Double NAT Issue

can someone help me out with this situation:


LAN 1, 2 and 3 have access to the internet
LAN 1, 2 and 3 Have access to management interface of ISPRouter
LAN 2 Have access to management interface of LEDERouter1 and ISPRouter

LAN3 Have access to management interface of "ONLY" LEDERouter2 and ISPRouter

How can I have access to LEDERouter1 from LAN3?

Set static ip's e.g. ISP Router >> LEDE Router (1) >> LEDE Router (2)

What are the definitions of the networks on each router? (ISP router, LEDE/OpenWRT router 1 and 2)?

Also, why are you cascading the routers in this way (i.e. what is it that you want to achieve)? You're actually running triple-NAT -- obviously it works in most cases, but it is not an ideal configuration, assuming it can be avoided. For example, if your intent is to have 3 isolated networks, VLANs will be more efficient and you can setup more granular firewall controls to allow/prohibit inter-VLAN connections. Another scenario is that you may be setting up your wifi networks using the LEDE routers -- if this is the case, using a "Dumb AP" configuration may be easier to work with.

As an aside, you mentioned LEDE -- now that OpenWRT 18.06.0 stable is released, it is recommended to upgrade, assuming your hardware is supported.

Thanks for your replies

I understand VLANs would be better, constraints force this setup, existing wire connection, no possibility of having more cable links and locations of the devices, and bandwidth required unacheivable on wifi

Archer C7, WDR4300

DYNAMIC WAN side - LAN side Router1 WAN side Router1 LAN side Router2 WAN side LAN side

yes all routers are on 18.06 just updated

guide followed with no success:

@ZOzo - that still didn't really answer the question about what you're trying to accomplish? Are you setting up separate networks for security? Bandwidth control? other things?

VLANs can actually be setup on a single router and then trunked (over a single cable) to other devices. And, with the right hardware support, you can setup multiple wifi networks, each on its on VLAN.

What I want to acheive is simple:
resource access: printers, SMB file shares, network devices etc but one way only and not the other, else I would have been using a switch.

thanks for asking and you are welcome to propose a better known solution
VLAN on a port on router 1 to location of router 2 as switch you might propose, but no, i thought of this too, security issue I am not the only one having access to router 1.

The situation just made it to be like that, no question, I am in a difficult situation and just seeking help. I just cannot modify the physical setup fullstop

You shouldn't use, it isn't a private IP address. The private ranges you can use addresses from are, and

I don't think it cause the problems you see, but should be fixed anyway since you otherwise can't access sites with IP addresses within the range you are using.

Refer to wikipedia:

You need to setup static routes on any router that doesn't know how to find another router.

Setup static route on lederouter 2

1 Like

As noted by @mbo2o, you probably need to setup a static route on the middle router to direct traffic from the third network back up to the top network.

So in the context of double or triple NAT, the devices further down the NAT chain are generally considered more secure than those above. The security comes from the firewall rules combined with NAT (on its own, NAT only offers a slight advantage, security wise, by somewhat obscuring the devices behind it, it is the firewall that really does the work to protect those devices).

To do what you want with NAT, the most sensitive devices/hosts (the ones that need the greatest protection and should not be generally accessible) should be on LAN3. This way, LAN3 can connect to upstream devices (LAN2) but not generally the other way around (unless you make provisions for it). Same thing with LAN2 > LAN1. Certain protocols and discovery tools will not be able to traverse the different NAT layers (such as mDNS, among others, and broadcast packets) unless you configure each router to properly perform reflection services.

All of that said, VLANs and associated firewall rules will accomplish everything you want/need with a simpler, more efficient, and easier to manage topology. It might be helpful to understand the specific wiring constraints and the mix of wired/wireless connectivity that you are looking for. I am also unclear as to what you mean by the security issue on your upper layer router(s) -- is it the ISP router that you're talking about or the first OpenWRT router? And physical or logical access that is the issue? What about setting up VLANs on router 2 (first OpenWRT router) and eliminating router 3 (OpenWRT2)?

If you don't need nat why don't you disable dns masquerading.

Use a better choice of subnets on each lan

Of course these are small subnets if you need bigger adjust to your needs

You really only need nat for your ISP connection

Calc to help with subnet selection

You only need to worry about vlans if you need to segregate the traffic even further.

Get the basics working first


Thank you all three,

I set up a demo to see where the issue is and followed mbo2o ipcalc to stays within appropriate IP.

