Cannot reach WAN ports from LAN

I just set up a port forward on my Orbi router, and it seems to be working OK (I'm on V2.0.0.76 firmware, FWIW). Hitting the external router interface, I can load a web page on an internal server just fine from inside the network.

My initial thought is that this is some sort of routing issue, but it's hard to say.

If you telnet into the CLI interface on the Orbi router, and run (assuming your server is running on port 80):

tcpdump -i br0 port 80

... and then try to test it from your internal host, you should be able to see the traffic from client -> external NAT address, then NAT -> internal server, and the response packets should follow the same path in reverse. If you're not seeing both legs of the conection flowing in both directions, then it's most likely some sort of routing or maybe ACL issue.

Actually, I just replicated your problem. In my (working) example, I was not using a "default DMZ" (kept it disabled), but instead, added an explicit port forwarding rule to forward port 80 to the internal webserver. HOWEVER, if I remoe the port forwarding rule and enable the default DMZ (using the same internal server), then I see the same behavior as you - external hosts can hit the NAT on port 80, but an internal client canot.

The tcpdump that I mentioned before shows the connection from client -> NAT, but that's it.

IMHO, I'm not a fan of the default DMZ option. First off, it's not *really* a DMZ. For security purposes, an DMZ is normally on a seperate network than your internal LAN, so that if the server in the DMZ gets compromised, it won't jeopardize your internal hosts. I don't see that being the case here. Also, the default DMZ option seems to forward *all* ports to the internal server, rather than just the webserver port. This could inadvertently expose you to other securty issues if you aren't careful.

IMHO, kill the default DMZ (I'm assuming you have it enabled) and instead, built specific port forwarding rules as-needed.

Thanks for the quick help from everyone. "NAT Loopback" was the name I was looking for, as I knew there was a name for it. Since it is just for the sake of being able to use one address that works internally and externally, I've decided to add a DNS entry that just routes to the internal address.

Funny though, the $5 Router I was using did not have this issue...but I guess this is Netgear trying to protect my network. A loopback setting would be a nice update!  LOL

Well, as I mentioned, the Orbi works perfectly fine if you're doing standard NAT port forwarding from the WAN interface. It's the dubious "Default DMZ" option that seems to be the problem (at least, in my testing). And just to re-state my previous opinion, the default DMZ "feature" is a security disaster waiting to happen, so I would avoid it at all costs. I'm actually surprised they provide such a feature. If you want a real DMZ, buy a real firewall. The DMZ feature of the Orbi is sadly just smoke & mirrors. Just my 2¢ though, so take it for what it's worth. At any rate, happy to hear you found a workable solution.

Oh no, I was not ignoring your warnings about the supposed "DMZ" feature of the Orbi. I could tell when I set it up that things were funky, but relieved that I was able to get everything working (VPN, HA, Web, cloud, etc...). I only did not comment on it becuase my server has a firewall built-in. It opens up the ports it needs automatically when services are active, so I wasn't too worried about having it exposed. But your comments led me directly to my solution so I have you to thank again for the help!