Subnet configuration won't pass traffic to internet


I'm trying to set up a subnet and I'm stumped. Everything seems to work as expected except that clients on 10.10.3.x can't get to the internet. They can browse all other resources on any internal subnet. There are no firewall or NAT configurations on Router 3 yet. Everything on Router 3 is on the same VLAN.

All devices on 10.10.2.x have internet access.

I don't understand why Router 3 is sending traffic to Router 1 and apparently being routed internally but not externally.

My ultimate goal is to create subnets so I can better manage traffic locally and to the internet with firewalls.

Static Routes Configured:
Router 	   Destination	Mask	            Gateway	Interface
Router 1	LAN


root@Router3:~# vi /etc/config/firewall

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'

1 Like
  • Factory reset the MR8300.
  • Remove the MR8300 and substitute a C7.
  • factory reset everything
  • buy another C7

Upgrade all equipment to EA8300?


Seems like router 3 has no default gateway assigned to the wan port.


You need to add a static route on for the 10.10.3.x subnet since you have turned of NAT on

1 Like

Reasonable suggestions, we'll call that plan 'B'

1 Like

Interface configuration on Router 3

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option netmask ''
        option ip6assign '60'
        option ipaddr ''
        option gateway ''
        option broadcast ''
        list dns ''

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option gateway ''
        option broadcast ''

Default gateway is the LAN address of Router 1, is this incorrect?

1 Like

All your hostnames are the same which is creating contention.

lan gateway should be set to That router knows where 2.1 is to forward packets on that are not for your 3.1 subnet.
The problem is your subnet doesn't know how to reach 2.1 gateway since it is outside it's address space.
I would guess you have some routing tables cashed giving you false results, or your vlan is doing something unexpected.
But should have a static route to the 3.1 subnet. Then it will forward packets from that lans IP's to the 3.1 gateway, and forward your subnet to the 2.x network.


Thank you all for taking time to read and offer assistance. Turns out the issue was the subnet mask on Router 1 LAN. Changing the mask from to allowed Router 1 to route traffic back to 10.10.3.x. Not sure if this is the correct approach but it seemed to resolve my current issue.

1 Like

You just changed your two class C lans into one subset of a class B lan. They are now on the same lan.
What this will do is stop you from having two isolated networks. Changing all your 3.1 addresses to 2.x would have worked the same.
If you would like proof, change the 3.1 to a 10.10.6.x and it will be locked out again.
Glad it is working, but it is not doing what you think it is.
Lan routing works My LAN, then everything else goes out gateway.
Remember private IP lans are by design non-routable. Your 3.1 gateway should be masq'ing and forwarding packets to the 2.1 lan.

1 Like

It is not necessary to masquerade the 3.1 lan.

Using a static route on 2.1 to route traffic to 3.1 is the proper way to fix the original problem.


People shouldn't post at 5am before coffee. :wink:
I've been spoiled with real IP domains for to many years. Last time I sub-netted private domains was back in the 90's.
After that it has been to make isolated networks to not have traffic going out from isolate machines.

1 Like

Changing the subnet mask is not how to do it. You've just made the network larger so 10.10.2.X and 10.10.3.X are now in the same network. They're not separate at all.

There are two ways to do it.

Router 3 can forward to router 1 and not NAT, as long as router 1 knows that the way back to a IP is via router 3's IP on the .2 network. This involves adding a static route to router 1.

config route
    option target ''
    option gateway ''
    option interface 'lan'

The advantage of this method is that there is less load on Router 3's CPU since it doesn't have to keep track of a NAT table. The disadvantage is that machines on the .2 network can also reach the .3 network (their default route is router 1, which will use its route to unless some firewalling is done.

The other way is to have Router 3 NAT any Internet requests from its network to its IP and onward to Router 1. The advantage here is that no additional configuration of Router 1 is needed.


I've rolled back the mask on router 1 to so it' s not spanning subnets. I've added a NAT rule on Router 3 set

config nat
        option name 'Test Rule 1'
        list proto 'all'
        option src '*'
        option target 'MASQUERADE'

Clients on 10.10.3.x can now reach the internet as well as all resources internally.

Am I on the right track now?

That is one solution but double NAT is not ideal

If you want to try.

  1. Remove the NAT rule you just created on router 3.

  2. On router 1 use luci and go to
    Network -》Static Routes

  3. Select add to add a new static route

  4. Make these changes
    • Set Target:
    • Set Mask:
    • Set Gateway :

  5. Save and Apply

I have that in my original configuration, which has me confused.

Static Routes Configured:
Router 	   Destination	Mask	            Gateway	Interface
Router 1	LAN

What is the down side to using the NAT configuration? My goal is to create a subnet with firewalls so I can isolate some IoT devices. Will the NAT conflict with this or cause issues?

You wont be able to access the subnet without using port forwarding and It will get messy if You have multiple devices using the same port

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.