ISP's NAT

Hi !

I bought a TP LINK router, because I read it would increase my home network security, but my ISP is not allowing me to use bridge mode on their modem/router.

So if I'm using my ISP's NAT like that, does it increase security vulnerabilities compared to not using the ISP's NAT (direct access of the public IP to my router through the ISP's modem/router in bridge mode)?

If there are issues with security when using the ISP's NAT like that, can I do something with Qubes to make it as secure as if it didn't use the ISP's NAT?

IIRC, double NATing causes connectivity issues, but it shouldn't have any impact on security. Just make sure you connect to your router and not your ISP's.

Hello :wave:

what made you think this?

Not really, they potentially can do whatever they want with your traffic anyway

What would happen if I connect directly ?

I read that private routers increase security etc
I looked for the modem software and there’s no ability to use bridge mode and the ISP’s representative confirmed it’s not possible and they don’t support this feature

:exploding_head:

And I can’t do much about it ???

I don’t understand.
You want to exchange the ISP modem/router with your own, or connect your own router to the ISP modem/router?
If the first situation, then no, most ISPs don't allow you to replace their own hardware to connect to their network. Most of the time you don't even have access to the ISP modem/router management page.

Then you would just bypass your router entirely.

A better way to understand this is that private routers CAN increase your security and privacy, but what they really do is shift the control and responsibility to you. You would have to do the research and configure it properly and understand what you want and how that’s done in order to actually have better security. In fact, you can also make things worse by using a router you buy without understanding it properly, because then you risk setting it up improperly.

So, yes and no. The internet works like the mail. This is very simplified, but you basically send mail asking for a server to give you its website, say qubes-os.org. Then the server sends mail back to you with its website. You can control what you send and receive by, say, sending it in a locked box instead of an envelope (encryption, VPN, etc.), but you still can't stop your ISP from tampering with what you send. Much of the existing software that promises to alleviate this really just shifts the responsibility, like VPNs. VPNs encrypt your traffic to the VPN, preventing the ISP from seeing where you go and what you do or silently changing those things. But the VPN provider then becomes to you what the ISP was and can do those things themselves.

A router passes traffic from one network to another; in your current case it's from the Internet to your local network. If you add a second router (hence the "double NAT"), you would route between the ISP router ↔ your router network and your local network.

That does not do much for security; however, if you add a firewall (a router can sometimes act as a firewall, but it's not always the case), this allows you to control what's going in / out, if you know what you are doing and how to configure it.

Adding a cheap TP-link router to the chain will not help unfortunately.

It depends what you want to protect. If you want to protect Qubes OS, the easiest approach is to consider every network untrusted, so whether you are at home or elsewhere does not matter.

You can use Tor or/and a VPN to hide traffic from your ISP. Using a VPN moves the trust from your ISP to the VPN provider.

We replied nearly at the same time and came with the same answers :grin:

No! I wanted to connect my private router to the ISP's modem/router and switch it to bridge mode. But the ISP's modem/router apparently doesn't support this, and I'm not sure what implications this has because I'm not yet very knowledgeable in networking!

I understand that! I'm asking in terms of what my ISP can do with that compared to when I connect my router to the ISP's modem/router in bridge mode!
I want to understand the potential implications of such a connection!

Don’t scare me mister ! :grin:
There’s many settings in that router, but not that many ! What settings are you referring to exactly ?

I understand that !
But the part that scares me is that before reaching the internet my traffic goes through the NAT of my ISP, and I'm not sure what it means (what they can do, etc.)!
If I'm getting my public IP directly, I guess it's going through directly, isn't it? I'm confusing myself now! :face_with_head_bandage:
So potentially with NAT they can intercept the HTTPS / VPN and then act as a MITM? I am not sure!

Will my router treat the ISP's router somehow differently in terms of security if we compare the connection with and without bridge mode? So if I connect my router to the ISP's modem/router without bridge mode (to the ISP's NAT), will my private router still protect me the same?

It's not cheap at all :grimacing: and it does do firewalling!
So if I do firewalling, will it conflict with NAT? How would I control the incoming traffic if it's going first through the NAT of my ISP?

What do you mean exactly by considering ??? What do I need to do ?

If I have my private router connected to the ISP's modem/router without bridge mode and I have multiple devices in my local network, does it mean I can't communicate between them in a trusted way, as I would if the ISP's modem/router were connected in bridge mode???

You seem new to taking privacy and security into your own hands, so I’d like to pass on some advice I wish I was told at the outset:

If you want digital privacy and security, go find something heavy, destroy everything with an internet connection, and go outside. It doesn't exist and likely will not soon (in our lifetimes). The internet used to be a beautiful thing where you could connect and find information, but it has since become an ugly system that abuses its users. I'd trace this back to several major changes, such as transforming from pull media to push media, the monetization of 'free' resources with ads/commercialization, the pseudo-necessity of the internet for practically everything in developed countries, and the development of wireless internet (it used to be a place that you went to and left, but now it's everywhere). This has created the perfect storm that incentivizes taking control from users, and you can see where we are now. No matter where you are in your knowledge, it's worse than you think.

I don't mean to come off so negatively, but this is the fact of the matter. Things like the Mastodon social network and the gopher protocol are steps in the right direction, but the second fact of the matter is that the only way you could get privacy and security on the internet is to become an expert in all the working parts and do it yourself. This is in all ways practically impossible because computers and the internet are getting exponentially more complex over time, and the direction of trends isn't in our favor. It took me years of learning everything I could get my hands on to come to this conclusion. There is even heavy and often heated debate between experts/developers, such as this recent forum post. That is far from the only debate, as you'll see as you go deeper down the rabbit hole.

Take this how you will. I’m not advocating to throw all your computers out and become a Luddite, but you do need to think about what balance you want to have. Anything on the internet is to one degree or another not private nor secure. You have to understand that the first 50% will take work but shouldn’t be too hard. Every percent after that will take twice as much work as the last. For some people, they’re perfectly fine with the state of things as long as their accounts aren’t hacked. For some like me, I take a minimalist/functionalist approach apart from career and learning. I know some who don’t use it at all for anything and do just fine.

Edit: Also, that’s not to undermine wonderful projects like QubesOS, GrapheneOS, etc. They are great projects that help users manage some security and privacy, especially QubesOS due to being able to have air-gapped VMs. But complete privacy and security for the masses is currently a pipe dream because of how the internet theoretically and practically works.

Let’s go back to the basics first.

Your ISP is connecting your home (using their hardware or yours, this does not matter here) to the Internet by providing a pipe. Whether they control both sides of the pipe (their side and the hardware in your home) or only their side in their datacenter does not change much: they can do whatever they want with what goes into that pipe.

The way you add the TP-link firewall/router into your network is just a technical detail; this does not change the fact that your ISP controls the pipe. A firewall you own, added between your local network and that pipe, will create "a gate" that YOU control and allow you to decide what's going in and out. You could consider the local network with your own devices a trusted network up to the firewall. But configuring a firewall has implications: you might want to block all initiated incoming traffic, which does not bring much by default as you have a NAT in play, so anyone hitting your public IP will land on the ISP router, but at least you have some guarantee that if the ISP router is misconfigured or hacked, incoming connections will be blocked. Then you can configure outgoing traffic policies to block some devices from reaching the internet or limit them by destination or port; this requires fine tuning.


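The two replies above (the routing/firewall one and the "pipe" one) describe the same setup: your own NAT router sitting behind the ISP's NAT router, with a firewall on your router that only lets in replies to connections the LAN opened. Below is a small Python model of that setup, added here as an illustration; it is not code from this thread or from Qubes OS, and every address, port and setting in it is made up. It shows an outbound connection being translated twice and its reply finding the way back, an unsolicited probe dying at the ISP router because nothing maps it, the same probe reaching your router when the ISP router has a "DMZ host" setting pointing at it and still being dropped there, and that exposing a LAN service from outside would need a forward on both routers. Real NATs track full 5-tuples and time entries out; this model keys on the translated port only, which is enough to show the behaviour.

```python
"""Toy model of a home LAN behind two NAT layers ("double NAT").

Added example for this thread; not code from the forum or from Qubes OS.
Addresses (RFC 5737 documentation ranges), ports and rules are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Source NAT with a stateful inbound policy.

    A packet arriving from the WAN side is accepted only if it answers a
    connection the inside opened, matches an explicit port-forward, or the
    administrator configured a DMZ host that receives everything unmatched.
    Everything else is dropped and logged."""

    def __init__(self, name, wan_ip, forwards=None, dmz=None):
        self.name = name
        self.wan_ip = wan_ip
        self.forwards = forwards or {}   # wan dport -> (inner ip, inner port)
        self.dmz = dmz                   # inner ip that gets unmatched traffic
        self.session = {}                # translated sport -> (inner ip, port)
        self.reverse = {}                # (inner ip, port) -> translated sport
        self.next_port = 40000           # simplistic port allocator
        self.log = []

    def outbound(self, pkt):
        """Inside -> WAN: rewrite the source to our WAN address and a mapped port."""
        key = (pkt.src, pkt.sport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.session[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.wan_ip, sport=self.reverse[key])

    def inbound(self, pkt):
        """WAN -> inside: only replies, explicit forwards or the DMZ host pass."""
        if pkt.dport in self.session:        # reply to something we sent out
            ip, port = self.session[pkt.dport]
        elif pkt.dport in self.forwards:     # administrator-chosen exception
            ip, port = self.forwards[pkt.dport]
        elif self.dmz:                       # "send everything unmatched here"
            ip, port = self.dmz, pkt.dport
        else:
            self.log.append(
                f"{self.name}: dropped unsolicited {pkt.src}:{pkt.sport} -> :{pkt.dport}")
            return None
        return replace(pkt, dst=ip, dport=port)


def lan_to_internet(pkt, home, isp):
    """A packet leaving the LAN is NATed by the home router, then by the ISP router."""
    return isp.outbound(home.outbound(pkt))


def internet_to_lan(pkt, home, isp):
    """A packet from the Internet hits the ISP router first, then the home router."""
    step = isp.inbound(pkt)
    return home.inbound(step) if step else None


def demo(isp_dmz=None, home_forwards=None):
    """Run one outbound HTTPS connection and one unsolicited inbound probe.

    isp_dmz:       set to the home router's WAN address to model an ISP router
                   that forwards everything unmatched to it (misconfiguration).
    home_forwards: explicit port-forwards on the home router, e.g. {22: (ip, 22)}.
    Returns (translated outbound packet, delivered reply, delivered probe, logs)."""
    home = NatRouter("home-router", wan_ip="192.168.0.2", forwards=home_forwards)
    isp = NatRouter("isp-router", wan_ip="203.0.113.7", dmz=isp_dmz)

    # 1. a LAN host opens HTTPS to a web server; the reply must find its way back
    out = lan_to_internet(Packet("192.168.1.10", 51234, "198.51.100.9", 443), home, isp)
    reply = internet_to_lan(Packet("198.51.100.9", 443, out.src, out.sport), home, isp)

    # 2. somebody on the Internet probes the public address on port 22
    probe = internet_to_lan(Packet("198.51.100.200", 4444, "203.0.113.7", 22), home, isp)
    return out, reply, probe, isp.log + home.log


if __name__ == "__main__":
    for label, kwargs in [("plain double NAT", {}),
                          ("ISP DMZ -> home router", {"isp_dmz": "192.168.0.2"}),
                          ("ISP DMZ + home forward 22", {"isp_dmz": "192.168.0.2",
                                                          "home_forwards": {22: ("192.168.1.20", 22)}})]:
        out, reply, probe, logs = demo(**kwargs)
        print(f"{label}: outbound seen as {out.src}:{out.sport}, reply to {reply.dst}:{reply.dport}, "
              f"probe -> {probe.dst if probe else 'dropped'}; {logs}")
```

The third scenario is the answer to "how would I control incoming traffic if it goes through the ISP's NAT first": you cannot accept a connection that the ISP router never passes on, so reaching a LAN service from outside needs a rule on both boxes, while blocking is something your own router can always enforce on its own.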
In order to balance things out, I need to understand them first!
That's why I want to know the implications of connecting my private router to the ISP's modem/router with and without NAT!

I don’t live in fairy tale !
At least not in computer related things ! :smile:

I read lots of related things and you just summed it so easily :grimacing: :exploding_head:
YOU ARE AMAZING ! THANK YOU !

Okey, I think I got this part !

So answering my own question:

The answer is nothing ?

And regarding the ISP potentially becoming MITM, ISP’s NAT doesn’t affect this and ISP can become MITM regardless ? Did I get this right ?

You can use a VPN, but then the VPN can become the MITM. I’d recommend choosing one you can trust.

VPN provider recommendation

Mullvad is a great option because they’ve taken steps they don’t have to in order to be more secure, such as porting their servers to FOSS firmware, a very difficult and costly process that they could have chosen not to do.

You’re right, I shouldn’t have assumed nor offered that before helping with the task at hand first. Sorry.

One thing. The ISP router can't work in bridge mode because then it would no longer be a router but a simple switch or access point. But it is the router at the edge between your network and the ISP network, so it needs to be the NAT machine, DHCP server and router that routes the packets.
You can use your private router in bridge mode; it's a valid use, like in my case, when the ISP router is too far away to connect with a cable, so my router takes data over wifi from the ISP router and I can connect my 3 computers (including a NAS) by cable to a switch, and the switch to the router in bridge mode.

I don’t trust VPNs ! At least not more than my own ISP !

I appreciate you saying that ! All good !

My friend has another ISP that is not available in my city, so she has an ISP modem that is in bridge mode (she asked for it! it was a combo router/modem before!) and she has access to the modem's GUI and she is using her own (also TP LINK) router that receives the public IP directly!

I don't understand why my ISP would block me from using their combo router/modem as a modem only! Does this give them more control?

Why not, if you don’t mind me asking? Are you comfortable giving more details to your situation that would help us better understand the solution you’re looking for, like what exactly you’re trying to do?

As I understand it, the main idea looks like this. Your ISP probably wants to monitor your local network and send data about your devices (maybe something more, for example device uptime, MAC addresses, network activity, local services) to their servers. Don't trust them. So you can use your custom router before the ISP's router for controlling your network. Most local services don't use encryption for communications; in this case the ISP's router can sniff netflow. Sorry for my bad English.

Just for fun, you can install the extra router before the ISP's router and sniff the ISP router's network activity, to predict what the ISP's router is really doing. Or maybe reverse engineer their software.