DMZ - Alternative to Bridging a Router

[JimHelms]

OpenWRT/LEDE does not have a true bridge mode. The closest configuration to bridging is to DMZ (De-Militarized Zone) all traffic from the gateway router (WE826) to a secondary router/device (MAIN ROUTER) which will handle the DHCP and Firewall.

I have used a couple of different configurations to accomplish this task. I will include the first method in this tutorial with an additional method to follow later. I hope to also find the time in the near future to document these steps with photos.

In this example, we will be using the WE826 (with GoldenOrb firmware) as the gateway router. The secondary router can be most any router and is referenced below as the MAIN ROUTER.

The WE826’s LAN needs a static IP address on a subnet that will not be used on the MAIN ROUTER. For example (use whatever IP combination you prefer):

Go to NETWORK > INTERFACES > LAN > EDIT > COMMON CONFIGURATION

NOTE: Be sure to SAVE & APPLY each of the modifications.

Code: Select all

Protocol: Static Address
IPV4 Address: 192.168.2.1
IPv4 Netmask: 255.255.255.0

Reboot the WE826 router. Remember that you will now use 192.168.2.1 to log into the WE826.

Go to MAIN ROUTER and configure the WAN a Static IP address in the same subnet as the WE826’s LAN:

Code: Select all

IP Address: 192.168.2.2
Netmask: 255.255.255.0
Gateway IP: 192.168.2.1

The LAN on the MAIN ROUTER can remain 192.168.1.1 with serving the DHCP starting with 192.168.1.100 (or whatever).

Configure the DNS server IP as 8.8.8.8 (or your favorite DNS server IP) .

Connect the WE826 LAN to the WAN port of the MAIN ROUTER with an Ethernet cable and reboot both routers.

On the WE826 go to NETWORK > FIREWALL > PORT FORWARDS and Remove all PORT FORWARDS (if any), then

> ADD

Code: Select all

Name: ALL->DMZ
Protocol: choose TCP+UDP
External zone: wan
External Port: leave empty
Internal zone: lan
Internal IP address: 192.168.2.2  (Choose the Static IP assigned the Main Router WAN)
Internal port: leave empty

Next, disable DHCP on the WE826 since the MAIN ROUTER will be the DHCP server.

Go to NETWORK > INTERFACES > LAN > EDIT > DHCP SERVER > General Setup

Code: Select all

Ignore interface: Checked (to disable DHCP)

Go to NETWORK > INTERFACES > LAN > EDIT > DHCP SERVER > Advanced Setting

Code: Select all

Dynamic DHCP: Uncheck

Disable the WiFi on the WE826. Go to NETWORK > WIRELESS > DISABLE

Reboot the WE826 and the MAIN ROUTER.

Any port forwarding must now be done in the MAIN ROUTER.

Hopefully, this will get you started.

[k9kfx]

The last step I couldn't find.... Dynamic dhcp: uncheck.... having trouble finding this.

[JimHelms]

The last step I couldn't find.... Dynamic dhcp: uncheck.... having trouble finding this.

Disable DHCP Server.png

[k9kfx]

I kinda figured this was an issue.... I don't have an advanced settings tab, just general and ipv6 settings. Crazy.

[JimHelms]

Disable the WE826 as the DHCP Server on the General Setup tab and try it.

[k9kfx]

Ahh... when i unchecked ignore interface under general settings the advance settings tab came back. So I should uncheck the dynamic dhcp under advance settings first, then the ignore interface under general?

[JimHelms]

Hmm... It is possible that by unchecking the box under general settings, renders the rest of the advance settings moot. If this is the case, then it probably does not matter it the advance settings is even unchecked--though it probably does not hurt either way.

[k9kfx]

copy that. thanks.

[RussWestrem]

Openwrt actually bridges interfaces just fine, it's the rooter scripts that stops the bridge from working. Rooter is just not set up for this feature. If you want a true bridge just dont use rooter. Install your drivers and packages you need to run the modem then just bridge the lan and wan and it's pretty much done.

[trumee]

I will include the first method in this tutorial with an additional method to follow later.

What was the additional method you were alluding to?

I am interested in setting up WE826-T2 as an IP Passthrough/Bridge to my main pFsense router. Here is a post which wants to do the same by bridging LAN with WAN. Would that work?

Teltonika routers are based on openwrt and their router also supports ip passthrough. This post claims that they use ebtables. There was a discussion about how to achieve this on linux forum, but the discussion wasnt conclusive.

Mofi4500 also supports ip passthrough on the WE826, wonder how they do it?

[swwifty]

Openwrt actually bridges interfaces just fine, it's the rooter scripts that stops the bridge from working. Rooter is just not set up for this feature. If you want a true bridge just dont use rooter. Install your drivers and packages you need to run the modem then just bridge the lan and wan and it's pretty much done.

