ER605 / 7206 - DMZ not working properly and long winded workaround

ER605 / 7206 - DMZ not working properly and long winded workaround

ER605 / 7206 - DMZ not working properly and long winded workaround
ER605 / 7206 - DMZ not working properly and long winded workaround
2022-10-01 22:40:27 - last edited 2022-10-01 22:41:28
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: All tested inc Beta's

DMZ on the ER605 and 7206 routers doesnt seem to work as expected.

 

On all other router brands, including TP-Link "home grade" routers, setting an IP address as a DMZ host / target automatically exposes the selected host to the public IP so you dont have to forward lots of ports (eg, if the target is a VPN server) through the primary gateway

 

However, on ER605 and ER7206 this doesnt seem to function at all - traffic reaches the target device but is blocked by the ERs firewall (i think) on the return path.

 

For example, i was testing setting a ER7206 as DMZ target through an ER605 (to utilize the ER7206s much higher throughput VPN capability on a completely seperate subnet with a NAS as the final target for VPN access)

I have been able to get it to work, however, with the following steps on the ER605

 

1) Set intended IP as DMZ in NAT DMZ list section

2) Manually forward all necessary VPN ports to target IP (1723 tcp, 1701 udp, 4500 udp, 500 udp) in Virtual Servers

3) Add the DMZ target IP to an IP Group (DMZ_grp)

4) Add an ACL for DMZ_Grp WAN-IN set to allow

5) Add an ACL for DMZ_Grp LAN > WAN set to allow

 

VPNs now tunnel through the ER605 correctly

 

I have also tried this in reverse with the ER7206 as gateway and ER605 as the target, and had to apply the exact same config on the ER7206 for it to work

 

Tested on ER605 v2 formware 2.0.0, 2.0.1 and 2.0.2 beta and ER7206 firmware 1.1.1, 1.2.0, 1.2.1 and 1.2.2 beta (factory reset each time)

 

Hopefully this is of use to someone and TP link support

 

Screenshots of config below

 

This really should not be necessary, it all we should have to do is set the target in the DMZ host section.

 

Owner of: ER605 v1, ER605 v2, ER7206 v1, SG1024DE v4.2 and AX53 v1
  4      
  4      
#1
Options
2 Reply
Re:ER605 / 7206 - DMZ not working properly and long winded workaround
2022-10-05 22:58:12 - last edited 2022-10-05 23:05:36

  @GRL 

wonder if you wireshark this part?
"However, on ER605 and ER7206 this doesnt seem to function at all - traffic reaches the target device but is blocked by the ERs firewall (i think) on the return path."

that would be quite helpful to analyze it. 

 

in addition to the dmz: page 88: Configuring the One-to-One NAT: Configuring the One-to-One NAT https://static.tp-link.com/upload/manual/2022/202208/20220830/1910013241_ER605(UN)2.0_UG.pdf

  0  
  0  
#2
Options
Re:ER605 / 7206 - DMZ not working properly and long winded workaround
2022-10-05 23:37:17

  @Tedd404 

 

I wish I could use one to one nat, but it's only possible to enable with a static wan IP and I'm dynamic and I'm really trying to avoid double nat

Owner of: ER605 v1, ER605 v2, ER7206 v1, SG1024DE v4.2 and AX53 v1
  0  
  0  
#3
Options

Information

Helpful: 4

Views: 339

Replies: 2

Related Articles