Forward the Internet connection to a second router for network management (Bridge vs DMZ)

By ProclaimDragon
in Smart Home, Network & Security

 Share

Recommended Posts

Veteran

ProclaimDragon

Posted
Posted

Hi,

For optical fiber, a particular ISP I'm interested in, installs a ONT+Router all-in-one device (Huawei) which does not support bridge mode (maybe the router itself supports it but the functionality was probably removed by the ISP). But I don't like this router, I want to use my own (Asus AC68U) to manage my whole LAN. Usually, one would connect the Huawei to the Asus in bridge mode and have the Asus manage everything. But like I said, there's no bridge mode in the Huawei.

I believe the Huawei supports DMZ and I can redirect all the traffic from the Huawei to the Asus and still have the Asus manage everything. However, my question is, in practical terms, what exactly is the difference between redirecting all the traffic with bridge mode and redirecting all the traffic with DMZ. I'm really looking for practical pros and cons. Like "in mode X you can do this but not that".

Would I be able to achieve what I want - have the Asus manage the Internet connection to my LAN (like NAT, Firewall, Port Forwardin, DDNS, VPN, etc...) - with DMZ? Or is there anything that would only be possible in bridge mode?

Grand Master

+John Teacake MVC

Posted
  • MVC
Posted

What model of Huawei is it? Usually when ISP's do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

The problem with double nat.. For one is a performance hit, be it slight - it still a hit. You prob could have issues with isakmp since this a static port and headers prob going to get messed up in the double nat.  This is used in IKE which is IPSEC vpn connections mostly.. Do you do any of that?  That can make it more complicated, but should still be able to get around it.

Normally you would avoid a double nat as much as possible..  If not in the dmz of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.  But if in the dmz you should not have all that many issues other than the slight performance hit of a double nat.  You could have issues with ftp for sure depending on the routers and ftp helpers, if no helper trying to do active or run a ftp server behind could be broken..  Passive could even be a problem if 1st router doesn't have a helper for ftp..  I wouldn't worry about that too much, unless you run a ftp server to the public.. Or use it all the time - its really a deprecated protocol and sftp should be used anyway.

Normally a DMZ is not a bridge, depending on the router it might not forward specific traffic or might do something weird with some ports being listened on the 1st router and not forwarding correctly.  Like I said should be avoided!!!!  But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

Is this a business line or home connection.  Business I would think you could demand bridge mode..Do you plan on playing lots of say console games behind this setup?  Stuff that does with UPnP and or likes static source ports could have problems, but since dmz in first router you should be ok.. For example if console game says via UPnP hey make sure you use source port X on when you nat because who I am connecting too expects that but then outside router just nats it to some random port that is open in its state table.  Where you connecting might say hey that is wrong source port.

Dmz is not the same as actual public IP, the router is doing forwards and napt and ports are going to get changed twice, this could cause issues since while it only done once and depending on the router you could have control over this When you do your specific forwards.  But since its being done twice and outer one is just in auto mode with everything being forwarded to first router..

I would really push for bridge mode on the isp device.  But if a no go, its a slight performance hit..  Why exactly do you want your own router?  To run your wifi, just use it as access point and just use the isp to control forwards, now only 1 nat.  Do you run multiple network segments?  Why do you feel you can not just use the isp device as your edge router?

Another issue that can happen, is just crappy device given by isp and when its doing nat and having to keep track of a lot of connections (p2p for example - especially if multiple users of it) the isp device nat falls down.. But if it was just bridging the connection the user could use a better device that can handle the number of states and not have an issue, etc..

 

 

Edited by BudMan
Veteran

ProclaimDragon

Posted
  • Author
Posted

What model of Huawei is it? Usually when ISP's do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Huawei HG8247H. If by cloning the MAC you mean you'd only use my own device, that will not work. I still need to use the ISP's device for IPTV and VoIP. Also, I believe my credentials are builtin in the device, not sure about this though.

The problem with double nat.. For one is a performance hit, be it slight - it still a hit. You prob could have issues with isakmp since this a static port and headers prob going to get messed up in the double nat.  This is used in IKE which is IPSEC vpn connections mostly.. Do you do any of that?  That can make it more complicated, but should still be able to get around it.

I'm not sure... I want to have the VPN service on the Asus turned on so I can connect to my LAN and access my internal services. I do not want VPN to forward all my traffic through my home connection. I'd like to have the possibility though, but I probably won't use it.

Normally you would avoid a double nat as much as possible..  If not in the dmz of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.

For security purposes I usually turn UPnP off and open the required ports as necessary for any games I play (which are not that many to be honest).

But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

I'm afraid I do because the bridge functionality is disabled and I'm not sure anybody has yet found a way to enable it (if the router supports it, I believe it does).

