Using Asus Router behind Provider Router

[L&LD]

Benefits of putting the ISP modem/router in Bridge mode include, but are not limited to:

• No ability for the ISP (or others) to spy on your network layout/devices.
• Use of a router and firmware you trust, and a password only you know (for both the router and your wireless networks).
• Consistently faster speeds, even if only by a few Mbps.
• Consistently lower latency, even if only by a few ms.
• Potential to fully use your router/network as you see fit. Whether within it or not.
• Ability to put IoT devices on a separate network (the ISP's router, with some of their offerings), and not on your internal network (without needing to buy a second router to do so).
• Double Nat is not a benefit, but it can be a potential headache.

ISP-provided equipment is not any better than almost any router we would want to buy ourselves. They chase the $0.001 savings too, to the customer's detriment (re: performance).

Older electronics were built better. In the 1950s. They also sold at markedly less volume (so the failure rates in units (not percent) looked better). The actual failure rates (%), I suspect are similar, if not less, today.

The past couple of decades has proven to me that wireless routers become stale (vs. currently available products) after a few years. Having something last a decade is commendable, but an RT-N66U has little relevance to the networks most of us are using and depending on today.

Planned obsolescence started during the industrial revolution. We're still good. The products we're able to buy today still offer value for the pace of technology we're experiencing. And for the time frames needed to reach those next performance levels.

Even if I still want an Asus wireless router with upgradeable RAM, a removable, internal SSD, a greater than 4 core processor, and a 12x12:12 antennae/stream configuration (for less than $500 USD).

 

[Tech9]

No much real benefits:

- the ISP eventually sees one client only - the router behind the ISP equipment
- it doesn't matter what firmware it runs - there is another firewall behind the ISP router; most allow user/pass change
- the speeds are exactly the same - the same modem with the same specifications is used in both configurations
- the eventual latency increase is under 1ms, typically in 0.1ms range - non user detectable or measurable
- no issues using the network the way you want - it's still your network on your router behind the ISP equipment
- you can put IoT on the ISP router network or on your router network - no issues and user's choice
- double NAT is not an issue, may need a bit extra very basic knowledge configuration

Other:

- many folks enable IPv6 even when not needed - think twice about your devices' visibility not only to the ISP, but to the Internet
- with modem/router in bridge mode the ISP doesn't have access to the device and can't push new firmware updates
- if the connection is not working, the ISP will fix it for you - their own device on their own network
- if the connection is not working with your own device - it's your own responsibility, the ISP can't run diagnostics anyway
- some Asus routers have compatibility issues with specific ISP equipment causing WAN disconnection issues
- with no DMZ or port forwarding, own devices are behind two firewalls - eventual attacker has to break both
- ISP provided modem/router can be used with Wi-Fi enabled as a backup - in case your own router fails or you need to reconfigure it
- ISP provided modem router can be used for Guest Wi-Fi, VoIP or IoT - completely independent of your own router network
- access to the modem's config page or line stats may be an issue in bridge mode - device specific
- some ISP provided devices simply don't have bridge mode, the connection requires special VLAN settings or provides VoIP
- some ISP provided devices have faster hardware than most high-end home routers

 

[drinkingbird]

No much real benefits:

- the ISP eventually sees one client only - the router behind the ISP equipment
- it doesn't matter what firmware it runs - there is another firewall behind the ISP router; most allow user/pass change
- the speeds are exactly the same - the same modem with the same specifications is used in both configurations
- the eventual latency increase is under 1ms, typically in 0.1ms range - non user detectable or measurable
- no issues using the network the way you want - it's still your network on your router behind the ISP equipment
- you can put IoT on the ISP router network or on your router network - no issues and user's choice
- double NAT is not an issue, may need a bit extra very basic knowledge configuration

Other:

- many folks enable IPv6 even when not needed - think twice about your devices' visibility not only to the ISP, but to the Internet
- with modem/router in bridge mode the ISP doesn't have access to the device and can't push new firmware updates
- if the connection is not working, the ISP will fix it for you - their own device on their own network
- if the connection is not working with your own device - it's your own responsibility, the ISP can't run diagnostics anyway
- some Asus routers have compatibility issues with specific ISP equipment causing WAN disconnection issues
- with no DMZ or port forwarding, own devices are behind two firewalls - eventual attacker has to break both
- ISP provided modem/router can be used with Wi-Fi enabled as a backup - in case your own router fails or you need to reconfigure it
- ISP provided modem router can be used for Guest Wi-Fi, VoIP or IoT - completely independent of your own router network
- access to the modem's config page or line stats may be an issue in bridge mode - device specific
- some ISP provided devices simply don't have bridge mode, the connection requires special VLAN settings or provides VoIP
- some ISP provided devices have faster hardware than most high-end home routers

