wayjac
Premium
join:2001-12-22
Indy
IP Passthrough and DMZ

I get the impression that the forum posters frown upon the use of "IP Passthrough". I would like to know the reasons for this.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

When normally configured, your router provides Network Address Translation and Port Address Translation (NAT & PAT). I'm not going to call this a 'firewall' but it does provide machines connected behind it some level of protection in that the machine is not entirely and directly exposed to the internet.

When you use the so called 'DMZ' or 'IP Passthrough' features, the target machine loses all benefits of NAT & PAT. This approach does simplify things in that port forwarding is no longer required - everything just works. But the downside is huge.

Also, the concept of DMZ here is completely bogus in that your entire network is at risk if the DMZ'd machine becomes compromised.

A real DMZ is a separate network with the firewall in between the DMZ network of machines, and the LAN. Real DMZ capability is available on real routing code types of firewalls, but not these cheap home routers. If you want this or need it, it's easy enough to get.
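
As an added example (not part of the original thread or any vendor's firmware), the toy model below makes the exposure difference in the post above concrete: it shows which unsolicited inbound ports reach a LAN machine with plain NAT/PAT plus one port forward, versus with a "DMZ"/"IP Passthrough" host set. The class, addresses and ports are constructed for illustration, and the reply-matching rule is a simplification of real NAT behaviour.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified model of a home router's inbound handling. All addresses, ports
# and names are constructed for this example; real firmware differs in detail.
@dataclass
class HomeRouter:
    wan_ip: str
    port_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                      # "DMZ"/"IP Passthrough" target
    conntrack: dict = field(default_factory=dict)      # wan_port -> (lan_ip, lan_port, remote)
    next_port: int = 40000

    def outbound(self, lan_ip, lan_port, remote):
        """PAT: a LAN host opens a flow; the router allocates a WAN port for it."""
        wan_port = self.next_port
        self.next_port += 1
        self.conntrack[wan_port] = (lan_ip, lan_port, remote)
        return wan_port

    def inbound(self, remote, wan_port):
        """Return the (lan_ip, lan_port) a WAN packet is delivered to, or None if dropped."""
        entry = self.conntrack.get(wan_port)
        if entry and entry[2] == remote:       # reply to a flow a LAN host started
            return entry[0], entry[1]
        if wan_port in self.port_forwards:     # explicit exposure of a single port
            return self.port_forwards[wan_port]
        if self.dmz_host:                      # catch-all: every remaining port
            return self.dmz_host, wan_port
        return None                            # unsolicited traffic stops at the router

def exposed_ports(router, probe_ports, remote=("198.51.100.7", 55555)):
    """Map each unsolicited probe that gets through to the LAN endpoint it reaches."""
    hits = {}
    for port in probe_ports:
        target = router.inbound(remote, port)
        if target is not None:
            hits[port] = target
    return hits

PROBES = [22, 80, 445, 3389]   # constructed sample of commonly scanned ports
nat_only = HomeRouter("203.0.113.10", port_forwards={80: ("192.168.1.20", 8080)})
dmz_mode = HomeRouter("203.0.113.10", dmz_host="192.168.1.20")

if __name__ == "__main__":
    print("NAT + one forward:", exposed_ports(nat_only, PROBES))
    print("DMZ host set:     ", exposed_ports(dmz_mode, PROBES))
```

With the forward alone, only port 80 is reachable; with the DMZ host set, every probed port lands on the same LAN machine, which shares a subnet with the rest of the network.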


wayjac
Premium
join:2001-12-22
Indy
So IP Passthrough and DMZ are ok when implemented on a router/modem connected to a router?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

You're missing the point. Nothing is accomplished by putting a machine in DMZ or Passthrough if that machine is behind more than one router.

Do yourself a favor and don't use these features until you understand the problems they also introduce.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T Midwest

reply to wayjac
You might be missing some context.

Most bellsouth users have Westell modems. Most Ameritech users have Speedstream modems.

The Westell modems are often fully fledged routers in their own right, and using them with IP pass through makes little sense. The speedstream modems are crippled routers, so using IP passthrough has some benefits when connected via a real router.

I am currently using a Westell 327w, though in Ameritech territory. I cannot think of any reason to use IP pass through, except perhaps out of curiosity to see how it works. I also have a Speedstream 5100b as a spare modem, and that is configured for IP pass through (gives the best results that way).
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.14


wayjac
Premium
join:2001-12-22
Indy
Here's the setup I have, a bellsouth 2210 modem and a linksys wrt54g router.
I configure the 2210 for PPPoE and ip passthrough or dmz


wayjac
Premium
join:2001-12-22
Indy
reply to nwrickert
I didn't want to include att/sbc speedstream modems in this discussion.
Bellsouth modems are router and modem, and usually connected to a second router.


ropeguru
Premium
join:2001-01-25
Hollywood, FL

edit:
May 6th, @04:54PM

reply to wayjac
Save yourself a lot of headache and just setup the 2210 in bridged mode and let your linksys do the PPPoE and get the external IP. Even when ip passthrough is enabled or you setup the DMZ, some applications just don't like it.

Canezoid

join:2001-02-16
Powder Springs, GA
reply to wayjac
Are you trying to setup something for a gaming issue?

Just curious.


wayjac
Premium
join:2001-12-22
Indy
·AT&T Midwest

Thanks for the reply......
I'm not trying to setup something for a gaming issue or asking for advice.

Perhaps I should rephrase the question
Bellsouth modems are also routers, yet the advice given is to "bridge it" ignoring any other options.

NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC

reply to ropeguru
said by ropeguru:

Save yourself a lot of headache and just setup the 2210 in bridged mode and let your linksys do the PPPoE and get the external IP. Even when ip passthrough is enabled or you setup the DMZ, some applications just don't like it.
Although wayjac doesn't want to hear about the SBC SpeedStream modems, I'd like to weigh in with my experience. Putting my SS4100 modem in "PPPoE on the modem, use a public IP address" worked for me, and is comparable to the IP passthrough. The only problem I encountered was that every time I reset my router, I forced a new IP address, and that required a number of other steps to get my mail server on track again.

I am currently using "PPPoE on the modem, use a private IP address". The result is "cascaded NAT".

Now I've learned that you AT&T Southeast folks have your own way of doing things, primarily based on the nature of the CPE issued by Bellsouth. But SBC issued equipment with a different configuration, and we have actually figured out how to make things work with the SBC issued CPE. For those of us with single user modems, even with limited router functions, adding a router was necessary for IP sharing because the SpeedStream modems, being crippled routers, were no good at IP sharing. For us, cascaded NAT has rarely been a problem, and bridging the modem is usually a last resort, not a first resort.

It appears that wayjac has decided to become a Lab Rat, and try to mix BS CPE in an old SBC region, and is merely trying to find a new way of doing things.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Canezoid

join:2001-02-16
Powder Springs, GA
·AT&T Southeast

It basically boils down to the same result, maybe just different wording. The issue of bridging of AT&T SE CPE gateways is usually the result of a sub using a 3rd party router, aka Linksys and not understanding the NAT'g of the 2 devices when they are in series and not being able to configure either device correctly, hence they can't surf, game or whatever.

I'm not really sure what the gist of the question is. Yes, Bellsouth CPE are "routers", they have DHCP functions, most ISP issued equipment will nowadays. The "advice" of bridging is only given as per what I said above. It's not that "other" functions are being ignored, it's just what's done sometimes.

Mixing equipment between ISP areas would usually only require the VPI/VCI settings to be reconfigured, has nothing to do w/ IP Passthrough.


wayjac
Premium
join:2001-12-22
Indy
·AT&T Midwest

Thanks for the reply.
With 2wire, speedstream and a few others, reconfiguring vpi/vci is not needed; they "autoconfigure".

The 2701HG-B has a PVC list:
8/32, 8/35, 8/37, 8/38, 8/81, 0/32, 0/35, 0/38, 0/105, 0/100
The user can set the vpi/vci to 88/332 and the modem will detect and use the vpi/vci if it's on the list.


NetFixer
From my cold dead hands
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage
·Comcast


edit:
May 8th, @03:13PM

reply to wayjac
It is not entirely clear to me exactly what you want to know, or if this thread is just intended to provoke AT&T SE/BellSouth users. I am going to make a guess that you are asking why do AT&T SE/BellSouth users prefer to use the AT&T SE/BellSouth provided modem/routers in bridge mode if they are to be used as the head end for another router.

My motto is that a picture is worth at least 1000 words, so here is a picture showing a Westell 6100 in both modes. The IP Passthrough mode is the left most time period, and the bridge mode is the right most time period. I have had similar results with a 2wire 2701HG-B.




In addition to the packet loss, I also had problems with NAT loopback with the Westell 6100, and incoming VPN sessions through both devices did not work very well. Sessions would take a very long time to establish (if at all), and would then randomly drop out. In bridge mode, there were no such problems.

Of course, if using your Motorola 2210 in DMZ or IP Passthrough mode in front of another router works for you with no problems, then please use it in whatever mode you wish to use and I doubt that anyone here will think less of you for doing so. On the other hand, if you come back here with problems and the solution is to use bridge mode, be prepared for a great deal of heckling.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

FAQFixer
Premium
join:2004-06-28
Powder Springs, GA


edit:
May 8th, @12:38PM

reply to wayjac
My thinking is always to use the least amount of resources to do the job correctly. It comes down to using the least amount of layers to get the job done. I think it's better to use one device (Bellsouth modem/router) to do just Layer 1 and 2 and let the third party router do Layer 3 and above. Having two separate devices do Layer 3 and above requires more resources and usually leads to more headaches.


wayjac
Premium
join:2001-12-22
Indy
reply to NetFixer
Thanks for the replies,
I'm not trying to provoke anyone, that is not my purpose

Canezoid

join:2001-02-16
Powder Springs, GA
·AT&T Southeast

reply to FAQFixer
said by FAQFixer:

My thinking is always to use the least amount of resources to do the job correctly. It comes down to using the least amount of layers to get the job done. I think it's better to use one device (Bellsouth modem/router) to do just Layer 1 and 2 and let the third party router do Layer 3 and above. Having two separate devices do Layer 3 and above requires more resources and usually leads to more headaches.
I'll ditto!

joeblow

join:2007-07-14
Knoxville, TN

reply to wayjac
Well, it provoked me. I'm a new DSL user of about 2 months now and when I got my Westell 6100 modem I just plugged it up and then ethernet to my Dlinks router and we were off. I never gave it much thought until I started following up here some. I just helped a friend Monday with a DSL start up with the newer Motorola modem and just plugged a Dlink wireless to it with the same results. She's surfing like there's no tomorrow.

I looked at net fixers graph and the next time I game I will try it direct to the computer. I guess I'm not understanding what exactly I'm missing.

Sorry if this should be another topic just my results so far.


NetFixer
From my cold dead hands
Premium
join:2004-06-24
Murfreesboro, TN
·AT&T Southeast
·Vonage
·Cingular Wireless
·AT&T CallVantage
·Comcast


edit:
May 9th, @01:38AM

said by joeblow:

I'm a new DSL user of about 2 months now and when I got my Westell 6100 modem I just plugged it up and then ethernet to my Dlinks router and we were off. I never gave it much thought until I started following up here some...

I looked at net fixers graph and the next time I game I will try it direct to the computer. I guess I'm not understanding what exactly I'm missing.
If you aren't having any problems, you probably aren't missing anything. The symptoms I had when using the IP Passthrough mode likely would not be a problem for 99.99% of residential users who are not hosting services and do not do inbound VPN to devices behind their router(s). In other words, if it ain't broke, you don't need to fix it.

On the other hand as others have pointed out, putting the AT&T supplied modem/router into bridge mode and doing the PPPoE on your primary router is a bit more efficient, and if you are a gamer every nanosecond helps.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC

reply to NetFixer
[Image: Line quality graph, before, and after IP Passthrough enabled.]
[Image: SS4100 in]
[Image: D-Link gets public IP address from modem.]

said by NetFixer:

My motto is that a picture is worth at least 1000 words, so here is a picture showing a Westell 6100 in both modes...

In addition to the packet loss, I also had problems with NAT loopback with the Westell 6100, and incoming VPN sessions through both devices did not work very well. Sessions would take a very long time to establish (if at all), and would then randomly drop out. In bridge mode, there were no such problems.
I haven't tried incoming VPN sessions. I've known that was a possible issue. Outgoing works fine though. I've known that loopback is an issue; but never needed it, myself.

The blue spike in the West Coast server graph is the changeover point. I put my SS4100 back in "IP Passthrough" mode there. Well, it really isn't called that, as the screen shots show.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
over 9 years online! © 1999-2008 dslreports.com.