• ShankShill@sh.itjust.works · 12 upvotes · 1 day ago

    I was pumped to finally get decent Internet in the US, until I saw my ISP’s router appears as a device on the LAN. Luckily I’m savvy enough to put the whole local network behind a firewall on a different subnet, since there’s no other way of fixing this.

    • youmaynotknow@lemmy.zip · 13 upvotes · edited · 1 day ago

      It’s not just US ISPs, this is worldwide behavior. Good on you to put a firewall between your network and your ISP’s gateway.

      I don’t know if you went further than that, but in my case, once I had my OPNSense deployed, I went ahead and disabled all the radios of the ISP’s ONT gateway, changed its DNS server to Mullvad, and only left 1 LAN IP address to the OPNSense.

      If you are aware of more things that can be done to give the ISP modem even less room to move around inside, I would appreciate you sharing it as well.

      I wish more people would take the time to learn a bit about securing their home networks. What I do is that I offer my knowledge for free to neighbors, friends and family. Some actually want it and act on it, but the sad truth is that the vast majority still has this ‘I have nothing to hide’ mentality, and I’m not explaining how much marketing BS that is to them for the 100th time.

      • Hathaway@lemmy.zip · 4 upvotes · edited · 23 hours ago

        As someone with a basic background in IT, nothing advanced, but enough to be the “family tech guy”, I just bought my router (mesh network). What can I do? Where do I start? I think I may have messed up with my brand choice, being EERO, as they seem to have things locked into their proprietary app. I was sorta desperate for a quick fix at the time, didn’t do the due diligence I should have.

        Edit: preemptive thank you if you take the time to reply. As I am not “friends or family to you”. I do appreciate the expertise!

        • youmaynotknow@lemmy.zip · 2 upvotes · 22 hours ago

          In all honesty, even that is an improvement. You’re effectively segregating the access to your data already. I also started with Eero because I didn’t know better. Since you already invested in Amazon’s devices, I would start by putting your devices and those of your family (computers, phones, game consoles and media devices) in the main network, and if you have IoT devices, put those in the guest network. That way the insecure IoT devices are segregated from your data. If you don’t have IoT devices at home (smart cameras, robot vacuums, light switches and such), then I would move the media devices to the guest network.

          After that, I would suggest you start, at your own pace, slowly, researching moving to infrastructures that will give you more control. But again, slowly. Don’t make the mistake I made of doing it all at once, which led me to making too many mistakes like buying stuff only to find something better 2 days later. I even made the mistake of getting a full unifi infrastructure, and while it’s a huge improvement in terms of segregation control, it lacks too many features and is, for all intents and purposes, yet another US tech company, so I can’t trust them.

          Do some research on OPNSense (some people would point you to PFSense, which is also better than closed source stuff) and then start looking into more open access points like Grandstream or similar if you want vlan tagging.

          The possibilities are endless, but fair warning, this turns into a rabbit hole real fast. Once you’re here you’ll be wanting to add adguard home or pihole, then you’ll be looking at self-hosting everything (still looking into self-hosting our fridge 🤣).

          But don’t fret, you’re at a good start, and there is no rush. You’ll see that, if you start by asking here in Lemmy, maybe also in Mastodon and some forums dedicated to this workflow, you’ll find the path that best adheres to your specific needs. As long as you don’t allow the pressure of getting it done get to you (good luck with that, as I think that’s the toughest battle) you can do this one step at a time. For example, you can start at the root by researching open source router OSs (OpenWRT, OPNSense, PFSense, IPFire, etc.), and once you find the one you’re comfortable with, you can deploy it between your ISP’s modem and your Eeros to start. That’s a huge step up, and probably will take you about 60 - 75% to where you need to be in terms of control of your networks.

          Come and ask in Lemmy. Yes, you will have to face some assholes, but most of the folks here are passionate about these topics and are happy to help bring in more to the community.

          • Hathaway@lemmy.zip · 2 upvotes · 17 hours ago

            Thank you so much for this write up! I may PM you if I come across questions, if that’s okay. It’ll be likely down the line though, have a few things to sort out before going back into my network.

            • youmaynotknow@lemmy.zip · 2 upvotes · 15 hours ago

              By all means. I enjoy helping in what I can to make more people take back control. And if I already messed up spectacularly, I see no reason to see others go through that as well if they can learn from my mistakes.

        • oozynozh@sh.itjust.works · 2 upvotes · 23 hours ago

          I’m sure that’s a fine setup for the average home user, but devices that use proprietary firmware like that aren’t conducive to a security-first design where you hold all the keys. Because it’s designed to be secure, even from you, it always has an asterisk on it (network is secure* according to eero). That, and you have no way of verifying what data it’s phoning home (and a lot of devices soft brick themselves if you cut their connection to the cloud).

          The most useful advice I can generally offer is to add a proper network security device running pfSense or OpenWRT to seize some control over internet access and DNS resolution, and to implement VLAN segmentation to keep trusted devices secure from trusted* and untrusted devices.

          • youmaynotknow@lemmy.zip · 3 upvotes · 22 hours ago

            Yeah, you’re absolutely correct here. But him having already made the investment and removing some of the control over his network from his ISP is a step in the right direction. It should also be noted that, for someone that does not have the knowledge yet, one step at a time is the sanest path, and I say this from my own experience. I went all in, and that led me to making many mistakes.

            As you say, adding something like OPNSense or OpenWRT between the Eeros and the ISP modem is the next logical step. Then, getting a switch (or some switches depending on his needs) and SSID/VLAN-taggable APs to replace the Eeros. After that, it’s time to have 7 or more local networks in the house 🤣. It can get wild, and it’s so much fun. The feeling of empowerment this provides is second to none.

      • AlfredoJohn@sh.itjust.works · 3 upvotes · 23 hours ago

        Just adding: if you have any resources about how to go about this I would more than appreciate any nuggets you can share. I have some networking background from college but it’s been about a decade since I used any of it, so any help to point me in the right direction of hardening my network like this would be extremely appreciated. Thanks!

        • youmaynotknow@lemmy.zip · 1 upvote · 22 hours ago

          By all means man. Full disclosure, what I suggest is because it worked for me, so it’s always wise to research based on anyone’s suggestions and then choose the path that would work best for your intentions. In my case, I have a VLAN for my kids because their access goes away every night at 8pm on weekdays, for example. My wife has her own VLAN because there’s some stuff I have blocked that she wants access to. Then I have a media VLAN for gaming consoles and streaming devices, IoT is separate, CCTV in its own VLAN, etc. If you scroll up a bit, you’ll find another reply I just added. If you can tell us what you’re looking to achieve, and what infrastructure you currently run, I know some of us will love to suggest options to point you in the right direction.

          On a separate note, I still want someone to tell me if there’s anything else I can do on my ONT modem to harden it even more.
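          As an added example (not code from any poster in this thread), here is a small Python model of the layout described above: one VLAN per role, a kids VLAN that loses Internet on weekday evenings, CCTV kept off the Internet, DNS forced through the firewall’s own resolver, and the ISP gateway’s side of the link treated as untrusted, as in the earlier posts about putting the whole LAN behind a firewall on its own subnet. It both decides what happens to a new flow and renders the same policy as an nftables ruleset (what OpenWrt’s fw4 and any plain Linux router load; OPNsense and pfSense express the same rules through their own UI). Interface names, VLAN ids, subnets, the resolver address and the curfew hours are assumptions made up for the illustration.

```python
"""Policy model for a VLAN-segmented home network behind an ISP gateway.
Constructed example: interface names, VLAN ids, subnets, resolver address and
curfew window are assumptions for illustration only, not anyone's real network."""
from datetime import datetime
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

WAN_IF = "igc0"                             # assumed: faces the ISP gateway's LAN side
ISP_GW_NET = ip_network("192.168.1.0/24")   # assumed: the ISP gateway's own subnet
LOCAL_DNS = "10.0.10.1"                     # assumed: resolver running on the firewall

# VLAN name -> (802.1Q id, subnet), laid out like the segments named in the thread.
VLANS: Dict[str, Tuple[int, IPv4Network]] = {
    "trusted": (10, ip_network("10.0.10.0/24")),
    "kids":    (20, ip_network("10.0.20.0/24")),
    "media":   (30, ip_network("10.0.30.0/24")),
    "iot":     (40, ip_network("10.0.40.0/24")),
    "cctv":    (50, ip_network("10.0.50.0/24")),
}
# Which VLAN may *initiate* connections into which other VLAN; replies ride on
# conntrack state and everything not listed here is dropped.
INTER_VLAN: Set[Tuple[str, str]] = {
    ("trusted", "media"), ("trusted", "iot"), ("trusted", "cctv"), ("kids", "media"),
}
INTERNET: Set[str] = {"trusted", "kids", "media", "iot"}   # cctv never reaches the Internet
WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday")
MONDAY_NIGHT = datetime(2024, 1, 8, 21, 0)      # constructed timestamps for the demo
SATURDAY_NIGHT = datetime(2024, 1, 6, 21, 0)


def vlan_of(ip: str) -> Optional[str]:
    """Name of the VLAN owning this address, or None (Internet or ISP gateway side)."""
    addr = ip_address(ip)
    for name, (_, net) in VLANS.items():
        if addr in net:
            return name
    return None


def kids_curfew(when: datetime) -> bool:
    """Assumed curfew: Monday to Friday, 20:00 until 07:00, no Internet for the kids VLAN."""
    return when.weekday() < 5 and (when.hour >= 20 or when.hour < 7)


def decide(src: str, dst: str, proto: str, dport: int, when: datetime) -> str:
    """What the firewall does with a new flow: 'accept', 'drop' or 'redirect-dns'."""
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan is None:          # nothing on the WAN side, ISP gateway included, initiates inward
        return "drop"
    if proto in ("tcp", "udp") and dport == 53:   # hard-coded resolvers are hijacked to ours
        return "accept" if dst == LOCAL_DNS else "redirect-dns"
    if dst_vlan is not None:      # same VLAN is switched, not routed; other VLANs need an allow entry
        return "accept" if src_vlan == dst_vlan or (src_vlan, dst_vlan) in INTER_VLAN else "drop"
    if ip_address(dst) in ISP_GW_NET:   # only the trusted VLAN may reach the ISP gateway's admin UI
        return "accept" if src_vlan == "trusted" else "drop"
    if src_vlan not in INTERNET or (src_vlan == "kids" and kids_curfew(when)):
        return "drop"
    return "accept"


def render_nft() -> str:
    """Render the same policy as an nftables ruleset, in the order decide() evaluates it."""
    ifs = {name: f"vlan{vid}" for name, (vid, _) in VLANS.items()}
    vlan_set = "{ " + ", ".join(f'"{i}"' for i in ifs.values()) + " }"
    days = "{ " + ", ".join(f'"{d}"' for d in WEEKDAYS) + " }"
    dns = "meta l4proto { tcp, udp } th dport 53"
    out = [
        "table inet home {",
        "  chain input {",
        "    type filter hook input priority filter; policy drop;",
        "    ct state established,related accept",
        '    iifname "lo" accept',
        f"    iifname {vlan_set} {dns} accept",
        "  }",
        "  chain dns_redirect {",
        "    type nat hook prerouting priority dstnat; policy accept;",
        f"    iifname {vlan_set} ip daddr != {LOCAL_DNS} {dns} dnat ip to {LOCAL_DNS}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority filter; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    iifname "{WAN_IF}" drop',      # the ISP gateway cannot see or reach anything inside
    ]
    out += [f'    iifname "{ifs[s]}" oifname "{ifs[d]}" accept' for s, d in sorted(INTER_VLAN)]
    out.append(f'    oifname "{WAN_IF}" ip daddr {ISP_GW_NET} iifname != "{ifs["trusted"]}" drop')
    out += [f'    iifname "{ifs["kids"]}" oifname "{WAN_IF}" meta day {days} meta hour {h} drop'
            for h in ('"20:00"-"23:59"', '"00:00"-"06:59"')]
    out += [f'    iifname "{ifs[n]}" oifname "{WAN_IF}" accept' for n in sorted(INTERNET)]
    out += ["  }", "  chain postrouting {",
            "    type nat hook postrouting priority srcnat; policy accept;",
            f'    oifname "{WAN_IF}" masquerade', "  }", "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for flow in (("10.0.40.7", "10.0.10.5", "tcp", 445), ("10.0.40.7", "8.8.8.8", "udp", 53),
                 ("10.0.20.9", "93.184.216.34", "tcp", 443), ("192.168.1.1", "10.0.10.5", "tcp", 80)):
        print(flow, "->", decide(*flow, MONDAY_NIGHT))
    print(render_nft())
```

          Run it to see the decisions for the constructed flows and the generated ruleset; check the ruleset with `nft -c -f` before loading it on a real router. Two caveats a practitioner would add: the port 53 redirect only catches plain DNS, so a device that speaks DNS over HTTPS or TLS to its vendor still bypasses the local resolver unless those destinations are blocked separately, and the `iifname "igc0" drop` line is what makes the ISP gateway blind to the LAN behind it (the double-NAT setup that made the support call in the thread so confusing).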

    • lightnsfw@reddthat.com · 5 upvotes · 22 hours ago

      Same. My housemates called the ISP for support once when they couldn’t wait literally 15 minutes for me to check out why their Internet was down (router just needed a restart), and the first thing out of the ISP dude’s mouth was “with the way your network is configured I can’t see anything on your side” (which yeah, that’s the fucking point). He was in the middle of walking them through resetting the ISP router back to defaults when I arrived and put a stop to it. Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.

      • the_crotch@sh.itjust.works · 3 upvotes · 20 hours ago

        Why the fact that he was able to connect to their endpoint wasn’t sufficient to indicate to them that the Internet connection was not the issue I do not know.

        L1 isn’t there to think, they’re there to read from their script.

        • lightnsfw@reddthat.com · 2 upvotes · 19 hours ago

          I mean yeah, but I was hoping the people I share living space with would have at least been smart enough to work that out.