Two routers, one in a DMZ, public services visible but not to me

I have a 76 Mbps FTTC internet connection with a dynamic IP address.

I have a Netgear WNR2000 router which I've been using for a few years; it connects to the FTTC modem and works well. It has some open ports for a NAS drive that I access from the outside world, and a remote desktop connection to a PC too. I've set the fixed internal IP addresses, service names mapped to port numbers, and the port forwarding - so that all works fine.

My ISP also provides an IP-TV service which only works using a multicast connection, but my Netgear router doesn't support multicast.  They provide their own router (BT HomeHub 4) which does.  Unfortunately, the port forwarding on their router is poor - it either doesn't work, or it works unreliably.

I have been switching between the two routers - keeping the Netgear one connected by default, unless we want to use the IP-TV, in which case we temporarily forego the NAS and RDP services.

I realised that I could have both: I have left the ISP's router connected, with the IPTV box connected to it directly, then connected my Netgear router to the ISP's router, and, on the ISP's router, configured it to put the Netgear router into the DMZ.

This means the IPTV works (via the ISP's router), and all incoming traffic is sent to my Netgear router in the DMZ, which means everything else works too.  From the outside world, everything works fine.  Inside my network, everything works fine too.

However, the hostname of my NAS which works outside is no longer accessible inside.  I use a DynDNS-like service from the NAS manufacturer QNAP.  Using DDNS it gives me a hostname of, say,  The NAS drive updates the hostname every 10 minutes so it always matches the public IP address I have from my ISP.  It is always accessible from the outside world, but I can no longer access it from inside it.

My ISP's router is, and gives IP addresses via DHCP in the range, 66 etc.  The Netgear router used to be as well, when I used one router or the other, but when I connected the two, the Netgear router saw the "internet port" gave it an address of, so it changed its internal network numbering to be to avoid conflicts.

I can access my NAS on, its fixed internal IP address.  I can also access it via from outside, but if I try to get to from inside, it just times out.  If I tracert it resolves to my public IP address, the first hop pings as and then everything times out.

How can I tell my ISP's router at to let traffic from the IP range access the internal stuff?

I guess each router refers to things with different names, so I'm after what's wrong rather than specific step-by-step instructions - if I know what to look for, I'm sure I can find it.

Craig BeckCommented:
The issue you're seeing is with something called hairpin-NAT.  The BT router (and a lot of others) simply doesn't support it.

Really you could do with an internal DNS server.  This would allow you to map the hostname to its internal IP address.  Your laptop would use the internal DNS server when connected to the local network, and receive the internal IP address of the NAS when at home.

When you go out and about you'd use the public internet DNS servers, which would return the DDNS IP address of the NAS.

There is an easy-ish solution to this though.  The Netgear router can use custom firmware called DD-WRT which includes DNS server features.  This would let you do exactly what I mentioned above.  It's not for the not-so-technical people as it can break your router unless you do it properly, but it'll do exactly what you want.

RedLondonAuthor Commented:
Great - thank you.  Good to know I'm not going mad.

I have two identical Netgear routers, one as a spare in case the live one dies: I will experiment with DD-WRT and read up on hairpin NAT.
So you can access the from outside; that means DDNS is working fine for your Synology. But you can't access it from inside, which means your internal workstation is not allowed to access the LAN services using the WAN IP. That definitely has something to do with the NAT filtering option in your Netgear WNR2000, which might be set to secured and filtering the loopback access. Please try this:

Logon to the Netgear WNR2000
go to Advanced Tab -> Setup ->
WAN Setup -> Check "Disable SPI"
Also change NAT filtering from SECURED to OPEN.

Craig BeckCommented:
@Miftaul - that won't work when the Netgear router is connected to the BT router.

The OP needs to use the BT router as the internet-facing router in order to allow BT's multicast service to work.
Justin Ellenbecker, IT Director, Commented:
What I would do is just put up a small DNS server inside your network. You could always modify the hosts file as well. Create a static entry in the internal DNS server for the address and point it to your internal IP. This will not affect external traffic from a different location but will allow you access using the external FQDN. This practice is done a lot when Active Directory is involved. A lot of services have certificates and require you to come in using the external FQDN, but hitting them from the inside is always easier and faster when you don't have to go all the way to the edge to come back to your internal equipment. I am not sure if the WNR2000 will run anything like DD-WRT, which would allow you a little more control and possibly not need an internal DNS server. Set up the internal DNS server to forward all requests wherever you would like and then just create a single forward lookup zone for your NAS, and that should resolve the issue.
A static entry in the hosts file might create other problems, like when using the same FQDN to access the Synology from outside: it will fail.

Synology has a DNS server that can be configured, as far as I remember. Will that work in this scenario?
Justin Ellenbecker, IT Director, Commented:
A static entry would fail on something like a laptop if you took that off-site. Yes if the Synology has a DNS server you should be able to use that. Change your WNR settings to hand out the Synology as the DNS server. You will want to make sure that the forwarding domain does not use the base zone since that may break the devices ability to update via their DDNS service.
Craig BeckCommented:
Modifying the hosts file WILL cause an issue when you're connected to either the LAN or the Internet, depending on what entry you add to the file. Don't do that.

If you don't know what you're doing with Linux I'd not want to install a DNS server on the NAS (if that's what it's running).

I really would just install DD-WRT on the router, configure the DNS server in it, and leave all other devices as they are - especially a NAS if it's got lots of data on it.  It's simpler.
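The approach the answers above converge on is an internal DNS server that answers the NAS's public DDNS name with its LAN address and forwards everything else upstream (what dnsmasq on DD-WRT does with an `address=/name/ip` line, or a single forward lookup zone on a Windows DNS server). The following is an added example, not code from the thread or from any of the products named in it: a minimal split-horizon responder in Python's standard library that parses a DNS query off the wire, answers the overridden name itself, and returns None for anything it should forward. The hostname `mynas.example.com` and the LAN address `192.168.0.10` are assumptions, since the real DDNS name and NAS address are not on the page.

```python
"""Split-horizon DNS override (added example, not from the original thread).

Models what a LAN DNS server does with an `address=/<hostname>/<lan-ip>`
entry: queries for the NAS's public DDNS name get the LAN address, every
other query is left for the upstream (ISP or public) resolver.
"""
import struct

# Assumed values for illustration; the real DDNS name and NAS address are
# not on the page. A roaming laptop keeps working because the override lives
# on the LAN DNS server, not in the client's hosts file.
OVERRIDES = {
    "mynas.example.com": "192.168.0.10",
}

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed name at offset; return (lowercased name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query, as a client on the LAN would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, qclass, raw question section) from a query."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, qclass, packet[12:off + 4]


def answer(packet: bytes):
    """Return a response packet if the name is overridden, else None (forward upstream)."""
    txid, qname, qtype, qclass, question = parse_question(packet)
    if qtype != QTYPE_A or qclass != QCLASS_IN or qname not in OVERRIDES:
        return None  # not ours: hand the query to the upstream resolver
    # Flags 0x8180: response, recursion desired and available, NOERROR; 1 answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in OVERRIDES[qname].split("."))
    # Answer RR: pointer to the question name (0xC00C), type A, class IN,
    # TTL 60 s, rdlength 4, then the LAN IPv4 address.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + rdata
    return header + question + rr


def resolved_ip(packet: bytes):
    """LAN address the responder would hand back for this query, or None."""
    resp = answer(packet)
    if resp is None:
        return None
    return ".".join(str(b) for b in resp[-4:])


if __name__ == "__main__":
    print("NAS name from LAN ->", resolved_ip(build_query("mynas.example.com")))
    print("other name        ->", answer(build_query("www.example.org")))
```

Only the overridden name is answered locally; every other query returns None and would be forwarded unchanged, so the NAS's own DDNS client still reaches the manufacturer's update service. Keeping the override to the single NAS hostname rather than the whole DDNS domain is the point Justin makes about not taking over the base zone.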
RedLondonAuthor Commented:
Sorry folks - I thought that I had accepted craigbeck's original reply as an answer when I posted my message earlier.

The NAS is a QNAP device, not Synology, and while it does run Linux and I'm sure could serve as a DNS server, it's an important NAS device so I need to keep it as near stock setup as possible to allow for changing it should anything fail.

Using DD-WRT sounds like a perfect plan. I tried it on the spare Netgear router and bricked it - most links on the DD-WRT website about the Netgear router went to a dead page, so I downloaded the 'right' file and installed it via the web interface anyway... and killed it. A little more reading showed why, and gives notes on how to recover from a bricked router - but the more I read about my 'trusty' Netgear router, the more I see it's a bit of a bugger to flash.

For the challenge and the not wanting to be beaten, I'll probably come back to it another time - but right now common sense says to give in and buy another router.  The cost of time outweighs the cost of a router - and while I'm getting a new router, I might as well get one that supports BT's implementation of multicast for IPTV and cut out the need for two routers.
Craig BeckCommented:
Sounds like a sound plan!

If you need any help with the BT setup once you have a new router, just post a new question and I'll see if I can help - I'm UK based and have BT's Infinity and Vision+ service myself :-)