Is this a business line or home connection.  Business I would think you could demand bridge mode..Do you plan on playing lots of say console games behind this setup?  Stuff that does with UPnP and or likes static source ports could have problems, but since dmz in first router you should be ok.. For example if console game says via UPnP hey make sure you use source port X on when you nat because who I am connecting too expects that but then outside router just nats it to some random port that is open in its state table.  Where you connecting might say hey that is wrong source port.

Home. I'm not in a position to demand anything. And the only way to request something is after signing the contract, which makes it worse. AFAIK, they no longer have the old ONT+Router combo available anymore, they install the new Huawei for all new clients. Like I previously said, I prefer to disable UPnP and forward all the needed ports. Do you see any issues with this setup?

I would really push for bridge mode on the isp device.  But if a no go, its a slight performance hit..  Why exactly do you want your own router?  To run your wifi, just use it as access point and just use the isp to control forwards, now only 1 nat.  Do you run multiple network segments?  Why do you feel you can not just use the isp device as your edge router?

Because the ISP router sucks and doesn't have all the features I want. I've read many reviews on the Asus routers and they have exactly what I want and like in a router. It's not just the wifi, it's everything. To name a few, VPN Server, DDNS, dual wireless, QoS and proper IP/MAC management (they usually suck on those ISP routers). Also, the Asus has constant firmware development and there's the excellent Merlin firmware with extra features that I need (for one, DDNS to run a custom script so I can have my own custom domain). I just wanted to delegate the Internet/LAN management to the Asus as much as possible and leave the ISP router for IPTV and VoIP only.

Thanks for the long and descriptive post, that's exactly the kind of answer I was looking for :)

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"proper IP/MAC management"

What is this exactly - setting a reservation?  While I agree with you some very limited dhcp servers in many soho routers...  I don't recall seeing one that doesn't do a reservation.  What I have seen is the lack of setting any other options like changing the gateway or dns, or other options you can set with dhcp, etc.

Again double nat would not be the preferred setup, but it is a very workable solution if you don't have the choice.

Grand Master

farmeunit

Posted
Posted

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it).  I just called them up, asked to be transferred to Tier 2 support, and them accessed it and bridged it for me.  Then I connected my own gear.  Try giving them a call if you haven't.

Veteran

ProclaimDragon

Posted
  • Author
Posted

"proper IP/MAC management"

Like, machine A has MAC A:B:C:D and static IP 1.2.3.4 and it's named "My Personal Device (on the router itself) than I can forward ports, control network access and stuff like that per machine identified by the name I previously selected instead of trying to identify the device I want by MAC or IP address. It's very basic but a lot of devices fail having a good interface to manage stuff like this.

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it).  I just called them up, asked to be transferred to Tier 2 support, and them accessed it and bridged it for me.  Then I connected my own gear.  Try giving them a call if you haven't.

Yeah, I'm gonna try that but unfortunately the kind of technical support we get around here is not very good, they are not very comprehensive. In other words, they really don't care.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

So that is simple dhcp server reservation..  And then ability to use an alias in firewall rules, etc. That would not really be a reason to use one device over another if you ask me..   . But sure if you like that feature of a firmware then ok..

Veteran

ProclaimDragon

Posted
  • Author
Posted

You asked me why I wanted to use my own device and I gave you a few reasons, that's just one of them. But it's certainly not the most important. I wouldn't buy and use my own device just for that.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • ABSTRACT//AWESOME//WALLPAPERS - made by me!

      By remixedcat · Posted

      thank you!
    • Apple and Tesla Supplier Tata Electronics Confirms 630 GB Data Theft: iPhone Specs on Dark Web

      By +Nik Louch · Posted

      Ooopsie!
    • A coalition of publishers sued OpenAI and Microsoft over scraping content without consent