Do you happen to have a tutorial on how to do this? I'm having trouble finding instructions on this. I'd really like to get rid of my silly double NAT as I use pFsense for my main firewall.

[Need4Speed]

I was successful using this tutorial hooking up my wg3526 on GoldenOrb_2019-03-10 to my other (asus) router. Tried reversing the process but got locked out of my wg3526. So after recovering firmware and getting reconfigured I seen that DHCP server in goldenorb starts at 100 so nothing needs to be done on wg3526. In my asus, I changed the LAN IP to 192.168.1.2 (that will be my new login for asus now) since it was the same as the wg3526. I then turned the dhcp off on the asus and set the ip starting to 192.168.1.20. Not that the ip starting should matter since the wg3526's dhcp should be handling the ip assignments.

Applied all settings and was up and running. Now i can access the wg3526 directly through my asus via ethernet and still have the wg3526's wifi capabilities.

[BillA]

I was successful using this tutorial hooking up my wg3526 on GoldenOrb_2019-03-10 to my other (asus) router. Tried reversing the process but got locked out of my wg3526. So after recovering firmware and getting reconfigured I seen that DHCP server in goldenorb starts at 100 so nothing needs to be done on wg3526. In my asus, I changed the LAN IP to 192.168.1.2 (that will be my new login for asus now) since it was the same as the wg3526. I then turned the dhcp off on the asus and set the ip starting to 192.168.1.20. Not that the ip starting should matter since the wg3526's dhcp should be handling the ip assignments.

Applied all settings and was up and running. Now i can access the wg3526 directly through my asus via ethernet and still have the wg3526's wifi capabilities.

Right, but your setup does the opposite what others wanted, using the modem/router in pass-through mode. In your case you're still using the WG3526's DHCP to assign IP's while the Asus acts as a simple access point/hub/switch. It all depends how you intend to use it.

[freep]

Openwrt actually bridges interfaces just fine, it's the rooter scripts that stops the bridge from working. Rooter is just not set up for this feature. If you want a true bridge just dont use rooter. Install your drivers and packages you need to run the modem then just bridge the lan and wan and it's pretty much done.

I know this is kind of old, but can you elaborate on how to "just bridge the lan and wan"? I'm going to try something similar with a unifi USG

[52electrons]

We’re you able to bridge with the USG? I have basically this exact setup and the double Nat is giving me trouble.

Wrt1200ac with rooter / USB modem, and UniFi USG as my main router / all other UniFi hardware. I’m running 192.168.1.1 on the linksys and 10.0.1.1 on the USG. Followed the guide above pretty much to fix the IPs on the wan and disable dhcp and some devices work, some don’t.

Got to the point I’m running two networks / one with Visible / Linksys and my normal network ATT in a netgear modem / USG.

Upgrading my USG (it’s a really old rev) so I can rock double WAN as I also can’t seem to get the WAN load balancing / rules to work very well in the Rooter since it can’t see the 10.0.1.x devices I can’t setup rules.

[BillA]

We’re you able to bridge with the USG? I have basically this exact setup and the double Nat is giving me trouble.

Wrt1200ac with rooter / USB modem, and UniFi USG as my main router / all other UniFi hardware. I’m running 192.168.1.1 on the linksys and 10.0.1.1 on the USG. Followed the guide above pretty much to fix the IPs on the wan and disable dhcp and some devices work, some don’t.

Got to the point I’m running two networks / one with Visible / Linksys and my normal network ATT in a netgear modem / USG.

Upgrading my USG (it’s a really old rev) so I can rock double WAN as I also can’t seem to get the WAN load balancing / rules to work very well in the Rooter since it can’t see the 10.0.1.x devices I can’t setup rules.

The best solution for channel bonding two or more modems with speed aggregation (not just simple load balancing), including bridging interfaces in any combination using a GUI interface, is by using OpenMPTCProuter. As an added bonus, you also get a VPN protected connection.
https://wirelessjoint.com/viewtopic.php?f=21&t=1078

[toddw]

I have a USG Pro 4 (and a USG 3P as backup) with two routers, one on each WAN port. It won't do WAN bonding, but it does load balance properly. You can use weighted values or failover setting via the GUI. Not bad if you don't have equal data plans for each connection.

[jakesgt2]

Anyone have any luck setting this method up in the 11/23 1608 firmware? I can follow the tutorial but it won't let me leave the external port empty to save the port forward.

Screenshot (2).png

[Viper67857]

Try "any" or "1-65535"... That should cover all ports.

[WarBeard]

I know this is an older guide, I but I used it to solve an issue I was having. Would I still be able to use OpenVPN on this setup or do I have to have dhcp, etc. turned on to do so?

[BillA]

I know this is an older guide, I but I used it to solve an issue I was having. Would I still be able to use OpenVPN on this setup or do I have to have dhcp, etc. turned on to do so?

