# Time Capsule forces me to use Bridged mode.



## applemaz (Nov 8, 2011)

I have Verizon FIOS so a coaxial cable has to plug into my router.  Since Time Capsule has no Coax interface, I have to plug it into the Verizon router/modem.  I shut off wireless on the Verizon router/modem and then connect my Time Capsule to the Verizon router/modem via an ethernet cable.  

I am not allowed to select anything other than bridged mode on the Time Capsule.  Is there any way around this?  I really only need the Verizon router/modem to act as the modem so my TC can do the routing and wireless.


----------



## Satcomer (Nov 8, 2011)

Does this Verizon "modem" have a router inside of it? If it does, then you are going to run into 'double NAT' error territory. Let me explain.

There are two different versions of IPs the Internet uses (in IPv4). There are Private IPs: 

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255

Private IPs can NOT be "routed" across the Internet. This is done to save IPs (IPv4) for Public IPs across the Internet. 

So your ISP sells you ONE Public IP. Then a "router" does what is called NAT (Network Address Translation). Then most home routers "translate" all the internet equipment (each network equipment (computers, Network Attached hard drives or printers, etc.)) using DHCP.

Now ALL home "routers" do NAT. That means each router's DHCP gives out a subnet (i.e. 192.168.0.1). The "subnet mask" (i.e. 255.255.255.0) allows you (as a user of the router) to give your network a range of IPs (192.168.0.1-254) using the DHCP service (automatic IP assigning).

Now, for sharing on a network and not sharing across the Internet, all devices must be in the same "subnet". So when you put another "router" behind another router (in home networks) already doing NAT (Network Address Translation). That is why in Apple routers they have "Bridged Mode" to turn off NAT because it is behind another router doing NAT.

Now you know why Apple routers give "double NAT" error. So leave that Apple Time Capsule in "Bridged mode" and this will leave the Time Capsule not to do NAT and let the main "gateway" router (router closest to the modem) do the NAT. This will not affect the Time Capsule's function and will prevent future network errors that will happen if you run another NAT behind another router. Collisions will happen all the time and really slow your network down.

Now to prove this to you, open System Preferences->Network and remember the router IP of your non-Apple router. Then put that IP into the Address Bar of your favorite browser and it will take you to that router (here are all router default username/passwords). Once in that router, find the ISP IP that is assigned to that router. Then put that IP into your browser window and it will take you to your ISP modem's wiki setup page. Be careful because you can really mess up the settings!!!


----------
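
An added example, not part of the original posts: a Python sketch of the double-NAT check described in Satcomer's post above, using the three private ranges it lists. The router dictionaries, their field names and every address in them are constructed for illustration.

```python
import ipaddress

# The three private IPv4 ranges listed in the post (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def same_subnet(a, b, mask):
    """True if hosts a and b share a subnet under the given mask."""
    net = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    return ipaddress.ip_address(b) in net


def nat_layers(chain):
    """Count routers in the chain that translate addresses.

    A router in bridged mode (nat=False) passes traffic through untranslated.
    """
    return sum(1 for r in chain if r["nat"])


def diagnose(chain):
    """Return findings for a chain of routers, outermost first."""
    findings = []
    for r in chain:
        if r["nat"] and is_private(r["wan"]):
            findings.append(f"{r['name']}: WAN {r['wan']} is private, "
                            "so another NAT sits in front of it")
    if nat_layers(chain) >= 2:
        findings.append("double NAT")
    return findings


# Constructed sample addresses; 203.0.113.7 is from a documentation range.
FIOS = {"name": "FiOS router", "wan": "203.0.113.7",
        "lan": "192.168.1.1", "mask": "255.255.255.0", "nat": True}
TC_ROUTING = {"name": "Time Capsule", "wan": "192.168.1.2",
              "lan": "10.0.1.1", "mask": "255.255.255.0", "nat": True}
TC_BRIDGED = dict(TC_ROUTING, nat=False)

if __name__ == "__main__":
    print(diagnose([FIOS, TC_ROUTING]))   # Time Capsule routing behind FiOS
    print(diagnose([FIOS, TC_BRIDGED]))   # Time Capsule in bridged mode
    print(same_subnet(FIOS["lan"], TC_ROUTING["wan"], FIOS["mask"]))
```

With the Time Capsule routing, a Mac on 10.0.1.x and a printer on 192.168.1.x fail `same_subnet`; in bridged mode every client lands in the FiOS router's 192.168.1.x range.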



## applemaz (Nov 8, 2011)

I took the TC out of bridged mode and saw the double-NAT error you spoke of.  Thank you for that explanation.  I definitely don't want to do double-NAT.

The reason I am interested in NOT operating in Bridged Mode is that I have 2 older Macs (Pismo and Clamshell iBook) with the original Airport cards and I wanted to use them on my network from time to time by setting up TC's Guest network option.  Unfortunately, it isn't an option when the TC is in Bridged Mode.

I want Wireless-N with WPA2 AES encryption for my main connection while offering my Guest Network lower encryption and the TC's option of having a timed connection (24 hours) then disconnecting the Guest.

Do you have any ideas on getting my Pismo and Clamshell iBook on the network?  I don't believe the original Airport supports WPA2 so they can't get on my network as is and I don't want to compromise security by going WEP.

Can the old Airport be made to support WPA1 and if so, is that still fairly secure?  My current WPA2 passphrase is 25 characters so I'd do the same for WPA1 if that would be about as safe.


----------



## ElDiabloConCaca (Nov 8, 2011)

This is how I did it with AT&T U-Verse, and I suspect it would be similar for your FiOS connection:

1) Access the router set-up page of the FiOS-supplied router.
2) Disable all wireless on this router.
3) Disable DHCP on this router.
4) Give the AirPort Extreme a static IP address.
5) Place the AirPort Extreme's IP address into the DMZ of the FiOS router.

Voila!  All network traffic is now "controlled" by the AirPort Extreme, and for all intents and purposes, it's the most outward-facing router, so if you have any port-forwarding needs, you only need to apply them to the AirPort Extreme... the fact that it's in the DMZ (and also the only device connected to the FiOS router) means that all traffic magically goes to the Extreme by default.

I'm not in front of my setup at the moment, but I believe that's what I did.  There are one or two things you may not have to do verbatim -- for example, I left DHCP on (and simply assigned the AirPort Extreme an IP outside of the range of the DHCP range) so that different U-Verse services can still use the "master" router for their services (for example, the TV boxes must be connected to the U-Verse box in order to function -- connecting them to the AirPort Extreme will not work, but all traffic from the outside STILL goes to the Extreme by virtue of the DMZ setting).


----------



## Satcomer (Nov 8, 2011)

To explain what ElDiablo said: "DMZ" means "Demilitarized Zone". In simple terms, that means no firewall port that is open to the internet.


----------
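
An added example, not part of the original posts: a Python sketch of the two things ElDiabloConCaca's steps and Satcomer's DMZ explanation rely on, namely a static address that stays clear of the DHCP range and a DMZ host that receives unsolicited inbound traffic by default. The function names, the addresses and the rule that an explicit port forward takes precedence over the DMZ host are assumptions of this simplified model.

```python
import ipaddress


def check_static_ip(static_ip, router_lan, mask, pool_start, pool_end):
    """Return problems with a static address chosen for the DMZ host."""
    net = ipaddress.ip_network(f"{router_lan}/{mask}", strict=False)
    ip = ipaddress.ip_address(static_ip)
    problems = []
    if ip not in net:
        problems.append("not in the router's subnet")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address")
    if ip == ipaddress.ip_address(router_lan):
        problems.append("same as the router")
    if ipaddress.ip_address(pool_start) <= ip <= ipaddress.ip_address(pool_end):
        problems.append("inside the DHCP pool")
    return problems


def inbound_target(dst_port, port_forwards, dmz_host):
    """Where the outer router sends an unsolicited inbound connection.

    Simplified model: an explicit port forward wins, then the DMZ host
    receives everything else; with neither, the connection is dropped (None).
    """
    if dst_port in port_forwards:
        return port_forwards[dst_port]
    return dmz_host


# Constructed sample plan: outer router, its DHCP pool, and the AirPort.
ROUTER_LAN, MASK = "192.168.1.1", "255.255.255.0"
POOL = ("192.168.1.100", "192.168.1.150")
AIRPORT = "192.168.1.2"

if __name__ == "__main__":
    print(check_static_ip(AIRPORT, ROUTER_LAN, MASK, *POOL))
    print(check_static_ip("192.168.1.120", ROUTER_LAN, MASK, *POOL))
    # Every port reaches the DMZ host, so its own firewall is the only filter.
    print(inbound_target(443, {}, AIRPORT))
    print(inbound_target(443, {}, None))
```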

