Forward the Internet connection to a second router for network management (Bridge vs DMZ)

By ProclaimDragon
in Smart Home, Network & Security

 Share

Recommended Posts

Veteran

ProclaimDragon

Posted
Posted

Hi,

For optical fiber, a particular ISP I'm interested in, installs a ONT+Router all-in-one device (Huawei) which does not support bridge mode (maybe the router itself supports it but the functionality was probably removed by the ISP). But I don't like this router, I want to use my own (Asus AC68U) to manage my whole LAN. Usually, one would connect the Huawei to the Asus in bridge mode and have the Asus manage everything. But like I said, there's no bridge mode in the Huawei.

I believe the Huawei supports DMZ and I can redirect all the traffic from the Huawei to the Asus and still have the Asus manage everything. However, my question is, in practical terms, what exactly is the difference between redirecting all the traffic with bridge mode and redirecting all the traffic with DMZ. I'm really looking for practical pros and cons. Like "in mode X you can do this but not that".

Would I be able to achieve what I want - have the Asus manage the Internet connection to my LAN (like NAT, Firewall, Port Forwardin, DDNS, VPN, etc...) - with DMZ? Or is there anything that would only be possible in bridge mode?

Grand Master

+John Teacake MVC

Posted
  • MVC
Posted

What model of Huawei is it? Usually when ISP's do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

The problem with double nat.. For one is a performance hit, be it slight - it still a hit. You prob could have issues with isakmp since this a static port and headers prob going to get messed up in the double nat.  This is used in IKE which is IPSEC vpn connections mostly.. Do you do any of that?  That can make it more complicated, but should still be able to get around it.

Normally you would avoid a double nat as much as possible..  If not in the dmz of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.  But if in the dmz you should not have all that many issues other than the slight performance hit of a double nat.  You could have issues with ftp for sure depending on the routers and ftp helpers, if no helper trying to do active or run a ftp server behind could be broken..  Passive could even be a problem if 1st router doesn't have a helper for ftp..  I wouldn't worry about that too much, unless you run a ftp server to the public.. Or use it all the time - its really a deprecated protocol and sftp should be used anyway.

Normally a DMZ is not a bridge, depending on the router it might not forward specific traffic or might do something weird with some ports being listened on the 1st router and not forwarding correctly.  Like I said should be avoided!!!!  But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

Is this a business line or home connection.  Business I would think you could demand bridge mode..Do you plan on playing lots of say console games behind this setup?  Stuff that does with UPnP and or likes static source ports could have problems, but since dmz in first router you should be ok.. For example if console game says via UPnP hey make sure you use source port X on when you nat because who I am connecting too expects that but then outside router just nats it to some random port that is open in its state table.  Where you connecting might say hey that is wrong source port.

Dmz is not the same as actual public IP, the router is doing forwards and napt and ports are going to get changed twice, this could cause issues since while it only done once and depending on the router you could have control over this When you do your specific forwards.  But since its being done twice and outer one is just in auto mode with everything being forwarded to first router..

I would really push for bridge mode on the isp device.  But if a no go, its a slight performance hit..  Why exactly do you want your own router?  To run your wifi, just use it as access point and just use the isp to control forwards, now only 1 nat.  Do you run multiple network segments?  Why do you feel you can not just use the isp device as your edge router?

Another issue that can happen, is just crappy device given by isp and when its doing nat and having to keep track of a lot of connections (p2p for example - especially if multiple users of it) the isp device nat falls down.. But if it was just bridging the connection the user could use a better device that can handle the number of states and not have an issue, etc..

 

 

Edited by BudMan
Veteran

ProclaimDragon

Posted
  • Author
Posted
  On 10/11/2015 at 08:35, John Teacake said:

What model of Huawei is it? Usually when ISP's do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Huawei HG8247H. If by cloning the MAC you mean you'd only use my own device, that will not work. I still need to use the ISP's device for IPTV and VoIP. Also, I believe my credentials are builtin in the device, not sure about this though.

  On 10/11/2015 at 13:02, BudMan said:

The problem with double nat.. For one is a performance hit, be it slight - it still a hit. You prob could have issues with isakmp since this a static port and headers prob going to get messed up in the double nat.  This is used in IKE which is IPSEC vpn connections mostly.. Do you do any of that?  That can make it more complicated, but should still be able to get around it.

I'm not sure... I want to have the VPN service on the Asus turned on so I can connect to my LAN and access my internal services. I do not want VPN to forward all my traffic through my home connection. I'd like to have the possibility though, but I probably won't use it.

  On 10/11/2015 at 13:02, BudMan said:

Normally you would avoid a double nat as much as possible..  If not in the dmz of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.

For security purposes I usually turn UPnP off and open the required ports as necessary for any games I play (which are not that many to be honest).

  On 10/11/2015 at 13:02, BudMan said:

But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

I'm afraid I do because the bridge functionality is disabled and I'm not sure anybody has yet found a way to enable it (if the router supports it, I believe it does).

