hensed
Jan 01, 2018, Tutor
Cannot reach WAN ports from LAN
Hi all, I have been searching through the forums but have not found a discussion that is exactly my issue. I have setup an Orbi router and satellite and everything is working great...except for one t...
guzzijason
Jan 01, 2018, Apprentice
I just set up a port forward on my Orbi router, and it seems to be working OK (I'm on V2.0.0.76 firmware, FWIW). Hitting the external router interface, I can load a web page on an internal server just fine from inside the network.
My initial thought is that this is some sort of routing issue, but it's hard to say.
If you telnet into the CLI interface on the Orbi router, and run (assuming your server is running on port 80):
tcpdump -i br0 port 80
... and then try to test it from your internal host, you should be able to see the traffic from client -> external NAT address, then NAT -> internal server, and the response packets should follow the same path in reverse. If you're not seeing both legs of the connection flowing in both directions, then it's most likely some sort of routing or maybe ACL issue.
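The "both legs in both directions" check above can be scripted rather than eyeballed. The following is an added example, not code from the thread or from NETGEAR: it parses tcpdump's default IPv4 summary lines and reports which of the four legs (client -> NAT address, NAT -> server, server -> NAT, NAT -> client) appear. The capture lines and the addresses (client 192.168.1.50, router WAN 203.0.113.10, router LAN 192.168.1.1, web server 192.168.1.20) are constructed for the example; the "working" capture assumes the router also rewrites the source to its own LAN address on the hairpin leg, which is the usual way NAT loopback is implemented and not something the thread states about the Orbi.

```python
import re

# Matches the "host.port > host.port:" prefix tcpdump prints for IPv4 TCP/UDP packets.
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_capture(lines):
    """Yield (src, sport, dst, dport) for each packet summary; other lines are skipped."""
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def check_legs(lines, client, nat_addr, server, port=80):
    """Return which legs of a loopback-forwarded connection were seen on the LAN bridge."""
    legs = {"client_to_nat": False, "nat_to_server": False,
            "server_to_nat": False, "nat_to_client": False}
    for src, sport, dst, dport in parse_capture(lines):
        if src == client and dst == nat_addr and dport == port:
            legs["client_to_nat"] = True
        elif dst == server and dport == port:
            # Source may be the client (plain DNAT) or the router's LAN address (DNAT+SNAT).
            legs["nat_to_server"] = True
        elif src == server and sport == port:
            legs["server_to_nat"] = True
        elif src == nat_addr and sport == port and dst == client:
            legs["nat_to_client"] = True
    return legs


def diagnose(legs):
    """One-line verdict in the spirit of the post: forwarding works, or which leg is missing."""
    missing = [name for name, seen in legs.items() if not seen]
    if not missing:
        return "all four legs seen: loopback forwarding is working"
    if legs["client_to_nat"] and not legs["nat_to_server"]:
        return ("client reaches the NAT address but the router never forwards it: "
                "the router is not translating LAN-originated traffic to its WAN address")
    return "missing legs: " + ", ".join(missing)


# Constructed captures in tcpdump's default output format (not from a real device).
WORKING_CAPTURE = [
    "12:00:01.000100 IP 192.168.1.50.51234 > 203.0.113.10.80: Flags [S], seq 0, win 64240, length 0",
    "12:00:01.000200 IP 192.168.1.1.51234 > 192.168.1.20.80: Flags [S], seq 0, win 64240, length 0",
    "12:00:01.000300 IP 192.168.1.20.80 > 192.168.1.1.51234: Flags [S.], seq 0, ack 1, win 65160, length 0",
    "12:00:01.000400 IP 203.0.113.10.80 > 192.168.1.50.51234: Flags [S.], seq 0, ack 1, win 65160, length 0",
]
BROKEN_CAPTURE = [
    "12:00:01.000100 IP 192.168.1.50.51234 > 203.0.113.10.80: Flags [S], seq 0, win 64240, length 0",
    "12:00:02.000100 IP 192.168.1.50.51234 > 203.0.113.10.80: Flags [S], seq 0, win 64240, length 0",
]

if __name__ == "__main__":
    for name, cap in (("working", WORKING_CAPTURE), ("broken", BROKEN_CAPTURE)):
        legs = check_legs(cap, "192.168.1.50", "203.0.113.10", "192.168.1.20")
        print(name, legs, "->", diagnose(legs))
```

Feed it the output of `tcpdump -i br0 port 80 -n` (the `-n` keeps addresses numeric so the regex matches) captured from the router's CLI; the broken capture above is what the later posts in this thread describe, a SYN and its retransmit with nothing forwarded.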
- guzzijason, Jan 01, 2018, Apprentice
Actually, I just replicated your problem. In my (working) example, I was not using a "default DMZ" (kept it disabled), but instead, added an explicit port forwarding rule to forward port 80 to the internal webserver. HOWEVER, if I remove the port forwarding rule and enable the default DMZ (using the same internal server), then I see the same behavior as you - external hosts can hit the NAT on port 80, but an internal client cannot.
The tcpdump that I mentioned before shows the connection from client -> NAT, but that's it.
IMHO, I'm not a fan of the default DMZ option. First off, it's not *really* a DMZ. For security purposes, a DMZ is normally on a separate network than your internal LAN, so that if the server in the DMZ gets compromised, it won't jeopardize your internal hosts. I don't see that being the case here. Also, the default DMZ option seems to forward *all* ports to the internal server, rather than just the webserver port. This could inadvertently expose you to other security issues if you aren't careful. IMHO, kill the default DMZ (I'm assuming you have it enabled) and instead, build specific port forwarding rules as-needed.
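The two points in the post above (a "default DMZ" host answers on every port, and only explicit port forwards were reachable from the LAN) can be made concrete with a small model of the router's NAT decision. This is an added example, not the Orbi's firmware logic or any NETGEAR code: it mirrors the behaviour the post reports (explicit forwards work from both sides, the DMZ catch-all only answers WAN-side traffic) and assumes, as most hairpin-NAT implementations do, that LAN-originated traffic is also rewritten to the router's LAN address so the server's reply returns through the router. Addresses and policies are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed addresses (documentation/private ranges), not taken from the thread.
WAN_IP = "203.0.113.10"
ROUTER_LAN_IP = "192.168.1.1"
WEB_SERVER = "192.168.1.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    from_lan: bool  # True if the packet arrived on the LAN bridge rather than the WAN port


@dataclass
class NatPolicy:
    port_forwards: Dict[int, str] = field(default_factory=dict)  # external port -> internal host
    dmz_host: Optional[str] = None  # "default DMZ": every port without a rule goes here


def translate(policy: NatPolicy, pkt: Packet) -> Optional[Tuple[str, str]]:
    """Return (new_src, new_dst) after the router's NAT decision, or None if not forwarded."""
    if pkt.dst != WAN_IP:
        return None  # not aimed at the public address: plain routing, out of scope here
    target = policy.port_forwards.get(pkt.dport)
    if target is None and not pkt.from_lan:
        # The DMZ catch-all is consulted for WAN-side traffic only; this is the asymmetry
        # observed in the thread (LAN client -> WAN address stops at the router).
        target = policy.dmz_host
    if target is None:
        return None  # no rule, no DMZ: dropped at the edge
    # Hairpin case: also rewrite the source so the server replies via the router,
    # not directly to a client that is expecting an answer from WAN_IP.
    new_src = ROUTER_LAN_IP if pkt.from_lan else pkt.src
    return new_src, target


def exposed_ports(policy: NatPolicy, probe_ports) -> set:
    """Ports on which a WAN-side host reaches some internal host under this policy."""
    return {p for p in probe_ports
            if translate(policy, Packet("198.51.100.7", WAN_IP, p, from_lan=False)) is not None}


# Two constructed policies: the recommended one and the "default DMZ" one.
PORT_FORWARD_ONLY = NatPolicy(port_forwards={80: WEB_SERVER})
DEFAULT_DMZ = NatPolicy(dmz_host=WEB_SERVER)
PROBE_PORTS = [22, 80, 443, 3389, 5900]

if __name__ == "__main__":
    print("exposed with explicit forward:", sorted(exposed_ports(PORT_FORWARD_ONLY, PROBE_PORTS)))
    print("exposed with default DMZ:     ", sorted(exposed_ports(DEFAULT_DMZ, PROBE_PORTS)))
    lan_client = Packet("192.168.1.50", WAN_IP, 80, from_lan=True)
    print("LAN -> WAN:80 with forward:", translate(PORT_FORWARD_ONLY, lan_client))
    print("LAN -> WAN:80 with DMZ:    ", translate(DEFAULT_DMZ, lan_client))
```

The `exposed_ports` difference is the security point: with the DMZ, anything listening on the internal host, whether you meant to publish it or not, is reachable from the Internet, while the explicit rule publishes exactly one port.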
- hensed, Jan 01, 2018, Tutor
Thanks for the quick help from everyone. "NAT Loopback" was the name I was looking for, as I knew there was a name for it. Since it is just for the sake of being able to use one address that works internally and externally, I've decided to add a DNS entry that just routes to the internal address.
Funny though, the $5 Router I was using did not have this issue...but I guess this is Netgear trying to protect my network. A loopback setting would be a nice update! LOL
- guzzijason, Jan 01, 2018, Apprentice
Well, as I mentioned, the Orbi works perfectly fine if you're doing standard NAT port forwarding from the WAN interface. It's the dubious "Default DMZ" option that seems to be the problem (at least, in my testing). And just to re-state my previous opinion, the default DMZ "feature" is a security disaster waiting to happen, so I would avoid it at all costs. I'm actually surprised they provide such a feature. If you want a real DMZ, buy a real firewall. The DMZ feature of the Orbi is sadly just smoke & mirrors. Just my 2¢ though, so take it for what it's worth. At any rate, happy to hear you found a workable solution.