Bridged mode vs DMZ
2,761 views
Skip to first unread message
Jay Strauss
Aug 14, 2014, 3:26:10 PM8/14/14
to LUNI - Linux Users Of Northern Illinois (Chicago) - Technical Discussion
Hi, Google has been quite unsatisfactory in this regard.
I have Comcast at home. I have the Comcast provided gateway, Technicolor TC8305C gateway/router/wifi/modem thing. Comcast support had a problem (shocking) that they couldn't put the modem in bridged mode.
So, instead I put my own DD-WRT router in the DMZ zone of the gateway and forwarded all the ports to my DD-WRT.
It all works fine. But, I think I found how to fix the bridge mode on the Comcast gateway.
So... What's the advantage / disadvantage of either setup?
One advantage of the DMZ setup is that I can still reach the gateway's admin page at 10.0.0.1. Whereas, when its in bridged mode it doesn't have an IP (that I know of)
Any others anyone can think of?
Thanks
Jay
Samir Faci
Aug 14, 2014, 4:02:29 PM8/14/14
to luni-c...@googlegroups.com
If I'm not mistaken, if you put it in bridgedmode, would comcast have to allocate you 2 different IP addresses?
I would imagine they would frown on that. Though it's really a matter of preference, I'd imagine bridge mode would be a bit more isolated from your LAN. Since it seems you can still hit internal addresses like your router config.
My only concern is.. can you hit other machines on your network from your DMZ? since you were able to hit your router. If I have a machine that exposes all 65K ports, I'd want to make sure it's properly isolated from anything else.
Just my 2 cents.
--
You received this message because you are subscribed to the Google Groups "Linux Users of Northern Illinois" group.
To unsubscribe from this group and stop receiving emails from it, send an email to luni-chicago...@googlegroups.com.
To post to this group, send email to luni-c...@googlegroups.com.
Visit this group at http://groups.google.com/group/luni-chicago.
For more options, visit https://groups.google.com/d/optout.
Thank you
Samir Faci
Jay Strauss
Aug 14, 2014, 4:18:59 PM8/14/14
to LUNI - Linux Users Of Northern Illinois (Chicago) - Technical Discussion
On Thu, Aug 14, 2014 at 3:02 PM, Samir Faci <sa...@esamir.com> wrote:
If I'm not mistaken, if you put it in bridgedmode, would comcast have to allocate you 2 different IP addresses?
I don't believe so, at least in the past there has never been another IP that I've seen. The way I understand it is, the gateway connects to Comcast in (I'm not sure if it uses TCP/IP or some other protocol), and then the customer's own router gets assigned an external address, like: 50.179.238.122.
I would imagine they would frown on that. Though it's really a matter of preference, I'd imagine bridge mode would be a bit more isolated from your LAN. Since it seems you can still hit internal addresses like your router config.
In DMZ mode, I can hit both my DD-WRT & Gateway's admin pages. In bridged mode I can only get my DD-WRT admin page.
My only concern is.. can you hit other machines on your network from your DMZ? since you were able to hit your router. If I have a machine that exposes all 65K ports, I'd want to make sure it's properly isolated from anything else.
I dunno, and don't know how to test. I don't think so though, as my DD-WRT gets a 10.0.0.x address from the gateway, and then on the DD-WRTs other NIC are my internal 192.168.x addresses.
Jared Moore
Aug 14, 2014, 4:28:06 PM8/14/14
to luni-c...@googlegroups.com
One difference comes to mind, in the DMZ state you are leaving routing to happen at the Comcast gateway whereas in bridge mode your DD-WRT will do it. End result functionally seems pretty much the same either way. I've mostly run my home networks in bridge mode, but I like the DMZ route because you can hit the Comcast from your side in case you need to tweak something.
