
Configuring a modem/router in front of Tomato (with QoS) - Best practices

Discussion in 'Tomato Firmware' started by RixNox, Jan 30, 2013.

  1. RixNox

    RixNox Serious Server Member

    The present
    As of the present date I have successfully installed Tomato Toastman on an Asus RT-N16 router. Testing has been performed by attaching the router to a LAN connected to the Internet. Tomato was configured as a wireless access point: no WAN, no DHCP, "gateway".

    The future
    Now that I have performed some testing, I will need to change Tomato's configuration to run directly behind a modem/router, retaining/enabling Tomato's QoS capability (I see that this can only be accomplished on the WAN port). I understand that the changes in Tomato's config will depend mostly on the modem/router (Mikrotik) configuration.

    At the moment it is uncertain whether the Mikrotik will be user-configurable or not; the only established fact is that the ISP offers some degree of port-mapping configuration, upon user request. That is, I have been instructed by customer care to forward an email to technical support, explaining what kind of configuration I'd like to achieve on the Mikrotik.

    As a result I'm writing here to understand and evaluate solutions, possibly aiming at the best one. Suggestions are welcome. :)

    Conclusion
    Can someone list (sorted by best option) the best configuration options to allow Tomato to run flawlessly and effectively? Should the modem/router be configured as a bridge, allowing Tomato to be the only router in the LAN? If that is not possible (the ISP denies it), should the modem/router be configured to open all ports, redirecting traffic to Tomato? Should the modem/router's NAT be disabled?

    In conclusion, what kind of configuration should I ask the ISP for on the modem/router and, if that is not possible, what should be the second and third possible configurations?

    Thanks for helping
     
  2. Monk E. Boy

    Monk E. Boy Network Guru Member

    Ideally you should have the modem setup in bridge mode. In bridge mode the router attached to the modem gets a real IP address, not a NAT address. As a result all traffic intended for that IP passes direct to the router. With most ISPs you can only have a single host behind the modem in bridge mode.

    Less ideal, but normally still functional, is to designate the router's IP address as a DMZ host. This means all traffic not intended for the modem itself gets forwarded to the DMZ host. There are problems that can occur in this mode, caused by the modem overflowing its connection table, and similar performance problems caused by the modem performing NAT translation, but if you're lucky and it all works perfectly then it can be functionally identical to bridge mode. Typically this requires either a manual IP address assigned to the router or a static DHCP lease configured in the modem, since if the address changes it breaks the DMZ host function.
     
  3. RixNox

    RixNox Serious Server Member

    In this case, Tomato should manage a PPPoE connection to allow login to the ISP, correct? Also, should NAT be enabled on the Tomato?
     
  4. occamsrazor

    occamsrazor Network Guru Member

    Hi, could you explain a bit more about these problems? I'm running fiber modem to DMZ to Tomato router and generally all is working fine, including VOIP, which is surprisingly rock-solid. But the moment I start torrenting - even bandwidth-limited in the app to a fraction of my internet speed - the Internet becomes almost unusable on other machines. I do have QoS set up as well, but now I'm thinking it could be to do with the issues you mention. Thanks.
     
  5. Monk E. Boy

    Monk E. Boy Network Guru Member

    If your connection requires PPPoE then, yup, Tomato would need to be configured to handle PPPoE. The modem is basically being switched from operating in layer 3 to layer 2, so it would be incapable of handling PPPoE itself.

    NAT will have to be enabled unless you have a publicly routable IP subnet (e.g. a business with web, mail, application, etc. servers that other systems on the internet need to talk to directly) behind Tomato. For pretty much all home users this means NAT has to be enabled.
     
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    In my experience those problems are typically related to the modem/router you have, and switching to another model, sometimes another manufacturer's equipment, cures it. Unfortunately ISPs are ruled by beancounters who try to save $.50 in the dumbest of places; I'm rarely satisfied with any of the equipment they provide.
     
  7. occamsrazor

    occamsrazor Network Guru Member

    Thanks, but are you saying running the modem in bridge mode solves/reduces these problems, compared to running DMZ to the Tomato router? Or are you just saying the modem will have these problems because it's a bad modem, regardless of whether you set up bridge or DMZ to the Tomato router? Thanks.
     
  8. Monk E. Boy

    Monk E. Boy Network Guru Member

    If it's running in true bridge mode it shouldn't have any problems, since it's just a layer 2 device at that point. Not all devices support true bridge mode though. For example, AT&T's early UVerse modems required significant hacking in order to allow you to enable bridge mode, and their new modems don't allow it at all.

    In DMZ mode the modem has to be operating in layer 3, which means it has to maintain a connection table, route packets between interfaces, perform NAT transforms, etc. The hardware ISPs hand out is usually so borderline it makes a WRT54G look like extravagant luxury, so the less you can ask it to do the better off you'll be. Bridge mode is a significantly simpler task for the modem to perform, which is why under normal circumstances it's superior to DMZ mode.

    If DMZ mode doesn't work, unless you can coax the ISP into performing a firmware update on your device, it's likely going to take a hardware replacement with a different model or make/model to get a functioning DMZ mode. The exception is if you have full access to the device and can configure it yourself (many ISPs these days are limiting users' ability to change settings) and can find some magic combination of settings that makes DMZ mode functional (typically this involves disabling features; remember, the less their rinky-dink hardware has to do, the better off you'll be).
     
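The point made above about DMZ mode is that the modem still tracks every flow, so a torrent client that opens thousands of connections fills the modem's connection table just as it fills Tomato's. You cannot read the modem's table, but every flow Tomato forwards is also a flow the modem must NAT, so Tomato's own conntrack table is a usable proxy for the load being pushed onto the modem. The POSIX shell script below is an added example, not code from this thread or from Tomato itself: it reports how full the router's conntrack table is and which hosts own the most flows. It assumes the 2.6-kernel proc paths (`/proc/sys/net/netfilter/nf_conntrack_count`, `nf_conntrack_max`, `/proc/net/nf_conntrack`, with the older `ip_conntrack` names as a fallback) and that each table line carries `src=`/`dst=` tokens, the first `src=` being the originating host; the conntrack lines in the usage note are constructed, not captured.

```shell
#!/bin/sh
# Added example for Tomato (busybox ash); not from the thread or from Tomato itself.
# Assumed proc paths: nf_conntrack_* first, older ip_conntrack_* names as a fallback.

# conntrack_file count|max|table -> prints the first readable matching proc file
conntrack_file() {
    case "$1" in
        table)     set -- /proc/net/nf_conntrack /proc/net/ip_conntrack ;;
        count|max) set -- "/proc/sys/net/netfilter/nf_conntrack_$1" \
                          "/proc/sys/net/ipv4/netfilter/ip_conntrack_$1" ;;
        *)         return 1 ;;
    esac
    for f in "$@"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# conntrack_pressure COUNT MAX -> "PERCENT STATUS", STATUS is ok|warn|full.
# warn at 70%, full at 90%: a DMZ modem with a smaller table than Tomato's
# would already be dropping new flows well before Tomato's own table fills.
conntrack_pressure() {
    count=$1; max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo "0 invalid"; return 1; }
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge 90 ]; then status=full
    elif [ "$pct" -ge 70 ]; then status=warn
    else status=ok
    fi
    echo "$pct $status"
}

# top_flow_sources < conntrack-table-text -> "COUNT IP" per originating host, busiest first.
# The first src= token on a line is the original direction: the LAN host for outbound
# flows, the Internet host for inbound flows the modem's DMZ rule forwarded to Tomato.
top_flow_sources() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { n[substr($i, 5)]++; break }
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# report_conntrack -> table pressure plus the five busiest flow sources on this router
report_conntrack() {
    cfile=$(conntrack_file count) || { echo "no conntrack counter found"; return 1; }
    mfile=$(conntrack_file max)   || { echo "no conntrack limit found"; return 1; }
    tfile=$(conntrack_file table) || { echo "no conntrack table found"; return 1; }
    echo "conntrack usage: $(conntrack_pressure "$(cat "$cfile")" "$(cat "$mfile")")"
    echo "busiest flow sources:"
    top_flow_sources < "$tfile" | head -n 5
}
```

Run `report_conntrack` on the router while the torrent client is active; if one LAN host owns most of the flows and the table is already in `warn` or `full`, that same flow count is what the modem is being asked to NAT in DMZ mode, which is where the "Internet becomes unusable" symptom comes from. Off-box, `top_flow_sources` can be fed constructed lines on stdin, e.g. `tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 ... src=203.0.113.5 dst=198.51.100.2 ...`.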
  9. RixNox

    RixNox Serious Server Member

    Thank you :)
     
  10. RixNox

    RixNox Serious Server Member

    Old topic, still topical.
    Unfortunately my request to configure the modem in bridge mode has been rejected by the ISP.
    Apart from the alternative DMZ host solution, what would happen when Tomato is configured as a router and the modem is too? Double routing and double NAT? Problems?
     
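The double-NAT question can be answered from the router itself by looking at the address Tomato gets on its WAN port. A public address means the modem is bridged (or at least passing the real address through) and there is a single NAT layer; an RFC 1918 address such as 192.168.x.x means the modem is still routing and NATing in front of Tomato, so it is double NAT whether or not Tomato is the modem's DMZ host; an address in 100.64.0.0/10 means the ISP is doing carrier-grade NAT upstream and no modem setting will open an inbound port. The POSIX shell functions below are an added example, not code from this thread or from Tomato; they classify an IPv4 address with plain shell arithmetic so they run in busybox ash on the router. The `wan_ip_of_iface` helper assumes busybox `ifconfig` output (`inet addr:...`) and that `vlan2` is the WAN interface on the RT-N16; both are assumptions, and the address can be passed directly instead.

```shell
#!/bin/sh
# Added example for Tomato (busybox ash); not code from the thread or from Tomato.

# classify_wan_ip ADDR -> prints public | rfc1918 | cgnat | invalid
classify_wan_ip() {
    saved_ifs=$IFS
    IFS=.
    set -f                 # no globbing while the unquoted address is split on dots
    set -- $1
    set +f
    IFS=$saved_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for octet in "$1" "$2" "$3" "$4"; do
        case "$octet" in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo invalid; return 1; }
    done
    if [ "$1" -eq 10 ]; then
        echo rfc1918                                  # 10.0.0.0/8
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        echo rfc1918                                  # 172.16.0.0/12
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then
        echo rfc1918                                  # 192.168.0.0/16
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        echo cgnat                                    # 100.64.0.0/10, RFC 6598 shared space
    else
        echo public
    fi
}

# explain_wan ADDR -> one line on what that WAN address implies for the modem/Tomato layering
explain_wan() {
    case "$(classify_wan_ip "$1")" in
        public)  echo "$1: public address, single NAT; the modem is bridged or passing the real address through, so Tomato's WAN firewall faces the Internet directly" ;;
        rfc1918) echo "$1: private address, double NAT; the modem is still routing and NATing in front of Tomato, so inbound ports must be forwarded on both devices or Tomato must be the modem's DMZ host" ;;
        cgnat)   echo "$1: carrier-grade NAT address; the ISP is NATing upstream and no inbound port can be opened on either device" ;;
        *)       echo "$1: not a valid IPv4 address" ;;
    esac
}

# wan_ip_of_iface IFACE -> the interface's IPv4 address from busybox ifconfig (assumed format)
wan_ip_of_iface() {
    ifconfig "$1" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}
```

On the router: `explain_wan "$(wan_ip_of_iface vlan2)"` (vlan2 being the assumed WAN interface); anywhere else: `explain_wan 192.168.1.2`. Note that a DMZ host still shows a private WAN address: the modem forwards unsolicited inbound traffic to it, but every packet is still translated twice and the modem's connection table stays in the path.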
  11. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    For home networks, one of the issues is port forwarding & UPnP. Symptoms such as problems with communication in multiplayer games would be common. Remote access can also be a problem.
     
  12. RixNox

    RixNox Serious Server Member

    At the moment none of those options is active (port forwarding, gaming, UPnP); remote access could be an issue (TeamViewer...).
     
  13. Marcel Tunks

    Marcel Tunks Networkin' Nut Member

    I don't know for sure, but you may be able to get TeamViewer going as long as you can set port forwarding on both the modem/router and your Tomato router.
     
  14. RixNox

    RixNox Serious Server Member

    More news! It looks like the ISP can configure the modem to open all ports and redirect traffic to the DMZ host (Tomato). I wonder why this config may hinder Tomato... isn't all traffic reaching Tomato anyway, when the modem is set up in bridge mode?
     
  15. RixNox

    RixNox Serious Server Member

    I have realized that with the DMZ solution/option you meant that the modem could potentially be overwhelmed/stressed... well, the same question applies here: at the moment the modem is already configured as a router with NAT (and Tomato is configured as an access point)..... so why should the modem be stressed further once Tomato is configured in router mode?
     