Agreed for the most part but speeds and latency with double router/NAT will be a *bit* worse. Not enough for most people to notice or care, but good to avoid if possible. The serialization delay and processing, even with CTF and hardware acceleration, adds some latency and every extra bit of latency impacts throughput. But again, not an issue for most.

Many people have FIOS and must use the ISP router for the Guide and On Demand (and some other functions) since they also have TV service. For them, when they want better wireless signal, I will leave the ISP router as the only L3 device and just put the router of choice behind it in AP mode, disabling the WIFI in the ISP's router. The ISP router is more than capable of the throughput they need but typically has lousy wireless, so the two combined give the same result as replacing the ISP router with your own, while retaining the proprietary functions of the ISP router. Little to no additional latency over having it in a single device (in the long run it is the same thing, just an extra few feet of wire, which is nanoseconds).

Not really concerned with the ISP being able to see what devices are on the network. Don't see how that would be a privacy concern unless you've named it "illegal file sharing server" or something. Even then, they aren't looking unless you ask them to for troubleshooting.

Some older VPN clients won't work with double NAT but most modern ones have no issue. Some really old ones didn't work with NAT at all but obviously that's going way back.

Personally, as a network architect and engineer, avoiding unnecessary NAT and routing layers is good practice. However in reality in the home setting, it is extremely unlikely to be an issue and most should not give it a second thought, especially if they aren't doing a lot of port forwarding or hardcore gaming (and even then, not a huge deal).

 

[Tech9]

adds some latency

I have measured it with my own ISP device - the added latency is 0.2ms. It's hard to measure, actually.

However in reality in the home setting, it is extremely unlikely to be an issue

Exactly. Changing ISP or buying own modem for this sole purpose is not worth it. More headaches for nothing.

 

[drinkingbird]

I have measured it with my own ISP device - the added latency is 0.2ms. It's hard to measure, actually.



Exactly. Changing ISP or buying own modem for this sole purpose is not worth it. More headaches for nothing.

If you're just testing using ping the results will be fairly irrelevant for a number of reasons, mainly that ICMP is processed totally differently from TCP and is de-prioritized by just about every network device in the path.

To truly test the performance of the router you'd need to employ a test set like Smartbits with an IMIX pattern or a sniffer capable of tracking latency of each packet. But even that isn't going to show you the real impact on user experience.

The way hardware acceleration (which is employed in these routers and pretty much any decent consumer router these days) works is that the first packet (TCP SYN) will have higher latency, probably in the 1-3msec range. The response (TCP ACK) will be better, but still not full speed, and the completion of the handshake (TCP SYN ACK) will be almost full speed. All the rest of the packets with the same source/destination IP and ports will run full speed, probably around 1/4 msec/250 uSec on wired. Wireless will vary more obviously just due to its nature.

So if you're connecting to a game server and just establish a few connections, and they stay live the whole time, the impact is negligible. The vast majority of your packets will be fully hardware accelerated. However, surfing websites is totally different. Most sites have dozens, some even have hundreds, of TCP connections established for all of the advertisements, tracking cookies, ad tracking, etc. So when you total up 1-3 msec for each, loading a website could be slowed by 1/2 to 1 second approximately. Yeah, I know, that isn't that long, but over time while you're surfing, it can be a noticeable impact vs not having the dual NAT setup.

Again, not disagreeing that it probably isn't worth all this discussion, but also important that people understand that there is some impact, and if it can be avoided, it certainly isn't going to hurt anything, and probably will help things a tiny bit. Some people will notice the difference, others won't. Depends on how sensitive the person's perception is, and what things they're doing online. And if you're ultra-security conscious, maybe the second layer is worth the penalty to you. Though if someone is skilled enough to hack an ISP router, they are probably skilled enough to hack the router behind it too (or be able to access it directly, sneaking through a hole in the ISP router). You're far more likely to be impacted by a virus from a website or a phishing email than you are to have someone hack your router, and no amount of routers in series is going to prevent those threats.

