Cannot upload anything from OpenWrt router's subnetwork

Here's how my network looks:

I have an OpenWrt router linked to a regular SAGEMCOM modem (FTTH), with a working WireGuard setup (https://mullvad.net/en/help/running-wireguard-router/).
However, I am experiencing severe latency and timeouts when uploading anything, be it an image on imgur or text on pastebin. Downloads and page requests work fine, except for the slight reduction in bandwidth caused by the VPN. Uploads work fine when connected directly to the modem, without the OpenWrt router in-between.
A simple example: I can view this forum from my router, but I need to connect my ethernet cable directly to the modem to be able to post. Attempting to post from the router results in a timeout.

There's something I did wrong on the router and I don't really know what. I'm thankful for any help in troubleshooting or solving the issue.

Router's config: https://pastebin.com/mvHSfFBF

If you'd actually have a modem (bridged, not double NAT), my bets would be on an MTU issue (missing MSS clamping), but although you aren't being explicit about your setup, I assume your WAN IP is terminated on the 'modem'.


Thank you very much for the quick reply.

It's a SAGEMCOM F@st 5460. I assumed it was a modem, I'm sorry if that's inaccurate. The datasheet says it's a "WLAN Gateway", I'm not entirely sure what that means. The device's web page does mention a router instead.

The OpenWrt router's interfaces are configured just like in Mullvad's guide; this includes MSS clamping on WireGuard's interface.

Can you elaborate on the steps required to check if the router is bridged or in "double NAT" mode? How should I change it?

As long as you're having problems with basic operations, I'd strongly suggest getting additional complications (VPN client mode) out of the way. Other than that, no masquerading/ no MSS clamping on WAN almost certainly looks wrong. If I were you, I'd reset your router to OpenWrt defaults (firstboot) and defer the VPN steps until you've confirmed that basic functionality is working reliably (then make a backup of your known-good configuration and slowly look into the VPN topic).


Thank you for the pointers, I understand the problem better, however I'm still somewhat stuck.
I read this OpenWrt article and figured my network has indeed a double NAT going on.

Two of the solutions detailed in the article apply to my problem: static routing and DMZ.

I've started following the OpenWrt as router with disabled NAT, additional routing rules in both routers guide, however while I can add a static route from OpenWrt to the modem (the ISP device's webpage mentions both modem and router) and access the internet that way, the modem's interface doesn't allow adding a static route to my router. Which to my understanding means the double NAT issue is not resolved. At least I think that's what traceroute seems to tell me:

traceroute to google.com (172.217.23.110), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.0.2)  0.210 ms  0.325 ms  0.404 ms
 2  192.168.0.1 (192.168.0.1)  1.873 ms  3.071 ms  3.966 ms

The F@st 5460 should support DMZ, however it looks like the setting isn't available anymore with the current firmware, so I can't follow the DMZ guide.

I still don't know whether double NAT is the source of my first problems, however it's definitely something I want to get rid of to be able to forward ports, which never worked before. Glad I finally understood why, but not being able to actually fix it is frustrating. Any advice on this is welcome!

Other than that, no masquerading/ no MSS clamping on WAN almost certainly looks wrong.

This was a picture from the official Mullvad guide. My own config has masquerading and clamping enabled on the WAN.

Any other ideas to solve the double NAT issue? From what I read, I see two possibilities:

I thought the 2 problems were unrelated at first, but it turns out this issue is a duplicate of this one. The solution is to set the MTU to 1380 for the WireGuard interface.
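
The fix in the last post lowers the WireGuard interface MTU so that encapsulated packets fit the underlying path. As an added example (not part of the thread), this script measures the path MTU with Don't-Fragment pings from a Linux client that has iputils ping, then subtracts WireGuard's 60-byte (IPv4) or 80-byte (IPv6) overhead; the interface name `wg0` and the script name `wg-mtu.sh` are placeholders.

```shell
#!/bin/sh
# Added example: estimate a WireGuard MTU from the measured path MTU.
# Needs iputils ping (BusyBox ping on OpenWrt has no -M option).

# probe SIZE HOST: succeed if an IPv4 packet of SIZE bytes total passes
# with Don't Fragment set (28 = 20 IPv4 header + 8 ICMP header).
probe() {
    ping -c 1 -W 2 -M do -s "$(( $1 - 28 ))" "$2" >/dev/null 2>&1
}

# find_path_mtu HOST: binary search for the largest size that passes.
# Prints 0 and fails if even 576 bytes gets no reply (host down, ICMP filtered).
find_path_mtu() {
    lo=576 hi=1500
    probe "$lo" "$1" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$1"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# wg_mtu PATH_MTU FAMILY: subtract WireGuard encapsulation overhead:
# outer IP header (20 for IPv4, 40 for IPv6) + UDP 8 + WireGuard 32.
wg_mtu() {
    case "$2" in
        4) echo $(( $1 - 60 )) ;;
        6) echo $(( $1 - 80 )) ;;
        *) return 1 ;;
    esac
}

# Usage: sh wg-mtu.sh HOST
if [ "$#" -ge 1 ]; then
    pmtu=$(find_path_mtu "$1") || { echo "no reply from $1" >&2; exit 1; }
    mtu=$(wg_mtu "$pmtu" 4)
    echo "path MTU $pmtu -> WireGuard MTU $mtu (IPv4 endpoint)"
    # 'wg0' is a placeholder for the interface name in /etc/config/network.
    echo "uci set network.wg0.mtu='$mtu' && uci commit network && /etc/init.d/network restart"
fi
```

Probe the VPN server's address with the tunnel down, so the measurement covers the path the encrypted packets actually take.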
