Forward the Internet connection to a second router for network management (Bridge vs DMZ)

By ProclaimDragon
in Smart Home, Network & Security

 Share

Recommended Posts

Veteran

ProclaimDragon

Posted
Posted

Hi,

For optical fiber, a particular ISP I'm interested in, installs a ONT+Router all-in-one device (Huawei) which does not support bridge mode (maybe the router itself supports it but the functionality was probably removed by the ISP). But I don't like this router, I want to use my own (Asus AC68U) to manage my whole LAN. Usually, one would connect the Huawei to the Asus in bridge mode and have the Asus manage everything. But like I said, there's no bridge mode in the Huawei.

I believe the Huawei supports DMZ and I can redirect all the traffic from the Huawei to the Asus and still have the Asus manage everything. However, my question is, in practical terms, what exactly is the difference between redirecting all the traffic with bridge mode and redirecting all the traffic with DMZ. I'm really looking for practical pros and cons. Like "in mode X you can do this but not that".

Would I be able to achieve what I want - have the Asus manage the Internet connection to my LAN (like NAT, Firewall, Port Forwardin, DDNS, VPN, etc...) - with DMZ? Or is there anything that would only be possible in bridge mode?

Grand Master

+John Teacake MVC

Posted
  • MVC
Posted

What model of Huawei is it? Usually when ISP's do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

The problem with double nat.. For one is a performance hit, be it slight - it still a hit. You prob could have issues with isakmp since this a static port and headers prob going to get messed up in the double nat.  This is used in IKE which is IPSEC vpn connections mostly.. Do you do any of that?  That can make it more complicated, but should still be able to get around it.

Normally you would avoid a double nat as much as possible..  If not in the dmz of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.  But if in the dmz you should not have all that many issues other than the slight performance hit of a double nat.  You could have issues with ftp for sure depending on the routers and ftp helpers, if no helper trying to do active or run a ftp server behind could be broken..  Passive could even be a problem if 1st router doesn't have a helper for ftp..  I wouldn't worry about that too much, unless you run a ftp server to the public.. Or use it all the time - its really a deprecated protocol and sftp should be used anyway.

Normally a DMZ is not a bridge, depending on the router it might not forward specific traffic or might do something weird with some ports being listened on the 1st router and not forwarding correctly.  Like I said should be avoided!!!!  But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

Is this a business line or home connection.  Business I would think you could demand bridge mode..Do you plan on playing lots of say console games behind this setup?  Stuff that does with UPnP and or likes static source ports could have problems, but since dmz in first router you should be ok.. For example if console game says via UPnP hey make sure you use source port X on when you nat because who I am connecting too expects that but then outside router just nats it to some random port that is open in its state table.  Where you connecting might say hey that is wrong source port.

Dmz is not the same as actual public IP, the router is doing forwards and napt and ports are going to get changed twice, this could cause issues since while it only done once and depending on the router you could have control over this When you do your specific forwards.  But since its being done twice and outer one is just in auto mode with everything being forwarded to first router..

I would really push for bridge mode on the isp device.  But if a no go, its a slight performance hit..  Why exactly do you want your own router?  To run your wifi, just use it as access point and just use the isp to control forwards, now only 1 nat.  Do you run multiple network segments?  Why do you feel you can not just use the isp device as your edge router?

Another issue that can happen, is just crappy device given by isp and when its doing nat and having to keep track of a lot of connections (p2p for example - especially if multiple users of it) the isp device nat falls down.. But if it was just bridging the connection the user could use a better device that can handle the number of states and not have an issue, etc..

 

 

Edited by BudMan
Veteran

ProclaimDragon

Posted
  • Author
Posted

What model of Huawei is it? Usually when ISP's do things like this, you find the MAC and clone it onto your own device. That's what I have done in the past with an ISP over here in the UK.

Huawei HG8247H. If by cloning the MAC you mean you'd only use my own device, that will not work. I still need to use the ISP's device for IPTV and VoIP. Also, I believe my credentials are builtin in the device, not sure about this though.

The problem with double nat.. For one is a performance hit, be it slight - it still a hit. You prob could have issues with isakmp since this a static port and headers prob going to get messed up in the double nat.  This is used in IKE which is IPSEC vpn connections mostly.. Do you do any of that?  That can make it more complicated, but should still be able to get around it.

I'm not sure... I want to have the VPN service on the Asus turned on so I can connect to my LAN and access my internal services. I do not want VPN to forward all my traffic through my home connection. I'd like to have the possibility though, but I probably won't use it.

