Trouble getting double NAT to work

Fellow OpenWrt users,

After years of hassle-free OpenWrt usage I've run into something which I can't seem to fix. I recently switched ISP; this ISP unfortunately supplied a modem/router/switch combo with no bridge mode.

As per instructions found here (https://openwrt.org/docs/guide-user/network/wan/dmz-based-bridge-mode) I configured a "double NAT" as follows:

ISP Modem (192.168.2.1) -> OpenWrt WAN interface with static address protocol (192.168.2.2) -> OpenWrt LAN interface (192.168.1.1) with gateway 192.168.2.1. This resulted in connectivity between subnets, and internet access for devices in the 192.168.1.x range.

Per instruction, set up DMZ on the ISP modem, confirmed it's not blocking traffic. Set up port forward rules on the OpenWrt device to devices in the 192.168.1.x range which I want to connect to from the internet.

However, I am unable to connect to these devices. Things I tried that did not work:

  • port forwards on the OpenWrt device to several devices in 192.168.1.x;
  • accepting all traffic on the WAN firewall zone;

Any advice for further troubleshooting? Much appreciated!

Has your ISP given you a public IP address, e.g. one which does not start with 100 or 10?

And to be clear, you set this IP at the DMZ?

How did you confirm?

  • How did you test - from what network?
  • Are you able to reach them from a test device connected to the ISP device's 192.168.2.0/24 network, to 192.168.2.2:xxxxx? This test will confirm the OpenWrt port forward actually works.

To be clear, you only set this on the OpenWrt's WAN config, correct?

That is correct, starts with 91.

Yes, I did.

With Nmap, running a port scan on the public IP of the ISP modem from a 5G phone network.

Same 5G phone network

Did not test this, will try later today.

On the WAN and on the LAN interface - could that be an issue?

Thanks in advance for your help. :pray:

It could.

  • That IP doesn't exist on the LAN interface
  • The router knows to send traffic to WAN, so under normal circumstances you wouldn't set gateways on [local] interfaces without Internet :wink:
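The last reply's point can be checked mechanically. This is an added example, not from the thread: a small shell function that reads an OpenWrt `network` config and reports any `option gateway` set on an interface other than the upstream one, and whether that gateway is even inside the interface's own subnet. The names `sample_config` and `find_stray_gateways` are hypothetical, the sample config is constructed from the addresses in the first post, and dotted-quad `netmask` options are assumed.

```shell
#!/bin/sh
# Added example: find gateways set on interfaces that are not the upstream (WAN) one.

# Constructed sample: the setup from the first post, gateway set on WAN and on LAN.
sample_config() {
cat <<'EOF'
config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'

config interface 'wan'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.2.1'
EOF
}

# find_stray_gateways UPSTREAM
# Reads a UCI network config on stdin. For every interface except UPSTREAM that
# has a gateway, prints: <interface> <gateway> <on-link|off-link>
find_stray_gateways() {
	awk -v up="$1" -v q="'" '
		# Compare per octet: 256 - mask octet is the block size for that octet.
		function same_net(ip, gw, mask,   a, b, m, i, blk) {
			split(ip, a, "."); split(gw, b, "."); split(mask, m, ".")
			for (i = 1; i <= 4; i++) {
				blk = 256 - m[i]
				if (int(a[i] / blk) != int(b[i] / blk)) return 0
			}
			return 1
		}
		# Options may come in any order, so report once a section is complete.
		function report() {
			if (iface == "" || gw == "" || iface == up) return
			print iface, gw, (same_net(ip, gw, mask) ? "on-link" : "off-link")
		}
		{ gsub(q, ""); gsub(/"/, "") }
		$1 == "config" { report(); iface = ($2 == "interface") ? $3 : ""; ip = gw = mask = ""; next }
		$1 == "option" && $2 == "ipaddr"  { ip = $3 }
		$1 == "option" && $2 == "netmask" { mask = $3 }
		$1 == "option" && $2 == "gateway" { gw = $3 }
		END { report() }
	'
}

sample_config | find_stray_gateways wan
```

On the router itself the same function can be fed the real file with `find_stray_gateways wan < /etc/config/network`; an `off-link` result means the gateway address is not reachable on that interface's subnet.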