Huawei Modem used only as Wifi router - DHCP & DNS problem?

[Laurijan]

Hello,

I got a Huawei DN9245W modem that I want to use as a Wifi access point in our mobile device repair company for testing repaired devices. Previous device we used is getting old and unsecure.
Idea is that the Wifi is isolated so even if customers can get into the Wifi when we forgot to delete Wifi connection on their phones they are not able to discover the our companies network devices (desktops, printers, IP cameras etc).
Found the Wifi isolation setting already and tested that its working at home where I want to set up the modem. For testing of isolation I use Wifiman on my iPhone.
In work we have a company 5G modem with like 10 ethernet ports but that is completely mobile operator controlled and there is no settings site for example Wifi setup.
My boss said something about the DHCP and DNS of the Huawei modem if connected to our network probably gonna mess up the IP addresses of our devices like PCs, printers etc.
Am no expert in networking so which settings should I change so that nothing gets new IP addresses that shouldnt when I connect the Huawei to the 5G modems ethernet?
If needed I can post pics of the Huawei modems setting site. Idea is to only connect the Huawei with 1 network cable to 5G modem and connect nothing else with cables to Huawei.
Thanks!

 

[Caring1]

If used as only an access point the IP addresses should remain the same.
You can also set up a guest network using the 2.4 and 5G ranges in the Huawei's settings.
I'm no expert but I did just connect an access point to my modem and only thing that changed was the log in to the wi-fi, no modem settings.

 

[TheLostSwede]

If the Huawei device has an access point mode, then it won't issue DHCP leases, nor will the DNS server be enabled.
However, in your specific case, you might not want to use the access point mode. Why? Because you might want to use double NAT, as then your customers devices would only know the Huawei device and wouldn't be able to see the rest of the network. This means leaving it in router mode. The Huawei device would in other words create its own network that it would assing IP addresses to and hide anything that sits on the other side of its WAN port, which you connect to one of the LAN ports on the existing router.
The downside to double NAT is that some services might not work properly, but it it's only for getting the customer devices on the internet, then this should work just fine.

 

[Laurijan]

If the Huawei device has an access point mode, then it won't issue DHCP leases, nor will the DNS server be enabled.
However, in your specific case, you might not want to use the access point mode. Why? Because you might want to use double NAT, as then your customers devices would only know the Huawei device and wouldn't be able to see the rest of the network. This means leaving it in router mode. The Huawei device would in other words create its own network that it would assing IP addresses to and hide anything that sits on the other side of its WAN port, which you connect to one of the LAN ports on the existing router.
The downside to double NAT is that some services might not work properly, but it it's only for getting the customer devices on the internet, then this should work just fine.

could there be an issue connecting the huawei modem with DHCP enabled to the 5G modem that the 5G modem is not main DHCP device anymore and thus messing up our workplaces IP adresses? I would just connect the huawei like any other device with 1 cable on the 5G modem.

 

[TheLostSwede]

could there be an issue connecting the huawei modem with DHCP enabled to the 5G modem that the 5G modem is not main DHCP device anymore and thus messing up our workplaces IP adresses? I would just connect the huawei like any other device with 1 cable on the 5G modem.

No, not as long as the two aren't on the same subnet. So make sure you check the IP address of the main router. It would be a real mess if both had the same IP address for starters, but you also don't want two DHCP servers on the same subnet. Ideally you run the main router on something like 192.168.1.1 or whatever IP address it has and the Huawei on 192.168.2.1 or 10.0.2.1, that way they are guaranteed not to clash. The Huawei still need to be able to issue IP addresses to the connected devices and act as a DNS server for them, hence why it has to be in router mode. The Huawei sort of acts like a firewall to the other network, in the sense that no devices connected to it will be able to see the main network when it's set up this way.

In a normal network, doubt NAT is considered bad, but in your case, it's what you want.

 

[Vincero]

However, in your specific case, you might not want to use the access point mode. Why? Because you might want to use double NAT, as then your customers devices would only know the Huawei device and wouldn't be able to see the rest of the network.

Whilst most sharing and discovery services would not see outside that subnet, it doesn't stop resources being accessible. To guarantee that statement you'd need some effective firewall rules or subnet mask that blocks off the rest of the subnet except for the next gateway device IP.

Depending on what level of security / logical seperation of each subnet OP may be after, this may not be a concern at all, but NAT itself between subnets isn't a security barrier.

