I am planning my first OpenWrt setup, to better secure a network currently served by an ISP fibre optic gateway on 500 Mbps.
I can see 2 solutions:
1. OpenWrt router behind ISP modem
   I can purchase a router and place it behind the ISP device:
   internet --> ISP device in bridge mode --ethernet--> OpenWrt router
2. OpenWrt gateway
   I can purchase a router that has a fibre optic input and bin the ISP device. My ISP has confirmed that they allow that.
From reading this forum, it seems that the most common solution is 1. This certainly seems easier to me as a setup.
However, I was wondering if there might be some security advantage in removing entirely the ISP's device. I want to treat their modem as compromised (they have remote access and bad security practices, it is easy for any bad actor to compromise this hardware).
I can see the argument that this setup is secure, since the ISP device is outside my network, and there's a chain of ISP devices in any case that I have to rely on for accessing the internet.
However I am wondering if there's something that I am not aware of, that makes the modem special compared to other ISP devices along the way.
You've answered your own question. You don't trust the hardware, and your ISP won't object to your using a different bit of kit in its place. That's all the justification you need.
A lot of people may think that their own device is more secure, and that's true to a certain extent.
But the catch is, if something happens with the ISP equipment, you can always delegate the task of solving the issue to your ISP, otherwise you need to spend additional time on troubleshooting.
The final decision depends on the resources you are ready to invest in your infrastructure maintenance.
One thing to keep in mind: with a bridged ISP device, really only the WiFi issue is novel (and that is IMHO unlikely), as the ISP can simply intercept all your traffic while it traverses the ISP's network. That obviously assumes that the ISP device allows true bridging.
This is kind of unlikely, as it requires installation of large software on the ISP device, and assumes the WiFi of such a device can be put in "monitor mode" to allow sniffing.
Anyway, it can be easily mitigated by placing the ISP device in a sturdy metal box, which will act as a Faraday cage and block the WiFi signal.
I chose No. 2... and still realized that if I need ISP support (or to re-install a set-top TV box), I still need their equipment. I use a FiOS-based ISP with a FttH-to-Ethernet ONT connection... and their router equipment is a downstream LAN of my OpenWrt, with igmpproxy installed for the set-top box/mobile app system to work.
Why?
- I also use a network with an IP Protocol No. 4 tunnel...
  For some reason, I guess they thought I was stupid and really opened this by accident - the NAT Forward kept disappearing!!!
- No IPv6
- There are hidden ports facing WAN that cannot be closed (some appear unrelated to the set-top box system - and may actually be how they closed the forward remotely); and
- hidden access points broadcast by my ISP's device - this is not related to the common free WiFi services of some ISPs, or WiFi access for others with accounts on their network.
(Also, it's a security risk to route from an IPENCAP tunnel downstream without a lot of firewalling.)
EDIT: I was also told by an insider in the ISP they may be closing "odd ports and protocols" as an attempt to better meter/keep track of IP connections (which are primarily TCP and UDP for most users).
I feel that risk is somewhat low for me, as I am planning to use strong WiFi encryption (WPA3), so the ISP device should not be able to collect any useful info.
@lleachii thanks for that. I didn't fully understand your point though. Given your experience, what is your recommendation?
Thanks for that. I agree with the overall sentiment that it is uncomfortable to have a modem to which the ISP has remote access. However, I am trying to figure out if there is an actual, identified security flaw in doing so. Then I can decide if that specific risk is worth:
- the increased complexity of setting up a gateway rather than a simple router
- the reduced choice of which router I can buy (it seems that there are significantly fewer routers with fibre optic input).
Some kindly highlighted the risk of ISP device snooping over wifi, but I feel with WPA3 encryption, I am ok discarding that risk.
Do you have another specific risk that you could give me as an example?
Thanks, I'll research further on the SolarWinds attack (I have heard about it, but do not know the technical details).
I thought gateway meant modem+router.
No I am not. In my mind, that is part of the added complexity of setting up a device that does both modem+router, instead of being a simple router behind the ISP modem.
Here in Canada, Bell has fiber/SFP to the home, and many people (including me) use an SFP media converter that converts SFP to Ethernet, then connect that to the router's WAN port. All you have to do is tag VLAN 35 on WAN and do PPPoE dial-up with your own credentials.
TP-Link MC220L (I'm using this one) or 10GTek "Gigabit Ethernet Media Converter"
Ah that's very interesting. I was not aware of that option, thank you.
Can you share technically how I can tag VLAN 35 on WAN and do PPPoE dial-up on OpenWrt?
(I assume I'll have to contact my ISP to get my PPPoE credentials...)
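An added example (not from any poster in this thread) of the /etc/config/network fragment that does what the previous post describes on OpenWrt: an 802.1Q sub-interface for VLAN 35 on the WAN port, with the PPPoE session running on top of it. It assumes a current DSA-based OpenWrt release where the physical WAN port is named wan (older swconfig builds use names like eth0.2), and the username/password values are placeholders for the credentials the ISP issues.

```conf
# Added example for /etc/config/network (not the thread's own config).
# Assumes an OpenWrt release with DSA, where the physical WAN port is 'wan'.

# 802.1Q sub-interface carrying VLAN 35 on the WAN port
config device
	option type '8021q'
	option ifname 'wan'
	option vid '35'
	option name 'wan.35'

# The PPPoE session runs over the tagged sub-interface, not the raw port.
# Keeping the logical name 'wan' means the default firewall wan zone
# (masquerade on, input/forward rejected) still covers it unchanged.
config interface 'wan'
	option device 'wan.35'
	option proto 'pppoe'
	# placeholders: use the PPPoE username/password your ISP gives you
	option username 'PLACEHOLDER_PPPOE_USER'
	option password 'PLACEHOLDER_PPPOE_PASS'
	# optional: also bring up IPv6 on the same PPPoE session
	option ipv6 'auto'
```

After `/etc/init.d/network restart`, `ifstatus wan` should report the interface up with the address the ISP assigned; if it stays down, check `logread` for the pppd negotiation to see whether the VLAN tag or the credentials are at fault.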
I think here that you should consider using DoH (DNS over HTTPS) or DoT (DNS over TLS) for your router's DNS server, and certainly do not use the ISP's DNS server. Over 80% of web traffic is over HTTPS and not subject to monitoring in most cases, but an ISP can list the web sites you have visited if they record your DNS lookups.
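An added example (not from the poster) of making that advice concrete on OpenWrt with the https-dns-proxy package: the proxy answers on a local port and forwards over DoH, and dnsmasq is told to use only that proxy, so the ISP's resolver learned from the WAN is never queried. The option names are those of the https-dns-proxy package as I know them; confirm against the /etc/config/https-dns-proxy the package installs, and the Cloudflare resolver URL is just an assumed placeholder for whichever DoH resolver you trust.

```conf
# Added example, /etc/config/https-dns-proxy (after: opkg install https-dns-proxy).
# Assumed resolver: Cloudflare; substitute the DoH endpoint you trust.
config main 'config'
	# let the package rewrite the server list of every dnsmasq instance;
	# set to '-' if you prefer to edit /etc/config/dhcp by hand (see below)
	option update_dnsmasq_config '*'

config https-dns-proxy
	# plain-DNS bootstrap, used only to resolve the DoH endpoint's own hostname
	option bootstrap_dns '1.1.1.1,1.0.0.1'
	option resolver_url 'https://cloudflare-dns.com/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5053'

# Equivalent manual dnsmasq settings in /etc/config/dhcp, if the package is
# told not to touch dnsmasq (update_dnsmasq_config '-'):
config dnsmasq
	# ignore the resolvers learned from the WAN, i.e. the ISP's servers
	option noresolv '1'
	# send every query to the local DoH proxy instead
	list server '127.0.0.1#5053'
```

With noresolv set and the proxy as the only server, plaintext port 53 queries should no longer leave the router; `tcpdump -ni <wan interface> port 53` while a LAN client browses is a quick way to confirm.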