Forwarding a connection to a device with the DMZ function

Use the DMZ function to forward incoming connections to a specific device

The Internet-Box DMZ (Demilitarized Zone) function is used to forward all incoming Internet connections from outside the home network to a specific device. This is mainly required if you wish to use an additional firewall in your home network and all computers are connected to this firewall. This function is only recommended for network experts. Read on to find out how to activate this service and what you need to bear in mind.

The Internet-Box offers personal expert settings for network and IP addresses. To make changes to these settings, enter “http://internetbox.home” or “192.168.1.1” in your browser and log in with your Internet-Box “admin” password and activate expert mode. You can set up the function on your home network by choosing “Select device” under Network -> Settings -> DMZ. The devices in question need to be configured correctly to use the DMZ function and expert knowledge is required.

Caution: Regrettably, this also exposes your selected device to fraudulent access attempts. Swisscom accepts no liability for misuse by third parties.

The other expert settings that can be defined on the Internet-Box are port forwarding, static IP addresses, DynDNS and IPv6.

Do you have any questions, or would you like to share your opinion? We welcome any comments.

a year later

For the DMZ function, you need a public IPv4 address for your individual connection, which is no longer assigned as standard for many Swisscom connections due to the global shortage.

So you have to call support and request that “CGNAT” be deactivated on your connection.

If first-level support does not feel responsible or is not competent enough, you have to get connected to myService and then point out to myService that you assume that the release of a dynamic public IP address for your connection really is free of charge.


Hobby nerd with no financial ties to Swisscom

a month later

The term DMZ is absolutely wrong. Swisscom does not offer a demilitarized zone but rather access to a computer on your own LAN. For a real DMZ you have to take care of it yourself. I find it embarrassing that an ISP provider offers something like that.


@Tux0ne (one of the customers with the best network knowledge here) wrote in the forum a long time ago: "The DMZ function on the Internet Box is not a DMZ, but simply the forwarding of all ports not needed by the Internet Box itself to an internal IP. You can then connect a router/firewall to this to generate your own DMZ." So you and everyone else who cannot understand Swisscom’s interpretation of the term DMZ in the private customer sector are certainly not alone. Whether you find this embarrassing or not is probably a question of your personal know-how about DMZ in the professional sector. In the Swisscom business area (e.g. with the CB2 router), the term is used in the same way that LAN administrators are used to.


Hobby nerd with no financial ties to Swisscom

a year later

There don’t seem to be any actual instructions for DMZ anywhere. The above article is only a superficial description of the intended use, with the note that expert knowledge would then be required to actually use the DMZ. That’s good and right, but where can the expert find out the actual technical details in order to actually operate the DMZ? Should you try to figure out how to do it through trial and error? Why not offer a small PDF of how to do this for the Centro Business Router? Unfortunately there are no instructions for the DMZ there either.


@Andreas F

There’s actually nothing to describe, because DMZ on an Internet box is nothing more than the bundled forwarding of ports to a downstream device.

So if you know what port forwarding is and when it makes sense to use it, you actually already know everything.


Hobby nerd with no financial ties to Swisscom

Thanks. Of course that’s true and I already understood that much. But what I also want to know is what consequences this has.

(i) For example, it is not clear to me what happens to port 80 when I turn on the DMZ. For example, do Swisscom employees still have access to the IB via port 80 on the WAN or not? Important if you want to put a web server in the DMZ (my case).

(ii) What happens to port forwarding in general? Will this be switched off or can it still be used, for example to redirect certain ports to servers other than the one that is in the DMZ (I still have FileMaker Servers and possibly Music Servers on the LAN)?

(iii) What about DynDNS? Is it switched off in DMZ mode or not? Because DMZ descriptions/instructions at Swisscom only seem to exist for static IPs. But I want to be able to use DynDNS.

(iv) What about a public IP#, because I think I have understood that the IP numbers assigned by Swisscom via DHCP are only public in certain modes. Does DMZ mode play a role here or not?

(v) Finally, what about security and firewalls if I put a server in the DMZ?

I’m sorry, but I need to have all of these questions answered in order to decide whether I want to put a server (or several) in the DMZ or not. That’s what I expect from instructions, since after all DMZ mode is offered for all IBs, not just for Business Centro boxes.

I would be happy to receive any suggestions as to possible answers or perhaps even answers to these questions. Thanks.

6 months later

@Andreas F

to (i): Port 80 is forwarded to the device in the DMZ if no port 80 forwarding is otherwise defined. A decision must then be made in the DMZ as to what happens with this request.

to (ii): no, it will not be switched off, but will continue to function as usual.

to (iii): exactly the same as usual: with DynDNS you either get to the Internet box (with the corresponding port information, which is then forwarded via port forwarding to a correspondingly set-up device. This device preferably has a fixed IP, otherwise the port forwarding will at some point lead nowhere), or to the DMZ if no port forwarding is set up on the Internet box. Whatever happens on the device in the DMZ, you then have to set it up there again.

to (iv): of course, you can basically only access your router from the outside (with DynDNS) if you are not in “cgnat”. Access to a device in the DMZ from outside also requires a public IP address. Calling the hotline should* be enough to get a public IP (* there are experiences that they can’t do this and want to forward you to paid support. It should then be quick, and at no cost 😉 )

to (v): that is then the responsibility of the person who puts a device in the DMZ. Basically everything is open there. Typically, the IP in the DMZ points to a router with a firewall, or to a firewall with a router function (depending on how you define it 😉), and only after that do other devices come.

These are my experiences with these questions. Additions and corrections are of course welcome!
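The behaviour described in the answers above (an explicit port forward wins, everything else lands on the DMZ host, and nothing is reachable behind CGNAT) can be modelled to list which services a DMZ host really exposes. This is an added example, not part of the thread and not Swisscom code; the host addresses, port lists and the precedence of the router's own ports are constructed assumptions.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wan_reachable(wan_ip):
    """True if the router's WAN address can receive unsolicited inbound
    traffic, i.e. it is neither carrier-grade NAT space nor private."""
    addr = ipaddress.ip_address(wan_ip)
    return addr not in CGNAT and not any(addr in n for n in RFC1918)


def resolve_inbound(port, forwards, dmz_host, box_ports=frozenset()):
    """Internal target for a new inbound connection on `port`.
    Precedence modelled on the answers in this thread (an assumption, not
    vendor documentation): explicit forward, then the router's own
    services, then the DMZ host as catch-all."""
    if port in forwards:
        return forwards[port]
    if port in box_ports:
        return "router"
    return dmz_host  # None when no DMZ host is selected: nothing forwarded


def exposed_services(wan_ip, listening, forwards, dmz_host,
                     box_ports=frozenset()):
    """Sorted (port, host) pairs reachable from the Internet.
    `listening` maps each LAN host to the set of ports it listens on."""
    if not wan_reachable(wan_ip):
        return []
    exposed = set()
    for host, ports in listening.items():
        for port in ports:
            if resolve_inbound(port, forwards, dmz_host, box_ports) == host:
                exposed.add((port, host))
    return sorted(exposed)


# Constructed sample: a web server as DMZ host plus one explicit forward.
LISTENING = {
    "192.168.1.10": {22, 80, 443, 5432},  # DMZ host: SSH, web, database
    "192.168.1.20": {5003, 445},          # second server, one port forwarded
}
FORWARDS = {5003: "192.168.1.20"}

if __name__ == "__main__":
    # 100.72.14.5 is CGNAT space; 198.51.100.23 stands in for a public IP.
    for wan in ("100.72.14.5", "198.51.100.23"):
        print(wan, exposed_services(wan, LISTENING, FORWARDS, "192.168.1.10"))
```

With the sample data, the DMZ host's SSH and database ports are exposed alongside the web ports, which is why a default-deny firewall on that device is needed.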


@kaetho: Thank you very much for these precise and very, very helpful answers to my questions. Super! Now others like me could only hope that this information would also find its way into Swisscom’s documents.

2 years later

Good morning,

Small question, does the Swisscom DMZ function allow you to avoid double NAT? I wanted to switch my swisscom box 3 to Bridge mode but this is not possible.

Can using the DMZ function be an equivalent?

Thank you in advance and have a good evening


@Mïsterfreeze

For the DMZ function, you need a public IPv4 address of your individual connection, which is no longer assigned by default on many Swisscom connections due to the global shortage.

Call support and request that “CGNAT” be deactivated on the connection used:

Private customers: contact by hotline, chat, message | Swisscom

Tel. (free) 0800 800 800

If first level support does not feel competent or is not competent enough, contact My Service and then indicate to My Service that it is assumed that the release of a dynamic public IP address for the connection used is truly free:

Swisscom My Service–computer & smartphone assistance | Swisscom

Additional information:

There is actually nothing to describe, because DMZ on an Internet box is nothing more than packet forwarding of ports to a downstream device. If we know what port forwarding is and when it makes sense to use it, we already know everything.

The DMZ function of the Internet Box is not a DMZ, but simply the redirection of all ports not used by the Internet Box itself to an internal IP. You can then connect a router / firewall to generate a DMZ yourself. Therefore, those who find it difficult to understand Swisscom's interpretation of the term DMZ in the area of private clients are certainly not the only ones. Whether one finds it annoying or not, it’s probably a matter of personal know-how when it comes to DMZ in the professional field. In the professional field of Swisscom (e.g. for the CB2 router), the term is also used in the same way as local network administrators are used to it.

Port 80 is redirected to the device in the DMZ if no other port 80 forwarding is set. It is then necessary to decide in the DMZ what happens to this request.

With DynDNS, one accesses either the Internet Box (with the corresponding port specification, which is then transmitted by port forwarding to a correspondingly configured terminal. This terminal preferably has a fixed IP, otherwise port forwarding does not work at a given time), or the DMZ, if no port forwarding is configured on the Internet Box. What happens on the device in the DMZ must then be configured there.

You can in principle access your router from the outside (with DynDNS) only if you are not in the “CGNAT”. Even external access to a device in the DMZ requires a public IP address. A call to the Swisscom Hotline should be enough to get a public IP (there are experiences where they cannot do this and want to redirect the request to paid support. There it must be fast and free).

Place a device in the DMZ: in principle, everything is open. Typically, the IP in the DMZ points again to a router with firewall or to a firewall with router function (depending on how you define it), and only then do other devices come.


“Sometimes you learn more from a defeat than from a victory” — José Raúl Capablanca