 

[Bill_Bright]

You can also set up a guest network using the 2.4 and 5G ranges in the Huawei's settings.

^^^This^^^

 

[TheLostSwede]

Whilst most sharing and discovery services would not see outside that subnet, it doesn't stop resources being accessible. To guarantee that statement you'd need some effective firewall rules or subnet mask that blocks off the rest of the subnet except for the next gateway device IP.

Depending on what level of security / logical seperation of each subnet OP may be after, this may not be a concern at all, but NAT itself between subnets isn't a security barrier.

Well, there's obviously many ways of doing this, I wasn't suggesting an ultra secure solution, just one that would keep 99.9% of their customer from finding anything on their network, in case they forget to delete the network from the phones they test. You got an easier way to do this with a device you're not familiar with, go ahead and share away.

 

[Vincero]

Well, there's obviously many ways of doing this, I wasn't suggesting an ultra secure solution, just one that would keep 99.9% of their customer from finding anything on their network, in case they forget to delete the network from the phones they test. You got an easier way to do this with a device you're not familiar with, go ahead and share away.

That's fine, I was just pointing out for the OP that NAT isn't a security feature in itself - devices may not see other devices but that doesn't equal inaccessible.

The fact that the main 5G gateway device would be comparatively newer means it probably might have a guest AP function that might be useful - that would provide better seperation and less attack area for a hacker in terms of another AP on the normal internal LAN.
Without being there impossible to say what options there are.

 

[Laurijan]

That's fine, I was just pointing out for the OP that NAT isn't a security feature in itself - devices may not see other devices but that doesn't equal inaccessible.

The fact that the main 5G gateway device would be comparatively newer means it probably might have a guest AP function that might be useful - that would provide better seperation and less attack area for a hacker in terms of another AP on the normal internal LAN.
Without being there impossible to say what options there are.

5g modem is controlled by ISP and we would have to call them to set up guest wifi for a monthly cost. Didnt want to do that yet.

 

[Vincero]

That's the sort of ISP who I interpret as not wanting the business...

If you have that little control over it I would interpret as an untrustworthy device and, personally, would have my own firewall/gateway/UTM device handling the routed IP, off of which I'd have an internal/office LAN, guest/dirty LAN, and potentially even a WiFi controlled LAN segment where you can control MAC device access, isolation, etc.

5g modem is controlled by ISP and we would have to call them to set up guest wifi for a monthly cost. Didnt want to do that yet.

OK, well the DN9245W doesn't have an external ethernet socket connection from what I can see from online info.
You're only option with it is to use it as just another wireless access point. To do that you just need to a) configure it to an IP address you know it can use on the LAN, and b) turn off its DHCP services and connect it to your LAN using one of it's LAN sockets. Anything on that wireless network should be able to access any other LAN resources - even if wireless isolation is on, it doesn't protect everything on the network.

Note that if it (the other Huawei router, not the ISP one) has a guest wifi network function, it will likely not work as intended (if at all) as these just are an isolated wireless network that shares the routers WAN connection - in this case it will not have one so the isolated guest wireless network will be dead.

A shame it's not a candidate for OpenWRT / Lede or other option.

If you have a different other router that has an Ethernet WAN connection option then you could use subnet masking to seperate 2 LAN/Wifi networks (both of which can access the gateway device - i.e. the ISP router - but neither of which can access each other).

To be honest, if this is a permanent requirement what you're trying to do, want clear network seperation and control, and have an old defunct but perfectly usable stanble machine and a couple of network cards lying around..... OpnSense, pfSense, IPFire, etc., are all perfectly usable options to fairly easily achieve that (depending on your understanding of networking - it doesn't have to be anywhere near expert level) - you can use the old routers as wireless access points for your 'internal team' wifi and 'customer/guest' wifi.

 

[Bill_Bright]

5g modem is controlled by ISP and we would have to call them to set up guest wifi for a monthly cost. Didnt want to do that yet.

This is why I buy my own modem and my own wireless router. I have full control. And I don't pay a rental fee that, over time, results in paying many times the cost to purchase.

And for the record, I always buy separates too. "Residential gateway" devices (router, modem, wifi, 4-port Ethernet switch integrated into one box) are less expensive. And they are more convenient for ISPs. But not necessarily for users.

