Return to Level1Techs.com

ISP backdoors in WAN router - What to do?

Hi all,

About a month ago, I switched ISPs and am now on 100Mb/s FTTH (fibre) and my local Telco provided an ‘el chepo’ ZTE F660 router. The techs spliced and looped in the optical fibre and set this up with default PPPoE settings etc.

At the time, I logged in and reset the admin password, and turned off the Wifi radio. More importantly, I did some port-forwarding to allow OpenVPN traffic through to my inner EdgeRouter.

However, about a week later, I found my OpenVPN connection just wouldn’t work. Uh oh. I couldn’t even login to the ZTE. I had to use the default unsecured ‘admin/admin’ creds to get into it. WAT :confounded::scream::scream::dizzy_face:

Yeah, that was my reaction. Anyways, I’ve since gone back in made the same changes and so far it has been behaving itself.

Couple questions -

  • How can I get an idea of the ingress traffic into this router?
  • What about ports being accessed?

If I perform a port-scan over the interwebs, I get nada. Even the router’s web UI cannot be accessed. However, there are supposed attack vectors that can be run from the WAN side - I’m just not sure what they are. I wonder if this is a task for Kali Linux/Metasploit?

I would have liked to have pfSense/Suricata to help with something like this, but I am not sure how to deal with IPS on the WAN side (being the wild-wild-web)…

Thoughts???

The reset probably happened because of a firmware upgrade or reprovisioning of configuration. Many routers have a physical switch for the wireless radio, but if your ISP doesn’t preserve user data om upgrade (could be months until the next one, or whenever you reboot it next - try it out), you should have your own router behind your ISP’s, or look into replacing it (ask your isp for guidance so you don’t break the fibre, and for pppoe details).

Have you talked with your isp and heard what they have to say about it?

1 Like

Disable any kind of DHCP on the modem/router, that way to have your router as the first connection that gets the public IP.

I had to do this with my ISP because every single one of them is bent on giving you the dumpster-fire that are modem/router combo’s these days (in USA).

1 Like

This is not technically what occurs on most fiber modems. They actually use VLAN tagging to differentiate between TV and internet (further vlan tagging can occur here for different speeds and limitations) … A cable modem is the the type of modem that reprovisions. Vlan tagging example: Century Link Vlan tag for fiber internet @40 mbps is 201. Each vlan tag operated by the ISP has an access control list in some shape or form so you cant just change the tag and voila its faster but it is useful knowing it if you wish to grant your own device access which is generally permitted

That being said you are correct a ISP can do an upgrade like this but an ISP always has managed level access of its modem which means its software can be reset remotely including its configuration.

Do not nmap or port scan any device that is not yours some ISPs consider that malicious and will issue a cease and desist I have seen it.

That being said the port could be open to a specific protocol vs just generically being open to an IP ping.

1 Like

If he connects over pppoe, chances are that it is a wholesale solution, which may still require loading remote configuration to provision triple play (or just sip fir the voip). Or whatever. Could just have been a firmware upgrade or a fluke - could be that you need to write to startup config. Not going to argue with you ; )

Sacrilege! Not sure they’d cop to it, but I could try hmm.

Build your own PF sense router, buy a router and put tomato on it, or shut up and deal with big brother helping out.

1 Like

Well its your isps modem, they provide you a moden that your allowed to use on “their” network.
So in other words the isp will allways have acces to it, to provide firmware updates and for support etc.
The only real solution to not allow your isp to do changes to “their” modem,
is to let it switch into bridge mode, sometimes you can do it yourself,
But sometimes the isp has to do this, this depends on if the modem has a custom isp’s firmware or not.
Then the modem will only work as a modem, and you could buy your own router instead.

Another option is to buy your own modem, but not every isp will allow you,
to use your own modem on their network.
Because then they cannot give you any support or service anymore.

1 Like

Run your own router behind it. Set the DMZ IP on the telco provided router and make that IP your WAN IP on your router. Just don’t use the same private network on both your router and the telco network.
Done.

2 Likes

This is the current config I have, i.e. ISP issues a WAN IP and the ZTE connects to my EdgeRouter on the 192.168.x.x subnet. The ZTE’s LAN address is also on the same subnet and I can access the web GUI via that IP.

Not sure if I can ‘pass’ the ZTE’s WAN IP through though (is that possible?). I may have misunderstood you, so do correct me if I’m off-base here.

I’m not sure I understood all that. Here’s an example

Telco router:
WAN IP: whatever
LAN Network: 192.168.1.0/24
DMZ IP: 192.168.1.2

Your router:
WAN IP: 192.168.1.2
LAN Network: 192.168.100.0/24

1 Like

Not to mention he could also change the subnet …

I have my network at home xxx.xxx.xxx.xxx/28

I just did some reading up on DMZ, and from my understanding any ingress traffic (from WAN) will basically pass through the DMZ. Given your configuration, the DMZ IP is 192.168.1.2

So, if say an attacker attempts to connect to port 8881 on the WAN IP, I should see that as ingress access at 192.168.1.2:8881? If so, that’s exactly what I’m looking for - reason is, I’d then place the pfSense router I’m building at this point so that I filter/log all intrusion attempts.

The point of DMZ is to separate a potentially compromised machine from the remainder of the internal network. Even DD-WRT can’t help you here, b/c attacks originating from the DMZ don’t pass through the router’s ruleset, they just hit the switch. DMZ is an illusion unless it’s on a separate physical connection

DMZ just means port forward all ports and protocols. So, yes, your scenario would give you the result you want.

1 Like

@NetBandit’s config will work because putting your personal router in a DMZ will let all traffic from the outside to it. If it were me, I would call the ISP and request that their modem/router be put in bridge mode. This turns off all routing functions of their equipment and just operates as a modem. You may not be able to login to it after this is done depending on how they implement it on that specific device, but you shouldn’t need to. PPPoE info or any other WAN info your ISP requires should be configured on the WAN interface on your router. The ISP should be able to give you this information.

2 Likes

that’s a better solution, if they allow it.

Aye, that’s a nice way to look at it.

Realistically in a secure setup though, I’d wager a proper DMZ would be something like this (Off topic though…)

DMZ ------(any public webservers sit here)—> (Firewall) ----- DNAT----> secure internal systems.

It’s funny how ‘DNZ Host’ is a total faux-pas with regards to simple home-routers, as you described well, it’s just a direct ‘forward all ports/protocols’ to the (LAN) switch.

dude what? no. that makes no sense

That also doesn’t make sense

As I said, that configuration - is how “DMZ” is meant to be deployed. I went tad OT there.

What you’ve described, is correct for what I’m looking to achieve. So thanks!!

My earlier comment meant to reflect this - https://superuser.com/a/17638