Recommended Posts

Hello, I was looking to have one of my network devices completely exposed to the internet, as I have read the easiest way to do this is by setting up a DMZ (after giving that device a dedicated IP)

The problem I am running into is this, my router DOES NOT have a DMZ setting, so I was wondering if I can just open up the entire range of ports (1-65534) through port forwarding. Will this give me the same affect?

Link to comment
https://www.neowin.net/forum/topic/1026548-alternative-to-setting-up-a-dmz/
Share on other sites

  On 18/09/2011 at 20:21, remus_lupin said:

Hello, I was looking to have one of my network devices completely exposed to the internet, as I have read the easiest way to do this is by setting up a DMZ (after giving that device a dedicated IP)

The problem I am running into is this, my router DOES NOT have a DMZ setting, so I was wondering if I can just open up the entire range of ports (1-65534) through port forwarding. Will this give me the same affect?

The thing about a DMZ is that it puts that computer separate from your internal network. If you just open those ports, that machine is still on your internal network, and then you'd need to run a firewall on your other machines to protect it from that machine since it's wide open.

Why do you need a device completely exposed? What device is it?

EDIT: What router do you have? I've never seen one that doesn't have a DMZ.

  On 18/09/2011 at 21:21, HawkMan said:

It will, along with most likely breaking your network.

If you don't have a dmz, just open the ports you need.

Yeah it did break my network, I undid it. The problem is, I have TRIED opening just the ports I need but it didn't help. So I figured I would try giving my device FULL access to the internet (no restrictions)...

  On 18/09/2011 at 21:25, farmeunit said:

The thing about a DMZ is that it puts that computer separate from your internal network. If you just open those ports, that machine is still on your internal network, and then you'd need to run a firewall on your other machines to protect it from that machine since it's wide open.

Why do you need a device completely exposed? What device is it?

EDIT: What router do you have? I've never seen one that doesn't have a DMZ.

Here is what I am trying to do, get my PS3 from NAT type 3 to NAT type 2. I have tried opening all recommended ports and UPNP is enabled, I have searched through many different forums and attempted many different things, setting up a DMZ was my last resort less of calling my ISP and asking for a public IP (as the one I have is private - I read this may cause my NAT type 3 problem). However they charge $10 each month for a public IP, so I was looking for a way around this.

EDIT: It's a new internet service (I live out in the country and cannot get fibre optics/cable etc. it is a turbo hub from bell with a built in router that allows me to get highspeed internet service) The modem/router is made by Netgear and the model is MBR1210

http://www.bell.ca/shopping/en_CA_ON.4G-NETGEAR-MBR1210Turbo-Hub/71142.details

  On 18/09/2011 at 21:43, farmeunit said:

Yup I have tried both of those, however I do thank you for the link to the manual (doh) I am going to try setting up the DMZ now, hopefully it will work!

Unfortunately setting up a dmz did nothing, I still have NAT type 3.

I have each of my devices running on their own IP and I made sure when I set up the DMZ that I added the IP for the PS3 and not one of my other computers, I also made sure I put the NAT filtering on OPEN not secure

Unfortunately setting up a dmz did nothing, I still have NAT type 3.

I have each of my devices running on their own IP and I made sure when I set up the DMZ that I added the IP for the PS3 and not one of my other computers, I also made sure I put the NAT filtering on OPEN not secure

  On 18/09/2011 at 22:22, remus_lupin said:

Unfortunately setting up a dmz did nothing, I still have NAT type 3.

I have each of my devices running on their own IP and I made sure when I set up the DMZ that I added the IP for the PS3 and not one of my other computers, I also made sure I put the NAT filtering on OPEN not secure

Sounds like double nat to me

  On 18/09/2011 at 22:25, chrispinto said:

Sounds like double nat to me

I don't have a second router on my network, the turbo hub has one built in and I am using that directly.

  On 18/09/2011 at 22:25, x9248 said:

PS3 supports uPnP btw.

I have tried UPnP on my router and PS3, still NAT type 3, then I tried manually port forwarding. Still NAT type 3.

I am not having trouble with playing games, even with type 3 all games I have tried work well, I just can not do video chats.

i had the same issues. have a E2000 Cisco router, we have 2 XBox360 1PS3 3 computers in the house, and this NAT problem was happening with the 2 xbox360 and PS3. I ended up installing DD-WRT onto my router and now i dont have the issue. the custom firmware is amazing! i day look into what you have and if you cant install it, get a new router that lets you!

  On 18/09/2011 at 23:52, lflashl said:

i had the same issues. have a E2000 Cisco router, we have 2 XBox360 1PS3 3 computers in the house, and this NAT problem was happening with the 2 xbox360 and PS3. I ended up installing DD-WRT onto my router and now i dont have the issue. the custom firmware is amazing! i day look into what you have and if you cant install it, get a new router that lets you!

