
I find myself in a position where my current ISP is unable to provide high speed internet. This situation will likely change in time. The ISP has provided a very basic router with a built in modem supporting ADSL.

Currently I have locked down the ISP modem router as best I can and have attached a Raspberry Pi via Ethernet cable. The custom OS on the Pi handles all device connectivity, firewall, VPN and ad-blocking, among other things. It is the de facto router in my setup. The ISP modem router still has all its firewall and security features enabled, but really it is just acting as the modem of my network.

While this solution works OK, I want to replace the Raspberry Pi router with a consumer-grade router with improved hardware and software features which I have full control over, including the firmware running on it (DD-WRT). There are a lot of options with built-in modem support for modern connection methods (fibre optic) but almost none for supporting my current connection option (ADSL).

Since my situation will likely change in future, I would prefer to purchase a modern modem/router (likely supporting fibre optic) so that when the time comes, I can use it as the sole router. However, until then I would 'drop it in place' of the Raspberry Pi, i.e. alongside my current ISP router, connected via an Ethernet cable.

I believe this should pose few issues, considering the Raspberry Pi does all this at the moment, but I just wanted clarification because I have only had experience using modem routers using their modems to connect.

I should note that the Pi is not acting like a router in bridged mode, but simply as another router.

If I purchase a consumer-grade modem/router but, rather than use the built-in modem, I instead connect the router to my current ISP modem/router via Ethernet cable, will all (or most) hardware and software features still work? I.e., can I set up the router to treat the network on the Ethernet port more like an unsecured network and to enable full firewall rules etc.? (And is there a name for this?)

Are there any security downsides to this? For example, if the ISP router is compromised, could the physical Ethernet connection pose some sort of elevated risk? I would prefer to keep an Ethernet connection to reduce the signal noise and to eliminate another (localised) attack vector.

myol

1 Answer


> If I purchase a consumer-grade modem/router but, rather than use the built-in modem, I instead connect the router to my current ISP modem/router via Ethernet cable, will all (or most) hardware and software features still work? I.e., can I set up the router to treat the network on the Ethernet port more like an unsecured network and to enable full firewall rules etc.? (And is there a name for this?)

For most consumer grade routers, that's already the default configuration: that's how the port marked "WAN" works out of the box. The router doesn't really know whether it's being connected to another local router or not, so it always assumes that the "WAN" port is indeed connected directly to the Internet.

(There are some exceptions where the router detects another similar consumer router upstream and switches to bridge mode or similar, but this is a somewhat uncommon feature and typically works only between identical products, e.g. "Link+" between two Huawei routers.)

(For routers that don't have predefined ports, it's just called "configuring the firewall". If you started with an empty ruleset, you add a forward rule that allows packets to be forwarded e.g. from bridge1 ("LAN") to ether1 ("WAN"), then add one which allows packets for "active" connections and one that drops everything else, and finally a masquerade rule that enables the usual NAT that home routers do.)

> For example, if the ISP router is compromised, could the physical Ethernet connection pose some sort of elevated risk?

Assuming the main router actually has the firewall rules: no, it couldn't.

(However, that's one situation where "NAT is not a firewall" very much applies – a device with a direct connection to a NAT gateway can send packets to private IP addresses "behind" that gateway, if the inner router didn't have firewall rules preventing it.)

u1686_grawity
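The forward rules listed in the answer above, and the "NAT is not a firewall" case, modelled in Python as an added example (not part of the original answer, and not any router's actual code). The `Router` and `Packet` classes are hypothetical, the interface names follow the answer, and all addresses are constructed sample values.

```python
# Added illustration: a minimal model of the inner router's forward path,
# evaluated after conntrack has already reversed any NAT on reply packets.
from dataclasses import dataclass

LAN_IF, WAN_IF = "bridge1", "ether1"   # names as used in the answer

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str

class Router:
    def __init__(self, rules):
        self.rules = rules        # ordered forward rules, first match wins
        self.conntrack = set()    # (src, dst) pairs of flows already accepted

    def forward(self, pkt):
        """Return 'accept' or 'drop' for a packet crossing the router."""
        is_reply = (pkt.dst, pkt.src) in self.conntrack
        for match, verdict in self.rules:
            if match(pkt, is_reply):
                break
        else:
            verdict = "accept"    # no rule matched: default policy is accept
        if verdict == "accept":
            self.conntrack.add((pkt.src, pkt.dst))
        return verdict

# The three forward rules the answer lists, in evaluation order.
FIREWALL = [
    (lambda p, reply: reply, "accept"),                        # active connections
    (lambda p, reply: (p.in_if, p.out_if) == (LAN_IF, WAN_IF), "accept"),  # LAN -> WAN
    (lambda p, reply: True, "drop"),                           # everything else
]
# Masquerade only rewrites the source of outbound packets; it filters nothing,
# so a router with NAT but no forward rules has an empty filter list.
NAT_ONLY = []

def scenario(rules):
    r = Router(rules)
    outbound = Packet(LAN_IF, WAN_IF, "192.168.88.10", "203.0.113.7")
    reply = Packet(WAN_IF, LAN_IF, "203.0.113.7", "192.168.88.10")
    # Unsolicited packet from a device on the ISP router's segment, routed via
    # the inner router's WAN port to a private LAN address.
    unsolicited = Packet(WAN_IF, LAN_IF, "192.168.1.1", "192.168.88.20")
    return [r.forward(p) for p in (outbound, reply, unsolicited)]

print("NAT only:", scenario(NAT_ONLY))
print("firewall:", scenario(FIREWALL))
```

The two runs differ only in the third packet: both rulesets pass the LAN-initiated flow and its reply, but only the ruleset with the final drop rule rejects the unsolicited packet arriving on the WAN side.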