Port Forwarding With Two Routers

[kramttocs]

Stumped at what I think should be working

Two routers:
Verizon TCL Linkzone hotspot
RT-AX86U (Merlin firmware)

The Asus is hardwired to the Linkzone via the ethernet port
Asus IP is set in the DMZ of the Linkzone

Application running on a PC hardwired to the Asus on port 54321
Application loads fine with localhost:54321

DDNS is setup in the Asus and the dns ip is correctly getting set in ZoneEdit

In the Asus 54321 is port forwarded to the PC IP both source/dest

I've tried with the PC firewall on and off

From another PC on another network, trying to connect via the domain name or IP + 54321 never connects.

Something I am missing?

 

[ColinTaylor]

Are you sure that your Linkzone has a public IP address? Often mobile providers only give you a CGNAT address. What are the first two octets of the Linkzone's WAN IP?

In the Asus 54321 is port forwarded to the PC IP both source/dest

What do you mean by "both source/dest"? Can you post a screenshot of your port forwarding rules.

 

[kramttocs]

Hey Colin.

174.210

Sorry, I should have used 'external/internal'. Meaning I am mapping the same port value all the way through to simplify it further.


I read over the guide prior to getting this device and while it doesn't talk about a second router being a client to it, these settings made me assume it should handle this:

DDNS
WAN IP address is needed when some functions of your LINKZONE are enabled. If the WAN IP address of your LINKZONE changes, these functions may not work properly. The Dynamic Domain Name Server (DDNS) function allows you to map a dynamic WAN IP address (public IP address) to a static domain name, helping internet users (WAN side) access the LINKZONE network by static domain name.

DMZ
The DMZ separates LAN from the public internet. Certain network services in DMZ cannot be accessed by external users. You can enable the DMZ function and set a new host IP address to allow access .



IP in Asus (cut off the DDNS value but it is populated correctly with xxxxx.xxxxxx.com)
For what it's worth in my home setup I am allowing wildcards and just yyyyyy.com. Don't expect that factors in but...

Localhost working (This is BlueIris security camera software)

TCL DMZ
I also tried just port forwarding 54321 to 192.168.1.180 so only that port would hop twice but no luck

 

[ColinTaylor]

Well it looks like you've done everything correctly and the 174.210 address should be ok.

Have you confirmed that you can reach 192.168.50.207:54321 from another PC on your LAN?

Also, disable any VPN clients you have on the PC or router when testing.

 

[kramttocs]

Yeah, the page loads when testing from my phone connected to the Asus wifi (I have the TCL wifi turned off).

From the other pc on the other lan pinging the domain name correctly returns the 174.210 IP (no response for the pings).
I've also tried open port checkers and they all show 54321 as closed. I never know just what those are looking for so that may be a red herring.

 

[kramttocs]

I will also say that Let's Encrypt from the Asus is failing but I suspect that's just another symptom of this in combination with nothing listening on port 80 (?).

 

[ColinTaylor]

I've also tried open port checkers and they all show 54321 as closed. I never know just what those are looking for so that may be a red herring.

They test whether there's a TCP response from the destination server. Can you test port 54321 again (I know you've done this before) from www.yougetsignal.com/tools/open-ports/ after making sure that the PC's firewall is disabled and the BlueIris software is running.

 

[kramttocs]

Shows as closed and I confirmed the firewall is still off on that pc hosting BlueIris. Haven't touched the firewall on the Asus or TCL (if it even has one).

What I can do this evening or over lunch is to remove the Asus, connect the pc to the TCL, remove the dmz, setup port forwarding there and see what happens.

 

[ColinTaylor]

That sounds like a good plan. It would indicate whether the traffic is being blocked by your ISP. You should leave the Asus firewall enabled as that protects the router itself and doesn't effect port forwarding.

 

[kramttocs]

Looks like a no-go. Verizon tech support didn't know what I was talking about (not really blaming them as it's an outlier) but appears that even though the hardware they sold me has the features, they aren't letting it work from their end. They didn't say that (again, they didn't know what I was asking )

 

[sfx2000]

That sounds like a good plan. It would indicate whether the traffic is being blocked by your ISP. You should leave the Asus firewall enabled as that protects the router itself and doesn't effect port forwarding.

He's on a 5G mobile network - most carriers will filter both IPv4 and IPv6 inbound traffic to preserve bandwidth....

 

[kramttocs]

It does make some sense.
This rules out openvpn on the Asus, right? Haven't tried that yet.
The TCL also has VPN capabilities but I think it's just a client.

 

[kramttocs]

Oh, what about this?
I setup the VPN client on the Asus A to connect to the VPN server on my Asus B at my house ( the 5G/Asus A setup is at a farm).

Being a client, it wouldn't need port forwarding right through the TCL? Then I could vpn to my Asus B and all the devices from Asus A would be local?
Or am I dreaming impossilities?

 

[ColinTaylor]

Oh, what about this?
I setup the VPN client on the Asus A to connect to the VPN server on my Asus B at my house ( the 5G/Asus A setup is at a farm).

Being a client, it wouldn't need port forwarding right through the TCL? Then I could vpn to my Asus B and all the devices from Asus A would be local?
Or am I dreaming impossilities?

Sounds like it should work.

 

[kramttocs]

Just to close this out - tried a bunch of things but ultimately giving up. There are probably a few other ways it can be done utilizing a third party offering but I settled on letting Home Assistant's Nabu Casa handle it. Limits me to what it can integrate with but fortunately that's a lot.