Forward the Internet connection to a second router for network management (Bridge vs DMZ)

By ProclaimDragon
in Smart Home, Network & Security

 Share

Recommended Posts

Veteran

ProclaimDragon

Posted
Posted

Hi,

For optical fiber, a particular ISP I'm interested in, installs a ONT+Router all-in-one device (Huawei) which does not support bridge mode (maybe the router itself supports it but the functionality was probably removed by the ISP). But I don't like this router, I want to use my own (Asus AC68U) to manage my whole LAN. Usually, one would connect the Huawei to the Asus in bridge mode and have the Asus manage everything. But like I said, there's no bridge mode in the Huawei.

I believe the Huawei supports DMZ and I can redirect all the traffic from the Huawei to the Asus and still have the Asus manage everything. However, my question is, in practical terms, what exactly is the difference between redirecting all the traffic with bridge mode and redirecting all the traffic with DMZ. I'm really looking for practical pros and cons. Like "in mode X you can do this but not that".

Would I be able to achieve what I want - have the Asus manage the Internet connection to my LAN (like NAT, Firewall, Port Forwardin, DDNS, VPN, etc...) - with DMZ? Or is there anything that would only be possible in bridge mode?

Grand Master

+John Teacake MVC

Posted
  • MVC
Posted

What model of Huawei is it? Usually when ISP's do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

The problem with double nat.. For one is a performance hit, be it slight - it still a hit. You prob could have issues with isakmp since this a static port and headers prob going to get messed up in the double nat.  This is used in IKE which is IPSEC vpn connections mostly.. Do you do any of that?  That can make it more complicated, but should still be able to get around it.

Normally you would avoid a double nat as much as possible..  If not in the dmz of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.  But if in the dmz you should not have all that many issues other than the slight performance hit of a double nat.  You could have issues with ftp for sure depending on the routers and ftp helpers, if no helper trying to do active or run a ftp server behind could be broken..  Passive could even be a problem if 1st router doesn't have a helper for ftp..  I wouldn't worry about that too much, unless you run a ftp server to the public.. Or use it all the time - its really a deprecated protocol and sftp should be used anyway.

Normally a DMZ is not a bridge, depending on the router it might not forward specific traffic or might do something weird with some ports being listened on the 1st router and not forwarding correctly.  Like I said should be avoided!!!!  But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

Is this a business line or home connection.  Business I would think you could demand bridge mode..Do you plan on playing lots of say console games behind this setup?  Stuff that does with UPnP and or likes static source ports could have problems, but since dmz in first router you should be ok.. For example if console game says via UPnP hey make sure you use source port X on when you nat because who I am connecting too expects that but then outside router just nats it to some random port that is open in its state table.  Where you connecting might say hey that is wrong source port.

Dmz is not the same as actual public IP, the router is doing forwards and napt and ports are going to get changed twice, this could cause issues since while it only done once and depending on the router you could have control over this When you do your specific forwards.  But since its being done twice and outer one is just in auto mode with everything being forwarded to first router..

I would really push for bridge mode on the isp device.  But if a no go, its a slight performance hit..  Why exactly do you want your own router?  To run your wifi, just use it as access point and just use the isp to control forwards, now only 1 nat.  Do you run multiple network segments?  Why do you feel you can not just use the isp device as your edge router?

Another issue that can happen, is just crappy device given by isp and when its doing nat and having to keep track of a lot of connections (p2p for example - especially if multiple users of it) the isp device nat falls down.. But if it was just bridging the connection the user could use a better device that can handle the number of states and not have an issue, etc..

 

 

Edited by BudMan
Veteran

ProclaimDragon

Posted
  • Author
Posted

What model of Huawei is it? Usually when ISP's do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Huawei HG8247H. If by cloning the MAC you mean you'd only use my own device, that will not work. I still need to use the ISP's device for IPTV and VoIP. Also, I believe my credentials are builtin in the device, not sure about this though.

