Yes. DMZ on router 1 exposes router 2 IP to internet.
this post was submitted on 26 Apr 2025
27 points (100.0% liked)
Selfhosted
46320 readers
477 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
This right here. Since you can’t really configure the ISP router (1), DMZ is the way to go. The DMZ feature on home routers usually allows you to select a specific device or devices to add to the DMZ so make sure to reserve/set a static IP on your router (2) and configure the DMZ on your ISP router (1) to include only that specific IP. DMZ essentially forwards all ports to that device.
Either DMZ on the first router, or bridge mode on the second.
I use cloudflare tunnel for this purpose. No open ports, no dealing with ISP, no exposing my IP.
yet some people might want less america in their setup and try to avoid services like that.
The DMZ for the ISPs router forward to the second router, then everything that hits your outside IP will be forwarded to router 2. Then on Router 2 you open the ports for your service and forward to the internal machine. That should all work fine.
Thank you, will try. I was afraid of DMZ ...
You don't want two routers as that creates a double NAT
Setup a service and them install Tailscale/Netbird on your devices. The reason double NAT is bad is that it can break NAT traversal used to allow you to directly remote access a device away from home.
Hey, I'm doing this now, using DuckDNS. But I had to forward a port thru Router 1, as you call it. That's your problem.
Maybe Tailscale would help you? (I've not used it though)
Or, instead of allowing port 80/443 traffic in, what I have is a random port used by my Wireguard VPN opened only. But I have to connect thru that when I'm not at home. I. E. only I can access my web server.
UPDATE:
1: Thanks to all of you for helping me out!
2. I just had a chat (on Sat-Eve) w my ISP, they could open a "bridge-port" on their last "Lan-socket" on R1.
That's the way to go, if not, i'll go DMZ, correct?
You want DMZ. I have the same setup. DMZ will make router 1 consider router 2 to be WAN and not behind firewall.
Yes, but DMZ is a better solution if you want to let Router 2 handle your network
You're going to get double NAT'd if you don't have a proper passthrough. Is there a specific reason you have two routers setup like this?
Probably because the ISP modem/router has limited capability.
I've done 2 routers like this for years (out of laziness more than anything) because cable modem router suck from a capability standpoint.
The actual cable modem can run in passthrough mode though. Look up the model and find the docs. Should be a quick and easy change, or your ISP at least should able to change it. It would be absurd if not.
the ISP locked their router. I have to go the the ISP's site, login and change settings there... can't even change DNS on ISP-router.
That's a bummer. Have you asked them about running it in passthrough mode?
No I haven't. First i got to educate myself what these different modes are...
Passthrough in this sense just means that the ISP cable modem only acts as a modem, handing off all traffic to your router to control. Essentially it just disabled NAT so you won't have double-NAT'ing happening. It's a standard setting on all cable modems, so I know that part is possible, but it's more about getting your ISP to enable that if they have it locked.
that's exactly why.
Is the ISP device a cable modem or is it fiber?
You may be able to replace it with your own stuff
it's fiber.
Do you have a username and password for PPP? You could replace the device with something with a SPF port
Another option is that you could turn off masquerading (NAT) on the Asus router. This may not work but if you have different IP ranges on each device theoretically it would avoid double NAT
I'm actually behind 3 routers and still hosting stuff to the internet. My house is behind cgnat, I have two isp routers, which both connect to a pfsense router (ip of which is in the dmz of each isp router).
My pfsense router and a free vps hosted at oracle are both connected via tailscale. Pfsense router advertises specific subnet addresses to the tailnet. VPS uses caddy to reverse proxy to those subnet addresses to expose them to the internet.