[Solved] Does Router #1 need passthrough?

Setup is: AT&T Arris NVG599 (modem-router-wifi). 2ary router is TP-Link Archer C7 v2 with LEDE/LuCI.

C7 IP is:

599 router is: 192.168.1.x

AT&T does not allow bridge. It has passthrough, which is not yet configged for C7.

On attaching cable from computer to C7, and making computer IP, Gateway, I cannot see the Admin page at

I have configged for OpenVPN, addressed specifically to me at: https://cryptostorm.org/viewtopic.php?f=37&t=4480 (see @FoodMaven second to last post, that page). After configging for OpenVPN/Cryptostorm I first saw: “Destination port unreachable” when pinging computer in another subnet. (10 days ago).

As of today, 6Mar18, direct connection from C7 WAN to 'puter LAN and surfing to, and other IPs, shows no destination reachable.

Does the NVG599 need to be in passthrough mode? Is that all that is wrong?

Put the NVG599 in passthrough mode and turn off DHCP, wireless, and the firewall.

The C7 doesn't need passthrough.

Definitely put it in passthrough mode, turn off all the firewall stuff and the wireless on the Arris, you will probably still need DHCP because that's how the C7 will find out its passthrough IP.

Once you've got that set up, then see how your situation is. It should "just work" but if not we can help from there.

I turned on IP Passthrough but didn't supply an IP at the blank field: Default Server Internal Address. Disabled Packet Filtering (Firewall). Whether that was enough, is confusing to me as there were 20 switches to throw. Also turned off Wifi. Rebooted modem. I have no internet.

In the IP Passthrough setup on my NVG599 I select

Allocation Mode "passthrough"
Passthrough Mode "DHCPS-fixed"
Passthrough Fixed MAC Address: "my router's mac addr by manual entry"
Passthrough DHCP Lease: 30 minutes

Then I have my router do DHCP to get its WAN address and it winds up with the public address that the 599 gives it... things just work.

I cannot get the modem and router to talk on the Internet. I cannot get the router onto the 'net. I can access the Admin page (LuCI) and the syslog reports:

"A default route is present but there is no public prefix on br-lan thus we don't announce a default route!"

That obtained with cable from network to WAN of router and LAN of router to computer.

IP of computer:
IP of Router:

The issue you have is what's up on the WAN side, not on the LAN side. The fact that you list "IP of Router" as a private address outside the usual LAN net suggests that you're telling us the WAN and since it's private, passthrough is not set up correctly.

When you do IP passthrough, only ONE device on the LAN side of the NVG599 / modem can get the passthrough IP. You need to tell it which one that is. And, most likely you need to do the "reboot dance":

  1. Turn off router, turn off modem.
  2. Turn on modem, wait about 1 to 2 minutes for it to fully boot.
  3. Turn on router, wait for 1 to 2 minutes for it to fully boot and to get a new DHCP lease for the IP passthrough IP on its WAN side.

See if that works.
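The check described in the reply above, as an added example that is not part of the original thread: it reads `ip -4 addr show` output for the router's WAN device and reports whether the address is public (passthrough working) or private (still behind the NVG599's NAT). The function names and both sample outputs are constructed for illustration; 203.0.113.25 is a documentation address standing in for a real public lease.

```shell
#!/bin/sh
# Added example. On the router:  ip -4 addr show dev <wan-device> | passthrough_check

# Classify a dotted-quad IPv4 address by its first two octets.
classify_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    a=$1; b=$2
    case "$a" in
        10)  echo private ;;                                   # RFC 1918
        127) echo loopback ;;
        172) if [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private; else echo public; fi ;;
        192) if [ "$b" -eq 168 ]; then echo private; else echo public; fi ;;
        169) if [ "$b" -eq 254 ]; then echo linklocal; else echo public; fi ;;
        100) if [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat; else echo public; fi ;;
        *)   echo public ;;
    esac
}

# Print the first IPv4 address found in `ip -4 addr show` output on stdin.
first_inet() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Verdict: no lease at all, still double-NATed, or holding a public address.
passthrough_check() {
    addr=$(first_inet)
    if [ -z "$addr" ]; then
        echo "no-lease"
        return 0
    fi
    kind=$(classify_ipv4 "$addr")
    if [ "$kind" = public ]; then
        echo "ok $addr"
    else
        echo "double-nat $addr ($kind)"
    fi
}

# Constructed sample: WAN leased from the NVG599's own 192.168.1.x LAN pool.
SAMPLE_NAT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.64/24 brd 192.168.1.255 scope global eth0'
# Constructed sample: WAN holding a passed-through public address.
SAMPLE_OK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 203.0.113.25/22 brd 203.0.113.255 scope global eth0'

printf '%s\n' "$SAMPLE_NAT" | passthrough_check
printf '%s\n' "$SAMPLE_OK"  | passthrough_check
```

A `double-nat` verdict after the reboot sequence means the modem is still handing the router an address from its own LAN pool rather than the passthrough address.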

I'm not sure what the 192.168.11.X is for. You have to have the router and the computer in the same subnet. Default settings on router: IP, will assign DHCP to computer of 192.168.1.X.

Yes like @dlakelan said, turn off the modem for a while, as that may be necessary to have the ISP network forget your previous MAC address. Then connect modem to WAN port and switch on-- if modem is in pass-through the router will obtain a public WAN IP via DHCP all the way from the ISP's end.

Once all of this basic stuff is working, you can go back to setting up OpenVPN.

Hurrrrieddderrr I go, behnnindderrr I git. Powered off both devices. Cold booted per usual wait 2x min.

ping google.com states

From LEDE.lan ( icmp_seq=1 Destination Port Unreachable

above with modem in passthrough per your post above DH fixed, MAC addr, lease 30, Firewall packets disabled and 2.4gig wifi off.

The output of ip -f inet route or netstat -rn may provide insight


ip addr show

Please bear with my slowness at picking this up. Terminal output may as well have been Greek to me.

mark@Lexington:~$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 4c:cc:6a:63:b1:bf brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic enp6s0
       valid_lft 43178sec preferred_lft 43178sec
    inet6 fd12:7b17:b457::2d3/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fd12:7b17:b457:0:4e01:f7c9:7f8a:cdb1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 2600:1700:9e60:c42f:e593:aea9:7d30:80f5/64 scope global noprefixroute dynamic
       valid_lft 1207286sec preferred_lft 1207286sec
    inet6 fe80::1b26:68f4:b0f3:bafc/64 scope link
       valid_lft forever preferred_lft forever

A little clearer (maybe).

mark@Lexington:~$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
UG 0 0 0 enp6s0
U 0 0 0 enp6s0
U 0 0 0 enp6s0

mark@Lexington:~$ ip -f inet route

default via dev enp6s0 proto static metric 100
dev enp6s0 scope link metric 1000
dev enp6s0 proto kernel scope link src metric 100

I added a Gateway addr of: into the C7 but that's a fail.

That ip addr show output is all really different from expected...

It shows just ONE ethernet interface "enp6s0" which is typically the kind of naming you get from systemd. There is no additional interface... no VLAN... no wifi...

Are you running some kind of LEDE snapshot? but even still.. something is weird, you should have a br-lan and either a second ethernet or two VLAN interfaces, and two wifi interfaces.

EDIT: I'm tempted to say just flash LEDE again and start from scratch.

Forgive my ignorance, but I don't know what a snapshot is. I have a "stock" LEDE for this device.

I'm tempted to firstboot as well and will start that this coming Monday.

I am now certain that the C7 router should be configured to run as the internet connectivity before the VPN work. Why this has happened backwards is now a mystery to me.

Thank you, dlakelan, for your thoroughgoing support.

No problem. I definitely think you should not just firstboot, but actually flash a new image, and tell it to erase old settings.

here is link to C7 v2 stable image for sysupgrade from existing LEDE install:


log into LUCI, go to system > backup / flash firmware and tell it to flash new firmware image, uncheck the box for "keep settings"...

once you've got that flashed, then ssh in, set the password, and connect via LUCI to set up WAN. It should get the public ipv4 address from your NVG599 on the WAN, and also should get an ipv6 address and an ipv6 prefix for the LAN.

I would recommend reading the OpenWrt/LEDE documentation...


SUCCESS. Passthrough now working. 2.4 & 5 gig wifi passwords enabled and working, too.

Thnx to dlakelan & jwoods.

For latecomers to this post: I have AT&T (formerly Uverse) DSL through an AT&T supplied Motorola Arris NVG599 modem (router wifi). I am trying to set up a VPN. AT&T's NVG599 does not have "bridged mode", only Passthrough.

Since it is marked as solved: Can we close this topic?

Close it. Please.