3 routers network config rewiev

[Mr_KoKa]

I had newer done network configuration beyond 1 router so I would like to ask if these configurations are right. First I had this:

All rotuers connected to eachother lan to lan, and dhcp only on the "internet" router. I had access to all 3 routers config from my pc and upnp worked.

The only thing I wanted to try was QOS on router where pc is connected, but QOS works only on WAN so I made this:

 

Now internet router connects to the pc router lan to wan, to make upnp work i had to do dmz (internet router has no bridge mode available), that is my first concern but I think it is ok?

After setting dmz for the pc router I disabled upnp on internet router and enable upnp on pc router.

And all I wanted is still working, I can access configs of all 3 routers and upnp works, the question is, are those 2 configs correct, or should it have been done differently?

 

As of router on the left of the diagrams I don't care about it too much, its just a wifi for phones.

[VectorTech]

24 minutes ago, Mr_KoKa said:

-snip-

What is the use case that requires you to utilize three WiFi routers (all broadcasting their own SSIDs) opposed to just additional Wireless Access Points?

There's plenty of room in this setup for things to be misconfigured or just not work properly.

[jagdtigger]

Not to mention the OP should disable UPNP ASAP..... Its one hack of a gaping hole in network security and does not worth the small convenience it provides.

[VectorTech]

31 minutes ago, Mr_KoKa said:

-snip-

This is what I would do, assuming you need to have three AP's and two SSID's for a home network and for a guest / dmz / untrusted device network.
 

 

As far as products to achieve this go I would recommend the following;

 

TP Link Omada AC1350 x (however many AP's you want)

TP Link 5 Port POE Switch

 

and you can use any home router that supports multiple SSID's / a primary SSID and a DMZ.

[Mr_KoKa]

ye you're right I should give you some more details on use case,

the router on left is wifi 2.4ghz router at 20% transmition power,

the middle router is just does as a modem really, it has wifi turned off, but it's only thing i can attach LTE external antennas, I cannot use it's wifi because it makes phones to drain battery and instaed phone holding 4 days it holds less than one, idk why that is but adding that one router fixed it, i have two of these lte routers (separate devices, two different networks) and they both cause my phone to drain battery.

the last one router on the right is new wifi 6 router i want to be connected directly to it because the plan is to user quest 2 with it wirelessly, pc is wired to it.

 

I could get try and see if my phone is not unhappy with new wifi 6 router and make it also do 2.4 GHz wifi and it might not influence gameplay streaming on vr headset.

 

So what I thought i'm just redirect all internet incoming trafic to the router wher epc is connected and it will figure upnp that way, I don't need upnp on my phones. Without setting DMZ i'm behind double NAT, right? I had to forward port from LTE router to wifi6 router and from wifi router to PC

 

But if DMZ is wrongly applied here then I can disable it and forward ports manually on both rotuers, and also disable upnp and pick constant port for teredo so it wont use upnp and forward that manually

 

My main question for now is, does DMZ set up like i did makes jus tso wifi 6 router is exposed to internet like LTE router was before, and disabling DMZ would just change which router is exposed?

I really would like to know if first configuration diagram with "all lan" is correct, as I might just get back to that config at some point

 

 

[Donut417]

4 hours ago, Mr_KoKa said:

double NAT, right?

No your likely on Triple NAT. Most cellular providers dont provide a public IPv4 address, I would assume unless you are paying for the privilege. 

[Mr_KoKa]

Ye I'm paying, forgot about that 3rd possible nat and assumed just my routers at home

[Falcon1986]

11 hours ago, Mr_KoKa said:

Ye I'm paying, forgot about that 3rd possible nat and assumed just my routers at home

To me, this is an unnecessarily complicated setup. I wouldn’t have set it up in this way.

 

The ‘left’ and ‘right’ routers should NOT be running in router mode, especially because they’re on the same subnet; they should be running in AP mode. Then you don’t have to worry about DMZ/firewall/QoS as these things would be managed by the central router.

[Mr_KoKa]

left router cannot be run in AP mode, right can but I'm not sure if QOS is ran then, would have to check

last time (first diagram) QOS was not working if internet connection was via lan port instead of wan port

 

only router on the right is capable of QOS, and only middle one is capable of LTE, the left one is redundant but it works for now.

 

From what I have read by a quick google QOS works only on wan

[Donut417]

25 minutes ago, Mr_KoKa said:

From what I have read by a quick google QOS works only on wan

That may be but you want 3 layers of NAT? 

[Lurick]

33 minutes ago, Mr_KoKa said:

From what I have read by a quick google QOS works only on wan

QoS is ignored on the WAN from your LAN.

[Mr_KoKa]

First layer of nat from LTE is taken cared of by paying for public ip, so ther ei sno nat there (or is it but just forwarded/different type?)

 

Then I'm left with 2 layers of nat, one on LTE router and another where LTE router connects to WAN port.

 

So its not that I want that second nat, but since qos requires me to connect internet to wan port the second nat is side effect of that.

To skip LTE router nat I do DMZ and pointing the QOS router.

 

I might not understand DMZ, but isn't that just like forwarding all ports to one ip?