Normally you would avoid a double nat as much as possible..  If not in the dmz of the first router it becomes a real pain to control port forwarding, stuff like UPnP would not work.

For security purposes I usually turn UPnP off and open the required ports as necessary for any games I play (which are not that many to be honest).

But if you have to do it, its not the end of the freaking world.. More than likely you can get everything to work..

I'm afraid I do because the bridge functionality is disabled and I'm not sure anybody has yet found a way to enable it (if the router supports it, I believe it does).

Is this a business line or home connection.  Business I would think you could demand bridge mode..Do you plan on playing lots of say console games behind this setup?  Stuff that does with UPnP and or likes static source ports could have problems, but since dmz in first router you should be ok.. For example if console game says via UPnP hey make sure you use source port X on when you nat because who I am connecting too expects that but then outside router just nats it to some random port that is open in its state table.  Where you connecting might say hey that is wrong source port.

Home. I'm not in a position to demand anything. And the only way to request something is after signing the contract, which makes it worse. AFAIK, they no longer have the old ONT+Router combo available anymore, they install the new Huawei for all new clients. Like I previously said, I prefer to disable UPnP and forward all the needed ports. Do you see any issues with this setup?

I would really push for bridge mode on the isp device.  But if a no go, its a slight performance hit..  Why exactly do you want your own router?  To run your wifi, just use it as access point and just use the isp to control forwards, now only 1 nat.  Do you run multiple network segments?  Why do you feel you can not just use the isp device as your edge router?

Because the ISP router sucks and doesn't have all the features I want. I've read many reviews on the Asus routers and they have exactly what I want and like in a router. It's not just the wifi, it's everything. To name a few, VPN Server, DDNS, dual wireless, QoS and proper IP/MAC management (they usually suck on those ISP routers). Also, the Asus has constant firmware development and there's the excellent Merlin firmware with extra features that I need (for one, DDNS to run a custom script so I can have my own custom domain). I just wanted to delegate the Internet/LAN management to the Asus as much as possible and leave the ISP router for IPTV and VoIP only.

Thanks for the long and descriptive post, that's exactly the kind of answer I was looking for :)

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"proper IP/MAC management"

What is this exactly - setting a reservation?  While I agree with you some very limited dhcp servers in many soho routers...  I don't recall seeing one that doesn't do a reservation.  What I have seen is the lack of setting any other options like changing the gateway or dns, or other options you can set with dhcp, etc.

Again double nat would not be the preferred setup, but it is a very workable solution if you don't have the choice.

Grand Master

farmeunit

Posted
Posted

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it).  I just called them up, asked to be transferred to Tier 2 support, and them accessed it and bridged it for me.  Then I connected my own gear.  Try giving them a call if you haven't.

Veteran

ProclaimDragon

Posted
  • Author
Posted

"proper IP/MAC management"

Like, machine A has MAC A:B:C:D and static IP 1.2.3.4 and it's named "My Personal Device (on the router itself) than I can forward ports, control network access and stuff like that per machine identified by the name I previously selected instead of trying to identify the device I want by MAC or IP address. It's very basic but a lot of devices fail having a good interface to manage stuff like this.

I have a modem with Time Warner that I couldn't get bridged (hidden menu and nothing I could find would get me into it).  I just called them up, asked to be transferred to Tier 2 support, and them accessed it and bridged it for me.  Then I connected my own gear.  Try giving them a call if you haven't.

Yeah, I'm gonna try that but unfortunately the kind of technical support we get around here is not very good, they are not very comprehensive. In other words, they really don't care.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

So that is simple dhcp server reservation..  And then ability to use an alias in firewall rules, etc. That would not really be a reason to use one device over another if you ask me..   . But sure if you like that feature of a firmware then ok..

Veteran

ProclaimDragon

Posted
  • Author
Posted

You asked me why I wanted to use my own device and I gave you a few reasons, that's just one of them. But it's certainly not the most important. I wouldn't buy and use my own device just for that.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft confirms Windows 11 26H2 to finally get one of the most requested features

      By Michal H. · Posted

      Dude, im talking about simply disable it from settings app. Because of the eu regulation, you could disable it here for years.
    • One big question about Mars was answered thanks to Einstein's 100 year old theory

