How to configure a double NAT

The problem I'm facing is quite similar to this post: How to setup isolated double NAT
But I can't properly apply the solution. The solution, as accepted in the above post, says to

"put eth0 as your physical device for the WAN"

, but how do I do it? When I put the ethernet cable that comes out of the LAN port of my primary router into my OpenWrt device (an RPi 3), it gets recognized as LAN. How do I convert it into WAN?
My Device connection layout:

Internet <-----> Primary Router <---- [ethernet cable] ---> OpenWRT device
I want the OpenWrt device to be a NAT device.
Please enlighten me on this topic.

By whom ??

I mean this.

When not dealing with any off-the-shelf type WiFi router:

  • The first NIC on a device is always a LAN port.
  • The second NIC is the WAN port.
  • If there are more NICs, they are by default inactive
    (order I guess depends on MAC address order).

The RPi 3 has 1 NIC, so that is LAN by default.

What you can do:

  • connect the RPI via Wifi to your main router, WAN will then be via Wifi
  • or add a USB-to-NIC adapter (though driver installation kind of requires a Wifi-based WAN first)
  • or create a Wifi on LAN, connect your client to that WiFi, then manually reassign the 1 NIC from the LAN interface to WAN interface (and it could be, you have to manually create a WAN interface first, as that might not be there by default on 1-NIC-devices).

What you have circled is the firewall zone assigned to that interface. Click on edit, then the firewall settings tab and you can choose the WAN zone where NAT is enabled by default.

No, that is the LAN interface that he has circled.

Yes, but it's colored green which means that it is in the lan firewall zone. He needs to move it to the wan firewall zone (red color) where nat is enabled by default. Yes, the interface itself will still be named lan. Alternatively, he could delete the lan interface, and create a new one with the name of his choice, and put that one in the wan zone.

The problem likely is: to move the only device NIC to WAN, the administrating client will have to be connected via WiFi, with the WiFi connected to that LAN interface.

That is where a separate WAN interface is handy: then unassign the NIC from the LAN interface and assign it to the WAN interface.

Nice. I've moved eth0 to the WAN firewall zone and wlan to the LAN zone. My wireless client is getting an internet connection. But do I need to configure anything separately to get my WiFi clients a NATed internet connection through this WAN?
Moreover, I can't ping via wlan0.


The WiFi clients connected through this device are now behind a NAT layer created by OpenWrt. And that is behind an upstream router, so those clients are double NAT'd.

I’m not sure why you want to do this, but you have achieved your stated goal.

Wlan0 is your downstream network, so it makes sense you cannot ping upstream (and to the internet) this way. What are you trying to test or achieve in this situation?

Sorry, I can't get why I can't ping upstream this way if my devices connected to wlan0 can get an internet connection?

Forwarding from a LAN user (wifi in this case) to the Internet (wired in this case) works because of the firewall. The default firewall settings assume that the two networks will be named lan and wan exactly. Since you've used other names you need to put the two new network names into the firewall zones.



There is already a zone here, lan(TRUELAN) => wan(LAN).

The picture doesn't tell the whole story. Please post the following files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

I think you're confused about which direction the packets are going. When one of your wireless devices sends out a packet, the packet comes into wlan0 for forwarding. When you do ping -I wlan0 google.com on your router, a packet goes out of wlan0.

Inbound packets from wlan0 sent by your wireless devices are forwarded by your router to eth0 based on its routing table, and eth0 has a route that can get to google.com (usually via the default route).

Outbound packets to wlan0 can only go to the connected wireless devices, and unless one of those wireless devices is a router that has a route to google.com, you won't be able to reach google.com via any routes on wlan0.

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4:bdc1:af17::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'eth0'
        list dns '192.168.1.115'
        option gateway '192.168.1.115'

config device
        option name 'eth0'

config device
        option name 'wlan0'

config interface 'TRUELAN'
        option proto 'static'
        option device 'wlan0'
        option ipaddr '192.168.5.5'
        option netmask '255.255.255.0'


root@OpenWrt:/etc/config# cat wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option network 'TRUELAN'

root@OpenWrt:/etc/config# cat firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'TRUELAN'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'named'
        option src 'wan'
        option src_dport '2222'
        option dest_ip '192.168.1.1'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'named1'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.1'
        option dest_port '80'

Thanks rao.
I have another confusion here:
I see I can't communicate (ping) from my OpenWrt device to a device connected to the LAN of my primary router. As my OpenWrt device is also connected to the LAN of my primary router, why can I not do that?
Can you please explain this for me?

That should work.

  • You need to know the IP of the device.
  • Windows PCs by default do not answer pings.
  • Make sure that no other device on the house network (such as the main router) has 192.168.1.1.

Following a few conventions would make this easier to follow:

  • The upstream router (gateway to the Internet) in a /24 network should have the IP ending in .1
  • The network facing the Internet should be named "wan" or "wwan" etc.
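As an added example (not code from the thread or from the OpenWrt project), the following Python script parses UCI-style config text such as the three files posted above and audits the zoning the replies describe: every network must be in some firewall zone (an unzoned one gets only the "config defaults" policy, whose forward is REJECT); the interface holding the default route, which this script assumes is the one with an "option gateway", must sit in a zone with masq '1'; each client-side zone needs a "config forwarding" into that masq zone; downstream and upstream subnets must not overlap; and anything that widens exposure on the upstream-facing side is reported. The embedded configs are constructed, trimmed copies of the posted ones. Run against them, the script reports the two points a reviewer would raise about the posted config: the DNAT redirects that expose 192.168.1.1:22 (and :80 in the full file) from the wan zone, and the access point with encryption 'none'.

```python
"""Audit an OpenWrt UCI config for a double-NAT box (added example, not from the thread)."""
import ipaddress
import re

# Constructed samples, trimmed from the config files posted in the thread.
NETWORK = """
config interface 'lan'
        option device 'eth0'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.115'
config interface 'TRUELAN'
        option device 'wlan0'
        option ipaddr '192.168.5.5'
        option netmask '255.255.255.0'
"""
WIRELESS = """
config wifi-iface 'wifinet0'
        option mode 'ap'
        option encryption 'none'
        option network 'TRUELAN'
"""
FIREWALL = """
config zone
        option name 'lan'
        option forward 'ACCEPT'
        list network 'TRUELAN'
config zone
        option name 'wan'
        option input 'REJECT'
        option masq '1'
        list network 'wan'
        list network 'lan'
config forwarding
        option src 'lan'
        option dest 'wan'
config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '2222'
        option dest_ip '192.168.1.1'
        option dest_port '22'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'\s*$")


def parse_uci(text):
    """Return [{type, name, opts}]; 'list' entries accumulate into Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            sections.append({"type": m.group(1), "name": m.group(2), "opts": {}})
        elif (m := OPTION_RE.match(line)) and sections:
            kind, key, val = m.groups()
            opts = sections[-1]["opts"]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections


def audit(network=NETWORK, wireless=WIRELESS, firewall=FIREWALL):
    """Return a list of findings; an empty list means the zoning is consistent."""
    ifaces = {s["name"]: s["opts"] for s in parse_uci(network) if s["type"] == "interface"}
    fw = parse_uci(firewall)
    zones = {s["opts"]["name"]: s["opts"] for s in fw if s["type"] == "zone"}
    forwards = {(s["opts"].get("src"), s["opts"].get("dest")) for s in fw if s["type"] == "forwarding"}
    zone_of = {n: z for z, o in zones.items() for n in o.get("network", [])}
    masq = [z for z, o in zones.items() if o.get("masq") == "1"]
    upstream = [n for n, o in ifaces.items() if "gateway" in o]  # assumption: default route = upstream
    findings = []
    for n, o in ifaces.items():
        if n not in zone_of:  # unzoned: only 'config defaults' applies (forward REJECT)
            findings.append(f"network {n} is in no firewall zone")
        elif n in upstream and zone_of[n] not in masq:
            findings.append(f"upstream network {n} is not in a masq zone")
        elif n not in upstream and not any((zone_of[n], z) in forwards for z in masq):
            findings.append(f"no forwarding from zone {zone_of[n]} ({n}) to a masq zone")
    subnets = {n: ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False) for n, o in ifaces.items() if "ipaddr" in o}
    for n in upstream:
        for m, s in subnets.items():
            if m != n and n in subnets and subnets[n].overlaps(s):  # replies would route to the wrong side
                findings.append(f"subnet of {m} overlaps upstream {n}")
    for s in fw:  # DNAT from the masq zone punches a hole through the upstream-facing side
        o = s["opts"]
        if s["type"] == "redirect" and o.get("target") == "DNAT" and o.get("src") in masq:
            findings.append(f"DNAT exposes {o.get('dest_ip')}:{o.get('dest_port')} via {o['src']} port {o.get('src_dport')}")
    for s in parse_uci(wireless):  # an open AP on the client network lets anyone behind this NAT
        o = s["opts"]
        if s["type"] == "wifi-iface" and o.get("mode") == "ap" and o.get("encryption", "none") == "none":
            findings.append(f"open AP {s['name']} on network {o.get('network')}")
    return findings


if __name__ == "__main__":
    for f in audit():
        print("-", f)
```

On the router itself the same re-zoning the thread does through LuCI can be done with uci, for example `uci set network.wan=interface`, `uci set network.wan.device='eth0'`, `uci set network.wan.proto='dhcp'`, `uci commit network`, followed by `/etc/init.d/network restart`; as the earlier replies warn, do this from a client on the WiFi side, because the wired session is lost the moment eth0 leaves the lan interface.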
