About my ISP (CHAT/Question)


(Aaron) #1

Can my ISP access openHAB's start page from their end? I know they can scan the network and see what devices are connected, so they can probably scan ports and connect, or would that be blocked by the router?

When I have had problems and phoned them, they always question me about the devices connected to the network, e.g. I have a WiFi access point that looks like a repeater on the network. They always say repeaters are bad; I always say it's in AP mode, so I know they can scan the internal network.

They normally ask about other devices on the network too.


(Elias H.) #2

What the …?
Are you located in the EU? (DSGVO)

Well okay… in the normal case you have not forwarded the openHAB ports to the WAN interface, so no.
But since they can SCAN YOUR ENTIRE NETWORK (which is really questionable…) I would throw out this router and stay away from that ISP :rofl:

EDIT:
Well, if the router sends reports, those reports might include things like ARP tables and so on; that would explain why they know about your internal network.


(Aaron) #3

Yep UK

No, I have not forwarded any ports on my router, but they definitely have remote access to the router too, to change settings or push an update, so they could forward any port they wanted.

This is not an old report; they must ask for a current report. They list the devices over the phone that are currently connected, and not a single one that's disconnected. It gives me chills every time.

The ISP in question is Virgin Media, a major player in the ISP world in the UK.

Other experiences with this ISP

They set up a free open WiFi program for Virgin customers. They achieved this by broadcasting a second SSID from your home router for use by the public. It was rolled out, and now many homes are broadcasting a second SSID. It's supposed to be separate with VLANs etc., but how can you really trust this? This program was opt-out; many people will not know they are broadcasting this SSID. I found out myself and questioned them on this: I saw a second SSID when analysing WiFi channels and SSIDs around me.

Another bad experience.

One time I was on the phone having slow speeds (SNR problem). They refused to help until I let them remote desktop connect to one of my computers. They made me install a stupid program and RDP in to run their own speed test; they just don't believe me over the phone. The Internet suggests this is common.

Anyway.

I'm planning on putting the router into modem mode soon and installing a pfSense router, as
I'm having network problems, maybe due to the current router. This will stop them from doing anything like this.


(Elias H.) #4

A good idea, my network looks like this.
WAN <=> pfSense <=> Router <=> VLAN1,2,3,4

ps:
meme brain like… virgin media vs chad media


(anonymous.one) #5

Something to consider if they have the ability to remote admin the device, how can you prevent them from changing it from bridge mode back to router mode?

It is entirely possible to run two routers, just treat the segment between the two routers like a DMZ. I have an Untangle VM setup for this and have different subnets in play to avoid routing issues (Untangle was selected due to an easy way to block Internet resources if others within my household need to be punished/grounded).


(Elias H.) #6

Find a way to block them out. I would monitor the network traffic the next time some support fool is trying to help and then figure out which connection they use.
(or maybe dig into the setting and find the remote support option?)
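What "monitor the network traffic" from the reply above can look like in practice, as an added example that is not from the thread: a Python script that reads NEW-connection records and flags the two things this thread worries about, the gateway itself opening connections to LAN hosts (what a device scan from the ISP side looks like from inside) and an outside host reaching the gateway's remote-management port. The record shape is a constructed conntrack-style line, the addresses are constructed, and 8443 is the port a later reply in this thread names for the Super Hub's remote access. One caveat: a capture taken on the LAN side only shows the gateway's LAN-facing activity, so the management-port check needs the gateway's own connection log or a capture in front of it.

```python
"""Flag ISP-side activity in NEW-connection records (added example, not the
thread's own tooling). Assumed record shape, conntrack-like:
    <time> NEW <proto> <src>:<sport> -> <dst>:<dport>
"""
import ipaddress
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+NEW\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: a few normal LAN->Internet flows, one DHCP reply, the
# gateway probing three LAN hosts on several ports, and one outside host
# hitting the gateway's remote-management port. Not real ISP traffic.
SAMPLE_FLOWS = """
12:00:01 NEW tcp 192.168.0.20:51000 -> 203.0.113.10:443
12:00:02 NEW udp 192.168.0.1:67 -> 192.168.0.21:68
12:00:05 NEW tcp 192.168.0.1:40000 -> 192.168.0.20:22
12:00:05 NEW tcp 192.168.0.1:40001 -> 192.168.0.20:80
12:00:05 NEW tcp 192.168.0.1:40002 -> 192.168.0.20:8080
12:00:05 NEW tcp 192.168.0.1:40003 -> 192.168.0.21:22
12:00:05 NEW tcp 192.168.0.1:40004 -> 192.168.0.21:8080
12:00:06 NEW tcp 192.168.0.1:40005 -> 192.168.0.22:8080
12:00:09 NEW tcp 198.51.100.7:55123 -> 192.168.0.1:8443
12:00:10 NEW tcp 192.168.0.22:51001 -> 203.0.113.11:80
this line is not a flow record and is skipped
"""


def parse_flows(lines):
    """Yield one dict per line that matches FLOW_RE; anything else is ignored."""
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {"ts": d["ts"], "proto": d["proto"],
               "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
               "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"])}


def analyse(lines, gateway, lan, mgmt_port=8443, scan_threshold=5,
            benign_gateway_ports=frozenset({("udp", 68)})):
    """Return findings: gateway-initiated flows into the LAN, outside hosts
    reaching the gateway's management port, and per-source scan counts."""
    gw = ipaddress.ip_address(gateway)
    lan_net = ipaddress.ip_network(lan)
    findings = {"gateway_to_lan": [], "outside_to_mgmt": [], "scanners": {}}
    probed = defaultdict(set)  # source -> distinct (host, port) pairs it opened
    for f in parse_flows(lines):
        outside = f["src"] not in lan_net and not f["src"].is_loopback
        if f["src"] == gw and f["dst"] in lan_net:
            if (f["proto"], f["dport"]) in benign_gateway_ports:
                continue  # DHCP offers/acks are the gateway's normal job
            findings["gateway_to_lan"].append(f)
            probed[f["src"]].add((f["dst"], f["dport"]))
        elif outside and f["dst"] == gw and f["dport"] == mgmt_port:
            findings["outside_to_mgmt"].append(f)
    for src, targets in probed.items():
        if len(targets) >= scan_threshold:
            findings["scanners"][str(src)] = len(targets)
    return findings


def report(findings):
    """Human-readable lines, one per finding."""
    lines = []
    for f in findings["gateway_to_lan"]:
        lines.append(f'{f["ts"]} gateway opened {f["proto"]} to {f["dst"]}:{f["dport"]}')
    for f in findings["outside_to_mgmt"]:
        lines.append(f'{f["ts"]} outside host {f["src"]} reached management port {f["dport"]}')
    for src, n in findings["scanners"].items():
        lines.append(f"{src} touched {n} distinct host:port pairs: looks like a scan")
    return lines


if __name__ == "__main__":
    for line in report(analyse(SAMPLE_FLOWS.splitlines(), "192.168.0.1", "192.168.0.0/24")):
        print(line)
```

On the constructed sample the gateway shows up as the source of six connection attempts across three hosts, which crosses the scan threshold, while the single DHCP reply is ignored; the threshold and the benign-port list are the two knobs to tune against what your own gateway normally does.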


(anonymous.one) #7

I can't speak for all ISPs; in my case I have a cable modem and some parts are modified upon modem provisioning. Putting another layer 3 device in place is the easiest (imo) way to keep them off your internal LAN.


(Rich Koshak) #8

Well, since they can remote into your gateway router, they have full access to the entire network of devices that are connected to that gateway router. I refuse to run the ISP provided modem/router for this very reason, not to mention they charge $13 a month for the privilege of letting them spy on you. And unlike most of you guys in Europe, I have a grand total of one choice in broadband ISPs and I'm a few blocks away from not having even that one (gotta love the broadband situation in the US).

I'll second your idea and everyone's recommendations. Treat the ISP router/gateway as "outside" your LAN and put a good firewall (Untangle, pfSense, OPNsense, a DD-WRT wireless gateway, even just a good off-the-shelf wireless router would work) between it and your LAN. Then get an off-the-shelf wireless gateway in AP mode hanging off of that. The firewall will give you control over what your ISP can see and do on your LAN. The ISP will essentially only see your firewall. Everything else will be hidden from them unless you configure your firewall to expose it. And even then, the ISP will only see that one device.

Of course, if you run that RDP program again it will bypass all that since it is your computer initiating the connection. Unless you block the ISP’s addresses the firewall won’t stop that. But of course, they may refuse to help you if you refuse to do that.


(Aaron) #9

It wouldn't matter, as they would only see the pfSense router/firewall.

So in your opinion they could access any web service hosted that's not password protected? This is quite scary, considering the amount of information available on openHAB UIs: it knows my address and if I'm home etc. They could change the state of some important things…

If this happened, wouldn't the ISP have unlawfully accessed my computer systems?

I don't think we pay a rental fee, not sure.


(Rich Koshak) #10

If they have access to your gateway then they have access to anything that is connected to that gateway.

I don’t think there is much risk that your ISP will compromise you in this way. But, if they happen to have a disgruntled employee or a third party manages to hack into that connection then you might be in trouble. These individuals are not going to care that it’s against the law.

In this case though it really doesn't take that much to protect you. An off-the-shelf wireless gateway with the default configuration between your ISP supplied gateway and your LAN would be adequate and probably cheapest. But if you were to get one that can run DD-WRT or Tomato or one of the other open source gateway firmwares, or put a machine running pfSense et al. between your LAN and the ISP's gateway, then you have a lot more control and have access to a lot more features like network-wide ad blockers, VPN servers so you can access your LAN remotely and securely, parental controls, etc.

I personally run pfSense and am very happy with it. I looked into Untangle and was impressed with it as well. Before that I ran DD-WRT on a Netgear Nighthawk R7000 (I still do, but it's just a dumb AP now).
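A concrete form of the layout Rich describes in #8 and #10 (the ISP gateway treated as outside, your own firewall between it and the LAN, with different subnets on each side as #5 and #7 recommend), as an added example that is not the thread's own configuration and not a pfSense or Untangle export: a small Python helper that checks the two subnets do not overlap and emits an nftables ruleset for a Linux box used as the inner router. The interface names (eth0 toward the ISP gateway, eth1 toward the LAN), the subnets, the gateway address and the `block_egress` list are all assumptions; the thread does not say which addresses the ISP's support tools use, so whatever you put in `block_egress` has to come from your own observation.

```python
"""Inner-router firewall for a double-router home network (added example, not
from the thread). The ISP-managed gateway keeps its own LAN (isp_side); this
box sits on that segment with one interface and owns the real LAN behind a
second one. Interface names, subnets, gateway address and the egress block
list are assumptions chosen for illustration.
"""
import ipaddress


def check_subnets(isp_side, lan):
    """The segment between the two routers and the inner LAN must be different
    subnets, or the inner router cannot route between them."""
    outer = ipaddress.ip_network(isp_side)
    inner = ipaddress.ip_network(lan)
    if outer.overlaps(inner):
        raise ValueError(f"{outer} overlaps {inner}: renumber the inner LAN")
    return outer, inner


def nft_ruleset(wan_if="eth0", lan_if="eth1", isp_side="192.168.0.0/24",
                gateway="192.168.0.1", lan="10.10.0.0/24", block_egress=()):
    """Return an nftables ruleset (text for `nft -f`) for the inner router.

    wan_if faces the ISP gateway, lan_if faces the hidden LAN. block_egress
    lists destinations LAN hosts may never connect to, for the case Rich
    raises: a support tool started from inside the LAN still reaches the ISP
    unless the firewall refuses that destination. Addresses are assumptions.
    """
    outer, inner = check_subnets(isp_side, lan)
    gw = ipaddress.ip_address(gateway)
    if gw not in outer:
        raise ValueError(f"gateway {gw} is not inside {outer}")
    egress_rules = "".join(
        f'        iifname "{lan_if}" ip daddr {ipaddress.ip_network(n)} counter drop\n'
        for n in block_egress)
    return f"""#!/usr/sbin/nft -f
flush ruleset

table inet inner_fw {{
    chain input {{
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # DHCP replies for this box's own lease from the ISP gateway {gw}
        iifname "{wan_if}" udp sport 67 udp dport 68 accept
        # This box is administered and used (DNS, DHCP) only from the LAN side
        iifname "{lan_if}" ip saddr {inner} tcp dport {{ 22, 443 }} accept
        iifname "{lan_if}" ip saddr {inner} meta l4proto {{ tcp, udp }} th dport 53 accept
        iifname "{lan_if}" udp dport 67 accept
        # Anything else from the ISP side, scans from the gateway included, dies here
        iifname "{wan_if}" counter drop
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # The gateway and anything else on {outer} never reaches the LAN
        iifname "{wan_if}" oifname "{lan_if}" counter drop
{egress_rules}        iifname "{lan_if}" ip saddr {inner} oifname "{wan_if}" accept
    }}
}}

table ip inner_nat {{
    chain postrouting {{
        type nat hook postrouting priority 100;
        # Second NAT layer: the ISP gateway only ever sees this box's address
        oifname "{wan_if}" ip saddr {inner} masquerade
    }}
}}
"""


if __name__ == "__main__":
    print(nft_ruleset(block_egress=("203.0.113.0/24",)))
```

With the input policy set to drop on the ISP-facing interface, a device scan from the gateway reaches exactly one address that answers nothing, and the forward chain guarantees nothing on the gateway's segment is routed into the LAN. This is double NAT, so outbound traffic works unchanged but any service you want reachable from the Internet needs a forward on both routers. As #5 points out, this layout does not depend on the gateway staying in modem mode, so the ISP flipping it back to router mode changes nothing for the LAN.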


(Aaron) #11

I have wanted to add a pfSense machine for a long time. I have been thinking of running a virtual instance, as I said in other posts before.

I do actually have this wired with extra NICs in my VM server etc.; it's just turning it on and configuring it.

It just worries me; it's a big job that will completely destroy my network and smart home.

I'm after some of the decent features pfSense offers like packet analysis, traffic shaping, parental controls etc., and some nice graphs showing info about my network.


(Rich Koshak) #12

That’s what I did at first. But I ran into a chicken and egg problem.

I run everything on an ESXi machine and that machine has three NICs. So I created a pfSense VM and plugged the cable modem into one NIC, and plugged my wireless AP into another one. Then I ran a wire back from the AP to the third NIC, which was allocated to the physical host.

I hope you see the problem. In order to access ESXi to administer my VMs I need to go from machine -> AP -> host N2 -> pfSense -> host N2 -> AP -> host N3

What happens if I need to shut down pfSense to, for example, give it more memory? No access to the ESXi. No access to anything on my network. There may be a way to set this up as a VM safely, but after scrambling, and thanking the computer gods that I had managed to configure the pfSense VM to automatically boot when the host comes back up, I decided it wasn't worth it. So I got one of those small computers with four NICs built in (with support for hardware AES), and now access to my ESXi doesn't depend on a VM running on the ESXi.

I suppose the proper way would be to set this up with a separate management network but I didn’t do that and am not sure if I had enough hardware to do so.


(Aaron) #13

That's what I was going to do: one NIC connected to the actual Hyper-V server (management).

The pfSense VM has two NICs: one for the modem WAN and another connected to a vSwitch for the LAN, with the vSwitch connected to a physical switch with everything else connected, and access points connected there.

Other VMs share the LAN vSwitch.

pfSense configured to autostart.


(anonymous.one) #14

I have my equipment setup with a VLAN for the network equipment to sit in (router, layer 3 switch), one for end clients, another for systems, and a final one for ESXi. Last one I believe is over kill, I think at the time of setting it up I wanted to provide myself a way to prevent access to the admin interfaces unless from a defined location.

I have the switch ports set to dot1q (Cisco terminology, I believe its 802.1q officially) to the ESX systems providing me the ability to set the Untangle system up with a NIC in the network equipment VLAN and treat things as if they came from the Internet.
Word to the wise: it does require a lot of thinking when it comes to setting up a port forward for something you want to access remotely. It also adds some complexity to setting up a remote access solution (OpenVPN), as you have to port forward to the VM and then push the correct routing statements back to the client, and also ensure your equipment knows how to route to the remote access system.

Should also mention it is a very very (VERY) good idea to set up a backup gateway for when the VM isn't running, or you will have some super grumpy people in the household who want to use the Internet and can't reach it due to a VM not running.

I also threw up a Pi-hole VM a few months back; that has been a very helpful piece of software. The first few days are painful depending on what block lists you put in place.


(Rich Koshak) #15

When running pfSense one can install the pfBlockerNG extension to do pretty much the same thing.


(Ben Clark) #16

Remote access on the Super Hub (at least the 2) is disabled by default and happens on port 8443. Has this been enabled on your router by accident or at some point in the past? You should be able to change these settings yourself.

I too am using Virgin Media, but I have seen nothing to make me distrust them.


(Elias H.) #17

I talked with my data protection commissioner about this topic.
He told me because of the GDPR your ISP needs your personal consent.

They need to explain:

  • How they do it
  • Why they do it
  • Which data they use
  • What they use the data for

They will try the easy way out and tell everyone they do not store or work with personal data.
But the second you send an e-mail which is not encrypted they do work with personal data. (Just think about normal traffic and personal data.)
The GDPR is a very VERY complex topic.


(Aaron) #18

I will look at my router shortly. It's the SH3, but when I have problems they have the ability to reboot the router, and they say "let me just change some settings", so it must be enabled or they have a side entrance.


(Aaron) #19

What APs do you use? I need to upgrade mine now that I have lost the ISP router's WiFi APs, but I don't want to break the bank; the cheaper the better here unless needed.

I have set up pfSense :wink: That's why I'm looking for better access points. I'm assuming, being into the smart home stuff, it's better to have more APs/more aerials than faster APs with fewer aerials, as smart home devices don't need speed.

I’m having WiFi lockup problems that are driving me crazy


(Rich Koshak) #20

Sorry for the tardy reply. I was on vacation and away from the Internet the full time.

I have a Netgear Nighthawk R7000. It has a lot of support in the DD-WRT community and it's a pretty powerful machine. I run DD-WRT on it, but the stock firmware is pretty good as well. If you plan on running it just as an AP I see no reason why one would need to flash DD-WRT onto it. But at this point it's getting a little old; I think it came out over 6 years ago. That could be good news, as you ought to be able to find it relatively cheaply. It supports 802.11ac and is dual band. Except for its age, I do not hesitate to recommend it.

Not necessarily. There are only so many bands available in WiFi and your separate APs can interfere with each other. I would recommend one powerful AP that can cover the whole house, or if that isn't possible use a WiFi mesh like Ubiquiti.

The R7000 covers my house pretty well. Not so much outside the house, but inside I have full coverage from the top floor to the basement good enough to stream high def video. I don’t even manually segregate the bands. I set them up with the same SSID and password and the devices will choose the 5 or 2.5 bands based on which one works best for them at the time.