Access to an access point behind another router behind the common router

Hello! I am trying to do the following, but I am not sure if it's supposed to work at all. May be I'm looking for an impossible thing.

My ISP Router is Fritzbox 5530. Behind it, I have EdgeRouterX with OpenWRT (WAN:, and Mikrtotik Hexlite (WAN: with stock firmware. Both of them have on LAN side. My laptop is connected over ERX.
MikroTik is faraway, and behind it, I have Fritzbox4020 with OpenWRT ( as an access point. I attach the diagram.

I set Mikrotik to "accept" from WAN 177.4 (TCP 80, 443, etc.), so that I can log into Mikrotik from my laptop. I can access to it under 177.45. It's working.

But so far, in order to access to FB4020, I have to first ssh to Mikrotik, then from there, ssh to FB4020. And obviously I can't access LUCI.
I thought, since I have no device with 1.46 under ERX, and DHCP lease starts from 1.100, I should be somehow able to access to FB4020 directly. So I set on ERX

config route
	option interface 'wan'
	option target ''
	option gateway ''

On Mikrotik, something like, accept forward from WAN to LAN on GUI.
I thought that this way the static route on ERX would send the packet with the address 1.46 to Mikrotik (177.45), then mikrotik is going to deliver it to FB4020 (1.46). But it's not working.
I tried a few things, but since I am not sure if it's supposed to be possible at all, I wanted to ask first, before putting too much energy for this. I would appreciate very much, if someone could let me know!

The route you posted is incorrect - as you specified that Private IPs are reachable on the WAN interface.

It's not clear why you have 2 routers downstream of the 5530, and what your goal is. Can you better explain your use case?


The port forwarding didn't work?

Your Open WRT router does not play a part in this.
You can port forward port 8080 and port 2222 on the mikrotik router to respectively port 80 and 22 on the the fritzbox 4020.


Thank you, @lleachii and @egc for your replies !

It's because, if I type on my browser, ERX is going to think that I'm trying to reach a device connected to ERX, not Mikrotik, unless I tell otherwise. That's why I tried to set a static route so that 1.46 will be sent first to 177.45 (Mikrotik).

The reason that I have Mikrotik behind FB5530 is because the location is far away and is connected through a telephone cable over a VDSL converter, which crashes/dies every once in a while. Behind Mikrotik there are boilers, It's ok if WAN connection fails sometimes, but they need a stable DHCP server there in order to work together. And the boiler company told me to buy Hexlite: they have had a lot of problems till they found hexlite. Theoretically, I just need a DCHP server and a switch there, but then I have to set up an interface on ERX with disabled DCHP, up there I need something which only does DHCP, it's a bit complicated for me.

@egc Do you mean that I do portforward for 8080, 2222, then I should open, then it will be directed to luci of ?

You set this port forward on your mikrotik and then connect to the mikrotik will forward this to

If you need access without port forwards you have to change one of the subnets to something else

Thank you so much! Now I understand. I also understood what it meant by

I just didn't know much about port forwarding. I was somehow occupied with the idea of accessing FB4020 under 1.46 somehow, I didn't think about using 177.45, and didn't know that that's what port forwarding is about.
Now Luci of FB4020 is accessible under 177.45:8000 ! (8080 was used for something else on Mikrotik, so I fowarded 8000 to 80.) I did with 22 and 2222, now I can SSH directly as well :slight_smile: Thank you ssooo much to both of you!!!


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.