Disable router DMZ, replace with explicit Virtual Server forwards #109

Open
opened 2026-05-24 21:45:48 +00:00 by coilysiren · 0 comments

Problem
The TP-Link Archer A20 (kai home router) has DMZ enabled pointing at 192.168.0.194 (kai-server). Every WAN port not already claimed by a Virtual Server rule forwards straight to kai-server. kai-server has no local firewall (ufw/nftables) in place, so anything listening on kai-server is reachable from the public internet. That includes SSH (22), k3s API (6443), kubelet (10250), and any dev server bound to a high port.

Current Virtual Server entries (intentional public exposure):

  • 3000-3003 - Eco
  • 34197 - Factorio

Missing forwards (currently working only because DMZ catches them):

  • 80 TCP - Traefik (eco-jobs-tracker.coilysiren.me, eco-mcp.coilysiren.me)
  • 443 TCP - Traefik (same)

Plan

  1. SSH into kai-server, run ss -tlnp and ss -ulnp to inventory all listening ports.
  2. For each port that should be publicly reachable, add an explicit Virtual Server entry in the router (192.168.0.1 -> Advanced -> NAT Forwarding -> Virtual Servers).
  3. At minimum: add 80/TCP and 443/TCP for Traefik.
  4. Disable DMZ (Advanced -> NAT Forwarding -> DMZ -> uncheck Enable, Save).
  5. Verify from off-network: Eco (3000-3003), Factorio (34197), eco-jobs-tracker.coilysiren.me, eco-mcp.coilysiren.me. Confirm SSH on 22 is now refused.

Origin
Surfaced 2026-05-24 while prepping the TP-Link Archer A20 firmware upgrade 1.1.1 -> 1.2.1. DMZ + no-local-firewall combo noticed when reviewing the NAT Forwarding -> DMZ screenshot. Not blocking the firmware upgrade itself.
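Step 1 of the plan (inventory the listeners, then decide which ones get an explicit forward) is easier to act on if the `ss` output is diffed against the Virtual Server allowlist automatically. The script below is an added example, not code from the issue or from the coilyco-flight-deck repository. The allowlist mirrors the ports the issue names (Eco 3000-3003, Factorio 34197, Traefik 80/443); the `ss` lines are constructed sample data, and the process names, PIDs and the 6379/8080 listeners in them are assumptions made so the script runs offline. On kai-server itself you would feed it `ss -tlnpH` and `ss -ulnpH` output instead.

```shell
#!/bin/sh
# Added example, not part of the issue: audit kai-server's listening sockets
# against the router's explicit Virtual Server allowlist. While DMZ is
# enabled, every non-loopback listener missing from the allowlist is
# reachable from the WAN. The ss lines below are CONSTRUCTED sample data
# (process names, PIDs and the 6379/8080 listeners are assumptions) so the
# script runs offline; on the real host feed it live output instead:
#   audit_listeners tcp "$ALLOWED_TCP" "$(ss -tlnpH)"
#   audit_listeners udp "$ALLOWED_UDP" "$(ss -ulnpH)"

# Intentionally public ports as listed in the issue: Eco 3000-3003,
# Factorio 34197, plus the 80/443 Traefik forwards the plan adds.
ALLOWED_TCP="80 443 3000 3001 3002 3003 34197"
ALLOWED_UDP="34197"

SAMPLE_TCP='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 4096 *:6443 *:* users:(("k3s-server",pid=1203,fd=15))
LISTEN 0 4096 *:10250 *:* users:(("k3s-server",pid=1203,fd=22))
LISTEN 0 4096 *:80 *:* users:(("traefik",pid=2450,fd=9))
LISTEN 0 4096 *:443 *:* users:(("traefik",pid=2450,fd=10))
LISTEN 0 128 127.0.0.1:6379 127.0.0.1:* users:(("redis-server",pid=990,fd=6))
LISTEN 0 4096 *:3000 *:* users:(("EcoServer",pid=3100,fd=20))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("node",pid=4201,fd=18))'
SAMPLE_UDP='UNCONN 0 0 0.0.0.0:34197 0.0.0.0:* users:(("factorio",pid=3300,fd=12))
UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=600,fd=6))'

# is_allowed PORT "PORT PORT ..." -> 0 if PORT is in the list, 1 otherwise
is_allowed() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# audit_listeners PROTO ALLOWED SS_OUTPUT
# Reads `ss -lnpH`-style lines and prints "PORT/PROTO ADDR PROCESS" for every
# socket bound to a non-loopback address whose port is not in ALLOWED.
audit_listeners() {
    printf '%s\n' "$3" | while read -r _state _rq _sq laddr _peer proc; do
        [ -z "$laddr" ] && continue
        port=${laddr##*:}   # text after the last colon (works for [::]:22 too)
        addr=${laddr%:*}    # everything before it
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback only: the DMZ cannot reach it
        esac
        is_allowed "$port" "$2" || printf '%s/%s %s %s\n' "$port" "$1" "$addr" "$proc"
    done
}

# exposed_count TCP_OUTPUT UDP_OUTPUT -> number of listeners the DMZ exposes
# beyond the allowlist. Before DMZ is disabled this is the list of ports to
# close, firewall or forward deliberately; afterwards it should not matter.
exposed_count() {
    {
        audit_listeners tcp "$ALLOWED_TCP" "$1"
        audit_listeners udp "$ALLOWED_UDP" "$2"
    } | wc -l | tr -d ' '
}

echo "== listeners reachable through the DMZ but absent from Virtual Servers =="
audit_listeners tcp "$ALLOWED_TCP" "$SAMPLE_TCP"
audit_listeners udp "$ALLOWED_UDP" "$SAMPLE_UDP"
echo "total: $(exposed_count "$SAMPLE_TCP" "$SAMPLE_UDP")"
```

On the sample data the report lists 22, 6443, 10250 and 8080 over TCP and 68 over UDP; the Redis socket on 127.0.0.1 is skipped because a DMZ forward only reaches addresses the host actually binds externally. For the off-network verification in step 5, a probe such as `nc -vz -w 5 <WAN address> 22` should fail once DMZ is off; note that a consumer router normally drops unsolicited WAN packets rather than answering with a reset, so expect a timeout rather than an immediate "connection refused". The same allowlist is also the natural input for a host firewall on kai-server, should one be added as defence in depth behind the router.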

coilysiren added P2 and removed P1 labels 2026-05-31 07:00:40 +00:00
Reference
coilyco-flight-deck/infrastructure#109