Forward the Internet connection to a second router for network management (Bridge vs DMZ)



Hi,

For optical fiber, a particular ISP I'm interested in installs an ONT+Router all-in-one device (Huawei) which does not support bridge mode (maybe the router itself supports it but the functionality was probably removed by the ISP). But I don't like this router, I want to use my own (Asus AC68U) to manage my whole LAN. Usually, one would connect the Huawei to the Asus in bridge mode and have the Asus manage everything. But like I said, there's no bridge mode in the Huawei.

I believe the Huawei supports DMZ and I can redirect all the traffic from the Huawei to the Asus and still have the Asus manage everything. However, my question is, in practical terms, what exactly is the difference between redirecting all the traffic with bridge mode and redirecting all the traffic with DMZ. I'm really looking for practical pros and cons. Like "in mode X you can do this but not that".

Would I be able to achieve what I want - have the Asus manage the Internet connection to my LAN (like NAT, Firewall, Port Forwarding, DDNS, VPN, etc...) - with DMZ? Or is there anything that would only be possible in bridge mode?

What model of Huawei is it? Usually when ISPs do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

The problem with double NAT.. For one, it is a performance hit, be it slight - it's still a hit. You probably could have issues with ISAKMP since this is a static port and headers are probably going to get messed up in the double NAT. This is used in IKE, which is IPsec VPN connections mostly.. Do you do any of that? That can make it more complicated, but you should still be able to get around it.

Normally you would avoid a double NAT as much as possible.. If not in the DMZ of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work. But if in the DMZ you should not have all that many issues other than the slight performance hit of a double NAT. You could have issues with FTP for sure depending on the routers and FTP helpers; if no helper, trying to do active or run an FTP server behind could be broken.. Passive could even be a problem if the 1st router doesn't have a helper for FTP.. I wouldn't worry about that too much, unless you run an FTP server to the public.. Or use it all the time - it's really a deprecated protocol and SFTP should be used anyway.

Normally a DMZ is not a bridge; depending on the router it might not forward specific traffic or might do something weird with some ports being listened on by the 1st router and not forwarding correctly. Like I said, should be avoided!!!! But if you have to do it, it's not the end of the freaking world.. More than likely you can get everything to work..

Is this a business line or home connection? Business, I would think you could demand bridge mode.. Do you plan on playing lots of say console games behind this setup? Stuff that does with UPnP and/or likes static source ports could have problems, but since DMZ in first router you should be ok.. For example if a console game says via UPnP hey make sure you use source port X when you NAT because who I am connecting to expects that, but then the outside router just NATs it to some random port that is open in its state table. Where you're connecting might say hey that is the wrong source port.

DMZ is not the same as an actual public IP; the router is doing forwards and NAPT and ports are going to get changed twice. This could cause issues since while it's only done once and depending on the router you could have control over this when you do your specific forwards. But since it's being done twice and the outer one is just in auto mode with everything being forwarded to first router..

I would really push for bridge mode on the ISP device. But if a no go, it's a slight performance hit.. Why exactly do you want your own router? To run your wifi, just use it as an access point and just use the ISP device to control forwards, now only 1 NAT. Do you run multiple network segments? Why do you feel you cannot just use the ISP device as your edge router?

Another issue that can happen is just a crappy device given by the ISP, and when it's doing NAT and having to keep track of a lot of connections (p2p for example - especially if multiple users of it) the ISP device NAT falls down.. But if it was just bridging the connection the user could use a better device that can handle the number of states and not have an issue, etc..

 

 

Edited by BudMan
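
The port handling described in the post above can be reproduced with a toy model. This is an added example, not part of the original thread: a minimal NAPT simulation comparing the Asus on a bridged public address with the Asus behind the Huawei, with and without DMZ. All addresses, the udp/1194 VPN forward, the Huawei keeping udp/5060 for its own VoIP and the Huawei not preserving source ports are constructed assumptions, not facts about the HG8247H.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

PUBLIC = "203.0.113.10"      # constructed public address (documentation range)
ASUS_WAN = "192.168.100.2"   # constructed: Asus WAN address on the Huawei's LAN

@dataclass
class Napt:
    name: str
    wan_ip: str
    preserve_port: bool = True            # keep the client's source port if free
    dmz_host: Optional[str] = None        # receives all unsolicited inbound
    forwards: dict = field(default_factory=dict)  # (proto, port) -> (ip, port)
    reserved: set = field(default_factory=set)    # ports the router answers itself
    states: dict = field(default_factory=dict)    # (proto, wan_port) -> inside flow
    pool: count = field(default_factory=lambda: count(40000))

    def outbound(self, proto, src_ip, src_port):
        """Translate an outgoing flow; return the (ip, port) seen upstream."""
        flow = (src_ip, src_port)
        port = src_port if self.preserve_port else next(self.pool)
        while ((proto, port) in self.reserved
               or self.states.get((proto, port), flow) != flow):
            port = next(self.pool)
        self.states[(proto, port)] = flow
        return self.wan_ip, port

    def inbound(self, proto, port):
        """Where a packet arriving on the WAN side goes; None means dropped."""
        key = (proto, port)
        if key in self.reserved:
            return self.name, port        # consumed by the router itself
        if key in self.states:
            return self.states[key]       # reply to an existing flow
        if key in self.forwards:
            return self.forwards[key]     # explicit port forward
        return (self.dmz_host, port) if self.dmz_host else None

def send_out(chain, proto, src_ip, src_port):
    # chain is ordered LAN side -> Internet side
    for router in chain:
        src_ip, src_port = router.outbound(proto, src_ip, src_port)
    return src_ip, src_port

def send_in(chain, proto, port):
    """Follow an inbound packet from the Internet side towards the LAN."""
    routers = list(reversed(chain))
    for i, router in enumerate(routers):
        hop = router.inbound(proto, port)
        inner = routers[i + 1] if i + 1 < len(routers) else None
        if hop is None or inner is None or hop[0] != inner.wan_ip:
            return hop
        port = hop[1]

def asus(wan_ip):
    # Assumed forward: VPN server on 192.168.1.10, udp/1194
    return Napt("asus", wan_ip, forwards={("udp", 1194): ("192.168.1.10", 1194)})

def bridged():
    return [asus(PUBLIC)]

def double_nat(dmz=True):
    # Assumptions: the Huawei picks its own source ports and keeps udp/5060 (VoIP)
    huawei = Napt("huawei", PUBLIC, preserve_port=False,
                  dmz_host=ASUS_WAN if dmz else None, reserved={("udp", 5060)})
    return [asus(ASUS_WAN), huawei]

if __name__ == "__main__":
    for label, chain in (("bridged", bridged()), ("DMZ", double_nat()),
                         ("no DMZ", double_nat(dmz=False))):
        print(label, "IKE source seen by peer:", send_out(chain, "udp", "192.168.1.50", 500))
        print(label, "inbound udp/1194 ->", send_in(chain, "udp", 1194))
        print(label, "inbound udp/5060 ->", send_in(chain, "udp", 5060))
```

In this model the Asus forward for udp/1194 only works behind the Huawei when the DMZ is set, the IKE source port survives only in the bridged case, and a port the outer router keeps for itself never reaches the Asus.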
  On 10/11/2015 at 08:35, John Teacake said:

What model of Huawei is it? Usually when ISPs do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Huawei HG8247H. If by cloning the MAC you mean you'd only use my own device, that will not work. I still need to use the ISP's device for IPTV and VoIP. Also, I believe my credentials are builtin in the device, not sure about this though.

  On 10/11/2015 at 13:02, BudMan said:

The problem with double NAT.. For one, it is a performance hit, be it slight - it's still a hit. You probably could have issues with ISAKMP since this is a static port and headers are probably going to get messed up in the double NAT. This is used in IKE, which is IPsec VPN connections mostly.. Do you do any of that? That can make it more complicated, but you should still be able to get around it.

I'm not sure... I want to have the VPN service on the Asus turned on so I can connect to my LAN and access my internal services. I do not want VPN to forward all my traffic through my home connection. I'd like to have the possibility though, but I probably won't use it.

  On 10/11/2015 at 13:02, BudMan said:

Normally you would avoid a double NAT as much as possible.. If not in the DMZ of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.

For security purposes I usually turn UPnP off and open the required ports as necessary for any games I play (which are not that many to be honest).

  On 10/11/2015 at 13:02, BudMan said:

But if you have to do it, it's not the end of the freaking world.. More than likely you can get everything to work..

I'm afraid I do because the bridge functionality is disabled and I'm not sure anybody has yet found a way to enable it (if the router supports it, I believe it does).

  On 10/11/2015 at 13:02, BudMan said:

Is this a business line or home connection? Business, I would think you could demand bridge mode.. Do you plan on playing lots of say console games behind this setup? Stuff that does with UPnP and/or likes static source ports could have problems, but since DMZ in first router you should be ok.. For example if a console game says via UPnP hey make sure you use source port X when you NAT because who I am connecting to expects that, but then the outside router just NATs it to some random port that is open in its state table. Where you're connecting might say hey that is the wrong source port.

Home. I'm not in a position to demand anything. And the only way to request something is after signing the contract, which makes it worse. AFAIK, they no longer have the old ONT+Router combo available anymore, they install the new Huawei for all new clients. Like I previously said, I prefer to disable UPnP and forward all the needed ports. Do you see any issues with this setup?

  On 10/11/2015 at 13:02, BudMan said:

I would really push for bridge mode on the ISP device. But if a no go, it's a slight performance hit.. Why exactly do you want your own router? To run your wifi, just use it as an access point and just use the ISP device to control forwards, now only 1 NAT. Do you run multiple network segments? Why do you feel you cannot just use the ISP device as your edge router?

Because the ISP router sucks and doesn't have all the features I want. I've read many reviews on the Asus routers and they have exactly what I want and like in a router. It's not just the wifi, it's everything. To name a few, VPN Server, DDNS, dual wireless, QoS and proper IP/MAC management (they usually suck on those ISP routers). Also, the Asus has constant firmware development and there's the excellent Merlin firmware with extra features that I need (for one, DDNS to run a custom script so I can have my own custom domain). I just wanted to delegate the Internet/LAN management to the Asus as much as possible and leave the ISP router for IPTV and VoIP only.

Thanks for the long and descriptive post, that's exactly the kind of answer I was looking for :)

"proper IP/MAC management"

What is this exactly - setting a reservation? While I agree with you some very limited DHCP servers in many SOHO routers... I don't recall seeing one that doesn't do a reservation. What I have seen is the lack of setting any other options like changing the gateway or DNS, or other options you can set with DHCP, etc.

Again double nat would not be the preferred setup, but it is a very workable solution if you don't have the choice.

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it). I just called them up, asked to be transferred to Tier 2 support, and they accessed it and bridged it for me. Then I connected my own gear. Try giving them a call if you haven't.

  On 16/11/2015 at 12:59, BudMan said:

"proper IP/MAC management"

Like, machine A has MAC A:B:C:D and static IP 1.2.3.4 and it's named "My Personal Device" (on the router itself), then I can forward ports, control network access and stuff like that per machine identified by the name I previously selected instead of trying to identify the device I want by MAC or IP address. It's very basic but a lot of devices fail at having a good interface to manage stuff like this.

  On 16/11/2015 at 13:12, farmeunit said:

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it). I just called them up, asked to be transferred to Tier 2 support, and they accessed it and bridged it for me. Then I connected my own gear. Try giving them a call if you haven't.

Yeah, I'm gonna try that but unfortunately the kind of technical support we get around here is not very good, they are not very comprehensive. In other words, they really don't care.

So that is simple DHCP server reservation.. And then the ability to use an alias in firewall rules, etc. That would not really be a reason to use one device over another if you ask me.. But sure, if you like that feature of a firmware then ok..

You asked me why I wanted to use my own device and I gave you a few reasons, that's just one of them. But it's certainly not the most important. I wouldn't buy and use my own device just for that.

This topic is now closed to further replies.