The problem with double nat.. For one is a performance hit, be it slight - it still a hit. You prob could have issues with isakmp since this a static port and headers prob going to get messed up in the double nat.  This is used in IKE which is IPSEC vpn connections mostly.. Do you do any of that?  That can make it more complicated, but should still be able to get around it.

I'm not sure... I want to have the VPN service on the Asus turned on so I can connect to my LAN and access my internal services. I do not want VPN to forward all my traffic through my home connection. I'd like to have the possibility though, but I probably won't use it.

Normally you would avoid a double nat as much as possible..  If not in the dmz of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.

For security purposes I usually turn UPnP off and open the required ports as necessary for any games I play (which are not that many to be honest).

But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

I'm afraid I do because the bridge functionality is disabled and I'm not sure anybody has yet found a way to enable it (if the router supports it, I believe it does).

Is this a business line or home connection.  Business I would think you could demand bridge mode..Do you plan on playing lots of say console games behind this setup?  Stuff that does with UPnP and or likes static source ports could have problems, but since dmz in first router you should be ok.. For example if console game says via UPnP hey make sure you use source port X on when you nat because who I am connecting too expects that but then outside router just nats it to some random port that is open in its state table.  Where you connecting might say hey that is wrong source port.

Home. I'm not in a position to demand anything. And the only way to request something is after signing the contract, which makes it worse. AFAIK, they no longer have the old ONT+Router combo available anymore, they install the new Huawei for all new clients. Like I previously said, I prefer to disable UPnP and forward all the needed ports. Do you see any issues with this setup?

I would really push for bridge mode on the isp device.  But if a no go, its a slight performance hit..  Why exactly do you want your own router?  To run your wifi, just use it as access point and just use the isp to control forwards, now only 1 nat.  Do you run multiple network segments?  Why do you feel you can not just use the isp device as your edge router?

Because the ISP router sucks and doesn't have all the features I want. I've read many reviews on the Asus routers and they have exactly what I want and like in a router. It's not just the wifi, it's everything. To name a few, VPN Server, DDNS, dual wireless, QoS and proper IP/MAC management (they usually suck on those ISP routers). Also, the Asus has constant firmware development and there's the excellent Merlin firmware with extra features that I need (for one, DDNS to run a custom script so I can have my own custom domain). I just wanted to delegate the Internet/LAN management to the Asus as much as possible and leave the ISP router for IPTV and VoIP only.

Thanks for the long and descriptive post, that's exactly the kind of answer I was looking for :)

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"proper IP/MAC management"

What is this exactly - setting a reservation?  While I agree with you some very limited dhcp servers in many soho routers...  I don't recall seeing one that doesn't do a reservation.  What I have seen is the lack of setting any other options like changing the gateway or dns, or other options you can set with dhcp, etc.

Again double nat would not be the preferred setup, but it is a very workable solution if you don't have the choice.

Grand Master

farmeunit

Posted
Posted

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it).  I just called them up, asked to be transferred to Tier 2 support, and them accessed it and bridged it for me.  Then I connected my own gear.  Try giving them a call if you haven't.

Veteran

ProclaimDragon

Posted
  • Author
Posted

"proper IP/MAC management"

Like, machine A has MAC A:B:C:D and static IP 1.2.3.4 and it's named "My Personal Device (on the router itself) than I can forward ports, control network access and stuff like that per machine identified by the name I previously selected instead of trying to identify the device I want by MAC or IP address. It's very basic but a lot of devices fail having a good interface to manage stuff like this.

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it).  I just called them up, asked to be transferred to Tier 2 support, and them accessed it and bridged it for me.  Then I connected my own gear.  Try giving them a call if you haven't.

Yeah, I'm gonna try that but unfortunately the kind of technical support we get around here is not very good, they are not very comprehensive. In other words, they really don't care.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

So that is simple dhcp server reservation..  And then ability to use an alias in firewall rules, etc. That would not really be a reason to use one device over another if you ask me..   . But sure if you like that feature of a firmware then ok..

