Port forwarding through 2 routers

Sachb

Regular Contributor

For years I was trying to port forward through 2 routers: 1) Main router (hall) 2) Second router (room). May help someone.

THIS IS A SITUATION WHEN THE 2ND ROUTER IS CONNECTED TO THE FIRST ROUTER (via extender, powerline, Ethernet, etc.).


Solution:
Step 1: You need to reserve the IP address for the second router by configuring the first router.
Step 2: Use the DMZ server in the first router and let the traffic reach the second router. Once you've reserved the IP of the second router, enter that IP on the first router's DMZ menu.
Note: Make sure UPnP is enabled on both routers, the firewall is off for the Private network, and UPnP is functioning on PC, mobile, etc.

[Images: Port forwarding through 2 routers.png, Ip reservation.png, DMZ server.png]


Hope this helps!!!
 

Tech9

Part of the Furniture
Why do you have this second router in router mode in the first place?
 

Sachb

Regular Contributor
> Why do you have this second router in router mode in the first place?

Good question. This is done because the other modes disable some features. Access point is one mode I can use, but for some reason, I need the router in its full form so the router mode is the one I use.
 

Tech9

Part of the Furniture
This way you create two different networks with the second router in Double NAT. Something most people try to avoid.
 

Sachb

Regular Contributor
> This way you create two different networks with the second router in Double NAT. Something most people try to avoid.

But once you use the DMZ server all apps give a green flag, which means it's working. Might be a problem in a more complex setup.
 

Tech9

Part of the Furniture
With two different networks you have no roaming between the routers. DMZ is not necessary for port forwarding (it just makes it easier), UPnP can be disabled (you can forward only the ports you need) and the firewall on the second router can stay enabled (its network will still have access to the Router 1 network, but not vice versa) - different configurations depending on the use case. If you want specific router features, make the router with those features the main one and set the other as an access point. This is a much cleaner single-network configuration with extended Wi-Fi range.
 

dosborne

Very Senior Member
Personally, I would stay as far away from that type of configuration as possible.

A DMZ should be a last resort in almost all scenarios. Forward the port that you actually need and keep them to a minimum.

UPnP should never be used unless as the last resort. You are essentially giving full trust to every application and link you click on. Again, set up firewalls and port forwarding for known and necessary ports only.

Just ask any QNAP NAS user who was hit by QLocker, QLocker2 or Deadbolt about how bad this type of scenario is.

I run 3 levels of routers, and a fourth for testing, and have no issues forwarding what I need with DMZ turned OFF at every level and UPnP disabled on all devices.
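
The difference between the two setups argued over in this thread (router 1 placing router 2 in its DMZ, versus forwarding a single port with DMZ off), as an added example that is not part of any post. It is a simplified model of inbound NAT handling; the IP addresses, ports and rule sets are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

INNER_WAN_IP = "192.168.1.2"   # constructed: IP reserved for router 2 on router 1's LAN

@dataclass
class Router:
    forwards: dict = field(default_factory=dict)  # ext port -> (host, port); manual or UPnP-created
    dmz_host: Optional[str] = None                # receives every port with no explicit forward

    def route(self, port):
        """Where an unsolicited inbound packet on `port` is delivered, or None if dropped."""
        if port in self.forwards:
            return self.forwards[port]
        return (self.dmz_host, port) if self.dmz_host else None

def internet_exposed(outer, inner, ports):
    """Return {internet port: (host, port)} for ports that reach a device behind router 2."""
    reachable = {}
    for p in ports:
        hop = outer.route(p)
        if hop is None or hop[0] != INNER_WAN_IP:
            continue                      # dropped, or delivered to a device on router 1's LAN
        final = inner.route(hop[1])
        if final is not None:
            reachable[p] = final
    return reachable

# Constructed rules on router 2: one manual forward plus two mappings apps opened via UPnP.
inner = Router(forwards={
    32400: ("10.0.0.20", 32400),   # manual: the one service the owner wants public
    8080:  ("10.0.0.30", 8080),    # UPnP: NAS admin console
    51413: ("10.0.0.40", 51413),   # UPnP: desktop application
})
PORTS = [22, 80, 8080, 32400, 51413]

# Thread's original setup: router 1 puts router 2 in its DMZ.
dmz_chain = internet_exposed(Router(dmz_host=INNER_WAN_IP), inner, PORTS)
# Alternative from the replies: router 1 forwards only the needed port, DMZ off.
narrow_chain = internet_exposed(Router(forwards={32400: (INNER_WAN_IP, 32400)}), inner, PORTS)

if __name__ == "__main__":
    print("DMZ on router 1:     ", sorted(dmz_chain))
    print("Single forward only: ", sorted(narrow_chain))
```

With the DMZ in place, every mapping that exists on router 2, including ones created by UPnP without the owner's involvement, is reachable from the Internet; with a single explicit forward on router 1, those mappings stay internal.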
 

Sachb

Regular Contributor
I tried Access point mode on the 2nd router & guess what, there was a 100 Mbps+ drop in Wi-Fi speeds. This is a drastic speed drop compared to router mode.

Access point mode

[Image: Access pointmode.jpg]

Router mode

[Image: Router mode.jpg]

Conclusion: Router mode is best even on the 2nd router to maximize Wi-Fi speeds and also have all the features.
 

Sachb

Regular Contributor
> Personally, I would stay as far away from that type of configuration as possible.
>
> A DMZ should be a last resort in almost all scenarios. Forward the port that you actually need and keep them to a minimum.
>
> UPnP should never be used unless as the last resort. You are essentially giving full trust to every application and link you click on. Again, set up firewalls and port forwarding for known and necessary ports only.
>
> Just ask any QNAP NAS user who was hit by QLocker, QLocker2 or Deadbolt about how bad this type of scenario is.
>
> I run 3 levels of routers, and a fourth for testing, and have no issues forwarding what I need with DMZ turned OFF at every level and UPnP disabled on all devices.

As long as your wifi is secured with a WPA2 + AES encryption, it doesn't matter, this is not 2006. We're in 2022 buddy.
 

Tech9

Part of the Furniture
> Conclusion: Router mode is best even on the 2nd router

Something is wrong with your testing. It's exactly the same radio and the same ports. AP mode is just wired to wireless bridge.

> We're in 2022 buddy.

In theory, malicious software may use UPnP to open ports and you may get hit on WAN. Your wireless security is unrelated, buddy.
 

cptnoblivious

Senior Member
> As long as your wifi is secured with a WPA2 + AES encryption, it doesn't matter, this is not 2006. We're in 2022 buddy.

None of that makes sense, you're mixing up "what it takes for someone to connect to my wireless network" with "what an app can open for 2-way communication on my firewall without me making config changes".
 

dosborne

Very Senior Member
> As long as your wifi is secured with a WPA2 + AES encryption, it doesn't matter, this is not 2006. We're in 2022 buddy.

I invite you to do a simple Google search on QLocker or Deadbolt in relation to a vulnerability in QNAP NAS servers. You may not have one, but it is a simple example where UPnP was used to exploit a vulnerability in the operating system. The Deadbolt ransomware attack took place in January of, guess what, 2022 :)

I am simply pointing out that ever since the option existed, and yes even today, it is inadvisable to run a DMZ. I'm obviously not saying it should never be done, but there are security issues that must be considered and as pointed out, it has nothing to do with WPA or AES (in the specific case with QNAP, we are talking wired devices anyway so definitely nothing to do with WiFi protocols). With these 3 ransomware attacks, all it took was a single port to be exposed (providing a backdoor in through the admin console), which was either through DMZ, UPnP or forwarding the console port.
 
