Author Topic: Help in checking DMZ setup between 2 routers.

Offline boltvoltes

  • PcWinTech Jr. Member
  • Join Date: Apr 2019
  • Posts: 1
  • Karma: 0
Help in checking DMZ setup between 2 routers.
« on: April 29, 2019, 11:05:10 PM »
Hi,

  I decided to get a better router rather than using my ISP-supplied modem/router.  Thus I am not interested in using my new router as an access point.  I would appreciate it if someone could check whether my setup below is correct.

Hardware:-
1)  Main ISP supplied Modem router:  ZTE ZHXN H108N V2.5 IP address is 192.168.254.254 (ISP supplied modem router)

2)  Secondary router: TP Link AC2300 IP address is 192.168.0.1 (router).

ISP broadband connection is through PPPoE.

Planned set up:

ISP Modem/Router (ZTE ZHXN H108N) LAN port ----> connect through DMZ mode ---> 2nd router (TP-Link AC2300) WAN port

I would also like to put static IP on Router 2 (TP-Link)

************************************************
Router 1 (Main ISP supplied Modem router ZTE)

WAN IP Address: 120.xx.1xx.xxx (default by ISP)

LAN Setup
LAN IP Address:  192.168.254.254 (default by ISP)
Subnet Mask: 255.255.255.0 (default by ISP)
DHCP:  ON
DHCP Range:192.168.254.100 to 192.168.254.200 (default by ISP)

WIFI: OFF

NAT: ON (Guessing here.  Not sure if it will cause double NAT issues.  Please comment.)

UPnP:  ON
WAN Connection: (what to put?)
Advertisement Period (in minutes): not sure what this is?
Advertisement Time to Live (in hops):  not sure what this is?

DMZ Setup : ON
WAN Connection:  (what to put?)
DMZ Host IP Address: 192.168.0.10 (router 2 IP Address is that correct?)
MAC : ON

Port Forwarding:  Have to setup or not?

How do I set up a static IP for router 2 (TP Link) in router 1 (ZTE)?  Will it be in the WAN or LAN section?

-------------------------------------------------------------------------------
Router 2 (TP-Link AC2300)

WAN IP Address: (what to put)
Gateway: (what to put?)
Primary DNS Server:  (what to put)

Static IP on WAN Port: (what to put?)

LAN Setup
LAN IP Address:  192.168.0.1 (Is this correct?)
Subnet Mask: 255.255.255.0
DHCP:  ON
DHCP Range:192.168.0.100 to 192.168.0.200

WIFI: ON

NAT: ON (Guessing here.  Not sure if it will cause double NAT issues.  Please comment.)

UPnP: ON

FIREWALL:  IPv4 IPv6: ON

Internet Connection:  through Static IP

====================================

Question: 
1) Do I enable DHCP on BOTH the main modem/router (ie the ZTE ZHXN H108N) and the secondary router (TP Link AC2300)? Will they conflict with each other?  What range should I put on both?  Do they have to be very different IP address ranges?

2) Will connecting two routers cause double NAT? Will that even be an issue?

3)  How about VoIP? Will it be affected?

4) How about UPnP? Do I enable it on both or neither?

5) What internet connection type do I choose on the secondary router TP Link AC2300 since it offered 5 types (Dynamic IP, Static IP, PPPoE, L2TP and PPTP)?

7) Should I turn off the wireless radio on the ISP modem/router (ZTE)?

8)  Are there two static IPs in a router?  One for WAN and one for LAN?  If so, how do I set it up for both router 1 (ISP-supplied modem router ZTE) and router 2 (TP Link)?

Thanks in advance.


Offline trpted

  • PcWinTech Guru
  • Join Date: Sep 2011
  • Posts: 1,190
  • Karma: 37
Re: Help in checking DMZ setup between 2 routers.
« Reply #1 on: May 03, 2019, 06:57:42 PM »
** Start Copy and paste answer, that might answer some if not all of your questions. **

Let us do this step by step. Starting off with pre-checks.

********************** Pre-check item one  **********************

#1 Most ISPs have a TOS ( Terms Of Service ).

#2 You need to find that TOS for your ISP.

#3 If your ISP does not say that you cannot run any servers of any kind - green light.

#4 If your ISP does not allow you to run any servers of any kind - yellow light.

-> Be sure to know the risk of running any kind of server.

-> You have to decide whether it is worth the risk or not, based upon...

a) ..how easily you can get another ISP to serve you - for example.

b) ..how much does it cost to upgrade the type of account that you have with your ISP. Example from regular consumer to gaming or business plan.

********************** Pre-check item two  **********************

#1 As how to check what the IP Address is/are, Subnet Mask is/are, Default Gateway is, MAC Address(es) is/are, DNS Server(s) are of your computer, it depends on the OS and Version.

#2 Note: This example assumes that you are on Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8 or Windows 10

a) Press the Windows Start key to open the Start screen.

b) Type cmd and press Enter to launch the command prompt.

Note: You do not need to click on anything on the Start screen—typing will automatically initiate a program search.

c) Type ipconfig /all at the command prompt to check the network card settings.

d) If you are not on Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8 or Windows 10 and you do not know how to check that network info - then post what your OS and version is.

#4 You need to make sure that the Default Gateway on your computer is the same LAN IP as your NAT router.

************* Pre-check item three  ***************

#1 Go to http://ipv4.whatismyv6.com/

#2 On that web page is the non-bogon IPv4 (Public) Address that users from the Internet use to connect to you.

#3 In your NAT router, somewhere in there you must have the same non-bogon IP Address.

Example: the non-bogon IP Address is 999.888.777.666, but in the NAT router the WAN IP is 10.0.0.100 - this is not ok.

#4 Important note: This is not to say that the non-bogon IP Address has to be Static.

Example: yesterday's IP Address was 999.888.777.666 and today's IP Address is 999.888.777.555 - this is ok.

#5 If the WAN IP in the NAT router does not match the true WAN IP, well it matters what the WAN IP in the NAT router is.

a) If the WAN IP is from 100.64.0.0 - 100.127.255.255, then CGNAT/NAT444/LSN is present.

Quote

If you want more details about CGNAT/NAT444/LSN, you can look at

http://en.wikipedia.org/wiki/Carrier-grade_NAT

The possible fixes for your issue if CGNAT/NAT444/LSN is present:

#1 Have them in their NAT router forward the ports to the WAN IP of your NAT router..

#2 Upgrading the type of plan that you are on with your ISP so that you get a non-bogon WAN IP Address.

For example if you are a Residential Service Plan, consider going to a Business Service Plan.

#3 Consider switching to another ISP that can give you a non-bogon WAN IP Address.

#4 For the long term future, get IPv6 working.


b) If the WAN IP is one of the RFC 1918 IPs (Meaning 10.0.0.0 to 10.255.255.255, from 172.16.0.0 to 172.31.255.255 OR from 192.168.0.0 to 192.168.255.255) and if your NAT router is a RJ-45 WAN port NAT router:

Step 1: Physically find your NAT Router

Step 2: Find the WAN port of it.

Info: WAN port could be called Internet or To Modem or To ONT port.

Step 3: Report back what the brand and model of the device that is connected at the other end of the wire that is connected to the WAN port of the NAT router.

c) If the WAN IP is one of the RFC 1918 IPs and if your NAT router is NOT a RJ-45 WAN port NAT router, then CGNAT/NAT444/LSN is present (See fix above if the case).

d) If the WAN IP is one of the RFC 1918 IPs and if your NAT router is a gateway NAT router, it matters how it is connected to the Internet (RJ-45 WAN port or acting as a modem combo).

e) If the WAN IP is one of the RFC 1918 IPs and you do not know the type of NAT router yours is, it would help to know the brand and model it is - if you did not post already.

f) If the WAN IP was not any of those, it would be a good idea to check to see why the non-bogon IP Address is not the same (and not NAT). If you need help finding why that is, you are to ask for help doing so.

************* Pre-check item four  ***************

When forwarding manually remember to forward to your local IP Address, that is unless you are trying to forward to some other computer (example: to an Xbox).

So if you get output...

IP Address 192.168.1.6
Subnet Mask 255.255.255.0
Default Gateway 192.168.1.1
At least one DNS 192.168.1.1

-> you would forward to 192.168.1.6

*** Rest of directions **

#1 If asked for a remote/source IP Address it goes like this.

a) Let us say that the fictional IP Address of 999.888.777.666 existed ( I can assure you it does not, as IPv4 is only 0.0.0.0 to 255.255.255.255 and IPv6 is all hex with colons between ), it was mine, I did not share my connection with others (parents/son/daughter), and you wanted to only allow me to connect through your NAT router to your computer - then in that case you would type in 999.888.777.666

b) If you do not want to allow only a certain IP Address (OR IP Address Range) to connect to you, it has to be either blank (not filled in) OR, if you cannot leave it blank, then it has to be 0.0.0.0

#2 From DSLR (dslreports.com) -> Forums -> Broadband and Networking -> Networking -> How to know if ports are reaching my computer from outside the post by DSLR user mackey (user # 1479488) on 2015-Sep-24 at 8:05 pm - if you wanted to test port 5154, besides using an inbound client side port checker:

Quote
Run tcpdump (`tcpdump -p -n -i <interface> port 5154` would be a good command to start with). If you see incoming TCP SYN packets (not SYN/ACK), or incoming UDP packets from an IP which did not have an outgoing packet first, then the port is open.

b) For tcpdump on Windows I found this info https://uwnthesis.wordpress.com/2014/05/26/windump-how-to-use-windump-tcpdump-on-windows-7-the-visual-guide/

#3 For a TCP and a UDP port checker you can use https://www.ipfingerprints.com/portscan.php

#4 Using a packet sniffer (like tcpdump = command line / like wireshark = GUI) you should see the traffic from an outside IP address reaching your computer, like I did (when you are forwarding the ports to your computer).

Code:
    user-name@pc-name:~$ tcpdump -p -n -i eth0 port 5154
    tcpdump: eth0: You don't have permission to capture on that device
    (socket: Operation not permitted)
    user-name@pc-name:~$ sudo tcpdump -p -n -i eth0 port 5154
    [sudo] password for user-name:
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:40:24.169428 IP 192.168.2.138.50157 > 192.168.2.255.5154: UDP, length 6
    08:42:15.839461 IP 4.79.142.206.37174 > 192.168.2.138.5154: Flags [S], seq 1464127243, win 8192, options [mss 1460], length 0
    08:49:05.773987 IP 90.145.69.116.51145 > 192.168.2.138.5154: UDP, length 0
    08:49:06.938818 IP 90.145.69.116.36530 > 192.168.2.138.5154: UDP, length 0
    08:57:57.580814 IP 198.199.98.246.42092 > 192.168.2.138.5154: Flags [S], seq 3027635480, win 14600, options [mss 1460,sackOK,TS val 4240686068 ecr 0,nop,wscale 8], length 0
    08:57:57.712334 IP 198.199.98.246.42093 > 192.168.2.138.5154: Flags [S], seq 1267700791, win 14600, options [mss 1460,sackOK,TS val 4240686102 ecr 0,nop,wscale 8], length 0
    08:57:57.840328 IP 198.199.98.246.42095 > 192.168.2.138.5154: Flags [S], seq 1515263633, win 14600, options [mss 1460,sackOK,TS val 4240686134 ecr 0,nop,wscale 8], length 0
    ^C
    7 packets captured
    7 packets received by filter
    0 packets dropped by kernel
    user-name@pc-name:~$


#5 Some notes about my testing..

a) 192.168.2.138.50157 is from this same computer.

b) As noted at grc.com -> Services -> Shield's Up they own 4.79.142.192 -thru- 4.79.142.207.

c) I believe 198.199.98.246 is from http://www.yougetsignal.com/tools/open-ports/ as it only checks TCP ports.

d) As you can see, I checked port 5154.

#6 The only UDP ports that grc.com checks, that I know of, are:

a) DNS (53) grc.com -> Freeware -> Utilities -> DNS Benchmark -> DNS Spoofability Test Introduction (or grc.com -> Services -> DNS Spoofability Test)

b) Universal Plug n'Play (UPnP) = 1900

https://www.grc.com/port_5000.htm

From grc.com -> Services -> Shield's Up: Click on Proceed and then GRC's Instant UPnP Exposure Test.

#7 Here are some notes about listening:

Quote

a) If you are on Windows I point you to http://www.howtogeek.com/howto/28609/how-can-i-tell-what-is-listening-on-a-tcpip-port-in-windows/

b) If you are not on Windows (Mac, Unix/Linux), go look up "listen on port" and then your OS name using Google (or your other favorite search engine).

c) If nothing is listening on the TCP ports that you check with a web-based port checker, then those TCP ports do not show up as open.

d) Be advised that you cannot have two servers listening on the same port on the same computer. So for example before you use an inbound client-side port checker you must make sure that uTorrent is not running - which explains why on http://portforward.com/softwareguides/utorrent/utorrent.htm they say

Quote
If uTorrent is currently open, you will need to completely close it at this time. Make sure that the green uTorrent icon is not still hiding in your notification area (next to your clock). If it is, right click on it and choose "Exit". Before moving forward to things like selecting torrents, seeders, and leachers, we need to verify that your port is open. We recommend downloading our free Open Port Check Tool to test if incoming connections are being allowed through your router on your uTorrent Listening Port

e) And generally if the program/app is running that you are trying to forward for, then the server is listening.

#8 Here are some catches about ping:

a) If the server that you forwarded requires that you reply to ping, well then you must enable responding to ping in the NAT router.

b) If the server that you forwarded does not require that you reply to ping, well that depends on another factor..

As to what that other factor is, I point to and quote the post by nwrickert (DSLR user #1070900) in DSLR (dslreports.com) Forums >Broadband Tech > Security > Security > DMZ and portforwarding are equally dangerous? on 2010-08-21 at 13:53:23.
Quote
Quote
While he tells people that responding to ping is dangerous, he replys to ping.

That's a pretty minor point. The reason some people prefer to not respond to ping, is to avoid demonstrating their presence on the net. Gibson has a public site whose presence on the net is well known, so that reason for not responding to ping simply does not apply.

While Steve Gibson does sometimes say some useful things, he mostly seems to be making mountains out of molehills

Note: Sorry for my misspelling, I meant replies.

c) There are certain troubleshooting tools that require that you reply to ping.

For example if you wanted to use the following tool(s) at DSLR (dslreports.com) -> Tools: Smokeping, Line quality - Ping Test, and for 24x7 Line Monitoring...

d) If the ports are open (this means not just in the NAT router) but the program/app does not work: I have an odd feeling that with this server, you must reply to ping.

#9

You must provide to users from the outside either your non-bogon IP Address or DDNS.

As for what DNS is, here is the simplest possible version of how it works.

Quote
I know of a given domain name. What is their IP Address for that domain?

The first D in DDNS means/allows you to have a domain name that follows your non-static non-bogon IP Address. Which is a lot easier to provide, and normally most people use DNS rather than the IP Address for the content servers that they want to connect to.. ;)

** End Copy and paste answer **

Unless I am missing something, you missed a number. Oops.

You have both a RJ-45 WAN port NAT router and modem combo.

Now on to your questions..

#1

a) As long as the two NAT routers are not connected LAN to LAN port (setup as a hub/switch/WAP), yes you may leave the DHCP Server in both enabled.

Because..

Quote

a) #1 If no DHCP Server is found, the computers generate a random IP Address starting with 169.254.

#2 As far as I know, you cannot have two DHCP Servers in the same subnet (LAN to LAN port).


b) For IP Address(es), yes, somehow they must be different. For example one at 192.168.254.254/24 and the other at 192.168.0.1/24.

#2 For setting a Static IP Address(es) there are two ways of doing it, manual / DHCP.

Quote
For Manual Static IP it goes like this.

#1 In NAT router you must find the DHCP Range.

#2 You must make sure that the DHCP Range does not occupy the whole subnet.

#3 If the DHCP Range occupies the whole subnet, you must make it smaller.

For example with the NAT router at 192.168.254.254 and if the DHCP Range was 192.168.254.1 to 192.168.254.253, you could make it 192.168.254.100 to 192.168.254.200.

#4 On the computer OR NAT router you setup a Static IP outside of that DHCP Range.

For example since the NAT router at 192.168.254.254 and since the DHCP Range is 192.168.254.100 to 192.168.254.200, then a Static IP outside of the DHCP Range is 192.168.254.6

--
For DHCP Static IP.

#1 You must find this feature if your NAT router supports it (not all of them do).

#2 Basically you are going to tell the NAT router to hand out the same IP Address each time to a given client.

For example to physical/MAC/Hardware Address 00:00:00:00:AA:A0 give it 192.168.254.6.

#3 Also please note that not all NAT routers support it the same way. Inside of the DHCP Range, outside of the DHCP Range or does not matter inside or outside of the DHCP Range.


#2 One of the issues is that you must forward the ports twice (or DMZ in the primary NAT router to the WAN IP of the second NAT Router).

#3 Unknown how, since this is what I have:

Quote

#1 Provider has underground wire, that wire enters this house and hits the first splitter.

#2 That splitter splits it three ways.

a) One wire goes to the Internet Modem (not modem combo) = Motorola SB6141 - and that in turn is connected to my RJ-45 WAN Port NAT router with my computers behind it by wire or wireless (or both).

b) Second goes to Phone Modem (with only TV wire, phone wire & power supply connected to it - and is hanging on a wall). = Arris TM602G/115

c) Third is for TV..


#4 To find out the setting for that in the second NAT router: Do you have more than one game console that you currently or ever want them connected to the Net?

#5 Second NAT router behind primary, I sort of answered that already.

b) For WAN Connection, the one that is handling the Public Address.

c) Unsure what you meant by, MAC : ON.

Guessing..

Quote

a) Physical/MAC/Hardware Address spoofing/cloning?

b) If that is in the forwarding/DMZ page and it is NOT a Physical/MAC/Hardware Address spoofing/cloning feature, then it might be possible to tell the NAT router to forward to that Physical/MAC/Hardware Address even if the IP Address of that device is not somehow static.


#6  If the only wires that are going to be connected to the primary NAT router are: Power, DSL and the WAN port of the second NAT router, yes.

While you do not want to set up the second NAT router as a hub/switch/WAP, you could set the modem to bridged mode (set it up to act as if it were only a modem).

b) If you change your mind and set the modem to bridged mode, I strongly suggest disabling the wireless in the modem combo.

#7 I believe I covered that already.

a) PPPoE as normal for the WAN connection in the ISP supplied modem combo.

b) As normal that includes: DHCP-PPPoE or Static-PPPoE (with the settings provided by the ISP).

c) Different LAN subnets for both NAT routers. For example one at 192.168.254.254/24 and the other at 192.168.0.1/24

d) Static IP setup somehow. That is unless you can tell the NAT router to always forward/DMZ to a certain physical/MAC/Hardware Address (guess b for feature MAC : ON).
« Last Edit: May 03, 2019, 07:26:42 PM by trpted »
Private messages (PM) are not for support questions or for hints to not yet answered topics. The PMs are basically for confident conversation between the users, off the forum.
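As an added example (not part of the post or of the quoted DSLR advice), the "port is open" rule from mackey's quote and the notes on the capture, applied to tcpdump -n lines: a bare inbound SYN, or an inbound UDP packet from a peer this host did not contact first, counts as proof the forwarded port is reachable. It assumes the same host 192.168.2.138 and port 5154 as the capture; the three extra sample lines are constructed.

```python
import re
from collections import defaultdict

# Shape of a "tcpdump -n" line: "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")


def classify_capture(lines, local_ip, port):
    """Apply the quoted 'port is open' rule to tcpdump -n output.

    Returns (evidence, outgoing): evidence maps each outside source IP to the
    protocols ("tcp"/"udp") whose packets prove the port is reachable from the
    Internet; outgoing is the set of peers this host sent a packet to first.
    """
    evidence = defaultdict(set)
    outgoing = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompts, ^C, the "packets captured" summary
        src, _sport, dst, dport, rest = m.groups()
        if src == local_ip:
            outgoing.add(dst)  # we spoke first; any answer from dst is a reply
            continue
        if dst != local_ip or int(dport) != port:
            continue
        if rest.startswith("Flags ["):
            flags = rest[len("Flags ["):rest.index("]")]
            if flags == "S":  # a bare SYN is an inbound connect; "S." is a SYN/ACK
                evidence[src].add("tcp")
        elif rest.startswith("UDP") and src not in outgoing:
            evidence[src].add("udp")  # unsolicited datagram reached the port
    return dict(evidence), outgoing


# Four lines from the capture in the post above, plus three constructed lines
# (a SYN/ACK and a UDP request/reply pair) to show what the rule ignores.
CAPTURE = """\
08:40:24.169428 IP 192.168.2.138.50157 > 192.168.2.255.5154: UDP, length 6
08:42:15.839461 IP 4.79.142.206.37174 > 192.168.2.138.5154: Flags [S], seq 1464127243, win 8192, options [mss 1460], length 0
08:49:05.773987 IP 90.145.69.116.51145 > 192.168.2.138.5154: UDP, length 0
08:57:57.580814 IP 198.199.98.246.42092 > 192.168.2.138.5154: Flags [S], seq 3027635480, win 14600, options [mss 1460,sackOK,TS val 4240686068 ecr 0,nop,wscale 8], length 0
08:58:00.000000 IP 203.0.113.5.443 > 192.168.2.138.5154: Flags [S.], seq 1, ack 2, win 65535, length 0
08:58:01.000000 IP 192.168.2.138.5154 > 203.0.113.9.5154: UDP, length 4
08:58:02.000000 IP 203.0.113.9.5154 > 192.168.2.138.5154: UDP, length 4
^C
7 packets captured
""".splitlines()

if __name__ == "__main__":
    evidence, outgoing = classify_capture(CAPTURE, "192.168.2.138", 5154)
    for ip, protos in sorted(evidence.items()):
        print(f"{ip}: port 5154 reachable over {', '.join(sorted(protos))}")
    print("peers we contacted first:", sorted(outgoing))
```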

Offline trpted

  • PcWinTech Guru
  • Join Date: Sep 2011
  • Posts: 1,190
  • Karma: 37
Re: Help in checking DMZ setup between 2 routers.
« Reply #2 on: May 04, 2019, 05:53:38 AM »
While I can re-edit my post above, I will post more info and corrections.

#1 Issue one

Router 2 (TP-Link AC2300)

WAN IP Address: (what to put)
Gateway: (what to put?)
Primary DNS Server:  (what to put)

**


#1 WAN IP Address = covered already if either:

a) The modem combo is in router mode

b) OR if the modem combo is in bridge mode and you want to access the modem combo.

c) Note Covered already for Internet Connection (do not setup a Static IP outside of RFC 1918. Pure Static or any other Static other than pure Static.[ ex PPPoE-Static.])

#2 Missing Subnet Mask or slash notation, oops.

255.255.255.0 the same as the modem combo's LAN IP if either:

a) The modem combo is in router mode

b) OR if the modem combo is in bridge mode and you want to access the modem combo.

255.255.255.0 = /24

#3 Gateway = covered already if either:

a) The modem combo is in router mode.

b) OR if the modem combo is in bridge mode and you want to access the modem combo.

c) Note Covered already for Internet Connection (do not setup a Gateway that outside of RFC 1918 for any other Static other than pure Static.[ ex PPPoE-Static.])

#4 DNS Server (or Servers) =

a) At least one but typically two.

b) At first you may want to use the same DNS info that the NAT router provided to you (either via DHCP from behind the NAT router or via the router's Status screen where the WAN IP, Subnet Mask, Default Gateway, and at least one DNS Server was provided).

c) Once you know the connection is working with most ISPs you are allowed to change it to some other DNS Server.

Examples..

Quote
a) the third party DNS Server provider OpenDNS.

b) your own local DNS Server behind the NAT router.

--

Issue two: Correction on two DHCP Servers enabled or not.

While I said
Quote

As long as the two NAT routers are not connected LAN to LAN port (setup as a hub/switch/WAP), yes you may leave the DHCP Server in both enabled.

slight tiny correction.

If you change your mind and want to put the modem combo into bridge mode, I suggest that you disable the DHCP Server in the modem combo.

Sure, for me while I had DSL and a pure Static IP with my modem combo in bridge mode and its DHCP Server was enabled once, there was a delay in connecting. While I do not recall what that exact delay was, I will use an example instead.

a) DHCP Server disabled in the modem combo = up to 30 seconds after the DSL light on the DSL modem stopped flashing I could go places and do things online.

b) DHCP Server enabled in the modem combo = up to 1 minute after the DSL light on the DSL modem stopped flashing I could go places and do things online.

Unknown what would happen on anything other than pure Static IP..

#3 Issue three.

For Voip you can go to DSLR (or some other website with message boards), then either find the general networking board or the Voip board if they have one (not talking about DSLR's boards since I know that they have both of those in there) and ask them.
« Last Edit: May 04, 2019, 06:10:37 AM by trpted »
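An added check (not from the thread) that applies the address rules from this reply and the one above to a router-behind-router plan: it labels a WAN IP the way pre-check three does (CGNAT, RFC 1918, link-local or public), and verifies that router 2's static WAN address sits in router 1's LAN but outside its DHCP pool, that the two LAN subnets differ, that each DHCP range fits its subnet, and that the DMZ entry in router 1 is router 2's WAN address. The 192.168.254.6 static address and the 192.168.0.10 DMZ entry are the values from the thread.

```python
import ipaddress

# Ranges the reply uses to read a NAT router's WAN IP.
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598: CGNAT/NAT444/LSN
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # no DHCP server answered


def classify_wan_ip(ip):
    """Label a WAN IP the way pre-check three does."""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in n for n in RFC1918):
        return "rfc1918"  # another NAT device sits upstream of this router
    if addr in LINK_LOCAL:
        return "link-local"
    return "public"


def check_plan(r1_lan, r1_dhcp, dmz_host, r2_wan, r2_lan, r2_dhcp):
    """Return the problems found in a router-behind-router address plan.

    r1_lan / r2_lan: each router's LAN address in slash notation.
    r1_dhcp / r2_dhcp: (first, last) of each router's DHCP range.
    dmz_host: the DMZ target configured in router 1.
    r2_wan: the static address given to router 2's WAN port.
    """
    problems = []
    r1, r2 = ipaddress.ip_interface(r1_lan), ipaddress.ip_interface(r2_lan)
    wan, dmz = ipaddress.ip_address(r2_wan), ipaddress.ip_address(dmz_host)
    # the two LANs must be different subnets, otherwise routing between them breaks
    if r1.network.overlaps(r2.network):
        problems.append(f"LAN subnets overlap: {r1.network} and {r2.network}")
    # one DHCP server per subnet; its range must fit the subnet and spare the gateway
    for name, iface, (lo, hi) in (("router 1", r1, r1_dhcp), ("router 2", r2, r2_dhcp)):
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo not in iface.network or hi not in iface.network or lo > hi:
            problems.append(f"{name}: DHCP range {lo}-{hi} does not fit {iface.network}")
        elif lo <= iface.ip <= hi:
            problems.append(f"{name}: DHCP range {lo}-{hi} includes its own {iface.ip}")
    # router 2's WAN address lives in router 1's LAN, outside router 1's DHCP pool
    lo, hi = (ipaddress.ip_address(a) for a in r1_dhcp)
    if wan not in r1.network:
        problems.append(f"router 2 WAN {wan} is not in router 1's LAN {r1.network}")
    elif wan == r1.ip:
        problems.append(f"router 2 WAN {wan} collides with router 1's LAN address")
    elif lo <= wan <= hi:
        problems.append(f"router 2 WAN {wan} is inside router 1's DHCP range {lo}-{hi}")
    # the DMZ entry in router 1 must point at router 2's WAN address, not its LAN side
    if dmz != wan:
        problems.append(f"DMZ host {dmz} must equal router 2's WAN address {wan}")
    return problems


# The plan from the thread: modem combo at 192.168.254.254/24, TP-Link LAN at
# 192.168.0.1/24, DHCP pools .100-.200, static WAN address 192.168.254.6 as the
# reply suggests, and the 192.168.0.10 DMZ entry from the original post.
OP_DRAFT = dict(r1_lan="192.168.254.254/24", r1_dhcp=("192.168.254.100", "192.168.254.200"),
                dmz_host="192.168.0.10", r2_wan="192.168.254.6",
                r2_lan="192.168.0.1/24", r2_dhcp=("192.168.0.100", "192.168.0.200"))
CORRECTED = dict(OP_DRAFT, dmz_host="192.168.254.6")

if __name__ == "__main__":
    print(classify_wan_ip("100.64.1.2"), classify_wan_ip("192.168.254.6"))
    print(check_plan(**OP_DRAFT))   # the DMZ entry points into the wrong subnet
    print(check_plan(**CORRECTED))  # []
```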

Offline Rashowwy

  • PcWinTech Jr. Member
  • Join Date: May 2019
  • Posts: 2
  • Karma: 0
Re: Help in checking DMZ setup between 2 routers.
« Reply #3 on: May 08, 2019, 12:10:29 AM »
I am very interested in this matter. But still did not get into something