Veteran

ProclaimDragon

Posted
  • Author
Posted

You asked me why I wanted to use my own device and I gave you a few reasons, that's just one of them. But it's certainly not the most important. I wouldn't buy and use my own device just for that.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • A coalition of publishers sued OpenAI and Microsoft over scraping content without consent

      By sagum · Posted

      Just the price of doing business. The scamble to pull as much from the web as possible is happening, and it's happening before a case like this changes how or what is legal do to with AI in terms of data harvesting. But even then as we've seen with the likes of Google who ignore cookie requests and just accept the fact they'll get fined, it's built into their business price model now. AI is here, its not going away. Their reward if any from the court case would be best suited to trying to incorprate AI or licence their end points as authentic human verified content. The problem is, as we've seen these same news papers are using AI themselves.
    • IBM reveals sub-1nm chip technology, production expected in another 5 years

      By Yogurth · Posted

      Which finger's fingernail are we talking about? I can see how not having this info can lead to massive differences in interpretation.
    • This Chinese company is reportedly developing a feature Apple and Samsung can only dream of

      By Hamid Ganji · Posted

      This Chinese company is reportedly developing a feature Apple and Samsung can only dream of by Hamid Ganji While companies like Apple and Samsung have been relatively conservative with their devices’ battery capacities in recent years, Chinese manufacturers have taken the competition to the next level by introducing significantly larger batteries. However, the latest report from China suggests that a local company may already be developing a smartphone with a whopping 14,000mAh battery. Chinese leaker Digital Chat Station claimed on Weibo that a smartphone maker is developing a device with a 14,000mAh battery. If true, it would be the largest battery ever used in a smartphone and could, in theory, provide up to a week of battery life on a single charge. The leaker did not reveal the name of the company behind the device, but there are some clues. This week, HONOR unveiled the X80 Pro Max in China with an 11,000mAh battery and 90W wired charging support. The company also launched the Honor Win in January, which packs a 10,000mAh battery. HONOR, a former subsidiary of Huawei, has a proven track record of developing smartphones with unusually large batteries. However, other Chinese brands, including Xiaomi, have also launched devices such as the Xiaomi 17 Pro Max with 7,500mAh batteries. Though Chinese users on Weibo also believe the company behind the new battery is HONOR. Interestingly, Digital Chat Station said the device with the 14,000mAh battery weighs around 220 grams, making it lighter than the Apple iPhone 17 Pro Max (233 grams) and slightly heavier than the Samsung Galaxy S26 Ultra (214 grams). The iPhone 17 Pro Max currently packs a 5,088mAh battery in eSIM-only versions, while the Galaxy S26 Ultra features a 5,000mAh battery. Neither device is expected to see a dramatic increase in battery capacity in its next-generation successor. So when it comes to battery comparison, Chinese brands are unbeaten. HONOR smartphones are currently available in the EU, but the Chinese brand has no official presence in the United States due to restrictions imposed by the U.S. government.
    • IBM reveals sub-1nm chip technology, production expected in another 5 years

      By xrobwx71 · Posted

      https://i.imgur.com/dNY9tNv.png
    • Rufus alternative Ventoy now supports Windows 11's mandatory update, fixes major boot bug

      By Skyfrog · Posted

      I'm not sure I would call Ventoy a Rufus alternative.

  • Recent Achievements

    • First Post
      kinowa earned a badge
      First Post
    • Rookie
      krychek57 went up a rank
      Rookie
    • Grand Master
      Jaybonaut went up a rank
      Grand Master
    • One Year In
      Philsl earned a badge
      One Year In
    • Dedicated
      Scoobystu earned a badge
      Dedicated

  • Popular Contributors

    1. 1
      +primortal
      461
    2. 2
      +Edouard
      172
    3. 3
      PsYcHoKiLLa
      137
    4. 4
      Michael Scrip
      78
    5. 5
      Xenon
      77
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!