Help Understanding NAT Forwarding From ISP Router To Asus Ax92U

stalq

Occasional Visitor
Hey,

I have a static IP from my ISP assigned to my connection, meaning they changed my IP from public to static from the backend. This was done when I complained I could not play games as my ports were blocked (they had a new policy of blocking ports and changing the router admin password - money suckers). PS5 and Xbox showed NAT Type 3, and some PC games even refused to connect. Now all of this is working after the static IP, but still not as good as it used to.

Anyways, when I connect via my ISP router I get NAT Type 2 or 1, which is perfect, but since the ISP-provided modem is crap when it comes to wifi, I ideally want to connect wifi via the AX92U. The problem is the AX92U shows NAT Type 3. It's connected via a LAN port of my ISP router into the WAN port, set up to get an automatic IP. I have also tried, for the AX92U: forwarding ports from 1:65000, switching NAT to full-cone, virtual servers, manually adding the specific games via the GUI, and adding its IP in the DMZ of my ISP router (I got my ISP password by installing a keylogger when they logged in remotely via my PC lol). Nothing works, so clearly I am missing something, or this is not how it works.

Please note my networking knowledge is novice.

I also tried to put my ISP router in bridge mode so the AX92U will do the PPPoE authentication and connection, but it never connects. The logs show authentication failed using PAP or CHAP, but the password and username are correct. I got the password by telnetting into the router and accessing the ppp.cfg file. I tested it on the ISP router and it connects, so both username and password are correct. I assume my ISP won't allow it, as they were not willing to share the password!

One more thing: I have installed the Merlin firmware on the AX92U.
 

ColinTaylor

Part of the Furniture
Change the AX92U from router mode to AP mode.
 

stalq

Occasional Visitor
Never thought of that, I will try to make that change once I get home! Also forgot to mention, I am getting 155-192Mb speed on the 5GHz-2 160MHz channel on my 2 Wi-Fi 6 capable devices, which is odd. Only if I place my device like 1 inch away from the router do I get 1.2Gbps speed! Could it be something wrong with the antenna? However, shouldn't I be getting around 2Gbps?
 

stalq

Occasional Visitor
Alright, so switching to AP mode works, but now I don't have options I use daily like VPN, Wtfast, and QoS! Any workaround for this? Secondly, any idea why this router throws an authentication error when used as a router in bridged mode?
 

drinkingbird

Very Senior Member
My guess is your ISP is using CGNAT range ("semi-private") for dynamic IPs. They aren't blocking ports but they are doing their own huge hide NAT which won't hear your UPnP queries. When you change to static, they are giving you a "real" public IP and you're bypassing their big hide NAT. Their router can now hear and honor the UPnP queries from your game consoles, until you put the Asus in the path, which essentially re-creates the same issue.

Yeah, you will lose all of the functionality you mentioned (and more) in AP mode. Even if you disable NAT on the Asus, a lot of it won't work anymore.

If there is one particular device that is having issues you could try using DMZ mode on the Asus for that device, but I think that will still stop UPnP from hitting their router, which I'm assuming is the issue here.

Sounds like your game consoles aren't liking the double NAT. I'm guessing they rely on UPnP and the Asus is receiving and honoring that, but it isn't being forwarded to your ISP router. When you remove the Asus, now your ISP router hears those queries and opens the ports. You can try toying with features like UPnP and port forwarding (on both your router and the ISP router) to see if you can make them happy. Essentially you'd need to manually open the necessary ports on both their router and yours, then UPnP isn't needed (UPnP won't go through two routers).

Does your ISP have the option to put their router into bridge mode (or remove it completely) so you can use your own and the static would be configured right on the Asus? Or alternatively, if you can place their router into a 1:1 NAT scenario like DMZ and have your router's WAN IP as the internal IP for the DMZ, that should theoretically work.

As far as the authentication error/bridge mode, I need more info on what you're talking about for that.

Edit - sorry, didn't read your original post, I see you tried bridge mode.

For the PPPoE errors, you're making it past the initial phase. Failing at PAP/CHAP implies a username/password issue, but they could be restricting on MAC address or they may require some of the additional settings like service name, concentrator name, etc. See if that .cfg file has anything like that in there. Maybe they have some non-standard PPPoE setup too. If you can't get that working, see if their router supports DMZ mode and put your Asus WAN IP as the internal IP. In theory that should fix your issue and also allows you to do port forwarding on the Asus in the future if needed.
 

drinkingbird

Very Senior Member
Try running 80MHz. 160 will always have to use some of the DFS space and it may be noisy in your area. It also only has 2 ranges to choose from. If you use 80MHz, your router has 5 channel ranges to choose from and can avoid DFS (and especially the weather radar range) completely. You may very well get much better throughput on 80MHz than you do on 160 by avoiding interference and congestion.

AX (and some later AC) does support an 80+80 mode which can be better since it avoids the weather radar and potentially congested ranges (in one mode can avoid DFS completely), but all devices and the router must support it, not sure if Asus does. And even then, it may still be worse than 80 if you have others nearby using 160 or 80+80.

The ideal setup for 160 would probably be 80+80 mode using channels 36-48 and 149-161 but again that assumes one or both of those ranges aren't already congested near you. Next best is standard 160 mode using 36-64 as it avoids the weather radar.

Also your link rate will never be the throughput you actually get on wireless. If you have a 2.4G link rate expect around 1.2G max (in very good conditions). Rule of thumb is about 50% of link rate, a bit higher if conditions are ideal.
 

stalq

Occasional Visitor
I asked my ISP and they confirmed I am not behind a CGNAT, although they did mention they are doing some filtering so if there are some ports I am having issues with even after setting NAT then I need to tell them those ports. I can connect to services using my ISP modem just fine, I get NAT Type Open or 2 in worst cases, it's just the Asus router that is having NAT issues.

I have 5 devices that need NAT/Port forwarding so DMZ is not an option for me, although I set the Ax92u's LAN IP in DMZ on my ISP router, didn't make a difference!

I tried fiddling with the UPnP settings on both routers but still no difference. I think something like an IP Passthrough is what I need, or I could be wrong. It feels like everything is rejected if it's coming from a different subnet or IP pool than the ISP's!

So funny enough, I contacted my ISP again today and he tried to do everything I have already tried, plus tried to do what you mentioned, "Putting WAN IP in DMZ". I already had that set up, but the guy told me it's unexpected behavior and this usually solves the issue, but nothing worked. For PPPoE they told me they have to allow me from the backend to use another device, so I guess you are right about the MAC address thing. He was a nice guy and told me under these circumstances the sales dep might allow me to forward PPPoE to my Asus router. I was happy, but then during the call my AX92U router went off and won't turn on! There is a single LED on for 2.4GHz and nothing else, no wifi or response on LAN! Lol, so I guess now I need a new router as well!
 

stalq

Occasional Visitor
Changed to 80MHz and it was far more stable than 160, although my speeds are violently jumping from 76Mbps to 800Mbps. No idea if it's expected behavior, I am sitting 10ft away from the router with clear line of sight!

I think the AX92U does not support 80+80 as I can't see this option! Or do you mean I manually change the frequencies for both 5GHz and 5GHz-2?

Anyways, my router went toast last night, I'll create another post to see if anyone else had a similar issue and solved it!

But thanks a lot @drinkingbird for helping me out!
 

drinkingbird

Very Senior Member
Unless there is severe interference in your area, it should not be fluctuating like that, especially on an 80MHz channel, and double especially if it wasn't selecting a DFS channel.

Sounds like maybe your router was a dud, the speed/throughput issues you were seeing may have just been a precursor to the total death. Hopefully the replacement is better.
 

drinkingbird

Very Senior Member
If it works fine when connected to your ISP router directly, then it shouldn't be anything to do with port filtering on their end.

UPnP will only traverse a single router. My guess is when you're connected to the ISP router, it hears those requests and maps the ports. But when you insert the Asus, the Asus now maps the ports but the ISP router does not.

So the ISP router does support DMZ? If so then that should work for you. On the ISP router is where you would want to put the IP of the Asus WAN in as the internal IP for DMZ. No DMZ needs to be enabled on the Asus, that will just operate as normal. The Asus will receive the UPnP requests and open the necessary ports, then the ISP router will just have a 1:1 mapping, essentially having all ports open. You may need to disable any firewall on the ISP router, but typically using DMZ does that for you.

But if they're willing to let you connect your router directly, that's the better solution anyway. At that point, you probably should not need a static IP anymore (as long as they aren't using CGNAT for dynamic IP customers). Not sure if they're charging you for that or not.
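
Added example, not part of any post in this thread: a small Python check for the layout discussed above. It classifies each router's WAN address (RFC 1918 private, RFC 6598 CGNAT, or public), counts NAT layers, and lists which upstream routers need a DMZ or manual forward because client UPnP stops at the first router. The router names and addresses are constructed sample values.

```python
import ipaddress

# RFC 6598 shared address space, used by carriers for CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(addr):
    """Return 'cgnat', 'private' or 'public' for a router's WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def diagnose(routers):
    """routers: list of (name, wan_ip), ordered from the client outward."""
    actions = []
    # UPnP requests from a LAN client reach only the first router. Each router
    # beyond it needs a DMZ entry or manual forwards aimed at the WAN IP of
    # the router directly below it.
    for (_, inner_wan), (outer_name, _) in zip(routers, routers[1:]):
        actions.append(f"{outer_name}: DMZ or forward ports to {inner_wan}")
    # A non-public WAN on the outermost router means another NAT sits
    # upstream (carrier CGNAT or an unlisted router) that you cannot configure.
    edge = classify_wan(routers[-1][1])
    upstream_nat = edge != "public"
    return {
        "nat_layers": len(routers) + int(upstream_nat),
        "edge": edge,
        "upstream_nat": upstream_nat,
        "actions": actions,
    }


# Constructed sample: Asus WAN sits on the ISP router's LAN; the ISP router
# holds a public address (TEST-NET-3 documentation range used here).
SAMPLE = [("asus", "192.168.1.50"), ("isp-router", "203.0.113.10")]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```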
 