1043ND being used


Gateway <----> RouterA <----> Router B

Traceroute has started…

traceroute to (, 64 hops max, 72 byte packets

1 * * *

2 * *traceroute: sendto: No route to host

traceroute: wrote 72 chars, ret=-1

traceroute: sendto: Host is down

3 traceroute: wrote 72 chars, ret=-1

*traceroute: sendto: Host is down

traceroute: wrote 72 chars, ret=-1

*traceroute: sendto: Host is down

traceroute: wrote 72 chars, ret=-1

Traceroute has started…

traceroute to (, 64 hops max, 72 byte packets
1 ( 1.242 ms 0.523 ms 0.464 ms
2 ( 1.029 ms 1.028 ms 1.199 ms
3 ( 1.567 ms 1.533 ms 1.190 ms

What should I do to Reach Router A and its LAN devices (Printers, File Servers etc) from devices on Router B

With this direction of communication there should be no issue at all!
crazy issue.
The other way round I would have understand but no access from B to A is weird!

Even weird is that communication can go pass Router A to reach Gateway - no firewall and no blocking in between

I will stop fighting the issue get some other routers or return to basic firmware and see. If good will set up linux box to do services which are actually being done on the OpenWRT devices.

Thank you all for you help

I'm more confused now...

Is actually router A, or is it a host on router A? What about -- is that router B's address or a host? Why are you not using all /24 networks? I think you should reallocate your addresses -- more below.

But quickly...
As a matter of notation, you don't need to specify the 'slash notation' and the subnet mask since they really are specifying the same thing. See this as a reference. But for what it is worth, your subnet mask on router B does not match the slash notation -- a /27 should have a subnet mask of The subnet mask on Router B corresponds to a /31.

Back to your main issue:
I would highly recommend that you start simple -- I'm going to recommend some addressing schemes to make it easier to follow.

Router 1 = ISP router. Looks like it is defining the network and has a LAN IP of
Router 2 = OpenWRT router 'A' -- assign it (LAN IP
Router 3 = OpenWRT router 'B' -- assign it 192.168.300.0/24 (LAN IP 192.168.300.1)

The reason to use the following assignments is that they are really easy to understand (1 = 100-block, 2 = 200 block, 3 = 300 block), and it follows a very logical order.

Router 2 should have a WAN IP in the block -- you can let that be DHCP assigned. Same idea with Router 3 in the block. By having the WAN get an IP via DHCP, it should guarantee that there is an appropriate upstream gateway and DNS server.

Now, from any host connected to router 3, you should be able to ping any host on router 2 (and router 2 itself).
Router 2 hosts should have no issue pinging router 1 and its hosts.

If either of those two fail, there is something else going on.

I'm not sure, but I would think you might be able to ping router 1 hosts (and router 1) directly from router 3 and its associated devices. If not, you would add a static route on router 3 that specifies how to get to router 1's network. That would be by specifying the following:
interface: wan
subnet mask:
route type: unicast

Meanwhile, I'll say it again: I really think your situation is more complex than it needs to be. I still don't know what your wiring limitations are and/or security concerns, but VLANs really are the easier way to do this type of thing.

Anyway, report back with your results once you've reconfigured your address schemes and tried ping and traceroute tests again.

1 Like

I don't believe there's any need to add a static route. The default route should be sufficient.

I see no reason why it shouldn't work as intended. What I would do is login to lede2 CLI and run tcpdump to watch the test packets you're sending to lede1. Do the same at lede1 also.


there's no such thing as x.x.300.0 each number comes from an 8 bit byte so it must be between 0 and 254 (255 is usually reserved for broadcast) I suggest


Whoops. I knew that, lol. I was thinking of VLAN ids (1024).

vlans are actually 12 bit, so have 4096 different options, some of which may be reserved.

Anyway, @ZOzo I strongly agree with others who say that you should just set up normal routing without NAT on your private network. have 3 separate private subnets and route between them using firewall to limit the routing for security. Your problem will be solved.


So to revise my embarrassingly silly mistake with the networks, select 2 or 3 network ranges that are in the range of 1-254, and are easy to follow (logically). Earlier, there was a suggestion of,, and That's a good plan, of course. But if you don't want to change your ISP router, you can just use,, and, or really anything within the allowable range. The important thing is that it is properly configured and is intuitive -- if you need a decoder ring to understand it, that's too complicated.

There is no requirement that states your router's LAN must be assigned the .1 address in each block, but this is a common approach and makes it easier to follow.

I agree with @jezzaaaa that you shouldn't need a static route. Fundamentally, a router really only needs to know the network it controls and how to get to the network above (the gateway address)... in this case, it should theoretically forward packets appropriately up the stack.

lol... I'm making a lot of these silly mistakes today!