      By Hamid Ganji · Posted

      A coalition of publishers sued OpenAI and Microsoft over scraping content without consent by Hamid Ganji Image via Depositphotos.com AI companies often rely on readily available internet content to train their chatbots and provide users with instant answers. This method of AI training is fast and relatively inexpensive, but using a website’s content without permission or compensation is not something publishers like to see, and this is exactly why Microsoft and OpenAI are now being sued. As reported by Bloomberg, a group of publishers that collectively own nearly 400 newspapers has filed a lawsuit against OpenAI and Microsoft. The coalition argues that the two companies scraped their content to build AI chatbots like ChatGPT and Copilot without paying any compensation. The complaint, filed in the U.S. District Court for the Southern District of New York, argues that while AI products have generated billions of dollars in market value using publishers’ work, none of that value has been shared with the publishers. The plaintiffs are seeking statutory damages and injunctive relief for alleged copyright infringement and violations of the Digital Millennium Copyright Act. “Defendants systematically and secretly crawled the Publishers’ websites—including content behind paywalls and other access restrictions—and copied the Publishers’ articles, stories, and other original works onto their own servers without authorization,” the complaint states. The publishers also described the AI boom as a “death knell for local journalism” if AI companies that scrape content for free are not held accountable. Former New Jersey Attorney General Matthew Platkin and his law firm, Platkin LLP, are representing the publishers. “Our models empower innovation, are trained on publicly available data, and are grounded in fair use,” OpenAI spokesperson Drew Pusateri told Bloomberg. This is not the first lawsuit involving the unauthorized use of publishers’ content by AI firms, but it is one of the largest coalitions ever formed against the free use of content by AI chatbots. In 2024, OpenAI and Microsoft also faced a similar lawsuit from eight newspapers that claimed AI products were benefiting from their content without permission.
    • Rufus alternative Ventoy now supports Windows 11's mandatory update, fixes major boot bug

      By hellowalkman · Posted

      Rufus alternative Ventoy now supports Windows 11's mandatory update, fixes major boot bug by Sayan Sen While Microsoft has its own official Media Creation Tool used for making bootable USB media, there are some popular third-party utilities as well which offer additional options like bypassing system requirements, Microsoft Account creation, and more. One of these is Ventoy, and the software has received its latest update today. In fact, the app actually got a slew of updates over the last couple of days, three version releases in total, to be specific. The first release, version 1.1.13, was pulled as there was some unspecified error in the update, and as such, the corrected version 1.1.14 was pushed out. Following that on very short notice, 1.1.15 was published as well. For those unfamiliar, Ventoy is an open-source utility that lets users create a bootable USB drive once and then simply copy ISO, WIM, IMG, VHD, or EFI files onto it without repeatedly formatting the drive. It supports both legacy BIOS and UEFI boot modes, Secure Boot, and a wide range of operating systems, making it one of the most versatile tools in the category. The biggest change in version 1.1.14 is an updated Secure Boot shim file aimed at resolving the UEFI CA 2023 issue, which is basically a compatibility problem that has affected Secure Boot environments on some systems. If you recall, we reported about severe boot issues on HP devices following the release of updated Secure Boot 2023 keys. For anyone who may not be aware, back in early 2024, Microsoft announced that it was updating Secure Boot keys as they were going to become 15 years old in 2026, which is also when they are set to expire. As such, the new 2023 certificates have been rolling out with the newest Windows 11 updates. Updated boot manager and Secure Boot certificates are crucial for protection against malware like bootkits. These are mandatory updates. Alongside that, the VentoyPlugson graphical plugin configurator was updated in sync with the release. The update also introduces a new VTOY_SECURE_BOOT_POLICY option within the Global Control plugin, giving users more flexibility in managing Secure Boot behavior. Ventoy has also received a fix for a startup issue when Secure Boot was disabled. Microsoft does officially allow users to boot systems without Secure Boot as long as the PC is Secure Boot capable. The full changelog is given below: Update secure boot shim file to solve the UEFI CA 2023 issue. The new release use a new CA, so you need to enroll the new key for the first boot time. VentoyPlugson update synchronously. Global control plugin add a VTOY_SECURE_BOOT_POLICY option. Fix the boot issue when Secure Boot is disabled in the UEFI firmware. You can download the latest version of the app here on Ventoy's official GitHub repo or from Neowin software stories.
    • Windows 11 is now five years old

      By grunger106 · Posted

      Windows 11 is fine, no issues on any of the machines I've run it on since release. The stricter security requirements are a good thing, sometimes the baseline needs to change and people will winge, but it is what it is. Happened with the move from 9x to NT - broke compatability Happened with XP SP2 when security started to become a serious consideration Certainly happend with Vista that brought in UAC, the concept of not running as admin (something that has been the norm in Linux/Unix from pretty much the start) and a completely new driver stack. Windows 11 will probably get looked back at as the point where even consumer and SMB IT was dragged kicking and screaming into a somewhat secure by default configuration.

  • Recent Achievements

    • Rookie
      krychek57 went up a rank
      Rookie
    • Grand Master
      Jaybonaut went up a rank
      Grand Master
    • One Year In
      Philsl earned a badge
      One Year In
    • Dedicated
      Scoobystu earned a badge
      Dedicated
    • First Post
      Tom Schmidt earned a badge
      First Post

  • Popular Contributors

    1. 1
      +primortal
      441
    2. 2
      +Edouard
      172
    3. 3
      PsYcHoKiLLa
      134
    4. 4
      Michael Scrip
      78
    5. 5
      Xenon
      77
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!