Posted: Wed Oct 05, 2022 7:20 Post subject: Port forward / Double NAT question with XFINITY comcast
Hello,
This is my first post so my apologies if this question has been answered and/or if it is in the incorrect discussion forum.
Now, before I post the setup, I am aware that this can be completely resolved by putting the XFINITY router in bridged mode and having the DD-WRT device handle the requests directly.
So, I have an XFINITY router and plugged into one port is my DDWRT device (Linksys Nighthawk R8000). I am preparing to host several websites with a single Apache server, but before I do I am familiarizing myself with iptables so as to provide as much protection as possible for the VM running what I need. Now, with this said, on the Xfinity router I can either port forward (which is rather lame because half of the time the router does not pick up VM hosts correctly) or create a DMZ host IP to open that up completely to the world.
Rather than a port forward, I feel a DMZ would be best suited for my needs / setup due to the control I would have over what is allowed via iptables rules. So, my question is, would I open up a DMZ to my DD-WRT router and from the DD-WRT router do port forwarding as normal, due to all ports essentially being opened from the Comcast side of things because this single host is in the DMZ?
80/443 port forwarded as needed on the DD-WRT, plus additional port forwards to other VMs (currently running a WireGuard VPN on a separate VM until I test / configure the one DD-WRT can host).
Is this setup possible or do I have to do some strange double-NAT thing with the two devices? I assume creating a DMZ host (the DD-WRT router) would forward any and all traffic to the DMZ, in which case I would just do normal port forwarding rules within the DD-WRT as normal.
In theory, I believe this to make sense, but I am not sure in practice. I suppose I can test this individually.
XFINITY LAN (10.0.0.0/24) —> WAN IP of DD-WRT (10.0.0.2), VM IPs (192.168.50.50-55). DMZ open to 10.0.0.2, DD-WRT port forward 80/443 to 192.168.50.50 (VM hosting Apache). Will this work? Many thanks in advance, and I can post the config / build of DD-WRT if needed.
Side question: is there any plan to implement nftables within DDWRT, as iptables is heading the way of the dodo?
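The setup sketched above (Xfinity DMZ host = DD-WRT WAN 10.0.0.2, then DD-WRT forwards 80/443 to the Apache VM and nothing else) as a DD-WRT firewall script. This is an added example, not code from the thread or from the DD-WRT project; the WAN interface name and the WireGuard placeholders are assumptions, the addresses are the ones given in the post.

```shell
#!/bin/sh
# DD-WRT firewall script (Administration > Commands > "Save Firewall") for the
# setup in this thread: the Xfinity DMZ host is the DD-WRT WAN address 10.0.0.2,
# so every unsolicited inbound port reaches DD-WRT; DD-WRT then DNATs only
# 80/443 to the Apache VM and drops any other new inbound connection from WAN.
# Added example, not from the original thread. The WAN interface name and the
# WireGuard placeholders are assumptions; the addresses come from the post.
WAN_IF="vlan2"            # assumed DD-WRT WAN interface (check with: nvram get wan_ifname)
WAN_IP="10.0.0.2"         # DD-WRT WAN address, i.e. the DMZ host on the Xfinity side
APACHE_VM="192.168.50.50" # VM hosting Apache
IPT="${IPT:-iptables}"    # set IPT="echo iptables" to print the rules instead of applying

# forward_port <proto> <wan_port> <lan_ip> <lan_port>
# DNAT on the WAN side plus a matching ACCEPT in our WAN_IN chain.
forward_port() {
    $IPT -t nat -I PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    $IPT -A WAN_IN -d "$3" -p "$1" --dport "$4" -m state --state NEW -j ACCEPT
}

fw_rules() {
    # Own chain, jumped to from the top of FORWARD, so our rules are evaluated
    # in the order written regardless of what DD-WRT already placed in FORWARD.
    $IPT -N WAN_IN 2>/dev/null || $IPT -F WAN_IN
    $IPT -I FORWARD -i "$WAN_IF" -j WAN_IN
    # Replies to connections the LAN/VMs opened, and to forwarded ones.
    $IPT -A WAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_port tcp 80  "$APACHE_VM" 80
    forward_port tcp 443 "$APACHE_VM" 443
    # The WireGuard VM mentioned in the post would use the same helper; its
    # port and address are not given in the thread, so placeholders only:
    # forward_port udp WG_PORT 192.168.50.5X WG_PORT
    # The DMZ exposed every port: anything without an explicit forward is
    # dropped here, so the other VMs stay unreachable from the internet.
    $IPT -A WAN_IN -m state --state NEW -j DROP
}

case "${1:-}" in
    apply) fw_rules ;;                       # ./firewall.sh apply
    show)  IPT="echo iptables" fw_rules ;;   # ./firewall.sh show prints the rules
esac
```

Run it with `show` first and compare against `iptables -t nat -L PREROUTING -n` on the router before pasting it into the firewall script box.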
Posted: Wed Oct 05, 2022 7:39 Post subject:
Welcome to the forum.
We can give the best support if you start with not only what router you have but also what build you are running, current build is 50357.
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Placing your DDWRT router in the DMZ of the modem and then port forwarding on your DDWRT router is certainly a good way to deal with this.
Posted: Wed Oct 05, 2022 19:07 Post subject: Thanks
Great, I just wanted to be sure that would work. I would have opened a single VM to the DMZ, but Comcast only allows for a single DMZ host, as I plan on hosting a few other things.
For future questions, I will place my build etc as per the guidelines. My apologies and thanks again for the reply.