      By hellowalkman · Posted

      One big question about Mars was answered thanks to Einstein's 100 year old theory by Sayan Sen Image via DepositPhotos Scientists at the U.S. National Institute of Standards and Technology (NIST) have calculated how time passes on Mars compared with Earth, adding detail to how timekeeping would need to work beyond Earth’s orbit. The study, published in The Astronomical Journal, found that clocks on Mars run an average of 477 microseconds, or millionths of a second, faster per day than clocks on Earth. A microsecond is one millionth of a second, a very small unit used in precise scientific timing systems such as atomic clocks, which measure time using consistent atomic behavior. This difference is not constant. Because Mars moves around the Sun in a non-circular path (an eccentric orbit, meaning its distance from the Sun changes over time instead of staying fixed) and is affected by gravity from other bodies, the daily difference can vary by as much as 226 microseconds over a Martian year. The study also identifies smaller repeating changes of about 40 microseconds per day linked to synodic cycles (repeating periods that describe how planets line up with each other as they orbit the Sun from different positions). These longer patterns affect how time differences slowly rise and fall. To make these estimates, researchers compared Mars with Earth and the Moon. The work looks at relativistic proper time (the time actually measured by a clock depending on its speed and the strength of gravity where it is located, as described in Einstein’s relativity). This shows that each world has its own slightly different “rate” of time. This becomes more important as space missions expand into cislunar space (the region between Earth and the Moon) and toward Mars. On Earth, time systems rely on atomic clocks and satellites, which stay closely synchronized for navigation and communication. The study is based on Albert Einstein’s theory of relativity, which shows that time is affected by gravity and motion. Stronger gravity makes clocks run slower, while weaker gravity makes them run faster. “The time is just right for the Moon and Mars,” said NIST physicist Bijunath Patla. “This is the closest we have been to realizing the science fiction vision of expanding across the solar system.” A day on Mars is about 40 minutes longer than on Earth, and a Martian year lasts 687 Earth days. But the main question is not just about days and years, but how fast time itself passes. An atomic clock placed on Mars would function normally, but compared with one on Earth, the two would slowly drift apart due to differences in gravity and motion. This requires careful calculation of what is similar to a time-zone difference across planets. Researchers modeled Mars using a reference surface and included gravitational effects from the Sun, Earth, the Moon, and other planets. This includes a multi-body gravitational system (often described as a three-body or four-body problem, where predicting motion becomes difficult because multiple large objects all pull on each other at the same time through gravity). Mars also follows a Keplerian orbit (an idealized elliptical orbit based on simple gravitational laws that assume smooth motion, before adding real-world disturbances from other bodies). In addition, the researchers accounted for solar tides (small changes in gravitational force caused by the Sun that slightly distort planetary motion and timing, especially in systems involving Earth and the Moon). These combined effects are described as relativistic proper-time offsets (small but measurable differences in elapsed time between locations caused by gravity and motion), which must be included when comparing clocks across planets. “But for Mars, that’s not the case. Its distance from the Sun and its eccentric orbit make the variations in time larger. A three-body problem is extremely complicated. Now we’re dealing with four: the Sun, Earth, the Moon and Mars,” Patla explained. “The heavy lifting was more challenging than I initially thought.” Although the differences are extremely small, they matter for navigation and communication systems that depend on precise timing. Even modern networks on Earth, such as mobile systems, rely on timing accuracy at very small fractions of a second. Communication between Earth and Mars currently takes about four to 24 minutes or more depending on planetary positions, meaning signals are not real-time. A shared and accurate time system could help future missions reduce confusion in navigation and data exchange. “If you get synchronization, it will be almost like real-time communication without any loss of information. You don’t have to wait to see what happens,” Patla said. Researchers note that fully developed interplanetary communication networks are still far in the future. However, understanding how time behaves across planets helps prepare for those systems. “It may be decades before the surface of Mars is covered by the tracks of wandering rovers, but it is useful now to study the issues involved in establishing navigation systems on other planets and moons,” said Neil Ashby. “Like current global navigation systems like GPS, these systems will depend on accurate clocks, and the effects on clock rates can be analyzed with the help of Einstein’s general theory of relativity.” Patla added that the results also help improve understanding of time itself under relativity. “It's good to know for the first time what is happening on Mars timewise. Nobody knew that before. It improves our knowledge of the theory itself, the theory of how clocks tick and relativity,” he said. Source: NIST, IOPscience This article was generated with some help from AI and reviewed by an editor. Under Section 107 of the Copyright Act 1976, this material is used for the purpose of news reporting. Fair use is a use permitted by copyright statute that might otherwise be infringing.
    • TeraCopy 4.0 Build 26

