How to bridge WAN to LAN on an OpenWRT router

Question

I'm having trouble understanding how to "bridge" my router. I am using USB tethering on my Android to provide internet access. What I want to achieve is to have a second router (Router 2) "behind" the OpenWRT router that gets the WAN IP address from the phone. So the setup would look like this:

Android --usb--> Router 1 (OpenWRT, Bridged) --> Router 2

I found this post which essentially boils down to this:

$ cat /etc/config/network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1 eth1'
        option proto 'static'
        option ipaddr '10.0.1.150'
        option netmask '255.255.255.0'
        option gateway '10.0.1.1'
        option broadcast '10.0.1.255'

I have three main questions at this point:

1. What does the option broadcast '10.0.1.255' portion do? Is that part of bridging the interfaces or something unrelated?

2. What is the purpose of the static IP address? That's obviously an internal IP, but how would you even access it if the router is bridged? I just don't quite understand bridging well enough.

3. How should the firewall on Router 1 be configured? Since, this router is supposed to be pretty transparent on the network, I'm assuming I should disable the firewall on the bridged interface and rely on Router 2's firewall. Is that correct?

Answer 1

First and foremost, rtfm: https://wiki.openwrt.org/doc/uci/network

The broadcast address is the last/highest address in a subnet:

The broadcast address for an IPv4 host can be obtained by performing a bitwise OR operation between the bit complement of the subnet mask and the host's IP address. In other words, take the host's IP address, and set to '1' any bit positions which hold a '0' in the subnet mask.

The subnet 10.0.1.0/255.255.255.0 (or 10.0.1.0/24 for short) has 10.0.1.255 as the broadcast address. Setting it is not required, because it can (and will!) be calculated. The docs also confirm this. It’s not related to bridging at all.

You also seem to have a slight misconception of how bridging works. It’s implemented in software. The bridge appears as a network interface to the host OS. It’s somewhat like this:

Unbridged:
-------+ +-------
       | |
   +---+-+---+
   |eth0 eth1|
   +---------+

Bridged:
--------+--------
        |
   +----+----+
   | bridge0 |
   +---------+

So you can of course still talk to the router. Even in regular WiFi routers, the WiFi AP interface is bridged to the wired network, so it would be fatal if this wouldn’t work.

(Please note that the diagram above is tremendously oversimplified. There is actually more going on.)

The firewall is already not effective because the bridging firewall is disabled by default. Also, the resulting br-lan interface is in the LAN zone. You don’t even need any firewall at all, because the Android phone is already acting as a NAT router. And the mobile ISP is most likely also doing Carrier-grade NAT.

Still, it’s better to have another NAT router behind the phone, because they can’t handle multiple clients very well IIRC.

But why even bother with two routers? OpenWrt can do it all and you can just use a switch at the second location. Or set the second router to be a wireless access point, if that’s your goal.