How to setup isolated double NAT

I have a Raspberry PI 3B running a fresh install of OpenWRT. I would like to configure it to connect to an exsisting primary router as a DHCP client while broadcasting an isolated WLAN. (Essentially using the primary router as a gateway only.) The purpose of this is to broadcast a WLAN for a group of wireless nodes.

second isolated WLAN ---> Secondary Pi Router ---> connects to primary router as client device.

I have attempted to configure a LAN client interface and bridge it with wireless AP interface, however despite setting "Force DHCP on THIS network" ip addresses for connecting devices are issued from the primary router and the Raspberry Pi defaults to acting as a bridge device.

Any help configuring, preferably in LUCI, would be greatly appreciated! Thanks in advance!

There's no real need to have a second NAT. The "primary" router can handle all the NAT needed and subnets / VLANs can handle the isolation with firewall rules on the primary router. NAT is not a firewall.

Personally, I'd create a subnet and an associated VLAN on the primary router and bridge them with a "dumb AP", or "semi-dumb AP" approach, depending on how you want to handle DHCP, DNS, NTP, and the like. You could, for example, run an isolated set of services in the "secondary" router and disable them on the "isolated" subnet on the primary router.


You can also have multiple SSIDs on a single AP on many routers running OpenWrt, without a second physical device. This is how I handle, for example, guest networks as well putting IoT devices on their own, isolated, dead-end subnets.

To expand on Jeff's idea, what you do is create a VLAN on the primary router, give it its own subnet on the router, put it tagged onto the wire that connects to your RPi have the RPi bridge eth0.N where N is the VLAN tag number, together with your RPi wifi SSID and off you go. The RPi acts as a bridge, but devices connecting to its SSID become part of a separate network on your router.

The only problem is if your router is stock firmware and can't handle the extra VLAN/subnet or is otherwise not under your control.

Thank you jeff and dlakelan for your replies! The reason I need a second device is because I will not have any access to the primary router. The objective is that the secondary Raspberry Pi router can simply connect to the primary router's LAN as a client and then broadcast it's own WLAN for the nodes to connect to.

A piece of information I omitted that may also help understand my objective is that the Raspberry Pi will also be acting as a server on-behalf of the wireless nodes. A remote server will be connecting to the second Raspberry Pi router via SSH Tunneling to get data from the nodes. (The Raspberry Pi will serve this data up.)

Thanks for your help!

Are you planning to connect to the "primary" router via a WiFi client or with a wire?

Wired Connection


It could actually be both depending on the logistics of the physical device location's environment.

So I think you just need to change your physical device settings, put eth0 as your physical device for the WAN and make your radio be your LAN physical device, and you're done. Probably what you've got right now is just a LAN which is a bridge between the SSID and eth0 and no WAN at all.

I will double check my setting and get back to you. As far as I could tell that's how I originally configured it. However somehow it started issuing IP addresses from the "primary" router's DHCP pool, even when set to force DHCP assignment from the "secondary" router's pool.

More than likely an error on my part though haha.


That's why I think it must be bridged between the eth and the radio, otherwise there's no way the main router would hear the DHCP requests.

Set up a routed client. The radio or wifi connection to the backhaul network is the WAN. Your wifi AP is in the LAN. You can also bridge a VLAN TAP into the LAN, and extend the LAN to a remote location. Everything on the WAN side, be it part of the existing LAN you are connecting to, or the Internet itself, should be considered untrusted.

The WAN and LAN networks and the firewall between them should be in the default configuration. Note that you must use a separate IP range for the LAN than what you get from the other router in the WAN.

Just create an interface with static ip on PI eth0, and this IP is one of primary router ip's.
then you can use your second DHCP freely!

I'd like to thank everyone for the replies. I'm sorry it took so long for me to reply, I had some deadlines at work end up getting in the way. I ended up figuring out that when I was creating the secondary WAN interface, OpenWRT automatically bridged to two interfaces symmetrically after the fact. I wasn't able to see this occurring because I was loosing connectivity outright to the device. Now I know to go back before I apply the final setting and ensure it didn't bridge them.

I do have just one last question, other than ensuring the "secondary" router is on a different subnet than the "primary" router, is there anything else I should do to ensure complete isolation of the client devices connected to the "secondary" router?

Thanks a bunch!

If you're trying to isolate the guest network from your regular LAN you should have firewall rules that block the guest network from forwarding to the regular LAN. But you'll have to allow forwarding just to the gateway.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.