Router as a DMZ for a modem I have minimal access to

tl;dr is it safe and practical to set a wireless router as a DMZ for my modem as an alternative to individual modem port forwarding?

Due to unfortunate circumstances, the powers that be won’t let me have actual access to the modem in my own home, but I can request changes to it and hope they’re feeling benevolent.
I need to forward ports for hosting game/media servers, and have a spare router. My best idea so far is to network my PC via the router, using it as a DMZ from the modem and manually forwarding ports on the router itself since I have access to that.

Is this smart and workable, or is it a good way to catch internet nasties? My networking knowledge is pretty basic, so any input would be very much appreciated.

You will run into double NAT issues if the ISP Router/Modem is not put into bridge mode before you place another router behind it. If you can not do this from within the GUI, or maybe the modem has no GUI, you might need to contact your ISP to do it.

Once you have the ISP modem in bridge mode and you have the router behind it, you can administer it however you want. Setting the DMZ as an alternative to port forwarding can be a quick and dirty solution, but it does leave the computer behind the DMZ completely exposed to the internet and potentially vulnerable to any internet nasties.

You’d be better off forwarding the ports required through the router for the client(s) needed.

1 Like

Thanks for that, I’ll try to get the modem into bridge mode. I can’t access the GUI as I’m renting via my uni who provide internet under their iron grip, but I’ll try to sweet talk them into bridging.

Does a DMZ leave the client exposed if the router itself has a decent firewall?

Setup an openvpn server at home on port 80 or 443 then use a openvpn client at uni.

DMZ as a phrase gets used to mean different things in different contexts.

“DMZ” setting on your ISP gateway, usually means forward all ports to some local IP.

It doesn’t really matter what this IP is, what matters is that you don’t forward ports to stupid software and then give this stupid software free reign over your data that you care about.

How many firewalls you have to punch a hole through doesn’t really help with security.


Security aside, it sounds like your problem is you don’t have a public ip and/or set of ports you need for your hosting.

As @NZSNIPER mentions you could use one from home - and bring it over through a tunnel (VPN) of some kind; or you could rent an IP - a small cheap VPS somewhere.


A more secure alternative is to rent a VPS/VM and run a game server there… that way the game server software doesn’t have access to your stuff.

1 Like

“Home” at the moment is the uni place I can’t access the modem at, so as I understand it that means no VPN hosting for me.

What I mean RE: firewall is that if I’m letting everything through the modem and connecting via a router with its own security, then opening individual ports on the router, isn’t that the same risk as opening individual ports on the modem anyway? Sure not actually secure, but as secure as I’ve always been when life let me have a little independence.

Pretty much yes, not sure why you’d need your own router then.


The strange part from my perspective is when you say “uni” and “modem” in the same sentence (I’m imagining small racks with a bunch of RJ45 and fiber going out the building). Have you physically seen the devices/equipment that provides you with internet - are you sure you’re asking for the right thing?


[caveats and disclaimers aside, in rough strokes:]

Connecting your computer directly to the internet, is relatively secure these days.
It is the same, or as secure, as connecting your computer to the internet behind a NAT firewall/gateway and then punching a big hole in that firewall using DMZ forwarding to let internet in, while still allowing your computer to go everywhere else on the internet as it pleases.

Replacing DMZ, with UPNP (or nat-pmp - slightly better) is about the same thing security wise.

In terminology used by various IT security courses a DMZ is a firewall setup where you’d take your game server and put it on its own network and isolate it to only allow the minimum of incoming connections required for the service it needs to run. e.g. it doesn’t need to make outgoing connections to the internet, so that’s closed off. The idea is that once there’s an unpatched bug in the game server, the attacker/malware can of course take over the game server, but that’ll be useless to them… Once you notice that’s happened rest of your compute resources are still unharmed, and it’s not like that machine has caused further damage, you’re free to nuke the game server from orbit and restore it from a backup.

If this is something you’re proposing to do, then having a separate firewall that the machine is not allowed to easily access would be useful, as you could use it to prevent game server from going onto the internet, or from being used to spread malware further on your LAN. Is this what you were proposing?

Sorry, I was probably a bit vague - I’m renting “uni accommodation”, as in they flung me off to a rural town for the year and sublet a normal apartment to me and provide utilities. I have physical access to the modem, but no admin access.

By DMZ I mean the router function which I don’t think is technically a DMZ but it’s still a pretty universal setting, my idea being basically to use DMZ as a catch-all to effectively open all ports to the router I control in one go, then open individual ports on the router which is then connected to my PC. That minimises the amount of dealing with the folks not giving me modem GUI access. I could ask them to open every individual port I need as I need them, but that limits me to office hours and a lot of emails and ongoing effort. I know if I used my client PC as a DMZ I’d be yeeting security into the sun, but if the DMZ is a router with full security implementation which then has individually forwarded ports I don’t understand the risk, but I’m a networking noob so could easily be wrong.

Bridging mode as suggested by n3tizen sounds ideal, basically turning the modem/router into just acting as a modem and letting my router do the routing, deconflicting the chain and giving me the access I need with just the one action from whoever has admin access to the modem. The only potential issue I see with this one is that my housemates would have to connect to my router too, which may or may not have security and/or connectivity implications (the modem is about 100 years old and single band though so probably the opposite).

I don’t mean to thread jack here, but I’ve seen people reference Double NAT, and I’ve never really had a problem… In fact I have three routers daisy chained. Modem/Router → Router → Router. I can connect to a VPN across the internet fine (I’ve never hosted one myself though)… my brother is plugged directly into the second router in the chain; he can game fine. I mean having the modem crap out, and waiting for the entire chain to recycle has been a pain but, that’s literally the worst I’ve ever experienced.

AFAIK, this is more for when the issue is when one has a server type instance behind a double NAT then there is a problem. For example: forwarding ports or setting a DMZ on the 2nd NAT in the ISP modem > Router chain, will not actually open the ports to the internet. You would need to administer the same rules in both NATs to achieve the result, and depending on how you handle DHCP it could get really messy, really fast.

Whereas in your example, and again this is AFAIK, a game client can be negotiated via uPNP, but it is not the same situation comparably. If you’re connecting to your VPN from a singular PC - then same as the game client, you are simply connecting a client. Issues would arise more if you have a lot of devices/clients and they all try and connect at the same time, depending on how the routers are configured etc.

Makes sense. I’m actually in the process of reworking everything, so will set-up the “correct way” soon… The two routers beyond the modem exist predominately as wifi points for tablets and phones (with desktops plugged into the ethernet ports on them), so eventually will turn on the AP modes on those, and replace their current positions in the chain with switches. Anyway, I defer back to the OP (again sorry about the threadjacking).