Skip to content

Instantly share code, notes, and snippets.

@madduci

madduci/ftth_openwrt.md

Last active February 27, 2025 21:31
Show Gist options
  • Save madduci/8b8637b922e433d617261373220be44c to your computer and use it in GitHub Desktop.
Save madduci/8b8637b922e433d617261373220be44c to your computer and use it in GitHub Desktop.
Download ZIP
Deutsche Telekom FTTH Access with OpenWRT
Raw
ftth_openwrt.md

Configuring Deutsche Telekom FTTH Access with OpenWRT

After looking for alternatves to the suggested Router from Telekom (AVM FritzBox and HUawei Speedport), I've discovered the possibility of configuring my existing OpenWRT Router to act as gateway to the Telekom FTTH (Fiber To The Home) Magenta Zuhause package.

TL;DR

The WAN interface must be configured as follows (see your Telekom letter):

  • Protocol: PPPoE
  • PAP/CHAP username:
  • PAP/CHAP password: Zugangskenntwort
  • VLAN: 7
  • MTU: leave empty (delete the default value 1500)

Requirements

Access Data

Old Contracts (Before 2024)

It's important to know the following information, before attempting any connection:

  • Anschlusskennung
  • Zugangsnummer
  • Mitbenutzernummer
  • Zugangskenntwort

All the above information are typically sent by Telekom at home, when activating the Internet Access.

Newer Contracts (From 2024)

The "Easy Login" option is automatically activated for new contracts. If it is activated, you can use any username/password. Otherwise it can activated in the "Kundencenter".

Otherwise it's important to know the following information, before attempting any connection:

Anschlusskennung
Zugangsnummer
Mitbenutzernummer
Zugangskenntwort

All the above information can be found oin the "Kundencenter" at "Verträge" -> "Erweiterte Optionen" -> "Internetzugang".

Hardware

You need a OpenWRT-capable router (e.g. TP-Link Archer C7 works really well), see here for an exhaustive list of supported devices.

Make sure your Telekom Fiber Modem is working properly.

Configuration

Enable VLAN

The Telekom PPPoE access requires the VLAN-ID to be set to 7. In order to do so, you have to configure the Router Ethernet interface that refers to WAN. The configuration panel can be found under the Menu entry Network->Switch (on OpenWRT 22.03 is Network -> Devices -> Add Device Config)

In this panel, you can see a table showing the VLAN(s) configured for your Router (typically 2) and they have some comboboxes with status tagged/untagged/off. One of the VLANs configured should be configured with the following information:

Port Status CPU (eth0) LAN1 LAN2 LAN3 LAN4 WAN
1 tagged untagged untagged untagged untagged off
7 tagged off off off off tagged

In case of Routers with multiple Ethernet interfaces (e.g. TP-Link Archer C7), the panel should look like this:

Port Status CPU (eth0) CPU (eth0) LAN1 LAN2 LAN3 LAN4 WAN
1 tagged tagged untagged untagged untagged untagged off
7 tagged tagged off off off off tagged

Setup WAN Interface

In the Menu entry Network->Interfaces, select the WAN interface and set the following information in the General Setup tab:

  • Protocol: PPPoE
  • PAP/CHAP username: [email protected]
  • PAP/CHAP password: Zugangskenntwort

In the tab Physical Settings, select the interface Switch VLAN eth0.7 (the one corresponding to the VLAN-ID 7).

Beware: in case your "Zugangsnummer" has less than 12 digits, the PAP/CHAP username is in the form AnschlusskennungZugangsnummer#[email protected] (see https://telekomhilft.telekom.de/t5/Telefonie-Internet/PPPOE-Einwahl-ueber-einen-Router-herstellen/ta-p/3654990 for further details)

Performance Tuning

MTU should not be set to an MTU of 1500 in any WAN, PPPOE-WAN or VLAN 7 interface - it automatically negotiates an MTU of 1492 when dialing in. Make sure that in none of the above mentioned interfaces in the field MTU is a real value in it.

Check the /etc/config/network file or execute uci show network over ssh for any configured mtu:

config interface 'wan'
option proto 'pppoe'
option device 'eth0.7'
option username '[email protected]'
option password 'xxx'
option ipv6 'auto'

This change improves the performance with Applications/Services such as MS Teams, Speedtests and many other ones.

Happy surfing!

@DaVarga
Copy link

DaVarga commented Jan 4, 2025

Thanks for sharing! I’m running OpenWrt 24.10.0-rc4 on a NanoPi R5C, my setup struggles to manage 600 Mbit downstream. While I expected some hardware limitations, I was hoping to reach 1 Gbit with this device. Does anyone know if this is achievable, or is 600 Mbit the limit of what this hardware can deliver?

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd47:3f3a:a3cc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'ae:13:cd:22:31:3d'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr 'ae:13:cd:22:31:3c'

config interface 'wan_telekom'
        option device 'eth1.7'
        option proto 'pppoe'
        option username '***@t-online.de'
        option password '***'
        option ipv6 'auto'
        option keepalive '0 1'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '7'
        option name 'eth1.7'

iperf3 results

  • From NanoPi.

