Forward the Internet connection to a second router for network management (Bridge vs DMZ)


Hi,

For optical fiber, a particular ISP I'm interested in installs an ONT+router all-in-one device (Huawei) which does not support bridge mode (maybe the router itself supports it, but the functionality was probably removed by the ISP). But I don't like this router; I want to use my own (Asus AC68U) to manage my whole LAN. Usually, one would connect the Huawei to the Asus in bridge mode and have the Asus manage everything. But like I said, there's no bridge mode in the Huawei.

I believe the Huawei supports DMZ and I can redirect all the traffic from the Huawei to the Asus and still have the Asus manage everything. However, my question is, in practical terms, what exactly is the difference between redirecting all the traffic with bridge mode and redirecting all the traffic with DMZ. I'm really looking for practical pros and cons. Like "in mode X you can do this but not that".

Would I be able to achieve what I want (have the Asus manage the Internet connection to my LAN: NAT, firewall, port forwarding, DDNS, VPN, etc.) with DMZ? Or is there anything that would only be possible in bridge mode?

What model of Huawei is it? Usually when ISPs do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

The problem with double NAT: for one, there's a performance hit; be it slight, it's still a hit. You could have issues with ISAKMP, since this uses a static port and the headers are probably going to get messed up in the double NAT. This is used in IKE, which is mostly IPsec VPN connections. Do you do any of that? That can make it more complicated, but you should still be able to get around it.

Normally you would avoid a double NAT as much as possible. If you are not in the DMZ of the first router, it becomes a real pain to control port forwarding, and stuff like UPnP would not work. But if you are in the DMZ, you should not have all that many issues other than the slight performance hit of a double NAT. You could have issues with FTP for sure, depending on the routers and their FTP helpers; with no helper, trying to do active FTP, or running an FTP server behind it, could be broken. Passive could even be a problem if the first router doesn't have a helper for FTP. I wouldn't worry about that too much unless you run an FTP server to the public, or use it all the time; it's really a deprecated protocol and SFTP should be used anyway.

Normally a DMZ is not a bridge. Depending on the router, it might not forward specific traffic, or might do something weird with some ports being listened on by the first router and not forwarded correctly. Like I said, it should be avoided! But if you have to do it, it's not the end of the freaking world. More than likely you can get everything to work.

Is this a business line or a home connection? For business I would think you could demand bridge mode. Do you plan on playing lots of, say, console games behind this setup? Stuff that works with UPnP and/or likes static source ports could have problems, but since the DMZ is in the first router you should be OK. For example, a console game might say via UPnP "hey, make sure you use source port X when you NAT, because who I am connecting to expects that", but then the outside router just NATs it to some random port that is open in its state table. Where you are connecting to might say "hey, that is the wrong source port."

DMZ is not the same as an actual public IP. The router is doing forwards and NAPT, and ports are going to get changed twice. This could cause issues, since when it's only done once, and depending on the router, you could have control over this when you do your specific forwards. But here it's being done twice, and the outer one is just in auto mode with everything being forwarded to the first router.

I would really push for bridge mode on the ISP device. But if that's a no go, it's a slight performance hit. Why exactly do you want your own router? To run your WiFi? Just use it as an access point and use the ISP device to control forwards; now there's only one NAT. Do you run multiple network segments? Why do you feel you cannot just use the ISP device as your edge router?

Another issue that can happen is just a crappy device given by the ISP: when it's doing NAT and having to keep track of a lot of connections (P2P for example, especially if there are multiple users of it), the ISP device's NAT falls down. But if it were just bridging the connection, the user could use a better device that can handle the number of states and not have an issue, etc.

Edited by BudMan
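Added example, not part of the thread: a small Python model of the two stacked NATs BudMan describes, so the DMZ-versus-no-DMZ and source-port points can be checked rather than argued. The addresses (documentation and private ranges), the port numbers, and the allocation policies are constructed assumptions: the inner router is modelled as preserving the inside source port when it can, the ISP router as always rewriting it to a random ephemeral port. Neither is a documented property of the HG8247H or the AC68U; nothing here touches a real network.

```python
"""Toy model of two stacked NAPT routers: the ISP's ONT/router in front of the user's
own router. Constructed example; addresses, ports and port-allocation policies are
assumptions, not properties of any real device. No real network traffic is sent."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptRouter:
    """Minimal stateful NAPT: outbound creates a translation; inbound must match a
    translation, a static forward, or the DMZ host, otherwise it is dropped."""

    def __init__(self, wan_ip, preserve_src_port, dmz_host=None, forwards=None, seed=1):
        self.wan_ip = wan_ip
        self.preserve_src_port = preserve_src_port   # assumed policy of this router
        self.dmz_host = dmz_host                     # LAN host that gets all unmatched inbound
        self.forwards = dict(forwards or {})         # wan_port -> (lan_ip, lan_port)
        self.in_map = {}                             # (wan_port, remote) -> (lan_ip, lan_port)
        self.out_map = {}                            # (lan_ip, lan_port, remote) -> wan_port
        self.rng = random.Random(seed)

    def _allocate_port(self, wanted, owner):
        taken = {p for p, _ in self.in_map}
        taken |= {p for p, target in self.forwards.items() if target != owner}
        if self.preserve_src_port and wanted not in taken:
            return wanted
        while True:  # ephemeral range, like a NAT that ignores the inside source port
            p = self.rng.randint(49152, 65535)
            if p not in taken and p not in self.forwards:
                return p

    def outbound(self, pkt):
        remote = (pkt.dst_ip, pkt.dst_port)
        key = (pkt.src_ip, pkt.src_port, remote)
        if key not in self.out_map:
            wan_port = self._allocate_port(pkt.src_port, (pkt.src_ip, pkt.src_port))
            self.out_map[key] = wan_port
            self.in_map[(wan_port, remote)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, self.out_map[key], *remote)

    def inbound(self, pkt):
        """Translate a packet arriving on the WAN side; None means it was dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        target = self.in_map.get((pkt.dst_port, (pkt.src_ip, pkt.src_port)))
        if target is None:
            target = self.forwards.get(pkt.dst_port)
        if target is None and self.dmz_host is not None:
            target = (self.dmz_host, pkt.dst_port)   # DMZ: same port, whole address
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, *target)


# Constructed topology; documentation and private ranges stand in for real addresses.
PUBLIC_IP = "203.0.113.10"      # address the ISP hands the ONT/router
ASUS_WAN = "192.168.1.2"        # Asus WAN side, reserved on the ISP router's LAN
CONSOLE = "192.168.50.20"       # console behind the Asus
PEER = ("198.51.100.7", 3074)   # remote game peer that expects source port 3074


def build_chain(dmz_enabled):
    """Outer ISP NAT (Asus as optional DMZ host) in front of the Asus, which forwards 3074."""
    asus = NaptRouter(ASUS_WAN, preserve_src_port=True, forwards={3074: (CONSOLE, 3074)})
    isp = NaptRouter(PUBLIC_IP, preserve_src_port=False, dmz_host=ASUS_WAN if dmz_enabled else None)
    return isp, asus


def unsolicited_inbound_reaches_console(dmz_enabled):
    """Does a brand-new connection to PUBLIC_IP:3074 end up at the console's port 3074?"""
    isp, asus = build_chain(dmz_enabled)
    at_asus = isp.inbound(Packet(PEER[0], 40000, PUBLIC_IP, 3074))
    if at_asus is None:
        return False
    at_lan = asus.inbound(at_asus)
    return at_lan is not None and (at_lan.dst_ip, at_lan.dst_port) == (CONSOLE, 3074)


def source_port_seen_by_peer():
    """Console sends from 3074 wanting the peer to see 3074. Returns the source port after
    the Asus and after the ISP router; the second is what the peer actually sees."""
    isp, asus = build_chain(dmz_enabled=True)
    after_asus = asus.outbound(Packet(CONSOLE, 3074, *PEER))
    after_isp = isp.outbound(after_asus)
    return after_asus.src_port, after_isp.src_port


def reply_round_trip():
    """The peer's reply to the rewritten port is mapped back through both state tables."""
    isp, asus = build_chain(dmz_enabled=True)
    out = isp.outbound(asus.outbound(Packet(CONSOLE, 3074, *PEER)))
    back = asus.inbound(isp.inbound(Packet(PEER[0], PEER[1], PUBLIC_IP, out.src_port)))
    return back.dst_ip, back.dst_port


if __name__ == "__main__":
    for dmz in (True, False):
        print(f"DMZ {'on' if dmz else 'off'}: new inbound to :3074 reaches console? "
              f"{unsolicited_inbound_reaches_console(dmz)}")
    inner, outer = source_port_seen_by_peer()
    print(f"Asus kept source port {inner}; ISP router showed the peer {outer}")
```

Running it shows the two halves of the advice above: with the Asus as the DMZ host an unsolicited inbound connection traverses both boxes and lands on the forwarded console port, without it the ISP router drops it; and while the inner NAT keeps the source port the console asked for, the outer one still rewrites it, so a peer that insists on a specific source port sees the wrong one even though replies are routed back correctly.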
  On 10/11/2015 at 08:35, John Teacake said:

What model of Huawei is it? Usually when ISPs do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Huawei HG8247H. If by cloning the MAC you mean I'd only use my own device, that will not work. I still need to use the ISP's device for IPTV and VoIP. Also, I believe my credentials are built into the device; not sure about this though.

  On 10/11/2015 at 13:02, BudMan said:

The problem with double NAT: for one, there's a performance hit; be it slight, it's still a hit. You could have issues with ISAKMP, since this uses a static port and the headers are probably going to get messed up in the double NAT. This is used in IKE, which is mostly IPsec VPN connections. Do you do any of that? That can make it more complicated, but you should still be able to get around it.

I'm not sure... I want to have the VPN service on the Asus turned on so I can connect to my LAN and access my internal services. I do not want the VPN to forward all my traffic through my home connection. I'd like to have the possibility though, but I probably won't use it.

  On 10/11/2015 at 13:02, BudMan said:

Normally you would avoid a double NAT as much as possible. If you are not in the DMZ of the first router, it becomes a real pain to control port forwarding, and stuff like UPnP would not work.

For security purposes I usually turn UPnP off and open the required ports as necessary for any games I play (which are not that many, to be honest).

  On 10/11/2015 at 13:02, BudMan said:

But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

I'm afraid I do because the bridge functionality is disabled and I'm not sure anybody has yet found a way to enable it (if the router supports it, I believe it does).

  On 10/11/2015 at 13:02, BudMan said:

Is this a business line or a home connection? For business I would think you could demand bridge mode. Do you plan on playing lots of, say, console games behind this setup? Stuff that works with UPnP and/or likes static source ports could have problems, but since the DMZ is in the first router you should be OK. For example, a console game might say via UPnP "hey, make sure you use source port X when you NAT, because who I am connecting to expects that", but then the outside router just NATs it to some random port that is open in its state table. Where you are connecting to might say "hey, that is the wrong source port."

Home. I'm not in a position to demand anything, and the only way to request something is after signing the contract, which makes it worse. AFAIK, they no longer have the old ONT+router combo available; they install the new Huawei for all new clients. Like I previously said, I prefer to disable UPnP and forward all the needed ports. Do you see any issues with this setup?

  On 10/11/2015 at 13:02, BudMan said:

I would really push for bridge mode on the ISP device. But if that's a no go, it's a slight performance hit. Why exactly do you want your own router? To run your WiFi? Just use it as an access point and use the ISP device to control forwards; now there's only one NAT. Do you run multiple network segments? Why do you feel you cannot just use the ISP device as your edge router?

Because the ISP router sucks and doesn't have all the features I want. I've read many reviews of the Asus routers and they have exactly what I want and like in a router. It's not just the WiFi, it's everything. To name a few: VPN server, DDNS, dual wireless, QoS and proper IP/MAC management (ISP routers usually suck at those). Also, the Asus has constant firmware development, and there's the excellent Merlin firmware with extra features that I need (for one, DDNS that can run a custom script so I can have my own custom domain). I just want to delegate the Internet/LAN management to the Asus as much as possible and leave the ISP router for IPTV and VoIP only.

Thanks for the long and descriptive post, that's exactly the kind of answer I was looking for :)
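Added example, not from the thread or from Asus/Merlin: the DDNS piece of the plan above is where the DMZ setup differs from bridge mode in a way that is easy to miss. Behind the Huawei's DMZ the Asus WAN interface holds a private address from the Huawei's LAN, so a DDNS client that publishes its WAN interface address publishes a useless one; it has to publish the address the Internet actually sees, and if that address is itself private or in the shared 100.64.0.0/10 range the ISP is doing carrier-grade NAT and no inbound forward will work at all. The addresses below are constructed placeholders and `lookup_public_ip` stands in for whatever external lookup a real updater would do.

```python
"""Choosing the address a DDNS updater publishes when the router running it may sit
behind another NAT. Added example; address values are constructed and the
lookup_public_ip callback stands in for a real external 'what is my IP' query."""
import ipaddress

# RFC 1918 private ranges plus the RFC 6598 shared range carriers use for CGNAT.
NOT_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_publicly_routable(ip):
    """True unless the address is RFC 1918 private or RFC 6598 shared. 203.0.113.0/24
    is a documentation range and passes here only because it stands in for a real
    ISP-assigned address in this example."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in NOT_PUBLIC)


def choose_ddns_address(wan_ip, lookup_public_ip):
    """Return (address_to_publish_or_None, reason).

    wan_ip: address on this router's WAN interface (what a naive DDNS client publishes).
    lookup_public_ip: callable returning the address the Internet sees, e.g. from an
    external lookup service or the outer router's status page (constructed here)."""
    if is_publicly_routable(wan_ip):
        return wan_ip, "WAN interface holds a public address: single NAT, publish it"
    observed = lookup_public_ip()
    if observed is None or not is_publicly_routable(observed):
        return None, "observed address is private/shared too: another NAT upstream, inbound forwards cannot reach us"
    return observed, f"double NAT: WAN is {wan_ip}, publishing externally observed {observed}"


def dmz_preflight(dmz_host, wan_ip, wan_is_reserved):
    """Checks to make before relying on the outer router's DMZ: its target must be this
    router's WAN address, and that address must be a reservation so a lease change does
    not silently point the DMZ at some other host. Returns a list of problems."""
    problems = []
    if dmz_host != wan_ip:
        problems.append(f"DMZ host {dmz_host} is not our WAN address {wan_ip}")
    if not wan_is_reserved:
        problems.append("WAN address is a dynamic lease; reserve it on the outer router")
    return problems


if __name__ == "__main__":
    # Constructed values: behind the ISP router's DMZ the Asus WAN side is 192.168.1.2
    # while the Internet sees 203.0.113.10.
    print(choose_ddns_address("192.168.1.2", lambda: "203.0.113.10"))
    print(choose_ddns_address("203.0.113.10", lambda: "203.0.113.10"))
    print(choose_ddns_address("192.168.1.2", lambda: "100.72.3.4"))
    print(dmz_preflight("192.168.1.3", "192.168.1.2", wan_is_reserved=False))
```

The same test applies to the VPN server mentioned above: its clients must be given the externally observed address, and the Huawei's DMZ entry has to keep pointing at the Asus, which is why the Asus WAN address should be a reservation on the Huawei rather than an ordinary DHCP lease.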

"proper IP/MAC management"

What is this exactly, setting a reservation? While I agree with you that the DHCP servers in many SOHO routers are very limited, I don't recall seeing one that doesn't do a reservation. What I have seen is the lack of the ability to set any other options, like changing the gateway or DNS, or other options you can set with DHCP, etc.

Again, double NAT would not be the preferred setup, but it is a very workable solution if you don't have the choice.

I have a modem with Time Warner that I couldn't get bridged (hidden menu, and nothing I could find would get me into it). I just called them up, asked to be transferred to Tier 2 support, and they accessed it and bridged it for me. Then I connected my own gear. Try giving them a call if you haven't.

  On 16/11/2015 at 12:59, BudMan said:

"proper IP/MAC management"

Like, machine A has MAC A:B:C:D and static IP 1.2.3.4 and is named "My Personal Device" (on the router itself); then I can forward ports, control network access and stuff like that per machine, identified by the name I previously selected, instead of trying to identify the device I want by MAC or IP address. It's very basic, but a lot of devices fail at having a good interface to manage stuff like this.

  On 16/11/2015 at 13:12, farmeunit said:

I have a modem with Time Warner that I couldn't get bridged (hidden menu, and nothing I could find would get me into it). I just called them up, asked to be transferred to Tier 2 support, and they accessed it and bridged it for me. Then I connected my own gear. Try giving them a call if you haven't.

Yeah, I'm gonna try that, but unfortunately the kind of technical support we get around here is not very good; they are not very comprehensive. In other words, they really don't care.

So that is a simple DHCP server reservation, and then the ability to use an alias in firewall rules, etc. That would not really be a reason to use one device over another, if you ask me. But sure, if you like that feature of a firmware, then OK.

You asked me why I wanted to use my own device and I gave you a few reasons, that's just one of them. But it's certainly not the most important. I wouldn't buy and use my own device just for that.

This topic is now closed to further replies.