And then is it much different than just connecting QOS router to internet directly? (which I would do if I could but I have to use LTE part of first router)

 

8 minutes ago, Lurick said:

QoS is ignored on the WAN from your LAN.

I don't know if I understood you, but I know that QOS only works for devices connecting to the QOS router, I know it wont make any change for devices connected directly to LTE router or router on the left.

[Lurick]

Just now, Mr_KoKa said:

I don't know if I understood you, but I know that QOS only works for devices connecting to the QOS router, I know it wont make any change for devices connected directly to LTE router or router on the left.

Correct, I thought you were trying to say QoS would work past your router onto the internet. QoS is only going to work where it's honored on the local network.

[jagdtigger]

10 minutes ago, Mr_KoKa said:

So its not that I want that second nat

Cant you just add static routes? In that case only the main LTE router would do NAT, after setting up the static routes you can disable nat and firewall  on the rest of the routers.

[Mr_KoKa]

1 minute ago, jagdtigger said:

Cant you just add static routers? In that case only the main LTE router would do NAT, after setting up the static routes you can disable nat and firewall  on the rest of the routers.

What would that require? I have my WAN connection type set to static ip 192.168.8.50

but turning off NAT makes me unable to reach LTE router (no ping to router reaches, no internet)

[jagdtigger]

23 minutes ago, Mr_KoKa said:

What would that require? I have my WAN connection type set to static ip 192.168.8.50

but turning off NAT makes me unable to reach LTE router (no ping to router reaches, no internet)

Because without NAT the main LTE router does no know what to do with traffic destined to the subnet behind the 2nd router. It does not "know" it exists and that it should use the 2nd router as a gateway to it. This is for ddwrt but the setup should be similar on every router:
https://wiki.dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes

[Mr_KoKa]

3 minutes ago, jagdtigger said:

Because without NAT the main LTE router does no know what to do with traffic destined to the subnet behind the 2nd router. It does not "know" it exists and that it should use the 2nd router as a gateway to it. This is for ddwrt but the setup should be similar on every router:
https://wiki.dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes

I think I won't be able to do that with the LTE router, just to be sure, the static route would have to be set on LTE router and point to QOS router?

that LTE router is very modest in configuration options.

[jagdtigger]

5 minutes ago, Mr_KoKa said:

just to be sure, the static route would have to be set on LTE router and point to QOS router?

Yes.

 

5 minutes ago, Mr_KoKa said:

that LTE router is very modest in configuration options.

If a crappy tplink router had that option it would be a pretty bad omen if that LTE thingy does not have it...

[Mr_KoKa]

6 minutes ago, jagdtigger said:

Yes.

 

If a crappy tplink router had that option it would be a pretty bad omen if that LTE thingy does not have it...

ye, its huewei 525s-25a, it has least options of the 3 but is the only one with LTE support (modem and external antennas),

so in that case would the dmz be ok to use? or will it cause performance/security issue?

[Donut417]

7 minutes ago, Mr_KoKa said:

ye, its huewei 525s-25a, it has least options of the 3 but is the only one with LTE support (modem and external antennas),

so in that case would the dmz be ok to use? or will it cause performance/security issue?

You could always see if the LTE router has bridge mode or IP pass thru mode. That essentially will make it in to a standard modem and then you can hook up your fancy router with QoS with out extra layers of NAT. 

[jagdtigger]

13 minutes ago, Mr_KoKa said:

ye, its huewei 525s-25a, it has least options of the 3 but is the only one with LTE support (modem and external antennas),

Didnt found anything useful, maybe your ISP could help...   I hate ISP provided equipment, more often than not its some customized e-waste without any info floating around the net. And even if it is a standard thingy they can sill screw you by disabling the webui(<- my ISP does this with the cable modem they provided).

[Mr_KoKa]

no i had to buy that one ISP did not provide anything with external GSM antennas. From ISP I got usb stick ;]

[Donut417]

1 minute ago, Mr_KoKa said:

no i had to buy that one ISP did not provide anything with external GSM antennas. From ISP I got usb stick ;]

See if you had the USB stick, the router I have the Synology RT2600 AC could use that via its USB port. On top of the fact the router can dedicate or limit bandwidth per device. Its kinda neat, I dont use the feature but its kinda neat. The problem is many LTE gateways are just limited if they come from the ISP or not. 

[Mr_KoKa]

1 minute ago, Donut417 said:

See if you had the USB stick, the router I have the Synology RT2600 AC could use that via its USB port. On top of the fact the router can dedicate or limit bandwidth per device. Its kinda neat, I dont use the feature but its kinda neat. The problem is many LTE gateways are just limited if they come from the ISP or not. 

Nah, I use external antenna on cable connected to lte router, usb stick modem has no antenna port

[Donut417]

Just now, Mr_KoKa said:

Nah, I use external antenna on cable connected to lte router, usb stick modem has no antenna port

I didnt say the USB stick had antenna ports,  but the fact is the USB stick would be easier to use, because there are good routers that do offer LTE connectivity via the USB port. LTE Gateways like you have are limited and you will likely never be able to properly configure thru double NAT. So I hope you dont plan to game or host any servers because that likely is going to be very difficult or impossible in the configuration you choose to use.