RT-AX1800S DMZ Not Working

MSchmieds

Occasional Visitor
I have an RT-AX1800S configured with OpenVPN client and I set up DMZ because I need one device exposed directly to the Internet. I set up that device under "LAN - DHCP Server" with a static IP address, then under "WAN - DMZ" I enabled DMZ and added the device's IP address as per Asus instructions.

However, the DMZ isn't working. When I Google "What's my IP" from that device it comes back with the VPN IP as opposed to the ISP IP.

Anybody else ever have this problem and if so were you able to resolve it?

Thanks, Mike
 
I have an RT-AX1800S configured with OpenVPN client

All your traffic goes through the VPN Client. There is no selective routing in your firmware. You can't use DMZ for this purpose.

I enabled DMZ and added the device's IP address

This basically means all ports open for this device. Unrelated to "What's my IP". Your IP is ISP assigned or your VPN, depending on VPN Client on/off.
 
That won't work because that's not what the DMZ is used for. What you are trying to do is create an exception for one device so that it doesn't go through the VPN client. As far as I know that's not possible using stock Asus firmware, when the VPN client is active everything goes through it.

Asus routers that support VPN Fusion do allow exceptions though.

 
VPN Fusion was made available to some RT routers with 388 code firmware, but I'm in doubt RT-AX1800S will be getting it.
 
All your traffic goes through the VPN Client. There is no selective routing in your firmware. You can't use DMZ for this purpose.

This basically means all ports open for this device. Unrelated to "What's my IP". Your IP is ISP assigned or your VPN, depending on VPN Client on/off.
Thanks for your reply
So it's not a real DMZ then, it's just a device with extra ports opened (FTP, web, mail, etc.). That's misleading on Asus's part. I've worked extensively with Cisco firewalls and there a DMZ is a separate zone outside of the internal network. I actually have the RT-AX1800S behind a Cisco ASA 5505 right now running a real DMZ but I was hoping to phase out the ASA and use only the RT-AX1800S. Guess if I want real firewall features I'll have to keep the Cisco and use the RT-AX1800S just for VPN client.
 
So it's not a real DMZ then

Correct. In most home routers DMZ host is part of the internal network. Business gear may have dedicated configurable DMZ port.
 
Thanks for your reply
So it's not a real DMZ then, it's just a device with extra ports opened (FTP, web, mail, etc.). That's misleading on Asus's part. I've worked extensively with Cisco firewalls and there a DMZ is a separate zone outside of the internal network. I actually have the RT-AX1800S behind a Cisco ASA 5505 right now running a real DMZ but I was hoping to phase out the ASA and use only the RT-AX1800S. Guess if I want real firewall features I'll have to keep the Cisco and use the RT-AX1800S just for VPN client.
Correct. What home routers call a "DMZ" is actually nothing like a real DMZ, they have just misappropriated the term. All home router manufacturers do this, not just Asus. The DMZ on home routers is nothing more than forwarding unsolicited traffic on all ports to an internal host.
 
Correct. What home routers call a "DMZ" is actually nothing like a real DMZ, they have just misappropriated the term. All home router manufacturers do this, not just Asus. The DMZ on home routers is nothing more than forwarding unsolicited traffic on all ports to an internal host.
After all these years I just learned something new.
Guess I have to keep the big boy (ASA) on the front line to handle the big boy work. LOL
 
If you have experience with business gear, you’ll find many things not working as you’d expect in home routers - link aggregation, WAN aggregation, load balancing, fail over and fail back, QoS, band steering, roaming in “mesh” systems. It’s more marketing and good enough to sell it as an available feature.
 
If you have experience with business gear, you’ll find many things not working as you’d expect in home routers - link aggregation, WAN aggregation, load balancing, fail over and fail back, QoS, band steering, roaming in “mesh” systems. It’s more marketing and good enough to sell it as an available feature.

Thanks for your reply.

I pretty much expected that but I also thought how many different flavors of DMZ could there possibly be. I thought it would all be plain vanilla. And I really wasn't really going to put the Asus on the frontline. I don't trust home routers enough for that.

This is my scenario and what I was hoping to accomplish when I saw "DMZ" on the Asus. The Cisco ASA firewall with the DMZ is fast ethernet but the Asus is gigabit. I have a Cisco 1921 router which is also gigabit. I wanted to take advantage of the gigabit ports. But the 1921 only has 2 interfaces inbound and outbound so when I saw "DMZ" on the Asus I thought "Perfect!". LOL But it rained on that parade.

I have an ISP router in the mix too, that's the culprit behind this issue. The ISP router is connected to the TV set top box via coax cable but it also needs internet access so that all the functions on my TV work properly (on demand, voice search, voice mail access, etc.), but the ISP router is also an untrusted device: it uses network discovery and maps my internal network, so it needs to be in a DMZ. I don't want my ISP seeing all my network devices, let alone potentially accessing them. If I found an inexpensive gigabit Ethernet interface card for the 1921 I could add it and set up a DMZ or VLAN on the 1921 to keep the ISP router separate from the internal network. The 1921 does have enough firewall-like features to put it on the frontline. But for now I keep the ASA on the frontline with the ISP router in the ASA's DMZ, keeping my TV functioning properly, my internal network safe from prying eyes and the Asus behind the ASA firewall as a VPN client.
 
If you have experience with business gear, you’ll find many things not working as you’d expect in home routers - link aggregation, WAN aggregation, load balancing, fail over and fail back, QoS, band steering, roaming in “mesh” systems. It’s more marketing and good enough to sell it as an available feature.

I found a Cisco 8 port gigabit managed switch at a really good price. This will allow me to set up VLANs to keep my internal network separate from the ISP router, plus take advantage of the Cisco router's gigabit interfaces.
 
Don’t spend more money on hardware you don’t need. You already got some wrong hardware. You just need one proper home router.
 
Don’t spend more money on hardware you don’t need. You already got some wrong hardware. You just need one proper home router.

I only paid $16 for the switch, the Asus $70, the 1921 router $40 and I paid $60 for the ASA 5505 three and a half years ago. The ASA I can phase out now and give to my son. The rest of the equipment I'm keeping. Total investment $126. Quite honestly I don't think I'm going to find a good home router for $126 that gives me the functionality and flexibility that the Cisco switch and router give me. I had to buy the Asus because Cisco doesn't support OpenVPN. And the ISP router like it or not came with the package if I want to use the features on the TV like voice search, on demand, voice mail access, etc. Plus Cisco devices are fun to work with. I never use the GUI menus I do everything CLI.
 
How many of your Cisco devices are not EOL/EOS already? For your purpose you don’t need any of that. The Asus router is the cheaper version of the cheapest AX router. Waste of money.
 
Got home, so more details:

keep my internal network separate from the ISP router

Use your ISP router for things you don't care much about - VoIP, IoT, Guest Network, TV, Game Consoles, etc. Connect a good home router to it with the right firmware and create a second network. From this network the ISP can see your router only, eventually. Port forward on the ISP router whatever you need. Your more secure devices will be behind two firewalls. You'll have access to ISP connected devices, but they won't have access to your more secure network. A proper router is RT-AX86S or better with 388 code Asuswrt firmware (coming soon) or Asuswrt-Merlin (available now). This router can do >200Mbps on OpenVPN and >300Mbps on WireGuard with selective routing and multiple clients/servers - simpler and limited on Asuswrt and way more advanced and the best you can find in home routers on Asuswrt-Merlin. What else is needed? This model is often on sale for $180.

Quite honestly I don't think I'm going to find a good home router for $126 that gives me the functionality and flexibility that the Cisco switch and router give me.

Asus RT-AC68U V4 can be found around $120. It has Asuswrt-Merlin firmware support, modern dual-core 1.8GHz ARMv8 + AES CPU, 512MB RAM, current updated firmware, router optimized IDS/IPS from TrendMicro (simple, but good enough), IP blocker is available (Skynet), DNS blocker is available (Diversion), DNS interception is available (DNSFilter), DNS encryption (DNS-over-TLS) built-in, own DNS server if you want (Unbound), OpenVPN with 5x clients and 2x servers with advanced configurations. It has Wi-Fi as well, not the latest and greatest, but better than nothing. For typical home router duties as wired router this little guy will make Cisco 1921 want to run away, hide somewhere and recycle itself quietly.
 
How many of your Cisco devices are not EOL/EOS already? For your purpose you don’t need any of that. The Asus router is the cheaper version of the cheapest AX router. Waste of money.

The 1921 End of Support September 30, 2023; the switch EOL November 30, 2018, but it still does VLANs; and the ASA 5505 End of Support August 31, 2022. I don't have a TAC account anyway so I wouldn't be getting Cisco support, but I am registered with https://community.cisco.com where there's a lot of good free support. And the Asus does just fine handling VPN, especially for the price. I can work around the DMZ issue.

I have a Cisco PIX 515e too which has been retired but it still has capabilities you won't find on the majority of new home routers. And all Cisco firewalls regardless of life cycle status support this ACL:

access-list 101 extended deny ip any any
access-group 101 in interface outside

What that does is block ALL unsolicited traffic from the outside, including ICMP and port scanners, making you virtually invisible to the outside world, yet it still allows ISP DHCP and all legitimate traffic originating on the inside. Is there a new home router that can equal that? And even though a Cisco device might be EOL it'll still have far more capabilities than a lot of newer home routers, especially for the price. And since I'm just a home network and not an enterprise network with growing demands I don't need to keep up with all the demands presented to an enterprise network. I'm retired now but when I was in the field heck yeah I had a TAC account and heck yeah I had the company replace equipment before it was EOL. But not on my budget. LOL
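The three behaviours this thread contrasts (a stateful deny-all on the outside interface that still admits replies to inside-initiated flows, a home router's "DMZ host" that forwards every unsolicited port to one LAN host in the same zone as everything else, and a true DMZ as a separate lower-trust zone) modelled in a small Python packet filter. This is an added example, not code from the thread, from Asus or from Cisco; the hosts, zone names and trust levels are constructed for illustration.

```python
from dataclasses import dataclass

# Trust levels in the style of firewall security levels: a new flow may be
# initiated from a higher level toward a lower one, never the reverse.
ZONE_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class ZoneFirewall:
    """Stateful zone firewall model (hypothetical, for illustration).

    zones: host -> zone name for the constructed topology; unknown hosts
    are treated as "outside".
    dmz_host: when set, emulates a home router's "DMZ host": every
    unsolicited packet reaching the WAN address is forwarded to that LAN
    host on any port. When None, the outside interface behaves like the
    'deny ip any any' ACL above: unsolicited inbound traffic is dropped.
    """

    def __init__(self, zones, wan_ip, dmz_host=None):
        self.zones, self.wan_ip, self.dmz_host = zones, wan_ip, dmz_host
        self.flows = set()  # connection table: (proto, src, sport, dst, dport)

    def zone(self, host):
        return self.zones.get(host, "outside")

    def decide(self, p):
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow-reply"  # return traffic for an established flow
        src_zone, dst_zone = self.zone(p.src), self.zone(p.dst)
        if src_zone == "outside" and p.dst == self.wan_ip:
            if self.dmz_host is None:
                return "drop"  # unsolicited inbound, nothing is exposed
            self.flows.add((p.proto, p.src, p.sport, self.dmz_host, p.dport))
            return f"forward-to-{self.dmz_host}"  # every port DNATed to one host
        if src_zone == dst_zone:
            return "intra-zone"  # same LAN segment; the firewall never sees it
        if ZONE_LEVEL[src_zone] > ZONE_LEVEL[dst_zone]:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow-new"
        return "drop"  # unsolicited traffic toward a more trusted zone
```

The "intra-zone" result is the point the thread makes: a home-router DMZ host sits on the same LAN as every other device, so nothing stops it from reaching them once it is compromised, whereas a host in a real DMZ zone is dropped when it initiates toward the inside.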
 
Got home, so more details:

Use your ISP router for things you don't care much about - VoIP, IoT, Guest Network, TV, Game Consoles, etc. Connect a good home router to it with the right firmware and create a second network. From this network the ISP can see your router only, eventually. Port forward on the ISP router whatever you need. Your more secure devices will be behind two firewalls. You'll have access to ISP connected devices, but they won't have access to your more secure network. A proper router is RT-AX86S or better with 388 code Asuswrt firmware (coming soon) or Asuswrt-Merlin (available now). This router can do >200Mbps on OpenVPN and >300Mbps on WireGuard with selective routing and multiple clients/servers - simpler and limited on Asuswrt and way more advanced and the best you can find in home routers on Asuswrt-Merlin. What else is needed? This model is often on sale for $180.

Asus RT-AC68U V4 can be found around $120. It has Asuswrt-Merlin firmware support, modern dual-core 1.8GHz ARMv8 + AES CPU, 512MB RAM, current updated firmware, router optimized IDS/IPS from TrendMicro (simple, but good enough), IP blocker is available (Skynet), DNS blocker is available (Diversion), DNS interception is available (DNSFilter), DNS encryption (DNS-over-TLS) built-in, own DNS server if you want (Unbound), OpenVPN with 5x clients and 2x servers with advanced configurations. It has Wi-Fi as well, not the latest and greatest, but better than nothing. For typical home router duties as wired router this little guy will make Cisco 1921 want to run away, hide somewhere and recycle itself quietly.

The way I have it setup now with the ISP router in the DMZ they can't even see their own router and it works fine with the ISP connected device. I still have the ASA up and that's making me virtually invisible.

I was looking at higher end Asus routers but my initial goal was just getting a VPN that runs on a router instead of desktop because I want EVERYTHING hidden from my ISP, even the anti virus auto updates and the DNS server handshake when my systems come up. Not that I'm doing anything wrong it's just none of their business what I do. And without spending a lot of money being in "exploratory" mode the Cisco equipment I have is certainly enough to get me started without shelling out a lot or compromising security.

But I appreciate the information you passed along. I'm looking it over to see what features there are that I might be interested in and possibly develop an upgrade plan from there.

I'm running NordVPN client right now and when I put it on a full gigabit network I'm still only getting about 20Mbps download so now I know upgrading to a faster router right now will be useless unless I change VPN client too.

I have time now to look around and decide what I really want but in the mean time my network is probably better protected than the average home network. Not that I settle for average of anything but I am a step above right now. LOL
 
Is there a new home router that can equal that?

All of them, starting from the cheapest one for $30... in the last 20 years, perhaps.

I want EVERYTHING hidden from my ISP

You're not the first one with this idea. Your journey will be full of surprises. Many threads around on the subject.

Not that I settle for average of anything but I am a step above right now.

I have nothing to add here. I'm only interested in recycling the equipment you are talking about. Good luck.
 
All of them, starting from the cheapest one for $30... in the last 20 years, perhaps.

You're not the first one with this idea. Your journey will be full of surprises. Many threads around on the subject.

I have nothing to add here. I'm only interested in recycling the equipment you are talking about. Good luck.

I haven't taken a really close look at home routers in at least five years and back then they were really lame. IDS was a foreign concept to them. Kiddie network toys for the most part. I'm surprised and impressed how much they advanced.

I don't have to do too much research on what ISPs gather; they're just a big sniffer sucking up ALL our packets and analyzing them to profile us. My ISP dropped more cookies on my systems than any other website, and then they follow us around. Now I block all their cookies unless I have to briefly access my account. I also use add-ons in Firefox to block other cookies and trackers too. When I switched ISP three years ago the first thing I did was go into their router and I saw all my network devices registered, and I'm not running network discovery, file sharing or anything else that broadcasts my devices. That's when their router went behind a firewall. I had to call their tech support once and the tech said to me in a baffled manner "I can't see your network". And I said "No kidding! That's by design!" LOL

My network is configured to use anonymous DNS servers too that don't keep logs. (103.86.96.100, 103.86.99.100)
 
A lot of what I read so far is from not exactly correct to straight wrong, but I have no intentions to participate in this discussion.
 