Netgear R6220 has all access but clients don't

Hi I just flashed OpenWRT 18.06 on my new Netgear R6220-100PES. I'm using it to create a network that is separated from my main home network. The situation is as follows:

  • router/modem from my ISP creates main home network and has IP
  • modem has static route to with netmask via gateway fixed IP
  • R6220 creates separate network and has IP and fixed IP on WAN

The problem is that clients connected to the R6220 via Lan and W-Lan can't reach the internet. They can't ping or traceroute nor however they can ping the modem at and devices connected to it. Interestingly though on the diagnostic page the R6220 can reach both the internet and devices in the other network. To make sure the cause is not the R6220's firewall I disabled it via ssh. I haven't touched the VLANs so they're default (see the attached image). I've also worked through

What is causing the problem?

Output of ifconfig:
br-lan Link encap:Ethernet HWaddr CC:40:D0:A4:DA:81
inet addr: Bcast: Mask:
inet6 addr: fe80::ce40:d0ff:fea4:da81/64 Scope:Link
inet6 addr: fd37:1994:35d3::1/60 Scope:Global
RX packets:33050 errors:0 dropped:0 overruns:0 frame:0
TX packets:29790 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6250785 (5.9 MiB) TX bytes:19206111 (18.3 MiB)

eth0 Link encap:Ethernet HWaddr CC:40:D0:A4:DA:80
inet6 addr: fe80::ce40:d0ff:fea4:da80/64 Scope:Link
RX packets:81398 errors:0 dropped:7 overruns:0 frame:0
TX packets:61031 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:23762817 (22.6 MiB) TX bytes:26421224 (25.1 MiB)

eth0.1 Link encap:Ethernet HWaddr CC:40:D0:A4:DA:81
RX packets:30534 errors:0 dropped:16 overruns:0 frame:0
TX packets:30391 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5907080 (5.6 MiB) TX bytes:19335277 (18.4 MiB)

eth0.2 Link encap:Ethernet HWaddr CC:40:D0:A4:DA:80
inet addr: Bcast: Mask:
RX packets:46508 errors:0 dropped:1039 overruns:0 frame:0
TX packets:26409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16207820 (15.4 MiB) TX bytes:6320644 (6.0 MiB)

lo Link encap:Local Loopback
inet addr: Mask:
inet6 addr: ::1/128 Scope:Host
RX packets:5739 errors:0 dropped:0 overruns:0 frame:0
TX packets:5739 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:436791 (426.5 KiB) TX bytes:436791 (426.5 KiB)

wlan0 Link encap:Ethernet HWaddr CC:40:D0:A4:DA:80
inet6 addr: fe80::ce40:d0ff:fea4:da80/64 Scope:Link
RX packets:2565 errors:0 dropped:0 overruns:0 frame:0
TX packets:4121 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:383209 (374.2 KiB) TX bytes:864275 (844.0 KiB)

I think you still have NAT working
2 things to try
temporarily make them the same firewall group "lan"
could have something to do with forwarding in the firewall setting not set up for the differing zones
failing that change the name on the wan interface from wan to something else

But I disabled the firewall and it's still not working

Where is the NAT setting and how can I change the name from the Wan interface?

When you static IP the WAN you also have to configure the wan gateway and DNS server under the OpenWrt wan section. These should be

You do not have to enter any routes into the upstream router unless you want devices on the 192.168.1 LAN to be able to reach the 192.168.2 LAN. In that case you also need to open the OpenWrt firewall.

Do not remove all the firewall rules or shut down the service entirely because that will break NAT.

I would try a default configuration, change the LAN to and let the WAN DHCP (which is the default). Once that works you can get fancier. I prefer to make a reservation (static lease) in the DHCP server rather than static IP any clients.

I have left WAN on dhcp as it was by default. I've added the route on the ISP modem so devices have access to the network. Ofc an incoming firewall rule would then be needed.

Even with the default firewall settings the behaviour was the same as written in the first post. The question is why the R6220 itself has full access but its clients don't?

Edit: The ISP modem/router has DHCP enabled but has set a static IP for the R6220 which is

I think the firewall also handles the packet forwards & you have different zones so if the firewall is disabled who is going to forward the packets?

The packets should be forwarded according to the routing table. The standard route dictates that packets whose destination is not in the router's own network will typically be forwarded to the router connected at the WAN port. That shouldn't be different here because R6220's clients are able to ping devices in the network

basic steps to get this to work

in your main router
setup dhcp to give the mac address of your R6220 an ip of
setup static route to forward 192.168.2.x/24 to

in R6220
Factory reset
change Network>interfaces>LAN>Edit>General Setup>"IPV4 address" to
change Network>interfaces>WAN>Edit>Firewall Settings>"Create / Assign firewall-zone" to LAN
should now be able to access R6220 on &

you should now be able to ping a device from 192.168.1.x to 192.168.2.x & back

now if your router allows 192.168.2.x to use its NAT you will have internet access as well on 192.168.2.x

it's up to you now to sort out your firewall / isolation on how you want it to end up

Your routing table on the R6220 should look like this:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth0
*        U     0      0        0 br-lan
*        U     0      0        0 eth0

This is all automatically set up-- you don't need to declare any routes on the R6220.


there seems to be some confusion on this thread
I'm thinking you are trying to add a 2nd subnet & only your main router is doing NAT
others seem fine with double NAT which I can't think of why you would want to do this?

@mk24 the routing table looks exactly like this

@Lucky1 Yes but I'm not sure if the R6220 doesn't do NAT as well? I've read that double NAT is ugly but works well most of the time. The thing is that all internal communication is working fine, all devices in the net can access the internet including the R6220, but all devices connected to the R6220 in the net cannot. But I have no idea why...

The setup is the way you wrote @Lucky1 except that for testing purposes I've disabled the firewall completely. But it also didn't work before with it properly configured. That's why I don't think resetting to factory defaults and setting the firewall up the way you wrote (which is how it was before and which was not working) will solve the issue. Also there is no setting for NAT on the ISP modem/router. Enabling DMZ in the modem's settings for the R6220 on has not solved it either (and I don't want to use this setting anyway).

Any traceroute to the internet from a device in the net stops after reaching the modem at for no apparent reason

MK24 you have to understand the firewall is what forwards from 192.168.2.x to 192.168.1.x so if you disable it you will get what you have no communications between
the easy way to get it to work & see if your router will let 192.168.2.x on the internet
is to turn on your firewall & add both lan & wan to the default LAN firewall group
if you look on your firewall page & see the settings under zone that's the forward you want
if you make them the same zone for now it will forward


  • the IPv4 and IPv6 packet forwarding sysctl setting enables routing
  • the firewall handles masquerade (NAT) rules

So if the user adds static routes to the non-OpenWrt with firewall disabled, then the device should forward normally. Major Internet and core routers forward with no NAT or firewalls all the time. If the OP also routes on the APs (has subnets on them), routes would be added to OpenWrt as well.

So @lleachii what could be the issue then? How can I find out why any traceroute to the internet from a device in the net stops after reaching the modem at ? It stops with both traceroute and ping to and

Also in the ISP modem/router there's no option for firewall and NAT


I didn't inquire; but that information was quite useful!

  • Please confirm if the ISP device is a router - what's its make/model?

If this is the case, then your setup is working. I'd blame the ISP device. Its code may only create a masquerade rule for the prefix assigned to its LAN (i.e.

  • Can you show a screenshot of this route configured in the ISP device?

You already did:

  • Your devices can ping devices at
  • This means their gateway (i.e. has a route properly configured
  • If you can ping vice versa, then the only device left to troubleshoot is the ISP device
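Added example, not part of the original thread: a small Python model of the hypothesis in the two posts above (routing is a kernel forwarding setting, masquerade is a firewall rule, and the ISP device may masquerade only its own LAN prefix). The host addresses 192.168.1.2 and 192.168.2.50 and all function names are constructed for illustration; the ISP device's real rule set is not shown in the thread.

```python
import ipaddress

# Constructed addressing, based on the 192.168.1.x / 192.168.2.x subnets named in the thread.
ISP_LAN = ipaddress.ip_network("192.168.1.0/24")
R6220_LAN = ipaddress.ip_network("192.168.2.0/24")
R6220_WAN_IP = ipaddress.ip_address("192.168.1.2")   # constructed
CLIENT_IP = ipaddress.ip_address("192.168.2.50")     # constructed


def source_seen_by_isp(src, r6220_masquerades):
    """Source address of a packet as it arrives at the ISP device."""
    src = ipaddress.ip_address(src)
    if src in R6220_LAN and r6220_masquerades:
        return R6220_WAN_IP   # rewritten by the masquerade rule on the R6220
    return src                # routed only: the original address is preserved


def reaches_isp_lan(src, r6220_masquerades, isp_has_return_route):
    """Replies come back if the source is on the ISP LAN or the ISP device has a route to it."""
    seen = source_seen_by_isp(src, r6220_masquerades)
    return seen in ISP_LAN or isp_has_return_route


def reaches_internet(src, r6220_forwarding, r6220_masquerades, isp_masq_prefixes):
    """Internet replies need the ISP device to NAT the source it sees."""
    src = ipaddress.ip_address(src)
    # LAN clients depend on kernel forwarding; the router's own traffic does not.
    if src in R6220_LAN and not r6220_forwarding:
        return False
    seen = source_seen_by_isp(src, r6220_masquerades)
    return any(seen in ipaddress.ip_network(p) for p in isp_masq_prefixes)


def symptoms(r6220_masquerades, isp_masq_prefixes, isp_has_return_route=True):
    """Reachability summary for the R6220 itself and for one of its clients."""
    return {
        "router_internet": reaches_internet(R6220_WAN_IP, True, r6220_masquerades, isp_masq_prefixes),
        "client_isp_lan": reaches_isp_lan(CLIENT_IP, r6220_masquerades, isp_has_return_route),
        "client_internet": reaches_internet(CLIENT_IP, True, r6220_masquerades, isp_masq_prefixes),
    }


if __name__ == "__main__":
    # Firewall stopped on the R6220 (no masquerade), ISP device NATs only its own LAN.
    print(symptoms(False, ["192.168.1.0/24"]))
```

Under this model the combination "router reaches the internet, clients reach the ISP LAN, clients do not reach the internet" appears only when the R6220 is not masquerading and the ISP device's NAT does not cover 192.168.2.0/24.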

it seems the ISP device isn't accepting the 192.168.2.x/24 range
is the ISP's Router needed for Fiber, VDSL, VOIP?
if so is there a way to put it in Bridge mode?
I know Netgear adsl/vdsl modes have a hidden page for enabling Bridge Mode
if it can making the R6220 do NAT & have 2 networks would be the best option

The ISP device is an Askey RTV1905VW. The route configured looks like this:

@Lucky1 Yes the device is needed for Fiber (or FTTH I think it's called). There is no bridge mode, I have checked this seeing others that are missing this feature as well.

I also think the problem has to be the ISP router. But I don't want to buy a replacement device for it.

Wow I can't believe I randomly solved the problem! :grimacing:
I did an OpenWRT reset and changed the IP for the LAN interface to instead of and everything is working as expected! Maybe the ISP router messed something up with it using ...2.1...

Anyway thank you guys for helping me, really glad it's working now :smile:


yay good to hear :slight_smile:

if you want to isolate the networks you can play with the firewall & make a new zone etc
you can use its wifi to extend the old subnet & add the new one at the same time
just add a new SSID same security & password as your modem & add it to the uplink/wan interface
as well a different SSID for the new subnet
