Can an ISP see LAN traffic?

If I use their stock router, can they see the LAN traffic across machines? Like shares on a NAS?

Yes, that’s why you don’t.


hm, there was actually a pretty good CCC (or DEFCON?) talk about this like a decade ago; I can’t seem to find it. Anyone remember it?

edit: here is a related one: Beyond your cable modem - media.ccc.de


I would guess it’d be something to do with TR-069

Technically? Yeah, it passes through a device where they control software.

Realistically? They don’t give a shit.

Is it still a privacy problem? Yes, ISP modems are frequently hacked, potentially by someone who does give a shit.

A few years ago, on an ISP provided modem/router combo device I found a port forward (WAN to LAN) that I know I did not add. I had added a couple of port forwards of my own, fully documented that, and their rogue port forward was obvious. I do not know if the ISP did that or if it was a random bad actor. My personal router/firewall behind the ISP provided modem router combo device neutralized whatever they were attempting, but it provided a lesson in how insecure using someone else’s equipment really is. Never trust the ISP provided hardware.

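The check the post above describes (keep your own port forwards documented, then compare what the router actually has against that record) can be scripted. This is an added example, not code from the thread: the one-line-per-rule dump format, the baseline, and the sample addresses are all constructed here; adapt `parse_dump` to whatever your device exports.

```python
"""Audit a router's WAN -> LAN port-forward table against a documented baseline.

Added example for illustration only; the dump format and all addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    proto: str
    wan_port: int
    lan_ip: str
    lan_port: int


# Constructed baseline: the forwards the owner deliberately created and wrote down.
DOCUMENTED = {
    Forward("tcp", 443, "192.168.1.10", 443),
    Forward("udp", 51820, "192.168.1.20", 51820),
}

# Constructed dump of the router's current table, one rule per line as
# "<proto> <wan_port> -> <lan_ip>:<lan_port>". The third rule is the one nobody added.
ROUTER_DUMP = """\
tcp 443 -> 192.168.1.10:443
udp 51820 -> 192.168.1.20:51820
tcp 8080 -> 192.168.1.5:80
"""


def parse_dump(text: str) -> set[Forward]:
    """Parse the constructed dump format into a set of Forward rules."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, wan_port, arrow, target = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected rule format: {line!r}")
        lan_ip, lan_port = target.rsplit(":", 1)
        rules.add(Forward(proto.lower(), int(wan_port), lan_ip, int(lan_port)))
    return rules


def audit(current: set[Forward], documented: set[Forward]) -> dict[str, set[Forward]]:
    """Return rules on the router that are not in the baseline, and baseline rules that vanished."""
    return {
        "undocumented": current - documented,  # candidate rogue forwards
        "missing": documented - current,       # rules someone removed behind your back
    }


if __name__ == "__main__":
    for kind, rules in audit(parse_dump(ROUTER_DUMP), DOCUMENTED).items():
        for r in sorted(rules, key=lambda f: (f.proto, f.wan_port)):
            print(f"{kind}: {r.proto}/{r.wan_port} -> {r.lan_ip}:{r.lan_port}")
```

Run it on a schedule against a fresh export and any "undocumented" line is worth investigating, whoever put it there.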

You will have to check your local laws before assuming this is true. In most cases with ISP-provided routers they do log at least all your local MAC addresses at minimum, and if they do that then there are also laws in many places requiring they retain that information for law enforcement investigations.


The pfSense / PF documentation is murky on this, but it is my understanding that one or both of them provide a feature called Static Port. Regardless of the vague naming, I think Static Port sets the MAC address of all WAN / outgoing traffic to the router/firewall’s WAN MAC address. Instead of LAN MAC addresses being shown in Internet traffic, everything outside appears to be the router/firewall’s WAN MAC. Supposedly, Static Port handles all the MAC address translation similar to how NAT handles the IP address translation.

Please correct me if I am off base on this. Again, the product docs could use some work. If I understand all this correctly, Static Port would keep LAN MAC addresses out of ISP logs.