Modem/Router issue

2,039 Views | 12 Replies | Last: 5 yr ago by UmustBKidding
Yellerjacket
Hey guys,

Wondering if I can find some help here. Haven't been able to find it anywhere else.

A month or so ago, I had our internet provider come out and install one of their modems, since my old modem was about 6 years old and sucked.

Ever since then, when I leave the house and come back, my phone will not reconnect automatically. I have to go to my settings and reconnect to wifi. When the available wireless networks show up, my network says "Disabled". I can click "connect" and everything is fine for a while. It will usually stay connected for less than an hour before it disconnects again and says "disabled".

This is driving me nuts. Is there an easy fix in my router settings or do I need to call the service provider out again?

The Modem/Router is a Hitron CGNVM-3582.
JSKolache
Are you locked into the provider's equipment? Buying your own separate modem and router is cheap these days. Can get both at Walmart
aTm2004
JSKolache said:

Are you locked into the provider's equipment? Buying your own separate modem and router is cheap these days. Can get both at Walmart
No crap. If you're having to rent their equipment, buying your own will pay for itself in about a year.
Yellerjacket
Thanks, guys. I think I'm just gonna go buy my own. Should have done that in the first place. Just thought maybe it was a simple fix. Tired of messing with it.

Now, I might be on here in a couple of days asking all kinds of questions on how to get it all set up!
eric76
If their router is required (which is quite possible) you should be able to plug your own router into it and connect to it. Just run a patch cable from the wan port on your router to one of the lan ports on theirs.
91AggieLawyer
...and be sure and turn OFF wifi on THEIR router.
eric76
Also, make sure that the lan ip address blocks are different. If they are both the same, then it can't route the traffic.

For example, if their router uses 192.168.1/24 and your router uses 192.168.1/24 for the lan side, then your router will have a 192.168.1/24 address on each side and you won't be able to pass traffic. If you encounter this, it can take a while to figure out.
UmustBKidding
Ya, router behind router is a TERRIBLE idea. Double NAT breaks lots of things (like most VOIP and lots of VPNs) and is wrong on many levels. If you must keep their gateway in routing mode you need to put your router in the DMZ. It looks like the Hitron software expects you to supply the DMZ member's IP address. This is similar to what you have to do to put an external router behind most UVerse routers. Assign a static mapping in the company router for the MAC address of the WAN of your router and add that IP address to the DMZ. Lots of Uverse examples you can use as a guide.
eric76
UmustBKidding said:

Ya, router behind router is a TERRIBLE idea. Double NAT breaks lots of things (like most VOIP and lots of VPNs) and is wrong on many levels. If you must keep their gateway in routing mode you need to put your router in the DMZ. It looks like the Hitron software expects you to supply the DMZ member's IP address. This is similar to what you have to do to put an external router behind most UVerse routers. Assign a static mapping in the company router for the MAC address of the WAN of your router and add that IP address to the DMZ. Lots of Uverse examples you can use as a guide.

If you have VOIP or a VPN, there are routers that can be set up as bridges that will just pass the traffic through. It will let you get the IP address from the first router and that one will solely control the traffic.
UmustBKidding
Just put it in the DMZ, it's the right way to do it. Two layers of NAT is just lazy and stupid. A layer 7 aware router is unlikely to exist on the shelf at Walmart, which is what the thread was suggesting.
eric76
UmustBKidding said:

Just put it in the DMZ, it's the right way to do it. Two layers of NAT is just lazy and stupid. A layer 7 aware router is unlikely to exist on the shelf at Walmart, which is what the thread was suggesting.

If you set the second up as a bridge, you don't have two layers of NAT.
UmustBKidding
I realize that, but why put a bridge or router in at all then? He said the only reason not to just use the one the company provided is that the Wifi disassociates itself with his cell phone. He does not need a router, he needs an access point. But not many access points for sale at box stores like WalMart/BB etc. and even far fewer "routers" that do bridging or VOIP/VPN pass through. The problem is that we have trained people that all in one is good and cheap is better. Unfortunately good/secure/quality devices cost a little bit more and are not as plug and play, so you mostly end up with junk boxes that work at the least acceptable level.
If people saw the output of an IPS/IDS system on their network connection most would be shocked and maybe practice a little more network hygiene.
eric76
UmustBKidding said:

I realize that, but why put a bridge or router in at all then? He said the only reason not to just use the one the company provided is that the Wifi disassociates itself with his cell phone. He does not need a router, he needs an access point. But not many access points for sale at box stores like WalMart/BB etc. and even far fewer "routers" that do bridging or VOIP/VPN pass through. The problem is that we have trained people that all in one is good and cheap is better. Unfortunately good/secure/quality devices cost a little bit more and are not as plug and play, so you mostly end up with junk boxes that work at the least acceptable level.
If people saw the output of an IPS/IDS system on their network connection most would be shocked and maybe practice a little more network hygiene.

My primary router/firewall device is a computer running OpenBSD with pf on it. Among other things, on an IP address by IP address basis, we have three categories of routable addresses on both IPv4 and IPv6.

The first category, LOCAL, permits connections originating at the address but refuses all connections originating at remote addresses. The second category, USA, permits connections originating at IPv4 or IPv6 address blocks within the US but refuses all connections from outside the US. The third category, ALL, allows all connections. Nearly every IPv4 address here is in the LOCAL category. The smallest category is ALL.

It's amazing how much this reduces port scans of our network. For example, when I added the categories above, one server that was seeing tens of thousands of connections to port 22 (SSH) per day as attackers tried to guess passwords saw a reduction in traffic to about ten to twenty such connections per day. Prior to doing this, one server saw 1.3 million connections to port 22 in two months, of which a little more than half were from one /24 block in Beijing, China.

While this won't stop break-ins, it should hopefully slow them down. Also, one nice thing for most of our customers who don't upgrade the firmware on their routers, it is going to be much harder for anyone to get to their router to break in since theirs are nearly always in the LOCAL category.

One thing I'm getting ready to add is to monitor incoming attempts to addresses that aren't currently being used (currently about 12) and add the IP addresses of any and all who attempt to connect to these addresses to a table and refuse all incoming attempts from them to any address. The bad thing is that the number of such scans we see each day will probably fill up our tables within two or three days.

Until we ran out of IPv4 addresses, the firewall itself didn't even have IP addresses. I just had to go to the computer room to access it. Now I'm stuck with using a pool of NAT addresses for many of our devices.

IPv4 is taking too long to die off. It would be great if everything was IPv6 and we could stop using NAT forever.
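
A pf.conf ruleset for the LOCAL / USA / ALL categories and the unused-address table described in the post above, added here as an illustration; it is not eric76's ruleset. The interface name, the addresses (documentation prefixes), the table names and the file path are assumptions.

```pf
# Added example, not the poster's configuration.
# Interface, addresses, table names and file path are assumed placeholders.
ext_if = "em0"

# USA and ALL categories; IPv4 and IPv6 entries can share one table.
table <cat_usa> persist { 203.0.113.128/28, 2001:db8:20::/48 }
table <cat_all> persist { 203.0.113.144/29, 2001:db8:30::/48 }

# US address blocks, one CIDR per line, maintained outside pf.
table <us_blocks> persist file "/etc/pf.us_blocks"

# Addresses assigned to no host, and sources seen probing them.
table <unused>   const { 203.0.113.200/30 }
table <scanners> persist

# Raise the table-entry limit so a busy <scanners> table has headroom.
set limit table-entries 400000
set skip on lo

# Sources already flagged are refused for every destination.
block in quick on $ext_if from <scanners>

# Probes to unused addresses are dropped and logged to pflog0.
# pf does not add the source to <scanners> on a block rule; a
# separate process reading the log has to do that.
block in log quick on $ext_if to <unused>

# Default: refuse connections that originate remotely.
block in on $ext_if

# ALL: reachable from anywhere.
pass in on $ext_if to <cat_all>

# USA: reachable only from US address blocks.
pass in on $ext_if from <us_blocks> to <cat_usa>

# LOCAL: every address in neither table. No "pass in" rule exists, so
# only replies to connections the local host opened get back in,
# matched by the state created on the way out.
pass out on $ext_if
```

`pfctl -nf /etc/pf.conf` parses the file without loading it. Entries go into the scanner table with `pfctl -t scanners -T add <address>`, and `pfctl -t scanners -T expire 86400` drops entries older than a day, which keeps the table from growing without bound.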
UmustBKidding
I run pfSense at home and both Cisco and Juniper at work locations. But would far rather have people running pf than even DD-WRT/OpenWrt, Tomato etc. Pf with Snort, bogon and geo blocking tames things a lot. But they would rather buy a $40 craptastic router at Wal-Mart. I lived through the net conversion from NCP to IP and the only reason it worked was there was a drop-dead date. The IMPs magically quit routing NCP and it was done. Unfortunately the 4to6 thought coexistence was a good thing and NAT facilitated even more devices to be deployed as IPv4, making the transition harder. There are devices that will never support IPv6 and people won't throw them away, so things like NAT64 and Teredo unfortunately will be around.
And this guy's gateway supports IPv6, maybe they are converting and that is why they forced it on him.