Router cascade w/o double NAT

[cmonty14]

Hello,
based on this tutorial I started a setup of router cascade w/o double NAT.

This means primary router is setup with disabled NAT and additional routing rules.
The visualization would look like this:
clients ↔ OpenWRT router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet

Actually the clients are represented in a LAN subnet (172.16.1.0/24) and DMZ subnet (172.16.11.0/24).

This works as expected.

Now I want to connect a secondary router to a free NIC of the primary router. This secondary router provides multiple subnets, e.g. Office, Guest, IoT.

The visualization would look like this:
clients ↔ OPNsense router (no NAT) ↔routing rules ↔OpenWRT router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet

The secondary router's LAN subnet is identical to primary router's LAN: 172.16.1.0/24.
This subnet is only for router access (SSH and HTTPS).

As a result the following IPs are assigned:
primary router:
LAN: 172.16.1.1/24
DMZ: 172.16.11.1/24
eth1: 172.16.0.1/30
WAN: 192.168.1.2/24
secondary router:
LAN: 172.16.1.2/24
Office: 172.21.10.1/24 (VLAN)
Guest: 172.21.20.1/24 (VLAN)
WAN: 172.16.0.2/30

The current issue is:
No internet access from secondary router, means I cannot upgrade software packages.
The error message is this:

Code: [Select]

[thomas@lou ~]$ sudo pkg update
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Connection refused
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Connection refused
Unable to update repository OPNsense
Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: Connection refused
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: Connection refused
Unable to update repository mimugmail
Error updating repositories!
DNS on secondary router is (obviously) working, though.

I wonder which route secondary router should take when accessing internet?
Executing traceroute shows this:

Code: [Select]

[thomas@lou ~]$ sudo traceroute openwrt.org
traceroute to openwrt.org (139.59.209.225), 64 hops max, 40 byte packets
1 172.16.0.1 (172.16.0.1) 0.538 ms 0.433 ms 0.355 ms
2 172.16.0.1 (172.16.0.1) 0.355 ms 0.443 ms 0.392 ms
This means secondary router is not using default route of primary router. This is routing table of primary router:

Code: [Select]

root@eddie:~# ip route
default via 192.168.1.1 dev wan src 192.168.1.2
172.16.0.0/30 dev lan5 scope link src 172.16.0.1
172.16.1.0/24 dev lan2 scope link src 172.16.1.1
172.16.11.0/24 dev lan4 scope link src 172.16.11.1
172.21.0.0/16 via 172.16.0.2 dev lan5 onlink
192.168.1.0/24 dev wan scope link src 192.168.1.2
I don't understand how network traffic on this subnet would be routed to WAN interface of primary router.
Can you please advise how to troubleshoot this issue?