ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router

16 hours ago - last edited 16 hours ago
Tags: #NAT
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6 Build 20240718 Rel.82712

My ISP provides an all-in-one device and does not allow Bridge Mode for "security concerns". I have a business plan with a static public IP and very limited direct access to router configuration. Deep configuration changes cannot be done sometimes, and when they can be done they take a while to get someone with expertise to make the change.

 

I have the ISP Router connected to the ER605 on WAN port 1 which I know creates a double NAT scenario. I have no device connected to the ISP router other than the ER605.

 

I have an OC200 controller which I used to set up my Omada site with 2 switches, and 2 APs. Connected to one of the switches I have a home server running an API exposed on port 3000.

 

Topology:

 

ISP Router -> ER605 Router LAN to WAN -> SG2218 Switch -> Server

 

The ISP Router is connected to the ER605's WAN port. The ER605 Router has the static IP 192.168.1.3 configured in the ISP router which can be seen in the ER605 configuration under the WAN menu:

  

The ISP Router has a DMZ configuration that has the ER605 as the DMZ host via the ip 192.168.1.3

 

In the Omada SDN under Transmission -> NAT -> Port Forwarding I configured the following rule:

 

The server has a static IP so it will always have the destination IP in the configuration.

 

Connected to the ER605 Network

 

I can hit the API through ip 192.168.0.9

I can hit the API through ip 192.168.1.3

 

Connected to the ISP Router Network

 

I can hit the API through ip 192.168.0.9

I can hit the API through ip 192.168.1.3

 

From the Internet

 

Whenever I attempt to hit the API through my Static Public IP the request hangs until an ERR_CONNECTION_TIMED_OUT happens after a very long time.

 

Expected Flow

 

- ISP Router gets request to the Public IP on port 3000

- ISP Router redirects all traffic through DMZ configuration to the ER605 IP

- ER605 Should use its port forwarding rule to redirect traffic to the server on port 3000

- Server responds on browser

 

Expected Behaviour

 

- Double port forwarding: If I have a port forwarding rule for port N on ISP Router pointing to the ER605 IP and the same port forwarding rule on the ER605 then the request should be sent.

- DMZ + Port Forwarding: If I have the ISP Router configured to use the ER605 as the DMZ host and a port forwarding rule for port N on the ER605 then the request should be sent when the request comes from port N.

- Double DMZ: If I have the ISP Router configured to use the ER605 as the DMZ host and the ER605 configured to use the server as a DMZ host, the request should be sent to the server.

 

Troubleshooting Done Already

 

- Connecting server directly to ISP Router and configuring DMZ to IP of the server worked, proving that DMZ configuration on the ISP Router is working.

- Changing Port Forwarding rule on Omada to DMZ did not work and timed out as well.

- Disabling firewall on ISP Router with DMZ to ER605 did not work and timed out as well.

- Connecting Server directly to ER605 Router did not work and timed out as well, so nothing in the SG2218 switch is responsible.

- Everything in the Business Community -> Routers -> Virtual Services(Port Forwarding) on the Router Doesn't Take Effect article.

 

Previous Reading and Findings

 

I have read a lot of posts from this forum and other forums to no avail and this setup should work for a scenario where the ISP Router cannot be placed into Bridge Mode. I know that I have Double NAT but this means that if I want to do port forwarding it needs to be configured on both routers which I have tried through forwarding specific ports on both routers and setting DMZ on both routers. When I connect any device to the ISP Router, their port forwarding and DMZ rules work and I can access any device from the internet. Whenever I connect the device behind the ER605, directly or behind a switch, the device cannot be reached from the internet.

 

Main posts from TP Link forums:

 

Virtual Services(Port Forwarding) on the Router Doesn't Take Effect

ER605 Port Forwarding will not work under Omada Software Controller

ER605 Port Forwarding to an ip on vlan

Port forwarding on ER605 v2

 

I have no idea how to move forward from this point. Some posts say people have had the same issue and managed to resolve it, but there is no information on how they did it.

#1
4 Reply
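An added example, not part of the thread or of any TP-Link tooling: a per-hop TCP probe for the chain described in the opening post (server, ER605 WAN address, public IP) that separates a silent drop (timeout) from a reset (refused). The function names are hypothetical and `203.0.113.10` is a documentation-range placeholder for the static public IP.

```python
import socket

def classify(exc):
    """Map the outcome of one TCP connect attempt to a state."""
    if exc is None:
        return "open"         # handshake completed: something is listening
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"      # no reply at all: SYN dropped or never forwarded
    if isinstance(exc, ConnectionRefusedError):
        return "refused"      # RST came back: a host was reached, nothing listens
    return "unreachable"      # routing error or any other OSError

def probe(host, port, timeout=5.0):
    """Attempt a TCP connection and return its classified state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

def first_failure(results):
    """results: ordered (label, state) pairs, innermost hop first.
    Returns the first hop that is not open, or None if all are open."""
    for label, state in results:
        if state != "open":
            return label, state
    return None

# The two private addresses are the ones given in the post.
# The public address is a placeholder (assumption), not the poster's IP.
HOPS = [
    ("server LAN address", "192.168.0.9"),
    ("ER605 WAN address", "192.168.1.3"),
    ("static public IP (placeholder)", "203.0.113.10"),
]
PORT = 3000  # API port from the post

if __name__ == "__main__":
    # Probe the public IP from an outside network (for example mobile data);
    # from inside the LAN the result depends on NAT loopback support.
    results = [(label, probe(ip, PORT)) for label, ip in HOPS]
    for label, state in results:
        print(f"{label:32} {state}")
    print("first failing hop:", first_failure(results))
```

A `timeout` at a hop while every hop inside it is `open` matches the symptom reported in the post; a `refused` would instead mean a device answered and rejected the connection.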
Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
16 hours ago

Hi @marlrus 

Thanks for posting in our business forum.

Have you tested if your ISP router DMZ is working fine?

At least you DMZ and you should access the page of the router if your 80 and 443 are not duplicated.

 

Consider the disable NAT beta firmware in the label Solution. Please note it only applies to the standalone mode.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
16 hours ago

  @Clive_A Thank you Clive,

 

Yes, I have tested the ISP Router DMZ and mentioned it in the original post.

When I connect the server directly to the ISP router and configure DMZ or port forwarding, requests make it to the server.

 

As soon as I place the server behind the ER605, the request fails to make it to the server.

 

> Consider the disable NAT beta firmware in the label Solution. Please note it only applies to the standalone mode.

 

I'm using the OC200 for the Omada SDN so this would not apply.

#3
Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
15 hours ago

Hi @marlrus 

Thanks for posting in our business forum.

marlrus wrote

> @Clive_A Thank you Clive,
>
> Yes, I have tested the ISP Router DMZ and mentioned it in the original post.
>
> When I connect the server directly to the ISP router and configure DMZ or port forwarding, requests make it to the server.
>
> As soon as I place the server behind the ER605, the request fails to make it to the server.
>
> > Consider the disable NAT beta firmware in the label Solution. Please note it only applies to the standalone mode.
>
> I'm using the OC200 for the Omada SDN so this would not apply.

As it is double-NAT, we don't have alternatives to fix it.

You may wait for the future firmware release when it supports disabling the NAT on the Omada Controller. See the timeline in the solution post.

Best Regards!
#4
Re:ER605 Port Forwarding not working from public IP when set as DMZ host for ISP Router
4 hours ago

  @Clive_A 

 

I removed the Router from the Omada Controller to have it standalone and changed the configuration you pointed out and it still didn't work.

 

There is no reason why a DMZ from the ISP Router to the ER605 should not work. Is there something I'm missing?

 

Posts from this forum stating that DMZ from Router 1 to Router 2 is the solution:

 

ER605 behind primary router - Not able to connect to OpenVPN

port forwarding on ER605

 

I've done exactly as pointed out in those 2 posts which should work. I've tested everything in the chain and it is something when connecting to the ER605 that is disallowing the forwarding.

#5