Trev Peterson
Aug 15, 2014, 2:58:09 AM8/15/14
to luni-c...@googlegroups.com
One thing to consider that you don't have listed. When I was with
comcast they charged something like $10 - $11 / mo for their modem which
had a lot of problems, especially if it was doing NAT. I swapped mine
out for a docsys modem I bought from Best Buy (motorola docsis 3 modem
if I recall). The result was speeds were up, I could put it in bridge
mode when I wanted and the modem paid for itself in less than 10 months.
Within 1 year I went from a free modem to $8/mo to $11/mo so basically I
try to minimize my comcast interaction to the bare minimum (the
bandwidth provider). Your mileage may vary though.
Back to the original question. Here's some of the things I can think of
off the top of my head:
Ads to bridged mode:
1. The comcast device handles a lot less so has less chance of wigging
out. I've found my comcast devices are much more stable when I run them
in bridged mode.
2. NAT is done on your device where you have more control and can setup
things like NAT traversal, mapping external ports to different devices,
etc. This can help a lot in apps like VOIP and some VPNs. Port
forwarding does a lot but is sometimes not enough.
3. Ease of future config. The modem is now a pretty dumb device.
Almost all your config is done via the firewall now so it's one stop
shopping for changes.
Ads to routed mode (on comcast modem):
1. It's the default so you can be a bit lazy ;)
2. It has an IP address but it might try and pull one anyway. Have a
vague recollection of accessing the modem after it was in bridge mode.
Hope this helps,
Trev Peterson
Advanced Reality
Email: tr...@advanced-reality.com
Phone: +1 847 406 9018
comcast they charged something like $10 - $11 / mo for their modem which
had a lot of problems, especially if it was doing NAT. I swapped mine
out for a docsys modem I bought from Best Buy (motorola docsis 3 modem
if I recall). The result was speeds were up, I could put it in bridge
mode when I wanted and the modem paid for itself in less than 10 months.
Within 1 year I went from a free modem to $8/mo to $11/mo so basically I
try to minimize my comcast interaction to the bare minimum (the
bandwidth provider). Your mileage may vary though.
Back to the original question. Here's some of the things I can think of
off the top of my head:
Ads to bridged mode:
1. The comcast device handles a lot less so has less chance of wigging
out. I've found my comcast devices are much more stable when I run them
in bridged mode.
2. NAT is done on your device where you have more control and can setup
things like NAT traversal, mapping external ports to different devices,
etc. This can help a lot in apps like VOIP and some VPNs. Port
forwarding does a lot but is sometimes not enough.
3. Ease of future config. The modem is now a pretty dumb device.
Almost all your config is done via the firewall now so it's one stop
shopping for changes.
Ads to routed mode (on comcast modem):
1. It's the default so you can be a bit lazy ;)
2. It has an IP address but it might try and pull one anyway. Have a
vague recollection of accessing the modem after it was in bridge mode.
Hope this helps,
> --
> You received this message because you are subscribed to the Google
> Groups "Linux Users of Northern Illinois" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to luni-chicago...@googlegroups.com.
> To post to this group, send email to luni-c...@googlegroups.com.
> Visit this group at http://groups.google.com/group/luni-chicago.
> For more options, visit https://groups.google.com/d/optout.
--
> You received this message because you are subscribed to the Google
> Groups "Linux Users of Northern Illinois" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to luni-chicago...@googlegroups.com.
> To post to this group, send email to luni-c...@googlegroups.com.
> Visit this group at http://groups.google.com/group/luni-chicago.
> For more options, visit https://groups.google.com/d/optout.
Trev Peterson
Advanced Reality
Email: tr...@advanced-reality.com
Phone: +1 847 406 9018
Matthew Kurowski
Aug 15, 2014, 8:27:06 AM8/15/14
to luni-c...@googlegroups.com
Bridge-mode in itself does not affect routing or require extra IPs. Though not always implemented as pure L2 extensions that is essentially what they are. (Bridges can do packet mangling.)
