ASUS TUF AX3000 v2 - port forwarding doesn't work

[almatea]

Hello,

I have changed my old router RT-N12 to new one TUF-AX3000 V2.
I have camera connected on some port.
I had port forwarding set on my RT-N12 and everything was working fine (still working when I am using old router, so there is no problem with my internet issues)
On new AX3000 V2 I did same configuration on WAN -> Port forwarding, but.... it doesn't work.
Firewall is disabled.
What I have to set up yet? For sure - on internal network, I have access to camera

Firmware: ASUS TUF-AX3000 V2 Firmware version 3.0.0.4.388_23785.
I tried 3 releases back and it didn't work.

WAN - Internet connection
Basic Config
WAN Connection Type Automatic IP
Enable WAN Yes
Enable NAT Yes
Enable UPnP No

WAN DNS Setting
Forward local domain queries to upstream DNS No
Enable DNS Rebind protection No
Enable DNSSEC support No
Prevent client auto DoH Auto
DNS Privacy Protocol None

AiProtection Off

VPN off



I have seen, that port forwarding can be configured on Open NAT tab too.
I tried it without success.

What can I check more?

Thanks in advance
Rafal

 

[ColinTaylor]

Do not turn off the router's firewall.

Check that your new router has a public IP address (e.g. not a CGNAT address) as it will likely be a different address than the one the N12 had.

Confirm the port forwarding rule at System Log - Port Forwarding.

 

[almatea]

Do not turn off the router's firewall.

Check that your new router has a public IP address (e.g. not a CGNAT address) as it will likely be a different address than the one the N12 had.

Confirm the port forwarding rule at System Log - Port Forwarding.

Thank You so much for feedback.

I connected N12 and I checked WAN IP - it was 192.168.1.21.
Than I connected AX3000 and I received 192.168.1.22 - so it is getting different address.

Next step - I changed WAN Connection Type from 'Automatic IP' to 'Static IP' and set IP 192.168.1.21, same mask, gateway and DNS. I had internet connection.


And I still cannot to connect to my camera
Camera is working with IP adderess 192.168.2.199 and port 4100

System Log
Source Destination Proto Port range Open by Redirect to Client name Local port
ALL ALL TCP 4100 VSERVER 192.168.2.199

Any idea?

Thanks in advance
Rafal

 

[L&LD]

You do not have a public WAN IP. Those are private addresses.

And the camera is on a different subnet too.

 

[ColinTaylor]

I connected N12 and I checked WAN IP - it was 192.168.1.21.
Than I connected AX3000 and I received 192.168.1.22 - so it is getting different address.

These are private addresses not public addresses. So this could never have worked from the internet with either router unless you were using a DMZ on the upstream modem/router.

What modem/router do you have connected to the Asus' WAN port? This device should be configured as a modem only (sometimes called "bridge mode") and not as a router.

 

[almatea]

These are private addresses not public addresses. So this could never have worked from the internet with either router unless you were using a DMZ on the upstream modem/router.

What modem/router do you have connected to the Asus' WAN port? This device should be configured as a modem only (sometimes called "bridge mode") and not as a router.

Thank You for feedback.

I know, that 192.168.2.21 is private (internal) address. Of course my public address is different. Unfortunately I have no access to modem connected to my WAN port. Only internet supplier has got it. I called them and they told me, that everything is fine by their side.
Strange is, that when I connect my N12 everything works.

Can they have something like MAC address restrictions?
I can check it, but probably I cannot to change my AX3000 mac address.

Thanks in advance for any feedback

 

[ColinTaylor]

I know, that 192.168.2.21 is private (internal) address. Of course my public address is different.

I wasn't talking about your LAN (192.168.2.x) addresses but your routers' WAN addresses, 192.168.1.21 and 192.168.1.22. These are not public addresses.

Unfortunately I have no access to modem connected to my WAN port. Only internet supplier has got it. I called them and they told me, that everything is fine by their side.
Strange is, that when I connect my N12 everything works.

Then there is some other piece of information we don't know about, because as it stands this simply cannot work.

 

[almatea]

I wasn't talking about your LAN (192.168.2.x) addresses but your routers' WAN addresses, 192.168.1.21 and 192.168.1.22. These are not public addresses.


Then there is some other piece of information we don't know about, because as it stands this simply cannot work.

