OpenWrt & "Advanced DMZ"

My ISP's router provides a DMZ and "Advanced DMZ" support. The second one assigns a selected device (an OpenWrt router connected to a LAN port) an external IP, so there is no double NAT here. Can something like this be done in OpenWrt?

https://openwrt.org/docs/guide-user/network/wan/multiple_public_ips

I honestly think @fantom-x is asking about just simple DMZ in OpenWrt..

If your ISP/Edge router is "Advanced DMZ'ing" (meaning, it's just forwarding anything inbound to the OpenWrt device), and you want to pass that through to a device behind the OpenWrt router, you'd just (again) DMZ the OpenWrt device to pass through to whatever device you assign.

In simple DMZ the second level router gets a private IP. I am asking about a setup, where the second router gets a public ip. I just looked at my routers (ISP's and OpenWrt) and they both have the same public IP on their WAN interfaces and it all somehow works.

You want to find out if your ISP's router has a Bridge mode then, which will not interact on the outside packets and just act as a forwarding agent to the OpenWrt device. This will allow the ISP's device to pass on the IP assignment to the OpenWrt device.

This happens because in the DMZ, anything unsolicited goes to the DMZ. Your ISP's router will still NAT anything else and recognize the returning traffic and route it outside of the DMZ.

You misunderstand it: I did not use myip.com to get the IP of the WAN interface. I got them from the second router itself and the WAN interface got an external/routable IP. And so did the first router. I know what a bridge mode is and how a regular DMZ works (by forwarding everything to an internal IP), but there is no internal IP in this case: the secondary router got an external IP. And the ISP's router does some magic to make this happen. I want to understand what that magic is and use it.

Thx, but this does not seem to be the same: there is a public IP assigned to the ISP router (I use a LAN port to connect to it and myip.com returned the same IP as the ISP's router interface). Then I ssh'ed into the second router (OpenWrt) and its WAN IP got the same public IP via DHCP. There are no multiple IPs involved.

Unless you bridge somehow a lan port with a wan interface and let the lan host negotiate directly with the ISP, this is the closest you can get with OpenWrt.
