[Solved] Forward 2nd wired lan (from 2nd router) out to Internet

Hello all.

How can I forward a second wired network out of the WAN port? No Vlans. No wireless (AP).

- I have the LEDE 17.04 network
- Second router has
- Both have STATIC ROUTES that work. x.x.2.x can ping x.x.1.1 and vice versa.
- Second router has firewall OFF. Forwarding both networks. Even proxy arp.

I don't need DHCP or DNS on 2nd network.


me@lede:~# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
ISP                                             UG    0      0        0 eth0
ISP                                             U     0      0        0 eth0
ISP                                             UH    0      0        0 eth0
                                                U     0      0        0 br-lan
                                                UG    1      0        0 br-lan << STATIC ROUTE

cat /etc/config/network
config route << STATIC ROUTE
        option interface 'lan'
        option target ''
        option netmask ''
        option gateway ''
        option metric '1'
        option mtu '1500'

me@Lede:~# ping -c1 < DHCP on x.x.2.0 network
PING ( 56 data bytes
64 bytes from seq=0 ttl=127 time=0.887 ms WORKS


me@Router2:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* [1/0] via, eth0 < STATIC ROUTE & DEFAULT GATEWAY
C>* is directly connected, lo
C>* is directly connected, eth0
C>* is directly connected, switch0

2nd network client

x.x.2.233>ping -n1
Sent=1, Received =1, Lost = 0 (0% Loss) WORKS

1st network client

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), WORKS

But x.x.2.0 network can't go out to the Internet.
Please help if you can. Appreciated.


If you connect the laptop to the LEDE box on its lan port and get a 192.168.1.x address, can you ping the internet, maybe or something like that? Maybe you have a routing problem or firewall problem on the LEDE box?

You don't need a static route on router2, assuming you have a standard masquerade NAT configuration. Basically, the router at already knows how to traverse up to the next level ( Defining the static route may be what is messing that up.

Hello dlakelan
"if you connect the laptop to the LEDE box on its lan port and get a 192.168.1.x address, can you ping the internet,"
Absolutely. I'm on a PC on now typing this.
I do think it's firewall related but not sure how to address it.

It's like the LEDE router is treating 192.168.2.x traffic like WAN traffic and drops it.

How can I tell the router to treat 192.168.2.x traffic on the lan interface like traffic?
That seems like the root of the problem.

Hello psherman.
The static route for router2 is a default gateway. Maybe I should have called it just that.
"You don’t need a static route on router2, assuming you have a standard masquerade NAT configuration. "
192.168.2.x (router2) is a stub network without routing protocols.

Since Router2 is directly connected to router1 and the 192.168.1.x network, it does know that network, but nothing past that, i.e. the Internet.
The IP info for router2 (subnet mask, etc) was assigned by me, not DHCP from router1.

Nodes on can PING and vice versa, but the LEDE router drops outgoing traffic, like it's considering it unknown or WAN traffic.

Is there a way to tell the LEDE router that 192.168.2.x is trusted and internal? It doesn't seem to be able to tell this from its own local routing table.


Let's back up a little bit so I understand the intent of your network setup. What are your goals? Why are you setting up two cascading routers (not challenging your setup, just trying to understand it)? What OS is each router running (if the picture is representative, you seem to have a Linksys facing the internet and an EdgeRouter in the middle -- is LEDE on both, or the stock OS on one or the other, etc.)? And how are they configured currently?

In general, double-NAT is not an ideal configuration, but it will typically work without too many issues. When both routers are in their standard/default operating mode (masquerade NAT), devices on the double-NAT layer will be able to reach the internet without issue (there are exceptions for certain protocols/applications, but general internet should be fine). Normally, in a SOHO type config (we're not talking internet backbone here), a router only needs to know about the network(s) it controls and the next hop out (i.e. the gateway). Here, because you are doing something else with the middle router, my statements don't totally apply... but I don't quite understand what you want to achieve and how things are set up right now.

Hello psherman
Goals: 2 wired local networks.
- default unfiltered. Typical SOHO set-up
- filtered by Router2 but access to Internet via Router1 (LEDE Router)

Reason: Special IP filtering of Network2 by the Router2 firewall (which is turned off). IoTs. Testing. etc.

Router1-LEDE 17.04
Router2-Ubiquiti EdgeRouter 1.7.1
You guessed right.

No special configs. LEDE install is fresh.
Static route. Some host file edits. Static DHCP leases. That's it. I got rid of all my OpenWrt configs.

Only NAT on LEDE. Firewall on Edge is off. No NAT or masquerading. Purely routing in the 1980s sense of routing. This setup is simple. Like the first diagram you see in a Cisco class. A->B<-C

All I want is the LEDE router to treat like

It's treating it like WAN. That's why I see messages like this:
Sun Feb 11 13:49:35 2018 daemon.warn dnsmasq[31885]: Ignoring query from non-local network
"non-local" is the clue.

How about this. How can I create a firewall zone WITHOUT an associated interface/bridge?
When I try in the LuCI GUI, it takes the lan interfaces from lan and leaves lan empty. Or stays empty itself.
Can I create a zone from a static route or another non-lan interface?
If no, then this request might be beyond the ability of this OS.

If I can add to the Lan zone or its own zone, that might do it.

The log file you're seeing sounds like dnsmasq is seeing a DNS request coming from 192.168.2.x and refusing to respond to it because of permissions. Probably you should look into how to tell dnsmasq to respond to these DNS requests.

If you go to your second network and just try to ping something by IP address, say ping does it work? Perhaps the only issue is dnsmasq isn't responding to DNS requests?

Ok, some thoughts...

First, upgrade your EdgeRouter to the latest firmware (1.10.0 was just released)... fixes bugs, improves security, adds features. Unless you have a very specific reason for sticking with the old version, I would highly recommend the upgrade.

Next, I'm really not sure what you are trying to do when it comes to IP filtering if there is no firewall enabled. What kind of filtering are you doing (or trying to do)? If you aren't using a firewall, there is little or no reason to have a second router unless you need a second address range. But if you don't have a firewall between the two 'zones,' there isn't really any filtering that will happen.

It really sounds like what you want is a VLAN config. The ER can absolutely set up VLANs, and presumably the LEDE device can, as well (depending on the hardware, but if it is recent, it almost certainly will). By setting up VLANs, you can have a unique address scope for your IoT/lab network (or make several, if you want) with full access to the internet that runs parallel to your trusted LAN, but you can then control the level of inter-VLAN routing with the use of the LEDE firewall. You can have it open for full bi-directional communication, or limit it to one-way (2-way, really, but limiting it to just one side being able to initiate a connection), or completely isolate them, or really whatever you want. The VLANs can be associated 1-per port or you can trunk multiple VLANs over a single port.

As far as the firewall zones are concerned, they have to be associated with an interface, else they are useless, AFAIK. The basic idea of a firewall is that it evaluates each connection as one of three things (maybe not the best description, but these are the 3 basic criteria):

  1. coming into the firewall from a network/zone destined for the firewall/router itself (Input).
  2. coming into the firewall from a network/zone going to another network/zone (Forward)
  3. leaving the firewall destined for a network/zone (Output)

Hello dlakelan
"if you go to your second network and just try to ping something by ip address say ping does it work?"
No, the LEDE router acting as the Internet gateway drops ALL packets from the network. DNS, PING(ICMP), http, etc.

Hello psherman.
Thank you for assisting.

"I’m really not sure what you are trying to do when it comes to IP filtering if there is no firewall enabled."

For now, I'm trying to get the LEDE router to route. The diagram has 3 nodes including a PC.
I would turn the other firewall on when I can properly configure the LEDE router to route & NAT to the Internet.
I have the Edge firewall off for troubleshooting's sake. The goal would be to enable it, of course.

The EdgeRouter is operating like a hub and is routing anything sent to it.
I added multiple networks to the EdgeRouter and node-tested those and they're routing fine. It's the LEDE.

The LEDE drops any lan-traffic not
The LEDE Router is treating ANY network traffic OTHER than as un-established WAN and dropping it, even though the static route clearly says lan. See uci config.

root@LEDERouter:~# uci show network | grep route
network.@route[0].interface='lan' < LEDE ignore is
network.@route[0].gateway='' < facing port on Edge
network.@route[0].type='local' < LEDE ignore it
network.@route[0].target='' < Edge other network with laptop.
network.@route[0].metric='1' < doesn't seem to matter

"It really sounds like what you want is a VLAN config"
Not really what I want, but I assume that's going to be required because LEDE can't associate zones with networks that are NOT directly connected, i.e. switch ports.
If it really requires this OS to be a router-on-a-stick VLAN solution, I might just use the Edge as the gateway and mothball the LEDE router or eBay it.
Hardware is Linksys 1900AC.

Thank you.

I updated the static route to have the target as (and reloaded networking) and it still won't enter the LEDE's routing table:

config route
option interface 'lan'
option netmask ''
option gateway ''
option type 'local'
option mtu '1500'
option metric '1'
option target ''

root@LEDERouter:/etc/config# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
ISP                                             UG    0      0        0 eth1 <wan
ISP                                             U     0      0        0 eth1 <wan
ISP                                             UH    0      0        0 eth1 <wan
                                                U     0      0        0 br-lan < lan

Before I updated to LEDE from OpenWRT it WOULD enter the routing table. Now it's not even doing that.
I wonder if this is some sort of bug.
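Added example (not from the thread and not an LEDE/OpenWrt tool): a small Python checker for a UCI `config route` stanza of the shape posted above. It flags the defects visible in the two posted stanzas, empty target/netmask/gateway values and `option type 'local'` on what should be a plain unicast next-hop route, and checks that the gateway actually lies on the interface's own subnet. The addresses 192.168.2.0/24 (the network behind router2), 192.168.1.2 (router2's lan-side address) and 192.168.1.1/24 (the LEDE lan) are assumptions filled in where the forum stripped them.

```python
import ipaddress
import re

# Constructed sample in the shape of the stanza posted above; the addresses are
# assumptions (192.168.2.0/24 behind router2, router2's lan-side address 192.168.1.2).
SAMPLE_STANZA = """
config route
        option interface 'lan'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'
        option type 'local'
        option mtu '1500'
        option metric '1'
        option target '192.168.2.0'
"""

def parse_route(uci_text):
    """Return {option: value} for the 'config route' section(s) in UCI text."""
    opts, in_route = {}, False
    for line in uci_text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            in_route = line.split()[1] == "route"
            continue
        m = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
        if in_route and m:
            opts[m.group(1)] = m.group(2)
    return opts

def check_route(opts, iface_cidr):
    """List what keeps a next-hop route out of the main table; [] means it looks sane."""
    target = opts.get("target", "")
    needed = ("target", "gateway") if "/" in target else ("target", "netmask", "gateway")
    problems = [f"{k} is empty" for k in needed if not opts.get(k)]
    if problems:
        return problems
    lan = ipaddress.ip_interface(iface_cidr).network
    gw = ipaddress.ip_address(opts["gateway"])
    cidr = target if "/" in target else f"{target}/{opts['netmask']}"
    dest = ipaddress.ip_network(cidr, strict=False)
    if gw not in lan:
        problems.append(f"gateway {gw} is not on {lan}, so '{opts.get('interface')}' cannot reach it")
    if dest.overlaps(lan):
        problems.append(f"target {dest} overlaps the interface's own subnet {lan}")
    if opts.get("type", "unicast") != "unicast":
        problems.append(f"type '{opts['type']}' is not a unicast next-hop route; drop the option")
    return problems

if __name__ == "__main__":
    print(check_route(parse_route(SAMPLE_STANZA), "192.168.1.1/24"))
```

The dnsmasq warning quoted earlier ("Ignoring query from non-local network") is a separate matter: dnsmasq's local-service mode (`option localservice` in /etc/config/dhcp on LEDE) only answers DNS queries from subnets that sit directly on one of its interfaces, which 192.168.2.0/24 does not.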

Your LEDE router probably believes that only 192.168.1.x is accessible via its LAN interface, and as such for security reasons it drops any IPs from another subnet. Your best bet is to do a VLAN setting for a second VLAN, create a new interface on LEDE connected to the VLAN, and give the LEDE box an ip in the 192.168.2.x range, then plug the second box into that port so it joins that VLAN... and set up a firewall rule for the appropriate forwarding. This should work fine.

Fixing the static route fixed the issue to some degree.
I had to set up dns forwarding on router2 but good enough.
Thank you.