Help with double NAT configuration

(I moved the thread to the correct forum, alerted the mod with flag to delete the other thread.)

Hi everyone, I have installed Openwrt on a Netgear ex3700 device with Wi-Fi and only one ethernet port
I would like to use it exclusively as a Vpn Client for my Wifi network so that all my wifi client devices access the Internet exclusively via Vpn.

wifi client -> Openwrt router ---> Isp router ---> Vpn server

There should be many ways to do this, based on the little security knowledge I have I thought I was doing this (I would be happy to get better advice on this, I would like the best security configuration). I only have two networks to manage, that's why I thought you don't need to use Vlan, I don't know if it's better to bridge the Wi-Fi interface on the Lan / Wan to solve the forwarding and masquerading difficulties ??)

  1. wifi clients are on a different network than the Isp router
  2. wifi client cannot access the Isp Router network and vice versa.

Openwrt router:

-Wan interface (no bridge lan for security ??) dhcp client
Ip from Router Isp (e.g.
Gateway Router Isp (e.g.

-Wifi interface with dhcp server:
Static Ip (e.g. gw

wlan = (dhcp server)
wan = (dhcp client)

I can access the Wan interface from the Wifi network, but I cannot access the Internet (there are probably masquerade errors)

From what I understand I don't have to use snat, since the wan takes a dynamic address from the Isp router.

Thank you all

I’d recommend resetting the device to defaults and starting fresh. Most of what you need (other than the vpn) is configured properly as a router. You’ll need to change the lan IP of this device so it doesn’t conflict with the upstream network, enable WiFi, and set the Ethernet port to a network interface called ‘wan’ (you can use dhcp client for this network). Once you do that, you should have a functioning double nat and you can install your vpn related packages and config.


thanks psherman for the help.
probably if I can't get it to work, I'll start over.
Probably if the wan interface had been in bridge mode it would have worked, but I'd rather not use bridge mode.

the problem in my opinion is instead that I can't configure the double nat on openwrt, there is only the masquerading on the wan interface which is not public and I don't know how to configure the default gateway.

after several readings on the forum I have seen that there are problems having the wan (dhcp client) on the same class as the router ..

You don't have to use bridge mode. You can set it up with routing (making a double NAT).

The way you make a double NAT is by connecting a NAT/masqueraded interface to the upstream network. In other words, your existing LAN is the upstream here. You'll connect the WAN of your second router to the LAN of the first. You must have different subnets on each network -- so if your first one is, you could make your second one (or, etc... these are just examples, but you need to use RFC1918 addresses).

It is certainly possible that there is a bug or a quirk or something, but the best starting place is the default configuration. It only needs a few tweaks to get it running as a NAT/masqueraded router.

Reset your device to defaults, then enable wifi, and post your config files and I can advise further.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall