Using DMZ to Circumvent Double NAT

Continuing the discussion from Bell Canada: Bell HH3000 aka Bell Hub 3000 Doesn't Offer Bridge Mode [See Staff Post for Workaround]:

After switching to Sky Broadband, I discovered that I couldn’t use my modem and router, so I now use the stock ISP router with Wi-Fi disabled.

Having seen @ipeverywhere’s post above, I was wondering if this is a viable solution for my router, i.e., place my router in the DMZ?

Martin, yes it’s an option. I had to do this on my AT&T Fiber network using their mandatory gateway/router during earlier builds of ARC, and I placed my ASUS router (therefore the double-NAT issue) in the AT&T gateway’s DMZ. It worked, but exposed my ASUS router basically to the internet, bypassing some decent AT&T security capabilities.

After some additional pre-release builds of ARC, I was able to create a port forwarding rule on both my AT&T gateway and my ASUS router, thereby limiting my exposure to the open port on both devices.


Just a quick note here to avoid any confusion since DMZ is a term being thrown about with seemingly incomplete knowledge of what it does.

We (Roon) STRONGLY discourage the use of a router’s DMZ function to point to a Roon core, thereby making port forwarding setup much easier. This is fraught with security risks.

The case of using this function to point at another router/firewall has some real merit in addressing these situations where you have to use the ISP’s hardware, but need to put a more user-friendly device behind it for the sake of usability. In these cases the downstream firewall (the DMZ target) becomes responsible for securing your network and there’s nothing wrong with that as long as its properly configured. This is vastly more secure than pointing all inbound network traffic to some random computer.

Now back to your existing tinkering session, already in progress.


I used to use a Draytek Vigor modem with a Cisco RV320, but replaced the RV with a TP-LInk Omada ER-605 because updates cease this year. Both routers should do a better job than the Sky router, and it means I get around Option 61 authentication. I’d prefer my choice of router and firewall.