Double NAT? Confused!


Lynx

Senior Member
I have the following setup:
ASUS RT-AX86U (192.168.1.1) -> Huawei 4G Modem (192.168.8.1)
[Huawei 4G Modem connected to WAN port of ASUS Router]
I have found that the only way I seem to be able to get my ASUS Router to pick up a WAN IP from my Huawei 4G Modem is to ensure that I set my Huawei 4G Modem DHCP mode to: ON before I set the Huawei 4G Modem to Bridge Mode: ON. Unless I do this then my ASUS Router does not pick up a WAN IP address.
My Huawei 4G Modem connects to an ISP that employs CG-NAT.
But I am trying to avoid at least the double NAT scenario as between my ASUS Router and Huawei 4G Modem.
The tests below confuse me.
In the first scenario, with VPN OFF, it looks like my Huawei 4G Modem is NOT operating in bridge mode.
In the second test scenario, with VPN ON, it looks like my Huawei 4G Modem IS operating in bridge mode.
Now when I run tracert 8.8.8.8 with VPN OFF I see:
tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms RT-AX86U-4168 [192.168.1.1]
2 2 ms 1 ms 1 ms 192.168.8.1
3 * * * Request timed out.
4 48 ms 51 ms 45 ms 192.168.213.21
5 43 ms 47 ms 47 ms 192.168.213.22
6 * * * Request timed out.
7 * * * Request timed out.
8 53 ms 47 ms 47 ms 63.130.104.194
9 51 ms 38 ms 47 ms 90.255.251.2
10 47 ms 47 ms 48 ms 216.239.41.149
11 47 ms 47 ms 47 ms 172.253.66.87
12 50 ms 47 ms 47 ms dns.google [8.8.8.8]
When I run tracert 8.8.8.8 with VPN ON I see:
tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 1 ms <1 ms <1 ms RT-AX86U-4168 [192.168.1.1]
2 52 ms 47 ms 47 ms 10.8.0.1
3 50 ms 44 ms 45 ms 5.226.136.129
4 57 ms 48 ms 47 ms ae2.rt0-thn2.ldn.as25369.net [5.226.136.9]
5 48 ms 53 ms 48 ms google1.lonap.net [5.57.80.136]
6 48 ms 55 ms 58 ms 108.170.246.129
7 51 ms 47 ms 45 ms 142.251.54.29
8 * * 46 ms 63.130.104.194
9 * 48 ms 47 ms dns.google [8.8.8.8]
Is my setup messed up? Any idea why I cannot get a WAN IP with Huawei 4G Modem in Bridge Mode: ON unless I have previously set DHCP Mode: ON? I believe bridge mode is supposed to work with DHCP off, but I am struggling then to get my WAN IP passed to my ASUS Router from the Huawei 4G Modem.
Any help much appreciated with this confusion!
 
>> In the second test scenario, with VPN ON, it looks like my Huawei 4G Modem IS operating in bridge mode.
No, that's not what it's showing. With the VPN turned on, the gateway address changes to that of the VPN interface (10.8.0.1).
 
But the 50ms hop means it's over 4G rather than local right? In the first test scenario the next hop appears to be from my Asus router to my 4G modem because it is only 2 ms.
At the moment my Asus router is getting assigned an IP address in the 10.XX.XX.XX range. Is that then being assigned from my Huawei 4G modem DHCP rather than from my ISP?
Any idea how to get my bridge setup to work so that the Huawei 4G modem is transparent? I thought that is what bridge mode is supposed to do?
I tried setting DHCP OFF on the Huawei 4G Modem (and bridge mode: ON), then cloning the MAC address of my 4G Modem in the ASUS router, but that didn't seem to work. As in, my Asus router doesn't then pick up a WAN IP.
 
Just use DMZ on the 4G router, forget about 4G/bridge mode. With 150 Mbps (225 theoretical max), double NAT is not going to affect your speed.
 
Just to make sure I can't get bridge mode to work properly (this Huawei Modem is the B818-263 it can offer pretty big LTE speeds depending on location) are there any basic pointers? Should firewall be OFF on the modem and is any kind of static route needed? Am I right that the modem and router should be on different subnets?
 
>> Just to make sure I can't get bridge mode to work properly (this Huawei Modem is the B818-263 it can offer pretty big LTE speeds depending on location) are there any basic pointers? Should firewall be OFF on the modem and is any kind of static route needed? Am I right that the modem and router should be on different subnets?
Firewall (both) 4g/Asus on
Static route not needed (4g/DMZ takes care of that with fixed lan ip set on 4g for asus)
Both devices on different subnets
 
Correct. The VPN gateway is at the remote end of the tunnel. So everything's working as expected.
Forgive me for my lack of understanding but I am very curious about this. Does that mean the entrance to the tunnel eats up what would otherwise be one or more hops? In practice the data must go via my modem anyway so is it behind the scenes that the tunnel includes several nodes that it wraps up together? Is there a way to expose those nodes to see the route traffic takes along the way? Sorry if this does not make sense.
 
To see the hops between your router and the VPN provider you would need to turn off the VPN and then traceroute to the IP address of the VPN provider.
 
After further testing it seems actually the Huawei modem is passing on the WAN IP assigned by my ISP to the Asus router.

But why then does the Huawei modem appear as a hop on the traceroute? Wouldn't you expect it to be transparent?

With DMZ would router and modem be on different subnets and where would the WAN IP assigned by ISP get assigned? I presume I set the Asus router as DMZ host?
 
>> After further testing it seems actually the Huawei modem is passing on the WAN IP assigned by my ISP to the Asus router.

>> My Huawei 4G Modem connects to an ISP that employs CG-NAT

I seriously doubt this is happening with CG-NAT, and even if you see a WAN address being passed it's a fake one, as that's what CG-NAT is all about. CG-NAT deployment is not instant; you may see a delay, and during this delay you may see 'real' WAN addresses.
 
Semantics. So by 'WAN IP' I mean this is whatever local IP on my ISP network that is getting assigned. What do you think it is? My LTE router (192.168.8.1) shows WAN IP in range 10.x.x.x - that is just a local IP on my ISP's network right? And I see if I put my LTE router in bridge mode that same IP gets passed on to my Asus router (192.168.1.1). So bridge mode is doing its job - IP assigned by ISP gets passed to my Asus router. No it's not accessible from outside. Does that make this not a WAN IP? Whatever. But that's my understanding of what's going on here in terms of IP assignment.

If I am completely mistaken please let me know. I might be.

I don't know how this arrangement compares with DMZ or the pros and cons of each. I'd be interested to know.

Overall I'm just very confused that the Huawei B818 manages to pass on the IP from ISP to Asus router (so not double NAT, right?) and yet it appears as a hop on traceroute. Does this make sense to anyone?

The B818 seemingly adds itself as a hop with bridge mode enabled. I presume it does this to provide access to its web interface and passing anything else not for 192.168.8.1 onwards?
 
There are too many private IPs being tossed around here to make sense of anything. When your Asus has a 10.x.x.x WAN address, is 192.168.8.1 still the next hop in a traceroute run from the Asus itself?
 
Yes I think so. Here is the traceroute from the Asus router:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.8.1 (192.168.8.1) 1.028 ms 0.944 ms 0.922 ms
2 * * *
3 192.168.213.21 (192.168.213.21) 52.228 ms 52.218 ms 52.197 ms
4 192.168.213.22 (192.168.213.22) 52.157 ms 52.148 ms 52.128 ms
5 * * *
6 * * *
7 63.130.105.134 (63.130.105.134) 46.741 ms 63.130.104.194 (63.130.104.194) 49.756 ms 49.738 ms
8 90.255.251.2 (90.255.251.2) 50.828 ms 50.777 ms 50.763 ms
9 108.170.246.129 (108.170.246.129) 51.828 ms 74.125.242.65 (74.125.242.65) 43.992 ms 53.975 ms
10 209.85.241.93 (209.85.241.93) 55.965 ms dns.google (8.8.8.8) 60.850 ms 142.251.54.47 (142.251.54.47) 61.811 ms
With this mobile phone network provider it seems that devices get assigned WAN IP in range 10.x.x.x. And the traceroute above shows various initial local hops on the network of the provider. The 4G router without bridge mode also reports via its GUI a WAN IP in the 10.x.x.x range - and my mobile phone on the same network reports the same. With bridge mode the previously shown IP address on the 4G router GUI gets passed on to my Asus router if I do it all quickly enough.

Similarly, from my mobile phone, which gets assigned WAN IP in range 10.x.x.x, traceroute shows various hops in range 192.168.x.x on mobile network and then finally truly external hops.

For completeness, here is the traceroute from my mobile phone:
Traceroute: www.google.com
---------- step 1 ----------
Request timed out
---------- step 2 ----------
IP: 192.168.213.21
Time: 58.880 ms
---------- step 3 ----------
IP: 192.168.213.22
Time: * ms
---------- step 4 ----------
Request timed out
---------- step 5 ----------
Request timed out
---------- step 6 ----------
IP: 63.130.127.213
Time: * ms
---------- step 7 ----------
IP: 90.255.251.18
Time: 51.469 ms
---------- step 8 ----------
IP: 108.170.246.129
Time: 43.136 ms
---------- step 9 ----------
IP: 142.251.54.33
Time: * ms
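
Added example (not part of the original thread, and not anyone's posted code): a small Python check that sorts the private addresses in the traces above and judges upstream NAT from the router's own WAN address rather than from the hop list. The function names are hypothetical, the two WAN addresses in the demo are constructed (the thread only says 10.x.x.x), and it assumes a private WAN address outside the modem's LAN subnet is the one the carrier assigned.

```python
import ipaddress
import re

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918
SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, reserved for CG-NAT
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(addr):
    ip = ipaddress.ip_address(addr)
    if ip in SHARED:
        return "shared"
    return "private" if any(ip in net for net in PRIVATE) else "public"

def leading_internal_hops(trace_text):
    """Responding hops seen before the first publicly routable hop."""
    internal = []
    for line in trace_text.splitlines():
        m = re.match(r"\s*\d+\s+(.*)", line)
        hit = IPV4.search(m.group(1)) if m else None
        if not hit:
            continue  # header line or "* * *" timeout
        if classify(hit.group(0)) == "public":
            break
        internal.append(hit.group(0))
    return internal

def wan_verdict(router_wan, modem_lan):
    """Who translates upstream, judged from the router's own WAN address."""
    if ipaddress.ip_address(router_wan) in ipaddress.ip_network(modem_lan):
        return "modem NAT (double NAT at home)"
    if classify(router_wan) == "public":
        return "no upstream NAT"
    return "carrier NAT only (modem passes the address through)"

# Hops 1-8 of the VPN-off tracert posted in this thread.
TRACE = """\
1 1 ms <1 ms <1 ms RT-AX86U-4168 [192.168.1.1]
2 2 ms 1 ms 1 ms 192.168.8.1
3 * * * Request timed out.
4 48 ms 51 ms 45 ms 192.168.213.21
5 43 ms 47 ms 47 ms 192.168.213.22
6 * * * Request timed out.
7 * * * Request timed out.
8 53 ms 47 ms 47 ms 63.130.104.194
"""

if __name__ == "__main__":
    print(leading_internal_hops(TRACE))
    # Constructed WAN addresses: bridged case, then modem-DHCP case.
    print(wan_verdict("10.0.0.2", "192.168.8.0/24"))
    print(wan_verdict("192.168.8.100", "192.168.8.0/24"))
```

A private hop in the list only shows that a device answered the probe, not that it translated anything, which is why the verdict is taken from the WAN address.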
 
I'm having the same problem, with a Huawei B535 - Asus AC86U.
The bridge doesn't seem to be working on the LTE Router... Still Double NAT.

The same results with tracert 8.8.8.8: first the Asus's IP, then the LTE router.

... the kid's giving me a headache about games, and Xbox, and Teredo, and whatever... :eek:
 