DHCP has to do with assigning local IP's to your connected devices. A VPN is used to established an encrypted connection. You can run it with or without DHCP depending if you're using your mobile router in bridge/bypass mode connected to a second router which serves DHCP instead. Generally you don't want two routers on the same network both serving DHCP, it can create conflict.

[JoshKelly]

OpenWRT/LEDE does not have a true bridge mode. The closest configuration to bridging is to DMZ (De-Militarized Zone) all traffic from the gateway router (WE826) to a secondary router/device (MAIN ROUTER) which will handle the DHCP and Firewall.

Does this break the custom TTL settings in GO if I follow the tutorial? Meaning will my TTL still be reported as 65 to tmobile even though my ER12 is taking care of all the router functions?

[Didneywhorl]

iptables should apply the mangle to all traffic through the interface specified. I think at least.

[JoshKelly]

iptables should apply the mangle to all traffic through the interface specified. I think at least.

Thank you so much Didney !

[JoshKelly]

Hey guys I have followed the guides for DMZ but for some reason my WG1608 is still trying to handle DNS assignment, any ideas? Is there a config file I can paste in here to make sure I have everything configured properly?

[lawnmowerman]

I have zbt-we826 with ep06 running goldenorb_2020-03-01. Because of the external antenna setup, the we826 is not in a good wifi location, so I'm using an asus router for wifi. I have the wifi disabled on the we826, and ethernet is connecting the we826 lan to the asus wan, so the asus router is just the access point. Everything seems to be working just fine... what are the benefits/reasons for setting things up (via this tutorial) instead?

[BillA]

I have zbt-we826 with ep06 running goldenorb_2020-03-01. Because of the external antenna setup, the we826 is not in a good wifi location, so I'm using an asus router for wifi. I have the wifi disabled on the we826, and ethernet is connecting the we826 lan to the asus wan, so the asus router is just the access point. Everything seems to be working just fine... what are the benefits/reasons for setting things up (via this tutorial) instead?

Ideally you would want to keep the mobile router in full router/DHCP mode with WiFi turned off in order to handle various routing and carrier bypass functions properly. The second router should only act as a dummy access point with routing/DHCP functions turned off and possibly in DMZ mode.
It may work for now the other way around, however you're running the risk of the carrier blocking your service later down the line.

Here's more info on different setup options:
https://wirelessjoint.com/viewtopic.php?p=15956#p15956

[lawnmowerman]

Ideally you would want to keep the mobile router in full router/DHCP mode with WiFi turned off in order to handle various routing and carrier bypass functions properly. The second router should only act as a dummy access point with routing/DHCP functions turned off and possibly in DMZ mode.
It may work for now the other way around, however you're running the risk of the carrier blocking your service later down the line.

Here's more info on different setup options:
https://wirelessjoint.com/viewtopic.php?p=15956#p15956

Thanks bill! I followed your advice, turned off the WiFi on the mobile router and set the second router to access point mode.

[RealFlyITGuy]

Repost this as a new topic under Routers Questions and support, then delete this one, please.

Tried deleting it but it wouldn't let me because you'd replied to it lol

Anyway, I redacted it to a "." and also posted it as a new topic per your request.

Sorry about that.

[Didneywhorl]

Tried deleting it but it wouldn't let me because you'd replied to it lol

Anyway, I redacted it to a "." and also posted it as a new topic per your request.

Sorry about that.

Thanks, no worries.

[elwood_]

Thanks for the tutorial, Jim!

Is there a way to apply this to IPv6? It seems that my RMB11G is still serving IPv6 as my "primary" router is receiving an IPv6 IP (set to automatic) and clients on the network are getting IPv6 IPs but they all say "No Internet Access".

[Didneywhorl]

The ipv6 has to be setup as ipv4 over ipv6 on the router firmware to work properly with ipv6 based connections.

[stryker6040]

I attempted to setup the DMZ from the tutorial above on a wg1608 but when I complete the first setup above, it starts to apply the changes with the count down and then says changes failed reverting back to the previous setup at which time the device locks up and becomes unresponsive and have to reflash firmware.

Anyone else have this issue and know whats causing the device to lock up? I want to use a better router to route traffic and basically just use the 1608 as a modem only

[JoshKelly]

You have to manually set your IP on your PC to your newer subnet (turn DHCP off) and access the GUI before the time runs out or the changes won't take.

With that said I never have been able to get this to work well. I have better luck setting a static route in the WG1608 to the down stream router and then turning off the firewall & DHCP on the WG1608. This should give a single NAT setup but it also has its problems.

From what I am told there just isn't a simple way to do a bridge mode in these rooter versions of OpenWRT because they are already in bridge mode with the modem. Something about having to do a double bridge to get this to work. IDK there are smarter people than me that could explain better. This is just my understanding from the guys over on whirlpool.