Saturday, 15 March 2014

How to fix a double NAT scenario for NZ when using two routers

First of all, let me pretence this my stating I'm in New Zealand where the predominate connection to aDSL is using PPPoA, not PPPoE as many routers support.

I recently purchased an ASUS RT-AC68U router but if you use one of these in NZ piggybacked onto an ISP provided modem and you leave your new router set to 'Wireless Router Mode (default), you will end up in a double NAT scenario and in even more trouble if you had devices behind your firewall that you used to access from outside your network as these will no longer be accessible.

I scoured long and hard with most workarounds achieved by either enabling half-bridge mode if your modem supports this (older Dynalink) or by using a Draytek modem that supports PPPoE/PPPoA relaying. This feature (also called PPPoE to PPPoA Bridging or PPPoE to PPPoA Transparent Pass Through) allows LAN devices to use PPPoE protocol to access an ISP who uses PPPoA protocol. Although I had kit that supported both of these modes and it worked, it was very unreliable and the Internet connection kept going down.

Here's what I did which has now provided me with a super rock steady network.

Modem:
Dynalink RTA1335 4-port running 3.64y firmware
LAN IP set to 192.168.3.1
DHCP server must be on and set to 192.168.3.10 - 192.168.3.10*
DMZ zone set to 192.168.3.10












*You need to ensure the router is always leased the same address from the modem as this address is the one you are defining as the DMZ zone (192.168.3.10 in my example above). There are two ways to do this.
  1. Make the DHCP range only one IP i.e. 192.168.3.10 - 192.168.3.10 so the router will always get this address.
  2. If you want to connect devices to both the modem and the router (maybe for support purposes), you'll need to add a DHCP server reservation so the modem always leases the router the IP address defined in the DMZ zone. You'll need to find out the MAC address for the WAN port on your router in order to program this.
Router:
ASUS RT-AC68U
LAN IP 10.0.1.1
WAN IP set to Dynamic
DHCP Server 10.0.1.230 - 10.0.1.254

The modem and the router must be on different subnets and as many use 192.168.1.xxx, you'll either need to change the modem or the router to say 10.0.1.xxx. I actually changed both and used 192.168.3.xxx for the modem and 10.0.1.xxx for the router. I changed the router as all of my LAN devices are on the 10.0.1.xxx subnet.

All of your LAN devices now need to plug into the new router (ASUS AC68 in my case) and they'll be leased addresses in the 10.0.1.xxx range. The WAN port on the router connects to the LAN port/s on the modem. If your modem has WiFi, you can turn this off too as it most likely will not be required and may even cause unnecessary interference?

If you need to route any outside ports to devices inside your network like your NAS for example, do this on the new router as all ports will be passed via the DMZ zone on the modem direct to the router.

I've tested this configuration on both the RT-AC68U/R and my older LinkSys EA6500. With the LinkSys, it's been running this way for many weeks and never missed a beat. Remote access to my various devices also works without a hitch.

FYI, I've also tested DDNS on the ASUS router and this works great too when you've set your network up this way.

Good luck.

P.S There is an excellent article on "Cascading Routers" on the Bitcomet Wiki which explains how to achieve port forwarding through two routers here. While this can be done easily, the method I've used above is way easier utilising a DMZ if you router doesn't support Bridge mode or your ISP uses PPPoA.