I am planning my first OpenWrt setup, to better secure a network currently served by an ISP fibre optic gateway on 500 Mbps.
I can see 2 solutions:

1. OpenWrt router behind ISP modem: I can purchase a router and place it behind the ISP device:
   internet --> ISP device on bridge mode --ethernet--> OpenWrt router
2. I can purchase a router that has a fibre optic input and bin the ISP device. My ISP has confirmed that they allow that.
From reading this forum, it seems that the most common solution is 1. This certainly seems easier to me as a setup.
However, I was wondering if there might be some security advantage in removing entirely the ISP's device. I want to treat their modem as compromised (they have remote access and bad security practices, it is easy for any bad actor to compromise this hardware).
I can see the argument that this setup is secure, since the ISP device is outside my network, and there's a chain of ISP devices in any case that I have to rely on for accessing the internet.
However I am wondering if there's something that I am not aware of, that makes the modem special compared to other ISP devices along the way.
A lot of people may think that their own device is more secure, and that's true to a certain extent.
But the catch is, if something happens with the ISP equipment, you can always delegate the task of solving the issue to your ISP, otherwise you need to spend additional time on troubleshooting.
The final decision depends on the resources you are ready to invest in your infrastructure maintenance.
One thing to keep in mind: with a bridged ISP device, really only the WiFi issue is novel (and that is IMHO unlikely), as the ISP can simply intercept all your traffic while it traverses the ISP's network. That obviously assumes that the ISP device allows true bridging.
I choose No. 2...and still realized if I need ISP support (or to re-install a set-top TV box), I still need their equipment. I use a FiOS based ISP with a FttH-to-Ethernet ONT connection...and their router equipment is a downstream LAN of my OpenWrt with igmpproxy installed for the set top box/mobile app system to work.
I also use a network with an IP Protocol No. 4 tunnel...
For some reason, I guess they thought I was stupid and really opened this by accident - the NAT Forward kept disappearing!!!
- There are hidden ports facing WAN that cannot be closed (some appear unrelated to the set top box system, and may actually be how they closed the forward remotely); and
- hidden access points broadcast by my ISP's device. This is not related to the common free WiFi services of some ISPs, or WiFi access for others with accounts on their network.
(Also, it's a security risk to route from an IPENCAP tunnel downstream without a lot of firewalling.)
EDIT: I was also told by an insider in the ISP they may be closing "odd ports and protocols" as an attempt to better meter/keep track of IP connections (which are primarily TCP and UDP for most users).
Thanks for that. I agree with the overall sentiment that it is uncomfortable to have a modem to which the ISP has remote access. However, I am trying to figure out if there is an actual, identified security flaw in doing so. Then I can decide if that specific risk is worth:
- the increased complexity of setting up a gateway rather than a simple router
- the reduced choice for which router I can buy (it seems that there are significantly fewer routers with fibre optic input).
Some kindly highlighted the risk of ISP device snooping over wifi, but I feel with WPA3 encryption, I am ok discarding that risk.
Do you have another specific risk that you could give me as an example?
Here in Canada, Bell has fiber/SFP to the home and many people (including me) use an SFP media converter that converts SFP to Ethernet, then connect that to the router's WAN port. All you have to do is tag VLAN 35 on WAN and do a PPPoE dial-up with your own credentials.
TP-Link MC220L (I'm using this one) or 10GTek "Gigabit Ethernet Media Converter"
I think here that you should consider using DoH (DNS over HTTPS) or DoT (DNS over TLS) for your router's DNS server, and certainly do not use the ISP's DNS server. Over 80% of web traffic is over HTTPS and not subject to monitoring in most cases, but an ISP can list the web sites you have visited if they record your DNS lookups.
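As an added illustration (not from any poster above), this is what the two previous replies look like as an OpenWrt /etc/config/network fragment: the WAN port carries a tagged VLAN 35, PPPoE runs on top of it with the subscriber's own credentials, and peerdns is disabled so the resolvers the ISP pushes during PPP negotiation are ignored. It assumes a DSA-based OpenWrt release (21.02 or later) where the physical WAN port is named 'wan'; the VLAN ID 35 comes from the Bell example above, and the credential values are placeholders.

```uci
# /etc/config/network (fragment) - added example, OpenWrt 21.02+ DSA syntax.
# Assumes the physical WAN port is called 'wan'; on older swconfig
# targets the port would be something like 'eth0' with a VLAN sub-interface.

# 802.1q sub-interface: everything sent to the ISP is tagged VLAN 35
# (the ID the Bell Canada post above uses; your ISP may differ).
config device
	option name 'wan.35'
	option type '8021q'
	option ifname 'wan'
	option vid '35'

# PPPoE session on the tagged sub-interface with your own credentials,
# so no ISP-managed gateway sits between the fibre and the firewall.
config interface 'wan'
	option device 'wan.35'
	option proto 'pppoe'
	option username 'REPLACE_WITH_ISP_USERNAME'   # placeholder
	option password 'REPLACE_WITH_ISP_PASSWORD'   # placeholder
	option ipv6 'auto'
	# Do not accept the DNS servers the ISP hands out over PPP; dnsmasq
	# on the router will use whatever you configure instead (e.g. a
	# local DoH/DoT forwarder, which is a separate package and config).
	option peerdns '0'
```

The 'wan' logical interface above must still be a member of the firewall's WAN zone (the default config already does this), otherwise the PPPoE link comes up without the input drop policy.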