Unfortunately I do not think this will help in my case, as the turbo hub itself is what seems to be limiting my NAT type, so even if I bought an external router and put DD-WRT on it, it would still be going through the turbo hub and my NAT would be limited at that point. Having said that I checked google and there is no custom firmware for my particular model.

Thank you very much for the suggestion though!

seems like this problem has been going on for sometime, and there is no fix for it. what about firmware is there a update you can use? have you contacted the location where you got the device from and question with them?

"calling my ISP and asking for a public IP (as the one I have is private"

If your router has a private IP from your ISP on its wan port, then yeah your behind a double nat.. And nothing you do on your router is going to make any difference for unsolicited inbound traffic.

Unless you have control over the device giving your router the private IP on its wan port, there is NOTHING you can do.

  • Like 1
  On 19/09/2011 at 11:03, lflashl said:

seems like this problem has been going on for sometime, and there is no fix for it. what about firmware is there a update you can use? have you contacted the location where you got the device from and question with them?

  On 19/09/2011 at 12:16, BudMan said:

"calling my ISP and asking for a public IP (as the one I have is private"

If your router has a private IP from your ISP on its wan port, then yeah your behind a double nat.. And nothing you do on your router is going to make any difference for unsolicited inbound traffic.

Unless you have control over the device giving your router the private IP on its wan port, there is NOTHING you can do.

Unfortunately I did call them and they would not give me a public IP... They told me that they are only available for their business clients.

Oh well, thanks for all your help!

So you can not get any unsolicited inbound traffic? Or do they have your private IP in the dmz of their nat? You can make things work in a double nat, as long as the traffic is being sent to your private IP.

I would do a simple port forward to some service that is listening, be it ftp, ssh, http, telnet, something that is easy to turn on and you know is listening on your machine via netstat -an seeing the box listening on that port.

Then setup a forward on your router to that port and ip of the box listening. Then check that with canyouseeme.org -- do you see that port open.

I can walk you through a simple port open and forward check.

  On 19/09/2011 at 13:42, BudMan said:

So you can not get any unsolicited inbound traffic? Or do they have your private IP in the dmz of their nat? You can make things work in a double nat, as long as the traffic is being sent to your private IP.

I would do a simple port forward to some service that is listening, be it ftp, ssh, http, telnet, something that is easy to turn on and you know is listening on your machine via netstat -an seeing the box listening on that port.

Then setup a forward on your router to that port and ip of the box listening. Then check that with canyouseeme.org -- do you see that port open.

I can walk you through a simple port open and forward check.

Thanks, I will try this when I get home, I am at school all day today. Will be home around 10:30pm Eastern time.

I think I understand what I need to do, I won't know until I actually try though, so a walkthrough would be fantastic.

depends on the server your picking, lets say you installed filezilla server, by default ftp server listens on tcp 21, so you verify ftp server is listening say on your box 192.168.1.42 via netstat -an on the .42 box, or just accessing it via 192.168.1.42 from a different box on your network - does ftp work? If so then your listening, now go to canyouseeme.org and put 21 for the port - should show closed, then setup the port forward on your router to forward 21 to your 192.168.1.42 now does canyouseeme.org show open? If so then you have atleast some inbound ports forwarded by your isp to your private IP.

If shows not open even when you forward, then your isp is not forwarding any ports to your routers private wan IP. And there is nothing you can do for running any services or having any unsolicited reaching your network.

Now you say your routers wan has a private ip?? Really, thats a really lame ISP -- you might want to change. So your saying when you look on the wan status of your router it shows 10.x.x.x, 192.168.x.x or 172.16-31.x.x ?? If this is the case your ISP is a joke, and I would switch as fast as I could get another one connected.

But if that is not an option, if your ip is private, you can reduce issues with making sure your routers nat private side is different. Ie if your routers wan is 192.168.1.0/24 then make your private lan 192.168.2.0/24 for something.. Having the same network on your wan and lan can cause you all kinds of grief -- it works sometimes, but can have issues.

I tried your steps but even after port forwarding canyouseeme.org still was unable to pick up anything through port 21 (using filezilla).

And yes the WAN status of my router shows 172.16.x.x

Right now I am with Bell Canada, I would switch... but unfortunately I can not, I live in a very bad area and don't really have any other choice (rogers offers the same service but slower - and I have read online they suffer from the same things I am currently experiencing). I had dial-up until a couple years ago (we can not get cable etc.) I am using a portable internet service that uses cell service for internet (its expensive and offers little bandwidth).