  On 10/11/2015 at 13:02, BudMan said:

Is this a business line or home connection.  Business I would think you could demand bridge mode..Do you plan on playing lots of say console games behind this setup?  Stuff that does with UPnP and or likes static source ports could have problems, but since dmz in first router you should be ok.. For example if console game says via UPnP hey make sure you use source port X on when you nat because who I am connecting too expects that but then outside router just nats it to some random port that is open in its state table.  Where you connecting might say hey that is wrong source port.

Home. I'm not in a position to demand anything. And the only way to request something is after signing the contract, which makes it worse. AFAIK, they no longer have the old ONT+Router combo available anymore, they install the new Huawei for all new clients. Like I previously said, I prefer to disable UPnP and forward all the needed ports. Do you see any issues with this setup?

  On 10/11/2015 at 13:02, BudMan said:

I would really push for bridge mode on the isp device.  But if a no go, its a slight performance hit..  Why exactly do you want your own router?  To run your wifi, just use it as access point and just use the isp to control forwards, now only 1 nat.  Do you run multiple network segments?  Why do you feel you can not just use the isp device as your edge router?

Because the ISP router sucks and doesn't have all the features I want. I've read many reviews on the Asus routers and they have exactly what I want and like in a router. It's not just the wifi, it's everything. To name a few, VPN Server, DDNS, dual wireless, QoS and proper IP/MAC management (they usually suck on those ISP routers). Also, the Asus has constant firmware development and there's the excellent Merlin firmware with extra features that I need (for one, DDNS to run a custom script so I can have my own custom domain). I just wanted to delegate the Internet/LAN management to the Asus as much as possible and leave the ISP router for IPTV and VoIP only.

Thanks for the long and descriptive post, that's exactly the kind of answer I was looking for :)

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"proper IP/MAC management"

What is this exactly - setting a reservation?  While I agree with you some very limited dhcp servers in many soho routers...  I don't recall seeing one that doesn't do a reservation.  What I have seen is the lack of setting any other options like changing the gateway or dns, or other options you can set with dhcp, etc.

Again double nat would not be the preferred setup, but it is a very workable solution if you don't have the choice.

Grand Master

farmeunit

Posted
Posted

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it).  I just called them up, asked to be transferred to Tier 2 support, and them accessed it and bridged it for me.  Then I connected my own gear.  Try giving them a call if you haven't.

Veteran

ProclaimDragon

Posted
  • Author
Posted
  On 16/11/2015 at 12:59, BudMan said:

"proper IP/MAC management"

Like, machine A has MAC A:B:C:D and static IP 1.2.3.4 and it's named "My Personal Device (on the router itself) than I can forward ports, control network access and stuff like that per machine identified by the name I previously selected instead of trying to identify the device I want by MAC or IP address. It's very basic but a lot of devices fail having a good interface to manage stuff like this.

  On 16/11/2015 at 13:12, farmeunit said:

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it).  I just called them up, asked to be transferred to Tier 2 support, and them accessed it and bridged it for me.  Then I connected my own gear.  Try giving them a call if you haven't.

Yeah, I'm gonna try that but unfortunately the kind of technical support we get around here is not very good, they are not very comprehensive. In other words, they really don't care.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

So that is simple dhcp server reservation..  And then ability to use an alias in firewall rules, etc. That would not really be a reason to use one device over another if you ask me..   . But sure if you like that feature of a firmware then ok..

Veteran

ProclaimDragon

Posted
  • Author
Posted

You asked me why I wanted to use my own device and I gave you a few reasons, that's just one of them. But it's certainly not the most important. I wouldn't buy and use my own device just for that.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Zen Browser 1.13b

      By Copernic · Posted

      Zen Browser 1.13b by Razvan Serea Zen Browser is a privacy-focused, open-source web browser built on Mozilla Firefox, offering users a secure and customizable browsing experience. It emphasizes privacy by blocking trackers, ads, and ensuring your data isn't collected. With Zen Mods, users can enhance their browser experience with various customization options, including features like split views and vertical tabs. The browser is designed for efficiency, providing fast browsing speeds and a lightweight interface. Zen Browser prioritizes user control over the browsing experience, offering a minimal yet powerful alternative to traditional web browsers while keeping your online activity private. Zen Browser’s DRM limitation Zen Browser currently lacks support for DRM-protected content, meaning streaming services like Netflix and HBO Max are inaccessible. This is due to the absence of a Widevine license, which requires significant costs and is financially unfeasible for the developer. Additionally, applying for this license would require Zen to be part of a larger company, similar to Mozilla or Brave. Therefore, DRM-protected media won't be supported in Zen Browser for the foreseeable future. Zen Browser offers features that improve user experience, privacy, and customization: Privacy-Focused: Blocks trackers and minimizes data collection. Automatic Updates: Keeps the browser updated with security patches. Zen Mods: Customizable themes and layouts. Workspaces: Organize tabs into different workspaces. Compact Mode: Maximizes screen space by minimizing UI elements. Zen Glance: Quick website previews. Split Views: View multiple tabs in the same window. Sidebar: Access bookmarks and tools quickly. Vertical Tabs: Manage tabs vertically. Container Tabs: Separate browsing sessions. Fast Profile Switcher: Switch between profiles easily. Tab Folders: Organize tabs into folders. Customizable UI: Personalize browser interface. Security Features: Inherits Firefox’s robust security. Fast Performance: Lightweight and optimized for speed. Zen Mods Customization: Deep customization with mods. Quick Access: Easy access to favorite websites. Open Source: Built on Mozilla Firefox with community collaboration. Community-Driven: Active development and feedback from users. GitHub Repository: Contribute and review the source code. Zen Browser 1.13b changes: New Features There's a new way to manage spaces, which brings a more intuitive and user-friendly experience Updated to firefox 139.0.4 Added support for Google safebrowsing for better security Collapsed toolbarr gets a slight UI redesign Fixes Fixed issues related to glance and split view Fixed performance issues and high GPU usage for some users Other small fixes and improvements Breaking Changes Customizable UI buttons at the bottom has been reset to a new default state Download: Zen Browser | 73.6 MB (Open Source) Download: Zen Browser ARM64 | Other Operating Systems View: Zen Browser Home Page | Screenshots 1 | 2 | Reddit Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Secure wipe your Windows 11 device with this Data Shredder Stick, now 25% off

