Help with double NAT..

[Matthew Patrick]

Hey guys. So my ISP decided to force replace all customers modem. Into a modem/router ... Well that means I have a double NAT problem... And after checking the ISP modem/router , it doesn't have the bridge mode etc. But it does support DMZ .... So after researching.. I need to DMZ my router so it can access all ports. Do you guys have any more suggestions for this kinda setup?? Thanks [emoji3][emoji5].. oh also. Do I need to disable QOS on the ISP modem/router?? Since the only device that'll connect to this ISP modem/router is infact my router... Thanks [emoji5]

 

[CaptainSTX]

You should not need to put your second router in the DMZ. Instead if you need to forward a specif port then forward it on the first router to the IP of the second router and then on the second router forward the same port to the device that needs it. I would first test your setup and see if any services don't function then see about port forwarding.

I run a double NAT setup with 70+ devices connected to both networks and don't use any DMZ or port forwarding.

I would not run any services on the ISP provided router that you don't need. You however could consider running your guest network and connections for IoT devices on the first router because they will be in a different subnet which will protect your devices connected to your second router from any IoT devices with wonky security as well as curious guests.

 

[Matthew Patrick]

You should not need to put your second router in the DMZ. Instead if you need to forward a specif port then forward it on the first router to the IP of the second router and then on the second router forward the same port to the device that needs it. I would first test your setup and see if any services don't function then see about port forwarding.

I run a double NAT setup with 70+ devices connected to both networks and don't use any DMZ or port forwarding.

I would not run any services on the ISP provided router that you don't need. You however could consider running your guest network and connections for IoT devices on the first router because they will be in a different subnet which will protect your devices connected to your second router from any IoT devices with wonky security as well as curious guests.

Okay. So are there anything else I should change on my ISP modem/router? Since I know use double NAT configuration? Thanks btw [emoji3]

 

[CaptainSTX]

Okay. So are there anything else I should change on my ISP modem/router? Since I know use double NAT configuration? Thanks btw [emoji3]

1. Using your ISP modem assign a static IP to your second router, i.e. if your ISP modem is using LAN DHCP 192.168.1.1 you could assign the static IP for the second router as 192.18.1.2. On your second router set to get its IP from DHCP.

2. For your second router assign a different LAN IP and subnet i.e. 192.168.100.0/24 so your LAN IP on this router could be 192.168.100.1. You will be able to connect and administer router 1 when connected and using a device connected to router 2. You will not be able to administer or connect to router 2 or any device on it from any device on router 1. Do not enable permit remote access to either router as it is a major security risk.

3. Connect a cable from any LAN port on router 1 to the WAN port on router 2 and set up your second router as your normally would for any router connected to the WWW.

This is all should need to do. People will moan and groan and tell you double NAT is terrible and will screw everything up and slow your connection down. It probably will add a few ms to your latency as the electrons have to travel through another device and another cable, but unless you are trying to front run the stock market it won't be a problem. The only thing I haven't been able to accomplish in a double NAT using ASUS hardware and Merlin's firmware is run a VPN server on the second router. VPN clients run equally well on either router in my setup.

 

[Matthew Patrick]

1. Using your ISP modem assign a static IP to your second router, i.e. if your ISP modem is using LAN DHCP 192.168.1.1 you could assign the static IP for the second router as 192.18.1.2. On your second router set to get its IP from DHCP.

2. For your second router assign a different LAN IP and subnet i.e. 192.168.100.0/24 so your LAN IP on this router could be 192.168.100.1. You will be able to connect and administer router 1 when connected and using a device connected to router 2. You will not be able to administer or connect to router 2 or any device on it from any device on router 1. Do not enable permit remote access to either router as it is a major security risk.

3. Connect a cable from any LAN port on router 1 to the WAN port on router 2 and set up your second router as your normally would for any router connected to the WWW.

This is all should need to do. People will moan and groan and tell you double NAT is terrible and will screw everything up and slow your connection down. It probably will add a few ms to your latency as the electrons have to travel through another device and another cable, but unless you are trying to front run the stock market it won't be a problem. The only thing I haven't been able to accomplish in a double NAT using ASUS hardware and Merlin's firmware is run a VPN server on the second router. VPN clients run equally well on either router in my setup.

Hmm okay. Since Asus routers are using 192.168.1.1 instead of 192.168.0.1 (What my ISP Router/Modem use) ... That should mean I can just ignore your first and second step right? Also.. do you think I should disable the firewall on the ISP router/modem? And let Asus router handle it? PS: I WILL NOT USE ANY DEVICES DIRECTLY CONNECTED TO THE ISP ROUTER (BOTH ETHERNET WISE AND WIRELESS WISE) ..thanks [emoji3][emoji5]

 

[CaptainSTX]

Hmm okay. Since Asus routers are using 192.168.1.1 instead of 192.168.0.1 (What my ISP Router/Modem use) ... That should mean I can just ignore your first and second step right? Also.. do you think I should disable the firewall on the ISP router/modem? And let Asus router handle it? PS: I WILL NOT USE ANY DEVICES DIRECTLY CONNECTED TO THE ISP ROUTER (BOTH ETHERNET WISE AND WIRELESS WISE) ..thanks [emoji3][emoji5]

No harm in leaving the firewall on both routers and perhaps a little more protection. If I were you I would put my guest networks on router 1. More security and if necessary you may be able to place greater controls on it. Nothing like setting network type to B to really limit how much bandwidth someone on that connection can use.

 

[Matthew Patrick]

No harm in leaving the firewall on both routers and perhaps a little more protection. If I were you I would put my guest networks on router 1. More security and if necessary you may be able to place greater controls on it. Nothing like setting network type to B to really limit how much bandwidth someone on that connection can use.

1. Will the additional firewall on the ISP modem slow things down like ping etc?

And eh I don't need guest network tbh [emoji3]

 

[CaptainSTX]

1. Will the additional firewall on the ISP modem slow things down like ping etc?

And eh I don't need guest network tbh [emoji3]

You can do what you want but without a firewall your first router is more vulnerable to attack. If it is crashed and trashed then your path to the internet is down or could be severely impacted.

 

[hyelton]

You can do what you want but without a firewall your first router is more vulnerable to attack. If it is crashed and trashed then your path to the internet is down or could be severely impacted.

There’s no point to be double firewalled. Unless he’s connecting more than that router to it.


Sent from my iPhone using Tapatalk

 

[Matthew Patrick]

You can do what you want but without a firewall your first router is more vulnerable to attack. If it is crashed and trashed then your path to the internet is down or could be severely impacted.

Hmm

There’s no point to be double firewalled. Unless he’s connecting more than that router to it.


Sent from my iPhone using Tapatalk

Okay. I just wanna know. If by enabling my isp router firewall gonna cost me more latency lag. If it doesn't really add much latency. I might keep it on just in case

 

[hyelton]

HmmOkay. I just wanna know. If by enabling my isp router firewall gonna cost me more latency lag. If it doesn't really add much latency. I might keep it on just in case

If will but you may or may not notice it. I personally would have it disabled. Those modem/router combos are pretty crappy


Sent from my iPhone using Tapatalk

 

[Matthew Patrick]

If will but you may or may not notice it. I personally would have it disabled. Those modem/router combos are pretty crappy


Sent from my iPhone using Tapatalk

TRUE. k. I'll disable it. Just gonna let my AC88U handle the firewall [emoji23]