I had a different service which was much more open (allowed for NAT 1 on my PS3) however just last week they said they were discontinuing the service and I would have to convert to this new one. Sure it's faster but I went from an unlimited bandwidth plan (3mbps) at $45/month to a 3GB/month plan on a 21mbps speed (5mbps down) for $55/month going up to a max of 10GB in a month for $80. However I have 6 months unlimited, at the end of which I am sure they will have larger plans at more reasonable prices.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Because Win7 was beautiful, much faster and more functional than XP. Win10 (glossing over 8 as many do) was slightly faster in some cases, more functional in some cases, but some people such as myself hated how it looked and decided it wasn't worth the upgrade. Some people liked (or were ok with) the look, and thus it is a good upgrade. Win11 is like 10, but is less functional between key features being removed and constant bugs/crashes either due to updates, or just things that were never patched. It literally has nothing going for it, and I use it every day at work so I'm quite familiar with it.
    • I switched my mom from Chrome to Firefox and she had a serious meltdown. She even managed to figure out how to reinstall Chrome, which really surprised me. What finally got her to switch was Chrome no longer being supported on Win7 and me putting a Chrome skin on FF, and setting it up identically.
    • Feels very much like most other gnome based Linux distros. There is minimal amounts that are influenced by Windows 11, maybe just enough to make people who are switching comfortable enough with the idea. As far as I can tell its mainly just turning the 'taskbar' panel as a 100% sized static panel, rather than the default dynamic sized. Turning it from the Mac OS Dock into the Windows taskbar. The Arc Menu - that I assume you're taking not with from the screenshots, is indeed the Windows 11 style one, but it has lots of other options too, from the more traditional gnome, Windows 7 etc. Still free to install what ever Window Manager you want once you're comfortable enough with Linux though.
    • Wow, and here I'm still happily using 1080p...
    • Added an extra filter to Fail2Ban.  I thought about just adding this to my existing aibots filter, but for the time being I'm keeping it separate because it's "possible" real humans may trigger this one so as long as it doesn't start filling my inbox I'd like to get notified about these so I can adjust it as necessary in the future. I'm still holding close to 10k unique IP addresses at any given time that have been banned via the "aibots" filter that looks for certain user agent strings of known AI scrapers.  However, I've been getting an increasing amount of traffic trying to scrape the site with sanitized user agent strings that just look like normal web browsers, however... Because I enabled authentication I can now see that they're racking up lots of 401 (unauthorized) responses in the Apache "access.log" file, but they're not triggering anything in the Apache "error.log" file, which is where failed attempts to log in would appear.  Basically, if an actual human tried to log in with an invalid username and password they don't immediately go into "access.log" as a 401, they go into "error.log" with a status message such as "user FOO not found".  The only way to trigger a 401 simply by visiting the site, as far as I'm aware, is to hit "Cancel" on the login prompt, or otherwise try to access files directly without properly authenticating. So, given the fact I'm getting a few thousand 401 errors a day from sanitized user agent strings that don't show up in "error.log", which means no attempt at logging in properly, I added another jail/filter set to Fail2Ban to immediately ban anybody who triggers a 401.  This feels a bit nuclear so I may need to adjust it in the future, but as far as I'm aware so far no real humans are being inconvenienced so all I'm doing is wasting the time of some AI scraper bots. Example log entry 61.170.149.70 - - [25/Jun/2025:20:01:04 -0400] "GET /content/mdwiki_en_all_maxi_2024-06/A/Neuroregeneration HTTP/1.1" 401 3287 "https://kiwix.marcusadams.me/content/mdwiki_en_all_maxi_2024-06/A/Neuroregeneration" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.43" Contents of /etc/fail2ban/filter.d/apache-401repeat.conf #Fail2Ban filter for bots and scrapers that try to access #files directly without entering credentials for apache2-auth #and therefore trigger lots of 401 errors without triggering #the apache-auth jail. # #Marcus Dean Adams [Definition] failregex = ^<HOST> .+\" 401 \d+ .*$ Contents of /etc/fail2ban/jail.d/apache-401repeat.local [apache-401repeat] enabled = true ignoreip = 10.1.1.1 port = 80,443 filter = apache-401repeat maxretry = 1 bantime = 672h findtime = 10m logpath = /var/log/apache2/access.log Oh, and all this traffic is AFTER I explicitly banned Alibaba's IP ranges that were absolutely blowing me up day and night. Observation; two of the IP addresses that have triggered this jail in the 30 or so minutes since I turned it on were owned by Microsoft.  Wonder if they're doing their own AI scraping/probing, or if that's just an Azure VM owned by somebody else.
  • Recent Achievements

    • Rising Star
      Phillip0web went up a rank
      Rising Star
    • One Month Later
      Epaminombas earned a badge
      One Month Later
    • One Year In
      Bert Fershner earned a badge
      One Year In
    • Reacting Well
      ChrisOdinUK earned a badge
      Reacting Well
    • One Year In
      Steviant earned a badge
      One Year In
  • Popular Contributors

    1. 1
      +primortal
      552
    2. 2
      ATLien_0
      208
    3. 3
      +FloatingFatMan
      175
    4. 4
      Michael Scrip
      152
    5. 5
      Som
      139
  • Tell a friend

    Love Neowin? Tell a friend!