Sunday, November 10, 2013

Using a DD-WRT Compatible Router to Stop ISPs from Accessing Your LAN

Introduction

A couple of months ago I called our ISP's customer support line as our speeds dropped significantly. This happened overnight, with no warning, or any apparent reason (change of hardware, software, or even our internet usage habits). Furthermore, this was not the first time it happened - in the last few years it has happened about once a year at random intervals. Every time I called them they mumbled something on the phone, did not accept responsibility for the speed loss, but they agreed to send a technician to our apartment to "check the line" within a day or two. Interestingly, about one hour before the technician arrived our internet speeds were back to the usual, and the technician did not find any problem in the telephone line. Every single time! What a coincidence!

This is not what I wanted to discuss here, but I think it adds to the story of ISPs vs. home users.

On to the conversation with the support personnel

During the conversation I was told that I could choose to follow the steps to make changes in the modem configuration (to test some of the support personnel's ideas - again, it would be a full story discussing those ideas...) or she can make those changes for me. In my modem! With remote management set to off!!! WTF!!! At this point I was very pissed off surprised.

Remote management is quite disabled

The rest of the conversation was not interesting nor productive, it went like previous times I described above.

The problem

One might say "What's the big deal? She just wanted to help you!". Well, I am of a somewhat different opinion:
If somebody can make changes on my modem/router remotely and without my consent (let alone without my knowledge) it means that they can also create settings that allows them to bypass the modem and access my internal network. I cannot rely on their good intentions that they won't. Also, who is to say that my ISP is the only one who has full administrative privileges over my modem?

This issue has two sides:
  1. The modem (Intracom's Netfaster IAD 2), obviously, doesn't work properly, a poorly designed one where security is a joke, not a feature. If it is designed to help ISPs like this - even worse.
  2. The ISP gives these modems to customers while they are aware of this security issue. Customers are not told about this "feature" when they get this modem/router from the ISP for free.

Solution

After the above conversation I decided that I have to put an end to this. The solution is simple: the modem must be ditched and replaced by another one, a trusted one. While doing some research on the internet finding a suitable modem I came across the dd-wrt site. In a nutshell, it's an open source firmware replacement for a variety of router models. A quote from their web site:
DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems. The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.
I realize that no solution is bug free or perfect, I just trust an open source solution that has been available for public scrutiny for years more than one that the public knows very little or nothing about.
So, for this reason I decided to give dd-wrt a go.

Implementation

I did a lot of research on dd-wrt's wiki and router database as well as on the offers on eBay to find a good solution. At the end I decided to get a D-link DIR-615 Wireless N300 router. This router does not have modem functionality, but I decided I wouldn't mind it too much as from now on I don't care if someone can access it from the internet: for all intents and purposes the Netfaster IAD 2 modem/router IS the internet from my point of view. At least the next time the ISP tries to do something on my modem they won't notice a thing (apart from not being able to make their way into my LAN).

One of the reasons I got the DIR-615 is that it's very simple to load with the dd-wrt firmware: Just download the appropriate firmware and you can simply upload it through the modems web interface.
There are only two things to be careful with:
  1. Double, triple, quadruple check if you download the correct firmware for your modem. It's not enough to select the right model number (DIR-615) you also have to make sure the new firmware is intended to be used with the hardware revision of your device. Using an incorrect firmware may render your modem useless.
  2. Use a desktop computer with a UPS so that you won't have a power break while you are uploading the new firmware to your router. Losing power during the update will most probably render your modem dead.
After a hard reset and a reboot the router was ready to go with its shiny new firmware.

Hardware setup

The logical arrangement of my setup is the following:

Internet - ISP - Netfaster IAD 2 - D-link DIR-615 - (W)LAN

I used color coding to demonstrate different levels of security on the network, from my point of view:

  • RED: internet,  "anything goes" zone, trust no-one here.
  • ORANGE: ISP's domain, we don't know what's going on here, so it's best to treat as the RED zone.
  • GREEN: this part is under my direct and full control. No solution is 100% safe but for an average home user this should be enough.
The above leads to the following hardware topology:
  1. The PSTN line goes directly to the Netfaster IAD 2 modem/router's WAN input.
  2. One of the LAN ports of the Netfaster IAD 2 modem/router is connected with a standard Ethernet cable to the WAN port of the DIR-615.
  3. Client computers/phones/other devices can connect directly to the LAN ports of the DIR-615, or to its wireless LAN.

Minimum configuration on the modem and the router

Configuring the Netfaster IAD 2 (or any other, not trusted) modem/router is the easier part as we don't want it to do anything but let network traffic through to the DIR-615.
  1. I would recommend to reset the modem/router to its factory defaults, so that in case the ISP resets it for whatever reason (yes, it has happened several times to our modem, too) there is only a minimal number of steps to repeat.
  2. Create a DMZ. (This setting is available on most modem/routers, but under a different name. Usually it's somewhere around the firewall features.) DMZ provides unrestricted access through a modem/router between the WAN and LAN. The endpoint of the DMZ is always a client on the LAN end of the modem/router. Pick the IP address you specify as the WAN address in the dd-wrt configuration step. In my example, this IP address is 192.168.2.2. Save your settings.
  3. I also recommend to switch off the wireless radio of this modem/router. It saves a bit of power and we don't want to use it anyway as it is not safe. This stands for any other features the modem/router has, like USB storage, VPN, etc.
The modem is now ready, let's move onto the router that we can actually control:

I am not giving a general guide for all the features/functions of dd-wrt, as everyone's needs are different. I am only showing the bare minimum.

The below steps assume you have successfully flashed your router with dd-wrt, did a hard reset and entered successfully the web user interface. If you haven't got this far, refer to the dd-wrt forums or wiki for further information. You can also ask me questions, but I'm not a dd-wrt guru, I will most probably send you to the forums :)
  1. In Setup -> Basic Setup -> WAN Setup -> WAN Connection Type select Static IP then fill out the below fields as appropriate on your network. In my example, the IP address is 192.168.1.1. For static DNS server you can put in the LAN IP address of your modem/router (in my case 192.168.2.1) or you can use the one(s) your ISP provides. 
  2. Click Save, then Apply settings.
Done and dusted! Of course, you can go on and use many more of the features of the router, but at this stage you should have a working setup that is (reasonably) protected from your ISP.