Double NAT port-forwarding help

Hi all,

I am trying to implement a new service on a network arranged as follows:

internet <-> router 1 (subnet 192.168.0.) <-> router 2 (subnet 192.168.1.)

I would like to allow access to port 81 to a machine inside subnet 2 (192.168.1.2).

Router 1 is a netgear WNDR3400. It is currently happily forwarding ports from the internet to a machine on subnet 1 (192.168.0.5).

Router 2 is running openwrt and is happily forwarding ports from 192.168.0.* range.

But if I try to forward ports from the internet to 192.168.1.*, I cannot.

This log shows what I see on router 2 when trying to access forwarded port 81 from the internet (52.202.215.126 - unsuccessful) and from subnet 1 (192.168.0.101 - successful):

Fri Nov  9 17:51:44 2018 kern.warn kernel: [ 5708.002420] HTTP-SYN:IN=eth0 OUT=br-lan MAC=e4:95:6e:44:05:78:20:0c:c8:06:f7:cc:08:00 SRC=52.202.215.126 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x20 TTL=46 ID=47417 DF PROTO=TCP SPT=33759 DPT=81 WINDOW=26883 RES=0x00 SYN URGP=0

Fri Nov  9 17:51:46 2018 kern.warn kernel: [ 5709.157298] HTTP-ACK-FIN:IN=eth0 OUT=br-lan MAC=e4:95:6e:44:05:78:d4:85:64:b8:2d:fa:08:00 SRC=192.168.0.101 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=15861 DF PROTO=TCP SPT=18809 DPT=81 WINDOW=16425 RES=0x00 ACK FIN URGP=0

Now, I do not know what this log should look like, but I THINK it should show SRC=192.168.0.1 (router #1), and not the IP of the actual request on the internet (52.202.215.126) - is that correct?

I would be very grateful for advice on the proper way to implement this. Below is my configuration information.

Possibilities:
An iptables rule that makes sure the SRC= is rewritten to 192.168.0.1? The rule does not need to work from within the LAN, only from the internet...

Or, netgear is somehow broken for this specific use-case and I need to put openwrt on it?

[Configuration screenshots 2018-11-09_1807, 2018-11-09_1808 and 2018-11-09_1808_001, posted as three separate replies because of new user restrictions; the images are not preserved here.]

When the initial request comes in it will be

52.202.215.126:nnnn => router1.wan.ip:81

Router 1 will then forward it to Router 2 as

52.202.215.126:nnnn => router2.wan.ip:81

Router 2 then needs to forward it to your target machine as

52.202.215.126:nnnn => service.host.ip:81

The original IP source address is unmodified.

It is the Layer 2 MAC source address that changes as that packet works its way to your service host; your upstream router's as Router 1 receives it, Router 1's "LAN" interface as it sends it to Router 2, then Router 2's "LAN" interface as it sends it to the service host.

(Note that the destination port could be changed along the way, if you have a reason not to use port 81 for all "hops".)

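To make the point about the log concrete, here is an added example (not code from the thread or from OpenWrt) that parses the two kernel LOG lines quoted above and reports, per packet, the L3 source, the L2 source MAC and the TTL. The MAC= field of the netfilter LOG target is printed as destination MAC, source MAC, then EtherType, so the source MAC can be split out and compared across packets. The subnets, router 1's LAN address 192.168.0.1 and router 2's WAN interface name eth0 are assumptions taken from the thread.

```python
import ipaddress
import re

# The two kernel LOG lines quoted in the thread (router 2, rules tagged HTTP-SYN and HTTP-ACK-FIN).
SAMPLE_LOG = [
    "Fri Nov  9 17:51:44 2018 kern.warn kernel: [ 5708.002420] HTTP-SYN:IN=eth0 OUT=br-lan "
    "MAC=e4:95:6e:44:05:78:20:0c:c8:06:f7:cc:08:00 SRC=52.202.215.126 DST=192.168.1.2 LEN=60 "
    "TOS=0x00 PREC=0x20 TTL=46 ID=47417 DF PROTO=TCP SPT=33759 DPT=81 WINDOW=26883 RES=0x00 SYN URGP=0",
    "Fri Nov  9 17:51:46 2018 kern.warn kernel: [ 5709.157298] HTTP-ACK-FIN:IN=eth0 OUT=br-lan "
    "MAC=e4:95:6e:44:05:78:d4:85:64:b8:2d:fa:08:00 SRC=192.168.0.101 DST=192.168.1.2 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=127 ID=15861 DF PROTO=TCP SPT=18809 DPT=81 WINDOW=16425 RES=0x00 ACK FIN URGP=0",
]

# Assumed from the thread: the two private subnets, router 1's LAN address, router 2's WAN interface.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("192.168.1.0/24")]
ROUTER1_LAN_IP = "192.168.0.1"
ROUTER2_WAN_IF = "eth0"

PREFIX_RE = re.compile(r"\]\s+(?P<prefix>[^:\s]*):IN=")   # "] HTTP-SYN:IN=eth0 ..."
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")                    # KEY=value tokens
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def split_mac(mac_field):
    """The LOG target prints MAC= as destination MAC, source MAC, then the EtherType."""
    octets = mac_field.split(":")
    return ":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14])


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict; return None for lines that are not LOG output."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    body = line[m.start("prefix"):]
    fields = dict(KV_RE.findall(body))
    entry = {
        "prefix": m.group("prefix"),
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "ttl": int(fields["TTL"]) if "TTL" in fields else None,
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        # bare tokens such as SYN / ACK FIN are the TCP flags; DF is an IP flag and is skipped
        "flags": sorted(tok for tok in body.split() if tok in TCP_FLAGS),
    }
    if "MAC" in fields:
        entry["dst_mac"], entry["src_mac"], entry["ethertype"] = split_mac(fields["MAC"])
    return entry


def classify_origin(entry, local_nets=LOCAL_NETS):
    """'local' if the L3 source is one of our private subnets, otherwise 'internet'."""
    addr = ipaddress.ip_address(entry["src"])
    return "local" if any(addr in net for net in local_nets) else "internet"


def nat_observation(entry, upstream_lan_ip=ROUTER1_LAN_IP, wan_if=ROUTER2_WAN_IF):
    """What the SRC field of a packet seen on router 2's WAN side says about router 1's NAT."""
    if entry["in"] != wan_if:
        return "not a WAN-side packet"
    if entry["src"] == upstream_lan_ip:
        return "source rewritten: router 1 applied SNAT/masquerade as well as DNAT"
    if classify_origin(entry) == "internet":
        return "source preserved: router 1 only rewrote the destination (DNAT)"
    return "local client reached the forward directly, no upstream NAT involved"


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_log_line(line)
        print(f'{e["prefix"]:13} {e["src"]}:{e["spt"]} -> {e["dst"]}:{e["dpt"]} '
              f'ttl={e["ttl"]} flags={"+".join(e["flags"])} l2src={e["src_mac"]} '
              f'[{classify_origin(e)}] {nat_observation(e)}')
```

Run against the two quoted lines, the internet packet keeps its public SRC and arrives with TTL 46 and router 1's LAN MAC as the L2 source, while the LAN packet carries the 192.168.0.101 host's own MAC and TTL 127: exactly the "IP source unchanged, only the MAC changes per hop" behaviour described in the reply above. If router 1 were also masquerading inbound traffic, the first line would instead show SRC=192.168.0.1, which is what the parser's third branch flags.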

Also, there's no real reason to use double NAT here. The second router doesn't need to do any NAT.

To clarify, tell the first router that the second router is the gateway for the 192.168.1.0/24 subnet, and then tell the first router to forward port 82 to the device you want; it will rewrite the destination and forward to the second router as gateway.


@dlakelan Is conntrack sophisticated enough to know not to rewrite the source address of the return packet to that of Router 2's WAN in the single-NAT scenario you described?

@vengeful Is there a reason you're running NAT on the OpenWrt Router 2 at all? You can route and firewall on Router 2 without using NAT.

As long as router 2 is not doing any NAT I think my scenario should work with conntrack. The only NAT that's needed is at router 1. As you say, firewalling at router 2 can work fine without NAT.

@jeff I may be wrong to use NAT on router 2 - I had it set up earlier with no NAT and everything in the 192.168.0.* subnet, but what I found is the network is saturated by the traffic from within router 2’s subnet, and this destroys the wireless signal on router 1.

Inside router 2 are 30 high-resolution IP cameras. The networking equipment is all unmanaged switches and they don't seem to be keeping traffic out of where it doesn't need to be. So NAT on router 2 is separating the two subnets to keep the traffic from affecting network quality.

I understand there must be a better way to do this, but I am ignorant of it.

Interestingly, today the port forwarding is working correctly, but I haven’t changed anything from the OP.

Very open to suggestions, I appreciate all your contributions so far.

Aha!! Now I understand the issue.

It's not so much that you need NAT; it's that you need two subnets so that broadcast or multicast traffic in network 2 stays there.

What you've got set up seems fine; just turn off NAT on router 2 and set a static route on router 1 to 192.168.1.0/24.

Now that they are separate subnets, there is no monkeying with addresses.

Also, how many switches are involved in the big camera network? You might consider using at least one managed switch with IGMP snooping on that network to reduce congestion and potentially improve network function. Even if you split that network on 4 ports of an 8 port sge108e it might work better. Even more so if you use a somewhat more advanced switch like a Zyxel or Netgear and do some QoS and broadcast storm protection as well.
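The hop-by-hop translation jeff lays out earlier, his question about conntrack on the return path, and the "no NAT on router 2, static route on router 1" design suggested here can all be checked with a small simulation. The following is an added example, not code from the thread, from OpenWrt or from Netgear: a toy router that does only port-forward DNAT, conntrack reversal on replies, masquerade for new LAN-originated flows, and static routing, wired into the thread's two-router chain. Addresses are constructed where the page has none: 203.0.113.10 (RFC 5737 documentation range) stands in for router 1's public address and 192.168.0.2 for router 2's address on router 1's LAN; 52.202.215.126 and 192.168.1.2 are the client and service host from the thread. It also shows the case the suggestion depends on, router 1 with no static route to 192.168.1.0/24.

```python
import ipaddress

# Constructed addresses for the thread's topology; the real public and router addresses are not on the page.
INTERNET_CLIENT = "52.202.215.126"   # the client address that appears in the thread's log
ROUTER1_WAN = "203.0.113.10"         # assumed public address of router 1 (RFC 5737 documentation range)
ROUTER2_WAN = "192.168.0.2"          # assumed address of router 2 on router 1's LAN
CAMERA_HOST = "192.168.1.2"          # the service host from the thread


class Router:
    def __init__(self, name, wan_ip, lan_net, forwards, routes=None, masquerade=False):
        self.name, self.wan_ip = name, wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.forwards = forwards            # inbound port forward: dport -> (inside ip, inside port)
        self.routes = routes or {}          # static routes: network -> next-hop ip
        self.masquerade = masquerade        # rewrite LAN-originated flows to wan_ip (SNAT)
        self.conntrack = {}                 # translated 4-tuple -> original (dst, dport)

    def inbound(self, pkt):
        """Packet arriving on WAN: DNAT applies only if it is addressed to this router's forwarded port."""
        if pkt["dst"] == self.wan_ip and pkt["dport"] in self.forwards:
            new_dst, new_dport = self.forwards[pkt["dport"]]
            self.conntrack[(pkt["src"], pkt["sport"], new_dst, new_dport)] = (pkt["dst"], pkt["dport"])
            pkt = dict(pkt, dst=new_dst, dport=new_dport)   # source address and port are untouched
        return pkt

    def next_hop(self, dst):
        """'lan' if dst is on-link, the next-hop ip of a matching static route, else None (default route)."""
        addr = ipaddress.ip_address(dst)
        if addr in self.lan_net:
            return "lan"
        for net, via in self.routes.items():
            if addr in ipaddress.ip_network(net):
                return via
        return None

    def reply(self, pkt):
        """Reply leaving via WAN: conntrack undoes this router's own DNAT; masquerade only touches new flows."""
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.conntrack:
            orig_dst, orig_dport = self.conntrack[key]
            return dict(pkt, src=orig_dst, sport=orig_dport)
        if self.masquerade and ipaddress.ip_address(pkt["src"]) in self.lan_net:
            return dict(pkt, src=self.wan_ip)
        return pkt


def fmt(pkt):
    return f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}'


def forward_path(routers, pkt):
    """Walk an inbound packet through the router chain; return [(hop, 'src:port -> dst:port'), ...]."""
    trace = [("internet", fmt(pkt))]
    for i, r in enumerate(routers):
        pkt = r.inbound(pkt)
        trace.append((r.name, fmt(pkt)))
        nxt = routers[i + 1] if i + 1 < len(routers) else None
        hop = r.next_hop(pkt["dst"])
        if nxt is not None and (pkt["dst"] == nxt.wan_ip or hop == nxt.wan_ip):
            continue                        # handed to the next router: addressed to it, or routed via it
        if hop == "lan":
            trace.append(("host", fmt(pkt)))
            return trace
        trace.append((r.name, f'no route to {pkt["dst"]}: sent to the default gateway'))
        return trace
    return trace


def reply_path(routers, pkt):
    """Walk the host's reply back out through the routers in reverse order."""
    trace = [("host", fmt(pkt))]
    for r in reversed(routers):
        pkt = r.reply(pkt)
        trace.append((r.name, fmt(pkt)))
    return trace


def scenario(double_nat, static_route=True):
    """The thread's two designs: double NAT, or DNAT once at router 1 plus a static route."""
    if double_nat:
        r1 = Router("router1", ROUTER1_WAN, "192.168.0.0/24", {81: (ROUTER2_WAN, 81)}, masquerade=True)
        r2 = Router("router2", ROUTER2_WAN, "192.168.1.0/24", {81: (CAMERA_HOST, 81)}, masquerade=True)
    else:
        routes = {"192.168.1.0/24": ROUTER2_WAN} if static_route else {}
        r1 = Router("router1", ROUTER1_WAN, "192.168.0.0/24", {81: (CAMERA_HOST, 81)}, routes, True)
        r2 = Router("router2", ROUTER2_WAN, "192.168.1.0/24", {})   # routes and firewalls, no NAT
    routers = [r1, r2]
    request = {"src": INTERNET_CLIENT, "sport": 40000, "dst": ROUTER1_WAN, "dport": 81}
    inbound = forward_path(routers, request)
    if inbound[-1][0] != "host":
        return inbound, []
    reply = {"src": CAMERA_HOST, "sport": 81, "dst": INTERNET_CLIENT, "dport": 40000}
    return inbound, reply_path(routers, reply)


if __name__ == "__main__":
    for label, args in [("double NAT", (True,)), ("single NAT + static route", (False,)),
                        ("single NAT, static route missing", (False, False))]:
        inbound, reply = scenario(*args)
        print(f"== {label}")
        for hop, line in inbound + reply:
            print(f"  {hop:8} {line}")
```

In both working designs the source 52.202.215.126:40000 is never rewritten on the way in; only the destination changes, twice with double NAT and once with the static route. On the way back, router 2 rewrites the reply source only when it has a conntrack entry from its own DNAT, so with NAT switched off it simply routes the reply and router 1's conntrack restores the public address, which is the behaviour jeff asked about. Without the static route, router 1 has no idea where 192.168.1.2 lives after DNAT and sends the packet to its default gateway.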

@dlakelan thank you for the suggestion. I am going to try turning off NAT today and setting a static route.

Here is a look at what the current network looks like including switches and stuff.

I believe the IP cams like using broadcast traffic. Would the best place for a managed switch be where the 8-port is? [network map image not preserved]

So, I've tried the suggestion with the static route, and it does provide access to the 192.168.1.x subnet from the 192.168.0.x subnet, but I cannot get access from the internet to the 192.168.1.x subnet.

The netgear router won't let me port forward or virtual DMZ to 192.168.1.2 - it says that it has to be a LAN IP. Does anyone know if this is just netgear not imagining this situation? So I should try OpenWrt on it?

Why not just one router and set up 2 distinct VLANs? The standard firmware of your netgear router probably doesn't support user-defined VLANs, but you could either install OpenWrt on the main router, or remove that device and use the existing OpenWrt router with VLANs configured per your use case.

That could well be a limitation of the stock firmware. It would "protect" people from making "mistakes" in setting up port forwarding.

One advantage to your current topology is that if the WNDR is compromised the attacker doesn't immediately gain access to your cameras though. So there's something to be said for maintaining a second firewall around the cameras. In fact, there's something to be said for adding a 3rd firewall around your "office POS" (I assume that means point of sale?) since point of sale devices are a valuable target for malicious hacking.

On the other hand, a VLAN system with a single router would work fine. I suspect that if the WNDR was running OpenWRT it would allow the port forward but I can't be sure without testing.

In terms of keeping control of broadcast/multicast traffic then yes the 8 port would be the candidate, but since it needs to be POE and you already have POE, I'd not do anything there unless you're experiencing problems with function of the camera network. Isolating this network to its own subnet is already enough to eliminate broadcast/multicast traffic leaking onto the rest of your network.

If on the other hand you find that hooking up a few more cameras makes it impossible to really have things working well, you should look into a managed POE switch for that network.

@dlakelan @psherman and Jeff
Thank you for the great suggestions. Looks like I should put OpenWRT on the netgear for either solution, so I’ll put it on and try your suggestions.

I very much appreciate your patience with my limited understanding of networking concepts :slight_smile: