Will I be more secure with my own router behind my ISP's router?

Solution 1

Not 100% sure but TR-069 might be the standard involved that is allowing your ISP to access your CPE (modem/router) and get information from it. Probably all DSL modems you buy and certainly any you get from the ISP will be TR-069 enabled.

I have cable (DOCSIS) and bought my own modem, without a built in router, and then bought a separate router. This is a good setup if you do not want the ISP to do anything with your equipment.

DSL is different. I believe all consumer level DSL modems will have a built-in router. The way to disable the router part of a DSL modem/router is to enable bridge mode. Then add your own router.

What you're doing is kinda the right thing to do if you can't change your situation.

It's not bridged. Basically you created (or should be creating) a separate network between your ISP and your devices. Done this way, the only thing the ISP can see is anything in the middle network, which ought to only contain your DSL device and your home router.

If your router has TTL spoofing, enable it, then your ISP can't use TTL to detect if the router is speaking or devices behind it.

Here's the right way to do what you want. It's a crappy MSPaint diagram, but hopefully is clear enough.

[Diagram from the answer (image not preserved): ISP DSL modem/router, the middle network, and your own router with your devices behind it.]
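A sanity check of the two-network layout described above, added here as an example and not part of the original answer. The WAN address 192.168.2.10, the gateway 192.168.2.1 and the /24 come from the question; the inner LAN 192.168.1.0/24 and the port-forward table are constructed.

```python
# Sanity checks for the "own router behind the ISP router" layout (double NAT).
# WAN 192.168.2.10, gateway 192.168.2.1 and the /24 mirror the question; the
# inner LAN and the port-forward table are constructed for this example.
import ipaddress

MIDDLE_NET = "192.168.2.0/24"   # ISP router's LAN; the home router's WAN sits here
ISP_GATEWAY = "192.168.2.1"
OWN_WAN_ADDR = "192.168.2.10"
INNER_LAN = "192.168.1.0/24"    # constructed: the LAN behind the home router
# Constructed port forwards on the home router: (wan_port, inner_host, inner_port)
PORT_FORWARDS = [(8080, "192.168.1.50", 80)]

def check_plan(middle_net, gateway, wan_addr, inner_lan):
    """Return the problems found in the layout (an empty list means it is sane)."""
    middle = ipaddress.ip_network(middle_net)
    gw, wan = ipaddress.ip_address(gateway), ipaddress.ip_address(wan_addr)
    inner = ipaddress.ip_network(inner_lan)
    problems = []
    if gw not in middle:
        problems.append("gateway is outside the middle network")
    if wan not in middle:
        problems.append("own router WAN address is outside the middle network")
    if wan == gw:
        problems.append("own router WAN address collides with the ISP gateway")
    if inner.overlaps(middle):
        # Classic double-NAT failure: the same range on both sides of the home
        # router, so it cannot route between "outside" and "inside".
        problems.append("inner LAN overlaps the middle network")
    if not inner.is_private:
        problems.append("inner LAN should be an RFC 1918 range")
    return problems

def exposed_to_middle(inner_lan, forwards):
    """Inner hosts reachable from the ISP router's LAN, keyed by address.

    Behind the home router's NAT nothing inside is reachable unless a port
    forward (or DMZ entry) on the home router points at it (UPnP is off).
    """
    inner = ipaddress.ip_network(inner_lan)
    exposed = {}
    for wan_port, host, inner_port in forwards:
        if ipaddress.ip_address(host) in inner:
            exposed.setdefault(host, []).append((wan_port, inner_port))
    return exposed

if __name__ == "__main__":
    print("problems:", check_plan(MIDDLE_NET, ISP_GATEWAY, OWN_WAN_ADDR, INNER_LAN))
    print("exposed from the ISP side:", exposed_to_middle(INNER_LAN, PORT_FORWARDS))
```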

Solution 2

About "bridge mode"

  1. "Bridge mode" on the ISP "router" is important if you get a public IP from your ISP.

    It allows you to install this public IP on your router WAN port.

    And if you ask your ISP about it, ask something like:

    "I want to set my public IP on the WAN port of my router, how is it possible?"

  2. Bridge mode can be useful on some ADSL/cable modem-routers whose CPU is not very powerful. It allows you to establish the PPPoE connection from your router and removes the performance bottleneck and ISP router hangs.

Author: Giacomo1968

Updated on September 18, 2022

Comments

  • Giacomo1968
    Giacomo1968 over 1 year

    My ISP has been accessing my router (to fix or update something). The ISP’s router is a GigaHub 823G-2 (FTTH connection) and my router is a TP-Link TPTD-W8968. They accidentally changed my SSID and thanks to that I realized the following:

    1. I have no control over the device, no telnet, some fixed values, etc.
    2. If I need to restore from factory, I would need to call them.
    3. Passwords are unencrypted.
    4. I feel my own devices, connected to this router, are potentially vulnerable.

    I found this question very relatable:

    Does an ISP have admin access to your modem/router?

    Since I can't replace the device entirely with my own, I thought about putting my own router behind theirs.

    Here is mentioned the bridge alternative, which I don't fully understand:

    ISP modem/router, how do I enable Bridged Mode and use my own router?

    None of these routers have a bridge mode, so I did the following:

    I connected my own router via Ethernet to the ISP’s router. Then in my router the WAN is:

    • IPv4: 192.168.2.10
    • Subnet: 255.255.255.0
    • Gateway (ISP’s LAN): 192.168.2.1

    I also disabled UPnP and dynamic DNS from both, and Wi-Fi from the ISP’s router.

    So will the devices connected to my router be secured from anyone inside of the ISP’s router?

    Could someone tell me if this is a bridged connection, or what its difference from a bridged connection is?

    The setup I mentioned above seems to be working as expected, but I want to be sure it's the right way or at least the safest way to do it.

    • barlop
      barlop about 5 years
      How about you don't use the router supplied by your ISP, and how about you call them up and tell them to access your router, if they do then ok. Then change the router to another make (or lock down your router with whatever settings you see), then call them and say you have a problem, can they access it. And if they can't then I guess maybe mission accomplished. BTW you should do an online port scan on your router to see what others see.
    • BlueCacti
      BlueCacti about 5 years
      In some ISP-provided modem/routers you can put a device in the DMZ, which will open it to the internet. You could place your router there if you're planning to manage port forwarding from your own router. If not, you can stay within the router's LAN. Also note that some ISPs do some routing trickery to manage e.g. digital television, which will often require that you connect your digital TV box to the ISP modem/router or do lots of networking (for which the info is often not provided by the ISP).
    • BlueCacti
      BlueCacti about 5 years
      @barlop The ports used by the ISP may not be internet-accessible, as they may use a separate VLAN (virtual IP) for your modem which would be in the internal network of the ISP, while your browsing etc. would go out through a public IP. In some countries it's often very difficult to obtain a modem-only connection for which you provide your own router, unless you get an enterprise contract.
    • Mast
      Mast about 5 years
      You don't need a bridge, do you? Just put your new router behind their router by cable, disable WLAN on theirs, do everything over yours. I'm confused why you'd even mention a bridge.
    • barlop
      barlop about 5 years
      @Mast when you say he should put his router behind theirs, do you mean he should put his nearer the wall? if so, why not just not use theirs at all?
    • Admin
      Admin about 5 years
      @barlop A port scan is a good idea, I will do it.
    • Admin
      Admin about 5 years
      @BlueCacti They indeed use some internal network between customers and the Internet, and they also provide me with digital television, so replacing their device is not a simple thing.
    • Admin
      Admin about 5 years
      @Mast The bridge mode would turn off the router capabilities of the ISP's modem/router and leave it only as a modem, delegating routing to my device. But as I mentioned above, the option is not available.
    • Admin
      Admin about 5 years
      I tried the above setup and it's not only working but it has improved the performance since the job is now split into two devices.
    • Mazura
      Mazura about 5 years
      "replacing their device is not a simple thing" - why? There's an RG6 coax cable that comes into your house, right? Is your ISP unwilling to support third party cable modems, so that they can charge you extra money to rent theirs? The "right way" is not paying for that.
    • Mast
      Mast about 5 years
      @Mazura Configuring a new modem with settings your ISP doesn't want to supply isn't easy. It's not right, I know, and with a bit of pushing you can usually get a long way anyway, but 'they' want a sense of uniformity/control/whatever and like their modems being first point of entry.
  • BlueCacti
    BlueCacti about 5 years
    If you have an ISP that also provides Digital Television through a device provided by them (often called Digibox/Digicorder), you may need to attach that device to the ISP router. The ISP often uses certain routing configurations (VLAN, virtual IP, port forwarding) to connect to those devices, which will be impacted by the addition of an intermediate router.
  • Boris the Spider
    Boris the Spider about 5 years
    When I redid my parents' internet I used a DrayTek Vigor 130, that is specifically a DSL modem only - I added a router separately. Your answer doesn't go into the perils of double-NAT and the issues it can cause.
  • Admin
    Admin about 5 years
    TR-069 is exactly what I found, which of course cannot be disabled. They used to provide me cable through a coaxial connection, now it's FTTH and coaxial to the TVs (RF video). I don't have the option of bridge and I don't have the option of TTL spoofing. However, the diagram you drew is accurate and clear. The setup is working as expected and the performance of the network has improved since the job is split between the two devices.
  • Admin
    Admin about 5 years
    I don't have bridge mode available on the ISP router and I don't have a public IP either, but as you mention, there was a bottleneck, which I did not know about, and somehow it is now gone; with the separate network my device acts as router (with Wi-Fi), and the ISP's router acts only as modem, with little routing (since Wi-Fi is disabled).