How can multiple openwrts be used in series?

I use 5 openwrt devices connected in series with network cables, numbered openwrt1, openwrt2, openwrt3, openwrt4, openwrt5. PC1 is connected to openwrt1 and PC2 is connected to openwrt5, but PC1 cannot ping PC2. Why. The network configuration of each openwrt is the same except for the ” option ipaddr ''“, as shown below:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fdf7:c172:6b5c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask ''
        option ip6assign '60'
        option ipaddr ''

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 0t'

You can connect them in two ways.

Lan to wan then lan to wan and so on. Then you will have the firewall and masq protection in lan to wan protection and pretty much normal traffic in wan to lan direction.

Alternative 2, the first device is the router and the other is configured as switches in lan.

Is there any reason for this specific configuration? My first piece of advice will be to change it completely, unless you have some requirements to keep it as is.

1 Like

I can't think of a use for 5 levels of routing within a facility. A home is almost always one level of routing, there are a few cases where it might need two. Even a large network like a business or college would be two or three at most.

Anyway when there is more than one level of routing within the network, only the last one facing the Internet (the edge or upstream router) should use NAT masquerade-- OpenWrt defaults to this mode since the default use of OpenWrt is to be the only and thus the last router in a house.

When you add a second level, turn off masquerade in the downstream router, and install a symmetric route in the upstream router(s). For example consider a house where everything inside the house is on one router, but there are two outbuildings with their own routers.
Router 1
wan : Internet service (masqueraded)
lan :
Guest lan :
Router 2a
wan :
lan :
Router 2b
wan :
lan :
Now Router 1 needs to know how to reach the 2a and 2b lans. This is done by installing routes in Router 1

  • via
  • via

Technically Routers 2a and 2b should have a route to the main lan(s). But since they already hold an IP on the LAN, that route is automatically added. If 2a should have access to the guest lan, that can be added via, but this is not strictly necessary since Router 1 is the default route for the 2a and 2b routers. Any IP unknown in the 2a routing table will be directed to Router 1 and can reach a lan on router 1.

The main reason to do this in a home is that the outbuildings can be linked with routed links instead of bridged. AP-STA wireless and most VPNs cannot be bridges. Having a network with a large number of users bridged to another site instead of routed will incur a lot of broadcast, ARP and DHCP traffic on the site-site link, which can impair the network if it has limited bandwidth. Using a VPN means that the second level router(s) can be far away at a remote site and the network will still work the same.

Note that router 1 contains two LANs, but they are both within the same level of routing. It is not necessary to add another level of routing to have a guest network. Guests can and should be isolated from other LANs by firewall rules, not NAT or intentional omission of routes.


How to change? My goal is to connect them in layer2 to provide WiFi coverage along a long road, with client IP addresses dynamically assigned by the dhcp server deployed on PC2

In that case set them up "dumb APs" connect lan-lan so they are all in the same LAN. A dumb AP bridges users out at layer 2; it does not route.


I also think so, but I don't know why it doesn't work well. When PC1 pings PC2, openwrt5 doesn't forward the arp reply message to openwrt4, and there's no MAC for PC1 in the arp table of openwrt4

Did you follow the dumb ap guide for configuration of the 4 devices? (One of the units is directly connected to the internet and should stay configured as it is/was; the other 4 should be configured as dumb APs as @mk24 said, and they should all be connected via their lan ports.)

1 Like

I found that although wlan0, eth0.1, and eth0.2 are both members of br-lan, some broadcast messages received from eth0.1 or eth0.2 are not broadcasted to wlan0. Is there any difference between wlan0 and eth0. x in br-lan?

wlan devices should never be specified in the network config file. They should only appear in the wireless config file (and it is in the wireless file that you attach a network to the SSID).

Further, eth0.1 and eth0.2 should not be together in the bridge... usually just one of them.

Let's see the config files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like


clearly, it is a "swconfig" device, where eth0.2 is used to separate/emulate WAN port from rest of switch

if you want a L2, and i think you want it, according to your OP, then you should get rid of WAN / eth0.2 definitons