isp router design mistakes 30/04

Wouter Groeneveld 2024-04-29 14:56:43 +02:00
parent 56538becb8
commit 3c6a8fb0af
3 changed files with 39 additions and 0 deletions


@ -0,0 +1,38 @@
---
title: "ISP Router Design Mistakes"
date: 2024-04-30T09:00:00+02:00
categories:
- software
tags:
- design
---
Time for another [design mistake](/tags/design), this time from our new Internet Service Provider (ISP). We switched last week because I required a business subscription as part of the cost-optimization plan. In Belgium, there's very little choice when it comes to ISPs, with two giants completely dominating the market: Proximus and Telenet. We used to have a Scarlet subscription which is the "cheap part" of Proximus, meaning all the hardware is from Proximus, it's just coated with another software layer.
Proximus/Scarlet modems/routers (integrated) are aptly called [_B-Box_ routers](https://setuprouter.com/router/belgacom/b-box-3/) appended with a revision number. Our previous one was _B-Box 3_: a basic but functional router with crappy Wi-Fi capabilities. With our new installation came a revision upgrade: welcome, _B-Box 4_ also known as the _Internet Box_! That alias raised serious suspicions that were confirmed as soon as the technician started the installation: you can no longer configure your modem locally.
Wait. What?
That's right, no more logging into the router with `http://192.168.1.1` with user `root` and the password as mentioned on the sticker at the bottom. Instead, you use something called The Internet to navigate to the ISP site, log into the client portal, drown in a series of dubious links and menus, to eventually find your internet connection, click on that, and locate a button "configure". That means, in order to connect my internal network to the outer world, I first have to find another device or hijack my neighbor's Wi-Fi to configure my own network using an external website? What the hell were they thinking?
![](../myproximus.jpg "MyProximus Network Management: configure your router... Via the internet.")
That also means that if someone hacks your MyProximus customer account, they can happily change your Wi-Fi password, disable it, or mess with the DHCP settings, or even mess with the router IP itself. Or disable the firewall. Or open up port `80` or setup a series of port forwarding rules. Or keep on rebooting the router. From a security point of view, that sounds like a job well done!
Even if there's an option to disable any features and treat it as a pass-through device in order to bring in my own router, I still cannot disable the publicly (if you've got the credentials) accessible part of the configuration, where config can be messed up at will.
None of the Flemish tech-related websites that cover the new Internet Box, like [this Knack DataNews article](https://datanews.knack.be/nieuws/alles-wat-je-moet-weten-over-de-nieuwe-internetbox-van-proximus/), seem to care about this: all they care about is how future-proof the 1GB DDR3 RAM and 512M flash storage is compared to its predecessor that had "only" 256MB RAM and 128MB storage. Hurray for digitization and technological progress.
Belgian ISPs are great at screwing over their customer when it comes to customizing networks: everything's shut tight, supposedly because of certain laws that require DNS resolvers to forward to `fccu-stop.services.belgium.be` in case a domain is blocked by the government. It was never possible to configure your own DNS server in any B-Box, but I fixed that [with a Pi-Hole acting as the DHCP server](/post/2022/02/how-to-setup-pi-hole-on-synology-nas/).
Speaking of which, the new B-Box 4 kept on broadcasting an IPv6 DNS server---namely himself---that had our macOS laptops bypass the Pi-Hole because macOS treats the DNS server list as round-robin, not as a priority list. By enabling IPv6 support on the Synology NAS, on the DHCP server and DNS server settings of the Pi-Hole, and by fiddling with the Box DNSv6 config, I eventually did manage to throw out the wrong one. (And yet there's no option to customize the DNSv4 one?)
Sure enough, the Proximus Support pages list [ways to setup your private router](https://www.proximus.be/support/nl/id_sfaqr_router_install/particulieren/support/internet/internet-thuis/geavanceerde-instellingen/je-priverouter-instellen-als-draadloze-router.html)---via a bridged LAN Host that results in 2 networks---but also clearly state that the TV box won't work. Great. I've had trouble with the TV decoder before that didn't accept an IP from the Pi-Hole DHCP. The new installation also came with a new TV box: now it's suddenly an Android-based one that does flow through the Pi-Hole, allowing me to block certain domains.
Another problem is that using custom modems [requires certifications from the ISP](https://nl.forum.proximus.be/internet-10/goedgekeurde-firmware-fritzbox-7590ax-56326) that seem to be very reluctant to hand them out. Judging from the Userbase and Proximus forums, diving in that rabbit hole will easily take days. I've tried to set up custom modems before and it never worked, meaning I had to fall back to using it merely as a router. Still, that's better than having someone else remotely configuring my local Wi-Fi settings.
---
I recently discovered a set of alternative modem/router devices [seemingly compatible with Proximus](https://be.avm.de/service/fritzbox-werkt-op-elke-aansluiting/fritzbox-voor-gebruik-op-de-aansluiting-van-proximus-configureren/) called _FRITZ!Box_ that seem to be certified for the Belgian VDSL network that Proximus offers in our neighborhood... I might go ahead and order one to keep myself busy for the coming month.
Another related interesting read (in Dutch): [free modem choice in Belgium: possible since 2015 but no ISP allows it](https://techpulse.be/achtergrond/318285/vrije-modemkeuze-in-belgie-hoe-zit-dat-juist/).
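
Review bot: the paragraph beginning "That also means that if someone hacks your MyProximus customer account" and the one after it rest the whole security argument on the portal account, yet neither says how that account is protected (password only, or a second factor) or how the claim "I still cannot disable the publicly ... accessible part of the configuration" was checked. Suggest adding one sentence for each, so readers can judge the exposure and know what to look for in their own account settings. Smaller points in the same hunk: the image line `![](../myproximus.jpg ...)` has empty alt text; "512M flash storage" should read "512MB" to match "128MB storage" later in the sentence; "namely himself" should be "itself"; "setup" used as a verb ("setup a series of port forwarding rules", "ways to setup your private router") should be "set up"; and "their customer" should be "their customers".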


@ -65,6 +65,7 @@ Here's a list of apps I now rely on:
- Etar Calendar: a FOSS calendar widget alternative.
- NetGuard: currently under evaluation, with this you can block internet access on (system) package level.
- Automate: currently under evaluation, with this you can create widgets that activate a custom workflow (see [Zach Young's notes on this](https://zachyoung.dev/posts/obsidian-quick-capture-for-android)). Used as a quick link to my Obsidian Scratchpad note file.
- [Material Files](https://github.com/zhanghai/MaterialFiles) as a proper FOSS File Explorer.
Switching smartphones was---besides the hassle of installing and configuring all of the above---surprisingly easy, thanks to Syncthing and DAVx5. I was already exporting all critical data and I already de-Googled my life, so there wasn't anything on the old Sony XZ1 Compact phone that I had to backup or copy before switching over. I don't save chat conversation history anymore: most of my messages are ephemeral anyway.
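
Review bot: the Material Files list entry belongs to a different post than the one named in the commit title ("isp router design mistakes 30/04"), so it would be easier to trace as its own commit. It also breaks the "Name: description" pattern of the Etar Calendar, NetGuard and Automate entries above it; something like "Material Files: a proper FOSS file explorer." with the link on the name would keep the list consistent.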

Binary file not shown.