There are numerous advantages to bridge mode esp if one uses a highly functional or capable termination point. With multiple IPs being allocated even moreso.
One very small example: multiple internal shared service terminations (XB360, standard web ports, VPN tunnels...)
Outbound services or applications sometimes require true front-facing IPs (VPN).
A great approach for security scaling for the home user is to bridge the bridge and apply security in the first transparent physical hop before it reaches the untrusted interface on the interior router/host.
I would use bridge mode if you have the resources to support security termination and packet processing. Because of dd-wrt's capabilities, you may overload your the router depending on your setup. For instance routed mode on the Comcast allows connections that would effectively bypass the dd-wrt router except for route lookup, dhcp (depending on settings), NAS, LAGs etc.
Anyhow there is no right or wrong since there are numerous factors to consider. If you feel up to the challenge (if only in potential additional primary maintenance) and want a more direct approach, do the bridged mode.
Sorry for short, thumb pecked response... :-)
--
Matthew Kurowski
Jay Strauss
Aug 16, 2014, 10:44:54 PM8/16/14
to luni-c...@googlegroups.com, luni-c...@googlegroups.com
Hi
Yes my monthly rental fee is $8/mo, but have looked online and it seems the same router costs $125+
Not sure I want to buy or not, but I haven't had any problems.
Pro bridged
2. I don't have a VPN but may want one in future.
Pro regular
I like lazy :)
Ill probably try the bridged just for grins.
Thank you,
Jay Strauss
312.617.0264
Sent from my iPhone
Yes my monthly rental fee is $8/mo, but have looked online and it seems the same router costs $125+
Not sure I want to buy or not, but I haven't had any problems.
Pro bridged
2. I don't have a VPN but may want one in future.
Pro regular
I like lazy :)
Ill probably try the bridged just for grins.
Thank you,
Jay Strauss
312.617.0264
Sent from my iPhone
Jay Strauss
Aug 16, 2014, 10:48:48 PM8/16/14
to luni-c...@googlegroups.com, luni-c...@googlegroups.com
Matt thanks for responding
I'm still on the fence, as there doesn't seem a whole lot that affects me.
I'm not doing any interesting networking stuff
Trev Peterson
Aug 16, 2014, 10:54:06 PM8/16/14
to luni-c...@googlegroups.com
I bought this one and it's worked great:
www.amazon.com/ARRIS-Motorola-SB6121-SURFboard-DOCSIS/dp/B004XC6GJ0
They have a newer one that seems to allow more bandwidth and gets as
good reviews but I have no person experience with it:
www.amazon.com/ARRIS-Motorola-SurfBoard-SB6141-DOCSIS/dp/B00AJHDZSI/ref=dp_ob_title_ce
Either of them are less than a 10 month ROI and you don't have to worry
about comcast silently increasing the price or other problems with them.
It is your equipment though so if it breaks you have to fix it.
Something to keep in mind. Hope it helps,
www.amazon.com/ARRIS-Motorola-SB6121-SURFboard-DOCSIS/dp/B004XC6GJ0
They have a newer one that seems to allow more bandwidth and gets as
good reviews but I have no person experience with it:
www.amazon.com/ARRIS-Motorola-SurfBoard-SB6141-DOCSIS/dp/B00AJHDZSI/ref=dp_ob_title_ce
Either of them are less than a 10 month ROI and you don't have to worry
about comcast silently increasing the price or other problems with them.
It is your equipment though so if it breaks you have to fix it.
Something to keep in mind. Hope it helps,
Jay Strauss
Aug 16, 2014, 11:11:53 PM8/16/14
to luni-c...@googlegroups.com, luni-c...@googlegroups.com
But I need the kind with 2 phone lines
I currently have a technicolor tc8305c. Comcast indicates there is a arris model too that works
I currently have a technicolor tc8305c. Comcast indicates there is a arris model too that works
Reply all
Reply to author
Forward
0 new messages