ER605 / 7206 - DMZ not working properly and long-winded workaround
DMZ on the ER605 and 7206 routers doesn't seem to work as expected.
On all other router brands, including TP-Link "home grade" routers, setting an IP address as a DMZ host / target automatically exposes the selected host to the public IP, so you don't have to forward lots of ports (e.g., if the target is a VPN server) through the primary gateway.
However, on ER605 and ER7206 this doesn't seem to function at all - traffic reaches the target device but is blocked by the ER's firewall (I think) on the return path.
For example, I was testing setting an ER7206 as DMZ target through an ER605 (to utilize the ER7206's much higher throughput VPN capability on a completely separate subnet with a NAS as the final target for VPN access).
I have been able to get it to work, however, with the following steps on the ER605:
1) Set intended IP as DMZ in NAT DMZ list section
2) Manually forward all necessary VPN ports to target IP (1723 tcp, 1701 udp, 4500 udp, 500 udp) in Virtual Servers
3) Add the DMZ target IP to an IP Group (DMZ_grp)
4) Add an ACL for DMZ_Grp WAN-IN set to allow
5) Add an ACL for DMZ_Grp LAN > WAN set to allow
VPNs now tunnel through the ER605 correctly.
I have also tried this in reverse with the ER7206 as gateway and ER605 as the target, and had to apply the exact same config on the ER7206 for it to work.
Tested on ER605 v2 firmware 2.0.0, 2.0.1 and 2.0.2 beta and ER7206 firmware 1.1.1, 1.2.0, 1.2.1 and 1.2.2 beta (factory reset each time).
Hopefully this is of use to someone and TP-Link support.
Screenshots of config below
This really should not be necessary; all we should have to do is set the target in the DMZ host section.