
Advice about own router behind ISP Router in Bridge Mode


fozzie bear

Occasional Visitor
I have a 50Mbps FTTP with an ISP in the UK called Gigaclear. They provide a Genexis HRG 1000 router by default.
Recently I have been having problems with my internet connection and their Tech Support think I am flooding one of the 4 ports on the router as I have a 24 port switch attached to it that serves multiple devices (Server, numerous PCs and laptops, Smart Home devices including appliances, Amazon Echos, Mobile phones, game consoles, video streaming boxes, tablets etc).
I am soon to install TP-Link EAP225s to improve wifi coverage in my bungalow and was going to feed all of these via a POE hub to the second port on the router. The ISP Tech Support have offered me a Linksys Velop as a router, but I am committed now to TP-Link; however, they suggested I use my own router and turn the Genexis into Bridge mode.
A few questions:-
1) I have an ASUS RT-AC66U router that I can use. Will this more easily manage the amount of network traffic than the Genexis, bearing in mind the 24 port switch will still be connected to one port on the router?
2) When in bridge mode does the Genexis just act as a cable modem with no NAT or routing function?
3) Does the ISP WAN IP address get assigned to my new router or still to the Genexis.
4) Currently there is no username and password for my ISP. Will I need this to configure the Asus?

There are lots of other benefits of using my own router such as DDNS, Download Manager, being able to connect a USB drive for backup purposes, VPN etc. However, the downside is that the ISP might not be keen to support issues when I'm using my own kit.
 
The main reason I never want to use an ISP supplied router for myself or my customers is because of the built-in capability (not just possibility) to peruse my network and devices at will.

Not just of the ISP (for data mining?), but also from a rogue employee(s), and/or any gov't body that can simply enter my personal network at will. Not to mention any contractor or other (out of sight) workers that the ISP allows to work on their equipment, and having access to everything too.

May as well just leave your front door open with a welcome sign above it.

Put your Genexis HRG 1000 in full Bridge mode (you should have a public IP address on your attached router and will be using the HRG as a 'modem') and buy yourself a better router than the RT-AC66U you currently have as it is slow, and not very up-to-date security-wise too.

The RT-AC66U_B1 model is a big step up for that original '66U and is effectively an updated (and faster) RT-AC68U.

I wouldn't be too concerned with ISP support when running your own router. The customers I serve buy their own because the ISP couldn't find a solution for them. ;)

And for any issues, you might have? This forum will be the place to ask for help. :)

Use the RT-AC66U after you have fully upgraded the firmware to the latest available (see john9527's fork of the RMerlin firmware and his 'dev' Onedrive link or to Asus' latest official firmware) until you can upgrade to a more current router.

Buy (or at least install) only one AP at a time until you are satisfied with the WiFi coverage and confident you are not over-saturating the home with AP's.

But for sure put that ISP router into Bridge mode. :)
 
1) I have an ASUS RT-AC66U router that I can use. Will this more easily manage the amount of network traffic than the Genexis, bearing in mind the 24 port switch will still be connected to one port on the router?
Yes, but with Omada being installed, at the very least you want to disable wifi on the AC66U and use it effectively as a wired router only, so you're not unnecessarily polluting your own airspace.
2) When in bridge mode does the Genexis just act as a cable modem with no NAT or routing function?
Yes, and you should put the fiber gateway/ONT into bridge mode when combining with your own gateway.
3) Does the ISP WAN IP address get assigned to my new router or still to the Genexis.
Yes. With the Genexis in bridge mode, the WAN IP should be DHCP'd to the MAC ID of the AC66U.
4) Currently there is no username and password for my ISP. Will I need this to configure the Asus?
Depends on whether or not your fiber connection is PPPoE-based. If there is no PPPoE login but rather the connection is simple DHCP (like a cable provider), then simply bridging the Genexis should be good enough to allow for the connection to be passed directly to your router. If Gigaclear does require PPPoE auth, then putting the Genexis into pure bridge mode would require PPPoE be handled by your router. That may or may not be possible, depending on if Gigaclear uses proprietary encryption on their PPPoE. If they do, then you'll likely have to keep the Genexis in some form of "routed bridge mode" (sometimes referred to as "PPPoE pass-through", or similar), whereby the Genexis handles PPPoE, but does not route, still passing the WAN IP to your router.

If I were you, I'd do exactly what you're thinking. Put the Genexis into whatever bridge mode is possible, to offload as many services to your router as you can. Then run the AC66U with wifi disabled, or put in a wired-only router (UI EdgeRouter, Mikrotik, pfSense box, etc.) and run wifi exclusively via your Omada APs.
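
A way to confirm the bridge is really passing the WAN IP through, as discussed in the answers above (an added example, not part of the original posts): classify the address on the router's WAN interface. The interface names `eth0` and `ppp0` and the sample `ip -4 -o addr show` output are constructed assumptions; 203.0.113.7 is a documentation-range stand-in for a real public address.

```python
import ipaddress
import re

# Address ranges that mean the WAN port is not holding a routable address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared space
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned, no lease

def classify_wan(addr: str) -> str:
    """Return what the WAN address says about the upstream gateway's mode."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_unspecified or ip in LINK_LOCAL:
        return "no-lease"      # DHCP/PPPoE never completed
    if any(ip in net for net in RFC1918):
        return "double-nat"    # ISP gateway is still routing and NATing
    if ip in CGNAT:
        return "cgnat"         # bridged, but the ISP NATs upstream
    if ip.is_loopback or ip.is_multicast or ip.is_reserved:
        return "other"
    return "public"            # bridge mode is passing the WAN IP through

def wan_verdict(ip_addr_output: str, iface: str) -> str:
    """Find iface in `ip -4 -o addr show` output and classify its address.
    The prefix length is optional because PPPoE links print `inet A peer B/32`."""
    pattern = (r"^\d+:\s+" + re.escape(iface) +
               r"\s+inet\s+(\d{1,3}(?:\.\d{1,3}){3})(?:/\d+)?\b")
    match = re.search(pattern, ip_addr_output, re.M)
    return classify_wan(match.group(1)) if match else "no-lease"

# Constructed sample output: eth0 sits behind a routing gateway,
# ppp0 is a PPPoE session terminated on the router itself.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.64/24 brd 192.168.1.255 scope global eth0
5: ppp0    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0
"""

if __name__ == "__main__":
    for name in ("eth0", "ppp0", "vlan2"):
        print(name, wan_verdict(SAMPLE, name))
```

A `double-nat` result means the ISP gateway is still routing, so the exposure concerns raised earlier in the thread still apply to that device.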
 
I have my own router behind my ISP's Home Gateway. I cannot get rid of it as the HGW also takes care of my landline subscription and our digital TV. For internet, I have everything in the HGW opened up wide and my Mikrotik is taking care of routing and firewall so I have total control over my home network.
 
Many thanks for your advice. My existing AC66U has hardware v B1 on the label but not a front facing USB port. Is this the older router?
 
Thank you again Trip for a detailed reply. I will contact Gigaclear Tech Support and ask if I need credentials in the second router.
 
Many thanks for your advice. My existing AC66U has hardware v B1 on the label but not a front facing USB port. Is this the older router?

I'm not too sure about the USB port? I'm pretty sure all RT-AC66U_B1 installations I've performed have the USB drive in the back (for Entware and amtm).

Sounds like you have the version I recommended! If you can confirm in the GUI that this is a dual-core 1GHz CPU model, I would recommend upgrading (please see my M&M Config below) to the latest RMerlin 384.15_0 final release.

That will give you amtm support built-in and with a spare USB drive, you can have an even more secure network and even a faster one too. (Specifically; amtm, Ext4 USB drive w/journaling enabled, a 2GB swap file, Diversion, Entware, Skynet and Unbound. Many more scripts you may want to explore, but the preceding list is a good baseline). :)

And while you won't have to install amtm when RMerlin 384.15_0 is installed, you may still want to follow the amtm Step-by-Step guide also found in the link in my signature below. :)
 
My existing AC66U has hardware v B1 on the label but not a front facing USB port. Is this the older router?

Yes, it is the older MIPS hardware based model. It has 2 x USB 2.0 ports at the back. The newer RT-AC66U B1 router has 1 x USB 2.0 port at the back and 1 x USB 3.0 port at the front. There is a difference in case thickness as well, the older is slimmer, the newer is more chunky. ASUS created a bit of confusion with model numbers. The older RT-AC66U has hardware revisions A1/B1, the newer has a name RT-AC66U B1. You can't use Asuswrt-Merlin 384.15 firmware on the older model.

Pictures of the products:
https://www.asus.com/ca-en/Networking/RTAC66U/gallery/
https://www.asus.com/ca-en/Networking/RT-AC66U-B1/gallery/

The RT-AC66U_B1 model is a big step up for that original '66U and is effectively an updated (and faster) RT-AC68U.

It is indeed an updated version of the RT-AC68U internally, but in my experience the RT-AC66U B1 has a bit weaker WiFi in real life conditions. Both routers use the same radio modules, but the antennae design is different and the RT-AC68U vertical design versions perform a bit better. There is another difference - offered as a low-cost alternative, the RT-AC66U B1 is actually a bit throttled in original firmware and marketed as an AC1750 class router. RT-AC68U models up to the fastest RT-AC1900P variant are marketed as AC1900 class routers.
 
Thanks for the clarification Val D. If I am to disable the router WiFi in favour of my EAP225 Mesh, presumably I can use the later RT-AC66U B1 without any issues with throttling unless this also applies to routing as well as WiFi?
 
unless this also applies to routing as well as WiFi?

It does apply for routing as well, but on your 50Mbps ISP line the older model shouldn't have any issues with routing. The latest firmware version for RT-AC66U is from Nov 2019, so security-wise it should be OK. Actually, I don't understand what the issue is with the ISP provided router. Even if you keep your network busy 100% all the time with a few thousand connections, it should be able to handle it. Try with what you already have; if it doesn't produce results acceptable to you, look for other options. You are a tech person obviously, you have a good switch, good APs are coming soon, why not a good wired router as @Trip suggested above? I personally use a pfSense box for firewall and routing duties, but other options are available. Consumer routers' single advantage is easy setup, but it shouldn't be a problem for you to run something better.
 
The 'classic' RT-AC68U is inferior overall to the updated RT-AC66U_B1 in my testing.

@fozzie bear, for just routing, you will not see any issues with a fully updated (RMerlin 384.15_0 release) RT-AC66U_B1. :)
 
@fozzie bear, for just routing, you will not see any issues with a fully updated (RMerlin 384.15_0 release) RT-AC66U_B1. :)

He doesn't have RT-AC66U B1 apparently. The router he has is RT-AC66U h/w version B1. The older model had versions A1/B1, as far as I remember. I would run Tomato on it. No hardware acceleration in Tomato, but the CPU processing is good for up to 160Mbps anyway. Should be good enough for 50Mbps line at the moment. There is current development going on called FreshTomato - https://exotic.se/freshtomato/.
 
