Two-router setup questions

kanenas
01-11-05, 11:02 AM
Hello.
I'd appreciate it if somebody could answer any of the following questions.
My modem is a D-Link DSL-500 single-port DSL/router. This connects to a Netgear FR314 firewall/router. Three PCs running XP SP2 connect to the Netgear.

The D-Link runs in PPPoA mode, it is on its own subnet with NAT and DHCP enabled (it only serves an IP to Netgear). To stealth it, I've pointed its DMZ to a non-existent IP within its subnet.
The Netgear, in another subnet, runs as NAT with dynamic IP and also has DHCP enabled.

Both devices have uPnP enabled.

Questions and concerns:

1) D-Link has an option to activate RIP (1 or 2). It is disabled at the moment. Any advantage in enabling it?

2) Should uPnP be enabled in both devices as it is now or do I have a problem I don't know about yet?

3) If I use Traceroute from some site's page, it works fine. If I use tracert from a DOS prompt, it gets to the D-Link, then to an ISP server, and then dies. What do I have to enable to get it to work (and still keep the system safe -- it's fully stealthed at the moment)?

4) Could something in my setup affect transfer speeds drastically? In all tests I've run, my download speed gets close to 900kbps which is almost right but the upload has dropped down to about 30kbps which is abysmally low. My link speed is 1024/256. Nothing shows on any logs and no TCP parameter changes affect the upload results.

Thanks in advance for any advice.

YeOldeStonecat
01-11-05, 11:47 AM
You're making things extra complicated, by "double NAT'ing" your setup.

The DLink, without checking up on your model, you describe it as a modem/router? It acts as a DSL modem (bridge)...as well as has a router feature enabled? If that's the case, as I do in my setups...

1) Simply uplink a switch to it to share to the rest of your computers
or
2) Disable the built in router feature, turning it into a pure DSL modem, and uplink to your Netgear and let the Netgear do the PPPoE and share the connection.

Double NAT'ing, as you can see, technically works with "most" things. But you get a performance loss, and as you've seen, some things don't work 100% when getting double NAT'd like that.

UPnP...some software (like some of the latest IM Messengers) have overcome their limitations under NAT by making themselves UPnP compliant. So if you use those, try enabling it on your router.

RIP is, hmmm, how to describe it briefly...a method of communication between routers, where you can set them to update each other as far as changes made to one area. Say you manage a wide area network, made up of many routers. You change the subnet at one location...RIP can be the lazy man's approach of updating all the other routers connected to it, so you don't have to manually edit the routing on the other routers to tell them about the one you just changed. For the home users, since you're using those in gateway mode, you don't need to enable RIP.

kanenas
01-11-05, 01:20 PM
Thanks for the comments.
The D-Link runs in PPPoA mode, not bridged.

Originally I had the D-Link in PPPoA, as is now, and everything worked fine. It was a weird subnet configuration for sure though and I couldn't get past the Netgear firewall to host an ftp server.

So I switched it to bridged mode and put the Netgear into PPPoE mode.

That's where the speed problems started.

So I reverted back to PPPoA but with a cleaner subnet setup. Unfortunately the upload slowdown didn't go away therefore the search for a solution.

Replacing the Netgear with a switch would help but I want to save some money as well as keep its firewall.

As for uPnP, what about my scenario? Does having it enabled in both devices cause a problem?

Thanks.

YeOldeStonecat
01-11-05, 03:58 PM
Let's back up a minute.

What kind of authentication does your ISP require? It's either PPPoE (most common), or PPPoA (not that common), or Bridged/DHCP RFC1483 (this is what I have at home, no username or anything required at all...just pull an IP address like on a LAN)

From quickly looking at some FAQs on the DLink DSL-500...it's a combo modem/router. By default, it serves up a 192.168.0.XXX private range.....doing so using NAT. Right there...that's your basic firewall. Adding another NAT box behind it gives you no further protection (by default)...it's not like "some stuff can sneak through the first NAT". A wall is a wall. You gain nothing but complication, performance issues, and occasional hiccups...by putting another NAT router behind that.

Now if the Netgear has some better SPI features than the DLink, and you wish to use that router instead of the DLink's router...then my advice would be to disable the router in the DLink, reverting it back to a pure bridge...basically it's just a DSL modem now, you'd uplink it to the WAN port of your Netgear router, it gives your Netgear WAN port a public IP address, and your Netgear router does the only authentication to your ISP. I run into that scenario a lot these days, as broadband ISPs are doing a smart move...and giving people combo DSL modems with built in routers. This is good for people who don't know any better to go purchase a router to protect their computer...as not long ago, ISPs only gave out DSL modems...and people plugged their computers right into these modems, opening themselves up to hacking and worms and the such. So a lot of times, I go onsite to setup a client, I might need to use a special router, and because I don't like double NAT'ing...I log into the provided modem/router combo...disable the router feature, and turn it into a plain modem. Then set it up on the router I brought with me.

UPnP..if you use a compliant messenger that needs those services running for voice 'n what not...then yes you'd want it turned on. Working through double NAT though, I don't know if it would work. UPnP was supposed to take off in other areas, making for seamless integration of other devices on the network through self discovery, and seamless removal without having to "touch" each machine...but it hasn't really taken off much yet, some new versions of Messengers about the only thing I've seen that utilize it much. Yes there was a UPnP exploit that came out a while ago, but if you're a prudent safe computing person...you'd have done your windows updates and patched that exploit..so it's a non-worry.

kanenas
01-11-05, 04:39 PM
The ISP supports both PPPoE and PPPoA transparently. I can switch between them just by modifying my hardware setup. The connection requires an ID/password combo.

I have 3 PCs so the D-Link as a router is not enough (it's single-port). I'd have to buy another switch to replace the Netgear with and I'd rather not. So that forces me to set up the D-Link in bridged mode. Problem is that I'd tried that and the speed had gotten worse, plus I couldn't get inbound calls to my server. I'll try again just in case...

uPnP in both devices works, at least for Messenger. I just don't know if it has any effect on speed.

Regards.

YeOldeStonecat
01-11-05, 04:47 PM
Hmmm...supports both huh? Where/who is this?

Anyways, having the DLink in bridged mode should not have slowed down things..if anything, I'd wager speed it up...one less device doing any routing/NAT'ing. The DLinks CPU would be freed up even more.

UPnP should not really affect speed.

Inbound calls...what kind of service are you trying to make public?

If you don't want to pickup a switch (can snag a little 10/100 5 port switch for under 30 bucks ya know)...you can get tricky with your Netgear. Jot down the Netgear's LAN IP address. Make sure it's not the same LAN IP address as your DLink router (in other words...make sure they're not both 192.168.0.1).

By default the DLink is 192.168.0.1
By default, Netgears, if I remember, are also 192.168.0.1
Having them setup as you did..double NATing, with both of them at 192.168.0.XXX would create issues. If you MUST for some reason keep double NAT'd, make sure one of the routers is different from the other...such as 192.168.0.XXX for the DLink, and 192.168.1.XXX for the Netgear. As long as that third octet is different.

But...back to my quick fix...as long as the LAN IP of the Netgear is not the same as the LAN IP of the DLink, and as long as DHCP is disabled on the Netgear....turn it around, connect the uplink port of the Netgear's LAN side to the LAN port of the DLink. Now you're just using your Netgear's "switch" side as a switch only. Connect PCs to the regular LAN ports. You've basically bypassed its router part..only using the LAN switch.

kanenas
01-12-05, 02:20 AM
The ISP is in Greece.
That also explains why I don't pick up a switch. They are more than $30 here and the selection is small. I could order it from the States but the thieving Customs here even tax on shipping costs. What do you expect from a place where a 1024/256 connection costs between 170 to more than 240 euros per month?

Back to the regular program... :)

My current setup (PPPoA) is as you described it.
D-Link is 192.168.1.1 (NATs and DHCPs to 192.168.1.x).
Netgear is 192.168.0.1. It's NAT with dynamic IP and connects on the WAN port with the D-Link (it's given by it a WAN IP of 192.168.1.2). Its DHCP assigns IPs in the 192.168.0.2 to .9 range.
The PCs connect to Netgear's LAN ports and use hardcoded IPs in the range 192.168.0.2 to .4. They use Netgear (192.168.0.1) as gateway.

They all can talk to each other this way.

If I understand you right, you said that on the above, I should disable the DHCP on the Netgear. Is that right?
If so, would the PCs still talk to each other and what would they use as a gateway?

I've tried unsuccessfully to set up an FTP server as well as an HTTP one. I had port-forwarded the appropriate ports. The problem was that nobody from the internet could reach my IP. They would always time out waiting. I had no problem getting to the servers from another PC in my LAN.
There was nothing on Netgear's logs so the calls must have been stopped by D-Link.
Running the DSL-50x Utility on the D-Link, it shows no ICMP traffic at all even now. Ignoring pings on the D-Link makes no difference. Maybe it's a bug in it, I don't know. Might explain why tracert doesn't work either.
Things should have been simpler...

Thanks for the help.
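
An added worked example (not from the thread or either vendor) that models the double-NAT chain described in this thread and traces an inbound port-forwarded connection through both hops, plus the overlapping-subnet check from the earlier reply. The D-Link's public address and its "non-existent" DMZ target are constructed placeholder values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class NatRouter:
    name: str
    lan: ipaddress.IPv4Network              # subnet served on the LAN side
    wan_ip: ipaddress.IPv4Address           # address on the upstream side
    forwards: Dict[int, ipaddress.IPv4Address] = field(default_factory=dict)  # ext port -> host
    dmz: Optional[ipaddress.IPv4Address] = None   # catch-all target for unforwarded ports

def check_subnets(outer: NatRouter, inner: NatRouter) -> List[str]:
    """Return configuration problems for an outer -> inner double-NAT chain."""
    problems = []
    if outer.lan.overlaps(inner.lan):       # the "same third octet" problem from the thread
        problems.append(f"{outer.name} LAN {outer.lan} overlaps {inner.name} LAN {inner.lan}")
    if inner.wan_ip not in outer.lan:       # inner WAN must live on the outer LAN
        problems.append(f"{inner.name} WAN {inner.wan_ip} is not inside {outer.name} LAN {outer.lan}")
    return problems

def inbound_path(outer: NatRouter, inner: NatRouter, port: int) -> Optional[str]:
    """Follow an inbound TCP connection through both NAT hops.
    Returns the final LAN host as a string, or None if it never arrives."""
    hop1 = outer.forwards.get(port, outer.dmz)
    if hop1 != inner.wan_ip:                # dropped, or sent to a host that is not the inner router
        return None
    hop2 = inner.forwards.get(port, inner.dmz)
    return None if hop2 is None else str(hop2)

def thread_setup(fix_outer: bool = False, inner_lan: str = "192.168.0.0/24"):
    """The layout from the thread. fix_outer=True adds the missing forward on the D-Link."""
    A, N = ipaddress.IPv4Address, ipaddress.IPv4Network
    server = A("192.168.0.2")               # PC hosting FTP (21) and HTTP (80) behind the Netgear
    netgear = NatRouter("Netgear", N(inner_lan), wan_ip=A("192.168.1.2"),
                        forwards={21: server, 80: server})
    dlink = NatRouter("D-Link", N("192.168.1.0/24"),
                      wan_ip=A("203.0.113.10"),          # constructed placeholder public IP
                      dmz=A("192.168.1.200"))            # constructed "non-existent" stealth DMZ target
    if fix_outer:                           # the outer hop must hand the ports to the Netgear's WAN
        dlink.forwards = {21: netgear.wan_ip, 80: netgear.wan_ip}
    return dlink, netgear

if __name__ == "__main__":
    for fixed in (False, True):
        d, n = thread_setup(fix_outer=fixed)
        print(f"outer forward {'present' if fixed else 'missing'}: "
              f"FTP -> {inbound_path(d, n, 21)}, HTTP -> {inbound_path(d, n, 80)}")
    print(check_subnets(*thread_setup(inner_lan="192.168.1.0/24")))
```

With the outer DMZ pointed at an unused address, both forwarded ports are swallowed at the first hop, which matches the time-outs described; forwarding them on the D-Link to the Netgear's WAN address (192.168.1.2) lets them reach the server.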

YeOldeStonecat
01-12-05, 06:16 AM
> My current setup (PPPoA) is as you described it.
> D-Link is 192.168.1.1 (NATs and DHCPs to 192.168.1.x).
> Netgear is 192.168.0.1. It's NAT with dynamic IP and connects on the WAN port with the D-Link (it's given by it a WAN IP of 192.168.1.2). Its DHCP assigns IPs in the 192.168.0.2 to .9 range.
> The PCs connect to Netgear's LAN ports and use hardcoded IPs in the range 192.168.0.2 to .4. They use Netgear (192.168.0.1) as gateway.
>
> They all can talk to each other this way.
>
> If I understand you right, you said that on the above, I should disable the DHCP on the Netgear. Is that right?
> If so, would the PCs still talk to each other and what would they use as a gateway?

Yah, that's pretty much how I pictured your setup to be. Computers use the Netgear as their gateway, once they get to the WAN side of the Netgear, they use the DLink as their gateway....they're stepping through two NATs.

So remember the LAN IP of the Netgear...and disable DHCP service on the Netgear. Take the cable that currently connects to the WAN port of the Netgear to a LAN port of the DLink...remove it from the WAN port of the Netgear, and put it on an uplink port on the LAN side of the Netgear. If you don't have an uplink port, do you have a port with a button that switches it from straight to crossover? If not....then you'd need a crossover cable. Should be able to pick one of those up for pretty cheap.

Once you've done this...now plug your computers into the 3x remaining ports of the Netgear...now you're using it only as a switch. The computers will pull an IP address from the DLink's DHCP service. Your computers will be given 192.168.1.XXX addresses.

kanenas
01-12-05, 08:34 AM
Thanks.
I got it clear now.
Your setup should work fine except that I'd be losing the firewall capabilities of the Netgear.
I tend to prefer the setup where the D-Link runs in bridged mode. I'll try it again and see what happens to the upload speed.
Thank you again for the great help.

YeOldeStonecat
01-12-05, 10:12 AM
Yeah, the Netgear has SPI...a wee bit better, but not really all that much of a difference for the home user. Not a big issue to fret over.

You have NAT, keep your windows updates and antivirus good, be smart when surfing and downloading, and there's not much to worry about.