[SOLVED] Cannot access upstream router Luci Interface (double NAT)

Hello everyone,
I've been trying over the last couple of days to troubleshoot on issue with WireGuard client connection speed, as reported by my Roku Ultra. I was able to get about 71Mbps on the Roku Ultra speed test, but somehow, over the last couple of days, it has fallen drastically.
To verify if the issue was caused by the recent adoption of the Protectli router, I decided to chain it to the previously used GL-MV1000, which always provided the above mentioned 70ish Mbps when going through WIreGuard connection. My paid for ISP speed is 200/100, but I intend to go gigabit in the near future, which was the reasoning behind the adoption of the x86/64 router.

Anyway, I don't know if it's the new blood pressure control med I began taking a few days ago, but I cannot seem to find why I cannot access the GL-MV1000 OpenWrt Luci interface from a computer connected to the LAN provided by the Protectli router.... I think I should be able to access Luci on the GL-MV1000 because it's the default gateway for the Protectli, no need for static routes, but since I currently can't and I'm currently a little liteheaded, I thought it would be faster to ask for help from you gentle folk. Services marked as disabled are in such state because of the testing circumstance I explained above.


Diagram below may help you noble friends to understand:

PS: I think it's worth mentioning that even though I can't access LUCI on, I can surf the web alright.

First guess:
You have enabled BCP38 in the innermost Protectii router, and that prevents packets to "local private IP addresses" like 192.168.8.x being sent from WAN of the Protectii.

Or something similar.
Double NAT may cause strange effects as you have private addresses also on the WAN side of the inner router.

you might try accessing the IPv6 address of the router in case IPv4 fails.

1 Like

Thanks for posting back in such short time.
I had to search bcp38 and openwrt to find out about what that is... Sorry for being such a newbie. As far I can remember, I haven't installed the bcp38 package, unless something else installed it for me... How can I find out if it is indeed running?

Funny thing is I have played with double NAT several times (granted with the routers above mentioned in reverse order) before and never got this unexpected behavior.

I tried ping6 from my Mac using the Gateway IPv6 address shown in the Overview page of my Protectli, but did not succeed. Forgot to mention that ping from the Mac also fails.
Screen Shot 2021-08-04 at 14.23.14
Also, I can traceroute from the Mac to, say,, or cnn.com without any problem and, wait for it... one of the hops is, but I CANNOT traceroute to directly.

Several ways

  • LuCI firewall - bcp38 tab
  • LuCI system - software - installed packages. Is bcp38 on the list?
  • From SSH console: `opkg list-installed

But just think on similar lines:
any adblockers or similar, which would affect firewall?
If you connect PC directly to the outer router, can you then access LuCI there?

1 Like

I have just confirmed that it's not installed.

I think you may have nailed it.

Yes, I can, no problem. I'm about to verify if I forgot to disable Adblock and/or Banip (specially bogon prefixes...)

Sounds like intentional disabling...

Probable cause.

1 Like

No, both Adblock and Banip were installed on the Protectli, but disabled as well...
And neither was installed on the GL-MV1000. I just realized that It may as well be something cached in the Mac. I'm about to reboot the damn thing and post back the result.

Blimey... IT WAS the freaking Mac...

Like I said, I'm on new high blood pressure meds since Monday. I can only explain those for failing to think of rebooting the client first...

Anyway, I want to thank @hnyman very much for all the ideas exchanged above. Those may help other fellow users in the future...

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.