
brief-actuator
Dec 11, 2025
Solved

CAX80 v5.1.1.8 Firewall Blocking HTTPS API Traffic - DMZ Confirmed

Hi all,

I'm experiencing a firewall bug on my CAX80 (firmware v5.1.1.8) that's blocking HTTPS API calls to legitimate services (specifically api.anthropic.com for Claude AI/Claude Code).

Symptoms:

  • API connections consistently fail on home WiFi, while same connections work perfectly on cellular hotspot
  • Issue started intermittently, now persistent
  • Internet speed normal (675 Mbps down / 28.6 Mbps up, Comcast)

Extensive troubleshooting completed:

  • Disabled IPv6 (temporarily helped, then broke again)
  • Disabled DoS Protection and Port Scan in WAN Setup
  • Changed DNS to 8.8.8.8 / 8.8.4.4
  • Tested with VPN (still failed - rules out ISP filtering)
  • DMZ test: Placed computer in Default DMZ Server - API calls work perfectly

Conclusion: The DMZ test definitively proves the CAX80's firewall is incorrectly blocking legitimate encrypted API traffic. This is not an ISP, endpoint security, or configuration issue.

Questions:

  1. Is there firmware beyond v5.1.1.8 that fixes this firewall bug? (Router says no updates available)
  2. Are beta firmware versions available for testing?
  3. What specific firewall settings should be adjusted beyond disabling DoS/Port Scan?

Permanently running in DMZ isn't an option from a security standpoint. My support/warranty expired so I can't contact paid support. Any help/guidance is much appreciated! 

9 Replies

  • CrimpOn
    Guru - Experienced User

    Confused.  On Spectrum in the US, I entered https://api.anthropic.com into the Edge browser and got this:

    Same results with other browsers. (Brave, Chrome, Opera, etc.)  My guess is that this URL is not supposed to lead to a web page, but rather to a programming interface? (api?)

    • StephenB
      Guru - Experienced User
      CrimpOn wrote:

      Confused. 

      Read this:

      This is not a web page, it is a RESTful API that allows developers to access cloud-based Claude models from their applications.

      FURRYe38 wrote:

      Is SIP ALG enabled on the modem?

      I don't think this will matter in this situation, but generally it should be disabled.

      FURRYe38 wrote:

      Look up what ports are used by your API traffic

      RESTful APIs use HTTP/HTTPS messages, on the normal ports.  HTTPS in this case, so port 443.  There is also account authentication, which I believe does a callback on port 54545.

      @brief-actuator: Have you tried forwarding these two ports to the PC you are using?

      If that doesn't work, I suggest taking a Wireshark trace with the PC in the DMZ, and see if there are other ports being used.
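Before or alongside a packet trace, it helps to know which stage of the connection fails from behind the CAX80. The following is an added example, not part of the thread: a Python probe that walks DNS, TCP, TLS and one HTTP request to the API host, separately over IPv4 and IPv6. The function name `probe` and the `HEAD /` request are choices made for this example.

```python
import socket
import ssl
import sys

def probe(host, port=443, family=0, timeout=5.0):
    """Return [(stage, ok, detail), ...], stopping at the first failed stage."""
    results = []
    # Stage 1: DNS. A failure here points at the resolver, not the firewall.
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        return [("dns", False, str(exc))]
    results.append(("dns", True, addr[0]))
    # Stage 2: TCP handshake. A timeout or refusal here means the SYN never
    # completed, so the problem is below TLS.
    try:
        sock = socket.create_connection(addr[:2], timeout=timeout)
    except OSError as exc:
        return results + [("tcp", False, str(exc))]
    results.append(("tcp", True, "connected"))
    # Stage 3: TLS handshake with normal certificate validation.
    try:
        tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        sock.close()
        return results + [("tls", False, str(exc) or type(exc).__name__)]
    results.append(("tls", True, tls.version()))
    # Stage 4: one HTTP request; any status line means the full path works.
    try:
        tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        status = tls.recv(256).split(b"\r\n", 1)[0].decode(errors="replace")
        results.append(("http", bool(status), status or "closed without a response"))
    except OSError as exc:
        results.append(("http", False, str(exc)))
    finally:
        tls.close()
    return results

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "api.anthropic.com"
    for label, fam in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        for stage, ok, detail in probe(target, family=fam):
            print(f"{label} {stage:4} {'ok  ' if ok else 'FAIL'} {detail}")
```

Run it once normally and once with the machine in the Default DMZ Server; the first stage that differs between the two runs is where the trace should focus.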

  • FURRYe38
    Guru - Experienced User

    What region are you located in?

    Who is your ISP?

    Is SIP ALG enabled on the modem?

    Something to contact NG about.

    Something to contact NG support about.

    Look up what ports are used by your API traffic and input that into Port Forwarding or Port Triggering configuration. If you try this, be sure to disable UPnP beforehand.

    • Hi FURRYe38 - SIP ALG is currently disabled in WAN Setup (I disabled it during earlier troubleshooting). In terms of contacting support - my warranty expired and they want $100/yr for support, so I'm hoping to find a workaround here first, or confirmation that beta firmware exists that fixes this issue.

      I'll check if UPnP is enabled and try disabling it before testing port forwarding - thanks for the suggestion!

      • FURRYe38
        Guru - Experienced User

        No beta that I'm aware of, however you seem to be the only one posting about this. 

  • StephenB
    Guru - Experienced User
    brief-actuator wrote:

    DMZ test: Placed computer in Default DMZ Server - API calls work perfectly

    Did you try just forwarding port 443 to the PC?

    You might also need to forward 54545 (used for OAuth callback during login).

    Also, do you have UPnP enabled in the CAX80?

    • StephenB  Thanks for the suggestion! I can try forwarding 443 and 54545 to my Mac.

      Quick question: Should I use Port Forwarding or Port Triggering for this? And do I need both inbound/outbound rules or just inbound?

      • StephenB
        Guru - Experienced User
        brief-actuator wrote:

        Quick question: Should I use Port Forwarding or Port Triggering for this?

        I suggest port forwarding

        brief-actuator wrote:

        And do I need both inbound/outbound rules or just inbound?

        Just inbound.  Outbound connections aren't filtered.