OpenWrt router behind ISP modem vs OpenWrt gateway: security comparison

I am planning my first OpenWrt setup, to better secure a network currently served by an ISP fibre optic gateway on 500 Mbps.

I can see 2 solutions:

  1. OpenWrt router behind ISP modem
    I can purchase a router and place it behind the ISP device:
    internet --> ISP device on bridge mode --ethernet --> OpenWrt router

  2. OpenWrt gateway
    I can purchase a router that has a fibre optic input and bin the ISP device. My ISP has confirmed that they allow that.

From reading this forum, it seems that the most common solution is 1. This certainly seems easier to me as a setup.

However, I was wondering if there might be some security advantage in removing the ISP's device entirely. I want to treat their modem as compromised (they have remote access and bad security practices; it is easy for any bad actor to compromise this hardware).

I can see the argument that this setup is secure, since the ISP device is outside my network, and there's a chain of ISP devices in any case that I have to rely on for accessing the internet.
However I am wondering if there's something that I am not aware of, that makes the modem special compared to other ISP devices along the way.

Any insight appreciated.

Theoretically, when the ISP device has wifi, it could be used to sniff wifi traffic in your house, which cannot be done from a more upstream router.

You've answered your own question. You don't trust the hardware, and your ISP won't object to your using a different bit of kit in its place. That's all the justification you need.

A lot of people may think that their own device is more secure, and that's true to a certain extent.
But the catch is, if something happens with the ISP equipment, you can always delegate the task of solving the issue to your ISP, otherwise you need to spend additional time on troubleshooting.
The final decision depends on the resources you are ready to invest in your infrastructure maintenance.

One thing to keep in mind: with a bridged ISP device, really only the WiFi issue is novel (and that is IMHO unlikely), as the ISP can simply intercept all your traffic while it traverses the ISP's network. That obviously assumes that the ISP device allows true bridging.

This is kind of unlikely, as it requires installation of large software on the ISP device, and assumes the WiFi of such a device can be put in "monitor mode" to allow sniffing.

Anyway, it can be easily mitigated by placing the ISP device in a sturdy metal box, which will act as a Faraday cage and block the WiFi signal.

I chose No. 2...and still realized that if I need ISP support (or to re-install a set-top TV box), I still need their equipment. I use a FiOS-based ISP with an FttH-to-Ethernet ONT connection...and their router equipment is a downstream LAN of my OpenWrt with igmpproxy installed for the set-top box/mobile app system to work.

Why?

  • I also use a network with an IP Protocol No. 4 tunnel...

For some reason, I guess they thought I was stupid and really opened this by accident - the NAT Forward kept disappearing!!!

  • No IPv6
  • There are hidden ports facing WAN that cannot be closed (some appear unrelated to the set-top box system - and may actually be how they closed the forward remotely); and
    • hidden access points broadcasted by my ISP's device - this is not related to the common free WiFi services of some ISPs; or WiFi access for others with accounts on their network

(Also, it's a security risk to route from an IPENCAP tunnel downstream without a lot of firewalling.)

EDIT: I was also told by an insider at the ISP that they may be closing "odd ports and protocols" as an attempt to better meter/keep track of IP connections (which are primarily TCP and UDP for most users).

That's a good point.

I feel that risk is somewhat low to me, as I am planning to use strong Wifi encryption (WPA3), so the ISP device should not be able to collect any useful info.

@lleachii thanks for that. I didn't fully understand your point though. Given your experience, what is your recommendation?

I guess in your security paradigm, you may be OK with:

  • unknown people having an AP on your router
  • the ability to control it
  • making changes you don't approve of
  • having ports open you don't agree to

...but I'm not.

You sure...?

...in my case they have their own AP...so don't bridge if that's your case too!

I want 100% control over my WAN interface. I sit those devices on their own separate LAN. I plug their router into that subnetwork/VLAN.

Thanks for that. I agree with the overall sentiment that it is uncomfortable to have a modem to which the ISP has remote access. However, I am trying to figure out if there is an actual, identified security flaw in doing so. Then I can decide if that specific risk is worth:

  1. the increased complexity of setting up a gateway rather than a simple router
  2. the reduced choice for which router I can buy (it seems that there are significantly fewer routers with fibre optic input).

Some kindly highlighted the risk of ISP device snooping over wifi, but I feel with WPA3 encryption, I am ok discarding that risk.

Do you have another specific risk that you could give me as an example?

  • Heard of SolarWinds?
  • And the risks of a 3rd party having the ability to control hardware/software at remote locations en masse.

The terms are synonymous, unless there's some other software you have in mind.

Are you 100% sure that the fiber connection meets standard SFP specs (or you can find a compatible SFP) anyway?

In my ISP's case, it is not a standard SFP. They use 3 lightwaves for different services - on one strand of fiber - not 2.

Thanks, I'll research further on the SolarWinds attack (I have heard about it, but do not know the technical details).

I thought gateway meant modem+router.

No I am not. In my mind, that is part of the added complexity of setting up a device that does both modem+router, instead of being a simple router behind the ISP modem.

Here in Canada, Bell has fiber/SFP to the home and many people (including me) use an SFP media converter that converts SFP to Ethernet, then connect that to our router's WAN port, and all you have to do is tag VLAN 35 on WAN and do PPPoE dial-up with your own credentials.

TP-Link MC220L (I'm using this one) or 10GTek "Gigabit Ethernet Media Converter"

Sample listing on Amazon, ~20 USD
https://www.amazon.com/TP-Link-Ethernet-Converter-Supporting-MC220L/dp/B003CFATL0/

Ah that's very interesting. I was not aware of that option, thank you.

Can you share technically how I can tag VLAN 35 on WAN and do PPPoE dial-up on OpenWrt?
(I assume I'll have to contact my ISP to get my PPPoE credentials...)

(You must also change the WAN interface from eth0.2 to eth0.35)

What I meant was, for us Canadian Bell customers, we do VLAN 35 and PPPoE with our Bell ID/password.

You need to find out how to do that for your ISP (unless you're with Bell as well).
References:

Ah, got it. Thank you!

I think here that you should consider using DoH (DNS over HTTPS) or DoT (DNS over TLS) for your router's DNS server, and certainly do not use the ISP's DNS server. Over 80% of web traffic is over HTTPS and not subject to monitoring in most cases, but an ISP can list the web sites you have visited if they record your DNS lookups.

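
Putting the two configuration points from this thread together (the tagged VLAN 35 + PPPoE WAN from the Bell example, and keeping the ISP's DNS servers out of the picture), here is an added example of the OpenWrt UCI fragments involved; it is not from any poster and not Bell's documentation. It assumes OpenWrt 21.02 or later with DSA, where the WAN port is named `wan` (on older swconfig builds this is the eth0.2 to eth0.35 interface rename mentioned above), placeholder PPPoE credentials, and a local DoT/DoH forwarder on port 5453 (stubby's OpenWrt default; https-dns-proxy uses a different port).

```text
# /etc/config/network  (OpenWrt 21.02+ DSA naming; assumed WAN port name: wan)

# 802.1q sub-interface carrying the ISP's tagged VLAN (35 in the Bell example)
config device
	option name 'wan.35'
	option type '8021q'
	option ifname 'wan'
	option vid '35'

# The PPPoE session runs over the tagged sub-interface, not the raw port
config interface 'wan'
	option device 'wan.35'
	option proto 'pppoe'
	option username 'ISP_USERNAME_PLACEHOLDER'
	option password 'ISP_PASSWORD_PLACEHOLDER'
	# Ignore the DNS servers the ISP pushes during PPP negotiation;
	# without this, dnsmasq would forward every lookup to the ISP resolver.
	option peerdns '0'

# /etc/config/dhcp  (dnsmasq side)
config dnsmasq
	# Do not read /etc/resolv.conf, which would reintroduce ISP DNS
	option noresolv '1'
	# Forward only to the local encrypted forwarder (stubby for DoT,
	# https-dns-proxy for DoH). 127.0.0.1#5453 is assumed: stubby's
	# OpenWrt default; adjust to wherever your forwarder listens.
	list server '127.0.0.1#5453'
```

After editing, `/etc/init.d/network restart` and `/etc/init.d/dnsmasq restart` apply the change; a quick check that no ISP resolver is in use is that `cat /tmp/resolv.conf.d/resolv.conf.auto` lists nothing dnsmasq still consults.
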
Thanks for that. I agree, I was planning to do that.
