumbap|Wifi Access Point]] +
  
 ===== OpenWrt as a wire-to-wire switch ===== ===== OpenWrt as a wire-to-wire switch =====
 This scenario has already been covered in the previous described access point scenario, as the downstream LAN ports in OpenWrt are active by default, providing switching: All your wired and wireless clients connected to either OpenWrt or your other network switches can talk to each other without restrictions, as no firewall is active on the OpenWrt device. This scenario has already been covered in the previous described access point scenario, as the downstream LAN ports in OpenWrt are active by default, providing switching: All your wired and wireless clients connected to either OpenWrt or your other network switches can talk to each other without restrictions, as no firewall is active on the OpenWrt device.
-  * so just follow the wireless access point description - just with the difference: if you only need a wire-to-wire-switch, then just do not enable the downstream wifi+  * so just follow the wireless access point description - just with the difference: if you only need a wire-to-wire switch, then just do not enable the downstream Wi-Fi
   * OpenWrt will then act as a wire-to-wire switch between the different OpenWrt-attached downstream devices and between the downstream <-> upstream ports   * OpenWrt will then act as a wire-to-wire switch between the different OpenWrt-attached downstream devices and between the downstream <-> upstream ports
   * in switch mode, OpenWrt cannot use NAT   * in switch mode, OpenWrt cannot use NAT
-  * Note that OpenWrt will no longer listen on the typical default router address of your subnet (e.g. ip-address 192.168.1.1), but will get a custom address (either by DHCP from your other router or you have manually set a static address of the subnet of the other wifi) +  * Note that OpenWrt will no longer listen on the typical default router address of your subnet (e.g. ip-address 192.168.1.1), but will get a custom address (either by DHCP from your other router or you have manually set a static address of the subnet of the other Wi-Fi)
  
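Review bot: the translation stops partway through the access point section. The heading, the "遵循:" link line, the intro sentence and the first bullet ("有线网络提供因特网访问") are now Chinese, but every bullet from "OpenWrts upstream side" onward, and the whole "OpenWrt as a wire-to-wire switch" section, is still English, so the zh page switches language in the middle of a list. Translate the remaining bullets in the same revision. While doing so, state the firewall consequence in one place: "OpenWrts firewall and NAT will be off" here and "can talk to each other without restrictions, as no firewall is active on the OpenWrt device" in the next section together mean that all filtering in this mode depends on the upstream device, and the reader currently has to assemble that from two sections. Smaller points: "OpenWrts" should be "OpenWrt's", and the rewritten mesh note uses bare [[https://libremesh.org/]] and [[https://open-mesh.org/]] links without link titles.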
  • Last modified: 2022/03/17 10:11
  • by biaji