Please help explaining pros-cons of Bridge mode vs DMZ of second router

calvin tran

Hello,
I had a question a while back but got no answer, so I just want to have a better understanding of these setups.
I have a good router, an RT-AX86S, and I don't want to migrate all the settings to the xFi router. Initially I connected my router (WAN port) to the xFi and it works fine; it doesn't seem to slow down at all, or at least not noticeably.
Then I found an article that mentioned having the xFi as a bridge or setting the second router as the DMZ device. I tried both and, from the user experience, there were no differences.
In DMZ mode, I assigned a static IP to the Asus router as 10.0.0.x, and when I went to "find my IP address" it still showed the xFi's main IP, so my router was not exposed at all. So what is the harm of exposing the second router that people advise against? Thx
 
So what is the harm of exposing the second router that people advise against? Thx
Do you have a link to this advice? Without knowing exactly what was said, it's difficult to answer the question.

At a practical level there's usually very little difference between bridging an ISP router or putting the second router in the DMZ of the first. There may be "gotchas" depending on your specific equipment. I have no idea what an "xfi" is.
 
Xfi is Comcast’s general wifi router branding.
 
So what is the harm of exposing the second router that people advise against?

Bridge mode on the XFI is technically a bit better as you're eliminating one layer of NAT, but DMZ will accomplish the same thing and very little latency difference (imperceptible most likely).

Technically you can just run them both in full-blown router mode with two layers of NAT and no DMZ; the only catch there is that if you want inbound port forwarding you have to do it on both routers (UPnP also won't work if you have anything that needs that).

I'm assuming what you were reading about DMZ mode was when you're doing it to an actual device inside your network, that is a security risk. Doing it from one router to another is no risk, in fact it is what people do when their ISP router does not support bridge mode (and they need uPNP or port forwarding).

Are they charging you for their router? If so, buy a DOCSIS 3.1 cable modem (heck, you can even use 3.0 for now; it's probably a couple of years before they shut those down), plug your router into it, and get rid of their obnoxious fee. For the most part, stick with Surfboard modems (one of the Arris lines, which they bought from Motorola). Refurbs on Amazon are cheap.

If their router is free/included then just run it in bridge mode making it effectively a modem. That will disable the wireless etc too.
 
Xfi is Comcast’s general wifi router branding.

Yeah, use it with our new "10G" network. Great start, confusing people about wireless vs wired terms (they say it "Ten G", and the average user doesn't think 10 gig; they think "oh, that's like my phone is 5G, so this is better", which is exactly what they want now that they're competing with T-Mo and Verizon 5G internet).

Comcast has got to be the absolute worst/most confusing with all their stupid branding and naming. They seem to be as obsessed with "X" and name changes as Elon Musk.
 
Due to my ISP forcing me to use their router if I want to use their bundled VOIP service, since upgrading to FTTP I now have to have my ASUS AX86U_Pro sitting behind my ISP's router. ISP annoyingly doesn't allow their router to run in bridged mode.

As much as I can, I have tried to make the ISP router run like a native bridge mode by turning off its firewall, DHCP server, and wifi radios. Only the AX86U is connected to the ISP router via ethernet with a static IP, with the WAN interface on the AX86U set with that static IP and the ISP router as its gateway.

On the ISP router the AX86U is placed in its DMZ, with all TCP & UDP ports (1:65535) additionally forwarded to the AX86U (belt-and-braces approach).

This is as close to a native bridge mode as possible, is functionally the same, and works fine. Despite technically being in a Double-NAT, with the AX86U complaining that its WAN IP address is private, it is functionally working as close as possible to a direct connection, and the extra hop introduces negligible latency. I use the AX86U just the same as before, whilst also being able to use the ISP's bundled VOIP via their router.

People warn about using a DMZ, and whilst knowledge and extreme caution is advised when using it for your devices, if you are putting a second router in the DMZ you are fine. It has its own firewall and was made to be exposed to the public internet.

A native bridge mode is preferable when possible because for a start it is just plain easier than doing all the steps above. It also reduces latency (albeit, infinitesimally) and reduces the number of variables that could cause issues or problems with your connection. It also stops the router complaining about being Double-NATted. Devices that notice you are in a Double-NAT because of the extra hop or private WAN IP do not know about the steps you have taken to workaround that situation, and so will complain and/or say any issues with the connection are because of that. Native bridge mode is preferable where possible.
 
Which ISP are you with? It's not unknown for them to force you into using their equipment by lying about compatibility and such.
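The two signals the posts above rely on (the OP's "find my IP address" result not matching the Asus WAN address, and the AX86U complaining that its WAN IP is private) can be checked mechanically. The script below is an added example, not code from the thread or from any router vendor: it classifies the WAN address your own router reports, compares it with what the internet sees, and counts the private-address hops at the start of a traceroute. The addresses, traceroute text and the host names are constructed for the example; it runs offline.

```python
import ipaddress
import re

# Shared Address Space used for carrier-grade NAT (RFC 6598). Checked explicitly
# because Python's is_private/is_global handling of this range varies by version.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Label an address as 'public', 'private' (RFC 1918 and friends), 'cgnat' or 'other'."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local:
        return "other"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def nat_layers(router_wan_ip: str, observed_public_ip: str) -> str:
    """Compare the WAN address your router shows with the address a 'what is my IP'
    site reports.  Equal: your router holds the public IP (bridged ISP box or your
    own modem).  Private WAN: another NAT router sits upstream (double NAT); putting
    your router in that box's DMZ does not change this.  CGNAT WAN: the ISP itself
    translates, and no bridge or DMZ setting on your side will remove that layer."""
    if router_wan_ip == observed_public_ip:
        return "single-nat"
    kind = classify(router_wan_ip)
    if kind == "private":
        return "double-nat"
    if kind == "cgnat":
        return "cgnat"
    return "unknown"  # public WAN that still differs from the observed IP (proxy, VPN, ...)


HOP_LINE = re.compile(r"^\s*\d+\s+(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def private_hops(traceroute_output: str) -> int:
    """Count the consecutive leading hops that answer from private/CGNAT space.
    Each one is a NAT router you sit behind (a bridged modem or a switch does not
    appear as a hop).  Counting stops at the first public or unresponsive hop."""
    count = 0
    for line in traceroute_output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header or noise, not a hop line
        ip = IPV4.search(m.group(1))
        if not ip or classify(ip.group(1)) not in ("private", "cgnat"):
            break
        count += 1
    return count


# Constructed traceroute output: Asus LAN gateway, then the ISP router's LAN
# address, then the (constructed) public destination.
TRACEROUTE_DOUBLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max
 1  192.168.50.1 (192.168.50.1)  0.412 ms
 2  10.0.0.1 (10.0.0.1)  1.103 ms
 3  1.1.1.1 (1.1.1.1)  9.871 ms
"""

# Constructed: the same network with the ISP box bridged, so it vanishes as a hop.
TRACEROUTE_BRIDGED = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max
 1  192.168.50.1 (192.168.50.1)  0.398 ms
 2  1.1.1.1 (1.1.1.1)  9.644 ms
"""

if __name__ == "__main__":
    # The OP's DMZ case: Asus WAN is 10.0.0.x, the internet sees the xFi's address
    # (1.2.3.4 is a constructed stand-in for that public address).
    print(nat_layers("10.0.0.5", "1.2.3.4"))          # double-nat
    print(private_hops(TRACEROUTE_DOUBLE_NAT))         # 2
    print(private_hops(TRACEROUTE_BRIDGED))            # 1
```

Run it with your own router's WAN address, the result of a "what is my IP" lookup, and the output of `traceroute` (or `tracert`) to any public host. A count of 2 private hops with a private WAN address is the double NAT the AX86U warns about; a CGNAT result means the layer is the ISP's and the bridge-vs-DMZ choice is moot for it.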
Here in the UK most ISPs have an obligation to give you your login and sip details on request.
 
So what is the harm of exposing the second router that people advise against?
There is nothing wrong with running your second router in a double NAT setup, as you found out. No need to put it in the DMZ. The only issue you will have is if you want to run some type of server behind the second router; then you will need to set up some port forwarding and perhaps some static routes.

The biggest problem you will have with a double NAT setup is people will tell you it is a no no and if you have any issues with your network most likely whomever you call for tech support will try and blame the double NAT as the root of the problem.
 
On the ISP router the AX86U is placed in its DMZ, with all TCP & UDP ports (1:65535) additionally forwarded to the AX86U (belt-and-braces approach).

No need to forward all ports if in DMZ, it accomplishes the same thing. Port forwarding could actually interfere potentially.

Running double NAT, as someone else mentioned, is fine; if you don't do DMZ then UPnP won't work and static port forwards have to be done on both devices, so DMZ does solve both of those. You can even leave DHCP enabled: if you set a static on your Asus WAN nothing will ever need DHCP, unless you specifically want to plug something into the ISP router directly for whatever reason, then it will get an IP, so leaving it enabled allows that should the need ever arise (consider it your DMZ where an untrusted device could be placed).

Generally when people have to use their ISP router (due to needing VOIP typically) I just run the router behind it in AP mode. But obviously if you want all the Asus features, you need to run it in router mode.

If you need UPnP or port forwarding, on the ISP router I'd just disable wifi and put the Asus in the DMZ (with either a static IP or a manual reservation if the ISP router allows it). Other than that you can leave the rest at default. If you don't need those features, don't even put the Asus in the DMZ; two firewalls and two layers of NAT is more secure and will not slow anything down (not to a noticeable extent; in reality their router is going to be a router and doing NAT whether you have DMZ or not).

Keep it simple basically.

Note that DMZ off the ISP router is nowhere near "bridge" mode. Bridge is just a switch effectively. DMZ is still using routing and NAT. Even if you disable wifi, DHCP, etc etc it is still a NAT router no matter what.

If OP is able to bridge the ISP router I'd personally say do that (or just replace it with your own modem and nix the rental fee). Everyone I know with Xfinity/Comcast I tell them to buy a cheap modem off amazon or wherever and run their own router. Have set up multiple family and friends that way, only takes 6 months or so to break even on cost.
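The rules in the last few posts (forwards must exist on both routers under plain double NAT, a DMZ entry on the ISP router makes the inner router's own forwards sufficient, bridge mode removes the outer NAT entirely, and a UPnP mapping only ever lands on the router the application talks to) can be modelled as a small inbound-path simulation. This is an added example, not code from the thread or from Asus or Comcast; the router names `xfi` and `asus`, the hosts `nvr` and `console`, and the ports are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Router:
    """One NAT router in the chain.  'bridge' mode is transparent (effectively a
    switch).  In 'router' mode unsolicited inbound traffic is dropped unless a
    port forward or a DMZ host matches; a DMZ host receives everything unmatched."""
    name: str
    mode: str = "router"                         # "router" or "bridge"
    dmz_host: Optional[str] = None               # receives all unmatched inbound traffic
    forwards: dict = field(default_factory=dict)  # (proto, ext_port) -> (host, int_port)

    def upnp_add_mapping(self, proto: str, ext_port: int, host: str, int_port: int) -> None:
        """What a UPnP IGD AddPortMapping request achieves: a forward on THIS router only."""
        self.forwards[(proto, ext_port)] = (host, int_port)


def inbound(chain, proto: str, port: int):
    """Trace one unsolicited inbound connection through routers ordered ISP-side
    first.  Returns ('delivered', host, port) or ('dropped', router_name)."""
    for i, r in enumerate(chain):
        if r.mode == "bridge":
            continue                             # no NAT, no firewall: passes unchanged
        if (proto, port) in r.forwards:
            host, port = r.forwards[(proto, port)]
        elif r.dmz_host:
            host = r.dmz_host                    # DMZ: unmatched traffic goes to one host
        else:
            return ("dropped", r.name)           # stateful firewall, no matching rule
        nxt = chain[i + 1].name if i + 1 < len(chain) else None
        if host != nxt:
            return ("delivered", host, port)     # landed on an end host, not the next router
    # Every device was bridged: the packet reaches the inner LAN untranslated.
    return ("delivered", "lan", port)


def scenarios() -> dict:
    results = {}

    # 1. ISP box bridged: only the Asus does NAT, one forward is enough.
    xfi = Router("xfi", mode="bridge")
    asus = Router("asus", forwards={("tcp", 443): ("nvr", 443)})
    results["bridge"] = inbound([xfi, asus], "tcp", 443)

    # 2. ISP box routes, Asus in its DMZ: same reachability as bridge for the
    #    forwarded port, and the Asus firewall still drops everything else.
    xfi = Router("xfi", dmz_host="asus")
    asus = Router("asus", forwards={("tcp", 443): ("nvr", 443)})
    results["dmz"] = inbound([xfi, asus], "tcp", 443)
    results["dmz_unforwarded"] = inbound([xfi, asus], "tcp", 22)

    # 3. Plain double NAT: the inner forward alone never sees the traffic;
    #    a matching forward on the ISP box is needed as well.
    xfi = Router("xfi")
    asus = Router("asus", forwards={("tcp", 443): ("nvr", 443)})
    results["double_nat_inner_only"] = inbound([xfi, asus], "tcp", 443)
    xfi.forwards[("tcp", 443)] = ("asus", 443)
    results["double_nat_both"] = inbound([xfi, asus], "tcp", 443)

    # 4. UPnP from a LAN device reaches only its own gateway (the Asus), so the
    #    mapping is useless under double NAT until the ISP box has a DMZ entry.
    xfi = Router("xfi")
    asus = Router("asus")
    asus.upnp_add_mapping("udp", 3074, "console", 3074)
    results["upnp_double_nat"] = inbound([xfi, asus], "udp", 3074)
    xfi.dmz_host = "asus"
    results["upnp_dmz"] = inbound([xfi, asus], "udp", 3074)

    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:24s} {outcome}")
```

The `dmz_unforwarded` case is the point the thread keeps making: the DMZ entry hands the inner router every unsolicited packet, but nothing reaches the LAN unless the inner router's own firewall has a rule for it, which is why a router in the DMZ is a very different thing from a camera or NAS in the DMZ.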
 
only takes 6 months or so to break even on cost.
Unless you are using unlimited data. They actually make it cheaper, $25/mo, to use their gateway and get unlimited, vs using your own modem with unlimited for $30/mo.
 
Thanks, it sounds like there is no problem running any of the three configurations that I have tried. I have unlimited data and a free modem, and I must use it for the package deal.
 
Thanks all, it sounds like I am fine with any of the three configurations that I mentioned. I have Lorex security cameras and Ring, but none of them requires me to set up any special port forwarding. I have unlimited data and a free modem, so I have to use it for the package.
 