Cascade of two OpenWrt router with DHCP and firewall

I have an apparently simple question that I was not able to solve. I have two openWRT routers with latest version 19.07.5. I connected the second router via WAN port to the first one.
I would like to have LAN1+WLAN1 with firewall1 and DHCP1 on the first router and LAN2 with firewall2 (optional) and DHCP2 on the second router. Moreover, I would like to access (ssh and https) from devices connected to LAN1 to devices connected to LAN2.
My configuration is the following:
LAN2: static gateway
All devices from LAN1, WLAN1 and LAN2 can connect to Internet. However, from LAN1 I cannot connect neither to the router of LAN2 (only ping it, I think it is a firewall problem) nor to devices of LAN2.
Do you have any documentation for this? What do you suggest to do?
Thank you

You need to

  1. allow it on the firewall, by default wan is blocking (almost) everything.
  2. to add a static route for lan2 via wan2 ip on R1

Is there a reason you want to use two routers? OpenWrt supports VLANs and multiple ssids. This means that on most hardware, you can setup multiple independent networks that have the ability to be completely or selectively isolated (think: trusted lan, guest network, iot network) - all from one device and one management interface.

1 Like

Thank you, I will try it.

Yes, I know about this. My problem is not just related to traffic isolation, but above all to increase the number of available LAN ports. I already have some old devices compatible with openWRT.

If you cascade routers in router mode, you will end up with double-NAT, and some devices will behind a NAT+Firewall which will complicate the ability to reach them (they will appear to be isolated in one direction).

If you are after more ports, you can disable the routing and make the device essentially just a switch.

If you can be more specific about exactly what you want (more ports only, multiple networks, isolated networks, etc.), we can help you design a topology that works well. Otherwise, you may end up with a sub-optimal setup that may be inefficient, difficult to manage, all the while not achieving your overall goals.

EDIT: I should also add that if you are looking for more ports, you can get basic network switches really cheaply. I know that sometimes there is a desire to use the hardware you already have -- in some cases this is logical, but in other cases it is just the wrong tool (or at least not the best tool) for the job.


I agree with @psherman (whose name always makes me think of the famous Curtis Mayfield song).

If you mainly want more ports, put your second router in "ap" mode, and connect a cable LAN to LAN between the two devices, now the AP device is basically a switch on the LAN, and an access point.

1 Like

I normally get 42 wallaby way!

1 Like

'round here we got the funk...

also in case someone doesn't know the original referenced song:

1 Like

You are right, I should have been more detailed.
However I already tried with the second device configured as AP. In this mode, can I adjust QoS via SQM? I noticed low performance in AP mode compared to router mode especially with real time traffic. Do you confirm this?
Moreover, I would like to setup a VPN connection (openVPN or wireguard) just on the second device for the second LAN. Do you have any advice?
First device -> LAN+WLAN
Second device -> QoS+VPN
Thank you

SQM should not care, but you can not really shape individual LAN ports easily... IMHO the best place for SQM is still the WAN link...

1 Like

If you have the second device connected lan to lan then wired a client into the second device it's just a switch. There should be no problem that manifests only on devices plugged to the switch.

If you're talking issues with wifi Clients then you should optimize wifi settings, such as turning off low data rates, choosing interference free channels, reducing channel width, and even disabling 2.4GHz

1 Like

Ok thank, my second device provides only LAN. I will try again and I will let you know.