No internet from secondary router behind OpenWrt router

I have a setup with 3 routers; the visualization would look like this:
clients ↔ OPNsense router (no NAT) ↔routing rules ↔OpenWrt router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet

The issue is that I have no internet access from secondary router (OPNsense) and any clients connected to it.

The following IPs are assigned:
primary router (OpenWrt):
secondary router (OPNsense):
Office: (VLAN)
Guest: (VLAN)

Interface eth1 is not assigned to any firewall zone, it's a blank NIC.

And this is the routing table of primary router:

root@eddie:~# ip route
default via dev wan src dev lan5 scope link src dev lan2 scope link src dev lan4 scope link src via dev lan5 onlink dev wan scope link src

My understanding is that there's no route from secondary router to internet.
Any communication between primary and secondary router is via subnet

Can you please advise what is missing to route internet traffic from secondary router to ISP router via primary router?


if they're connected LAN<>WAN, you can't use the same LAN subnet on both devices.


You could enable masquerade on the wan interface of OPNsense, which I understand is the upstream interface to eth1 in OpenWrt.
Otherwise you'd need to use unique subnets among the router interfaces, as @frollic suggested.

1 Like

I got really confused. Let's rebuild this from scratch with a more systematic plan.

There are 3 networks and 3 routers. Each network's router is .1 in its network. The next downstream router is .2
Network 3 (Users) on lan of router 3:
wan of router 3:
Network 2 (middle router) lan of router 2:
wan of router 2:
Network 1 (ISP router) lan of router 1:
wan of router 1: Internet

Routing rules define a network and the next hop to reach it.
Router 3 doesn't need any additional rules other than those established by default for its own networks. The default gateway is router 2, which then knows how to reach router 1, which then NATs to the Internet. The problem is when router 1 has to dispatch a return packet to router 2 or router 3's LAN.
Router 2 needs to know about router 3's LAN: via
Router 1 is going to send packets for users of router 3 (.3.0 addresses) to router 2, which will then use its rule (above) to send them to router 3. via
Additionally you probably want a route to router 2's lan in router 1, so that router 3 itself and anything else on the .2 lan can use the Internet. via
These two rules could be combined into one by carefully choosing the IP ranges and expanding the netmask.

As documented in my visualization above
clients ↔ OPNsense router (no NAT) ↔routing rules ↔OpenWrt router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet
masquerading is not an option (no NAT).

Let me add information of IPs and routes on the relevant router.

ISP router:
WAN: <public IPv4>
Static route: 
  interface: LAN

(CIDR has first IP and last IP

Primary router:
Static route 1: 
  interface: LAN
Static route 2: 
  interface: homelab
Default route:
  interface: wan

Secondary router:
Default route:
  interface: wan

To simplify the issue resolution let's drop the secondary router for a moment.
This means I connect another client to interface homelab.

There's no DHCP service running for interface homelab, and this means no IP will be assigned.
Instead, the client's routing table is this:

default dev eth0 scope link src metric 202 dev eth0 scope link src metric 202

To assign a static IPv4 on eth0 I execute this command:
ip addr add dev eth0
And finally to define a (new) default route I execute this command:
ip route add default via

This results in client's new routing table:

default via dev eth0
default dev eth0 scope link src metric 202 dev eth0 scope link src metric 202 dev eth0 proto kernel scope link src

I don't think this NIC configuration is correct because I cannot access internet.
And I don't understand why IP 169.254.x.x is still shown in client's routing table.

My strategy is: once the client has internet access, I can continue with secondary router setup.

This is wrong and pointless. Network is directly connected in DMZ.

This is not default route, also wrong and pointless, as it is directly connected.

Network conflict with the LAN in primary router.

169.254 should not be there at all and it is link local, that means it cannot have a gateway to reach other networks.
Fix the things we have remarked already three times first and it will work. It's not something exotic.


Well, let's do it... step-by-step.

I have removed static route 1.
Communication LAN <-> DMZ is working as expected.

Primary router's default route is created automatically, means I didn't modify it.
WAN interface is a DHCP client and connected to ISP router downstream network (LAN), therefore I don't understand why this should be wrong.

As of now, the secondary router is disconnected.
And I have modified primary router's interface homelab, means I modified subnet to and enabled DHCP.
Now, interface homelab can be compared with interface DMZ.

If I connect a client to interface DMZ, command traceroute is working as expected:

pi@raspberrypi:~ $ traceroute
traceroute to (, 30 hops max, 60 byte packets
 1 (  0.641 ms  0.571 ms  0.495 ms
 2 (  1.116 ms  1.020 ms  0.888 ms
 3  * * *
 4 (  25.090 ms  25.024 ms  24.842 ms
 5 (  28.690 ms  28.513 ms  28.441 ms
 6 (  29.372 ms  25.143 ms  25.033 ms
 7 (  23.848 ms  23.767 ms  24.482 ms

When I connect the same client to interface homelab, command traceroute fails:

pi@raspberrypi:~ $ traceroute
traceroute to (, 30 hops max, 60 byte packets
 1 (  0.342 ms  0.288 ms  0.217 ms
 2 (  0.235 ms  0.178 ms  0.199 ms

The major difference comparing interface homelab and DMZ is:
there's no firewall zone assigned to interface homelab.
This means homelab is a "blank" interface.

In my opinion interface homelab is not using default route and traffic is not routed to WAN.
Maybe this is related to a forwarding issue?

Until this traceroute issue is not solved I don't need to continue with secondary router.

After creating firewall zone homelab with these settings the issue is solved:

config zone
	option name 'homelab'
	option forward 'REJECT'
	list network 'homelab'
	option input 'ACCEPT'
	option output 'ACCEPT'

config forwarding
	option src 'homelab'
	option dest 'wan'

However, I'm not sure if I should be more restrictive with input and output settings.

By default if there is no forwarding configured, traffic is denied.
input policy matches the incoming packets. If you change it to drop or reject you'll need rules to allow the flows to access the router. output policy matches the egress packets. It is generally fine to leave it to accept.