When I want to connect to my any device, I am using my public address 109.xxx.xxx.xxx and defined port number. For example 4545. Yesterday I had connected Siemens PLC S7-1200 working as a TCPIP server. Moreover I tested camera forwarded on port 4100. I could use web browser on my mobile writing in address field 109.xxx.xxx.xxx:4100 and I had access to camera. Then I used TCPIP Client I could connect to Siemens on port 4545. On RT-12N I have forwarded port 4100 and 4545. Everything works fine. When I am using same configuration and I am exchanging RT-12N to AX-3000 V2, than I have no access to my devices. I spoke with internet supplier, and they told me that they are using DMZ with IP address of my router.

What could be wrong?

 

[ColinTaylor]

I spoke with internet supplier, and they told me that they are using DMZ with IP address of my router.

So this is what I said in my first reply: "unless you were using a DMZ on the upstream modem/router".

It sounds like your ISP has put your old router's WAN IP address (192.168.1.21) in their DMZ. So you need to ask them to change this for your new router's WAN IP address (192.168.1.22).

 

[almatea]

I would redact this post. You shouldn’t share your public IP plus mention open ports.

Thank You. I just created ports to make a test. Usually I am using different port numbers

 

[almatea]

So this is what I said in my first reply: "unless you were using a DMZ on the upstream modem/router".

It sounds like your ISP has put your old router's WAN IP address (192.168.1.21) in their DMZ. So you need to ask them to change this for your new router's WAN IP address (192.168.1.22).

Thank You for your feedback again.

I will call them tomorrow.
Anyway without wasting time, I launched my old RT-12N and I changed WAN IP address form automatic to static. Than I set 192.168.1.21 and 192.168.1.22. Both of them working fine.
In next step I did the same with mu TUF-AX3000 v2 without success.

 

[ColinTaylor]

Anyway without wasting time, I launched my old RT-12N and I changed WAN IP address form automatic to static. Than I set 192.168.1.21 and 192.168.1.22. Both of them working fine.
In next step I did the same with mu TUF-AX3000 v2 without success.

When an ISP puts a device in their DMZ they usually do it using the MAC address of the device, not the IP address which is dynamic.

You can test this by making a note of the MAC address of the RT-12N's WAN interface. Then put this MAC address in the MAC Address/MAC Clone field in the TUF-AX3000's WAN - Internet Connection settings.

 

[almatea]

When an ISP puts a device in their DMZ they usually do it using the MAC address of the device, not the IP address which is dynamic.

You can test this by making a note of the MAC address of the RT-12N's WAN interface. Then put this MAC address in the MAC Address/MAC Clone field in the TUF-AX3000's WAN - Internet Connection settings.

Thank You,

I was wondering about it. But what I cannot to understand is - when I click on MAC clone it showing me the same address on both routers.
Is it ok? It shouldn't be different?

Best regards

 

[ColinTaylor]

I was wondering about it. But what I cannot to understand is - when I click on MAC clone it showing me the same address on both routers.
Is it ok? It shouldn't be different?

Don't click on the MAC Clone button. Type the MAC address directly into the field.

If you click the MAC Clone button it puts your PC's MAC address in that field which you don't want.

 

[almatea]

Don't click on the MAC Clone button. Type the MAC address directly into the field.

If you click the MAC Clone button it puts your PC's MAC address in that field which you don't want.

Ok, I see. I understand, that I have to read it from label located on router "body"? Or there is other way to check it?

 

[ColinTaylor]

Ok, I see. I understand, that I have to read it from label located on router "body"? Or there is other way to check it?

Go to AiMesh and look for the MAC address on the right.

 

[almatea]

Go to AiMesh and look for the MAC address on the right.

View attachment 54156

It works!!!! Thank You so much!! I know that I could wait till tomorrow and call to internet supplier to request MAC address changing in DMZ area, but according to your suggestion I used MAC address clone button. Last question - I typed new MAC address in textbox, pressed clone button and it works, but MAC address visible in AiMesh is still the same. Is it ok?
Thank you once again. Sorry for my bad English.

 

[ColinTaylor]

Last question - I typed new MAC address in textbox, pressed clone Apply button and it works, but MAC address visible in AiMesh is still the same. Is it ok?

Yes, that's OK.