All operators provide their customers with a wireless router for Internet access, both by cable and by Wi-Fi. However, many users decide to buy a neutral router or a powerful Wi-Fi Mesh system, which offers a large number of configuration options and services as important as VPN servers, FTP servers, advanced parental control, etc. Today in RedesZone we are going to explain why it is important that the router or Wi-Fi Mesh system we buy holds the public IP.
The first thing we must know is that routers have two or more interfaces. One interface corresponds to the Internet WAN, that is, the physical and logical port through which we reach the Internet. Depending on the operator, it will mainly use PPPoE or DHCP. This port is normally where we have the public IP provided by the operator, so that we can open TCP/UDP ports without any problem to access our servers (web, FTP, VPN, etc.) from the Internet.
Currently in Spain, FTTH operators use the 802.1Q standard for Internet access, which means that we have to enter a VLAN ID in the router configuration. It is essential that the router firmware can configure a VLAN ID on the Internet WAN in order to connect to the Internet and obtain the public IP; otherwise we will not be able to configure FTTH connections such as Orange, Vodafone and others. The only one we could configure is Movistar FTTH, because the Movistar HGU router can be put in single-user mode, in which it does not pass the tagged VLANs but only passes VLAN ID 6 untagged. Therefore, we can use any router without the ability to configure VLANs on the Internet WAN; we would only need to configure PPPoE (in the case of Movistar).
Although there are operators that use CG-NAT technology, so that the clients’ routers do not have the public IP, most operators allow customers to “leave” this CG-NAT in order to open ports without any problem. We must remember that CG-NAT is a technology that allows a public IP to be shared by several of the operator’s clients, and each client has a private IP that is not routable through the Internet. For this reason, if we are behind CG-NAT we will not be able to open ports on our router, since the public IP is not held by us but by a router of the operator itself that is in charge of the address translation. Among the operators that use CG-NAT in their networks is the Masmovil Group with all its brands, which lets you leave this CG-NAT totally free of charge, as well as Digi, which will charge us €1 more per month if we want a public IP,
The other interface that routers have is the LAN and Wi-Fi, where we connect the different devices and the router automatically provides each of them with a private IP. This local network interface allows the different devices to communicate without going out to the Internet; all that traffic remains in the local network itself. Regardless of whether we have four or more Ethernet ports, simultaneous dual-band Wi-Fi or simultaneous triple-band Wi-Fi, everything stays on the local home network.
Routers make use of NAT technology so that, with a single public IP on the WAN, we can connect hundreds of devices on the LAN and all of them can use the Internet simultaneously without any problem. NAT is responsible for translating the public IP address into the private IP address and vice versa, making use of the different TCP/UDP ports. Thanks to NAT, we can surf the Internet or do any task with a single public IP address, with the corresponding savings in public IP addressing. A very important detail is that NAT is not a security measure; the firewall that the router has is the security measure that allows or denies traffic. Another very important aspect is that, when we place an operator router and then a neutral router behind it, we have the dreaded “double NAT”, therefore,
Why is it important that our neutral router has the public IP of the ISP?
All of us have suffered from the wired and Wi-Fi performance of the operators’ routers, and not only that, but their firmware has hardly any advanced configuration options (firewall configuration, FTP servers, DLNA, VPN, advanced QoS, parental control). In addition, Wi-Fi Mesh systems are now becoming popular to cover the entire home with wireless connectivity, so that as we move through the home, the devices automatically connect to the best node (the closest one or the one with the least load). Thanks to Wi-Fi roaming between nodes with the 802.11k/v/r standards, we can move from one node to another without interrupting the Wi-Fi connection. The same happens with band steering: we can have a single SSID in our home, and the router automatically places us in the 5GHz band (faster) or in the 2.4GHz band (more range), so that we do not have to worry about which band we connect to.
If we intend to buy a Wi-Fi Mesh system or a high-performance neutral router, it is essential to configure the operator’s router so that it “passes” the public IP to the equipment we buy. Many users connect the WAN port of the neutral router or Wi-Fi Mesh system to a LAN port of the operator’s router and do not get a public IP but a private IP from the local network of the operator’s router, because they have not configured the ISP router correctly. In this article we are not going to go into how to carry out this configuration on the different operators’ routers, since it is done in one way or another depending on the operator and the operator router that we have.
This configuration, in which the public IP is passed to the router that we put behind, is called “bridge” mode. The only thing the operator’s router does is act as an ONT, passing the data frames; it does not act as a router or do NAT. The operators whose routers make this easiest are Movistar, O2, Másmóvil, Yoigo and Pepephone, since their routers allow you to configure this specific option in the web configuration interface, so we recommend these operators if you are going to buy a router or a high-performance Wi-Fi Mesh system.
Higher performance, the operator’s router acts as ONT exclusively
When we configure our operator’s router in bridge mode, it only acts as an ONT, passing the frames (link layer) through its ports; it does not have to route packets or perform NAT. In this way, we will not have any bottleneck in the operator’s router, and we will be able to make the most of our high-speed FTTH connection.
If you are a basic user who only surfs the Internet and uses smartphones, you will not notice it much, but it is very common to run into problems when using the operator’s router with P2P programs. P2P programs establish a large number of simultaneous TCP connections to the different peers that download or upload data, so the performance of the entire local network is affected. The operator’s router could even crash completely, and we would have to stop or limit the downloads, or even restart the router so that it works correctly again.
We will not have double NAT problems
If the public IP is held by the operator’s router, we must remember that this router performs the NAT function to translate the public IP address to a private one, and vice versa. If we connect another router to its LAN using that router’s Internet WAN port, traffic passes through “double NAT” before it reaches the connected device: one NAT is done by the operator’s router, and the second NAT is done by the router or Wi-Fi Mesh system that we have bought. This double NAT is the worst possible setup, because all network traffic will be limited by the operator’s router, which you will notice especially if you use P2P programs. In addition, with double NAT we have to do double port forwarding: we have to open a given port on the operator’s router to the private IP of the WAN of the neutral router, and then on the neutral router do a second port forwarding to the corresponding device.
Another option is to open the DMZ on the operator’s router to the private IP of the neutral router; in this way, we will be forwarding all TCP and UDP ports except those that we have explicitly opened. However, we will still have to go through its NAT, and the performance you get will not be good.
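The double port forwarding and DMZ behaviour described above can be traced hop by hop. The following is an added example, not code from the original article: the router tables, names, addresses and ports are constructed, and the model assumes each router only applies explicit forwards first and the DMZ second, ignoring its firewall and its own services.

```python
# Constructed rule tables: every address and port below is illustrative.
OPERATOR_FWD = {"name": "operator", "dmz": None,
                "forwards": {("tcp", 443): ("192.168.1.2", 443)}}
OPERATOR_DMZ = {"name": "operator", "dmz": "192.168.1.2", "forwards": {}}
NEUTRAL = {"name": "neutral", "dmz": None,
           "forwards": {("tcp", 443): ("192.168.50.10", 443)}}


def next_hop(router, proto, port):
    """Where this router sends an unsolicited inbound packet, or None if dropped."""
    rule = router["forwards"].get((proto, port))
    if rule is not None:
        return rule                      # explicit port forwarding wins
    if router["dmz"] is not None:
        return (router["dmz"], port)     # DMZ host gets every other port
    return None


def trace_inbound(routers, proto, port):
    """Follow a connection from the Internet through each NAT hop, outermost first.

    Returns (path, delivered): the hops that forwarded it and whether the last
    router in the chain handed it to a LAN device.
    """
    path = []
    for router in routers:
        hop = next_hop(router, proto, port)
        if hop is None:
            return path, False
        dest_ip, port = hop
        path.append((router["name"], dest_ip, port))
    return path, True


if __name__ == "__main__":
    for label, chain in [("double NAT, two forwards", [OPERATOR_FWD, NEUTRAL]),
                         ("double NAT, DMZ", [OPERATOR_DMZ, NEUTRAL]),
                         ("bridge mode", [NEUTRAL])]:
        for port in (443, 21):
            print(label, port, trace_inbound(chain, "tcp", port))
```

With the DMZ enabled, port 21 reaches the neutral router's WAN even though nothing forwards it, so in that setup the neutral router's firewall is the only filter for every port.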
In case of double NAT, we will not be able to use the Dynamic DNS services of the neutral router, since it will detect that its WAN IP is a private IP and therefore not routable through the Internet, so we will depend on the DDNS services of the operator’s router.
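The check a DDNS client makes on the WAN address, extended to tell double NAT apart from CG-NAT, can be written as follows. This is an added example, not code from the original article or from any router firmware; the function names and result labels are hypothetical, the 100.64.0.0/10 test assumes the operator uses the RFC 6598 shared range for CG-NAT, and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses stand in for real public IPs.

```python
import ipaddress

# Private ranges handed out by a home router's LAN (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Shared address space reserved for carrier-grade NAT (RFC 6598).
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip, observed_ip=None):
    """Classify the address on the neutral router's WAN interface.

    wan_ip      -- address the router reports on its WAN port
    observed_ip -- optional: address an external service sees us coming from
    """
    wan = ipaddress.ip_address(wan_ip)
    if any(wan in net for net in RFC1918):
        return "double-nat"      # operator router is still routing and doing NAT
    if wan in CGNAT_SHARED:
        return "cg-nat"          # translation happens inside the operator network
    if wan.is_loopback or wan.is_link_local or wan.is_unspecified or wan.is_multicast:
        return "not-routable"    # e.g. 169.254.x.x when the WAN got no lease
    if observed_ip is not None and ipaddress.ip_address(observed_ip) != wan:
        return "upstream-nat"    # public-looking WAN, yet something translates it
    return "public"


def inbound_services_possible(wan_ip, observed_ip=None):
    """Port forwarding and the router's own DDNS need the public IP on the WAN."""
    return classify_wan(wan_ip, observed_ip) == "public"


if __name__ == "__main__":
    # Constructed sample WAN addresses.
    for wan, seen in [("192.168.1.33", None), ("100.72.10.4", None),
                      ("203.0.113.7", "203.0.113.7"),
                      ("203.0.113.7", "198.51.100.9")]:
        print(wan, seen, classify_wan(wan, seen))
```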
Ability to configure QoS and make it work properly
One of the most notable features of a neutral router or a high-performance Wi-Fi Mesh system is the possibility of configuring QoS to prioritize some computers over others, or some Internet services over others. With the public IP on the router you buy, you can use QoS and you will have a great user experience. However, if we do not have the public IP on that router, we depend on what the operator’s router does when performing NAT, so it is very possible that what “we have gained” with QoS will be lost through the double NAT.
Services like FTP, VPN, Nextcloud and NAS access are accessible by doing port forwarding
If the neutral router or Wi-Fi Mesh system that you buy has built-in FTP and VPN servers, you will not have to do any port forwarding, since the equipment itself takes care of configuring the NAT internally. If the service runs on a NAS server, you will have to do port forwarding, but only on the neutral router or Wi-Fi Mesh system, where we have the public IP address. All these services will be fully available from the Internet once the corresponding port forwarding is done, something that we could not do if we were behind CG-NAT or did not have a public IP address on our router. In case of double NAT, we would have to take an additional step, which is to open the DMZ of the operator’s router to the neutral router.
As you have seen, configuring the operator’s router in bridge mode so that the neutral router or Wi-Fi Mesh system that we buy holds the public IP is the best thing you can do to get the best possible performance, so we strongly recommend that you always set up your network this way. It is also very important to choose an operator that allows this, since not all of them do, and even if they allow it, we could “lose” the VoIP service, so we have to look at the different scenarios. Still, it is clear that putting the operator’s router in bridge mode and placing a router behind it has many advantages.