New RT-AC86U starting from scratch

[loady]

Leave your ISP router as is, put your RT-AC86U in DMZ on the ISP router, connect all your devices to RT-AC86U.
https://www.snbforums.com/threads/new-rt-ac86u-starting-from-scratch.60088/#post-525927

Ok. How about this, take the Asus downstairs and connect it's wan directly to Lan port on ISP router, thus circumventing the power line, then attach a GB switch upstairs via the power line plugged in to Asus, this will give me Lan ports upstair ?

 

[Val D.]

Ok. How about this, take the Asus downstairs and connect it's wan directly to Lan port on ISP router, thus circumventing the power line, then attach a GB switch upstairs via the power line plugged in to Asus, this will give me Lan ports upstair ?

In theory it should work, in practice it all depends on the quality of your power line adapters, house wiring and levels of noise in power circuit. Your maximum throughput on all switch ports will be limited to the maximum achievable throughput of the power line adapter.

 

[loady]

In theory it should work, in practice it all depends on the quality of your power line adapters, house wiring and levels of noise in power circuit. Your maximum throughput on all switch ports will be limited to the maximum achievable throughput of the power line adapter.

From what I have experienced thus far, I have had top speeds and not experienced any drop outs.

So can I just 'move" the Asus as it is without having to change anything ?..I'm not sure what you mean by 'put it into DMZ' are there other tweaks I have to do. Will I be able to keep the Asus in a different subnet so that it matches that of my media server ?

 

[Val D.]

Move the ASUS, don’t change anything on it, go to your ISP router settings, assign ASUS a static IP, put this IP in DMZ on the ISP router.

 

[loady]

Got it, is this safe ?, I read the 'oh you shouldn't do that' and 'DMZ is safe' arguments

 

[htismaqe]

It's neither and it's both.

A server or system in a DMZ is more exposed to the Internet than a server or system on your LAN, behind a "drop all" firewall/NAT. However, in the DMZ, it's still protected by the firewall in terms of inspecting traffic and blocking requests for stuff that you don't want exposed to the internet.

At least for me, Internet side is untrusted, LAN side is trusted, and DMZ's, guest networks, and the like are semi-trusted. Meaning they exist in a middle ground, hence being called a "demilitarized zone". I treat a DMZ server/host as both trusted AND untrusted. It's less safe than being totally locked down but more safe than being totally exposed to the internet.

 

[CaptainSTX]

In a double NAT setup most everything works just fine without resorting to putting the second router in the first router's DMZ or even setting up port forwards. The one common exception is running a VPN server on the second router. Merlin has made it possible to do it when running his firmware on the second router by just enabling a single port forward on the Internet facing router. Safer to forward just one port than potentially every port.

 

[Val D.]

Got it, is this safe ?

It's as safe as your ASUS being the first router facing Internet. It was designed to work this way and not behind another router in double NAT. As indicated above, it will work both ways with some exceptions. If you want, leave the ISP router as it is, continue using your setup as before. If you encounter any issues, then use DMZ or port forwarding on the ISP router, whatever is best for your needs.

 

[PolarBear]

In a double NAT setup most everything works just fine without resorting to putting the second router in the first router's DMZ or even setting up port forwards. The one common exception is running a VPN server on the second router. Merlin has made it possible to do it when running his firmware on the second router by just enabling a single port forward on the Internet facing router. Safer to forward just one port than potentially every port.

I think OP has already got OpenVPN working from a remote location, by setting the ISP router to give a fixed IP address to his RT-AC86U which is running OpenVPN server, and forwarding port 1194 on the ISP router.

So no need for any configuration changes or DMZ - just bring the RT-AC86U router downstairs right next to the ISP router, and plug the Asus's WAN port into one of the ISP router's LAN ports.

OP, if you need several connections upstairs, you could use your old RT-N66U (I think you still have it?) as an Access Point upstairs, with its WAN port connected to the RT-AC86U downstairs over the powerline connection. Your clients upstairs can connect to the RT-N66U both by radio and with ethernet cables. If this works fast enough for you, there's no need to buy a switch.

 

[loady]

I

I think OP has already got OpenVPN working from a remote location, by setting the ISP router to give a fixed IP address to his RT-AC86U which is running OpenVPN server, and forwarding port 1194 on the ISP router.

So no need for any configuration changes or DMZ - just bring the RT-AC86U router downstairs right next to the ISP router, and plug the Asus's WAN port into one of the ISP router's LAN ports.

OP, if you need several connections upstairs, you could use your old RT-N66U (I think you still have it?) as an Access Point upstairs, with its WAN port connected to the RT-AC86U downstairs over the powerline connection. Your clients upstairs can connect to the RT-N66U both by radio and with ethernet cables. If this works fast enough for you, there's no need to buy a switch.

I didn't buy a switch, I have a spare one, the switch will be cheaper to run than having another router burning upstairs, currently I have the Asus set to DMZ on the ISP router as that's what I thought was previously suggested, my Plex server connected to switch upstairs isn't being forwarded any more by the ISP router so I can't access my Plex server remotely

 

[PolarBear]

In a double NAT setup most everything works just fine without resorting to putting the second router in the first router's DMZ or even setting up port forwards. The one common exception is running a VPN server on the second router. Merlin has made it possible to do it when running his firmware on the second router by just enabling a single port forward on the Internet facing router. Safer to forward just one port than potentially every port.

As the Captain says, it's safer to connect the WAN port of your Asus router to a normal LAN port (not DMZ) of the ISP router. Access from outside via OpenVPN will still work because you previously set up port forwarding and tested that it worked.

You mention that the ISP router is no longer forwarding your Plex. I don't have experience of Plex, but perhaps this is because the Asus router is in the DMZ ? Moving the Asus to a normal LAN port might help.