You absolutely must secure your home router and you probably can't


#1

Originally published at: https://boingboing.net/2018/01/03/wishful-thinking.html


#2

Done.
Well, not done. I still patch it on a regular basis.

(OpenWRT)


#3

Glad I never used one of those home routers and opted for a Linux box and just use iptables.

Probably not a great solution for anybody that isn’t into Linux command line shit.


#4

I did that with PF and BSD for years.


#5

I have several layers of tin foil around mine, with pixie dust between layers, I’m all good over here.

PS. I just upgraded my password from 0000 to 1234. Nobody’s ever going to screw with me.


#6

This has definitely not been my experience:

  • Comcast: Not only can you bring your own router, you can even still bring your own modem and avoid the “equipment rental” fees.
  • Charter: Same, though this was 3 years ago and it may have changed.
  • Verizon (Fios): If you don’t get TV from them, you can bring your own router, no problem. If you do need cable, you need to keep their router, because it provides the data for the TV channel guide; but you can work around it by either putting it behind your router or putting your router behind it (this is a pain, but workable).

And those aren’t exactly ISPs with a great reputation…

[Edited to remove a paragraph that in retrospect read like an advert for my router.]


#7

Wait… what?

I freely admit I’ve been negligent in home router security, but I’ve replaced a few over the years, and it was always just a question of grabbing some box off the shelf at the local big-box. I don’t recall anyone putting any constraints on which I could use. This would have been with a few different ISPs, too.

Am I missing something? This old-timer does have trouble keeping up sometimes.


#8

As @nodolra points out above your post, the number of equipment vendors shipping MoCA-capable routers that will let you watch Fios TV is very small.

You used to be able to get the old standalone Motorola MoCA bridges from eBay. I did, but the amount of heat generated was frightening - I routinely pick up glowing coals and toss them into the fire, I pull the wire rack out of the toaster oven with my bare finger, but I could not hold the Motorola MoCA bridge comfortably in my hand if it had been plugged in for a day. And I don’t think the old ones ever got past MoCA 1.1 anyway.

Currently I have my Verizon-provided, MoCA-capable, low-quality router’s wireless disabled and antenna removed, and it’s firewalled off of the Internet with another, more secure and capable system masquerading its MAC address. Basically all the craptacular Verizon box does is act as a MoCA bridge and Ethernet hub for the entertainment wall.

If you look at the strategy being pursued by the big connectivity providers, you quickly realize they want all customers to be forced to host one of the ISP’s publicly accessible wireless nodes on the customer’s router, so it’s not surprising they are working towards making it impossible to use your own equipment.


#9

Oh gods. I have regular problems with my internet service and the router they provided, but when it doesn’t work it’s at least their problem. My new Windows desktop stopped being able to access the internet and after a week of troubleshooting and applying potential fixes, I still have no freaking clue why it doesn’t work. The thought of having to also maintain a router just gives me a massive headache.


#10

AT&T UVerse required the use of their (massive) Residential Gateway when I was their customer. I worked around this by turning off their routing features (DMZ Mode) and putting an OpenWRT router next in line. It had a wonderful quirk wherein the DHCP lease between the RG and my router was only for an hour, and my router took actual time to reestablish the lease. This led to my internet dropping every hour on the hour for around a year before I switched to a new ISP which had no issue with me using my own equipment.

I’m now on Google Fiber, which requires me to jump through a few hoops to get my equipment running at top speed, but I’m able to do so fairly easily by using a bespoke pfSense router. I’m in the process of replacing my router-as-AP with a Ubiquiti due to it failing for no explainable reason at least once a day, and not having received an update in nearly two years.

Being your own sysadmin is not my favorite thing. By analogy: I do not enjoy driving, but I enjoy being a passenger even less.

Apropos of nothing, but does anyone know why my pfSense box would be talking to the internet at 1Gb, but to my internal network at only 100Mb? It would be nice to be able to use all of my bandwidth, even if 100Mb has rarely been a bottleneck.


#11

Every router I’ve had from various ISPs has the option to operate in a bridge mode.

The most excellent choice. For those who don’t know pfSense, this is a Unix router OS that will run on your old computers (though you may need to add a network card) which will turn your old PC into a routing powerhouse. It’s secure, stable, extensible, and free. And since it runs on a PC it’s going to have tons more horsepower than any home router. You don’t need to know anything about Unix either. It’s simple to set up and you manage it from your web browser.


#12

I used straight PF and FreeBSD. GUIs are just extra attack surface. :wink:
(I don’t begrudge anyone using pfSense though.)


#13

Could be a bottleneck somewhere on your LAN with an Ethernet link that can only run at 100BASE-T, either due to some Ethernet device not supporting gigabit, or a bad cable?

I believe higher-end home routers will have hardware accelerated routing, whereas a PC with a few network interfaces will always be routing via the CPU, so a PC won’t always perform better. I’m not sure how much of a difference this really makes.


#14

That was my thinking as well. I just need to dedicate the time to troubleshoot this. It plugs directly into my GbE switch, so it should either be the cable or the port, I assume. pfSense is reporting a 100Mb connection, and I’m seeing a max of 11MB/s throughput, which is consistent with that. I’ll try to avoid derailing any further.

For Science!:

Mine is pretty much the one pictured, which they call the Homebrew 2.0.


#15

It depends on what you want to do and what kind of hardware acceleration your home router offers. Using NAT acceleration (a common feature on many Asus and other home routers) and want to inspect every incoming packet? If so, your hardware-accelerated NAT or cut-through forwarding is not going to allow that; QoS is also incompatible with such hardware acceleration, as is PAT.
You also should consider that BSD uses PF (packet filter) and not netfilter (iptables), ipfw or ipfilter like you’ll see on most home routers. PF is faster and more stable than most other offerings, and most of your retired boxes these days are dual-core with more RAM than a router will need, so slowdowns should not be an issue.


#16

Same here, re-purposed an old micro PC with pfSense and have been happy for years.

Had to bodge in a mPCIe LAN card to replace the Wi-Fi card, but it works great :slight_smile:


#17

Check the make and model of the LAN-side NIC? Is it on the pfSense (BSD) supported device list? Most NICs will work, but the driver situation can be a bit buggy for the ones that aren’t on the supported device list.
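The check being discussed in #13, #14 and #17 (a LAN-side link that negotiated 100Mb instead of gigabit) can be scripted rather than eyeballed. The script below is an added example, not something posted in this thread or shipped with pfSense: it parses FreeBSD/pfSense-style `ifconfig` output, reports every interface whose negotiated media is below gigabit, and gives the theoretical MB/s ceiling for a link speed so the observed 11MB/s on a 100Mb link makes sense. The interface names, MAC and IP addresses in the sample are constructed; on a real box you would pipe live `ifconfig` output into the function instead.

```shell
#!/bin/sh
# Added example (not from the thread): find NICs that negotiated below gigabit,
# from ifconfig(8)-style output as printed on FreeBSD/pfSense.

# Constructed sample ifconfig output: two NICs, igb1 stuck at 100baseTX.
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
    ether 00:00:5e:00:53:01
    inet 192.0.2.2 netmask 0xfffffffc broadcast 192.0.2.3
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
    ether 00:00:5e:00:53:02
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000'

# slow_links: read ifconfig-style text on stdin and print "iface media" for
# every interface whose negotiated media is not gigabit or faster.
# The negotiated media is the token inside the parentheses on the "media:" line.
slow_links() {
    awk '
        /^[a-z0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        /media:/ {
            if (match($0, /\([^ )]+/)) {
                media = substr($0, RSTART + 1, RLENGTH - 1)
                if (media !~ /^(1000|2500|5000|10G|25G|40G|100G)/)
                    print iface, media
            }
        }'
}

# expected_mbytes_per_sec: theoretical ceiling in MB/s for a link speed given
# in Mbit/s (divide by 8). A 100 Mbit link therefore tops out near 12 MB/s,
# and framing overhead brings real transfers down to roughly 11 MB/s.
expected_mbytes_per_sec() {
    echo $(( $1 / 8 ))
}

# On a live pfSense/FreeBSD box:  ifconfig | slow_links
printf '%s\n' "$SAMPLE_IFCONFIG" | slow_links
```

If the script names an interface, the next things to check are the ones already suggested in the thread: swap the cable, try another switch port, and confirm the NIC and its driver are on the supported list.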


#18

The other elephant in the room here is that most ISPs won’t let you bring your own router

I almost did a spit take at that. A month ago, our ISP (Optimum/Cablevision) called us about having our old modem replaced, and when we went to exchange it they were really pushing hard their “free” router, despite my having made clear several times that we had no need for it.

I won’t ever be using an ISP-given router, nor wireless, as those run counter to our household sigint policies.

Another thing to keep in mind with regards to using an old “PC” is the vulnerability/performance-hit of that speculative execution bug many are currently discussing. So re-purposing an old PPC/MIPS/ARM/AMD for router/firewall duties should also be an option to consider.


#19

Perhaps I just got stuck on the level 1 idiot perimeter; but when I asked Verizon about “how about we just skip the MoCA nonsense and let me plug my router into the ethernet jack we both know the ONT has?” I got a response somewhere between the one reserved for people who leak state secrets and people who plan their audacious acts of necrophilia in public.

I’m not sure if knowing something about the CPE junction equipment or not wanting an atrocious cable box was considered more transgressive.


#20

Swap out the cable for cat six, and make sure you don’t have any inductive loops in power wires nearby.

I have both the coax and RJ45s on my Verizon ONT lit up. Still need the MoCA bridge anyway, because stupid STB design. I forget the details, unfortunately. :frowning:

This is a metaphor for my whole life.