RT-AC68U Router mode w/ firewall only


reaver_shado

New Around Here
Hey all, just set up a new fiber install, which has to use a modem/router combo. On the plus side the modem/router has WiFi 6, but as usual the security on these things isn't the greatest. I'd like to use the modem/router for a game streaming server (wired and set up as a VPN server), 2 smartphones, Quest 2 (VR), and then everything else on the RT-AC68U (Chromecast non-4K, smart home plug, smart home lights, Alexa).

But then I've got double NAT, as well as being unable to use my smartphone to control smart home stuff behind the RT-AC68U WAN.

Can I disable NAT and DHCP on the RT-AC68U (let the modem/router do addressing) and just have the firewall running for scheduling/access control/QoS? I've tried but no go; I figure I need to set up either some static routing rule or something in the firewall, however I've hit a wall with my knowledge.

Any help would be appreciated.
 
Your RT-AC68U is woefully outclassed by the new router (depending on your ISP speeds and your needs/expectations, prepare for an upgrade).

Are you able to get the modem/router in Bridge mode? Can you ask your ISP to do it for you? Is this a single device or two?
 
Yes, disable NAT, give the Asus LAN a different subnet from the ISP, then add a static route on the ISP router for the Asus LAN, pointing to the Asus WAN.

For example if Asus LAN is 192.168.2.0/24 and WAN is 192.168.1.2 (from the ISP 192.168.1.0/24 subnet) then your ISP static route would be 192.168.2.0/24 via destination 192.168.1.2.

You will need DHCP on the AC68 still, DHCP does not pass through routers, your ISP router will not handle DHCP for the Asus LAN.

BUT your ISP router must support any source IP in the NAT rule it has for this to work. Unfortunately there is no list of routers and how they've configured their hide NAT. If they are only permitting their own LAN to hit the NAT rule, then this won't work. You'll be able to hit the devices from your ISP LAN, but the devices will have no internet. There are some possible hacks/workarounds to this but not clean and could be problematic. On the Asus when you enable static routes it knows that you're doing it for this reason and should work, but not sure about the ISP router. You'll just have to try and see.

You're also defeating some of the isolation that you want by removing that layer of NAT. You could potentially look at doing port forwarding rules etc instead and keeping the double NAT in place. Some IOT stuff is controlled through the cloud and doesn't even need local connectivity, other stuff needs it, so depends what you have.

After doing that I would log into the CLI and just make sure the firewall rules look good and are still functional. I haven't run an Asus in non-NAT mode so not positive, but it certainly should still have the firewall running and enabled. You can also test by blocking access to the ISP LAN in the Asus firewall rules (which I'm assuming you want). Of course if you do that you can't control the stuff with your smartphone on the ISP LAN, so honestly I'm confused as to what you want to do. Isolation will take away some convenience, just the nature of the beast.
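The routed (NAT-off) layout in the reply above has three things that must line up before it can work: the Asus WAN address has to be a usable host inside the ISP LAN, the Asus LAN has to be a different, non-overlapping subnet, and the ISP router's hide-NAT rule has to match packets sourced from that inner subnet. The script below, added here as an example and not code from the forum post, checks those conditions and emits the static route the reply describes; the addresses are the reply's own, while the function and field names are assumptions of this example.

```python
"""Sanity-check the routed (NAT-off) double-router layout from the reply above.

Added example, not code from the forum post. The addresses match the
reply's example; every function and field name here is an assumption.
"""
from ipaddress import ip_interface, ip_network


def plan_routed_lan(isp_lan: str, asus_wan: str, asus_lan: str) -> dict:
    """Validate the addressing and return the static route the ISP router needs.

    isp_lan  - the ISP router's LAN, e.g. "192.168.1.0/24"
    asus_wan - the Asus WAN address with its mask, e.g. "192.168.1.2/24"
    asus_lan - the Asus LAN behind it, e.g. "192.168.2.0/24"
    """
    isp = ip_network(isp_lan, strict=True)
    wan = ip_interface(asus_wan)
    lan = ip_network(asus_lan, strict=True)
    problems = []

    # The Asus WAN must be a usable host address inside the ISP LAN, or the
    # ISP router can never use it as a next hop for the static route.
    if wan.ip not in isp:
        problems.append(f"Asus WAN {wan.ip} is not inside ISP LAN {isp}")
    elif wan.ip in (isp.network_address, isp.broadcast_address):
        problems.append(f"Asus WAN {wan.ip} is the network or broadcast address of {isp}")
    if wan.network != isp:
        problems.append(f"Asus WAN mask gives {wan.network}, but ISP LAN is {isp}")

    # Without NAT the two LANs are routed side by side, so they must not overlap.
    if isp.overlaps(lan):
        problems.append(f"Asus LAN {lan} overlaps ISP LAN {isp}; choose a different subnet")

    return {
        # The route the reply describes: Asus LAN via the Asus WAN address.
        "static_route": {"destination": str(lan), "gateway": str(wan.ip)},
        # The ISP router's hide-NAT rule must match packets sourced from this prefix.
        "masquerade_must_cover": str(lan),
        "problems": problems,
    }


def nat_rule_covers(rule_source: str, asus_lan: str) -> bool:
    """True if a hide-NAT rule restricted to `rule_source` would still translate
    traffic from the Asus LAN. A rule limited to the ISP's own LAN (the failure
    mode the reply warns about) returns False; an any-source rule returns True."""
    return ip_network(asus_lan, strict=True).subnet_of(ip_network(rule_source, strict=True))


if __name__ == "__main__":
    plan = plan_routed_lan("192.168.1.0/24", "192.168.1.2/24", "192.168.2.0/24")
    print(plan["static_route"], plan["problems"])
    print("any-source NAT:", nat_rule_covers("0.0.0.0/0", "192.168.2.0/24"))
    print("ISP-LAN-only NAT:", nat_rule_covers("192.168.1.0/24", "192.168.2.0/24"))
```

The `nat_rule_covers` check is the part you cannot verify from the Asus side: the script only tells you what the ISP router's masquerade rule would have to match. A quick end-to-end test is a device on the Asus LAN reaching a public address; if it can reach the ISP LAN but nothing beyond it, the ISP router is translating only its own subnet, exactly the case the reply describes.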
 
Looks like they just want their IoT stuff behind it, so it should be more than capable.
 
Performance outclassed indeed… except for security features and access controls, which are virtually non-existent on the ISP router.

I can do PPPoE from the Asus or Advanced DMZ, which gives my router the same address as the modem (though it adds a significant amount of hiccup/lag). I think both somehow still allow me to use WiFi 6 on the ISP router, but it would totally cut me off from my hoped-for goal.
 
Unfortunately there is no way to add static routes to the ISP router.

What would the firewall, or I guess port triggering, rules look like?

Perhaps the simplest way of saying what I'm trying to do is: add better security, monitoring and access controls to the ISP router for half my devices (or at least the ones I'm concerned could easily present vulnerabilities). Devices that can take advantage of the Gigabit speeds I'm less concerned about, because they're more updated, like Apple, or have software monitors installed. For example, my ISP router has no way of seeing which device/IP is using what type of traffic or sending how much data to specific IPs.
 
If there are no static routes in the ISP router, you have to use NAT if you want the stuff behind the Asus to have internet access. You can put your Asus in DMZ of the ISP router (if it has that feature) but may not be needed for your use case.

It depends on your IoT devices. If they require mDNS for discovery, or you have many that need the same TCP port, etc., then it may not be feasible to use NAT and port mapping. On the other hand, if they are systems that are managed via the cloud (your phone doesn't connect to them directly but rather via the internet) it will work fine usually, even without DMZ. If they are all managed by a single hub then port mapping may be feasible. Or just have both WiFi networks saved in your phone and swap back and forth. If I want to cast to my Fire TV (which is on an IoT network) I just tap that network in my phone and it switches right over.

You have the option of just getting yourself a layer 2 firewall and putting the devices behind that; that way they are on the same subnet, use the DHCP server of the ISP router, and you can set up rules for what they can and cannot do. In theory you could even do this with the Asus in AP mode, but you'll need to get into scripting and ebtables etc.
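The reply above gives two conditions under which "keep double NAT and port-forward" stops working: devices that are discovered by mDNS (multicast does not cross the routed/NAT boundary), and several devices that all need the same port on the single Asus WAN address. The script below, added here as an example and not code from the forum post, walks a device inventory and reports whether port mapping is feasible and which forwards would be needed; the inventory is constructed for illustration and every class and function name is an assumption of this example.

```python
"""Check whether "keep double NAT and port-forward" can reach the devices
behind the Asus from the ISP LAN, following the reply above.

Added example, not from the forum post. The device list is constructed for
illustration and every name here is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IotDevice:
    name: str
    inbound: Tuple[Tuple[str, int], ...] = ()  # (proto, port) the phone must reach directly
    needs_mdns: bool = False     # discovered by multicast DNS on the local link
    cloud_managed: bool = False  # phone talks to the vendor cloud, never to the device


def port_mapping_feasibility(
    devices: List[IotDevice],
) -> Tuple[bool, List[str], Dict[Tuple[str, int], str]]:
    """Return (feasible, reasons, forwards).

    forwards maps each (proto, port) on the Asus WAN address to the one
    device that can own it. Cloud-managed devices need nothing. A device
    that relies on mDNS, or two devices needing the same port, makes the
    plan infeasible; that is the case where the reply suggests switching
    WiFi networks on the phone instead.
    """
    reasons: List[str] = []
    claims: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for dev in devices:
        if dev.cloud_managed:
            continue  # control path goes out to the internet; NAT handles it
        if dev.needs_mdns:
            reasons.append(
                f"{dev.name}: mDNS discovery stays on the local link and will not cross the NAT boundary"
            )
        for proto, port in dev.inbound:
            claims[(proto.lower(), port)].append(dev.name)

    forwards: Dict[Tuple[str, int], str] = {}
    for key, names in sorted(claims.items()):
        if len(names) > 1:
            reasons.append(
                f"{key[0]}/{key[1]} needed by {', '.join(names)}; only one device can own it on the WAN address"
            )
        else:
            forwards[key] = names[0]
    return (not reasons, reasons, forwards)


# Constructed sample inventory, loosely matching the thread's device list.
# Port numbers are illustrative values, not vendor documentation.
SAMPLE_DEVICES = [
    IotDevice("chromecast", inbound=(("tcp", 8008), ("tcp", 8009)), needs_mdns=True),
    IotDevice("smart-plug", cloud_managed=True),
    IotDevice("light-hub", inbound=(("tcp", 80),)),
    IotDevice("alexa", cloud_managed=True),
]


if __name__ == "__main__":
    feasible, why, fwd = port_mapping_feasibility(SAMPLE_DEVICES)
    print("feasible:", feasible)
    for line in why:
        print(" -", line)
    for (proto, port), owner in fwd.items():
        print(f"forward {proto}/{port} -> {owner}")
```

Every forward this produces is also an inbound hole in the Asus firewall that the ISP LAN can reach, so the list it prints doubles as the list of rules to review and to scope to the phone's address where the firmware allows a source restriction.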
 