I’m seeing lots of good discussions concerning routers (ISP-provided vs privacy firmware like DD-WRT, etc.) but what about ISP modems? Are there practices or changes we should be implementing on the ISP modems? My initial assumption is that we have little to no configurable options on that modem, except to be sure to randomize my router’s MAC address.
You should avoid using it for anything other than a modem.
Ideally you should enable PPPoE passthrough (or ask your ISP to enable it) and then just use a proper (possibly OpenWRT) router behind it with your PPPoE credentials.
If it’s lacking such a feature, then the next best thing is bridge mode.
On this point, I recommend reading my post on what randomizing the router’s MAC address will and won’t do. It’s a relatively low-effort but low-yield outcome.
You can also buy your own Modem, but this gets trickier with fiber. Even so, the ISP needs to configure your modem to work with their setup.
PPPoE seems to be common for DSL from what I briefly read. For cable or fiber, I don’t think this is an option. And I’m not sure why you’d recommend bridged mode - this is for specific topologies, not just every use case.
I’m on gigabit fiber with PPPoE, with passthrough to my OpenWRT router right now.
Because you’d want to entrust NATing, LAN traffic, and firewalling to your trusted proper router, instead of the ISP’s. And double NAT is stupid.
some starter links for ont bypasses:
Thank you for the reply and this information on “Router MAC address randomization”. I am doing my best to understand the value of which devices can “see” my router’s specific MAC address. The best I can determine on that part is that to be of any value, a person must reboot a randomized MAC address regularly, but even then (per this write-up), it doesn’t actually help with privacy from the ISP? (I thought one specific privacy recommendation was to always use a randomized MAC address on the router.)
As for the Modem configuration, I think I am understanding that we should log into the Modem and configure PPPoE passthrough. This Modem configuration will increase Privacy because it bypasses the ISP’s ability to “see” what we are doing?
(as always, I have to ask stupid questions to get my brain to actually comprehend..)
The ISP will always see your outgoing traffic, you’re sending it to them. If you want to avoid that, you want a VPN. (And maybe configure it on your router to tunnel everything.)
What moving PPPoE to your trusted router can help with is that it removes any insight or access the ISP modem has or could have to your internal traffic, connected devices, etc. It turns the device into a box that just turns ethernet into fiber / dsl (this is a bit of an oversimplification). It no longer does (much) networking.
EDIT:
There’s a great recent DEFCON talk about hacking ISP modems: https://www.youtube.com/watch?v=MmpkfM8I33Q
Generally you just want to give the least amount of access to the ISP’s devices to both your network and your traffic, so reducing its role in everything is always the best step you can take. Really, just assume the thing is just outright malicious, since they’re all notably insecure. That can be
- Replacing it entirely (see How should I configure my ISP-provided modem? - #5 by SkewedZeppelin)
- Moving PPPoE to your router
- Moving off NATing and firewalling at least.
The earlier the point you can do, the better, but it depends on your connection type, your ISP’s policies, and your ISP modem.
I logged into the ISP DSL modem (C4000LG) and the best I can tell, the closest option to “PPPoE Passthrough” is labeled as “Transparent Bridging” (it is at the bottom of this link’s page).
Is this correct?
Happy to move this to its own question if it becomes an involved answer or seems too off topic.
Comcast/Xfinity is the only reliable ISP in my area, and so I decided to move to an offbrand modem as a potential minimal connection enabled along with Firewalla. I’m not sure if this actually does anything other than enable me not to use their router since there’s no modem only option. My hopes were that using an off branded modem would at least slow the capabilities that they would have with their own modems.
I just did a basic up with the modem, and then everything else lives behind my Firewalla as the router where I do all my managing. All of the management and configs exist locally with a small amount of traffic that routes directly between me and Firewalla servers to provide dynamic DNS that keeps a consistent domain name for my external home services when Xfinity changes the IP address. I then just route all my traffic through Proton VPN when communicating outside, and anything anon obviously routes me to Tor, which likely blends in better with Proton’s traffic patterns.
Is there any configuration I need to consider for this modem since it’s mostly just a medium to connect to Xfinity and I otherwise keep everything well blocked behind Firewalla/VPN?
Never heard of Firewalla, I just use OpenWRT and a cheap as shit Xiaomi router, but if what you’re saying is correct and it just tunnels everything and isn’t misconfigured real bad, you should be golden. Regardless of whatever modem you use actually. Moving PPPoE to the router or switching to bridge mode just improves latency / bandwidth / reliability / overall sanity of the setup since you reduce the useless hops the traffic goes through, as in my experience ISP modems are pretty shit.
My hope is to understand the correct privacy configuration/settings for the ISP modem on DSL.
Here is what I think I’ve learned so far:
Modem: Configure it to be a simple passthrough (my modem only offers “Transparent Bridging” which I am assuming provides close to the same as PPPoE passthrough).
Router: This requires the Router to be configured with the PPPoE authentication username and password.
Question: Does the fact that the router now logs into the ISP/DSL account now expose the router to privacy issues, since it is now tied to the ISP user account where before it was “one step removed”?
Yeah, Firewalla doesn’t tunnel by default, but it is very easy to set up and, more importantly, maintain. The hardware is small SoC hardware with a semi-managed (in that you are provided sensible defaults and dead simple knobs to adjust settings) open stack. It’s not great if you are wanting to teach yourself stuff or get into a very detailed opinionated setup. Their target consumer is knowledgeable enough prosumers that don’t have time or interest.
I’ve really enjoyed the control it has moved back to my court with less time sinks and sweating the security setup.
Thanks for the vote of confidence. I’ll avoid hijacking this thread much more and just ask anyone who has any suggestions on modem configs or concerns to let me know, or I’ll just leave it be and give my router all the power.
Is there any benefit to add a new router with openwrt after ISP’s modem/router? It’s a cable router with no option to replace it and it’s locked so no bridge mode or DNS change is possible.
I guess double NAT is inevitable.
That sounds pretty terrible. Anyway, it’d still mask your devices’ MACs, route internal traffic, firewall off the modem from the rest of your devices, and let you use custom DNS or set up tunneling everything. Bridging, PPPoE passthrough or full replacement all just improve performance, bandwidth, latency, security. Ultimately the traffic that’s just passing through the modem is always visible on the other end of the cable.
As annoying as Double NAT is, if it is your only option it still is the best way to go to secure your network.
Worst case scenario, you can connect game consoles to the ISP router and everything else to your own router. Those devices usually handle the double NAT situation the worst, and probably don’t need access to the devices on your trusted internal network in the first place. Everything else you can kind of resolve with double port forwarding.
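A quick way to tell whether you are actually in the double-NAT situation discussed above is to look at the address your own router uses on its WAN side. The script below is an added example, not something from this thread or from OpenWrt; it is meant to be run on the router itself (the `ip` command and a POSIX shell are assumed to be available), and it distinguishes a private RFC 1918 WAN address (the ISP modem is still routing and NATing in front of you) from a 100.64.0.0/10 address (carrier-grade NAT at the ISP, which no modem setting removes) and from a public address.

```shell
#!/bin/sh
# Added example (not from the thread). Run on the router, e.g. OpenWrt.
# A private WAN address means a second NAT sits in front of this router.

# classify_wan ADDR -> prints: public | double-nat | cgnat | not-ipv4
classify_wan() {
  addr=$1
  # Reject anything that is not digits and dots (IPv6, hostnames, empty).
  case "$addr" in
    *[!0-9.]*|"") echo not-ipv4; return 0 ;;
  esac
  IFS=. read -r a b c d <<EOF
$addr
EOF
  # Exactly four octets, each 0-255.
  for o in "$a" "$b" "$c" "$d"; do
    [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || { echo not-ipv4; return 0; }
  done
  case "$a.$b" in
    10.*)                                   echo double-nat ;;   # 10.0.0.0/8
    192.168)                                echo double-nat ;;   # 192.168.0.0/16
    172.1[6-9]|172.2[0-9]|172.3[01])        echo double-nat ;;   # 172.16.0.0/12
    100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) echo cgnat ;; # 100.64.0.0/10
    *)                                      echo public ;;
  esac
}

# Source address the router would use toward a public destination.
# 192.0.2.1 is a documentation address; `route get` only consults the
# routing table and sends nothing.
router_wan_addr() {
  ip -4 route get 192.0.2.1 2>/dev/null \
    | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1
}

main() {
  wan=$(router_wan_addr)
  echo "WAN address: ${wan:-unknown}  ->  $(classify_wan "$wan")"
}

main "$@"
```

If the result is `double-nat`, the modem is still doing routing and NAT and bridge mode / PPPoE passthrough would remove that hop; if it is `cgnat`, the extra NAT is on the ISP side and inbound port forwarding will not work regardless of how the modem is configured.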
I feel like the original question on this thread was never really answered.
If you have your own separate router that (is the only thing which) connects to the modem, then the answer to this question…
…is no. The edge of your network is controlled by your router/firewall that all of your devices connect to. The modem is the edge of the ISP’s network, and their responsibility. If applicable, simply typing in PPPoE credentials or otherwise configuring your router with ISP-provided config info is fine, but installing ISP-provided software/firmware would be dangerous.
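For the step described in this thread (modem in passthrough or bridge mode, router holding the PPPoE credentials), here is what that looks like on OpenWrt. This is an added example, not code from the thread or from the OpenWrt project; it assumes OpenWrt 21.02 or newer (which uses the `device` option), that the router's WAN port is `eth0`, and that the username, password and DNS resolver are the placeholders shown and get replaced with your own. The `uci` commands are generated by a function so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): configure an OpenWrt router as the
# PPPoE client behind an ISP modem that is in passthrough / bridge mode.

PPPOE_USER="${PPPOE_USER:-user@isp.example}"   # placeholder: ISP-supplied login
PPPOE_PASS="${PPPOE_PASS:-CHANGE_ME}"          # placeholder: ISP-supplied password
WAN_DEV="${WAN_DEV:-eth0}"                     # assumption: port wired to the modem
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"         # placeholder (documentation range)

# Print the uci batch for a PPPoE WAN. peerdns=0 ignores the resolvers the
# ISP pushes over PPP and uses DNS_SERVER instead (custom DNS as discussed
# in the thread). A password containing a single quote needs extra escaping.
pppoe_wan_uci() {
  cat <<EOF
set network.wan=interface
set network.wan.device='$WAN_DEV'
set network.wan.proto='pppoe'
set network.wan.username='$PPPOE_USER'
set network.wan.password='$PPPOE_PASS'
set network.wan.ipv6='auto'
set network.wan.peerdns='0'
delete network.wan.dns
add_list network.wan.dns='$DNS_SERVER'
commit network
EOF
}

# Apply on the router: feed the batch to uci, then (re)start the WAN.
# Not called automatically; run `apply_pppoe_wan` once you have checked
# the output of `pppoe_wan_uci`.
apply_pppoe_wan() {
  pppoe_wan_uci | uci batch && ifup wan
}

pppoe_wan_uci
```

With this in place the `wan` interface sits in OpenWrt's default `wan` firewall zone (input and forward rejected, masquerading on), so the modem side cannot initiate connections into the LAN, and the LAN only reaches the modem's management address if you add a route or rule for it deliberately.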
To add to this for people like myself and @bitsondatadev where Comcast/Xfinity is the only game in town, Xfinity charges an extra $30/month if you want unlimited data and use your own modem. This makes it much tougher to try and stick with your own equipment and have an affordable internet bill.
It seems things have gone a complete 180 from when you could get a discount for using your own equipment.
It’s unclear to me how much of a privacy concern an Xfinity modem/router combo in bridge mode is, but obviously not ideal.
Yup, they charge me $20/mo, so my impression is they are profiting on something when you use their modem. A less skeptical take could be that it offsets some maintenance costs if they have to troubleshoot different modems and routers. I think the former is more likely, so to me I consider it a “privacy tax”, and in some strange way it makes me feel validated for doing it despite the absurdity.
I really hope there are political shifts that open up the internet globally so that it isn’t so dependent on centralized infra.
I’m definitely excited to get local meshes going here in my town as an emergency system. If local meshes become the norm then there can be tactics people build to start connecting them across townships and cities.
Plenty of big cities do this, which is possible due to the proximity of tall buildings. Just need to get local governments involved in community building of mesh networks in suburbs and rural areas. https://www.nycmesh.net/
For those in the USA, you should double-check the National Broadband Map, because some places do have non-advertised or under-advertised municipal offerings.