DMZ or Disable NAT on router? (double NAT situation)

Predki

n3wb
Joined
Oct 14, 2019
Messages
19
Reaction score
1
Location
Canada
Hi all, I bought an ASUS AC86U router because I want to run a VPN server in order to access my network securely. However I had the displeasure to learn that my ISP doesn’t permit their modem/router combo to go into bridge mode.

Now my understanding is that I can put the router behind the modem’s DMZ. This would essentially save me from port forwarding on both the router and the modem.

My question is: can I just disable NAT on the router and have my ISP modem/router do the NAT?... would this “neuter” some of the router’s capabilities? I know it’s a decently fancy router with a fast processor and I want file transfers to continue to be speedy throughout my private network. Any negatives from doing this??

thanks!

matt
 
Joined
Dec 30, 2016
Messages
807
Reaction score
622
Location
Somewhere in the space/time continuum
Hi all, I bought an ASUS AC86U router because I want to run a VPN server in order to access my network securely. However I had the displeasure to learn that my ISP doesn’t permit their modem/router combo to go into bridge mode.

Now my understanding is that I can put the router behind the modem’s DMZ. This would essentially save me from port forwarding on both the router and the modem.

My question is: can I just disable NAT on the router and have my ISP modem/router do the NAT?... would this “neuter” some of the router’s capabilities? I know it’s a decently fancy router with a fast processor and I want file transfers to continue to be speedy throughout my private network. Any negatives from doing this??

thanks!

matt
If you don't have to use their modem/router, I would look into purchasing your own. I live in the States, and don't know how Internet providers work in Canada. Many providers in the States (Comcast, WOW, Charter, etc.) allow you to buy your own device to interconnect with the ISP. This is the way to go, as you save rental fees. If you do this, make sure the modem/router can run in bridge mode first before purchase. If you go this route, you won't have issues setting up OpenVPN or some other VPN service on your Asus router. And the best part, you control DHCP, port forwarding and the firewall on your network.
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
Hi all, I bought an ASUS AC86U router because I want to run a VPN server in order to access my network securely. However I had the displeasure to learn that my ISP doesn’t permit their modem/router combo to go into bridge mode.

Now my understanding is that I can put the router behind the modem’s DMZ. This would essentially save me from port forwarding on both the router and the modem.

My question is: can I just disable NAT on the router and have my ISP modem/router do the NAT?... would this “neuter” some of the router’s capabilities? I know it’s a decently fancy router with a fast processor and I want file transfers to continue to be speedy throughout my private network. Any negatives from doing this??

thanks!

matt

The DMZ feature effectively exposes hosts to the internet (eg a web server), it's not really meant to be for putting your asus router there, but it may work. If you were to do that, I would only do it for your CCTV equipment not your entire LAN.

I don't think you can disable the firewall functionality; even if you could, you'd be turning the asus router into a very expensive switch. You shouldn't have to do any port forwarding, the VPN server should be accessible on the WAN IP address.
 

Predki

n3wb
Joined
Oct 14, 2019
Messages
19
Reaction score
1
Location
Canada
If you don't have to use their modem/router, I would look into purchasing your own. I live in the States, and don't know how Internet providers work in Canada. Many providers in the States (Comcast, WOW, Charter, etc.) allow you to buy your own device to interconnect with the ISP. This is the way to go, as you save rental fees. If you do this, make sure the modem/router can run in bridge mode first before purchase. If you go this route, you won't have issues setting up OpenVPN or some other VPN service on your Asus router. And the best part, you control DHCP, port forwarding and the firewall on your network.
Thanks for your reply. Unfortunately my ISP doesn't allow that either, since my cable boxes rely on the ISP’s modem to get their signal. The tech support people basically follow a script when I talk to them and aren’t very helpful for answering many of my questions.
 

Predki

n3wb
Joined
Oct 14, 2019
Messages
19
Reaction score
1
Location
Canada
The DMZ feature effectively exposes hosts to the internet (eg a web server), it's not really meant to be for putting your asus router there, but it may work. If you were to do that, I would only do it for your CCTV equipment not your entire LAN.

I don't think you can disable the firewall functionality; even if you could, you'd be turning the asus router into a very expensive switch. You shouldn't have to do any port forwarding, the VPN server should be accessible on the WAN IP address.
Thanks for the response, I believe I can turn off the NAT on the router but leave the firewall enabled. NAT would be handled by the ISP box. Right now I have my router listed in the DMZ of the ISP modem box with NAT enabled on both. This effectively creates a double NAT regardless. I am noticing that my chromecasts “reconnect” every so often but only when idle. There are no disconnects while streaming. I guess I can live with that.

My other issue is with the OpenVPN server. I am not able to connect with clients on my LAN even though it seems that I am able to connect to the VPN server (the IP address on my iOS device displays my home IP). I have heard that enabling static routes might resolve this but I don’t know what to put into the fields, see image....

Any help is appreciated!!
[attached image]
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
Can you post a network diagram? The LAN side of the ASUS will not be able to see the LAN side of your ISP router when on the DMZ. That's why I mentioned keeping only the cctv items there.

Another and perhaps better option might be to place the Asus modem behind the ISP modem. A LAN port from the ISP modem connects to the WAN on the Asus (assuming it's an ethernet interface). Yes, there will be double NAT happening. For OpenVPN to work, on the ISP modem you would have to port forward OpenVPN port 1194 to the Asus WAN IP (ensure it's a fixed IP). The Asus LAN subnet will be a different network to your ISP subnet.

It's a bit messy and I've never done this but on paper it should work.
 

Predki

n3wb
Joined
Oct 14, 2019
Messages
19
Reaction score
1
Location
Canada
hey Valiant,

ISP's lan to the router's WAN is the way that I have it set up.

You mention that I would port forward to the OpenVPN WAN IP but I tried this to no avail. I thought that putting the router behind the DMZ of the ISP's router would take away the need to port forward anything to the Asus router. Correct me if I'm wrong.

see the network diagram attached:
[attached image: network diagram]
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
The Port forward rule on the ISP modem WAN IP/port 1194 should forward to internal Asus 192.168.0.137/port 1194 (udp, or tcp&udp). This way, OpenVPN traffic hits the Asus router. If OpenVPN on the Asus is configured correctly, you should then be able to see your Blue Iris machine and other hosts on the unmanaged switch.

Does the BI machine have internet access with the above setup? What IP settings are on that (I'm assuming the gateway will be 192.168.50.1)?

Another thing you could try: does your internet modem have wifi? If you connect to that wifi on the 192.168.0 network, you could try connecting to the OpenVPN server directly on 192.168.0.137; this way you eliminate any port forward configuration issues on the ISP modem. Get this working first before trying to connect from the internet.
 

Predki

n3wb
Joined
Oct 14, 2019
Messages
19
Reaction score
1
Location
Canada
1. Yes the port forwarding rules are enabled. I am able to connect my iOS device to the OpenVPN server and browse the internet over LTE as if I was browsing on my home network.
2. BI machine does have internet access and yes you are correct, the gateway is 192.168.50.1.
3. As per your advice I did try this and was able to access my BI machine while connected thru the VPN. What does this mean now?
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
3. As per your advice I did try this and was able to access my BI machine while connected thru the VPN. What does this mean now?
It means you are making progress. I assume you mean via the ISP wireless LAN? Your OpenVPN is configured and operational.

2. BI machine does have internet access and yes you are correct, the gateway is 192.168.50.1.
Good, your LAN connectivity works.

1. Yes the port forwarding rules are enabled. I am able to connect my iOS device to the OpenVPN server and browse the internet over LTE as if I was browsing on my home network.
If that is the case, can you not see your BI machine? Are you connected via 4G? Disable wifi on your phone. Ensure you are connecting to your home network via the internet using the external WAN IP. If you can connect to OpenVPN, that means your port forward rules are working between the ISP modem and your asus router.

Only other gotcha I can think of is your ISP is doing some type of shared WAN IP using CG-NAT. If the above doesn't work, you may need to contact them and query whether you in fact have a non-shared WAN IP address.
 

Predki

n3wb
Joined
Oct 14, 2019
Messages
19
Reaction score
1
Location
Canada
It means you are making progress. I assume you mean via the ISP wireless LAN? Your OpenVPN is configured and operational.

Good, your LAN connectivity works.

If that is the case, can you not see your BI machine? Are you connected via 4G? Disable wifi on your phone. Ensure you are connecting to your home network via the internet using the external WAN IP. If you can connect to OpenVPN, that means your port forward rules are working between the ISP modem and your asus router.

Only other gotcha I can think of is your ISP is doing some type of shared WAN IP using CG-NAT. If the above doesn't work, you may need to contact them and query whether you in fact have a non-shared WAN IP address.
I must say that I really appreciate all your help! But yes, that is correct: I cannot see clients located on the subnet 192.168.50 while connected to the OpenVPN server.

I read about assigning a static route between the VPN’s subnet and the gateway, but my understanding is that the ASUS router handles this using NAT and it is unnecessary.
My only other thought is whether the firewall on the BI machine is the culprit (windows10).
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
From your point 3, "3. As per your advice I did try this and was able to access my BI machine while connected thru the VPN"

You mentioned you can see the BI server? Is that correct?

Someone with OpenVPN on an Asus router may be able to assist further. I'm pretty sure it doesn't require setting up static routes. The OpenVPN server or wizard to configure it will likely take care of that for you.

Yes, the Win 10 firewall is definitely worth disabling temporarily!
 

Predki

n3wb
Joined
Oct 14, 2019
Messages
19
Reaction score
1
Location
Canada
From your point 3, "3. As per your advice I did try this and was able to access my BI machine while connected thru the VPN"

You mentioned you can see the BI server? Is that correct?

Someone with OpenVPN on an Asus router may be able to assist further. I'm pretty sure it doesn't require setting up static routes. The OpenVPN server or wizard to configure it will likely take care of that for you.

Yes, the Win 10 firewall is definitely worth disabling temporarily!
Regarding point 3, I was able to see the BI server only while I was on the ISP’s Wi-Fi subnet 192.168.0 and connected to the OpenVPN server. I wonder if that means it isn’t the firewall then... I will try again tomorrow. Gotta love this stuff! :)
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
Right, OpenVPN is working, move on from the Asus.

Does OpenVPN connect successfully from your mobile connection? If not:

- Check you are using the correct WAN IP address when testing OpenVPN via 4G (google "what's my ip")
- Check to see your port forward rule is working for port 1194 (I like to use Network Tools by YouGetSignal.com); the web site should report the OpenVPN port is open
- Perhaps reboot your ISP modem; some behave funny after changes are made (if point 2 fails)
- Check with your ISP that your WAN IP is a valid routable IP address (they shouldn't use CGNAT)
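An offline checker, added here and not part of the thread, that encodes the checks the replies above walk through for this double-NAT layout: the modem's WAN IP must be routable (not CG-NAT or another private range), the modem's 1194 forward must point at the Asus WAN address inside the modem's LAN, and a connected OpenVPN client only sees 192.168.50.x if the server pushes a route for that subnet. The tunnel subnet 10.8.0.0/24, the pushed-route list and the sample WAN address are constructed assumptions; the overlap check goes slightly beyond the thread as a common cause of "connected but can't see LAN hosts".

```python
"""Sanity checks for the double-NAT OpenVPN layout discussed in this thread.

Topology from the thread: ISP modem LAN 192.168.0.0/24 -> Asus WAN
192.168.0.137 -> Asus LAN 192.168.50.0/24 (gateway 192.168.50.1).
Tunnel subnet, pushed routes and the WAN IP below are assumptions.
"""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OPENVPN_PORT = 1194


def classify_wan_ip(ip: str) -> str:
    """Can the address the ISP modem shows as its WAN IP receive an
    inbound port forward from the internet at all?"""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT:
        return "cgnat"      # shared WAN IP: inbound forwards never arrive
    if any(addr in net for net in RFC1918):
        return "private"    # yet another NAT layer upstream of the modem
    return "public"


def diagnose(modem_wan_ip, modem_lan, forward_target, asus_lan, tunnel,
             pushed_routes):
    """Return a list of findings; an empty list means the layout is sound."""
    findings = []
    kind = classify_wan_ip(modem_wan_ip)
    if kind != "public":
        findings.append(f"modem WAN IP {modem_wan_ip} is {kind}: "
                        "ask the ISP for a routable address")
    modem_lan = ipaddress.ip_network(modem_lan)
    asus_lan = ipaddress.ip_network(asus_lan)
    tunnel = ipaddress.ip_network(tunnel)
    target_ip, target_port = forward_target
    if ipaddress.ip_address(target_ip) not in modem_lan:
        findings.append(f"forward target {target_ip} is not in modem LAN {modem_lan}")
    if target_port != OPENVPN_PORT:
        findings.append(f"forward points at port {target_port}, "
                        f"OpenVPN listens on {OPENVPN_PORT}")
    # A client only reaches 192.168.50.x if the server pushes that route.
    if not any(ipaddress.ip_network(r).supernet_of(asus_lan) for r in pushed_routes):
        findings.append(f"no pushed route for {asus_lan}: clients connect "
                        "but cannot see LAN hosts")
    for name, net in (("modem LAN", modem_lan), ("Asus LAN", asus_lan)):
        if tunnel.overlaps(net):
            findings.append(f"tunnel {tunnel} overlaps {name} {net}")
    return findings
```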
 