      By Copernic · Posted

      TeraCopy 4.0 Build 26 by Razvan Serea TeraCopy is a compact program designed to copy and move files at the maximum possible speed, also providing you with a lot of features. Copy files faster. TeraCopy uses dynamically adjusted buffers to reduce seek times. Asynchronous copy speeds up file transfer between two physical hard drives. Pause and resume transfers. Pause copy process at any time to free up system resources and continue with a single click. Error recovery. In case of copy error, TeraCopy will try several times and in the worse case just skips the file, not terminating the entire transfer. Interactive file list. TeraCopy shows failed file transfers and lets you fix the problem and recopy only problem files. Shell integration. TeraCopy can completely replace Explorer copy and move functions, allowing you work with files as usual. TeraCopy is free for non-commercial use only. For commercial use you need to buy a license. The paid version of the program includes the following features: Copy/move to your favorite folders. Save reports as HTML and CSV files. Select files with the same extension/folder. Remove the selected files from the copy queue. TeraCopy 4.0 Build 26 changelog: Added support for receiving files via the LocalSend protocol. Improved exception handling and automated bug report upload. Fixed several minor bugs and small memory leaks. Build 26 (June 24) Fixed a rare exception when a transfer completed. Features added since version 3.17: Enhanced speed graph. New multi-threaded copy engine. Support for copying to multiple targets. Queue system for managing multiple copy operations. Support for receiving files via the LocalSend protocol. TeraCopy entry in the modern Windows Explorer context menu. Integrated toolbar in the title bar. Why receive LocalSend transfers with TeraCopy? Handle file conflicts: Skip, overwrite, or rename files when a file with the same name already exists. LocalSend always creates another copy, which can waste time and disk space, especially when resuming an interrupted transfer. Filter unwanted files: Apply ignore lists or remove files manually before accepting a transfer, so unnecessary files are not downloaded. Better performance on fast networks: In tests over a 10 Gbps connection, TeraCopy received files several times faster than the standard LocalSend app on Windows. Download: TeraCopy 4.0 Build 26 | 14.5 MB (Freeware, paid upgrade available) View: TeraCopy Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Anyone Here With Turbo Pascal Experience?

      By +virtorio · Posted

      Briefly used Turbo Pascal (and Turbo C++) in 97 and soon after that I bought PC magazine that included a full version of Delphi 2. I still use Delphi today, some 29 years later.
    • Age of Empires Mobile comes to PC, here's how to carry over progress from your phone

      By Ivan Jenic · Posted

      Age of Empires Mobile comes to PC, here's how to carry over progress from your phone by Ivan Jenic Image: YouTube/Microsoft Microsoft just released Age of Empires Mobile for PC. The game, officially called Age of Empires Mobile: PC Edition, is available for free on Steam and Microsoft Store, almost two years after its initial release for handheld devices. Age of Empires is one of those franchises that entire generations grew up with. The original came out in 1997, and immediately got people hooked to building civilizations and crushing their enemies on the battlefield. However, the franchise today is a far cry from its roots, as Age of Empires Mobile is, well, a game optimized for handheld devices, and not a classic RTS title we’ve all loved for years. And, of course, it includes in-game purchases. The PC version is still a mobile game at its core, but it’s been optimized for desktop play. There’s mouse control, full keyboard compatibility, and a refined UI. Microsoft also refreshed the visuals with some 4k textures, so the game should look better on larger screens. The game supports Crossplay, so you can switch between your phone, tablet, and PC without losing anything. But linked progress doesn’t come out of the box, as you have to enable it first. Here’s how to link your progress: On your mobile device, open Age of Empires Mobile. Go to Settings (Gear icon) > Account. Select Bind Account and choose a sign-in option. Once you enable account binding, sign in on PC using the same method, and your progress will be accessible across all your devices. Xbox Game Pass subscribers also get a bonus reward pack on PC, which includes: 1 Monthly Pass Token 1 Custom Resource Chest 10 Universal 60-Minute Speed-Ups 1,000 Empire Coins Exclusive Player Portrait Frame You can find more info about Age of Empires Mobile: PC Edition, as well as download links, on the Age of Empires official website.

  • Recent Achievements

    • One Year In
      Philsl earned a badge
      One Year In
    • Dedicated
      Scoobystu earned a badge
      Dedicated
    • First Post
      Tom Schmidt earned a badge
      First Post
    • One Month Later
      D0nn13 earned a badge
      One Month Later
    • Rookie
      +ChiefOfNeo went up a rank
      Rookie

  • Popular Contributors

    1. 1
      +primortal
      458
    2. 2
      +Edouard
      177
    3. 3
      PsYcHoKiLLa
      124
    4. 4
      Michael Scrip
      79
    5. 5
      Xenon
      76
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!