Will I be more secure with my own router behind my ISP's router?

My ISP has been accessing my router (to fix or update something). The ISP's router is a GigaHub 823G-2 (FTTH connection) and my router is a TP-Link TPTD-W8968. They accidentally changed my SSID and thanks to that I realized the following:

  1. I have no control over the device, no telnet, some fixed values, etc.
  2. If I need to restore from factory, I would need to call them.
  3. Passwords are unencrypted.
  4. I feel my own devices, connected to this router, are potentially vulnerable.

I found this question very relatable:

Does an ISP have admin access to your modem/router?

Since I can't replace the device entirely with my own, I thought about putting my own router behind theirs.

Here the bridge alternative is mentioned, which I don't fully understand:

ISP modem/router, how do I enable Bridged Mode and use my own router?

Neither of these routers has a bridge mode, so I did the following:

I connected my own router via Ethernet to the ISP's router. Then in my router the WAN is:

  • IPv4: 192.168.2.10
  • Subnet: 255.255.255.0
  • Gateway (ISP’s LAN): 192.168.2.1

I also disabled UPnP and dynamic DNS from both, and Wi-Fi from the ISP’s router.

So will the devices connected to my router be secure from anyone inside the ISP's router?

Could someone tell me if this is a bridged connection, or how it differs from a bridged connection?

The setup I mentioned above seems to be working as expected, but I want to be sure it's the right way or at least the safest way to do it.
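
A quick way to answer the "is this bridged?" question from the router's own WAN settings, as an added example that is not part of the original question: a bridged (or plain modem) connection puts the ISP-assigned public address on the router's WAN port, while a 192.168.2.x address like the one above is a private address handed out by the ISP router's NAT, so traffic crosses two NAT layers. The script classifies the WAN address and sanity-checks that the gateway lies inside the WAN subnet. The CGNAT and "public" sample addresses are constructed; the 198.51.100.0/24 documentation range stands in for a real public address.

```python
"""Is the home router's WAN side bridged (holding the ISP-assigned public address)
or sitting behind the ISP router's NAT?  Added example, not from the original
question; the sample addresses are constructed for illustration."""

import ipaddress

# Address blocks that never appear on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT shared space


def classify_wan(wan_ip: str, netmask: str, gateway: str) -> dict:
    """Classify what the router's WAN configuration implies.

    Returns a dict with:
      mode                "double-nat" (private address from the ISP router's DHCP/NAT),
                          "cgnat"      (shared address: the ISP itself does the NAT),
                          "public"     (routable address on the WAN port, which is what
                                        bridge mode or a plain modem gives you)
      nat_layers_at_home  how many NAT devices sit in the home for that mode
      gateway_ok          whether the gateway is inside the WAN subnet and is not the
                          WAN address itself (sanity check for a hand-entered config)
    """
    addr = ipaddress.ip_address(wan_ip)
    net = ipaddress.ip_network(f"{wan_ip}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)

    if any(addr in n for n in RFC1918):
        mode = "double-nat"
    elif addr in CGNAT:
        mode = "cgnat"
    else:
        mode = "public"

    return {
        "mode": mode,
        "nat_layers_at_home": 2 if mode == "double-nat" else 1,
        "gateway_ok": gw in net and gw != addr,
    }


if __name__ == "__main__":
    # The values from the question: a private address handed out by the ISP router.
    print(classify_wan("192.168.2.10", "255.255.255.0", "192.168.2.1"))
    # Constructed contrast cases: a CGNAT address and a (documentation-range) public one.
    print(classify_wan("100.72.3.4", "255.255.255.0", "100.72.3.1"))
    print(classify_wan("198.51.100.23", "255.255.255.248", "198.51.100.17"))
```

Run it with the values from your router's WAN status page; "double-nat" confirms the setup is router-behind-router rather than bridged. It only tells you which side performs the NAT; it says nothing about what the ISP can still do on its own device through remote management.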


Solution 1:

Not 100% sure but TR-069 might be the standard involved that is allowing your ISP to access your CPE (modem/router) and get information from it. Probably all DSL modems you buy and certainly any you get from the ISP will be TR-069 enabled.

I have cable (DOCSIS) and bought my own modem, without a built in router, and then bought a separate router. This is a good setup if you do not want the ISP to do anything with your equipment.

DSL is different. I believe all consumer level DSL modems will have a built-in router. The way to disable the router part of a DSL modem/router is to enable bridge mode. Then add your own router.

What you're doing is kinda the right thing to do if you can't change your situation.

It's not bridged. Basically you created (or should be creating) a separate network between your ISP and your devices. Done this way, the only thing the ISP can see is anything in the middle network, which ought to only contain your DSL device and your home router.

If your router has TTL spoofing, enable it; then your ISP can't use TTL to detect whether the router is speaking or devices behind it.

Here's the right way to do what you want. It's a crappy MSPaint diagram, but hopefully it is clear enough.

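
To show why this answer recommends TTL spoofing, here is an added example (not code from the answer or from any router firmware) that models what the ISP's router can infer from the TTL of outgoing packets. Hosts behind the home router have their TTL decremented once when forwarded, so the ISP side sees 63 or 127 where the router's own traffic shows 64; rewriting every outgoing TTL to one value, as the TTL target's --ttl-set option in iptables does, removes that signal. The packet list and the default initial TTL values are constructed assumptions.

```python
"""TTL fingerprinting of devices behind a NAT router, and the effect of TTL
normalisation ("TTL spoofing").  Added example, not from the original thread;
the packet list below is constructed for illustration."""

# Common default initial TTLs.  These are assumptions about typical defaults
# (Linux/macOS 64, Windows 128, some embedded gear 255); real values vary.
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: packets as they are handed to the home router.
# "from_router" marks packets the router itself originates (its own DNS, NTP
# or web client); the rest come from LAN devices and will be forwarded.
PACKETS = [
    {"host": "home-router", "ttl": 64, "from_router": True},
    {"host": "laptop-linux", "ttl": 64, "from_router": False},
    {"host": "pc-windows", "ttl": 128, "from_router": False},
    {"host": "phone", "ttl": 64, "from_router": False},
    {"host": "camera", "ttl": 255, "from_router": False},  # an embedded device
]


def egress(packets, ttl_set=None):
    """TTL of each packet as the ISP router sees it on the home router's WAN port.

    Forwarded packets lose one hop of TTL; router-originated packets do not.
    If ttl_set is given, every outgoing packet is rewritten to that value, which
    is what a mangle-table rule like iptables' TTL --ttl-set does (the "TTL
    spoofing" option in some router firmwares)."""
    out = []
    for p in packets:
        ttl = p["ttl"] if p["from_router"] else p["ttl"] - 1
        if ttl_set is not None:
            ttl = ttl_set
        out.append(ttl)
    return out


def infer_hops(observed_ttl):
    """What an observer on the ISP side can conclude from one TTL value: assume
    the nearest standard initial TTL at or above the observed value and treat
    the difference as the number of routers the packet has crossed."""
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def observer_view(observed_ttls):
    """Distinct (initial TTL, hop count) pairs seen by the ISP.  More than one
    pair, or any hop count above 0, reveals that devices sit behind the router
    rather than the router speaking for itself."""
    return sorted({infer_hops(t) for t in observed_ttls})


def hidden_hosts_visible(observed_ttls):
    """True if the TTLs alone betray hosts behind the router."""
    return any(hops > 0 for _, hops in observer_view(observed_ttls))


if __name__ == "__main__":
    plain = egress(PACKETS)
    print("without normalisation:", observer_view(plain))  # [(64, 0), (64, 1), (128, 1), (255, 1)]
    fixed = egress(PACKETS, ttl_set=64)
    print("with TTL set to 64:  ", observer_view(fixed))  # [(64, 0)]
```

Rewriting the TTL hides only the hop count. The devices still differ in their TCP stack fingerprints and in their application traffic (user agents, DNS names), so this reduces what the ISP's router can see rather than hiding the LAN outright.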

Solution 2:

About "bridge mode"

  1. "Bridge mode" on the ISP "router" is important if you get a public IP from your ISP.

    It allows you to install this public IP on your router's WAN port.

    And if you ask your ISP about it, ask something like:

    "I want to set my public IP on the WAN port of my router, how is that possible?"

  2. Bridge mode can be useful on some ADSL/cable modem-routers whose CPU is not too powerful. It allows you to establish the PPPoE connection from your router and removes the performance bottleneck and ISP router hangs.