Forum Discussion
hensed
Jan 01, 2018, Tutor
Cannot reach WAN ports from LAN
Hi all, I have been seaching thru the forums but have not found a discussion that is exactly my issue. I have setup an Orbi router and satellite and everything is working great...except for one t...
guzzijason
Jan 01, 2018, Apprentice
Actually, I just replicated your problem. In my (working) example, I was not using a "default DMZ" (kept it disabled), but instead, added an explicit port forwarding rule to forward port 80 to the internal webserver. HOWEVER, if I remove the port forwarding rule and enable the default DMZ (using the same internal server), then I see the same behavior as you - external hosts can hit the NAT on port 80, but an internal client cannot.
The tcpdump that I mentioned before shows the connection from client -> NAT, but that's it.
IMHO, I'm not a fan of the default DMZ option. First off, it's not *really* a DMZ. For security purposes, a DMZ is normally on a separate network from your internal LAN, so that if the server in the DMZ gets compromised, it won't jeopardize your internal hosts. I don't see that being the case here. Also, the default DMZ option seems to forward *all* ports to the internal server, rather than just the webserver port. This could inadvertently expose you to other security issues if you aren't careful.
IMHO, kill the default DMZ (I'm assuming you have it enabled) and instead, build specific port forwarding rules as needed.
hensed
Jan 01, 2018, Tutor
Thanks for the quick help from everyone. "NAT Loopback" was the name I was looking for, as I knew there was a name for it. Since it is just for the sake of being able to use one address that works internally and externally, I've decided to add a DNS entry that just routes to the internal address.
Funny though, the $5 Router I was using did not have this issue...but I guess this is Netgear trying to protect my network. A loopback setting would be a nice update! LOL
- guzzijason, Jan 01, 2018, Apprentice
Well, as I mentioned, the Orbi works perfectly fine if you're doing standard NAT port forwarding from the WAN interface. It's the dubious "Default DMZ" option that seems to be the problem (at least, in my testing). And just to re-state my previous opinion, the default DMZ "feature" is a security disaster waiting to happen, so I would avoid it at all costs. I'm actually surprised they provide such a feature. If you want a real DMZ, buy a real firewall. The DMZ feature of the Orbi is sadly just smoke & mirrors. Just my 2¢ though, so take it for what it's worth. At any rate, happy to hear you found a workable solution.
- hensed, Jan 01, 2018, Tutor
Oh no, I was not ignoring your warnings about the supposed "DMZ" feature of the Orbi. I could tell when I set it up that things were funky, but relieved that I was able to get everything working (VPN, HA, Web, cloud, etc...). I only did not comment on it because my server has a firewall built-in. It opens up the ports it needs automatically when services are active, so I wasn't too worried about having it exposed. But your comments led me directly to my solution so I have you to thank again for the help!
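A small model of the behaviour the posters describe, added here as an illustration and not code from the thread or from NETGEAR: it contrasts the exposure of an explicit port-forward rule with the "default DMZ" (every port lands on the internal host), reproduces the missing NAT loopback symptom (a LAN client's SYN to the WAN address is dropped), and shows why the split-horizon DNS workaround sidesteps it. All addresses and the hostname are constructed placeholders.

```python
from dataclasses import dataclass, field

WAN_IP = "203.0.113.10"   # constructed public address of the router
LAN_NET = "192.168.1."    # constructed LAN prefix
SERVER = "192.168.1.50"   # constructed internal web server address
PUBLIC_NAME = "www.example.com"  # constructed hostname used inside and outside


@dataclass
class Router:
    """Inbound policy of a consumer NAT router, as described in the thread."""
    forwards: dict = field(default_factory=dict)  # dport -> internal host
    dmz_host: str = ""                            # "default DMZ" target, "" = disabled
    hairpin: bool = False                         # NAT loopback support

    def route(self, src, dst, dport):
        """Where a TCP SYN from src to dst:dport ends up, or 'drop'."""
        if dst != WAN_IP:
            return dst  # LAN-to-LAN traffic is switched, never touches NAT
        if src.startswith(LAN_NET) and not self.hairpin:
            # The symptom seen in tcpdump: SYN reaches the NAT, nothing comes back.
            return "drop"
        if dport in self.forwards:
            return self.forwards[dport]   # explicit rule: only this port
        if self.dmz_host:
            return self.dmz_host          # DMZ: every other port, too
        return "drop"


def exposed_ports(router, ports=range(1, 65536)):
    """Internet-reachable ports that reach an internal host (attack surface)."""
    return {p for p in ports if router.route("198.51.100.7", WAN_IP, p) != "drop"}


def resolve(name, client_ip):
    """Split-horizon DNS: LAN clients get the internal address directly."""
    if name != PUBLIC_NAME:
        raise KeyError(name)
    return SERVER if client_ip.startswith(LAN_NET) else WAN_IP


if __name__ == "__main__":
    dmz = Router(dmz_host=SERVER)
    print("port-forward exposes:", exposed_ports(Router(forwards={80: SERVER})))
    print("default DMZ exposes:", len(exposed_ports(dmz)), "ports")
    print("LAN client -> WAN IP:", dmz.route("192.168.1.20", WAN_IP, 80))
    print("LAN client via split DNS:",
          dmz.route("192.168.1.20", resolve(PUBLIC_NAME, "192.168.1.20"), 80))
```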