Double NAT setup advice

TrebleTA

Senior Member
Hi all, so this is my problem: my ISP is Sky Broadband and they provide VoIP via their device. So I need to use their device, or no phone. The ISP device is poor, no features, no bridge mode etc. So for now I've been using my Asus AX82U in a double NAT setup; my internet is used for gaming, on Xbox X, PlayStation 5 and PC.

These are my settings.
ISP device IP 192.168.100.20, turned the Wi-Fi off, DHCP off, IPv6 and DHCP IPv6 off, and in the DMZ I put 192.168.100.40. Respond to ping from WAN disabled. UPnP disabled.

On my AX82U device.
WAN settings:
IP static 192.168.100.40,
Subnet 255.255.255.0
Gateway 192.168.100.20
DNS server 1 192.168.100.20
DNS server 2 blank.
Then I set DNS over TLS and set Strict.

Then on the AX82U, IP 192.168.140.1,
IPv6 disabled. Also IPv6 firewall.
Respond to ping from WAN disabled.
DoS protection disabled.

All seems to run fine, but have some questions.

1. On the ISP device, should I disable the firewall to help with latency, or is disabling the firewall on the ISP device a bad idea?

2. In the AX82U WAN settings, should I put DNS server 1 in the 2nd DNS server field, or is leaving it blank OK?

3. Are any of the above bad, or is anything missing?

Thanks
 
All seems to run fine,

You only need to place your router's WAN IP in ISP device DMZ. Disable Wi-Fi, but no need to disable anything else.

On your AX82U router:
WAN IP static 192.168.100.40 (you can use static, if you want to)
Subnet 255.255.255.0
Gateway 192.168.100.20
DNS server 1 (your preferred external DNS server 1)
DNS server 2 (your preferred external DNS server 2)

DNS-over-TLS is not necessary.
Disabling IPv6 Firewall is not necessary.

If any of the above are bad or anything missing?

Game consoles may complain. Games open many ports and your UPnP may not be working with a private WAN IP. I see miniupnpd shutting down on later firmware when a private WAN IP is detected. You can check this in System Log on your router.
 
I have set up port forwarding to the consoles for their default ports; also on the ISP device I've made a firewall rule to allow all to the AX82U, as by default there is an IPv4 block-all rule for inbound that cannot be removed or disabled, yet I have DMZ set. Thanks for the advice, I was disabling Wi-Fi, DHCP etc. to lessen the workload.
 
So, about what you were saying about miniupnpd, would enabling DHCP on the ISP device and auto on the AX82U work?
 
So, about what you were saying about miniupnpd

I've noticed it doesn't work with private WAN IP anymore. It used to work on older firmware.

would enabling DHCP on the ISP device and auto on the AX82U work?

No, you still have the same private WAN IP for your AX82U router. In general double NAT is not an issue, unless you use games connecting to multiplayer online servers and trying to open many ports via UPnP. I'm not a gamer, but it may be an issue for you depending on the games you play.
 
Thanks, I did try both static and auto for the WAN and both showed:
Mar 12 02:43:33 miniupnpd[9324]: shutting down MiniUPnPd
Mar 12 02:43:33 miniupnpd: it is advised to use network interface name instead of 192.168.100.40.

So will I need to set ports if I do notice problems in games, or is there a way to fix it?
P.S. I used to see this message when I was using the DSL-AX82U as the main device and setting up WAN via auto and MER opt 61.
So UPnP has not been working since release?
 
Have you asked the ISP if they can bridge their router? Just because you don't see a setting for it, doesn't mean it can't be done by them.

What is the WAN on the Sky device? If ethernet, you may be able to just plug it in as a client behind your Asus (plug it into the LAN) and have it just serve VOIP only. You might have to forward some ports for that to work. Probably better off asking stuff like that in a Sky forum somewhere.

You can disable the firewall in their device; that would happen if you put it in bridge mode anyway. Whether it will make a big difference in latency, the only way to know is to try.
 
Most likely. Not in double NAT at least.

This won't be easy because different games require different ports. Gamers around will give you advice on what can be done.

Gamers will just tell him to put his console in DMZ on the Asus since gaming is far more important than security. Double DMZ, it's the new double NAT :D
 
This may actually work because game consoles are firewalled. I remember my Xbox plugged directly into my ISP modem getting an external IP straight. My ISP provides 2x public IPs for connected devices in bridge mode. What are hackers going to hack so much on my Xbox? Steal my game scores?
 

Turn on the camera and blackmail you :D . Yeah the risk is definitely lower than a PC but in the distant past I know it was an attack surface (stealing your Xbox live login or other info etc), didn't know they had added a firewall, in that case it may be a viable solution, as long as you're cautious to give the game box a manual DHCP reservation so you don't inadvertently end up putting another device into DMZ if it gets that IP. Not a bad idea to keep the camera covered when not in use either - I do that regardless of how much security I have (well on my PCs and video conf system, I don't have any game consoles).
 
What are hackers going to hack so much on my Xbox? Steal my game scores?

No, but they might be interested in getting into your Xbox as a stepping stone to hacking the rest of your network. You could figure on that being okay if the Xbox is part of your DMZ and lacks any access to machines with more-sensitive data ... but it's something you ought to worry about. The idea that gaming consoles are more secure than other gear does not merit a response.

(Actually, an even more likely problem is for somebody to hack your exposed Xbox and co-opt it as part of a DDoS or spam network. Which doesn't directly hurt you ... until your ISP notices the traffic and cuts you off.)
 

Guess it depends how good the firewall on the Xbox is. The Asus certainly isn't foolproof either and has been used for exactly the same sort of things you describe in the past.

@TrebleTA what about putting your game consoles off the ISP router so that their UPnP will function properly, and everything else behind the Asus? You could still put the Asus in DMZ but at that point it's probably not necessary.
 
I've noticed it doesn't work with private WAN IP anymore. It used to work on older firmware.

Actually, I think I have a more elegant solution. @TrebleTA - first try changing the LAN on the ISP router (and the WAN on the Asus) to use CGNAT space. 100.64.0.0/24 (or 1.0/24 or whatever). See if that works. That should allow miniUPnPd to work. Still have your Asus as DMZ on the ISP router and that should solve the issue and let you keep everything behind the Asus. In reality, you can use any public range, since it is on a private segment, but you don't want to use one that may contain something you need to reach on the internet, as it would stop the traffic from getting there.

240.0.0.0/4 was formerly "future use" but there is a draft suggesting to convert it to actual use so probably not a good range to use, as it may become live on the internet at some point.

There are several other reserved ranges out there that are not "private" but not sure what the daemon will detect as public vs private, so rather than trying a bunch, first try CGNAT as that is the "proper" solution.

I guess your ISP router may reject using public IP on the LAN, but not sure why it would really care.
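A small consistency check for the layout discussed in this thread, added here as an example (it is not code from the thread or from the router firmware). It flags a WAN IP or gateway outside the ISP LAN, an inner LAN that overlaps the ISP LAN, a DMZ host that is not the inner router, and whether the link address is RFC 1918 space (where miniupnpd shut down above) or CGNAT space (where it ran). The range table is a model for the check, not miniupnpd's own logic, and the CGNAT link addresses 100.64.0.20 and 100.64.0.40 are constructed values.

```python
import ipaddress

# Address ranges that are not routable on the public Internet. RFC 1918 space is
# what the thread saw miniupnpd shut down on; RFC 6598 shared address space
# (CGNAT) is what it accepted. This table is a model, not miniupnpd's own code.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
OTHER_RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4")]


def classify(addr):
    """Return 'rfc1918', 'cgnat', 'reserved' or 'public' for an IPv4 address string."""
    a = ipaddress.ip_address(addr)
    if any(a in n for n in RFC1918):
        return "rfc1918"
    if a in CGNAT:
        return "cgnat"
    if any(a in n for n in OTHER_RESERVED):
        return "reserved"
    return "public"


def check_double_nat(isp_lan, asus_wan_ip, asus_gateway, asus_lan, dmz_host):
    """Sanity-check the link between the ISP router and the inner router; [] means consistent."""
    findings = []
    link = ipaddress.ip_network(isp_lan, strict=False)   # ISP router LAN, e.g. 192.168.100.0/24
    wan = ipaddress.ip_address(asus_wan_ip)               # inner router WAN address on that LAN
    gw = ipaddress.ip_address(asus_gateway)               # ISP router LAN address
    lan = ipaddress.ip_network(asus_lan, strict=False)    # inner router LAN, e.g. 192.168.140.0/24
    if wan not in link:
        findings.append(f"WAN IP {wan} is outside the ISP LAN {link}")
    if gw not in link:
        findings.append(f"gateway {gw} is outside the ISP LAN {link}")
    if lan.overlaps(link):
        findings.append(f"inner LAN {lan} overlaps the ISP LAN {link}; routing between them breaks")
    if ipaddress.ip_address(dmz_host) != wan:
        findings.append(f"ISP DMZ host {dmz_host} is not the inner router's WAN IP {wan}")
    kind = classify(asus_wan_ip)
    if kind == "rfc1918":
        findings.append("WAN IP is RFC 1918 space; the thread saw miniupnpd shut down on such an address")
    elif kind == "public":
        findings.append("WAN IP is public space; Internet hosts in that range become unreachable")
    return findings
```

Run it against the thread's original layout (192.168.100.0/24 link) and the CGNAT variant to see the RFC 1918 finding disappear.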
 
Thanks all for the replies. DMZ: I have 3 Xboxes and 1 PlayStation, I cannot do it to all of them, and in the past my PlayStation 4 has been hacked; they got my PlayStation info and were getting games and such. PlayStation did not know what to say when I contacted them, as they could see them charging me, yet not to a system.

CGNAT space, will give that a try later today.

Ports on consoles are all more or less the same; ports on PCs are very random.
 
Just an update: the CGNAT space address has worked. In the logs under ports I see UPnP there, and also no MiniUPnPd shutdown message.

On the ISP device I disabled the IPv6 firewall; there was no option for IPv4. But I do have the Asus in DMZ and also made an inbound allow-all IPv4 firewall rule on the ISP device for the Asus.

Thanks for the help all.
 
Good to know - this will serve as a good solution for others going forward.

Pretty sure if you've put the Asus in DMZ you probably don't need an inbound firewall rule, but shouldn't hurt anything either. I guess it might let some common known stuff through that would have been blocked otherwise but really depends on how the firewall in that router is configured. If it is an ISP router, it probably isn't much of a firewall regardless, and the one on the Asus is plenty.
 
Something I've noticed is, say I set port forwarding up for X IP and port, yet UPnP still opens that port, so the log shows?
 

I don't see how the UPnP daemon would know what you've set up in port forwarding, so that is probably to be expected. If you're going to have UPnP enabled, just let it do its thing; at least that way when you aren't gaming, those entries can get removed.
 