OpenWrt connected via WAN to a 5G router in bridge mode - How to access the 5G router webui?

Hello all.

I have an OpenWrt 25.12.0-rc5 router (Linksys WRT1900ACS) connected via WAN to an 5G router in bridge mode (Huawei CPE Pro 2 H122-373).

I have a br-lan interface bridging LAN1-LAN2-LAN3-LAN4 with 192.168.5.1 as IP address, with 192.168.8.1 as gateway (5G router), and a DHCP server on the range 192.168.5.0/24.

2336×126 11 KB

3423×386 23.8 KB

Also, I have a wan interface with 192.168.8.100 as IP address (OpenWrt router), with 192.168.8.1 as gateway (5G router).

4345×309 17.6 KB

Everything works like a charm, I have internet on every device connected via Ethernet or Wifi to the OpenWrt router.

1179×197 19.4 KB

But now I **would like to be able to access to the 192.168.8.0/24 subnet (**more precisely, the 192.168.8.1 where the 5G router is, in order to do some maintenance via its webui), while being connected to the OpenWrt router, which I cannot as of now. If I type 192.168.8.1 on the browser i got a 404 error.

Do I need to create another interface or announce some static routes to achieve so? I am pretty new to networking.

Thanks in advance.

Please read the wiki and use search

etc.

Please avoid using pictures.

True bridge mode means that your router wan interface holds a public IPv4 address, usually obtained by DHCP. This almost always requires making special arrangements with the wireless company, and paying a lot extra, since in most countries wireless companies have many many more customers than they have public IPv4 addresses.

Your configuration now actually NATs everything to a private IP address which is then NAT again in the modem and/or wireless company. Since the default route is the 5G router, simply going to 192.168.8.1 will forward there without any additional settings.

404 error means that the network has reached a live web server, but in its filesystem it is unable to find the page that you requested.

If this is the only upstream interface you have, then your 5G router is still a router (with NAT), not a bridge.
Once the upstream device is configured as a bridge, most likely you will need to configure your OpenWrt wan as DHCP.
Then for external device access you will need an interface like the one you have now, but with default gateway disabled.

There should be at most one option gateway in all of your networks, it would be in the wan network if it is not DHCP configured (DHCP installs the default route automatically).

A lot of beginners add extra option gateway and list dns to all the interfaces, but actually these are only relevant for wans.

Thank you.

You are both correct, I thought the 5G router was in bridge mode, but it is in DMZ mode (poor man bridge mode tutorial from here → https://openwrt.org/docs/guide-user/network/wan/dmz-based-bridge-mode) because I have some Voip phones I need, and if bridging I lose RJ-11 capabilities, so it acts as a router with some services disabled (firewall, dhcp, wifi).

Is that the reason due to which I cannot access the 5G router? (192.168.8.1)

Install curl then run it on the router and post the output.
curl -I http://192.168.8.1

I do not have your router but logically you do not want access to the ISP router when it is set to DMZ mode from the DMZ zone as that is insecure.
So that access might be just blocked on the ISP router by design.

If it is not in the manual then ask the ISP (but they will probably not know)

Maybe the DMZ zone is set only on one of the lan ports of the ISP router then you can use other ports to connect to it

This is what i got:

root@openwrt:~# curl -I 192.168.8.1
HTTP/1.1 405
Content-Length: 0

I also tried

root@openwrt:~# curl -I http://192.168.8.1
HTTP/1.1 405
Content-Length: 0

Thank you so much for helping me out.

405 is "Method Not Allowed", try without -I (HEAD request). We need to get the proper response in order to proceed.

curl -v http://192.168.8.1/

Thank you.

It is working! I would swear I have not touched anything since last month I checked:

root@openwrt:~# curl -v http://192.168.8.1
> GET / HTTP/1.1
> Host: 192.168.8.1
> User-Agent: curl/8.15.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Set-Cookie: SessionID=*redacted*; 
< path=/; HttpOnly;
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Content-Type: text/html
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
< X-Content-Type-Options: nosniff
< Date: Wed, 25 Feb 2026 15:45:18 GMT
< Connection: Keep-Alive
< Content-Length: 10945
<
<!DOCTYPE html>
<...

Now I have a further necessity, although it is out of scope of OpenWrt as it depends on tailscale, but in case you would know the way.

I have tailscale installed on the OpenWrt router (version 1.94.1) with the following arguments/options:

• Accept routes
• Advertise as exit node
• Allow LAN access
• Advertise routes: 192.168.5.0/24

Everything works flawlessly, I can access remotely via tailscale to the OpenWrt router and the devices on the 192.168.5.0/24 subnet, I can use the 192.168.5.1 router as an exit node, etc.

But I cannot access the 5G router on 192.168.8.1, which I would need to restart/do maintenance via tailscale when I am abroad.

I have tried to advertise also the 192.168.8.0/24 route on the OpenWrt tailscale, but with no success (the 5G router does not allow to install tailscale on it).

You need a redirect rule as shown in Mikrotik Router device switch ports - #8 by AndrewZ

Thank you.

In order to access the 5G router (192.168.8.1) via 192.168.5.1:8888, I will do:

config redirect
option dest 'wan'
option target 'DNAT'
list proto 'tcp'
option src 'lan'
option src_dport '8888'
option dest_ip '192.168.8.1'
option dest_port '80'
option name 'Modem access'
option family 'ipv4'

In option src, would I need to add “vpn” too, as it is my tailscale interface?

Thanks in advance.

Yes, I think so.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.