Double NAT(ASUS) and PPPoE passthrough/DMZ/exposed host/bridge mode/MS Teredo, possible solutions?

Discussion in 'Asuswrt-Merlin' started by deSSy2724, Jan 19, 2020.

  1. deSSy2724

    Hi all, I'm not that much into networking, but in short I plan to use features as an above-average user (which I in fact did before with my previous ISP and previous location, but that's another story). This might be a long post but I will try to make it as readable as possible.

    In short, I'm in some way forced/want to use two routers, and the thing which bothers me the most is the "Double NAT" problem and proper ways to eliminate it while at the same time not losing most of the second router's functionality (ASUS RT AC88U). After reading several articles and opinions, there are basically many obstacles and possible solutions, obstacles like "carrier grade NAT", IPv4/IPv6 combo, DSL lite, dual stack, and routers which don't support bridge mode, to name a few.


    THE CONFUSION (ONLY ISP GATEWAY/ROUTER)
    Anyway, it seems that if I use ONLY the ISP's provided router I'm getting both IPv4 and IPv6 public IP addresses and I can use port forwarding just fine, DynDNS too, and it seems like the NAT is 1:1 (not sure). The router/gateway (FritzBox) provided by my ISP can't be turned into bridge mode (a firmware update disabled it a long time ago) or whatever, but the main problem is that I'm not sure if I'm behind double NAT or not. For example, under Windows 10, while connected directly and only to my ISP's router/gateway (FritzBox), if I go to All Settings > Gaming > Xbox Network and perform the check for NAT Type I'm getting "Open NAT", but under cmd with "tracert 8.8.8.8" the two so-called "hops" are 1. my ISP router's IP, 2. an address which begins with 10.155........, the 3rd one being 172.17....... Does that mean that I'm behind double NAT or what? On some sites it's basically said that if the second IP/hop begins with 10.... I'm under double NAT, but why does the check in Win 10 under "Xbox Network" say that the NAT Type is open? I'm confused....



    WHAT I WANT (TWO ROUTERS WITHOUT DOUBLE NAT)

    Now the next problem is if I want to use a second router like the ASUS RT AC88U.... Like mentioned above, I'm using a router/gateway from my ISP and I plan to use a second router, the ASUS RTAC88U, which would be connected by wire to my ISP's router. The ASUS router is meant for VPN client usage, and it has 8 Ethernet ports, which is one of the main reasons I bought it. I plan to use it for port forwarding, NAS, security cameras, DynDNS etc. The router (ASUS) is connected from its WAN port to one of the LAN ports of my ISP router/gateway.

    Now, if I connect the two routers and go to the DynDNS settings (ASUS) I'm getting the following message:
    and while performing a cmd command, "tracert 8.8.8.8", while connected to the ASUS router for example, it seems that I'm behind double NAT (the first two hops are the IPs from both of my routers, both starting with 192......); under Win10 "Xbox Network" settings I'm getting "middle NAT".


    Now before I get into what I tried, let's get some facts straight because, like I said, I'm not into networking and some things confuse me a bit.


    QUESTIONS/CONCERNS, INFORMATION

    1. Is it true that the VPN connection (VPN client) can't be used if the ASUS is connected via one of its own LAN ports to another router/gateway? I read somewhere that a VPN client connection (ASUS) is possible only if I use the WAN port of the ASUS router, is that correct?

    1.1. Is it true that I'm directly getting a second NAT if I use the WAN port of my ASUS, but that it's possible to eliminate the second NAT if I use the LAN ports of my ASUS router instead of the WAN port to connect to the ISP gateway/router's LAN port? I mean, what's the difference anyway in this example? Some say use the LAN port, some say use the WAN port of the ASUS router.....


    2. What's the actual difference between DMZ and exposed host? On the ISP router (FritzBox) I can set the ASUS IP as "exposed host" with the warning saying something like:
    I mean, in what way is it different to DMZ? Isn't DMZ when all ports are opened for a specific private IP? Isn't it basically the same thing as "exposed host"?

    Does DMZ disable the firewall like the exposed host setting? If the exposed host disables the firewall on my ISP router, is the firewall still enabled on my ASUS end, and does it matter if I'm connected through the LAN port or WAN port of my ASUS router?

    3. What's PPPoE passthrough? If I set it up on my ISP router and connect my ASUS router to it, what's achieved this way?

    4. I read somewhere that there is a way to disable NAT on one of the routers to avoid double NAT and still be able to use its features like DynDNS, VPN etc., and many others say it's impossible.... very confusing.

    WHAT I TRIED:

    HINT:
    - Only the ISP router is not a solution because, like I said, I would like to have a VPN connection (only possible with the ASUS router), I want 8 Ethernet ports and so on.
    - The goal is to connect the main PC and most of the devices (8 LANs) to the ASUS router, and the ASUS router to the ISP router.


    1. First try: I connected the ASUS, Wireless Mode and default settings (WAN), to my ISP router, default settings (LAN), and it seems that I'm always behind double NAT (according to tracert and Win10 Xbox Network settings).

    2. ASUS in AP mode works (internet) but with DynDNS, VPN disabled..... basically like a dumb switch for me.

    3. I disabled Teredo on my ISP router and it was sometimes possible to have NAT Open under Xbox Network settings; other PCs are behind "middle NAT" etc. Some say it solves NAT problems with gaming consoles.

    4. I set up the exposed host on my ISP router to my ASUS router IP and now, if I'm connected to the ASUS router, it's basically like I'm connected directly to my ISP router. Xbox Network settings are showing "Open NAT" but tracert still indicates that I'm behind double NAT (second hop is 10......)...... very close to what I want, but I'm concerned about security. If the NAT is really open, am I missing something?

    5. What else to try............

    Now, if I were to get rid of the FritzBox, the modem/router gateway (with bridge support) should also support supervectoring profile 35b (my DSL ISP's requirement) and speeds up to 250 Mbit/s down and 40 Mbit/s up, so what should I buy? Like I said, the FritzBox can't be put in bridge mode.
     
  2. ColinTaylor

    I'll make a few comments rather than try and answer all your questions, as some of them might not be applicable any more.

    1. It doesn't sound like your ISP is NATing your connection. The traceroutes are often misleading. Can you log into the FritzBox and see what the WAN address is? That will tell you if you have a public address.

    2. Yes, to use the Asus as a VPN client it must be in "router mode". The VPN client will work without any problems in a double NAT situation.

    3. Regardless of how many routers you have or what their NAT setup is, all traffic sent through a VPN tunnel will be NATed by the tunnel. Unsolicited incoming traffic would not normally be allowed back through the tunnel to you unless the VPN provider offers this as a service.

    4. PPPoE passthrough is a kind of bridge mode.
     
    Last edited: Jan 19, 2020
    Vexira likes this.
  3. deSSy2724

    Sorry for the really late reply....

    On my FritzBox there is no mention of "WAN", but under "Internet, IPv4" it says: "IP-Adresse: 100.7X.1XX.XXX" (which is not my public IP). It seems that it's a local IP...... I know that VPN would work, but other port-forward-related things would have problems if the ASUS router is connected to my ISP gateway (FritzBox).

    On this FritzBox there is no option for turning on "PPPoE passthrough", but I remember other FritzBoxes do have this option. My main problem is the double NAT which I would like to avoid; would PPPoE passthrough solve this issue?

    Anyway, can you recommend any good modem/router combo which obviously supports bridge mode, VDSL supervectoring, profile 35b (up to 250 Mbit/s in download and 40 Mbit/s in upload)?
     
  4. ColinTaylor

    Addresses between 100.64.0.1 and 100.127.255.254 (100.64.0.0/10) are reserved for use by ISPs for Carrier-grade NAT. This type of NAT is applied by the ISP in their infrastructure, it's not something you can change using the equipment in your home.

    So as it stands there is no way for you to remove this layer of NAT. Your only option is to contact your ISP and tell them you want a public IP address and not a CGNAT address.
     
    Vexira and skeal like this.
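
An added example, not part of any post in this thread, of the check discussed above: classify each router's WAN address against 100.64.0.0/10 and the RFC 1918 private ranges, count the NAT layers, and label traceroute hops the same way. The function names and every sample address are constructed for illustration.

```python
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # range quoted in the thread
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'cgnat', 'private' or 'public' for an IPv4 address string."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT:
        return "cgnat"
    return "private" if any(ip in net for net in RFC1918) else "public"

def assess(wan_addrs):
    """wan_addrs: WAN address of each home router in router mode, innermost
    first. A non-public outermost WAN means one more NAT layer upstream."""
    outer = classify(wan_addrs[-1])
    return {
        "nat_layers": len(wan_addrs) + int(outer != "public"),
        "outer_wan": outer,
        # Port forwards and DynDNS need a public address on the outermost WAN.
        "inbound_possible": outer == "public",
        # CGNAT lives in the ISP network; home equipment cannot remove it.
        "isp_must_fix": outer == "cgnat",
    }

def hops(tracert_text):
    """Classify hop addresses in Windows tracert output. Private hops are
    only a hint; the router's own WAN address is the reliable check."""
    out = []
    for line in tracert_text.splitlines():
        m = re.match(r"\s*\d+\s.*?(\d+\.\d+\.\d+\.\d+)\]?\s*$", line)
        if m:
            out.append((m.group(1), classify(m.group(1))))
    return out

# Constructed sample values, not the poster's real addresses.
SAMPLE_WANS = ["192.168.178.20", "100.64.0.10"]  # ASUS WAN, FritzBox WAN
SAMPLE_TRACERT = """\
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     1 ms     1 ms     1 ms  192.168.178.1
  3     9 ms     8 ms     9 ms  10.20.30.1
  4    14 ms    13 ms    14 ms  8.8.8.8
"""

if __name__ == "__main__":
    print(assess(SAMPLE_WANS))
    print(hops(SAMPLE_TRACERT))
```

With the sample chain the result is three NAT layers (ASUS, FritzBox, ISP), and with a public address on the outer router it drops to two, which an exposed-host or port-forward rule on each router can handle.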