    # iperf3 -c speedtest.wtnet.de -p 5205 -4 -R -f m -t 30
[...]
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.04  sec  2.53 GBytes   722 Mbits/sec  853             sender
[  5]   0.00-30.00  sec  2.52 GBytes   720 Mbits/sec                  receiver

iperf Done.

  • From connected pc.

    PS> iperf3 -c speedtest.wtnet.de -p 5205 -4 -R -f m -t 30
[...]
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.03  sec  1.97 GBytes   564 Mbits/sec  398            sender
[  5]   0.00-30.02  sec  1.96 GBytes   562 Mbits/sec                  receiver

iperf Done.

  • Connection between pc and NanoPi

    PS> iperf3 -c 192.168.1.1 -R -f m -t 30
[...]
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.01  sec  6.13 GBytes  1754 Mbits/sec    0            sender
[  5]   0.00-30.01  sec  6.13 GBytes  1754 Mbits/sec                  receiver

iperf Done.

@To6i
Copy link

To6i commented Jan 4, 2025

@DaVarga
If the device does not support hardware offloading, you can just take a look at the CPU load with top. If it is pinned at > 95% while iperf is running, than that's the limit. Unfortunately PPPoE is pretty CPU intensive.

@DaVarga
Copy link

DaVarga commented Jan 4, 2025

@To6i
Thank you for highlighting this!. The following adjustments did the trick for me.

# cat /etc/config/network
config globals 'globals'
+      option packet_steering '2'
+      option steering_flows '64'
[...]

# cat /etc/config/firewall 
config defaults
+	option flow_offloading '1'
+	option flow_offloading_hw '1'
[...]

Getting pretty stable results now. Latency jitter under load went down as well.

# iperf3 -c speedtest.wtnet.de -p 5205 -4 -f m -t 30
[...]
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.00  sec  1.78 GBytes   510 Mbits/sec  350             sender
[  5]   0.00-30.04  sec  1.78 GBytes   509 Mbits/sec                  receiver

iperf Done.

# iperf3 -c speedtest.wtnet.de -p 5205 -4 -R -f m -t 30
[...]
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-30.04  sec  3.74 GBytes  1070 Mbits/sec  185             sender
[  5]   0.00-30.00  sec  3.74 GBytes  1070 Mbits/sec                  receiver

iperf Done.

@DaVarga
Copy link

DaVarga commented Feb 1, 2025

The instructions work for me so far. Thank you very much! What I am still wondering is how I can access the web interface of the “Telekom Glasfaser Modem 2” which I have routed. (eth0 my home network; eth1 the network where the modem is connected). For example, if I change 192.168.100.2/24 to eth1 or eth1.1 or even eth1.7, I cannot access 192.168.100.1. If I try the same with a laptop directly with a cable to the modem without any VLAN configuration, it works. Does anyone have an idea?
@egabosh

The following setup works for me:

config interface 'wan_staticip'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.252'
        option delegate '0'
        option defaultroute '0'

I had to add the wan_staticip interface to the wan firewall zone.
You might also have to add an additional route. It was not necessary in my case:

config route
        option target '192.168.100.1/32'
        option interface 'wan_staticip'

@madduci
Copy link
Author

madduci commented Feb 1, 2025 via email

@nicoh88
Copy link

nicoh88 commented Feb 5, 2025
edited
Loading

The instructions work for me so far. Thank you very much! What I am still wondering is how I can access the web interface of the “Telekom Glasfaser Modem 2” which I have routed. (eth0 my home network; eth1 the network where the modem is connected). For example, if I change 192.168.100.2/24 to eth1 or eth1.1 or even eth1.7, I cannot access 192.168.100.1. If I try the same with a laptop directly with a cable to the modem without any VLAN configuration, it works. Does anyone have an idea?
@egabosh

The following setup works for me:

config interface 'wan_staticip'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.252'
        option delegate '0'
        option defaultroute '0'

I had to add the wan_staticip interface to the wan firewall zone. You might also have to add an additional route. It was not necessary in my case:

config route
        option target '192.168.100.1/32'
        option interface 'wan_staticip'

Wow, interesting.
I tried it straight away.
Unfortunately without success.
I also have my OpenWRT router connected to a Telekom fiber optic modem 2.
In my case (Netgear Nighthawk X4S R7800)

  • eth0 is the network port that goes to the modem and
  • eth1 is internal.
...
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.7' 
...

My changes

...
config interface 'wan_staticip'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.252'
        option defaultroute '0'
        option delegate '0'

config route
        option interface 'wan_staticip'
        option target '192.168.100.1/32'

Screenshot 2025-02-05 205826
Screenshot 2025-02-05 205836
Screenshot 2025-02-05 205840

And I have assigned the interface wan_staticip to the firewall zone wan. Unfortunately without success, I can neither ping 192.168.100.1 from the router nor from the PC - the web interface does not open either. Too bad.

Do you have any other ideas? @DaVarga

@zlatovlas
Copy link

zlatovlas commented Feb 24, 2025
edited
Loading

Thanks for the instructions.

