Ask HuSi: Home Networking
By FlightTest (Mon Jul 14, 2014 at 01:57:52 PM EST) (all tags)
Higher internet speed without a cost increase, but new complications.

And yes, I checked the up/down speeds before and after and it made a huge difference.  They weren't lying after all. 

The good:  TWC increased our internet speed without raising rates (sometimes helps to live in a huge major city with actual competition).

The maybe good/maybe bad: Doing this required swapping out the cable modem (yes I know it's not a modem, but it's easier for me to call it a modem, so that's what you get) from dumb bridge to a full gigabit router with wifi.  New device is Arris TG1672.

The ugly: Arris's website says if you got your device from your cable co., they are responsible for firmware updates.  I don't trust TWC to update the firmware if a bug is found, so I'm reluctant to rely on it for a firewall.  So I end up with a double NAT, from the "modem" to my firewall, then from my firewall (pfsense) to the rest of my network.  My OCD doesn't like this.  I haven't had any problems, but it just feels wrong.

Unfortunately, I'm just not quite smart enough to figure out how best to set this up.  I could set it up as a bridge just like the old one was, but then I'm not quite sure there isn't an open port somewhere listening for connection to the web gui.  If there is I can't figure out what address it's listening on.  As a result, once I have it set up as a bridge, I have to do a factory reset to get back into the web gui.  I suppose that makes sense but the fact that it's not documented if bridge mode stops the web gui altogether or not bugs me.

Or is NAT under NAT not as bad as it seems and I should just live with it?  How much security does HuSi think this device really has?  It has a dual channel wifi router built in also; I'd like to take advantage of that if possible.  I'm probably over-thinking this but I'd like to keep my home network fairly secure.
Ask HuSi: Home Networking | 18 comments (18 topical, 0 hidden) | Trackback
isn't that how many do it ? by sasquatchan (2.00 / 0) #1 Mon Jul 14, 2014 at 03:23:43 PM EST
as in, the modem we get from Cox is unprogrammable -- it's a coax in, and ethernet out (1 port). So that port goes to a firewall/router/wifi device..  (and to a few gig switches)

I don't know by FlightTest (2.00 / 0) #2 Mon Jul 14, 2014 at 03:26:47 PM EST
Do you get a private network address from your Cox modem?  I got an internet routable IP from my old bridge and get the same if I put the new modem in bridge mode.

[ Parent ]
well, we're a funny case ... by sasquatchan (2.00 / 0) #3 Mon Jul 14, 2014 at 03:42:28 PM EST
we get a static IP from Cox (cable company) because we have the business service (the Mrs' company pays for it). So I have to program the router specifically to work with the cable modem. (Vs how most home cable modems work -- you plug in the router, it uses DHCP to talk to the cable modem and off you go .. Ours needs a bit more work..)

[ Parent ]
That's how I do it by ucblockhead (4.00 / 1) #4 Mon Jul 14, 2014 at 07:36:19 PM EST
Cable modem has one ethernet, which goes to the router/firewall.  In my case, the wifi is a separate device that connects to the router.
[ucblockhead is] useless and subhuman
[ Parent ]
No... by Gedvondur (2.00 / 0) #8 Tue Jul 15, 2014 at 09:54:01 AM EST
Time Warner is handing out Arris units that function as a DOCSIS cable modem and also as a home router.  I have one.  Piece of shit, the routing/wifi/firewall portion anyway.

[ Parent ]
Simples by anonimouse (4.00 / 1) #5 Mon Jul 14, 2014 at 08:16:03 PM EST
It sounds as though you might be overthinking this.

If you're reluctant to flash the device your phone company gave you, buy an identical or similarly specced model and flash that to your heart's content.

Girls come and go but a mortgage is for 25 years -- JtL
Or replace it with something completely different. by gmd (2.00 / 0) #6 Mon Jul 14, 2014 at 08:27:35 PM EST
Cable/phone companies don't really care what you plug in so long as they don't have to support it..

gmd - HuSi's second most dimwitted overprivileged user.
[ Parent ]
I'm not 100% sure I can by FlightTest (4.00 / 1) #12 Tue Jul 15, 2014 at 01:44:26 PM EST
I know I had to go to TWC's website and "activate" the modem - I couldn't do anything else on the net.  That may have had to do with the difference in technology between the old modem and the new though.  

And to the mouse's point, I'm not afraid to flash TWC's modem, I just don't trust TWC to actually issue an update, even if Arris gift wrapped it with a bow for them.

[ Parent ]
don't listen to the FUD, wifi is the bees knees by the mariner (4.00 / 2) #7 Tue Jul 15, 2014 at 05:18:24 AM EST
look, i know people say wifi is slow and broken, hard to set up, and even causes latency issues. i have a buddy who swears up and down that he gets worse hitreg in halo 2 when he uses his mom's wifi. (kinda like the prima donnas who won't use a wireless mouse, amirite?)

i'm here to say i switched to wifi this year and it's just great. no more of those countless hours spent crimping and recrimping cables until you're down to three feet of cord and you have to start over! it's just plug-in, fire up netscape, and surf the web on your PC or laptop to your heart's content.

just make sure you've got yourself a pcmcia card for your laptop with wireless support compatible with your operating system and watch out for those tabs and dongles -- some of them are just winmodems in disguise. not linux compatible!

Don't double NAT - That's shitty by Gedvondur (4.00 / 2) #9 Tue Jul 15, 2014 at 10:02:33 AM EST
I am on Time Warner.  I can help you with this.  I have an Arris cable modem as well.

I assume you already have a home wifi/router/firewall of your own.

Go into the Arris setup and turn off....Well everything.  Turn off WiFi and turn off DHCP.

Let your old wifi/router get an external IP from TW, just like before and let it do the DHCP.

Last bit of advice.  If your wifi/router is more than three-four years old, replace it.  Many of these old units simply cannot handle the higher speeds that your ISP is providing and become a bottleneck.

I would go with an Apple airport router or anything with a Broadcom or Atheros chipset.  Some high end Linksys, DLink and Asus units use those chipsets.

Source:  I work for a really big router and switch company

But *why* is it shitty? by Dr Thrustgood (4.00 / 2) #10 Tue Jul 15, 2014 at 10:50:06 AM EST
Unless you want to route something from the outside world to a local machine (and even then - ngrok), what difference will it really make, day-to-day?

(genuinely curious - been running double-nat out of sheer laziness for a while now)

[ Parent ]
It may not make any practical difference. by gmd (4.00 / 1) #14 Tue Jul 15, 2014 at 02:40:32 PM EST
But for OCD type autism spectrum computer geeks, the fact that it is sub-optimal in theory will have them constantly thinking about it.

i know I would be.

gmd - HuSi's second most dimwitted overprivileged user.
[ Parent ]
Complexity, mostly by Gedvondur (4.00 / 1) #15 Wed Jul 16, 2014 at 10:36:12 AM EST
It generally works, but it's an unnecessary layer of complication.  Plus some security schemes (mostly corporate) don't function properly in a double NAT environment.

Essentially, you are asking two routers to keep track of state and path.  If either router loses track, the flow is lost.  Weirdly, the issues with double NAT have changed. In the past, a lot of software and even some web applications blew up when encountering double NAT.  That doesn't happen that much anymore.  Today, the issues are more around the number of small and short term flows that are established.

Each flow has to be tabled and routed through the NAT.  The reason older home routers keel over and die isn't the raw speed increase of the ISP connection, it's the veritable FLOOD of small flows that are set up and torn down quickly.  For a mental example of modern software behavior, think of BitTorrent and how it makes and drops connections.  That's a good example of how some software behaves.  Routers quickly run out of table space and more importantly they run out of CPU cycles to handle the connections.  This means a loss of throughput, but not bandwidth.

With two devices, you are essentially doubling the work and doubling the possibility of failure.  If one router is older and shittier than the other, the total throughput will not be any faster than the slowest router.  It's a little like hooking two water pumps in series.  Both work and pump water, but the total throughput will only be the GPM of the slower pump, despite the pipe size being the same for both (bandwidth).

So you can do it, it will work in practically all cases, but it's a needless complication that can introduce issues.

[ Parent ]
Double NAT by sjn37 (4.00 / 1) #18 Wed Jul 16, 2014 at 02:59:33 PM EST
I am also on TW and got the same upgrade modem. I was running with double NAT for a while. The one issue I had was that my IP phone service (NetTalk) stopped working. I could still make calls, but when someone called me, there was no sound. I put the modem in bridged mode and the problems went away.

[ Parent ]
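To make Gedvondur's point about two state tables (#15) and sjn37's inbound-call failure (#18) concrete, here is a small added simulation, not code from the thread or from pfSense or Arris. It models two source-NAT routers in series; the addresses (pfSense WAN on the modem's private LAN, a constructed public address for the Arris WAN, a constructed web server and caller) are assumptions, and the private-address check is the same test FlightTest applies when asking whether the modem hands out a routable IP.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for a private address: a firewall whose WAN side gets one sits behind another NAT."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

class Nat:
    """Minimal source-NAT router: one state-table entry per outbound flow."""
    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip, self.next_port = wan_ip, first_port
        self.out = {}   # (inner src, remote) -> port allocated on the WAN side
        self.back = {}  # (WAN port, remote) -> inner src, consulted for replies
    def outbound(self, src, dst):
        """Rewrite the source of an outbound packet; returns (new_src, dst)."""
        if (src, dst) not in self.out:
            self.out[(src, dst)] = self.next_port
            self.back[(self.next_port, dst)] = src
            self.next_port += 1
        return (self.wan_ip, self.out[(src, dst)]), dst
    def inbound(self, src, dst):
        """Reverse-translate a packet arriving on the WAN side; None = no state, dropped."""
        inner = self.back.get((dst[1], src)) if dst[0] == self.wan_ip else None
        return (src, inner) if inner else None

def send(chain, src, dst):
    """Outbound packet crosses each NAT in order, LAN-side router first."""
    for r in chain:
        src, dst = r.outbound(src, dst)
    return src, dst

def receive(chain, src, dst):
    """Packet from the internet walks inward; a missing entry on either router drops it."""
    for r in reversed(chain):
        pkt = r.inbound(src, dst)
        if pkt is None:
            return None
        src, dst = pkt
    return src, dst

# Constructed endpoints: laptop on the pfsense LAN, a web server, and an inbound VoIP caller.
LAPTOP, WEB, CALLER = ("192.168.1.10", 51000), ("198.51.100.20", 443), ("198.51.100.30", 5060)

def double_nat(forget=None):
    """Laptop -> pfsense -> Arris -> server and back; 'forget' = index of a router that loses state."""
    chain = [Nat("192.168.100.2"), Nat("203.0.113.7")]  # pfsense WAN on modem LAN; Arris WAN constructed
    wan_src, wan_dst = send(chain, LAPTOP, WEB)
    if forget is not None:
        chain[forget].back.clear()                       # reboot / table eviction on that router
    reply = receive(chain, wan_dst, wan_src)             # the server's answer to the laptop
    unsolicited = receive(chain, CALLER, ("203.0.113.7", 5060))  # inbound call setup, no prior flow
    return reply, unsolicited
```

The reply only reaches the laptop when both tables still hold the flow, and the unsolicited call setup is dropped at the outer router because nothing inside created state for it; a port forward would have to exist on both routers to change that.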
My wifi/router/NAT/NTP/etc by FlightTest (4.00 / 1) #11 Tue Jul 15, 2014 at 01:38:48 PM EST
Is pfsense (running on IIRC an old PIII/800 but I could be wrong on the speed) - it Just Works so I don't mess with it much except to fetch the latest version from pfsense.

I get the full advertised throughput (50 down / 15 up) so my firewall is probably not a bottleneck.  Internet comes through the cable modem, into the box, then to a gigabit switch.  My wifi access point is actually an Atheros card in the firewall box that can be put into access point mode.  All the NICs are Intel Pro/1000.

[ Parent ]
Wow by Gedvondur (2.00 / 0) #17 Wed Jul 16, 2014 at 10:41:48 AM EST
Okay, then.  I agree, your router is probably not the issue.

Unless you are really hands-on with the security, I would then revise my advice to just using the router/firewall/wifi in the cable modem.

What you are doing works fine, it's a workable setup.  But from a complexity and power-consumption standpoint, you will save time, money, and effort using an appliance (home router or the one in the cable modem) rather than dedicating an ancient PC for the job. You will save space, time, and effort. Just my opinion, if you are comfortable with the setup as you have it, just turn off the router in the cable modem and keep on keeping on.  :-)

[ Parent ]
So if I turn all that off by FlightTest (4.00 / 1) #13 Tue Jul 15, 2014 at 02:33:47 PM EST
I presume also put it in Bridge mode on the LAN setup screen?  Once I do that, the only way back in to the Web GUI AFAICT is by resetting to factory defaults?

[ Parent ]
Yes..... by Gedvondur (2.00 / 0) #16 Wed Jul 16, 2014 at 10:37:45 AM EST
But since the cable modem side will auto-configure with Time Warner and if you've turned it off, you don't need to worry about the old config, that's not really a big deal.  If you really wanted back in, it's pretty simple.

[ Parent ]