AiFast/OpenWrt/SSRP/ADG DNS diversion/1st layer NAT configuration

This article discusses the configuration of Soft Router as the main router and OpenWrt as the side gateway. OpenWrt also provides DNS ad-blocking and domestic and foreign traffic diversion. The entire network is single-layer NAT and is set to full cone NAT for the operation of PCDN.

Network Environment#

  • Internal network:
  • External network: PPPoE dial-up
  • Soft Router:
  • OpenWrt:

Single-layer NAT Configuration#

Since Soft Router is the main router, it provides NAT for the entire internal network. Enable NAT1 type in Soft Router:


Enable UPnP in Soft Router and disable UPnP in OpenWrt.

Disable full cone NAT in OpenWrt, disable firewall dynamic masquerading, and enable forwarding.

OpenWrt's dynamic masquerading is NAT, and after enabling it, there will be an additional layer of NAT, so it must be turned off.

After turning off dynamic masquerading, ARP verification may cause inability to access the Internet. It has been tested that when Soft Router is the main router, it does not affect Internet access.

Delete the following firewall rules if they exist:

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

The above firewall rules are also dynamic masquerading and should be deleted.

After the settings are complete, restart OpenWrt.

Verify Single-layer NAT#

Through Soft Router terminal monitoring, if OpenWrt ( also provides NAT, it cannot see any traffic passing through other terminals in Soft Router. All traffic is sent to If it is not all sent to OpenWrt, it proves to be single-layer NAT.

At this time, only scientific traffic will be displayed in Soft Router through OpenWrt. Domestic traffic is displayed for each corresponding terminal.

Use Dual ADG with SSRP for Domestic and Foreign DNS Diversion#

Configure Dual ADG#

You need to know that this setting does not require SmartDNS and Turbo ACC DNS caching. If enabled, disable them all.

You can directly install luci-app-adguardhome on OpenWrt. After installation, configure the domestic version of ADG.

First, set the redirection mode as the upstream server for dnsmasq.

After entering the ADG management panel, set the domestic DNS. The upstream DNS server settings are as follows (for reference):

Set the Bootstrap DNS server to the local ISP DNS (backup Alibaba Cloud): are Shanghai Mobile DNS.

Set the speed limit to 0.

Next, configure the second ADG. You can use Docker or install ADG on the second virtual machine. I use the second machine ( to install ADG.

After installation, configure the DNS to be foreign DNS.

The upstream DNS server settings are as follows (for reference):

Set the Bootstrap DNS server to the local ISP DNS (backup Alibaba Cloud):

Disable IPv6 resolution (some airports in SSRP do not support IPv6, which may cause inability to access the Internet). There is no speed limit.

Now remember:

  • Domestic DNS: (the port set by ADG)
  • Foreign DNS:

Configure dnsmasq#

Go to OpenWrt's "Network" - "DHCP/DNS", and there should only be the address of ADG for DNS forwarding. In my case, it is, and there is no other forwarding.

Configure SSRP#

Configure as shown in the figure below:

SSRP Configuration

Select bypass China mainland IP, and fill in the foreign DNS with the foreign diversion ADG. Do not fill in the domestic DNS. If it is already filled in, select "Other" and leave it blank.

Go to "Status" and update the "GFW List" database and the "Domestic IP Range" database.

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.