Router & DSL Modem

[Casey H]

Greetings –

My DSL modem gave up the ghost after quite a few years of good service.  It was a Netgear DM111PSPv2, it’s output fed to a Linksys N750 EA3500-NP router which gave me my wireless access point.  The modem has been replaced by a Centurylink C1100T, which is billed as a modem/router.  From a security perspective, I’m wondering if it would be a good idea to double up as before, disable the wireless on the modem, and run the output through the old router, using its wireless.  The Centurylink device is more restrictive in its password protocols–a limit of 60 characters, letters & numbers only.  Additionally, even though the GUI password to access the device settings is specific to this particular device, it is only 8 characters long, and the settings don’t seem to allow a password change to something more robust. On the other side of reasoning, the router is approximately 5 years old, so I’m wondering about its security as well.  Thanks for the help, folks.

Casey H.

[MrJimPhelps]

I had a similar situation (router/modem combo unit, which I rented from my ISP). It was old, and I couldn’t access all areas of the unit when I logged into it.

Fortunately my ISP allowed me to purchase a modem-only unit, which I was able to then connect to my own router. I then did a firmware update on the router, bringing it more up to date than it was previously. If there isn’t a recent firmware update available for your router, you might consider buying a new one. They aren’t very expensive.

My ISP is a small-town phone company. Hopefully CenturyLink will be as accomodating for you on this issue as my local phone company was for me.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

1 user thanked author for this post.

Casey H

[Paul T]

Feeding your wireless router from another router may result in double NAT, which you probably don’t want.
The simplest fix is to set the ISP router with a DMZ pointing at the wireless router, then the wireless router is effectively your new external router. Now you connect all your devices to your wireless router.

cheers, Paul

1 user thanked author for this post.

Casey H

[Casey H]

Thanks Paul.  Is DMZ pointing simply a matter of enabling it, then typing in the router’s IP address?

Another area of concern.  The only way to access the GUI of my old router is to be physically connected to it.  I thought I had accomplished the same thing with the new rig but discovered I can access it via wireless.

Casey H.

[Casey H]

Forgot to ask for clarification: it sounds like simply going with the new combo unit is not recommended.  True statement?

Casey H.

[Casey H]

There’s no doubt about a billion choices for routers.  My current EA 3500 gives me wireless internet access throughout the house and in the outside yard as well.  My location seems to limit my DSL connection to an upload speed that tops out around 5 mb/sec.  Security is my primary concern.  I have favored Linksys in the past, out of habit if for no other reason.  Recommendations?

Casey H.

[Paul T]

Re-reading your post I think you can probably use the new router to do everything, with the following caveats.

1. You must be able to turn off remote administration on the router (GUI and console).
2. Change the admin password. Use your password manager to choose a random password.
3. Change the wifi PSK. 60 characters is plenty of security.

To confirm your router is behaving you can test it at the GRC site via this direct link.

cheers, Paul

1 user thanked author for this post.

Casey H

[Casey H]

Thanks Paul.  Oof–this was hard work.  Wifi password change: no problem.  Admin username change: no problem.  Admin password change: big problem.  Apparently this modem/router only allows an admin password to have a maximum length of 23 characters.  It took a while to discover that, as I started with 6o characters and worked my way down by 10’s and 5’s until I finally pinpointed the maximum.  My earlier concern about remote access is apparently unfounded.  Earlier I was able to access the GUI from my laptop, but that was connected to the network via wifi.  Today I tried accessing the page with my phone (wifi on & wifi off) and could engage the GUI connected but not when disconnected. So all seems good.  All of your caveats seem satisfied.  One less box under the desk to gather dust.

Casey H.

[Casey H]

The plot thickens.  Attempting to avoid double NAT, I set up my Linksys router in the CenturyLink DMZ.  The CL data indicated my L router was outside the CL firewall & outside the CL NAT.  Running tracert 8.8.8.8 from a command line prompt, however, indicated two private IP addresses in the trace.  I ultimately was able to avoid the double NAT by switching the ISP Protocol in the CL WAN settings from Autoselect to Transparent Bridging and rebooting the CL modem/router.  I then changed the L router internet settings from Autoconfig DHCP to PPPoE and entering the CL username & password.  After rebooting everything, I had a good internet connection, and running tracert 8.8.8.8 indicated just the one private IP Address.  The problem is once I rebooted the CL device, the GUI page disappeared from my browser, and I can no longer access the CL device.  At least for now, I don’t really see a need to access it, but in case I should have to, I’d like to be able to do it other than by pushing the reset button and loading everything up from scratch from the factory defaults.  I’ve already spent way too much time on this project, but my sense is the current configuration is better than either just using the CL device or having the double NAT.  Web pages seem to load faster with the current setup, and my L router has better wireless range than the CL device.  Any additional advice would be appreciated.  Thanks.

Casey H.

[PKCano]

Are you connecting directly to the CL device to access it?

[Casey H]

I’ve tried both.  I really thought that if I unplugged the router and hooked the computer directly to the CL device it would work.  I also tried connecting to the CL device both using the WAN port and one of the four ethernet ports.  No luck in either case.

Casey H.

[mn–]

… right. If it’s in transparent bridge mode, it doesn’t have any IPv4 address of its own?

That’d be entirely typical, and technically is the exactly correct way to do it – wouldn’t be completely transparent if it did anything else on the same link.

That’s why I greatly prefer devices that have a separate console port… too bad about the extra cost nowadays though.

(It might still have an IPv6 link-local address or some such.)

1 user thanked author for this post.

Casey H

[Paul T]

2 private IP addresses doesn’t mean double NAT. The DMZ is a bridged connection instead of firewalled so you have 2 IP addresses with only one NAT.

You only have to worry about double NAT if you use internal services externally – gaming, VPN etc.

cheers, Paul

1 user thanked author for this post.

Casey H

[Casey H]

Thanks guys

I think I finally understand what’s going on.  A good experience as it’s taught me some stuff about networks, which I’ve never really thought much about in the past–set & forget.  I think I’ll do the factory reset thing on the CL device and go back to the DMZ setup.  Serves me right for getting advice from somewhere other than here on the Lounge.

Casey H.

[Author]

Posts