0

I have additional routers behind the Modem/Router supplied by my ISP. This configuration was created to deal with a number of issues, such as port forwarding of connections entering from the internet that need to be directed to a Windows Server connected to the 2nd Router.

The layout looks like this:

  • ISP Modem/Router 192.168.100.1 - receives incoming internet traffic (DHCP enabled) including On Demand TV, passing it to a TV Set Top Box and to the 2nd Router.
  • 2nd Router 192.168.90.1 - receives internet traffic from ISP Modem/Router, configured with 192.168.100.1 as Default Gateway and (DHCP enabled) serving all WiFi and Ethernet LAN traffic, including the Windows Server configured as 192.168.90.10.

I use an MS-SQL based App, running on this Server and on a companion desktop PC (192.168.90.11), to enable database synchronisation from within the LAN and from the internet. The LAN PC Sync with the Server works fine, the external (internet) Sync can't connect to the Server. But the external PC can ping the Server which has a DDNS Domain up and running.

I've tried configuring open ports on the Server's Firewall, no luck. Disabled the Firewall, no luck.

Between the 2 routers, I have configured port forwarding as follows:

  • Router 1 (192.168.100.1) - forward ports 80, 65100, 1433, 1434 etc to
  • Router 2 (192.168.90.1) - forward ports 80, 65100, 1433, 1434 etc to Server (192.168.90.10)

My main purpose in separating the 2 LANs is to keep the internet TV and associated hardware separate from the Windows and Android devices that come and go.

Is there something I'm missing, or is there a better way to approach this?

2
  • You will get a better response if you don't have a wall of text. I'm probably qualified to answer your question, but could not be bothered to go wade through it. (I'm not the downvoter though)
    – davidgo
    Commented Jul 11, 2018 at 4:43
  • Are you sure the external PC is pinging your server, and not just your ISP's server(s)? Can you run e.g. Wireshark on your server and verify the ping packets arrive? Because most ISPs today use carrier grade NAT, which means you won't get port forwarding to work, no matter what you try. Another way to test is to temporarily remove the second router, and see if port forwarding works without the second router. If it doesn't, the second router and the two subnets are not the problem...
    – dirkt
    Commented Jul 11, 2018 at 6:19

1 Answer

0

In general this should work. There are two situations:

  1. Router 1 doesn't have a route towards the 2nd subnet (192.168.90.0/24, I assume).

    In this case, all port forwardings on Router 1 must use Router 2's external (WAN) IP address, i.e. 192.168.100.x, because it doesn't know how to reach the internal one.

  2. Router 1 does have a static route towards the 2nd subnet.

    In this case, port forwardings on Router 1 can point directly to your Server's IP address, and Router 2 does not need any port forwardings at all. (However, router 2 does need firewall rules allowing incoming connections.)

(I would say the 2nd is the more direct approach.)


You did not mention anything about whether you tested the individual components. The connections take quite a few hops, so it's not a black & white "it works / it doesn't work".

  1. Do connections from the internet, to TCP port 80, arrive at your external router?

    This might be difficult or impossible to test if it's a locked-down, combo modem/router. (If you're lucky, it'll have telnet access and tcpdump installed.)

    But do note that some ISPs actually block incoming connections on certain ports, either because they're risky (MS-SQL in particular had serious worms at some point) or because the ISP wants more sales for their business plan (thereby blocking website hosting on consumer plans).

  2. Does the external router correctly forward them to whatever is specified in the port-forwarding rules? In other words, does router 2 receive the packets?

    If router 2 doesn't have any method to test this (no telnet/tcpdump), change the forwarding rules to point to a computer in the 192.168.100.x network, and run Wireshark on that computer to confirm that it is receiving the packets. (Then change the rules back.)

  3. Does the internal router correctly forward packets to the server?

    This time, the server can have Wireshark or tcpdump installed easily, so you just need to start a capture and watch for the packets.

    The capture is unaffected by the server's own firewall, so it'll show packets coming in even if the OS doesn't react to them. (If that happens, you can assume the server's firewall is the problem.)

  4. Does the server respond?

  5. Do the responses travel all the way back?

3
  • Thanks for your response, here's my best info: 1. .90.0 IP I don't know about or what /24 means. Is that to point .100.1 IP to R2? 2. R2 f/wall is disabled, no need to configure port rules on R2 Others: 1. Don't know. It's Huawei HG8245H. The DDNS service (Dyn) shows my external IP active, translated to my ISP IP 2. Don't know. Possibly a log in R2, not sure 3. Don't know. The Server runs WServer2008R2. Where do I find that? I'll download Wireshark when I run a test 4. The Server responds to a LAN PC running Sync 5. I suspect Sync updates the subscriber if data has been added Commented Jul 11, 2018 at 8:57
  • Um, what do you mean by "my external IP ... translated to my ISP IP"? Commented Jul 11, 2018 at 9:46
  • Sorry about the lack of clarity there, I had run out of characters for my response. What I was trying to say is I use a Dynamic DNS service (Dyn.org) which translates my ISP assigned IP address to provide my domain name server address. So, even if my ISP IP address changes (as it will if I have to reconnect), they update my domain IP address automatically - it's just as though I had my own registered domain name and server, anybody connecting to my Domain doesn't need to know the IP address. Commented Jul 11, 2018 at 10:22
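The two points the answer and dirkt's comment turn on, as an added example that is not part of the original question or answer: first, whether the ISP router's WAN address is a real public address at all (a carrier-grade NAT address in 100.64.0.0/10, or an RFC 1918 address, means no amount of forwarding on the home routers can help); second, where Router 1 actually sends a packet once its port-forwarding rule has rewritten the destination, which is the difference between the answer's situation 1 (no route to 192.168.90.0/24, so the target must be Router 2's WAN address) and situation 2 (a static route, so the target can be the server itself). It also includes the plain TCP probe you would run from the outside for steps 1 and 4 of the answer's checklist. The addresses follow the question; Router 2's WAN address 192.168.100.2 and the route tables are assumptions, not something the question states.

```python
"""Checks for a double-NAT port-forwarding setup (added example, not from the thread).

Assumed layout, following the question: ISP router 192.168.100.1, second
router 192.168.90.1 whose WAN side sits on 192.168.100.0/24 (its WAN address
192.168.100.2 is an assumption), Windows Server 192.168.90.10.
"""
import ipaddress
import socket

# Carrier-grade NAT shared address space, RFC 6598.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def wan_address_kind(addr: str) -> str:
    """Classify the ISP router's WAN address.

    Only "public" can accept inbound connections. "cgnat" or "private" means
    the ISP is translating too, and port forwarding at home cannot work.
    """
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def lookup(route_table, dst: str):
    """Longest-prefix match: return the next hop Router 1 would use for dst.

    route_table is a list of (prefix, next_hop); next_hop "direct" means the
    destination is on a directly attached LAN, "isp-upstream" is the default.
    """
    ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in route_table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


# Assumed route tables for Router 1 in the answer's two situations.
ROUTER1_WITHOUT_STATIC_ROUTE = [
    ("0.0.0.0/0", "isp-upstream"),      # default route towards the internet
    ("192.168.100.0/24", "direct"),     # Router 1's own LAN
]
ROUTER1_WITH_STATIC_ROUTE = ROUTER1_WITHOUT_STATIC_ROUTE + [
    ("192.168.90.0/24", "192.168.100.2"),  # 2nd LAN via Router 2's WAN address (assumed)
]


def forwarding_target_reachable(route_table, target: str) -> bool:
    """True if a DNAT target is delivered towards the LAN side.

    A target that only matches the default route is sent back out to the ISP,
    which is what happens when Router 1 forwards straight to 192.168.90.10
    without a route to that subnet.
    """
    return lookup(route_table, target) != "isp-upstream"


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Probe a TCP port from the outside; run this from the external PC."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_local_listener():
    """Self-check of tcp_reachable against a throwaway listener on localhost.

    Returns (reachable while listening, reachable after the listener closed).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, so it cannot clash
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("WAN 100.64.12.7 ->", wan_address_kind("100.64.12.7"))
    for name, table in (("no static route", ROUTER1_WITHOUT_STATIC_ROUTE),
                        ("with static route", ROUTER1_WITH_STATIC_ROUTE)):
        print(name, "forward to 192.168.90.10 ->", lookup(table, "192.168.90.10"))
    print("local probe:", probe_local_listener())
```

The WAN address to feed `wan_address_kind` is the one shown on the ISP router's status page, not the one a "what is my IP" site reports; if the two differ, that is the carrier-grade NAT case from the comment. For step 3 of the checklist, the server-side capture the answer describes is just `tcpdump -ni <iface> 'tcp port 1433'` (or the equivalent Wireshark filter `tcp.port == 1433`), run while `tcp_reachable` is called from the external PC.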
