NAT or no-NAT — what the firetruck?

I have to admit defeat. Yes, I’m out of ideas currently …

Thing is: I have three TL MR-3020 (well, 2 3020 and one 3040 right now, but they should be identical except for the lack of buttons and the existence of a battery in the 3040 case), all running, installed from a local copy of the repository, …

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 ATTITUDE ADJUSTMENT (Bleeding Edge, r32930)
 -----------------------------------------------------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice

Illustration of the setup

… and each of them has one USB 3G dongle attached. They are linked via WiFi to another 3020 that runs OpenVPN and acts as the AP; each of the aforementioned 3020/3040 with 3G has a link open into one of the (local) major GSM networks (Telekom (D1), Vodafone (D2) and o2 (O2)). The OpenVPN-3020 has links to three public IPs of one host out there that serves as the OpenVPN hub — each of these links runs statically over one of the 3G boxes. (Rationale: I want to have an access point that is as connected as possible in the train, i.e. by means of the OLSR protocol running over the OpenVPN links over the 3G connections, if there is any connection working at all at any given point in time, the Optimized Link State Routing will ensure that the access point’s network stays connected.)

tcpdump

The current issue at hand is this: all 3G routers are set to do SNAT (masquerading to be precise) on anything leaving the box via their 3G interface (funnily named 3g-wwan in OpenWRT). All but one do as ordered; that one refuses to properly masquerade all traffic, or, to be more precise: it insists on not masquerading the OpenVPN traffic coming from the OpenVPN node. All other traffic destined to the only destination reachable via that 3G link, from any of the connected boxes, is properly NATed — see traceroute screenshot for details.
So, while the OpenVPN node is trying to reach out to its counterpart in the public Internet via that 3G link, the node refuses to masquerade this traffic, which then in turn gets killed by the (O2) mobile network’s routers because the source address is alien to that network. Doing a telnet to destination and port from the OpenVPN box, it gets properly NATed and I get a connection refused ICMP back. Trying to traceroute to the destination results in … proper NATing/masquerading as well. Only the only needed traffic, the one from the OpenVPN node, is not touched at all.
I even shut down the weird firewalling of OpenWRT and tried iptables manually — to no avail: the traffic from the OpenVPN node is not NATed, anything else is.

This seems to happen only sporadically; I could reproduce this issue on 3 out of 5 reboots so far. Any idea on how to resolve — or even programmatically detect (to issue a reboot) — this would be very much appreciated …
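
One way to detect the condition programmatically, as an added example that is not part of the original post. It assumes the cause is a connection-tracking entry for the OpenVPN flow that was created without SNAT (the nat table is consulted only for the first packet of a tracked flow, so new telnet or traceroute flows get masqueraded while the long-lived OpenVPN flow does not); the hub and WAN addresses, the script name `natcheck.sh` and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the failure is a
# conntrack entry for the OpenVPN flow that was created without SNAT.

# find_unnatted HUB_IP WAN_IP
# Reads conntrack lines on stdin (format of /proc/net/nf_conntrack) and prints
# every flow to HUB_IP whose reply tuple still targets the internal source
# address, meaning it leaves the 3G interface without masquerading.
find_unnatted() {
    awk -v hub="$1" -v wan="$2" '
    {
        n = 0; sport = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)      { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
            else if (($i ~ /^sport=/) && sport == "") { sport = substr($i, 7) }
            else if (($i ~ /^dport=/) && dport == "") { dport = substr($i, 7) }
        }
        # Tuple 1 is the original direction, tuple 2 the expected reply.
        # A masqueraded flow has dst[2] == WAN address; an un-NATed one
        # has dst[2] == src[1].
        if (n >= 2 && dst[1] == hub && src[1] != wan && dst[2] == src[1])
            print src[1] ":" sport " -> " dst[1] ":" dport
    }'
}

# Constructed sample: the first flow is masqueraded, the second is not.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 tcp      6 110 TIME_WAIT src=192.168.1.20 dst=203.0.113.10 sport=40112 dport=1194 src=203.0.113.10 dst=10.64.0.2 sport=1194 dport=40112 [ASSURED] use=2
ipv4     2 udp      17 175 src=192.168.1.20 dst=203.0.113.10 sport=1194 dport=1194 [UNREPLIED] src=203.0.113.10 dst=192.168.1.20 sport=1194 dport=1194 use=2
EOF
}

# Usage on the router: sh natcheck.sh --check HUB_IP WAN_IP
if [ "${1:-}" = "--check" ]; then
    bad=$(find_unnatted "$2" "$3" < /proc/net/nf_conntrack)
    [ -z "$bad" ] && exit 0
    logger -t natcheck "un-NATed flow: $bad"
    exit 1
fi
```

A non-zero exit status from `--check` can drive the reboot the post has in mind, for example from a cron job on the affected 3G router.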