I work in an industry (high speed trading) where people will pay big money to shave nanoseconds off their latency so have done a lot of testing in the area. We've even seen a total 180 in technology, switches decades ago were "cut through" but when Cisco and other vendors started adding features and functionality, they had to move to "store and forward" in order to be able to apply those features to frames as they passed through. Now all the major vendors have re-enabled the option of having cut through switching on their devices, as long as you're willing to sacrifice a lot of the features that you once had. They've actually developed a hybrid model (very similar to hardware acceleration on a router) where the first frame is store and forward and all frames matching the same parameters are then sent cut through. This lets them apply some of the features that people need like VLAN tagging while still maintaining the ultra low latency. If you give up nearly all the features of a managed switch, you can get as low as 1/8 microsecond (125 nanoseconds) through a switch, but there are even Layer3 switches that can do NAT, VLANs, complex routing, etc all in under 250 nanoseconds (for the 2nd and all remaining frames anyway, the first frame is in the 2-5 microsecond range).

Long story short, this was a long story and irrelevant for most

 

[Ranger802004]

Agreed for the most part but speeds and latency with double router/NAT will be a *bit* worse. Not enough for most people to notice or care, but good to avoid if possible. The serialization delay and processing, even with CTF and hardware acceleration, adds some latency and every extra bit of latency impacts throughput. But again, not an issue for most.

Many people have FIOS and must use the ISP router for the Guide and On Demand (and some other functions) since they also have TV service. For them, when they want better wireless signal, I will leave the ISP router as the only L3 device and just put the router of choice behind it in AP mode, disabling the WIFI in the ISP's router. The ISP router is more than capable of the throughput they need but typically has lousy wireless, so the two combined give the same result as replacing the ISP router with your own, while retaining the proprietary functions of the ISP router. Little to no additional latency over having it in a single device (in the long run it is the same thing, just an extra few feet of wire, which is nanoseconds).

Not really concerned with the ISP being able to see what devices are on the network. Don't see how that would be a privacy concern unless you've named it "illegal file sharing server" or something. Even then, they aren't looking unless you ask them to for troubleshooting.

Some older VPN clients won't work with double NAT but most modern ones have no issue. Some really old ones didn't work with NAT at all but obviously that's going way back.

Personally, as a network architect and engineer, avoiding unnecessary NAT and routing layers is good practice. However in reality in the home setting, it is extremely unlikely to be an issue and most should not give it a second thought, especially if they aren't doing a lot of port forwarding or hardcore gaming (and even then, not a huge deal).

My Primary WAN is AT&T Fiber and I use the IP Passthrough which is really just IGMP sharing the public IP with your router. I configure IPv6 in passthrough mode and that avoids NAT all together and my IPv4 traffic is NAT’d but not as bad as a true double NAT.

 

[Ranger802004]

Do you mean WAN Bridge Mode like for example in the attached setup of a Huawei router? When seeing whether Asus supports something similar, I only came across Media Bridge Mode https://www.asus.com/support/FAQ/1043884 which seems to be something different.

If you are referring to bridging the WAN, should I assume that if the Asus router does not support the WAN protocol provided by the provider directly, it would not be able to support the WAN connection if the provider's router would be able to provide WAN Bridge mode?

View attachment 40704

Usually "Bridge Mode" or "IP Passthrough" from a ISP Router is just IGMP and yes ASUS routers support it.

 

[drinkingbird]

Usually "Bridge Mode" or "IP Passthrough" from a ISP Router is just IGMP and yes ASUS routers support it.

Having your ISP router in bridge mode and IGMP/Multicast have nothing to do with each other. Pretty much every switch supports IGMP, and the switch in Asus routers supports IGMP snooping (stripping the traffic off ports that don't need it) on LAN and wireless but since multicast is rarely used on a home network it isn't a big feature, and again has nothing to do with this scenario. Bridge mode is literally just that, removing the L3/router functionality and making it a bridge (essentially a switch). When in bridge mode the public IP is not on your ISP router anymore, it is assigned directly to your router's WAN port. They will typically have a separate management IP on the router so they can still monitor it.

 

[drinkingbird]

My Primary WAN is AT&T Fiber and I use the IP Passthrough which is really just IGMP sharing the public IP with your router. I configure IPv6 in passthrough mode and that avoids NAT all together and my IPv4 traffic is NAT’d but not as bad as a true double NAT.

