I was pumped to finally get decent Internet in the US, until I saw my ISP’s router appears as a device on the LAN. Luckily I’m savvy enough to put the whole local network behind a firewall on a different subnet, since there’s no other way of fixing this.
Same. My housemates called the ISP for support once when they couldn’t wait literally 15 minutes for me to check out why their Internet was down (router just needed a restart) and the first thing out of the ISP dudes mouth was “with the way your network is configured I can’t see anything on your side” (which yeah, that’s the fucking point) he was in the middle of walking them through resetting the ISP router back to defaults when I arrived and put a stop to it. Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.
Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.
L1 isn’t there to think, they’re there to read from their script.
It’s not just US ISPs, this is worldwide behavior. Good on you to put a firewall between your network and your ISP’s gateway.
I don’t know if you went further than that, but in my case, once I had my OPNSense deployed, I went ahead and disabled all the radios of the ISP’s ONT gateway, changed it’s DNS server to Mullvad, and only left 1 LAN IP address to the OPNSense.
If you are aware of more things that can be done to give the ISP modem even less room to move around inside, I would appreciate you sharing it as well.
I wish more people would take the time to learn a bit about securing their home networks. What I do is that I offer my knowledge for free to neighbors, friends and family. Some actually want it and act on it, but the sad truth is that the vast majority still has this ‘I have nothing to hide’ mentality, and I’m not explaining how much marketing BS that is to them for the 100th time.
As someone with a basic background in IT, nothing advanced, but enough to be the “family tech guy”, I just bought my router(mesh network) what can I do? Where do I start? I think I may have messed up with my brand choice, being EERO, as they seem to have things locked into their proprietary app. I was sorta desperate for a quick fix at the time, didn’t do the due diligence I should have.
Edit: preemptive thank you if you take the time to reply. As I am not “friends or family to you”. I do appreciate the expertise!
i’m sure that’s a fine setup for the average home user but devices that use proprietary firmware like that aren’t conducive to a security-first design where you hold all the keys. because it’s designed to be secure, even from you, it always has an asterisk on it (network is secure* according to eero). that and you have no way of verifying what data it’s phoning home (and a lot of devices soft brick themselves if you cut their connection to the cloud).
the most useful advice i can generally offer is to add a proper network security device running pfSense or OpenWRT to seize some control over internet access and DNS resolution and to implement VLAN segmentation to keep trusted devices secure from trusted* and untrusted devices.
Just adding if you have any resources about how to go about this i would more than appreciate any nuggets you can share. I have a some networking background from college but its been about a decade since I used any of it so any help to point me in the right direction of hardening my network like this would be extremely appreciated. Thanks!
I was pumped to finally get decent Internet in the US, until I saw my ISP’s router appears as a device on the LAN. Luckily I’m savvy enough to put the whole local network behind a firewall on a different subnet, since there’s no other way of fixing this.
Same. My housemates called the ISP for support once when they couldn’t wait literally 15 minutes for me to check out why their Internet was down (router just needed a restart) and the first thing out of the ISP dudes mouth was “with the way your network is configured I can’t see anything on your side” (which yeah, that’s the fucking point) he was in the middle of walking them through resetting the ISP router back to defaults when I arrived and put a stop to it. Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.
L1 isn’t there to think, they’re there to read from their script.
I mean yeah, but I was hoping the people I share living space with would have at least been smart enough to work that out.
It’s not just US ISPs, this is worldwide behavior. Good on you to put a firewall between your network and your ISP’s gateway.
I don’t know if you went further than that, but in my case, once I had my OPNSense deployed, I went ahead and disabled all the radios of the ISP’s ONT gateway, changed it’s DNS server to Mullvad, and only left 1 LAN IP address to the OPNSense.
If you are aware of more things that can be done to give the ISP modem even less room to move around inside, I would appreciate you sharing it as well.
I wish more people would take the time to learn a bit about securing their home networks. What I do is that I offer my knowledge for free to neighbors, friends and family. Some actually want it and act on it, but the sad truth is that the vast majority still has this ‘I have nothing to hide’ mentality, and I’m not explaining how much marketing BS that is to them for the 100th time.
As someone with a basic background in IT, nothing advanced, but enough to be the “family tech guy”, I just bought my router(mesh network) what can I do? Where do I start? I think I may have messed up with my brand choice, being EERO, as they seem to have things locked into their proprietary app. I was sorta desperate for a quick fix at the time, didn’t do the due diligence I should have.
Edit: preemptive thank you if you take the time to reply. As I am not “friends or family to you”. I do appreciate the expertise!
i’m sure that’s a fine setup for the average home user but devices that use proprietary firmware like that aren’t conducive to a security-first design where you hold all the keys. because it’s designed to be secure, even from you, it always has an asterisk on it (network is secure* according to eero). that and you have no way of verifying what data it’s phoning home (and a lot of devices soft brick themselves if you cut their connection to the cloud).
the most useful advice i can generally offer is to add a proper network security device running pfSense or OpenWRT to seize some control over internet access and DNS resolution and to implement VLAN segmentation to keep trusted devices secure from trusted* and untrusted devices.
Just adding if you have any resources about how to go about this i would more than appreciate any nuggets you can share. I have a some networking background from college but its been about a decade since I used any of it so any help to point me in the right direction of hardening my network like this would be extremely appreciated. Thanks!