Issues with port forwarding from ISP router to LAN router (LEDE)

I am pretty new to fiddling in depth with my network setup, but finally decided that it's time to learn. Especially because the default router supplied by my ISP sucks (o2 in Germany - o2Box 6441).

So I decided on getting an openWRT router, namely the Linksys Wrt1200ac. Unfortunately it does not have a modem, so I want to use the 'modem part' of the o2Box.

So the setup should look like this:

  • Router 1: O2 box 6441 is connected to the internet:

  • Router 2: Linksys 1200ac is connected on its 'Internet' Port (not the numbered ethernet ports) to Router 1 at a numbered Lan Port. It should take over all the 'routing' services in my network and provide wifi to all my devices as well as a media server and such shenannigans.

So it should look like this:

Nextcloud-server (RPi)
-> ports: 22/80/443

Linksys WRT 1200 ac <-----------------------> o2Box <----> Internet

Personal Computer

other devices

I flashed openWRT (Lede reboot v17.01.4) and connecting the Linksys, I can setup wifi and get an internet connection. The WAN part of the Linksys gets in the o2box subnet; ports 22, 80, 443, 1149 are forwarded on the o2box.

On the Linksys I have also forwarded ports, as follows:


However, if I put my RPi-nextcloud-server in the 192.168.2.x subnet, I cannot reach it from the outside. Also, if I connect to the 192.168.1.x subnet (o2 box), I cannot reach any of the devices behind the linksys router.

The other way round works just fine: if I put the RPi into the 192.168.1.x subnet, adjust the port forwardings on the o2box, I can ssh into the RPi ( from the 192.168.2.x subnet. So my guess is that sth with the port forwardings is wrong. Should I set up an outgoing forward too (although that does not seem to make sense to me, as outgoing connections are allowed anyways)?

I have also, under general settings, set forwarding to 'accept' from the wan zone to the lan zone.


So my question is how can I configure the Linksys so that it will actually work as desired - any help is appreciated.

Glad to supply logs if you point me to which ones might help.

Unfortunately this setup will NOT be passing all the routing duties to your LEDE box. All you have actually done is made it so the O2 router thinks there is only a single client, but its still doing just as much work as before as its still translating between the WAN and LAN.

Is there no way to switch the O2 router into bridge/modem only mode?

Oh and yes, I looked at the related topics on this forum. However, I could not find a solution to this. If there is, would be grateful if you'd point me in the right direction.

Unfortunately, I think the o2box does NOT have a bridge mode incorporated (as I said earlier, it is pretty crappy software at least). unless there is another way to get it into bridge mode, that is no option here...

This is also going to be a temporary setup as I will be moving house in a couple of months. So I do not really want to get a new piece of hardware until I moved house.

I get that the o2box is doing the main work here, however, couldn't I still use the LEDE box for setting up a VPN and such things?

Yes you should still get the functionality of LEDE.

Its generally easier if doing it this way to assign a DMZ to the LEDE box so you only have to mess with port forwarding on the LEDE box, but again that is assuming the O2 box supports that function.

well you guessed it: it does not support dmz. however, the port forwarding should still work as required, right?

meaning my forward rules are theoretically alright?

Other people seemed to have the same issues. maybe I will go with the o2box until i can get some decent hardware..

Can anyone recommend a dsl mode (german isp) for going with the linksys?

Can't think of any reason why the port forwarding wouldn't be working. Do you know what the actual hardware of the O2 box is?

As for using your own modem/router, do you have access to the login details necessary to do so? There should be plenty of DSL routers that can handle bridge mode, many which can run LEDE themselves.

The modem/router should be set to forward ports to your LEDE router at Then the LEDE router forwards again to the RPi at

When testing this you need to try to connect via a separate Internet service such as a mobile phone. Using your public IP on your LAN is unlikely to work.

Which router is running the SSH server, and what SSH server is running?

  • Please also post the output of /etc/config/firewall

Perhaps I'm thinking about this wrong, but shouldn't the following work if the SSH server is running on the 1200AC at LAN port 22

  • o2Box port redirect 22 WAN to 22 LAN
  • 1200AC listening on 22 WAN.

If the SSH server is on the o2Box, a Multi-Hop SSH must be performed, with gateway port forwarding allowed on the o2Box's SSH server.

  • A multi-hop is an SSH tunnel within another SSH tunnel, and would look like:
    • Remote device -> WAN SSH -> o2Box SSH Server -> [multi-hop begins] -> LAN SSH -> 1200AC SSH Server -> NextCloud

You could also setup OpenVPN on the 1200AC.

that's weird.
I have lede on wrt1200ac and have a modem for adsl.
and I had problem too.
meaning that if I dont use the bridge mode and port forward all the port to lede I cant use the remote ssh to my internal clients.
so I had to use the bridge mode.(though bridge mode is nice because you then you can manage your internet from your router instead of modem webui.

@JW0914 If port forwarding isn't working then you wouldn't be able to reach the OpenVPN server either. :wink:

@reza Not sure what you mean as if you use bridge mode then there is nothing to port forward to the LEDE box, as the LEDE box gets the WAN IP directly.

I highly doubt port redirects aren't working, and as I mentioned above, this is likely due to a misconfiguration... hence why I asked for you to post your firewall config. I also asked a pertinent question you ignored...

I know that.
but when I ssh to my ,say laptop from wan side (from my data line on mobile) in bridge mode it works. it lan mode it doesnt work.

I'm aware of that, as you've stated it numerous times. I, nor anyone else, has access to your devices, therefore, in order to troubleshoot an issue, the person with the issue (yourself) must provide information requested if the person with the issue (yourself) wishes to resolve said issue.

Suppositions and assumptions, hypotheticals and guesses are a waste of everyone's time... so if you would like to troubleshoot your issue, I'll be glad to help... otherwise, best of luck =]

I dont understand.
what info?
my router model? my age? my blood type ?:slight_smile:
I am not the OP I just popped up when I saw this post and it as an issue I had the I just ignored and use my modem--to--router in bridge mode. it has its perks (no need for port forwarding from modem to router and managing pppd from router with scripts)

but bridge mode is a weird mode for me. for example I cant use normal lan redsocks iptable config to use transparent proxy on it (I am a noob linuxer) .
and because it uses bridge mode I cant get correct amount of logging for data management (amount downloaded and so on) and I cant use tools like tcpdump on that bridged interface as I would on my laptop in simple lan mode (maybe somebody can tell me how )

@reza My mistake, I thought you were the OP

1 Like

@reza You really should start a new thread if you want help with this as your problem sounds completely unrelated.

Sorry for taking some time to reply, been enjoying my vacation. I am not sure about the hardware of the o2box. However, as I do not have access to the login information and will move appartments in 6 months anyway, I probably will not bother anymore.

Thanks for trying to solve this with me though.

I have been trying to test the connection from the outside of course. As soon as I am back (next week), I will post the output of /etc/config/firewall.

The ssh server running on the wrt1200ac subnet is a raspberry pi with a standard raspbian stretch (lite). the ssh server is the standard in-built linux version.