Double NAT(ASUS) and PPPoE passthrough/DMZ/exposed host/bridge mode/MS Teredo, possible solutions?

deSSy2724

Hi all, I'm not that much into networking, but in short I plan to use features as an above-average user (which I in fact did before with my previous ISP and previous location, but that's another story). This might be a long post but I will try to make it as readable as possible.

In short, I'm in some way forced/want to use two routers, and the thing which bothers me the most is the "Double NAT" problem and proper ways to eliminate it but at the same time not lose most of the second router's functionality (ASUS RT AC88U). After reading several articles and opinions, there are basically many obstacles and possible solutions, obstacles like "carrier grade NAT", IPv4/IPv6 combo, DSL lite, dual stack, routers which don't support bridge mode, to name a few.


THE CONFUSION (ONLY ISP GATEWAY/ROUTER)
Anyway, it seems that if I use ONLY the ISP's provided router I'm getting both IPv4 and IPv6 public IP addresses and I can use port forwarding just fine, DynDNS, and it seems like the NAT is 1:1 (not sure). The router/gateway (FritzBox) provided by my ISP can't be turned into bridge mode (a firmware update disabled it a long time ago) or whatever, but the main problem is that I'm not sure if I'm behind double NAT or not. For example, under Windows 10, while connected directly and only to my ISP's router/gateway (FritzBox), if I go to All Settings > Gaming > Xbox Network and perform the check for NAT Type I'm getting "Open NAT", but under cmd: "tracert 8.8.8.8" the two so-called "hops" are 1. my ISP router's IP, 2. an address which begins with 10.155........, the 3rd one being 172.17....... Does that mean that I'm behind double NAT or what? On some sites it's basically said that if the second IP/hop begins with 10.... I'm under double NAT, but why does the check in Win 10 under "Xbox Network" say that the NAT Type is open? I'm confused....



WHAT I WANT (TWO ROUTERS WITHOUT DOUBLE NAT)

Now the next problem is if I want to use a second router like the ASUS RT AC88U.... Like mentioned above, I'm using a router/gateway from my ISP and I plan to use a second router, the ASUS RT AC88U, which would be connected by wire to my ISP's router. The ASUS router is meant for VPN client usage; it has 8 Ethernet ports, which is one of the main reasons I bought it. I plan to use it for port forwarding, NAS, security cameras, DynDNS etc. The router (ASUS) is connected from its WAN port to one of the LAN ports of my ISP router/gateway.

Now, if I connect the two routers and go to the DynDNS settings (ASUS) I'm getting the following message:
"The wireless router currently uses a private WAN IP address. This router may be in the multiple-NAT environment. While using an External check might allow DDNS to reflect the correct IP address, this might still interfere with remote access services."

and while performing a cmd command: "tracert 8.8.8.8" while connected to the ASUS router, for example, it seems that I'm behind double NAT (the first two hops are the IPs of both of my routers, both starting with 192......); under Win10 "Xbox Network" settings I'm getting "middle NAT".


Now before I get into what I tried, let's get some facts straight because, like I said, I'm not into networking and some things confuse me a bit.


QUESTIONS/CONCERNS, INFORMATION

1. Is it true that the VPN connection (VPN client) can't be used if the ASUS is connected via one of its own LAN ports to another router/gateway? I read somewhere that a VPN client connection (ASUS) is possible only if I use the WAN port of the ASUS router, is that correct?

1.1. Is it true that I'm directly getting a second NAT if I use the WAN port of my ASUS, but that it's possible to eliminate the second NAT if I use the LAN ports of my ASUS router instead of the WAN port to connect to the ISP gateway/router's LAN port? I mean, what's the difference anyway in this example? Some say use the LAN port, some say use the WAN port of the ASUS router.....


2. What's the actual difference between DMZ and exposed host? On the ISP router (FritzBox) I can set the ASUS IP as "exposed host" with the warning saying something like:
"the device would be fully available through the internet (IPv4), this device would be unprotected, visible and accessible to others from the Internet and finally that the Firewall would be disabled for this device (the device being the ASUS router)"
I mean, in what way is it different to DMZ? Isn't DMZ when all ports are opened for a specific private IP? Isn't it basically the same thing as "exposed host"?

Does DMZ disable the firewall like the exposed host setting? If the exposed host disables the firewall on my ISP router, is the firewall still enabled on my ASUS end, and does it matter if I'm connected through the LAN port or WAN port of my ASUS router?

3. What's PPPoE passthrough? If I set it up on my ISP router and connect my ASUS router to it, what's achieved this way?

4. I read somewhere that there is a way to disable NAT on one of the routers to avoid double NAT and still be able to use its features like DynDNS, VPN etc., and many others say it's impossible.... very confusing.

WHAT I TRIED:

HINT:
- Only the ISP router is not a solution because, like I said, I would like to have a VPN connection (only possible with the ASUS router), I want 8 Ethernet ports and so on.
- The goal is to connect the main PC and most of the devices (8 LANs) to the ASUS router, and the ASUS router to the ISP router.


1. First try: I connected the ASUS, in Wireless Mode and default settings (WAN), to my ISP router with default settings (LAN), and it seems that I'm always behind double NAT (according to tracert and Win10 Xbox Network settings).

2. ASUS in AP works (internet) but DynDNS, VPN are disabled..... basically like a dumb switch for me.

3. I disabled Teredo on my ISP router and it was possible to have NAT Open under Xbox Network settings sometimes; other PCs are behind "middle NAT" etc. Some say it solves NAT problems with gaming consoles.

4. I set up the exposed host on my ISP router to my ASUS router IP and now basically, if I'm connected to the ASUS router, it's like I'm connected directly to my ISP router. Xbox Network settings are showing "Open NAT" but tracert still indicates that I'm behind double NAT (second hop is 10......)...... very close to what I want, but I'm concerned about security. If the NAT is really open, am I missing something?

5. What else to try............

Now, if I were to get rid of the FritzBox, the modem/router gateway (bridge support) should also support supervectoring profile 35b (my DSL ISP's requirements) and speeds up to 250 Mbit/s down and 40 Mbit/s up, so what should I buy? Like I said, the FritzBox can't be put in bridge mode.
 
I'll make a few comments rather than try to answer all your questions, as some of them might not be applicable any more.

1. It doesn't sound like your ISP is NATing your connection. The traceroutes are often misleading. Can you log into the FritzBox and see what the WAN address is? That will tell you if you have a public address.

2. Yes, to use the Asus as a VPN client it must be in "router mode". The VPN client will work without any problems in a double NAT situation.

3. Regardless of how many routers you have or what their NAT setup is, all traffic sent through a VPN tunnel will be NATed by the tunnel. Unsolicited incoming traffic would not normally be allowed back through the tunnel to you unless the VPN provider offers this as a service.

4. PPPoE passthrough is a kind of bridge mode.
 
Sorry for the really late reply....

On my FritzBox there is no mention of "WAN", but under "Internet, IPv4" it says: "IP-Adresse: 100.7X.1XX.XXX" (which is not my public IP). It seems that it's a local IP...... I know that VPN would work, but other port-forward-related things would have problems if the ASUS router is connected to my ISP gateway (FritzBox).

On this FritzBox there is no option for turning on "PPPoE passthrough", but I remember other FritzBoxes do have this option. My main problem is the double NAT, which I would like to avoid. Would PPPoE passthrough solve this issue?

Anyway, can you recommend any good modem/router combo which obviously supports bridge mode, VDSL supervectoring, profile 35b (up to 250 Mbit/s download and 40 Mbit/s upload)?
 
On my FritzBox there is no mention of "WAN" but under: "Internet, IPv4" it says: "IP-Adresse: 100.7X.1XX.XXX" (which is not my public IP)
Addresses between 100.64.0.1 and 100.127.255.254 (100.64.0.0/10) are reserved for use by ISPs for Carrier-grade NAT. This type of NAT is applied by the ISP in their infrastructure, it's not something you can change using the equipment in your home.

So as it stands there is no way for you to remove this layer of NAT. Your only option is to contact your ISP and tell them you want a public IP address and not a CGNAT address.
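
The check described in this answer, written out as an added example (it is not part of the thread): it classifies the WAN-side address of each home router and counts the NAT layers. The function names and the sample addresses are assumptions of the example, and it assumes every router in the chain runs in router mode with NAT enabled.

```python
import ipaddress

# Blocks that are never routed on the public internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space (RFC 6598)


def classify(addr):
    """Return 'cgnat', 'private', 'other' or 'public' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "other"
    return "public"


def assess(wan_chain):
    """wan_chain: WAN-side address of each NATing home router, innermost first.

    Assumption of this example: every router in the chain runs in router
    mode with NAT enabled, so each one contributes one translation layer.
    """
    if not wan_chain:
        raise ValueError("need at least one WAN address")
    kinds = [classify(a) for a in wan_chain]
    outermost = kinds[-1]
    # A non-public address on the outermost WAN means the ISP translates again.
    isp_nat = outermost in ("cgnat", "private")
    return {
        "kinds": kinds,
        "nat_layers": len(wan_chain) + (1 if isp_nat else 0),
        "home_double_nat": len(wan_chain) > 1,
        "behind_cgnat": outermost == "cgnat",
        # Port forwards and DDNS can only work from the internet if the
        # outermost home router holds a public address.
        "inbound_possible": outermost == "public",
    }


if __name__ == "__main__":
    # Constructed sample addresses; the thread only shows masked values.
    cases = {
        "ASUS behind FritzBox on CGNAT": ["192.168.178.20", "100.70.100.10"],
        "FritzBox only, CGNAT WAN": ["100.70.100.10"],
        # 203.0.113.0/24 is a documentation range standing in for a public IP.
        "ASUS holding the public IP via PPPoE": ["203.0.113.10"],
    }
    for name, chain in cases.items():
        print(name, assess(chain))
```

Feed it the address shown on each router's WAN or Internet status page rather than traceroute hops, since private hops inside the ISP's network do not by themselves prove translation.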
 
Hi Colin, quick question for you: my modem is set to a private IP, however on my Asus router my WAN is 184.1xx.7x.xxx. Do I have my PPPoE set up correctly? I am unsure if I am experiencing double NAT or not; the most I can tell you is that I am able to access the modem from my router in router mode, and when doing a traceroute (yes, I read the previous conversations) I get my modem and router IP address.

Thanks in advance
 
@ank Have a look at the screenshot in this post.

On the right where it says WAN IP do you have 2 IP addresses, one private and one public (184.1xx.7x.xxx)? If so then that's good and you don't have double NAT.
 
@ColinTaylor thanks for the quick response. You said if I have two IPs then I am good? Looking at my network status I do have a private 192 and a public 184, two DNS and two gateways. Should I disable DHCP as the linked article suggested?

Edit:

I did try disabling Enable VPN + DHCP Connection and my 2nd IP disappears, but I still do have 2 DNS. Does that make any sense? Should the DHCP be off on the modem and on on the router?
 
Two DNS servers is normal.

Leave the DHCP settings at their default values. You should only change them if there's a requirement to do so from your particular ISP.
 
I see a lot of questions, but if I understand it right your situation is as follows:
You have an ISP wifi router/gateway.
You want to use an Asus router behind that ISP router for VPN services to your devices.

First of all: Double NAT is not an issue with your Asus router and Merlin.

Maybe my configuration (at least a part of it) will help you out so I will describe it:
ISP WiFi router/gateway issuing IP addresses with DHCP
Asus Router (in fact I got two but I focus on only one):
The ISP gateway is only used to issue ip addresses to my two routers and further ignored (gives my routers connection but is further ignored).

The ISP gateway DHCP should preferably issue a fixed IP to your router (if your ISP gateway does not allow that, make the static IP address below into automatic).
On the Asus side:
WAN Section:
Static IP Address / Enable WAN / Enable NAT / disable UPnP
Now that fixed IP address (from your ISP gateway) is used in the WAN IP Settings section of your Asus / subnet mask 255.255.255 and the IP address of your ISP address should be hammered in the default gateway
Configure your WAN DNS Settings and do NOT forward local domain queries to upstream DNS
LAN Section:
Give your LAN an IP address in the tab LAN IP
In the DHCP section: Make sure your default gateway is the IP address you entered in the LAN IP tab. LEAVE THE DNS SERVERS EMPTY!
Advertise router's IP in addition to user-specified DNS set to NO
I have chosen to manually assign IP addresses to my devices

Cabling:
A lan cable from your ISP gateway will be connected to the WAN port of your Asus.

The above settings give you the starting point that makes the ISP gateway a dumb gateway that you further ignore. You can now focus on the further setup of your Asus router.
My 5 cents: first focus on the router configuration before you focus on setting up your VPN client.
Give yourself some time to get familiar with all the possibilities that the Merlin firmware provides you with. Experience bit by bit what all the configuration tabs mean and if a setting contributes or not to your WiFi experience with your Asus router.

Before you start with the VPN configuration:
Observe the NAT passthrough settings in the WAN section
NAT Acceleration in Switch Control tab of the LAN section should be on Auto
Set your WiFi channels to a fixed channel:

After everything is working as you have as objective, take the power from all for at least 5 minutes (remove the power cables). Start with your ISP gateway and boot your Asus once that is up and running.
Your network is now fully managed by your Asus router and your ISP gateway can be ignored as long as it provides traffic to your Asus. (dumb gateway).

I hope this helped you out. Njoy your Asus Merlin router!
 
Hi, thanks for all your help! I did get to learn a lot from my response. However, on my Asus router I have the ROG firmware, not Merlin; although very similar, they do differ a bit. To begin, I did try media converter and PPPoE and for some reason I only get 50% of my download speed. I do find that to be odd because my ISP modem reads 1 gig of down and 750 (I get 780 up). Unsure of the reasoning for that, and I am not interested in a technician coming to my house in this pandemic. I did try multiple Ethernet cables and no improvements (Cat 7 and 5e) and different devices.


As for my ASUS router:
I do not have a static IP option in my WAN tab and I can not set it on my ISP modem (pretty stupid).
"Advertise router's IP in addition to user-specified DNS set to NO" option is not there.

As for cabling, I do have it connected with a Cat 7 from LAN 1 to WAN as you have mentioned.

Thanks for the response
 
We are dealing here with Asus Merlin firmware. ROG is Asus stock firmware. Where you selected PPPoE you can set automatic IP as well. Maybe that will speed up things. Further I cannot help you out with ROG, but what is possible with ROG from my previous post should help you out in the direction of speed. A VPN client will cost you line capacity. 50% of your initial connection with a VPN client is not bad at all!
 
Can we use this thread to solve the CGNAT situation for my case?

Primarily for the Plex Server to be shared with family from outside.
If you're trying to access a Plex server behind CGNAT from the internet it will not work.
 