For ASUS RT-AX53U with OpenWrt 24.10.0:

  • In Network > Interfaces > Devices click Add device configuration
  • Select VLAN (802.1q) as device type and Ethernet Adapter: "wan" as Base device
  • VLAN ID shall be 7
  • device name whatever you prefer, e. g. pppoe_telekom
  • keep MTU empty (manually setting it to 1500 or 1492 will cause the connection to stop working).

Then

  • in Network > Interfaces > click edit next to your wan interface
  • protocol PPPoE and device wan.7
  • fill in your PAP/CHAP username and password as advised above
  • keep the rest empty

Then consider

  • in Network > Interfaces >* selecting Flow offloading type to Software flow offloading otherwise I was only getting 1/3 of the download speed (upload was OK).

EDIT: Actually, since RT-AX53U is MediaTek MT7621 based, you may even try Hardware flow offloading.

Note: wan_6 pppoe-wan will then be automatically created as protocol "Virtual dynamic interface (DHCPv6 client).

I hope it helps someone, just as this thread helped me!

@zlatovlas
Copy link

The instructions work for me so far. Thank you very much! What I am still wondering is how I can access the web interface of the “Telekom Glasfaser Modem 2” which I have routed. (eth0 my home network; eth1 the network where the modem is connected). For example, if I change 192.168.100.2/24 to eth1 or eth1.1 or even eth1.7, I cannot access 192.168.100.1. If I try the same with a laptop directly with a cable to the modem without any VLAN configuration, it works. Does anyone have an idea?
@egabosh

The following setup works for me:

config interface 'wan_staticip'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.252'
        option delegate '0'
        option defaultroute '0'

I had to add the wan_staticip interface to the wan firewall zone. You might also have to add an additional route. It was not necessary in my case:

config route
        option target '192.168.100.1/32'
        option interface 'wan_staticip'

Wow, interesting. I tried it straight away. Unfortunately without success. I also have my OpenWRT router connected to a Telekom fiber optic modem 2. In my case (Netgear Nighthawk X4S R7800)

* eth0 is the network port that goes to the modem and

* eth1 is internal.

...
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.7' 
...

My changes

...
config interface 'wan_staticip'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.252'
        option defaultroute '0'
        option delegate '0'

config route
        option interface 'wan_staticip'
        option target '192.168.100.1/32'

Screenshot 2025-02-05 205826 Screenshot 2025-02-05 205836 Screenshot 2025-02-05 205840

And I have assigned the interface wan_staticip to the firewall zone wan. Unfortunately without success, I can neither ping 192.168.100.1 from the router nor from the PC - the web interface does not open either. Too bad.

Do you have any other ideas? @DaVarga

My understanding is that you cannot access the modem interface AND internet at the same time, I believe it is mentioned somewhere in the manual. Teoretically it shall be possible using the VLANs though.

@zlatovlas
Copy link

Thank you very much for this addition.
I'd like to propose that this Gist content gets its own Repository, so suggestions and additions, as well as issues can be added in for of Issues and PRs. I think also about creating a page for a modern setup (newer OpenWRT, newer Telekom/Fiber contracts), keeping the "legacy" in a dedicated page. What do you think?

I am happy to contribute.

@Kapsville
Copy link

Kapsville commented Feb 27, 2025
edited
Loading

I tried everything and cannot get it to work ... I already used PPPoE (Telekom DSL) with the native TP-Link Firmware and everything was fine. I might miss something.. do I have to change something in my Vigor DSL Modem? I did not touch it... Is PPPoE over OpenWRT different compared to TP-Link Firmware? Maybe someone with Draytek Vigor and ER605 can push me in the right direction.

@zlatovlas
Copy link

I tried everything and cannot get it to work ... I already used PPPoE (Telekom DSL) with the native TP-Link Firmware and everything was fine. I might miss something.. do I have to change something in my Vigor DSL Modem? I did not touch it... Is PPPoE over OpenWRT different compared to TP-Link Firmware? Maybe someone with Draytek Vigor and ER605 can push me in the right direction.

Have you tried resetting your configuration while on OpenWRT? Maybe post your configuration here and we can have a look.

@Kapsville
Copy link

Hello @ zlatovlas
I resetted the ER605 a few times now.

`root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd13:c758:e810::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'

config device
option name 'lan2'
option macaddr 'A8:42:A1:8C:99:E1'

config device
option name 'lan3'
option macaddr 'A8:42:A1:8C:99:E1'

config device
option name 'lan4'
option macaddr 'A8:42:A1:8C:99:E1'

config device
option name 'lan5'
option macaddr 'A8:42:A1:8C:99:E1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device
option name 'wan1'
option macaddr 'A8:42:A1:8c:99:e2'

config interface 'wan'
option device 'wan1.7'
option proto 'pppoe'
option username '[email protected]' (changed digits)
option password xxx - I set PW in Telekom Kundencenter (used with ER605 default FW) - tried the "Zugangsdaten PW" aswell, none is working
option ipv6 'auto'

config interface 'wan6'
option device 'wan1'
option proto 'dhcpv6'

config device
option type '8021q'
option ifname 'wan1'
option vid '7'
option name 'wan1.7'
option ipv6 '1'`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment