ISP router firmware privacy

I would guess it’d be something to do with TR-069

Technically? Yeah, it passes through a device where they control software.

Realistically? They don’t give a shit.

Is it still a privacy problem? Yes, ISP modems are frequently hacked, potentially by someone who does give a shit.

A few years ago, on an ISP provided modem/router combo device I found a port forward (WAN to LAN) that I know I did not add. I had added a couple of port forwards of my own, fully documented that, and their rogue port forward was obvious. I do not know if the ISP did that or if it was a random bad actor. My personal router/firewall behind the ISP provided modem router combo device neutralized whatever they were attempting, but it provided a lesson in how insecure using someone else’s equipment really is. Never trust the ISP provided hardware.

1 Like
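The rogue port forward described above is exactly the kind of change a periodic audit catches. As an added example (not code from any post in this thread), this Python script parses DNAT rules from an `iptables-save -t nat` dump, which Linux-based routers such as OpenWrt can produce, and diffs them against a documented baseline. The dump and the baseline below are constructed placeholders, not real configuration.

```python
"""Audit a router's port forwards (DNAT rules) against a documented baseline.

Added example, not from the thread. Assumes the router's NAT table is
available in `iptables-save -t nat` format; the sample dump is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample of what `iptables-save -t nat` might print on a Linux router.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p udp --dport 51820 -j DNAT --to-destination 192.168.1.10:51820
-A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.254:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# The owner's own documented forwards: (protocol, external port, internal target).
DOCUMENTED_FORWARDS = {
    ("tcp", 443, "192.168.1.10:443"),
    ("udp", 51820, "192.168.1.10:51820"),
}


@dataclass(frozen=True)
class Forward:
    proto: str
    ext_port: int
    target: str

    def key(self) -> tuple:
        return (self.proto, self.ext_port, self.target)


def parse_dnat_rules(dump: str) -> list:
    """Extract (proto, dport, target) from every PREROUTING DNAT rule in the dump."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A PREROUTING") or "-j DNAT" not in line:
            continue
        proto = re.search(r"-p\s+(tcp|udp)\b", line)
        port = re.search(r"--dport\s+(\d+)\b", line)
        target = re.search(r"--to-destination\s+(\S+)", line)
        if not (proto and port and target):
            # A DNAT rule we cannot classify is itself worth a look; keep it visible.
            rules.append(Forward("unknown", -1, line.strip()))
            continue
        rules.append(Forward(proto.group(1), int(port.group(1)), target.group(1)))
    return rules


def audit(dump: str, documented: set) -> dict:
    """Return forwards present but undocumented, and documented ones that vanished."""
    found = {f.key() for f in parse_dnat_rules(dump)}
    return {
        "unexpected": sorted(k for k in found if k not in documented),
        "missing": sorted(k for k in documented if k not in found),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_NAT_DUMP, DOCUMENTED_FORWARDS)
    for kind, entries in result.items():
        for proto, port, target in entries:
            print(f"{kind.upper()}: {proto}/{port} -> {target}")
```

Run it from cron against a fresh dump and alert on any non-empty `unexpected` list; the forward to `192.168.1.254:22` in the constructed sample is the kind of entry that should never appear without the owner having written it down.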

You will have to check your local laws before assuming this is true. In most cases with ISP-provided routers they do log at least all your local MAC addresses at minimum, and if they do that then there are also laws in many places requiring they retain that information for law enforcement investigations.

2 Likes

I’m seeing lots of good discussions concerning routers (ISP Provided vs Privacy firmware like DD-WRT, etc.) but what about ISP Modems? Are there practices or changes we should be implementing on the ISP modems? My initial assumption is that we have little to no configurable options on that modem, except to be sure and randomize my Router’s MAC address.

1 Like

You should avoid using it for anything other than a modem.

Ideally you should enable PPPoE passthrough (or ask your ISP to enable it) and then just use a proper (possibly OpenWRT) router behind it with your PPPoE credentials.

If it’s lacking such a feature, then the next best thing is bridge mode.

2 Likes

On this point, I recommend reading my post on what randomizing the router’s MAC address will and won’t do. It’s a relatively low-effort but low-yield outcome.

You can also buy your own Modem, but this gets trickier with fiber. Even so, the ISP needs to configure your modem to work with their setup.

PPPoE seems to be common for DSL from what I briefly read. For cable or fiber, don’t think this is an option. And I’m not sure why you’d recommend bridged mode - this is for specific topologies, not just every use case.

1 Like

I’m on gigabit fiber with PPPoE, with passthrough to my OpenWRT router right now.

Because you’d want to entrust NATing, LAN traffic, and firewalling to your trusted proper router, instead of the ISP’s. And double NAT is stupid.

Some starter links for ONT bypasses:

Thank you for the reply and this information on “Router MAC address randomization”. I am doing my best to understand the value of which devices can “see” my router’s specific MAC address. The best I can determine on that part is that to be of any value, a person must reboot a Randomized MAC address regularly, but even then (per this write-up), it doesn’t actually help with privacy from the ISP? (I thought one specific privacy recommendation was to always use a Randomized MAC address on the Router).

As for the Modem configuration, I think I am understanding that we should log into the Modem and configure PPPoE passthrough. This Modem configuration will increase Privacy because it bypasses the ISP’s ability to “see” what we are doing?
(as always, I have to ask stupid questions to get my brain to actually comprehend..)

The ISP will always see your outgoing traffic, you’re sending it to them. If you want to avoid that, you want a VPN. (And maybe configure it on your router to tunnel everything.)

What moving PPPoE to your trusted router can help with is that it removes any insight or access the ISP modem has or could have to your internal traffic, connected devices, etc. It turns the device into a box that just turns ethernet into fiber / dsl (this is a bit of an oversimplification). It no longer does (much) networking.

EDIT:

There’s a great recent DEFCON talk about hacking ISP modems: https://www.youtube.com/watch?v=MmpkfM8I33Q

Generally you just want to give the least amount of access to the ISP’s devices to both your network and your traffic, so reducing its role in everything is always the best step you can take. Really, just assume the thing is just outright malicious, since they’re all notably insecure. That can be

  1. Replacing it entirely (See How should I configure my ISP-provided modem? - #4 )
  2. Moving PPPoE to your router
  3. Moving off NATing and firewalling at least.

The earlier point you can do the better, but it depends on your connection type, your ISP’s policies, and your ISP modem.

1 Like

I logged into the ISP DSL Modem (C4000LG) and the best I can tell, the closest option to “PPPoE Passthrough” is labeled as “Transparent Bridging” (it is at the bottom of this link’s page).
Is this correct?

The pfSense / PF documentation is murky on this, but it is my understanding that one or both of them provide a feature called Static Port. Regardless of the vague naming, I think Static Port sets the WAN / outgoing traffic MAC address of all traffic to the MAC address of the router/firewall’s WAN MAC address. Instead of LAN MAC addresses being shown in Internet traffic, everything outside appears to be the router/firewall’s WAN MAC. Supposedly, Static Port handles all the MAC address translation similar to how NAT handles the IP address translation.

Please correct me if I am off base on this. Again, the product docs could use some work. If I understand all this correctly, Static Port would keep LAN MAC addresses out of ISP logs.
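To make concrete what an upstream device can and cannot read once routing and NAT happen on your own router (the point made above about moving PPPoE and NAT off the ISP modem, and the Static Port question), here is an added Python example that is not code from any post in this thread. It builds an Ethernet/IPv4/UDP frame exactly as a LAN host emits it, then applies what a router does on egress: a brand-new layer-2 header with the router’s WAN MAC, a TTL decrement, a source-IP rewrite and, depending on policy, a source-port rewrite. The Ethernet source MAC is replaced at every layer-3 hop whatever the NAT settings are; in pfSense, Static Port is an outbound NAT option that decides whether the original source port is preserved, which the example models as the `static_port` flag. All MACs, IPs and ports are constructed placeholders.

```python
"""What an upstream device sees after a home router forwards a LAN packet.

Added example, not from the thread. Constructs a LAN frame and simulates the
router's egress processing (new L2 header, TTL decrement, source NAT, optional
source-port preservation). Addresses and MACs are constructed placeholders.
"""
import socket
import struct

# Constructed topology (placeholder values, not real addresses).
LAN_HOST_MAC = "02:00:00:aa:bb:cc"
LAN_HOST_IP = "192.168.1.10"
ROUTER_LAN_MAC = "02:00:00:11:22:33"
ROUTER_WAN_MAC = "02:00:00:44:55:66"
ROUTER_WAN_IP = "198.51.100.7"
NEXT_HOP_MAC = "02:00:00:de:ad:00"   # ISP-side gateway on the WAN segment
REMOTE_IP = "203.0.113.5"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header (0 when verifying a valid one)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_lan_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + UDP frame as the LAN host sends it (UDP checksum 0 is legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, 17, 0, socket.inet_aton(LAN_HOST_IP), socket.inet_aton(REMOTE_IP))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # The host addresses its gateway at layer 2; the remote MAC is never known to it.
    return mac_bytes(ROUTER_LAN_MAC) + mac_bytes(LAN_HOST_MAC) + b"\x08\x00" + ip + udp


def router_forward(frame: bytes, static_port: bool, new_sport: int = 40000) -> bytes:
    """Simulate the router forwarding the frame out its WAN interface with source NAT."""
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    ip[8] -= 1                                   # TTL decremented at the hop
    ip[12:16] = socket.inet_aton(ROUTER_WAN_IP)  # masquerade: LAN IP replaced by WAN IP
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    if not static_port:
        # Ordinary outbound NAT may choose a fresh source port; static port keeps the original.
        ip[ihl:ihl + 2] = struct.pack("!H", new_sport)
    # Layer 2 is rebuilt from scratch: the LAN host's MAC never leaves the router.
    return mac_bytes(NEXT_HOP_MAC) + mac_bytes(ROUTER_WAN_MAC) + b"\x08\x00" + bytes(ip)


def observed_identifiers(frame: bytes) -> dict:
    """What any device on the segment carrying this frame can read from it."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    return {
        "src_mac": mac_str(frame[6:12]),
        "dst_mac": mac_str(frame[:6]),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8],
        "sport": struct.unpack("!H", ip[ihl:ihl + 2])[0],
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }


if __name__ == "__main__":
    lan = build_lan_frame(sport=51234, dport=53, payload=b"constructed")
    print("on the LAN segment:", observed_identifiers(lan))
    for sp in (False, True):
        print(f"on the WAN segment (static_port={sp}):",
              observed_identifiers(router_forward(lan, static_port=sp)))
```

Running it shows the LAN segment carrying the host’s MAC and private IP, while the WAN segment carries only the router’s WAN MAC and WAN IP; the only thing `static_port` changes is whether the source port survives. The practical consequence for the thread: a modem in bridge or PPPoE passthrough mode sits on the WAN side of this rewrite and sees none of the LAN identifiers, whereas a modem that is itself the router sits on the LAN side and sees all of them.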

Hello,

I have a WiFi router provided by my ISP that runs on closed-source firmware. My question is, does using a VPN service (specifically Mullvad) ensure that my internet activity remains private and secure from my ISP? Thank you.

2 Likes

If the connection starts downstream closer to your PC, probably. Your connection eventually routes through your ISP regardless.

Maybe I haven’t been exposed to much in this space around routers but my issue with these devices is usually the lack of features in the firmware or some other limitation.

Thanks for the reply. :slight_smile:

Welcome to the forum!

Usually the ISP provided routers are extremely cheap and cannot competently connect and route multiple devices. They may even cheap out on the LAN ports and give you a non-full-duplex port. Yes it can do gigabit transfers but only in one direction and cannot upload and download simultaneously at 1 gigabit. Or worse yet, give you 4 LAN ports with a shared connection and all 4 ports can only do a total of a gigabit speed at any one time. This is enough for non-power users but probably not enough for tech savvy people like us.

Get a router you own and control (like a Protectli) then connect it to the ISP via a VPN that tunnels all your traffic.

You can also connect directly to ISP provided router and use the VPN on top of the OS but if you are using iOS and MacOS, they don’t like that you are using a VPN and will undermine it and connect directly to its Apple servers. I personally do not like that and would not want to wrestle with the computer that I own. It should respect my preference so I force it to a VPN tunnel outside its OS that it cannot control.

You can use other OS but you risk exposing your WiFi/LAN ports MAC Address. This is less of an issue if you are using a privacy oriented device (like GrapheneOS) that can randomize MAC on a per-connection (or even per-session) setting.

1 Like

Thank you for your response and welcome to the forum! :blush:

Unfortunately, I’m currently stuck with a MacBook for now, and it’ll likely take a few years before I can afford to buy a new PC.

I was confused by your statement that ‘if you are using MacOS, they don’t like that you are using a VPN and will undermine it and connect directly to their Apple servers.’ Could you please clarify what you meant by this?

Furthermore, I have a few questions:

How can I tell if my MacBook is connecting directly to Apple servers and not Mullvad’s?

Is there anything I can do to prevent MacOS from connecting to Apple servers and instead route all internet traffic through Mullvad VPN only?

Lastly, I don’t understand how my IP address can be showing as from Singapore (Mullvad VPN location) but my traffic is through Apple’s servers. I don’t understand how this is possible. Can someone explain this to me? I’m a total beginner when it comes to this stuff, so feel free to explain it in detail.

You can just boot another OS, no need to replace a functioning computer.

2 Likes

Is there anything private and safe besides Asahi Linux? Unfortunately, it doesn’t work for me since my main screen is broken, and the MacBook Pro M1 2020 lacks HDMI output for an external display, which I confirmed on GitHub via the Asahi Linux documentation wiki.