Hello Alta Labs team,
I would like to submit a feature request regarding support for custom DHCPv4/DHCPv6 options as well as the ability to configure Layer‑2 CoS (Class of Service) priority.
Context
Some Internet Service Providers require specific DHCP options and traffic prioritization in order to authenticate the connection and assign a public IP address.
In my case, my ISP (Orange FTTH in France) requires:
- sending specific DHCP options (for example options 60, 61, 77, 90, etc.)
- using a specific VLAN (VLAN 832)
- applying 802.1p / CoS 6 priority on the traffic used during DHCP authentication
Without these parameters, DHCP requests are ignored by the ISP infrastructure and it is impossible to obtain a public IP address.
I am currently using a WAS‑110 ONT, which allows connecting the fiber directly to the router without using the ISP‑provided Livebox. This type of setup works very well on systems such as OpenWrt, but currently requires workarounds on Alta OS.
Performance observation (nDPI / IPS)
During my testing, I also noticed unexpected behavior related to firewall rules associated with nDPI and IPS.
Even when IPS and inspection features are disabled in the Alta OS interface, some related firewall rules still appear to remain active in the firewall configuration.
In my case, this had a very significant impact on performance:
- ~ 250 Mbps download
- ~ 4 Gbps upload
After completely removing all nDPI and IPS related firewall rules, performance returned to normal:
- ~ 8 Gbps download
- ~ 8 Gbps upload
To work around this issue, I added a section in my script that automatically removes any firewall rules related to nDPI or IPS.
It might be worth investigating whether some rules remain active even when these features are disabled, as this can heavily impact performance on multi‑gigabit connections.
Community contribution
To help the community, I created a complete post‑configuration script that:
- configures management access to the WAS‑110 ONT
- configures the Orange WAN (VLAN 832 + DHCPv4 options)
- applies CoS 6 priority
- adds iptables prioritization rules
- removes residual nDPI / IPS rules
- enables the necessary optimizations to reach 8 Gbps symmetrical speeds
The first part of the script that allows accessing the WAS‑110 management interface from the LAN is based on a script shared by MikeD on the forum, so a big thank you to him for this very useful contribution.
This script could potentially serve as a reference or example implementation.
Script used:
#!/bin/ash
# /cfg/post-cfg.sh — Post Configuration (Route10)
# ===============================================
# Configuration ONT Management WAS110
# ===============================================
PATH=/sbin:/usr/sbin:/bin:/usr/bin
set -u
log() { logger -t post-cfg -p user.notice "$*"; }
warn() { logger -t post-cfg -p user.warning "$*"; }
# Settings (edit these)
ONT_PARENT_DEV="eth4" # Port where the ONT module is connected (Route10 default SFP+ WAN is eth4)
ONT_IP="192.168.11.2" # Router-side IP on the ONT mgmt subnet (choose any unused IP in 192.168.11.0/24)
ONT_NETMASK="255.255.255.0"
ONT_PEER="192.168.11.1" # ONT mgmt IP (typical WAS-110 default)
# MACVLAN device name (kernel netdevice) used for ONT management
MACVLAN_DEV="ont_mgmt0"
# Firewall names
ONT_ZONE_NAME="ont_mgmt"
ONT_FWD_NAME="lan_to_ont_mgmt"
log "ONT mgmt: mode=macvlan-only parent=$ONT_PARENT_DEV dev=$MACVLAN_DEV ip=$ONT_IP/$ONT_NETMASK peer=$ONT_PEER"
# Sanity checks
if ! ip link show "$ONT_PARENT_DEV" >/dev/null 2>&1; then
warn "Parent device '$ONT_PARENT_DEV' not found (skipping config)"
exit 0
fi
# Network config (MACVLAN-only)
# Device section for macvlan
uci -q delete network.ont_mgmt_dev
uci set network.ont_mgmt_dev='device'
uci set network.ont_mgmt_dev.name="$MACVLAN_DEV"
uci set network.ont_mgmt_dev.type='macvlan'
uci set network.ont_mgmt_dev.ifname="$ONT_PARENT_DEV"
uci set network.ont_mgmt_dev.mode='bridge'
# Interface section bound to macvlan device
uci -q delete network.ont_mgmt
uci set network.ont_mgmt='interface'
uci -q delete network.ont_mgmt.ifname
uci -q delete network.ont_mgmt.device
uci set network.ont_mgmt.device="$MACVLAN_DEV"
uci set network.ont_mgmt.proto='static'
uci set network.ont_mgmt.ipaddr="$ONT_IP"
uci set network.ont_mgmt.netmask="$ONT_NETMASK"
uci set network.ont_mgmt.defaultroute='0'
uci set network.ont_mgmt.peerdns='0'
uci set network.ont_mgmt.auto='1'
uci set network.ont_mgmt.metric='0'
uci set network.ont_mgmt.dns_metric='0'
# Firewall config (Model A: dedicated zone + one-way forwarding)
# Remove ont_mgmt from any existing zones (prevents dual-trust leaks)
# (idempotent: ok if not present)
for sec in $(uci show firewall 2>/dev/null | sed -n "s/^firewall\.\([^=]*\)\.name='[^']*'$/\1/p"); do
uci -q del_list firewall."$sec".network='ont_mgmt'
done
# Create/update dedicated ont_mgmt zone
uci -q delete firewall.ont_mgmt
uci set firewall.ont_mgmt='zone'
uci set firewall.ont_mgmt.name="$ONT_ZONE_NAME"
uci -q delete firewall.ont_mgmt.network
uci add_list firewall.ont_mgmt.network='ont_mgmt'
uci set firewall.ont_mgmt.input='ACCEPT'
uci set firewall.ont_mgmt.output='ACCEPT'
uci set firewall.ont_mgmt.forward='REJECT'
# Create/update lan -> ont_mgmt forwarding only
uci -q delete firewall."$ONT_FWD_NAME"
uci set firewall."$ONT_FWD_NAME"='forwarding'
uci set firewall."$ONT_FWD_NAME".src='lan'
uci set firewall."$ONT_FWD_NAME".dest="$ONT_ZONE_NAME"
# Apply changes
uci commit network || warn "uci commit network failed"
uci commit firewall || warn "uci commit firewall failed"
# Bring up the interface
if ifup ont_mgmt >/dev/null 2>&1; then
log "ifup ont_mgmt OK"
else
warn "ifup ont_mgmt failed (exit $?)"
fi
# Reload firewall
if /etc/init.d/firewall reload >/dev/null 2>&1; then
log "firewall reloaded"
else
warn "firewall reload failed"
fi
# Verify
# Report link state of parent + macvlan existence
if ip link show "$ONT_PARENT_DEV" 2>/dev/null | grep -q "LOWER_UP"; then
log "$ONT_PARENT_DEV carrier: up"
else
warn "$ONT_PARENT_DEV carrier: down (ONT reachability may fail)"
fi
if ip link show "$MACVLAN_DEV" >/dev/null 2>&1; then
log "macvlan device present: $MACVLAN_DEV"
else
warn "macvlan device missing: $MACVLAN_DEV"
fi
# Quick reachability test from the router
if ping -c1 -W1 "$ONT_PEER" >/dev/null 2>&1; then
log "ONT reachable ($ONT_PEER)"
else
warn "ONT not reachable ($ONT_PEER)"
fi
log "post-cfg.sh complete"
# ===============================================
# Orange 8 Gbps WAN configuration for Route10
# ===============================================
# --- Parameters ---
WAN_MAC="58:1d:d8:89:8c:61"
# Option 60: Vendor Class
VENDOR="736167656D"
# Option 61: Client ID, usually 01 + MAC address (without colons)
CLIENT_ID="01581dd8898c61"
# Option 77: Livebox User Class
LIVEBOX="2B46535644534C5F6C697665626F782E496E7465726E65742E736F66746174686F6D652E4C697665626F7837"
# Option 90: the complete authentication string: https://jsfiddle.net/kgersen/3mnsc6wy/
# (the value below is a placeholder meaning "DHCP option 90 string")
AUTH_90="chaine de l'option dhcp 90"
# === 1. Device configuration (VLAN + QoS CoS 6) ===
uci set network.eth4_832=device
uci set network.eth4_832.name='eth4.832'
uci set network.eth4_832.type='8021q'
uci set network.eth4_832.ifname='eth4'
uci set network.eth4_832.vid='832'
uci set network.eth4_832.macaddr="$WAN_MAC"
# Priority 6 marking at the Ethernet level
uci set network.eth4_832.egress_qos_map='0:6 1:6 2:6 3:6 4:6 5:6 6:6 7:6'
# === 2. WAN interface configuration ===
uci set network.wan_orange=interface
uci set network.wan_orange.proto='dhcp'
uci set network.wan_orange.device='eth4.832'
uci set network.wan_orange.vendorid='sagem'
uci set network.wan_orange.reqopts='1 3 6 15 28 51 58 59 90 119 125'
# Combine options 77 (UserClass), 90 (Auth) and 60 (VendorClass)
uci set network.wan_orange.sendopts="77:$LIVEBOX 90:$AUTH_90 60:$VENDOR"
uci set network.wan_orange.clientid="$CLIENT_ID"
# === 3. Assignment to the WAN firewall zone ===
uci add_list firewall.@zone[1].network='wan_orange' 2>/dev/null || true
# === 4. Enable acceleration (Flow Offloading) ===
uci set firewall.@defaults[0].flow_offloading='1'
# Apply
uci commit network
uci commit firewall
# ===============================================
# Inject iptables priority rules
# ===============================================
# These rules force CoS 6 marking for critical packets
/usr/sbin/iptables -t mangle -A POSTROUTING -o eth4.832 -j CLASSIFY --set-class 0:1
/usr/sbin/iptables -t mangle -A POSTROUTING -o eth4.832 -p icmp -j CLASSIFY --set-class 0:6
/usr/sbin/iptables -t mangle -A POSTROUTING -o eth4.832 -p igmp -j CLASSIFY --set-class 0:6
/usr/sbin/iptables -t mangle -A POSTROUTING -o eth4.832 -p udp --dport 67 -j CLASSIFY --set-class 0:6
/usr/sbin/iptables -t mangle -A POSTROUTING -o eth4.832 -p udp --dport 547 -j CLASSIFY --set-class 0:6
# ===============================================
# Disable IPS/IDS
# ===============================================
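# Loop over the firewall sections that mention nDPI or IPS and delete them.
# Lines that only match because they contain "ipset" are skipped, so ipset-based rules are kept.
for i in $(uci show firewall | grep -E "ndpi|ips" | grep -v "ipset" | cut -d. -f2 | cut -d= -f1 | sort -u); do
    uci delete firewall."$i"
done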
# Apply and restart
uci commit network
uci commit firewall
/etc/init.d/network restart
/etc/init.d/firewall restart
# End of script
exit 0
I believe these features would significantly improve compatibility with many ISPs and provide more flexibility for advanced users running direct fiber setups with ONTs.
Thank you for your work on Alta Labs products and for taking the time to consider this request.
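
The DHCP option values in the script are hand-encoded hex, so a typo silently produces a request the ISP ignores. The following is an added example, not part of the original post: it re-derives options 60, 61 and 77 from their readable form and compares them with the values copied from the script. The function names are hypothetical, and the user-class string in the comment is simply the script's option 77 hex decoded as ASCII.

```shell
#!/bin/sh
# Added example: consistency checks for the DHCP option values in the script above.

# Hex-encode a string (uppercase, no separators), the form used for options 60 and 77.
to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Option 61: hardware type 01 (Ethernet) followed by the MAC without colons.
client_id_from_mac() {
    printf '01%s' "$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')"
}

# Option 77 in the script's layout: one length byte, then the user-class string.
# e.g. user_class_hex "FSVDSL_livebox.Internet.softathome.Livebox7"
user_class_hex() {
    printf '%02X%s' "${#1}" "$(to_hex "$1")"
}

# True when the leading length byte of an option 77 value matches its payload size.
user_class_len_ok() {
    declared=$(( 0x$(printf '%s' "$1" | cut -c1-2) ))
    [ "$declared" -eq $(( (${#1} - 2) / 2 )) ]
}

# Values copied from the post.
WAN_MAC="58:1d:d8:89:8c:61"
CLIENT_ID="01581dd8898c61"
VENDOR="736167656D"
LIVEBOX="2B46535644534C5F6C697665626F782E496E7465726E65742E736F66746174686F6D652E4C697665626F7837"

# Returns 0 only if every derived value matches what the script would send.
check_options() {
    [ "$(client_id_from_mac "$WAN_MAC")" = "$CLIENT_ID" ] || { echo "option 61 does not match WAN_MAC"; return 1; }
    [ "$(to_hex sagem)" = "$VENDOR" ] || { echo "option 60 is not hex for vendorid 'sagem'"; return 1; }
    user_class_len_ok "$LIVEBOX" || { echo "option 77 length byte is wrong"; return 1; }
    echo "DHCP option values are consistent"
}

check_options
```
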
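
The nDPI/IPS cleanup step deletes whole firewall sections selected by a substring match, so it is worth listing what the pattern selects before deleting anything. The following is an added example, not part of the original post: a dry run over a constructed `uci show firewall` sample in which every section name and path is hypothetical (not taken from Alta OS), showing that a bare `ips` match also selects ipset-based sections.

```shell
#!/bin/sh
# Added example: dry run of the section-selection pipeline on constructed input.

# Constructed sample of `uci show firewall` output; all names and paths are hypothetical.
sample_firewall() {
cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].flow_offloading='1'
firewall.blocklist=ipset
firewall.blocklist.name='blocklist'
firewall.blocklist.match='src_net'
firewall.drop_blocklist=rule
firewall.drop_blocklist.ipset='blocklist'
firewall.drop_blocklist.target='DROP'
firewall.ndpi_inc=include
firewall.ndpi_inc.path='/etc/firewall.ndpi'
firewall.ips_inc=include
firewall.ips_inc.path='/etc/firewall.ips'
EOF
}

# Sections selected by a bare "ndpi|ips" substring match.
sections_original() {
    grep -E 'ndpi|ips' | cut -d. -f2 | cut -d= -f1 | sort -u
}

# Same selection, but lines containing "ipset" no longer select their section.
# An IPS section is still picked up through its other matching lines.
sections_strict() {
    grep -E 'ndpi|ips' | grep -v 'ipset' | cut -d. -f2 | cut -d= -f1 | sort -u
}

# Print both selections side by side; nothing is deleted.
echo "bare match would delete:   $(sample_firewall | sections_original | tr '\n' ' ')"
echo "strict match would delete: $(sample_firewall | sections_strict | tr '\n' ' ')"
```

On a router, piping the real `uci show firewall` output into either function gives the same preview before any `uci delete` is run.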