25

My ISP has been accessing my router, (to fix or update something). The ISP’s router is GigaHub 823G-2 (FTTH conection) and my router is a TP-Link TPTD-W8968. They accidentally changed my SSID and thanks to that I realize the following:

  1. I have no control over the device, no telnet, some fixed values, etc.
  2. If I need to restore from factory, I would need to call them.
  3. Passwords are unencrypted.
  4. I feel my own devices, connected to this router, potentially vulnerable.

I found this question very relatable:

Does an ISP have admin access to your modem/router?

Since I can't replace the device entirely with my own, I thought about putting my own router behind theirs.

Here is mentioned the bridge alternative, which I don't fully understand:

ISP modem/router, how do I enable Bridged Mode and use my own router?

None of this routers have a bridge mode, so I did the following:

I connected my own router via Ethernet to the ISP’s router. Then in my router the wan is:

  • IPv4: 192.168.2.10
  • Subnet: 255.255.255.0
  • Gateway (ISP’s LAN): 192.168.2.1

I also disabled UPnP and dynamic DNS from both, and Wi-Fi from the ISP’s router.

So will the devices connected to my router be secured from anyone inside of the ISP’s router?

Could someone tell me if this is a bridged connection, or its difference from a bridged connection?

The setup I mentioned above seems to be working as expected, but I want to be sure it's the right way or at least the safest way to do it.

Giacomo1968
  • 53,069
  • 19
  • 162
  • 212
  • 1
    How about you don't use the router supplied by your ISP, and how about you call them up tell them to access your router, if they do then ok.. Then change the router to another make (or lock down your router wtih whatever settings you see), then call them and say you have a problem can they access it.. And if they can't then I guess maybe mission accomplished . BTW you should do an online port scan on your router to see what others see. – barlop Apr 23 '19 at 08:10
  • 1
    In some ISP-provided modem/routers you can put a device in the DMZ, which will open it to the internet. You could place your router there if you're planning to manage port forwarding from your own router. If not, you can stay within the router's LAN. Also note that some ISPs do some routing trickery to manage e.g. digital television, which will often require that you connect your digital TV box to the ISP modem/router or do lots of networking (for which the info is often not provided by the ISP). – BlueCacti Apr 23 '19 at 08:41
  • @barlop The ports used by the ISP may not be internet-accessible, as they may use a seperate VLAN (virtual IP) for your modem which would be in the internal network of the ISP, while your browsing etc. would go out through a public IP. In some countries it's often very difficult to obtain a modem-only connection for which you provide your own router, unless you get an enterprise contract. – BlueCacti Apr 23 '19 at 08:45
  • 3
    You don't need a bridge, do you? Just put your new router behind their router by cable, disable WLAN on theirs, do everything over yours. I'm confused why you'd even mention a bridge. – Mast Apr 23 '19 at 10:42
  • @Mast when you say he should put his router behind theirs, do you mean he should put his nearer the wall? if so, why not just not use theirs at all? – barlop Apr 23 '19 at 21:43
  • @barlop A port scan is a good idea, I will do it. –  Apr 24 '19 at 00:00
  • @BlueCacti They indeed use some internal network between customers and the Internet, and they also provide me with digital television, so replacing their device is not a simple thing. –  Apr 24 '19 at 00:01
  • @Mast The bridge mode would turn off the router capabilities of the ISP's modem/router and leave it only as a modem, delegating routing to my device. But as I mentioned above, the option is not available. –  Apr 24 '19 at 00:01
  • I tried the above setup an it's not only working but it has improve the performance since the job is now split into two devices. –  Apr 24 '19 at 00:02
  • "replacing their device is not a simple thing" - why? There's an RG6 coax cable that comes into your house, right? Is your ISP unwilling to support third party cable modems, so that they can charge you extra money to rent theirs? The "right way" is *not* paying for that. – Mazura Apr 24 '19 at 02:41
  • @Mazura Configuring a new modem with settings your ISP doesn't want to supply isn't easy. It's not right, I know, and with a bit of pushing you can usually get a long way anyway, but 'they' want a sense of uniformity/control/whatever and like their modems being first point of entry. – Mast Apr 24 '19 at 07:23

2 Answers2

26

Not 100% sure but TR-069 might be the standard involved that is allowing your ISP to access your CPE (modem/router) and get information from it. Probably all DSL modems you buy and certainly any you get from the ISP will be TR-069 enabled.

I have cable (DOCSIS) and bought my own modem, without a built in router, and then bought a separate router. This is a good setup if you do not want the ISP to do anything with your equipment.

DSL is different. I believe all consumer level DSL modems will have a built-in router. The way to disable the router part of a DSL modem/router is to enable bridge mode. Then add your own router.

What you're doing is kinda the right thing to do if you can't change your situation.

It's not bridged. Basically you created (or should be creating) a separate network between your ISP and your devices. Done this way, the only thing the ISP can see is anything in the middle network, which ought to only contain your DSL device and your home router.

If your router has TTL spoofing, enable it, then your ISP can't use TTL to detect if the router is speaking or devices behind it.

Here's the right way to do what you want. It's a crappy MSPaint diagram, but hopefully is clear enough.

enter image description here

LawrenceC
  • 73,030
  • 15
  • 129
  • 214
  • 5
    If you have an ISP that also provides Digital Television through a device provided by them (often called Digibox/Digicorder), you may need to attach that device to the ISP router. The ISP often uses certain routing configurations (VLAN, virtual IP, port forwarding) to connect to those devices; which will be impacted by the addition of an intermediate router – BlueCacti Apr 23 '19 at 09:14
  • 1
    When I redid my parents' internet I used a DrayTek Vigor 130, that is specifically a DSL modem only - I added a router separately. Your answer doesn't go into the perils of double-NAT and the issues it can cause. – Boris the Spider Apr 23 '19 at 18:27
  • TR-069 is exactly what I found, which of course can not be disabled. They used to provide me cable through coaxial conection, now it's FTTH and coaxial to the TVs, (RF video). I don't have the option of bridge and I don't have the option of TTL Spoofing. However, the diagram you draw is acurate and clear. The setup is working as expected and the performance of the network has improved since the job is split between the two devices. –  Apr 24 '19 at 00:13
2

About "bridge mode"

  1. "Bridge mode" on ISP "router" is important if you get Public IP from ISP.

    It allows you to install this public IP on your router WAN port.

    And if You ask your ISP about it, ask something like:

    "I want to set my public IP on WAN port of my router, how it possible?"

  2. Bridge mode can be useful on some ADSL/cable modems-routers, which CPU not too powerful. It allows the establishment of a PPPoE connection from your router and remove performance bottleneck and ISP router hangs.

Dave M
  • 13,138
  • 25
  • 36
  • 47
Mikhail Moskalev
  • 2,008
  • 16
  • 13
  • I don't have available the bridge mode on the ISP router and I don't have a public ip neither, but as you mention, there was a bottleneck, which I did not know, and somehow is now gone; with the separate network my device acts as router (with wifi), and the ISP's router acts only as modem, with little routing, (since wifi is disabled). –  Apr 24 '19 at 00:21