Bell Giga hub - double NAT or PPPoE?


What is double NAT and why is it bad?

Network address translation (NAT) is a function that your router or gateway performs to create your network. NAT translates between the wide area network (WAN) IP address that your Internet service provider (ISP) assigns you and the private addresses on your LAN, which allows multiple devices in your network to share the one public address. NAT also gives your network a measure of protection, because unsolicited inbound connections have no mapping and never reach your local IP addresses.

Double NAT occurs when you connect your router to an ISP gateway or another router. Because NAT is performed by each router or gateway, your network is split into two different private networks. The devices connected to one private network might have communication problems with the devices connected to the other private network, and you might experience problems with automatic port forwarding/triggering.

Is it really bad though?

I feel as if most people just automatically jump to the conclusion that this is a bad thing; it is a bit more nuanced than that.

Some could consider this a blessing in a way; the UPnP protocol isn't exactly going to win over any security-conscious network administrators, so perhaps it is a good thing that port forwarding rules and static routes have to be defined explicitly. I certainly do: it's almost another hurdle that any rogue bots or programs would have to get over (not a difficult one, but a roadblock of sorts). The only port I do have explicitly defined is the one for the Plex server I share with family and friends.

Sure, there's some overhead/performance hit as a result of having to translate addresses twice. Probably not something to lose sleep over, however.

IPv6

One of the main reasons we have NAT to begin with is the finite pool of IPv4 addresses; in a typical home scenario the idea was to take one public IP address and map it to one of the private RFC1918 ranges (i.e. 10.x.x.x, 172.16.x.x, 192.168.x.x).

Will IPv6 addresses run out eventually? In practical terms, no. There are 2^128, or roughly 340 trillion trillion trillion, IPv6 addresses, which is more than 100 times the number of atoms on the surface of the Earth. This will be more than sufficient to support trillions of Internet devices for the foreseeable future.

IPv4 still lives on, though; while there has undoubtedly been a slow migration to v6, there are a lot of legacy devices and ISPs (seemingly including Bell Canada) that haven't made the switch. Google publishes some interesting statistics about the percentage of users that access Google over IPv6 here.

As I found out recently, Rogers/Teksavvy does seem to be handing out both types of addresses.

Bridge mode

As I mentioned in an earlier post, I'm not a fan of the ISP router doing anything other than interfacing with the WAN-side infrastructure; I don't need it to also be a router, DHCP server, Wi-Fi access point, etc.

Earlier post: Teksavvy cable internet quirks

Unfortunately, Bell doesn't let us prosumers switch the Giga Hub into bridge mode (although their business customers apparently can). There have been some rumors, however, that if you encounter a kind and benevolent technician and offer them milk and cookies, they'd be willing to take pity on you, end your suffering and make the change for you.

PPPoE pass-through

Go on Reddit or RedFlagDeals and you'll see tons of posts on how to get this done. You'll need your B1 username and password; if your installation tech didn't give it to you, you can get it from the Bell online account portal or the MyBell app.

According to various accounts, the Giga Hubs aren't very reliable: they can lose configured settings (e.g. disabled Wi-Fi somehow miraculously coming back on), so I'm not a fan of that.

PPPoE client performance is another concern of mine; another basic web search will lead you to reports of poor PPPoE performance with either Linux or BSD, unless of course you have a beefy CPU where a fast single core can make up for the fact that the client is single-threaded.

PPPoE is Point-to-Point Protocol over Ethernet. It's essentially a relic of good old DSL that authenticates you to your ISP's server. It encapsulates the packets with a session ID so the far-end server can verify which subscriber the packet belongs to and whether the packet is allowed on the network. However, it can cause packet fragmentation, because the extra header eats into the Ethernet MTU. Encapsulation is a costly process because the device needs to open the Ethernet frame to insert the PPPoE header, then reconstruct the packet to send it out on the desired interface, much like a VPN (of sorts, but in clear text).

That's why PPPoE encapsulation tended to be done on a separate coprocessor/ASIC to offload the CPU. Encapsulating 3 or 8 Gbps at line rate without an increase in latency requires either a coprocessor or a powerful x86/ARM CPU, because this workload is often single-threaded. PPPoE is disappearing. Manufacturers don't include dedicated hardware because it's not used anymore, except by a few remaining ISPs like Bell. It's still a good protocol for what it's supposed to do, I suppose. That's why it's better to activate the Advanced DMZ at speeds higher than 1.5 Gbps: your equipment likely doesn't have dedicated PPPoE hardware, so you'll be limited in speed, while the Giga Hub is specced to support at least up to 8 Gbps of PPPoE encapsulation. It depends on the router/appliance and the other services the appliance needs to handle. A Ubiquiti UDM-Pro with a 3 Gbps PPPoE session, full IPS/DPI, Protect for cameras and its built-in controller is likely to bottleneck somewhere.
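To make the encapsulation cost concrete, here is an added example (my own code, not from the post or from Bell) that builds and parses PPPoE session-stage frames as laid out in RFC 2516: a 6-byte PPPoE header plus a 2-byte PPP protocol field in front of every IP packet. Those 8 bytes are exactly why the usable MTU on a PPPoE link drops from 1500 to 1492, and why routers clamp TCP MSS to 1452 on the WAN to avoid the fragmentation the post mentions. All MAC addresses, session IDs and packets are constructed.

```python
"""PPPoE session-stage framing (RFC 2516) and its MTU cost.

Added example, not code from the post. It builds and parses the 8 bytes that
PPPoE adds to every IP packet (6-byte PPPoE header + 2-byte PPP protocol
field), which is why the usable MTU drops from 1500 to 1492 and why TCP MSS
is commonly clamped to 1452 on PPPoE links. All frames here are constructed.
"""
import struct
from typing import Tuple

ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_IPV6 = 0x0057
PPPOE_VERTYPE = 0x11          # version 1, type 1
PPPOE_CODE_SESSION = 0x00     # session-stage data frame
ETH_MTU = 1500
PPPOE_OVERHEAD = 6 + 2        # PPPoE header + PPP protocol field
PPPOE_MTU = ETH_MTU - PPPOE_OVERHEAD          # 1492 bytes of IP packet per frame
PPPOE_TCP_MSS = PPPOE_MTU - (20 + 20)         # 1452 after IPv4 + TCP headers


def pppoe_encap(session_id: int, ppp_proto: int, ip_packet: bytes) -> bytes:
    """Wrap an IP packet in a PPP protocol field and a PPPoE session header."""
    ppp = struct.pack("!H", ppp_proto) + ip_packet
    header = struct.pack("!BBHH", PPPOE_VERTYPE, PPPOE_CODE_SESSION, session_id, len(ppp))
    return header + ppp


def ethernet_frame(dst_mac: bytes, src_mac: bytes, pppoe_payload: bytes) -> bytes:
    """Put the PPPoE payload into an Ethernet II frame with the session EtherType."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe_payload


def pppoe_decap(pppoe_payload: bytes) -> Tuple[int, int, bytes]:
    """Reverse of pppoe_encap: returns (session_id, ppp_proto, ip_packet).

    Raises ValueError rather than trusting a malformed length field.
    """
    if len(pppoe_payload) < PPPOE_OVERHEAD:
        raise ValueError("too short for PPPoE + PPP headers")
    vertype, code, session_id, length = struct.unpack("!BBHH", pppoe_payload[:6])
    if vertype != PPPOE_VERTYPE or code != PPPOE_CODE_SESSION:
        raise ValueError("not a PPPoE session-stage frame")
    ppp = pppoe_payload[6:6 + length]
    if len(ppp) != length or length < 2:
        raise ValueError("PPPoE length field does not match the payload")
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    return session_id, ppp_proto, ppp[2:]


def fits_in_one_frame(ip_packet_len: int) -> bool:
    """A packet longer than PPPOE_MTU must be fragmented (or dropped if DF is set)."""
    return ip_packet_len <= PPPOE_MTU


if __name__ == "__main__":
    # Constructed 1024-byte "IP packet"; the frame grows by exactly 8 bytes.
    packet = bytes(range(256)) * 4
    frame = pppoe_encap(0x1234, PPP_PROTO_IPV4, packet)
    print(len(packet), "->", len(frame), "bytes; usable MTU", PPPOE_MTU, "MSS", PPPOE_TCP_MSS)
    print(pppoe_decap(frame)[:2])
```

Every frame passes through pppoe_encap and pppoe_decap, which is the per-packet copy-and-rebuild work the post describes; in a software PPPoE client that work lands on one core. When the Giga Hub terminates PPPoE and hands a plain Ethernet link to your own router, the 8-byte overhead and the MSS clamp still apply to the path, they just live on the hub instead of on your firewall.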

In an ideal world - why is Bell Canada still even using PPPoE? Please just let us have DHCP.

So what exactly is my current setup?

I've taken the approach of - fine; I'll just let the Bell Giga Hub do its thing, but I'll clip its wings.

Disabled all forms of Wi-Fi.

Turned off UPnP/DLNA/SIP etc.

Left DHCP on, but I have only one other device connected to it over the 10G Ethernet port.

My pfSense router Athena, named after the ancient Greek goddess of wisdom, handles the actual networking internals of my LAN.

I've also put Athena into the Advanced DMZ.

I've been using this for months now, and I'm happy with the performance and stability so far. I get to deploy and be responsible for my own gear and infrastructure, and on the WAN side I get the 1.5 Gbps/900 Mbps service I pay for, so I'm content.
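The double NAT section earlier and the setup just described are two views of the same thing, so here is one added example (my own code, not the post's and not how Bell implements anything) that models both: the Giga Hub as the outer NAT, a downstream router standing in for Athena as the inner NAT, an outbound flow that works with no configuration, and an unsolicited inbound connection that is dropped until every layer has a rule for it, or until the outer layer hands unmatched traffic to the inner router as its DMZ host. The addresses, the flow and the "forward everything unmatched to the DMZ host" behaviour are constructed simplifications; the RFC1918 and CGNAT checks are the quick way to confirm from a router's own WAN address that it sits behind another NAT.

```python
"""Toy model of two stacked NAT layers (double NAT) and a DMZ host.

Added example, not code from the original post. It models the Bell Giga Hub
as the outer NAT and a downstream router (the post's pfSense box "Athena")
as the inner NAT, with constructed addresses and a constructed flow.
The DMZ behaviour is a simplification: unmatched inbound packets are handed
to the DMZ host unchanged.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")      # RFC 6598 carrier-grade NAT range


def classify_wan(ip: str) -> str:
    """Classify the address a router sees on its WAN side.

    'rfc1918' or 'cgnat' means another NAT sits upstream, i.e. double NAT.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in CGNAT:
        return "cgnat"
    return "public"


@dataclass
class Nat:
    name: str
    wan_ip: str
    dmz_host: Optional[str] = None
    outbound: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (lan_ip, lan_port) -> wan_port
    inbound: Dict[int, Tuple[str, int]] = field(default_factory=dict)   # wan_port -> (lan_ip, lan_port)
    next_port: int = 40000

    def forward(self, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """Explicit port-forward rule (the thing UPnP would otherwise add for you)."""
        self.inbound[wan_port] = (lan_ip, lan_port)

    def translate_out(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """LAN -> WAN: allocate a WAN port and remember the mapping for replies."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.wan_ip, self.outbound[key]

    def translate_in(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """WAN -> LAN: use a mapping or forward rule; otherwise DMZ host or drop."""
        hit = self.inbound.get(dst_port)
        if hit is None and self.dmz_host is not None:
            return self.dmz_host, dst_port
        return hit


def outbound_path(layers: List[Nat], src_ip: str, src_port: int) -> Tuple[str, int]:
    """Walk a packet out through each NAT (inner first); return what the Internet sees."""
    ip, port = src_ip, src_port
    for nat in layers:
        ip, port = nat.translate_out(ip, port)
    return ip, port


def inbound_path(layers: List[Nat], dst_port: int) -> Optional[Tuple[str, int]]:
    """Walk an unsolicited packet in (outer NAT first); None means a layer dropped it."""
    ip, port = "", dst_port
    for nat in reversed(layers):
        hit = nat.translate_in(port)
        if hit is None:
            return None
        ip, port = hit
    return ip, port


def demo() -> dict:
    # Constructed addresses: 203.0.113.10 (TEST-NET-3) stands in for the Bell public IP;
    # Athena's WAN lives inside the hub's LAN, so Athena sees an RFC1918 address.
    giga_hub = Nat("GigaHub", wan_ip="203.0.113.10")
    athena = Nat("Athena", wan_ip="192.168.2.10")
    layers = [athena, giga_hub]
    lan_host, plex_port = "10.0.0.5", 32400          # Plex's default port
    r = {"athena_wan_kind": classify_wan(athena.wan_ip)}
    # Outbound flows need no configuration at either layer.
    r["outbound"] = outbound_path(layers, lan_host, 51000)
    # Unsolicited inbound: a forward rule on the inner router alone is not enough...
    athena.forward(plex_port, lan_host, plex_port)
    r["inner_only"] = inbound_path(layers, plex_port)
    # ...each layer needs a rule, or the outer one must hand everything unmatched
    # to the inner router as its DMZ host (the approach the post settles on).
    giga_hub.dmz_host = athena.wan_ip
    r["with_dmz"] = inbound_path(layers, plex_port)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The DMZ shortcut is convenient, but it means the inner router is now the one and only thing deciding what gets in, so its own firewall rules carry the whole load; a single explicit forward for the one exposed service, as the post does for Plex, keeps the surface to exactly that port.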

I still hope that one day, not too far in the future, Bell Canada will just give us a bridge mode that "just works" using DHCP.