Skynet skynet - bridge mode/Disable CG-NAT message

walter carboni

Occasional Visitor
Hi to everyone, I installed an RT-AX88U in my new remote office, and I managed to create an OpenVPN connection between this site and the primary one, which is running another RT-AX88U, without any issue! At the primary site I have an FTTH connection and Skynet is working perfectly. In the new office, unfortunately, I can only get a VDSL connection, which is fine in terms of performance, but there I am forced to use the Asus RT in a cascade config with the modem provided by the ISP, which gives me the warning about "bridge mode/CG-NAT".

In the web UI for the second RT-AX88U I can only see banned IPs, no inbound or outbound blocks. I suppose this is caused by the private WAN IP I get:

[Attached screenshot: 1604762126748.png]

Is Skynet working efficiently or not with this network layout? Is there something I could change in its configuration to make it work better?
I cannot configure the ISP modem in bridge mode; I would have to replace it with a different device which supports this feature. Is there any suggestion to be more protected on this remote office site?
Thanks for all the great work you're doing with Skynet!
Cheers!
 
Any inbound attacks would be blocked by the firewall on the ISP router and will never reach the Asus.
 
Thanks for the reply. The ISP modem, which is also a router btw, must be configured without a firewall; at least this is the best practice suggested.
So I am in some way vulnerable, am I wrong?
 
I don't know the details of your VDSL modem/router. When you said your Asus was "cascaded" behind it I assumed you were talking about a double-NAT setup, e.g. the ISP device creates a LAN of say 192.168.1.x, and your Asus has a LAN of 192.168.2.x. Maybe I'm misunderstanding your setup.

I can't think of a scenario where it would ever be "best practice" to turn off a firewall.
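
An added example, not part of the thread and not Skynet's own check: a POSIX shell function that classifies the address a router reports on its WAN port, which is what separates the double-NAT layout described above from CG-NAT or a directly routed public address. The function name and the sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the IPv4 address a router reports on its WAN port.
# Function name and sample addresses are constructed for illustration.

classify_wan_ip() {
    ip=$1
    # Accept only digits and dots, with no empty fields.
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) echo invalid; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip            # split into octets (safe: only digits and dots remain)
    IFS=$old_ifs
    if [ $# -ne 4 ]; then echo invalid; return 1; fi
    for octet in "$@"; do
        if [ ${#octet} -gt 3 ] || [ "$octet" -gt 255 ]; then
            echo invalid; return 1
        fi
    done
    a=$1; b=$2
    if [ "$a" -eq 10 ]; then
        echo rfc1918
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then
        echo rfc1918
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then
        echo rfc1918
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat        # RFC 6598 shared address space
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then
        echo link-local   # no usable lease from upstream
    else
        echo public
    fi
}

# Constructed samples: a LAN address handed out by an upstream router, a
# CG-NAT address, and a documentation address standing in for a public one.
for sample in 192.168.1.2 100.72.10.5 203.0.113.7; do
    printf '%s -> %s\n' "$sample" "$(classify_wan_ip "$sample")"
done
```

A result of `rfc1918` on the WAN side means the router sits behind another NAT device, so inbound traffic reaches it only if the upstream device forwards it; `cgnat` means the ISP itself is translating the address.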
 
Yes, this is exactly my scenario: I enabled DMZ on the ISP modem/router and it runs a different private network from the Asus, which is connected to it via the WAN port.
 
I see. It might just be a difference in terminology or the way options are being presented in your ISP router.

But generally speaking, enabling DMZ for a specific device (the Asus in your case) will bypass the ISP router's firewall for that device only. You would still want the firewall on the ISP router to be enabled so that it is protecting the ISP router itself from attacks as well as any other LAN devices connected directly to it.

Getting back to your original question: as your Asus is in the DMZ, I would still expect Skynet or AiProtection to be intercepting the usual hacking attempts. Maybe you can test this by trying to remotely access something on the Asus that would normally be flagged by Skynet.
 
Thanks for your suggestions and time, I will try to test Skynet functions to get more info about its behaviour!
 
