Hi there, I recently went through the Unifi world, to get a bit more controls and stats on several things and due to house upgarde. Since Sunrise doesn't provide a "bridge mode", after looking a bit on the forum, I found some advice to use the DMZ. I now have finished to setup everything, but I'm struggling to access some services I configured to be accessible from internet. My configuration is the following: * Sunrise Internet Box Fiber: 192.168.1.1 * Unifi Cloud Gateway WAN IP: 192.168.1.2 * Unifi Cloud Gateway LAN IP: 192.168.0.1 * My device: 192.168.0.30 On the sunrise internet box I did: * Set the DMZ to 192.168.1.2 * Disabled all my port forwarding * Disable the sunrise firewall But when I'm trying to reach my service on the port 443(SSL) I get no response. What I've checked: * If I set directly hostname(C:\\Windows\\System32\\drivers\\etc\\hosts) to match my local IP: it works (so my local device is properly listening) * The IP I'm trying to reach still points to my home IP * If I add a port forwarding on sunrise router(443 --> 192.168.1.2) it works(so it's probably not the UCG that is misconfigured) I taught that the device set as DMZ should directly receive any un-forwarded port, but it doesn't seems to be the case? Did I misunderstood something? Thanks for the help.

@"nargzul"#p304832 I'm not a prof in IP related questions. But AI tells me: This is expected behavior. Port **443 (HTTPS)** is used by the router itself for its **management interface**. Traffic to ports that are used by the router (like 443 for HTTPS or 80 for HTTP) is **handled locally by the router and never forwarded**, even if a DMZ host is configured. The DMZ only receives **traffic that is not already claimed by the router**. More detailed explanation Even though the user manual states that “all traffic without a rule is forwarded to the DMZ host”, there are **important exceptions**: ### 1. Router management ports always have priority Most routers reserve certain ports for their own services, especially: * **TCP 443** → HTTPS admin interface * **TCP 80** → HTTP admin interface Incoming traffic to these ports is **terminated by the router itself**, before NAT or DMZ forwarding is applied. ### 2. DMZ ≠ “forward absolutely everything” A DMZ is effectively a **catch‑all NAT rule**, but only for: * ports **not used by the router** * traffic **not explicitly blocked** * traffic **not reserved for management or system services** So the DMZ rule does **not override**: * the router’s own web UI * management, VPN, TR‑069, or diagnostic services ### 3. This is a security design choice Allowing DMZ to override port 443 would expose the router’s admin interface to the internet or make it unreachable for management — which is why vendors block this by design. Greetings Daniele

@"nargzul"#p304944 I can't tell you whether the port can be changed. [Here ](https://a.storyblok.com/f/113473/x/5d30a0460c/sunrise_home_user_manual_sunrise_internet_box_new_firmware_e.pdf)you will find the user manual for your modem with all the information you need. Greetings Daniele

@"Daniele_Sunrise"#p305020 Thanks for the help, I'm more looking about how to disable it. According to the user manual you provided, I should be able to disable the remote access: [upl-image-preview uuid=4ceb946e-389b-4d7c-89cb-555233b89517 url=https://community.sunrise.ch/assets/files/2026-03-11/1773252517-122356-2026-03-11-19-05-30.png alt={TEXT?}] Which would be ideal, but the "Access Control" or "Remote Access" menu are nowhere to be found., it doesn't seem to be the same UI. At one place I found the Parent control/port forwarding/firewall/Dmz listed on this image, but there is no Remote access next to it. Any chance you could find where this option is gone?

DMZ & redirections

nargzul

Hi there,

I recently went through the Unifi world, to get a bit more controls and stats on several things and due to house upgarde.

Since Sunrise doesn’t provide a “bridge mode”, after looking a bit on the forum, I found some advice to use the DMZ.

I now have finished to setup everything, but I’m struggling to access some services I configured to be accessible from internet.

My configuration is the following:

Sunrise Internet Box Fiber: 192.168.1.1
Unifi Cloud Gateway WAN IP: 192.168.1.2
Unifi Cloud Gateway LAN IP: 192.168.0.1
My device: 192.168.0.30

On the sunrise internet box I did:

Set the DMZ to 192.168.1.2
Disabled all my port forwarding
Disable the sunrise firewall

But when I’m trying to reach my service on the port 443(SSL) I get no response.

What I’ve checked:

If I set directly hostname(C:\Windows\System32\drivers\etc\hosts) to match my local IP: it works (so my local device is properly listening)
The IP I’m trying to reach still points to my home IP
If I add a port forwarding on sunrise router(443 –> 192.168.1.2) it works(so it’s probably not the UCG that is misconfigured)

I taught that the device set as DMZ should directly receive any un-forwarded port, but it doesn’t seems to be the case? Did I misunderstood something?

Thanks for the help.

Daniele_Sunrise

nargzul We have just switched your modem to IPv4 and No CGNAT, which should be completed in a few minutes. Could you please test it again afterwards? Your modem should have restarted by the time you test it.

Greetings
Daniele

nargzul

Daniele_Sunrise

Thanks for the change. I now have a different (weird) behavior.

When I’m accessing to my IP on port 443(HTTPS),im getting the router login interface. Why? According to the user manual, all traffic without a rule should be redirected to the dmz host?

Daniele_Sunrise

nargzul I’m not a prof in IP related questions. But AI tells me:

This is expected behavior.

Port 443 (HTTPS) is used by the router itself for its management interface.
Traffic to ports that are used by the router (like 443 for HTTPS or 80 for HTTP) is handled locally by the router and never forwarded, even if a DMZ host is configured.

The DMZ only receives traffic that is not already claimed by the router.

More detailed explanation

Even though the user manual states that “all traffic without a rule is forwarded to the DMZ host”, there are important exceptions:

1. Router management ports always have priority

Most routers reserve certain ports for their own services, especially:

TCP 443 → HTTPS admin interface
TCP 80 → HTTP admin interface

Incoming traffic to these ports is terminated by the router itself, before NAT or DMZ forwarding is applied.

2. DMZ ≠ “forward absolutely everything”

A DMZ is effectively a catch‑all NAT rule, but only for:

ports not used by the router
traffic not explicitly blocked
traffic not reserved for management or system services

So the DMZ rule does not override:

the router’s own web UI
management, VPN, TR‑069, or diagnostic services

3. This is a security design choice

Allowing DMZ to override port 443 would expose the router’s admin interface to the internet or make it unreachable for management — which is why vendors block this by design.

Greetings
Daniele

nargzul

I thing the IA is mixing things up.

The router URL should be available through port 443 from its lan side.

In my case, if I add a manual port forward to my router, it works. But normally the DMZ is already supposed to forward everything to the DMZ endpoint.

Is there somewhere on the sunrise router where I can disable the wan for the router admin? I guess this would stop using the port 443 and therefore redirect it to my dmz?

Daniele_Sunrise

nargzul I can’t tell you whether the port can be changed. Here you will find the user manual for your modem with all the information you need.

Greetings
Daniele

nargzul

Daniele_Sunrise Thanks for the help, I’m more looking about how to disable it.

According to the user manual you provided, I should be able to disable the remote access:

Which would be ideal, but the “Access Control” or “Remote Access” menu are nowhere to be found., it doesn’t seem to be the same UI. At one place I found the Parent control/port forwarding/firewall/Dmz listed on this image, but there is no Remote access next to it.

Any chance you could find where this option is gone?

Daniele_Sunrise

nargzul It is possible that this option has been disabled due to remote access by our support team when necessary. As I have no further information on this, please call our support team on 0800 707 707.

Greetings
Daniele