      By Rosyna · Posted

      It is fundamentally impossible to secure delete files, especially on newer HDDs and all SSDs. You never know how the controller firmware is going to layout data or copy data around to optimize access or invoke wear leveling. The only way to securely “delete” something is to put it on an encrypted file system and forget the encryption key, assuming any apps you open the files in don’t copy the files to a local cache on the boot volumes.
    • New Outlook for Windows is getting another offline feature

      By Orrelix Organimus · Posted

      TBF, it has had PST support for quite a while now. But I still want them to add the ability to drag & drop between accounts / PSTs.
    • LibreOffice closes in on Microsoft Office, leaves Windows 7/8 behind in 25.8 Beta 1

      By Yonah · Posted

      That is too bad.
    • LibreOffice closes in on Microsoft Office, leaves Windows 7/8 behind in 25.8 Beta 1

      By David Uzondu · Posted

      LibreOffice closes in on Microsoft Office, leaves Windows 7/8 behind in 25.8 Beta 1 by David Uzondu The Document Foundation has released LibreOffice 25.8 Beta 1 for public testing on Linux, macOS, and Windows. This is the second pre-release for the 25.8 cycle and the foundation says that the final, stable version of LibreOffice 25.8 is expected to land at the end of August 2025. Starting off with Writer, LibreOffice's Word, the developers have finally addressed some long-standing annoyances, including a new command to easily insert a paragraph break right before a table. This beta also introduces a useful privacy feature in its Auto-Redact tool, letting you strip all images from a document with a single option. To use it, go to Tools and select the Auto-Redact option: The application has improved its ability to handle different languages for punctuation, preventing mix-ups in multilingual documents. Other notable improvements have also been made. A new hyphenation rule lets you choose to prevent a word from splitting at the end of a page, moving the whole line to the next page instead. Microsoft Word has had this feature for years now. The Navigator now displays a handy tooltip with word and character counts for headings and their sub-outlines. Scrolling behavior when selecting text has been improved, making it less erratic. A new command with a keyboard shortcut was added for converting fields into plain text. Calc gets a lot of new functions that bring it closer to its competitors like Excel, including TEXTSPLIT, VSTACK, and WRAPROWS. Impress now properly supports embedded fonts in PPTX files, which should reduce headaches when sharing presentations with PowerPoint users. Alongside these additions, the project is also cleaning house; support for Windows 7, 8, and 8.1 has been completely dropped. There are also smaller UI tweaks across the suite, like allowing a single click to enter rotation mode for objects in Writer and Calc. macOS users get better integration, with proper support for native full screen mode and new window management features from the Sequoia update. In terms of performance, the team has optimized everything from loading huge DOC files and XLSX spreadsheets with tons of conditional formatting to simply switching between sheets in Calc. These improvements should be noticeable, especially when working with complex documents. A new application-wide "Viewer mode" has also been implemented, which opens all files in a read-only state for quick, safe viewing. On a related note, The Document Foundation has joined efforts by the likes of KDE to encourage Windows 10 users to switch to Linux. Also, you might have heard that Denmark, in a bid to lessen its reliance on Microsoft, has decided to make a full switch to LibreOffice, with plans to begin phasing out Office 365 in certain ministries as early as next month. If you're interested in this release, you can read the full release notes and download the binaries for your platform: Windows, macOS (Intel | Apple Silicon), or Linux (DEB | RPM). You can also get the latest stable version from our software stories page.

  • Recent Achievements

    • Week One Done
      julien02 earned a badge
      Week One Done
    • One Year In
      Drewidian1 earned a badge
      One Year In
    • Explorer
      Case_f went up a rank
      Explorer
    • Conversation Starter
      Jamie Smith earned a badge
      Conversation Starter
    • First Post
      NeoToad777 earned a badge
      First Post

  • Popular Contributors

    1. 1
      +primortal
      544
    2. 2
      ATLien_0
      227
    3. 3
      +FloatingFatMan
      160
    4. 4
      Michael Scrip
      113
    5. 5
      +Edouard
      104
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!