What's new

To Bridge or not to Bridge

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

choochoo44

New Around Here
Hi, first time poster here responsible for a 22,000 sq ft church property (as a volunteer)... I'm trying to figure out if I should setup our two routers with one in Bridge mode or just take out one of the routers.

My Setup: The main Spectrum modem/router (model SMC8014W-G) LAN is 10.0.0.x but all but one device hangs off a 2nd router (model CISCO RV260) configured as 192.168.1.x. Both do DHCP. I'm adding a mesh network with Netgear WAX615 and WAX620 access points. Because of the location of the 10.0.0.x router, it will be much easier to tie one of the APs to the Spectrum SMC router. But then my mesh network won't work as all the APs won't be on the same LAN.

Question: What's the best way to reconfigure the network? Should I setup the Spectrum router in bridge mode and allow the Cisco router to handle all the DHCP? Or should I remove the Cisco router and replace it with a switch (and set the SMC router LAN to 192.168.1.x instead of 10.0.0.x). I have to add a POE+ switch anyway, so a switch is available.

Factors that might influence this decision
1. In the current setup with two routers, there is network isolation, so traffic across the entire network is reduced. If instead I use bridge mode or take out a router does that increase the traffic throughout the network?

2. I believe, perhaps incorrectly, that my current setup provides an additional layer of security as the modem LAN is 10.0.0.x but the majority of my devices are in the 192.168.1.x LAN. But maybe there are just better ways to secure the Spectrum modem/router from outside penetration...

3. The two routers are separated by about 75 feet. The longest run of cable connected to any of the routers is about 150 ft. We have three floors and when the ethernet cable enters each floor it plugs into an gigabit switch that then distributes the network throughout that floor.

Thank you from a networking newbie!
 
Bridge the modem.
Use the Cisco for DHCP.
Add a switch to the Cisco for more ports.
If you want to keep things tidy use vlans to segregate the WiFi/church traffic.
The wax APs should support vlans as well.

This all of curse depends on if you plan on hosting WiFi to the parishioners. If Not You don't need the vlans.
 
Thanks for the confirmation as Bridging was my first inclination. I will add a VLAN for the guest wifi for parishioners and use the main wifi VLAN for staff.
 
Yeah, bridges are the old way.

I'd leave the default of vl1 and then make vl100/vl200 and bundle internal traffic to 100,1 and open traffic to 200,1. 1 is the default for most devices and untagged traffic.

All the equipment will communicate on vl1 and then everything else to their assigned vl. Then you just have to configure the switches and router for them and assign firewall rules as needed.
 
I would run the ISP device in modem/router mode and Cisco behind it in double NAT. This way the main network is behind two firewalls*, the ISP can access the modem/router and push firmware updates and in case of service disruptions the ISP has no grounds to blame customer's own equipment. All internal devices connected to the Cisco router, VLANs optional depending on the needs. There will be no performance penalty with this setup.

* - Cisco RV260 is EoL router and won't receive security updates. I would run it behind another firewall for added security.
 
@Tech9 - I am glad I read this; I better understand what you were referring to in my other thread regarding the RV340. So rather than installing a firewall between the ISP Modem (currently bridged) and my RV340 (EOL), you might consider running the ISP modem as a router (I would still not use the wireless capabilities due to the way the rest of my network is set up) and then keeping the balance of my configuration the same as today.

In essence, the added layer of security I am looking for could come from my ISP modem in router mode?
 
In essence, the added layer of security I am looking for could come from my ISP modem in router mode?

Cisco RV series are subject of interest. They had multiple security holes and backdoors through the years. My advice to both of you @jasonreg and @choochoo44 - take them off Internet, hide them behind ISP router NAT, don't use DMZ on the ISP router, disable UPnP on both routers, turn off dual-stack. If opening of ports is needed - use non-standard ports, if possible. Most attacks come from inside the network, less secure client. Use spam/phishing/malware filtering DNS service, use blocking categories, educate your network users, keep your devices and browsers updated. And you can continue using RV routers with no issues. Upgrade to something better when the budget and knowledge allows.
 
thanks Tech9. Very helpful. I will turn off as much as possible within my RV260 router and then replace it as soon as budget allows.
 
The ISP router may cause problems if does not support many states or have small timeouts for tcp and udp connections.
I vote for the bridge setup, with vlans.
 
RV340 is 8 years old router model. I'm pretty sure the ISP provided gateway has more processing power. It may have better firewall as well running simple locked down firmware. It's less likely to be an attack target - there are millions around. With RV behind also in gateway mode with firewall enabled the network will have better protection. From this point on it depends what the user is doing. This router doesn't have DNS requests interception, IP blocking, DNS blocking, can't do DNS encryption, can't do true IDS/IPS - just a basic router. I was using 3x RV345P for simplicity only.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top