Ping reply

[abax2000]

That's true, but it's common practice for a "bridged" connection to also present the public IP address to the customer's router. This is how cable modems work. A similar principle applies to ADSL/VDSL modems with PPPoE connections.

Does this mean that in this case, pings will be replied by the modem?
(question for educational reasons)

 

[Grisu]

Maybe because you are using TV from ISP and so it needs to be in router mode, otherwise it cant route TV to modem port 4 (or where it is).
As it is in router mode it will give a private IP 192.168.x.x to router WAN port.
Thats a typical double NAT condition, nothing strange but better would be mode in bridge mode if you have a good router behind and wont use TV.
If you dont have ports forwarded to your router for sure the modem answers the pings.

 

[abax2000]

Maybe because you are using TV from ISP and so it needs to be in router mode, otherwise it cant route TV to modem port 4 (or where it is).

Very good point.
Stiil, NAT seems to be configurable by connection; so it should be possible to have NAT=off for data connection.

If you don't have ports forwarded to your router for sure the modem answers the pings.

Nice weekend project...thank you.

 

[ColinTaylor]

Does this mean that in this case, pings will be replied by the modem?
(question for educational reasons)

Yes, that is what I expect to be happening. I looked in the modem's manual but couldn't find any option to turn ICMP replies off. But as previously pointed out that's not really a problem.

 

[abax2000]

The modem (Huawei HG8240T) is not a modem, but a gateway (now I realise).
And yes, menu access is restricted (there is a "user" level, and a "telecomadmin" level). All usual (and much more) settings are there, but invisible to the "user".
It is set to "route" mode (as opposed to "bridge").

As Grisu said, "...a typical double NAT condition, nothing strange but better would be mode in bridge mode...".
But cannot change that myself.
That being so, Asus firewall is of minimal (if any) relevancy. And AiProtection seems that still works fine, for whatever worth.

For the sake of it, tried different combinations, with a laptop connected by wire on the gateway:

All seems reasonably OK.

Just theorising:
as for Grisu's comment "...better would be mode in bridge mode if you have a good router behind...".
Isn't better, at the end of the day, to have double protection (double NAT, double firewalls) ?

Anyhow, many thanks to all, for their inputs and help.

 

[ColinTaylor]

Isn't better, at the end of the day, to have double protection (double NAT, double firewalls) ?

Not really, it just makes it more cumbersome to administer because any changes have to be done on two devices instead of one.

The main reason people don't like double-NAT is because it can create problems for services that work with unsolicited incoming connections. That would be situations like where you are hosting a web site on your LAN, running a game server, or voice over IP.

 

[abax2000]

Received...
I do no happen to have these considerations. Still I am giving it a try, putting the router in gateway's DMZ.
Unfortunately, cannot get [DHCP Static IP] working in gateway, which would be preferable.

Strangely, pings are still replied (I suppose that now the packets reach Asus).
Otherwise, DMZ seems working; if something is left open on Asus, port scanners find it.