How to open a port to a device when my GLiNet router is behind another router?

Hello there!
I have bought the Flint router recently and (as the ISP doesn’t support IPTV if they place the integrated modem+router into bridge mode), I had to plug my Flint into the ISP’s router.
Now, I have a Nextcloud server running on my Pi, which has only the absolutely necessary ports exposed via the ISP’s router to access the server under normal usage.
However, I want to move the Pi, hosting the Nextcloud server behind my Flint router as well. My Flint router is in Wireguard client mode and AdGuard is set up on it. I wish to open the ports to the Pi, which I want to plug into the Flint router, so I can control that from Flint as well.
I have tried opening the ISP’s relevant ports to the Flint router and opening the very same ports on the Flint router to the Pi, however I could not access it from WAN.
In some programmer groups, I asked about this and they talked about using DMZ and that this can be very tricky and unique depending on my exact setup.
I do not want to make it unnecessarily complicated and if possible, I would like to move my Pi server behind the Flint router. How can I make that happen? I am out of ideas.

Thanks for all the help!

Guess you’re a lucky guy!
I ran into the same issue these days and think I resolved it yesterday…
Have a look there.

Regarding DMZ: You could (ab)use the GuestNet - but AFAIK only if you connect by WiFi to the Guest WiFi - I see no (easy) way to dedicate one of the LAN ports to the guest net.
In case you want an ethernet connection (faster, more stable, less latency) you’ll need to place the Pi in the LAN. In that case it’s IMO a bad idea to use the “DMZ” settings from your Flint, an unnecessary risk. Rather forward the single ports you need.
In case all your IT is behind the Flint you might consider setting up the Flint as DMZ host in your ISP-router so you only have to handle port forwarding at the Flint instead of both.


I am not using a VPN anymore, but the issue persists, does this still apply?

Also, I tried setting up Flint as DMZ, but same result, can only access my servers if I am behind the Telekom router.

Maybe the Telekom router is the problem here?

If I understand what you are trying to do correctly, then you will need to assign your Flint a static IP from your ISP router. You will then need to forward the ports in question from your ISP router to your Flint’s fixed WAN IP assigned by the parent router and finally you will need to open the same ports on your Flint this time pointing them to whichever LAN client is connected to the Flint. Hope this makes sense.

1 Like

Double NAT is unnecessarily complicated.

You’ve written a lot of text, it is hard to follow from an external point of view.
What are the related ports? Did you forward 1:1 or port ranges? Are there overlapping ports?

In my experience the Speedport routers from Telekom are doing some own magic, that is not matching with what is seen in the frontend. I have never tried it, but I can think they will also block double NAT (Router behind Router).
Because I am using it in business, I have the possibility to see a Speedport/Digibox, laugh and replace with something reliable… But also in this case I won’t try to portforward twice (see my first sentence).

1 Like

… but if I wanted to get it to work, I would start with some simple tests.

First set up a small webserver. Any device or VM I can easily move between the networks will do the trick.
Put the Webserver in the ISP router LAN. Set a Portforwarding from port 80 to port 80. Check if you can reach the webserver from the outside. For example with a mobile phone not connected to the WLAN.

If everything is fine, the setup is:
Internet - WAN:80 (ffd) Webserver:80

Then add the Flint and do the same Portforwarding
Internet - WAN:80 (ffd) Flint:80 (ffd) Webserver:80

I do think this won’t work. The question is why. One possibility is the privileged ports (below 1024) are handled differently, sometimes. So you can test:
Internet - WAN:80 (ffd) Flint:8080 (ffd) Webserver:80
Or another entry from the Internet (the URL in this case is http://[your external address]:8080):
Internet - WAN:8080 (ffd) Flint:8080 (ffd) Webserver:80

And to check if the incoming or outgoing traffic is the problem, open a tail -f /var/log/apache2/access.log (or similar for your Webserver) in a terminal.
Of course a tcpdump/wireshark would be better, but could also be a little overwhelming at the beginning.

1 Like
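
The step-by-step test described in the post above, as an added example that is not part of the original thread: a small Python probe to run from the vantage point of each step (inside the Flint LAN, inside the ISP router LAN, then from outside). It separates a refused connection from a silently dropped one, which tells you whether packets reach the next hop at all; the script name `fwdprobe.py` and the addresses in the usage comment are constructed.

```python
import socket
import sys

# What each result says about the forwarding chain up to the probed address.
MEANING = {
    "open": "TCP handshake completed: every forward up to here works",
    "refused": "a reset came back: packets arrive, but no listener or rule",
    "filtered": "no reply before timeout: packets are dropped on the way",
    "error": "local problem (no route, bad address); fix before retesting",
}


def probe(host, port, timeout=3.0):
    """Classify a single TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def check(targets, timeout=3.0):
    """Probe each 'host:port' string in order; return [(target, state)]."""
    results = []
    for target in targets:
        host, _, port = target.rpartition(":")
        results.append((target, probe(host, int(port), timeout)))
    return results


if __name__ == "__main__":
    # Usage: python3 fwdprobe.py 192.168.8.50:80 192.168.1.2:8080
    # (constructed example addresses: webserver, then the Flint's WAN side)
    for target, state in check(sys.argv[1:]):
        print(f"{target:<24} {state:<9} {MEANING[state]}")
```

A "filtered" result on the public address while the Flint's WAN address is "open" from the ISP router LAN points at the first router rather than the Flint.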

I did this exactly, but to no avail, when trying to access the web service outside of the ISP router it will never connect.

1 Like

Have you tried this exact setup with your wireguard client turned off? I have had some issues with WG being on and portforwarding but resolved them by setting port forward from WAN2LAN as well as from WGD2LAN for the same ports on my GL.iNET. I also opened the necessary ports on my Wireguard service (as torguard allows you to do so) but not sure if this extra step was also necessary. In any case, I think that you should try without wireguard client running and see if it would make a difference.

1 Like

As I said, I do not use VPN anymore. I will create a new post with a lot more detail. And link it here. It will clear things up regarding my new setup : )

1 Like

Use zerotier it works great

Thanks for the recommendation but it doesn’t solve my problem at all.

Have you tried putting your GL.iNET in “Drop-in Gateway Mode”? Actually not sure if the Flint supports this mode yet as I have not used mine for some time!

Hi guys!

My internet provider gave me a new router and now double NAT works flawlessly. I am really not sure what could cause this, I think it was the fault of the ISP provided router, maybe it dropped packets instead of routing it to my Flint. It is also possible that both devices together created some situation, where this happened.

The thing I can say for sure now is that the problem was resolved by changing the ISP provided router, so when you are facing this situation with a Flint, suspect the level 1 router in the double NAT.

At this point of time, my Flint is in a DMZ, and I have set up my own NAT rules for devices behind the level 2 NAT.

In retrospect, could you please provide some information on what is that (maybe some links)?

1 Like

Reasonably good documentation here:

I have however not used this mode for a while as it has not been very stable for me and managed to fix a lot (but not all) of my double NATing woes using PPPOE pass-through and DMZ. Still a very nice feature to have at hand when needed.