IPv6 Traffic is never NAT'd (at least not on the internet and rarely in other scenarios) regardless of whether your router is in bridge mode or not. For IPv6, home routers act as router only, no NAT. And as already mentioned, IGMP Has nothing to do with any of this. Yes you can run some advanced manual configurations to do some IPv6 NAT on Asus but there is really no point in doing that, IPv6 specifically was designed to not be NAT'd.

 

[Ranger802004]

Having your ISP router in bridge mode and IGMP/Multicast have nothing to do with each other. Pretty much every switch supports IGMP, and the switch in Asus routers supports IGMP snooping (stripping the traffic off ports that don't need it) on LAN and wireless but since multicast is rarely used on a home network it isn't a big feature, and again has nothing to do with this scenario. Bridge mode is literally just that, removing the L3/router functionality and making it a bridge (essentially a switch). When in bridge mode the public IP is not on your ISP router anymore, it is assigned directly to your router's WAN port. They will typically have a separate management IP on the router so they can still monitor it.

My Primary WAN uses IGMP to share it’s public IP from the CPE router to my ASUS router and I have to make a firewall exception to allow the traffic but what do I know? Lol

 

[Ranger802004]

IPv6 Traffic is never NAT'd (at least not on the internet and rarely in other scenarios) regardless of whether your router is in bridge mode or not. For IPv6, home routers act as router only, no NAT. And as already mentioned, IGMP Has nothing to do with any of this. Yes you can run some advanced manual configurations to do some IPv6 NAT on Asus but there is really no point in doing that, IPv6 specifically was designed to not be NAT'd.

Again I’m behind a CPE router and yes there are some scenarios where IPv6 is NAT’d for example my OpenVPN ULA subnet being NAT’d on the server side for the Public IPv6 address of that router.

 

[drinkingbird]

My Primary WAN uses IGMP to share it’s public IP from the CPE router to my ASUS router and I have to make a firewall exception to allow the traffic but what do I know? Lol

Unless you're running multicast IPTV with your ISP then it isn't using IGMP. Even if you are, it would have a separate unicast address for all other traffic. If for some reason your ISP's router requires IGMP communication with your router and you aren't using multicast IPTV that is some glitch or bug. IGMP is strictly used for multicast IPs in the range of 224.x through 239.x.

If your ISP router is truly in bridge mode, there is no sharing of IP going on. Your router is getting an IP directly from their DHCP server and the ISP router is just acting as a mostly L2 device at that point. If they're running some funky setup where they're attempting to share an IP it still wouldn't need to use IGMP, it would just be intercepting some traffic (management traffic etc) and letting the rest pass through to your router. But that would be a pretty lousy network design on their part.

 

[drinkingbird]

Again I’m behind a CPE router and yes there are some scenarios where IPv6 is NAT’d for example my OpenVPN ULA subnet being NAT’d on the server side for the Public IPv6 address of that router.

Yes like I said there are some unusual circumstances where people will set up a custom manual config for it but the average home user will not have it, nor will the vast majority of commercial users. In some cases it is necessary, where you're running your own servers and your ISP refuses to give static IPv6 (which they are supposed to do but don't like to) and/or doesn't allow you to dynamically update their DNS when an IP changes. Even then, there are ways around it other than NAT. The IPv6 standard essentially requires that ISPs do one or the other but most still want to charge for static IPs even on v6.

 

[Ranger802004]

Unless you're running multicast IPTV with your ISP then it isn't using IGMP. Even if you are, it would have a separate unicast address for all other traffic. If for some reason your ISP's router requires IGMP communication with your router and you aren't using multicast IPTV that is some glitch or bug. IGMP is strictly used for multicast IPs in the range of 224.x through 239.x.

If your ISP router is truly in bridge mode, there is no sharing of IP going on. Your router is getting an IP directly from their DHCP server and the ISP router is just acting as a mostly L2 device at that point. If they're running some funky setup where they're attempting to share an IP it still wouldn't need to use IGMP, it would just be intercepting some traffic (management traffic etc) and letting the rest pass through to your router. But that would be a pretty lousy network design on their part.

It is literally multicast group using IGMP to share the public IP, argue with a wall not me lol.

