On the F@ST5355 I have set the WNDR3700 to be in the DMZ.
The ISP-provided F@ST5355 modem/router is configured in bridge mode, with DHCP enabled. LAN-side it is 192.168.1.1, WAN-side it is the ISP-provided dynamic IP address. (I use NO-IP.COM to link this dynamic IP to a domain name.)
Connected to a LAN port on the F@ST5355 LAN by its WAN port is a Netgear WNDR3700v4 with DDWRT DD-WRT v24-sp2 (12/22/14) std (SVN revision 25697). WAN-side it is 192.168.1.3, LAN-side it is 192.168.200.2. The WNDR3700v4 is my LAN DHCP server.
On the WNDR3700v4 I have enabled the internal DDWRT web server (ports 81, 443) and the internal openvpn server (port 1194).
I have forwarded port 80 (web server) and 25, 465, 587, 143, 993, 110, 995 (email server) to raspberrypi1.
I have also forwarded port 4444 (2nd openvpn) to raspberrypi2.
WNDR3700v4 / ports 81 and 443 = visible
WNDR3700v4 / port 1194 = not visible [<< not sure why this is the case...?]
raspberrypi1 / ports 80 = not visible
raspberrypi2 / ports 4444 = not visible
When I set raspberrypi1 into the DMZ on the DDWRT WNDR3700v, port 80 is still not visible - but then neither is port 81. Removing raspberrypi1 from the DMZ then makes port 81 visible again.
:~$ sudo nmap -sT -sU -p 80 192.168.200.2 (WNDR3700v4 LAN-side)
Starting Nmap 7.40 ( https://nmap.org ) at 2019-03-31 16:36 AEDT
Nmap scan report for wndr3700v4 (192.168.200.2)
Host is up (0.0093s latency).
PORT STATE SERVICE
80/tcp open http
80/udp closed http
MAC Address: 28:C6:8E:B3:D3:5B (Netgear)
Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
:~$ sudo nmap -sT -sU -p 80 192.168.1.3 (WNDR3700v4 WAN-side)
Starting Nmap 7.40 ( https://nmap.org ) at 2019-03-31 16:33 AEDT
Nmap scan report for 192.168.1.3
Host is up (0.0059s latency).
PORT STATE SERVICE
80/tcp open http
80/udp closed http
Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
:~$ sudo nmap -sT -sU -p 80 192.168.1.1 (F@ST5355 LAN-side)
Starting Nmap 7.40 ( https://nmap.org ) at 2019-03-31 16:35 AEDT
Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
PORT STATE SERVICE
80/tcp open http
80/udp open|filtered http
Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
:~$ sudo nmap -sT -sU -p 80 xxx.xxx.xxx.xxx (F@ST5355 LAN-side)
Starting Nmap 7.40 ( https://nmap.org ) at 2019-03-31 16:37 AEDT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.0080s latency).
rDNS record for xxx.xxx.xxx.xxx
PORT STATE SERVICE
80/tcp filtered http
80/udp open|filtered http
Nmap done: 1 IP address (1 host up) scanned in 6.60 seconds
So, the problem I have is that I can reach services on the WNDR3700v4 router, from the internet, but I cannot reach services beyond this router, on the LAN.
But when I check e.g. raspberrypi1 on the LAN, and the forwarding rules on the DDWRT WNDR3700v4 router, it seems all the right ports are open/forwarding.
What am I missing?
Last edited by castletonroad on Sun Mar 31, 2019 6:23; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sun Mar 31, 2019 6:24 Post subject:
Your ISP modem is not in bridge mode; otherwise the Netgear would get a Public IP.
So you have to port forward both your ISP modem and the Netgear.
If possible, use bridge mode on the ISP modem; if not, place the Netgear in the DMZ of the ISP modem, that saves you the port forwarding from the ISP modem.
If you place the Netgear in the DMZ then give it a static lease.
Something doesn't make sense here. If the Sagemcom is in bridge mode, then the dd-wrt router should be assigned the public IP on its WAN. But you indicated a *private* IP (192.168.1.3). You can't remotely access your dd-wrt router unless it has a *public* IP!
The Sagemcom says it's in bridge mode.
FYI, this morning I swapped out a Netgear D6200 (stock firmware) for this WNDR3700 (DDWRT). I recall port forwarding worked, and it saw the ISP IP as its IP, not an assigned IP like 192.168.1.3...
Your ISP modem is not in bridge mode; otherwise the Netgear would get a Public IP.
So you have to port forward both your ISP modem and the Netgear.
If possible, use bridge mode on the ISP modem; if not, place the Netgear in the DMZ of the ISP modem, that saves you the port forwarding from the ISP modem.
If you place the Netgear in the DMZ then give it a static lease.
The build of your Netgear is really old, consider upgrading, read the build threads, it could be that this is one of the routers that is picky about build size.
Sagemcom says the WNDR3700 with a static IP is in the DMZ...
Joined: 16 Apr 2016 Posts: 307 Location: California
Posted: Mon Apr 01, 2019 0:41 Post subject: Reset
Factory reset the wndr3700. Then factory reset the cable modem.
Put the cable modem in bridge mode after the factory reset.
The cable modem will firewall the router if you switch between a known router and a foreign router.
I encounter this problem all the time with my customers who swap out their old routers with new ddwrt routers. The cable modem always has to be reset on isp equipment.
_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
Posted: Mon Apr 01, 2019 8:07 Post subject: Re: Reset
sploit wrote:
Factory reset the wndr3700. Then factory reset the cable modem.
Put the cable modem in bridge mode after the factory reset.
The cable modem will firewall the router if you switch between a known router and a foreign router.
I encounter this problem all the time with my customers who swap out their old routers with new ddwrt routers. The cable modem always has to be reset on isp equipment.
Spot-on.
A clue that the ISP router/modem (F@ST5355) was misbehaving was in that the VOIP phone light was still on, and the internal admin page said the phone was available - internet phone is NOT available on this router when in 'bridge mode'.
I factory reset the ISP router/modem (F@ST5355), then put it back into 'bridge mode'. Didn't even need to reboot the WNDR3700v4 DDWRT router, just renewed the DHCP lease.
All is now working the way it should! My DDWRT router is now seeing the ISP provided IP.
Joined: 16 Apr 2016 Posts: 307 Location: California
Posted: Mon Apr 01, 2019 8:19 Post subject: You're Welcome
You're Welcome.
And the only reason I suggested the wndr3700 reset was because you had set up so many settings I wasn't sure if any of them might cause other problems as well.
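The check the replies apply by eye (a private address such as 192.168.1.3 on the router's WAN side means the modem in front of it is still routing) can be scripted. This is an added example, not code from any poster in the thread; the function names are hypothetical, 8.8.8.8 is a constructed stand-in for a public lease, and the carrier-grade NAT and link-local cases go beyond the one case discussed above.

```python
import ipaddress

# Ranges a router WAN port can hold that are not reachable from the internet.
NON_PUBLIC = {
    "RFC 1918 private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "RFC 6598 carrier-grade NAT": ("100.64.0.0/10",),
    "link-local (no DHCP lease)": ("169.254.0.0/16",),
}


def classify_wan(addr):
    """Return the class of address the router's WAN interface was given."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public" if ip.is_global else "other reserved"


def diagnose(router_wan, forwarded_ports):
    """Report whether the router is directly reachable from the internet and,
    if not, which of its own port forwards stay unreachable until the
    upstream device forwards them too (or places the router in its DMZ)."""
    wan_class = classify_wan(router_wan)
    direct = wan_class == "public"
    return {
        "wan_class": wan_class,
        "reachable_directly": direct,
        "needs_upstream_rule": [] if direct else sorted(forwarded_ports),
    }


if __name__ == "__main__":
    # Forwarded ports as listed in the first post of the thread.
    forwards = [80, 25, 465, 587, 143, 993, 110, 995, 4444]
    # 192.168.1.3 is the WAN address from the thread; 8.8.8.8 is a constructed sample.
    for wan in ("192.168.1.3", "8.8.8.8"):
        print(wan, diagnose(wan, forwards))
```

On DD-WRT the value to pass in is the WAN IP shown on the router's status page; if it is not public, fixing bridge mode upstream comes before touching the router's own forwarding rules.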