Fix a DMZ that will not work
We'll verify the DMZ host IP, rule out firewall and double NAT, then get inbound traffic to the device or point you to a port forward.
What you'll need
- Access to the router (to set DMZ host)
- Access to the device (to check IP, firewall)
Step-by-step diagnostic
Quick triage — pick your path
Quick triage — pick your path
Choose the option that matches what you see. You can jump straight to that section.
- Follow this guide Work through the full procedure from DMZ IP to fix.
- Verify DMZ host IP You want to confirm the DMZ points to the right device.
- Check device firewall The DMZ IP is correct but traffic does not reach the device.
- Port forward instead DMZ will not work and you want to use a port forward.
- When to call support Config is correct but DMZ still fails.
Show full guide
Steps
Goal: Verify the DMZ host IP, rule out firewall and double NAT, then get inbound traffic to the device.
- Confirm the DMZ host IP matches the device and the device has a fixed IP.
- Ensure the device is on the router LAN (same subnet).
- Check the device firewall allows inbound traffic.
- Good: Traffic reaches the device. Bad: Still fails—use a port forward or call support.
Verify DMZ host IP
Goal: Confirm the DMZ points to the right device.
- In the router, open DMZ or DMZ Host. The IP must match the device. The device must have a static IP or DHCP reservation.
- Good: IP correct and fixed. Bad: Wrong or changing—fix the device IP and DMZ setting.
Check device firewall
Goal: Ensure the device accepts inbound traffic.
- The router forwards to the DMZ host, but the host firewall can block. Add inbound rules for the ports you need.
- Good: Firewall allows traffic. Bad: Blocking—add rules.
Port forward instead
Goal: Use a port forward when DMZ fails.
- DMZ exposes the whole device. A port forward opens only the ports you need and is often more reliable. See fix-port-forward-will-not-work.
- Good: Port forward works. Bad: Still fails—check double NAT or call support.
When to get help
Call the router manufacturer if:
- The DMZ host IP is correct, the device has a fixed IP, the firewall allows traffic, and inbound traffic still does not reach the device.
- The router may have a DMZ bug; a port forward may work instead.
Verification
- Inbound traffic reaches the device (e.g. canyouseeme.org shows the port open, game connects).
- The app or game works from outside the network.
- No firewall or router errors.
Escalation ladder
Work from the device outward. Stop when the problem is fixed.
- Verify DMZ IP Confirm DMZ host IP matches the device; device has fixed IP.
- Device firewall Allow inbound traffic on the device.
- Restart and double NAT Restart router; check for double NAT.
- Port forward Use port forward instead of DMZ.
- Call support Router manufacturer if DMZ still fails.
What to capture if you need help
Before calling support or posting for help, have these ready. It speeds everything up.
- Router model
- DMZ host IP configured
- Device IP and whether it is fixed
- Whether the device is on the router LAN
- Device firewall settings
- Steps already tried
Is the DMZ host IP correct?
The DMZ must point to the device that should receive inbound traffic.
In the router, check the DMZ host IP. It must match the device. The device must have a fixed IP (static or DHCP reservation). Good: IP correct. Bad: wrong—fix it.
You can change your answer later.
Fix DMZ host IP
Set the DMZ host IP to the device. Ensure the device has a static IP or DHCP reservation. Restart the router.
Does the device firewall allow inbound traffic?
The host firewall can block traffic even when DMZ forwards it.
On the DMZ host, add inbound firewall rules for the ports you need, or temporarily disable the firewall to test. Good: firewall allows. Bad: blocking—add rules.
You can change your answer later.
Fix firewall
Add inbound rules for the required ports. Restart the app. Test from outside.
Restart router and test
Some routers need a restart to apply DMZ.
Power-cycle the router. Test from outside the network (phone on cellular or canyouseeme.org). Good: traffic reaches the device. Bad: still fails—check double NAT or use port forward.
You can change your answer later.
Use port forward instead
DMZ may not work on this router. Add a port forward for the specific port. See fix-port-forward-will-not-work.
DMZ works
Inbound traffic reaches the DMZ host. The app or game should work.
Reviewed by Blackbox Atlas
Frequently asked questions
- What is a DMZ and why would it not work?
- A DMZ host is a router setting that forwards all inbound traffic to one device. It may not work if the DMZ IP is wrong, the device IP changed, the device firewall blocks traffic, or there is double NAT. The DMZ host must have a fixed IP.
- Is DMZ safe?
- DMZ exposes the entire device to the internet. Any open port on that device is reachable. Use DMZ only for a device you trust (e.g. a game console or dedicated server). Prefer a port forward for specific ports when possible.
- Should I use DMZ or port forward?
- Port forward is safer—you open only the ports you need. Use DMZ when an app needs many ports or UPnP fails and you do not want to configure each port. For a single game or service, port forward is usually better.
Rate this guide
Was this helpful?
Thanks for your feedback.