 

[drinkingbird]

It is literally multicast group using IGMP to share the public IP, argue with a wall not me lol.

Ugh, I guess I should. Unicast IPs have nothing to do with multicast groups and routing, and multicast routing and groups have nothing to do with unicast IPs. They are two completely independent routing processes and protocols. I'll give up now and try and explain it to the wall.

 

[Ranger802004]

Ugh, I guess I should. Unicast IPs have nothing to do with multicast groups and routing, and multicast routing and groups have nothing to do with unicast IPs. They are two completely independent routing processes and protocols. I'll give up now and try and explain it to the wall.

Lol you should because you seem to not understand that the 2 routers are in a multicast group sharing the same Public IP (IGMP). Lmao

 

[PR3MIUM]

Also keep in mind that some ISP Modems/Routers are also not fully supporting IPv6 sometimes and just nativ 4to6/6to4 via Tunnel

My current Setup:
From ISP Modem/Router over the LAN Port1 with Cabel connected to the WAN Port on Main Asus AX88U (WLAN enabled on Main Asus AX88U and all Traffic over VPN)
|
-> First AiMesh Node
|
-> Second AiMesh Node

 

[drinkingbird]

Also keep in mind that some ISP Modems/Routers are also not fully supporting IPv6 sometimes and just nativ 4to6/6to4 via Tunnel

My current Setup:
From ISP Modem/Router over the LAN Port1 with Cabel connected to the WAN Port on Main Asus AX88U (WLAN enabled on Main Asus AX88U and all Traffic over VPN)
|
-> First AiMesh Node
|
-> Second AiMesh Node

Many ISPs (even Verizon in most areas) don't support IPv6 at all, if you want it you have to set up your own tunnel via Hurricane Electric or similar. Personally I did it for a while but it was pointless, extra latency and lower throughput for some sites and there isn't anything that is IPv6 only yet (if ever).

 

[Ranger802004]

Also keep in mind that some ISP Modems/Routers are also not fully supporting IPv6 sometimes and just nativ 4to6/6to4 via Tunnel

My current Setup:
From ISP Modem/Router over the LAN Port1 with Cabel connected to the WAN Port on Main Asus AX88U (WLAN enabled on Main Asus AX88U and all Traffic over VPN)
|
-> First AiMesh Node
|
-> Second AiMesh Node

My ISP is providing full native IPV6, I have the ASUS Router configured in passthrough so it just gets IPs issued to it and devices behind it from the CPE Router's subnet. I prefer IPv6 traffic in my scenario.

 

[abir1909]

Benefits of putting the ISP modem/router in Bridge mode include, but are not limited to:

• No ability for the ISP (or others) to spy on your network layout/devices.
• Use of a router and firmware you trust, and a password only you know (for both the router and your wireless networks).
• Consistently faster speeds, even if only by a few Mbps.
• Consistently lower latency, even if only by a few ms.
• Potential to fully use your router/network as you see fit. Whether within it or not.
• Ability to put IoT devices on a separate network (the ISP's router, with some of their offerings), and not on your internal network (without needing to buy a second router to do so).
• Double Nat is not a benefit, but it can be a potential headache.

ISP-provided equipment is not any better than almost any router we would want to buy ourselves. They chase the $0.001 savings too, to the customer's detriment (re: performance).

Older electronics were built better. In the 1950s. They also sold at markedly less volume (so the failure rates in units (not percent) looked better). The actual failure rates (%), I suspect are similar, if not less, today.

The past couple of decades has proven to me that wireless routers become stale (vs. currently available products) after a few years. Having something last a decade is commendable, but an RT-N66U has little relevance to the networks most of us are using and depending on today.

Planned obsolescence started during the industrial revolution. We're still good. The products we're able to buy today still offer value for the pace of technology we're experiencing. And for the time frames needed to reach those next performance levels.

Even if I still want an Asus wireless router with upgradeable RAM, a removable, internal SSD, a greater than 4 core processor, and a 12x12:12 antennae/stream configuration (for less than $500 USD).

Hi L&LD, i have the unifi dream machine pro as the main router at my work. I want to put my AX86U behind it and be able to use the Asus router with VPN functionality! if i put in AP mode, the router lacks of many functions including VPN. what would you recommend for me to do in order to get the Asus router to work with the VPN enabled? and how do i connect them? Lan to Wan? Lan to Lan? thanks