 

[Laurijan]

No, not as long as the two aren't on the same subnet. So make sure you check the IP address of the main router. It would be a real mess if both had the same IP address for starters, but you also don't want two DHCP servers on the same subnet. Ideally you run the main router on something like 192.168.1.1 or whatever IP address it has and the Huawei on 192.168.2.1 or 10.0.2.1, that way they are guaranteed not to clash. The Huawei still need to be able to issue IP addresses to the connected devices and act as a DNS server for them, hence why it has to be in router mode. The Huawei sort of acts like a firewall to the other network, in the sense that no devices connected to it will be able to see the main network when it's set up this way.

In a normal network, doubt NAT is considered bad, but in your case, it's what you want.

The IP address of the Huawei somethink 192.168.100.1 and subnet mask 255.255.255.0 and the 5G has completely different IP address but same subnet 255.255.255.0. Is it necessary to change subnet of Huawei to like 252.0.0.0 that they dont clash?

 

[Vincero]

The IP address of the Huawei somethink 192.168.100.1 and subnet mask 255.255.255.0 and the 5G has completely different IP address but same subnet 255.255.255.0. Is it necessary to change subnet of Huawei to like 252.0.0.0 that they dont clash?

It doesn't work like that.
If you're not using the gateway function and DHCP functionality from the Huawei, the subnet mask it applies is irrelevant/unused - no IP masking is happening on the Huawei device.

Only IP addresses can clash. Also, if you end up just using the Huawei device as a wireless AP with no DHCP functions, the internal LAN address it uses can be something completely different (i.e. 'x' can be in a different range 192.168.x), most devices which bridge the LAN/Wifi are not doing it on a network layer that impacts TCP operation - the only reason to have it use an address within the same range is so you can access admin functions via internel IP on the LAN.

This is why I buy my own modem and my own wireless router. I have full control. And I don't pay a rental fee that, over time, results in paying many times the cost to purchase.

And for the record, I always buy separates too. "Residential gateway" devices (router, modem, wifi, 4-port Ethernet switch integrated into one box) are less expensive. And they are more convenient for ISPs. But not necessarily for users.

Yeah, routers which do not have an option to enable/disable TR-069 protocol (regardless of if the ISP is really using it or not) is another reason I live in a modem mode way of working in terms of ISP supplied connection kit.

 

[Bill_Bright]

5G has completely different IP address

I think it is important to use correct terminology when discussing technical issues to avoid confusion and worse, mistakes.

5G commonly refers to the "5th generation" or "5G" cell phone network and has nothing to do with home wifi networks.

If we are talking about the 5 gigahertz or "5GHz" frequency band provided by most WAPs (wireless access points) found in wireless routers or gateway devices, then we should be saying 5GHz when talking about that wifi frequency or band.

5G is NOT the same thing as 5GHz.

 

[Laurijan]

It doesn't work like that.
If you're not using the gateway function and DHCP functionality from the Huawei, the subnet mask it applies is irrelevant/unused - no IP masking is happening on the Huawei device.

Only IP addresses can clash. Also, if you end up just using the Huawei device as a wireless AP with no DHCP functions, the internal LAN address it uses can be something completely different (i.e. 'x' can be in a different range 192.168.x), most devices which bridge the LAN/Wifi are not doing it on a network layer that impacts TCP operation - the only reason to have it use an address within the same range is so you can access admin functions via internel IP on the LAN.


Yeah, routers which do not have an option to enable/disable TR-069 protocol (regardless of if the ISP is really using it or not) is another reason I live in a modem mode way of working in terms of ISP supplied connection kit.

I think it is important to use correct terminology when discussing technical issues to avoid confusion and worse, mistakes.

5G commonly refers to the "5th generation" or "5G" cell phone network and has nothing to do with home wifi networks.

If we are talking about the 5 gigahertz or "5GHz" frequency band provided by most WAPs (wireless access points) found in wireless routers or gateway devices, then we should be saying 5GHz when talking about that wifi frequency or band.

5G is NOT the same thing as 5GHz.

Yes its a cellular 5G didnt want to cause confusion. Our customers also cant tell 5GHz wifi apart from 5G mobile connection

 

[Bill_Bright]

Our customers also cant tell 5GHz wifi apart from 5G mobile connection

It is confusing. This is why we in the know must always use the right terms so eventually they, or some of them at least, will get it sorted out too.

It is common among many terms. And sadly, marketing weenies are often to blame. For example, technically, there is no such thing as a "wireless routers". All routers are wired. Period. But they are marketed as wireless routers.

Having an integrated WAP included in the same box to add wifi support does not make it a wireless router. "Modem" and "router" are often confused too. Heck, many still call their entire computer a CPU.