ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router

2024-10-09 01:30:53 - last edited 2024-10-09 01:42:05
Tags: #NAT
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6 Build 20240718 Rel.82712

My ISP provides an all-in-one device and does not allow Bridge Mode for "security concerns". I have a business plan with a static public IP and very limited direct access to router configuration. Deep configuration changes cannot be done sometimes, and when they can be done it takes a while to get someone with expertise to make the change.

 

I have the ISP Router connected to the ER605 on WAN port 1 which I know creates a double NAT scenario. I have no device connected to the ISP router other than the ER605.

 

I have an OC200 controller which I used to set up my Omada site with 2 switches, and 2 APs. Connected to one of the switches I have a home server running an API exposed on port 3000.

 

Topology:

 

ISP Router -> ER605 Router LAN to WAN -> SG2218 Switch -> Server

 

The ISP Router is connected to the ER605's WAN port. The ER605 Router has the static IP 192.168.1.3 configured in the ISP router which can be seen in the ER605 configuration under the WAN menu:

  

The ISP Router has a DMZ configuration that has the ER605 as the DMZ host via the IP 192.168.1.3.

 

In the Omada SDN under Transmission -> NAT -> Port Forwarding I configured the following rule:

 

The server has a static IP so it will always have the destination IP in the configuration.

 

Connected to the ER605 Network

 

I can hit the API through ip 192.168.0.9

I can hit the API through ip 192.168.1.3

 

Connected to the ISP Router Network

 

I can hit the API through ip 192.168.0.9

I can hit the API through ip 192.168.1.3

 

From the Internet

 

Whenever I attempt to hit the API through my Static Public IP the request hangs until an ERR_CONNECTION_TIMED_OUT happens after a very long time.

 

Expected Flow

 

- ISP Router gets request to the Public IP on port 3000

- ISP Router redirects all traffic through DMZ configuration to the ER605 IP

- ER605 Should use its port forwarding rule to redirect traffic to the server on port 3000

- Server responds on browser

 

Expected Behaviour

 

- Double port forwarding: If I have a port forwarding rule for port N on ISP Router pointing to the ER605 IP and the same port forwarding rule on the ER605 then the request should be sent.

- DMZ + Port Forwarding: If I have the ISP Router configured to use the ER605 as the DMZ host and a port forwarding rule for port N on the ER605 then the request should be sent when the request comes from port N.

- Double DMZ: If I have the ISP Router configured to use the ER605 as the DMZ host and the ER605 configured to use the server as a DMZ host, the request should be sent to the server.

 

Troubleshooting Done Already

 

- Connecting server directly to ISP Router and configuring DMZ to IP of the server worked, proving that DMZ configuration on the ISP Router is working.

- Changing Port Forwarding rule on Omada to DMZ did not work and timed out as well.

- Disabling firewall on ISP Router with DMZ to ER605 did not work and timed out as well.

- Connecting Server directly to ER605 Router did not work and timed out as well, so nothing in the SG2218 switch is responsible.

- Everything in the Business Community -> Routers -> Virtual Services(Port Forwarding) on the Router Doesn't Take Effect article.

 

Previous Reading and Findings

 

I have read a lot of posts from this forum and other forums to no avail and this setup should work for a scenario where the ISP Router cannot be placed into Bridge Mode. I know that I have Double NAT but this means that if I want to do port forwarding it needs to be configured on both routers which I have tried through forwarding specific ports on both routers and setting DMZ on both routers. When I connect any device to the ISP Router, their port forwarding and DMZ rules work and I can access any device from the internet. Whenever I connect the device behind the ER605, directly or behind a switch, the device cannot be reached from the internet.

 

Main posts from TP-Link forums:

 

Virtual Services(Port Forwarding) on the Router Doesn't Take Effect

ER605 Port Forwarding will not work under Omada Software Controller

ER605 Port Forwarding to an ip on vlan

Port forwarding on ER605 v2

 

I have no idea how to move forward from this point. Some posts say people have had the same issue and managed to resolve it, but there is no information on how they did it.

Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
2024-10-09 01:45:27

Hi @marlrus 

Thanks for posting in our business forum.

Have you tested if your ISP router DMZ is working fine?

At least you DMZ and you should access the page of the router if your 80 and 443 are not duplicated.

 

Consider the disable NAT beta firmware in the label Solution. Please note it only applies to the standalone mode.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
2024-10-09 02:04:44

  @Clive_A Thank you Clive,

 

Yes, I have tested the ISP Router DMZ and mentioned it in the original post.

When I connect the server directly to the ISP router and configure DMZ or port forwarding, requests make it to the server.

 

As soon as I place the server behind the ER605, the request fails to make it to the server.

 

> Consider the disable NAT beta firmware in the label Solution. Please note it only applies to the standalone mode.

 

I'm using the OC200 for the Omada SDN so this would not apply.

Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
2024-10-09 02:15:16

Hi @marlrus 

Thanks for posting in our business forum.

marlrus wrote

> @Clive_A Thank you Clive,
>
> Yes, I have tested the ISP Router DMZ and mentioned it in the original post.
>
> When I connect the server directly to the ISP router and configure DMZ or port forwarding, requests make it to the server.
>
> As soon as I place the server behind the ER605, the request fails to make it to the server.
>
> > Consider the disable NAT beta firmware in the label Solution. Please note it only applies to the standalone mode.
>
> I'm using the OC200 for the Omada SDN so this would not apply.

As it is double-NAT, we don't have alternatives to fix it.

You may wait for the future firmware release when it supports disabling the NAT on the Omada Controller. See the timeline in the solution post.

Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
2024-10-09 13:18:22

  @Clive_A 

 

I removed the Router from the Omada Controller to have it standalone and changed the configuration you pointed out and it still didn't work.

 

There is no reason why a DMZ from the ISP Router to the ER605 should not work. Is there something I'm missing?

 

Posts from this forum stating that DMZ from Router 1 to Router 2 is the solution:

 

ER605 behind primary router - Not able to connect to OpenVPN

port forwarding on ER605

 

I've done exactly as pointed out in those 2 posts which should work. I've tested everything in the chain and it is something when connecting to the ER605 that is disallowing the forwarding.

Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
2024-10-09 22:33:08 - last edited 2024-10-09 23:01:00

I've continued to troubleshoot with the following:

 

- Disabling NAT following the article Disable NAT on Omada Router did not work.

 

I also don't want to disable NAT on the Router as I want the router to manage port forwarding and assign IP addresses to my devices. I want the router NAT and DHCP functionality of the ER605. Port forwarding not working for anything coming from outside the network is unrelated to disabling NAT.

 

- Configured Virtual Server in Standalone mode

 

I did the configuration to forward port 3000 to the server's IP and it did not work.

 

- Configured DMZ to Server in Standalone mode

 

I set the Server to be a DMZ host and it did not work.

 

- Configured Router in Standalone mode for Connection Type "Static IP"

 

I was unable to configure "Static IP" in the Omada controller at first as I always got the message "The IP range you set for the WAN port conflicts with the IP range of the other WAN port." which is an odd message considering I only have one WAN port. I changed the IP to a different one and configured the ISP router to the updated IP.

 

In Standalone mode I was able to configure "Static IP" using the same parameters I tried in the Omada Controller. Unfortunately, this did not solve the port forwarding issue.

 

I tested both DMZ and Virtual server scenarios after this configuration change and they did not work either.

Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
2024-10-11 13:48:12

Hi @Clive_A hope everything has been going well,

 

I've kept troubleshooting and have interesting updates that narrowed down the possibilities of what is wrong:

 

- After configuring NAT -> Port Forwarding and using "Port Checker" and "Port Check Tool" using port 3000, the website says the port is open.

- When I turn the Server off, both tools show the port is closed, meaning that there is a link there.

- Even though the port shows open, I see no traffic making it to the server on any route and there is no response for requests coming from outside the LAN.

 

I will keep digging later today, but maybe this is enough information to know what could be going wrong?

 

Again, this only happens when the server is behind the ER605 and not connected directly to the ISP modem.

 

Cheers!

Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
2024-10-12 01:25:09

Hi @marlrus 

Thanks for posting in our business forum.

marlrus wrote

> Hi @Clive_A hope everything has been going well,
>
> I've kept troubleshooting and have interesting updates that narrowed down the possibilities of what is wrong:
>
> - After configuring NAT -> Port Forwarding and using "Port Checker" and "Port Check Tool" using port 3000, the website says the port is open.
> - When I turn the Server off, both tools show the port is closed, meaning that there is a link there.
> - Even though the port shows open, I see no traffic making it to the server on any route and there is no response for requests coming from outside the LAN.
>
> I will keep digging later today, but maybe this is enough information to know what could be going wrong?
>
> Again, this only happens when the server is behind the ER605 and not connected directly to the ISP modem.
>
> Cheers!

Normal to see it is closed if your server is down. The port test or any of the tools are actually trying to make a connection to the port you test for its open status.

 

I cannot judge what might be wrong here. It now only seems to be a problem with the DMZ mechanism or NAT with your ISP modem router.

Our device might not be properly working in the double-NAT scenario as it is not designed to be so. I think disable NAT does not work either.

Know that different routers have different NAT types and might take different approaches to the NAT funnel. So, it does not mean you open the port and it'd work.

 

If you need to debug this further, make clear what kind of NAT type your ISP modem router is. Wireshark on the ISP modem WAN and LAN while testing the open ports. See if the request even travels through the NAT of your ISP router.

If you can get an iptables or NAT related stuff on your ISP router, that would be great.

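One way to narrow down where the connection dies in the chain discussed in this thread, given as an added example that is not part of any post: a probe that separates a silent drop (the ERR_CONNECTION_TIMED_OUT case) from a refusal, and a listener for the server that records the source address of every connection that really arrives. The function names and the `listen` argument are this example's own; port 3000 and the LAN addresses are the ones from the thread.

```python
import socket
import sys
import threading

def classify_connect(host, port, timeout=3.0):
    """Classify one TCP connect attempt as open / refused / timeout / unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"         # handshake completed: a listener answered via this address
    except ConnectionRefusedError:
        return "refused"      # RST came back: host reached, port not listening/forwarded
    except socket.timeout:
        return "timeout"      # SYN or reply silently dropped (ERR_CONNECTION_TIMED_OUT)
    except OSError:
        return "unreachable"  # no route, ICMP error, or unresolvable host
    finally:
        s.close()

def start_logging_listener(port=3000, bind="0.0.0.0"):
    """Accept connections and record the source address the server actually sees."""
    seen = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)

    def loop():
        while True:
            conn, peer = srv.accept()
            seen.append(peer)  # peer[0] is the source IP as seen after any NAT
            print(f"connection from {peer[0]}:{peer[1]}", flush=True)
            conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv, seen

if __name__ == "__main__":
    # "listen" on the server (stop the real API first so port 3000 is free),
    # or pass the addresses to probe from a client: 192.168.0.9 192.168.1.3 <public-ip>
    if sys.argv[1:] == ["listen"]:
        start_logging_listener()
        threading.Event().wait()
    for host in sys.argv[1:]:
        print(f"{host}:3000 -> {classify_connect(host, 3000)}")
```

Run the probe once from inside the LAN and once from an outside connection: a "timeout" on the public IP with no line printed by the listener means the packet was dropped before the server, while a printed line with no completed request points at the return path.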