Hi, I have a TP-Link Archer C2 v1 (OpenWrt device page)
I'm running OpenWrt 24.10.0
I am not familiar with the more advanced language and terminology that is used on the network settings page; however, I am not completely new to networking and I know the fundamentals. I am afraid that I may misconfigure something, as my WAN/Internet network configuration is abnormal.
My WAN/ Internet network configuration:
I get internet from a flat, my flat provides an RJ45 wall jack
I connect this to my router's WAN port via an Ethernet cable
Their network provides internet to me, it has client isolation & is somewhat locked down
To actually receive internet from this upstream network, I had to do one of the following (this is how it worked using the stock router firmware):
Log in with my account to their network captive portal and allow the MAC address of my router in my account (this gives me internet once I add it, and gives me internet forever)
Go into their captive portal, go to a page called "guest signup (24 hours)", input a real name + surname, press a button, and I have internet for 24 hours for my whole router, not just the device I completed the captive portal on
I was thinking of capturing the packets & replaying it every 24 hours, so I could preserve my privacy
The ISP and Network is managed and owned by a big "managed Internet solutions" company
All of the services on my LAN use a reverse proxy with a Let's Encrypt cert
TL;DR:
How can I correctly set up my WAN/Internet (what is the correct way)? I'm currently getting internet at the moment, but I feel like I've configured something wrong/insecurely
How can I prevent sharing any information/traffic/data about my network with the upstream WAN network (I'm thinking firewall rules)?
Any other tips for my specific configuration/settings to change? I would like to have a permissive firewall policy on my WAN
Well, I'm aiming for privacy; my upstream ISP collects, stores, analyses and sells my traffic
If I don't have an account they can't do this/know my identity
If I make my WAN's MAC the same as my last one, it will still be linked to my internet account with all my info
I considered this, but I think it's kind of redundant since all my devices already run Tailscale and even my services on my LAN are encrypted with HTTPS. I was thinking more like firewall rules, possibly blocking some outbound ports/protocols?
Yep, you're right, but my landlord and my ISP are different companies. I'm pretty sure they don't actively share the exact flat -> port info with each other, since when I had to make an account to add my router's MAC address to my account (in order to get internet) they asked for my flat number and personal info, so I'm pretty sure they get all their info from the accounts
They use a MAC whitelist for internet, so you MUST either have your device's/router's MAC on an account or do the 24-hour guest thing
My bad, I've kinda just spurted a lot of information without making it coherent
The TL;DR is that my ISP will sell my traffic and data, my account is associated with my flat and my real information, so I'm trying to avoid using a static account; even if I add another MAC address to my account they will still associate the traffic with my real info
Alright, thanks for your help
OpenWrt has good defaults by the looks of it, so I won't really need to be doing much configuration; you eased my paranoia haha
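If you want to confirm the "good defaults" claim on your own box rather than take it on trust, the following shell audit is an added example (not from this thread and not part of OpenWrt) that reads a firewall config in UCI format and reports the WAN zone's input/forward policies, whether masquerading is on, and how many port forwards ("redirect" sections) point from wan into your LAN. It assumes the zone is named 'wan', as in the stock config; the two sample configs are constructed for the demonstration, and on a live router you would point it at /etc/config/firewall instead.

```shell
#!/bin/sh
# Added example: audit the WAN zone of an OpenWrt /etc/config/firewall.
# Assumption: the upstream-facing zone is named 'wan' (stock naming).

# wan_zone_summary FILE
#   Prints one line: input=<policy> forward=<policy> masq=<0|1> redirects=<n>
wan_zone_summary() {
  awk -v q="'" '
    # strip the single/double quotes UCI puts around values
    function val(s) { gsub(q, "", s); gsub(/"/, "", s); return s }
    $1 == "config" { sec = $2; name = ""; next }     # new UCI section
    sec == "zone" && $2 == "name" { name = val($3); next }
    sec == "zone" && name == "wan" && $2 == "input"   { in_p = val($3) }
    sec == "zone" && name == "wan" && $2 == "forward" { fw_p = val($3) }
    sec == "zone" && name == "wan" && $2 == "masq"    { masq = val($3) }
    # a redirect whose source is wan is a DNAT port forward into the LAN
    sec == "redirect" && $2 == "src" && val($3) == "wan" { redir++ }
    END {
      printf "input=%s forward=%s masq=%s redirects=%d\n",
        (in_p == "" ? "UNSET" : in_p), (fw_p == "" ? "UNSET" : fw_p),
        (masq == "" ? "0" : masq), redir + 0
    }
  ' "$1"
}

# check_wan_zone FILE
#   Exit 0 when unsolicited input and forwarding from wan are REJECT/DROP,
#   masquerading is on, and nothing is port-forwarded from wan; else exit 1.
check_wan_zone() {
  summary=$(wan_zone_summary "$1")
  echo "$summary"
  ok=0
  for kv in $summary; do
    key=${kv%%=*}; v=${kv#*=}
    case "$key" in
      input|forward)
        case "$v" in
          REJECT|DROP) ;;
          *) echo "  !! $key policy is $v (expected REJECT or DROP)"; ok=1 ;;
        esac ;;
      masq)
        [ "$v" = "1" ] || { echo "  !! masquerading is off"; ok=1; } ;;
      redirects)
        [ "$v" = "0" ] || { echo "  !! $v port forward(s) from wan expose LAN services"; ok=1; } ;;
    esac
  done
  return $ok
}

# Constructed sample 1: the shape of the stock WAN zone plus one default rule.
STOCK_WAN=$(mktemp)
cat > "$STOCK_WAN" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
EOF

# Constructed sample 2: a "permissive" WAN that accepts input and forwards
# TCP/443 to a LAN host (the reverse proxy would be reachable from upstream).
OPEN_WAN=$(mktemp)
cat > "$OPEN_WAN" <<'EOF'
config zone
    option name 'wan'
    list network 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config redirect
    option name 'https-to-proxy'
    option src 'wan'
    option src_dport '443'
    option dest 'lan'
    option dest_ip '192.0.2.10'
    option dest_port '443'
    option proto 'tcp'
    option target 'DNAT'
EOF

if [ "${1:-}" != "" ]; then
  check_wan_zone "$1"
fi
```

Run it as `sh audit.sh /etc/config/firewall` on the router (it only needs awk and the standard shell, both present in OpenWrt). The stock-style sample passes; the permissive one fails twice, once for `input=ACCEPT` and once for the redirect from wan, which is exactly the combination you want to avoid when the upstream is a shared, untrusted network.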
Do you always use another MAC, when you use the captive portal? On the other hand, when they associate the wall jack with your flat (i.e. switch 3 port 5 is flat 12) then they will always know from where the traffic originates.
Adding OpenVPN or IPsec within the OpenWrt router should prevent ISP eavesdropping, and depending on how (or where) you interface with Tailscale, it would most likely be redundant either way - agreed. I suppose it depends how paranoid the privacy should be. If I were stuck in such a scenario I would configure a VPN connection from the OpenWrt router to a WAN-based VPS (the VPN server endpoint). From the VPS end you could possibly bridge to your Tailscale account. A bit excessive, and if you are concerned about hiding the MAC address(es) associated with your account from some sort of captive portal then none of this will work. Overall, VPNs are the way to go when masking your network traffic.
I'm not doing anything illegal haha; in their ToS it said that they share personal data with 3rd parties and it reserves the right to store and analyse traffic
Just be sure the hardware/software you are using is controlled and operated by you and you only. Maintain data encryption (e.g., VPN) and ensure your browser is properly configured (e.g., hardened) and you should be good.
Running Tailscale is a good solution, but where is your Tailscale Exit Node to the Internet?
To achieve your privacy goals, the Tailscale Exit Node would need to be at another location. It would need to be at a trusted location (friend/relative); alternatively you could use the integrated Tailscale Mullvad Exit Node.