DMZ and no access to ports on public ip?

Hi there

I've got a fiber router from my IP, but they lock the access (Web GUI) to it.

The private IP address class (LAN) of it is

And it has a port forwared from any port to

So i can configure my own OpenWRT router as a DMZ - when i use the static IP on its WAN port.

Then i'm able to configure a port forward, e.g. to port 80 from:

-> public ip -> (fiber router) - > (my own OpenWRT router) -> (win10 machine with apache)

BUT: When i try to enter the public ip in browser (same computer where apache on port 80 is runnnig), there is no response on port 80.

When i use tor browser, a vpn connection or a separte internet connection on my mobile phone, port 80 gives me a reponse...

That problem is really really strange... does somebody have a hint for me? May be the problem on my own OpenWRT router or on the fiber router of my ISP?


Microsoft Windows [Version 10.0.17134.228]
(c) 2018 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\zzz>tracert yyy

Routenverfolgung zu [yyy]
über maximal 30 Hops:

1 <1 ms <1 ms <1 ms OpenWrt.lan []
2 4 ms 8 ms 3 ms [yyy]

Ablaufverfolgung beendet.


yyy = my public ip
xxx = my public ip written in a reverted way

port 80 on does also not respond on my own computer. (same computer where apache is running on port 80), but i also get a response from tor browser, with a vpn connection, from mobile phone. (so same as described before)

Then OpenWRT version i use is 18.06.1...

Thank you very much.

Best regards,

from i will get a response. (from the same computer where apache is running,


Maybe i need to change something at this place?


access from a virtual machine (which runs on the host system (=system where the apache runs on port 80) does also not work..


...and same problem with older versions of OpenWRT.

fwiw, sounds like a 'NAT loopback' problem.
In the past I have come across a few ISP supplied routers where NAT loopback was deliberately disabled apparently to improve security.
I'm no expert, but I'm wondering if your problem is actually caused by what looks like a double-NAT setup (daisy chained routers).
Do you see the same symptoms if you are able to replace the openwrt router with a non-openwrt device?

1 Like


"double-NAT setup"

Yes, they both run with nat. the 1st one from the isp has a dmz (set up by the isp, i don't have access to the config), the 2nd one (my openwrt) has nat too, and redirects all requests from it's external tcp port 80 on to the 2nd private subnet to

so you think the problem is on that first router, the fiber one from the isp.

"nat loopback" is enabled on the port 80 tcp rule on openwrt router.

do you think it's a nat loopback problem on the first (fiber from isp) router?


I can't answer the question because I'm not familiar with your ISP and its locked down router.

If your ISP has a user support forum, I would suggest asking if any other customer has encountered the same issue when using the fibre router.

does also not, because of it i commented it out:

#insmod ipt_mark
#insmod xt_mark
#iptables -t mangle -A PREROUTING -i ! get_wanface -d nvram get wan_ipaddr -j MARK --set-mark 0xd001
#iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

...before i had the fibre router from the isp, i had a cable mode (in bridge mode) at this time, i never had problems with port forwards on openwrt..

Workaround: ""

set -x && wget -qO- > ./public_ip.txt
for IP in $(cat ./public_ip.txt); do iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 80 -j DNAT --to-destination; done
iptables -t nat -A POSTROUTING -d -s -j SNAT --to-source && rm -f ./public_ip.txt


That's the place to put that file in - it should start without any user interaction (similar to a servicie) and AFTER all other iptables firewall rules...

Thank you for your feedbacks.

P.S.: If you see something to improve, it would be nice if you tell it to me! :wink:

With best regards,

Hehe, i think i need to correct myself, i was a lil bit tired so i think. So the sentence should be:

"What's the best directory to put that file in?

It should start without any user interaction (similar to a servicie) and AFTER all other iptables firewall rules..."


Your ISP's router isn't configured to allow "hairpin NAT".

Yes and i don't have any access the the config gui. The ISP configured a DMZ for me on Because of that, i use a OpenWRT router too. (IP

What's the "best" directory in put in my iptables workaround script. It needs to start like a service - without any user interaction, not manually, with every router boot:

set -x && wget -qO- > ./public_ip.txt
for IP in $(cat ./public_ip.txt); do iptables -t nat -A PREROUTING -d $IP -m tcp -p tcp --dport 80 -j DNAT --to-destination; done
iptables -t nat -A POSTROUTING -d -s -j SNAT --to-source && rm -f ./public_ip.txt

That depends on the contents of the include directive in /etc/config/firewall.

By default it points to the file at /etc/firewall.user but that can be changed.

1 Like

It should be executed AFTER all other firewall rules...

Bung your custom rules in a separate script, then use a sleep timer to delay the execution of the script, on each startup:

sleep 60

Thank you very much, will look for that..:slight_smile:

1 Like

Isn't that the correct path to execute it automatically?


instead of


? may contain some relevant information.