Stupid Locked down ISP Router

I want to build a home lab server running Debian. I want to boot my one system over the network, but with how locked down the ISP’s modem is, I cannot touch anything. I know that I can get it in bridge mode, but my cable boxes are IP boxes, and they have to be behind their modem/DNS, etc. I am not wanting to do a double NAT; is there any other way to make this work? Would I have the server act as a router with two NICs and DNS on the client side?

(XB7 modem, Shaw BlueCurve, based on the Xfinity X1 platform)

If you can put your modem into Bridge Mode, any router behind it should be able to get an IP via DHCP; the modem will only act as a media converter.

You could have a virtualized instance of OPNsense on your server if you don’t want to buy new hardware, but that comes with the issues of having router and server on the same machine, which could make things more difficult for you if you’re a beginner.

On the other hand, buying an OpenWRT-compatible consumer router or a small firewall appliance which can run OPNsense doesn’t cost a lot either, if you’re willing to invest 100-200 USD. Something running OPNsense will be futureproof if you want to go down the homelab path deeper, allowing for proper firewall rules with VLANs, VPNs, etc.


Return the ISP modem and get yourself a modern Motorola Surfboard.

Positives:

  • Do what the fuck you want with your network
  • No rental fees

Negatives:

  • None

Edit: I used to do Wifi/internet level 3 support for Comcast. Their modem/router combos are GARBAGE!! I’ve never run into as much of a dumpsterfire of a router as the Comcast combo units. I HATED trying to fix those pieces of shit for customers.

Make sure you take pics of the MAC address at the return center (if you have a local one) so you can PROVE you returned it. Or get a receipt of some kind. ShitCast is notorious for still charging rental fees after you returned it, or charging you for the device overall (like you stole it or whatever). Cover your ass when it comes to them.


Double NAT, if you can DMZ between the two routers, isn’t a problem for 99.999% of things…

… it’s only a problem for random apps used to having unfettered access and being able to punch holes in your firewall, i.e. UPnP-based port forwarding, that also rely on UPnP to learn their own public IP.

If you put your router between your network and their router, and you configured your router’s WAN interface to a static private IP, and then also configured their router with your router’s WAN IP as a “DMZ”, then 99.9% of the stupid firewall-punching apps would still work, and you could put your TV / STB or whatever alongside your router hooked onto the XB1, and that’d work too.

The only thing that wouldn’t work in this setup is apps that rely on UPnP to get their public IP.

So … most things don’t need to open ports; things that do can do so. Out of those, most things don’t care to know their own public IP; those that do can use whatever some central registry sees, or if they need to know their own, they can use STUN, or if they rely on UPnP, well, they’ll be lied to and will get your router’s WAN interface IP instead, which isn’t useful.

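Added example, not from this thread: a shell script that writes the configuration for a Debian box acting as the inner router in the layout described in the post above (static private WAN address, that same address entered as the DMZ host on the ISP router, NAT for the lab LAN behind it). All addresses and interface names are constructed assumptions, and the script writes into a directory you choose rather than into /etc so you can review the files before installing them.

```shell
#!/bin/sh
# Added example (not the thread's own config). Assumed, constructed layout:
#   ISP router LAN   10.0.0.0/24, gateway 10.0.0.1
#   inner router WAN 10.0.0.2 (static; enter this as the DMZ host on the ISP router)
#   inner lab LAN    192.168.50.0/24, inner router LAN address 192.168.50.1
#   eth0 = WAN side, eth1 = lab LAN side (interface names are assumptions)

WAN_IF=eth0
LAN_IF=eth1
WAN_IP=10.0.0.2
WAN_GW=10.0.0.1
LAN_NET=192.168.50.0/24
LAN_IP=192.168.50.1

# /etc/network/interfaces.d fragment: a fixed WAN address means the DMZ entry
# on the ISP router never goes stale when a DHCP lease would have changed.
gen_interfaces() {
    cat <<EOF
auto $WAN_IF
iface $WAN_IF inet static
    address $WAN_IP/24
    gateway $WAN_GW

auto $LAN_IF
iface $LAN_IF inet static
    address $LAN_IP/24
EOF
}

# /etc/nftables.conf: masquerade the lab LAN behind the WAN address and only
# forward connections that the lab LAN initiated. Unsolicited traffic the ISP
# router sends to its DMZ host hits the forward chain's drop policy, so nothing
# reaches the lab LAN until an explicit dnat rule is added for it.
gen_nftables() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # lab hosts may talk to the router itself (DHCP, DNS, SSH)
        iifname "$LAN_IF" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only the lab LAN may open outbound connections
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# /etc/sysctl.d fragment: the kernel does no forwarding until this is set.
gen_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Write all three files into $1 (or a fresh temp dir) and print the directory.
write_all() {
    dir=${1:-$(mktemp -d)}
    mkdir -p "$dir"
    gen_interfaces > "$dir/interfaces"
    gen_nftables   > "$dir/nftables.conf"
    gen_sysctl     > "$dir/99-forward.conf"
    echo "$dir"
}
```

Run it as `sh inner-router.sh /tmp/review`, check the three files, then copy `interfaces` to /etc/network/interfaces.d/, `nftables.conf` to /etc/nftables.conf, `99-forward.conf` to /etc/sysctl.d/ and enable the nftables service. This is exactly the situation the post describes: a UPnP client on the lab LAN would at best get 10.0.0.2 back as its "external" address, because that is all the inner router knows.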

You can, but they like to disable bridge mode by themselves for no reason pretty often. The best solution is just to get rid of them. Seriously, yeah, you can sometimes set all the settings you need, but it’s like a goddamn Windows computer. They reset all the settings whenever the fuck they want.

If you bring your own modem hardware they still get to provision it however they want, right?

i.e. it’s only a potential cost saving or stability benefit - they still “own” it from a security/control perspective?

They provision it to connect to their network, but it’s YOUR modem that only does media conversion. Then you supply your own router that doesn’t get touched by your ISP. The security is in YOUR router. The media converter does only that: converts coax to digital.

They don’t own your modem. You can take that modem and switch ISPs if you wanted. AND you can get into the modem diag page yourself if you wanted, usually through 192.168.100.1 (your model may vary), but I know that’s for Moto Surfboards.

So if you’re arguing they still have control, which would you like: THEIR modem/router combo running their custom software doing god knows what in the background (like Comcast enabling the free WiFi on consumer routers without permission), or your own modem and router where you control what happens? Or going further and flashing open firmware like Tomato or OpenWRT that gives you complete control.

Right, do you generally have root on it? … or access to modify any of the DOCSIS parameters…

… honestly asking since I don’t have much experience with this “bring your own modem” thing - here in Europe we don’t really pay for cable “modem rental”, and treat them as random ISP supplied boxes they sometimes want back despite being 5y old / sometimes not but will send a courier to pick up for recycling anyway.

… my bring-your-own-modem experience ended in 2004 with cloned MAC address Surfboards in the early days of DOCSIS.

I don’t know if they actually fixed the protocol in newer versions to disallow the abuse, or if they “fixed it” by denying the end user root.

It’s your modem, do what you want with it. You think the Comcast modem is gonna give you root? 😂😂

I think you’re arguing down a rabbit hole that goes nowhere. You want root and to change DOCSIS parameters? The original post was about how the Comcast modem doesn’t really help the needs of the OP.

Maybe you could open up a Moto Surfboard and get root through a JTAG? IDFK, don’t quote me on it. I’ve never had the need to do so.
At the end of the day, I’ll refer back to my previous post.

I agree, and we’ve veered way off topic.

It was interesting to consider whether you can actually treat your own modem as something secure, e.g. something where you can run your own software, or not. It seems like that’s not the case.

Comcast giving you root on a box shouldn’t really be an issue for Comcast if the protocols are well designed, or if there are mitigations in place for various shared-medium abuse. For example, I heard that these days there’s this BPI thing that might help the ISP not have to trust the modems as much, but I don’t know how it would compare to 802.1X and some kind of decent L1/L2 security.

Anyway, topic for another day - hopefully we all swap coax with fiber soon.

Unless you run your own ISP, then no. Just take what you can get. If you want security that much, then route everything through a VPN on your router.


Same situation. You need a media converter that registers you to your ISP; the difference is coax vs light (optical).

Thanks for the input. I HAVE to use the ISP modem; it is a free rental, and if I put it in bridge mode with anything else (pfSense box, another router, etc.), I lose my TV/IPTV and my wife would hate me.

I might reconsider doing a double NAT, if 99% of apps will work with it. I just have to find 2 NICs that will do 2.5 gig+ for not a large amount of money, in Canada, to be able to get the full 1.5 gig connection I have on coax.

Where I am, there is one telco (Telus) that has ADSL only in my area, and cable (Shaw) where I can get my 1.5Gb down. There is no fiber in my city, and my friend who has (Telus) fiber in the town/city next to us is having major problems with the connection and speed.

I am trying to make lemonade with the bruised lemons that I have been handed.

2.5G RTL8125-based cards are about $30 a piece; they’re great with Linux, but I don’t know about pfSense or multiport.

Do you already have a faster than 1G switch? You could get by with a single port and router on a stick setup if your switch supports VLANs.

Alternatively, if you’re spending money on two ports, look for an x550-T2 (they’re about $200, but they’re great cards all around with sr-iov and dual 10G ports that also work with multi gig)

Have you actually tested bridging the device yet? If you can, I say try to find something to test it with even if it’s not the device you want to ultimately keep.

With the original device in bridge mode, the new device should pull an IP for its external interface from the ISP DHCP just like the original one did, and since this is now logically your edge device, it should provide NAT services for your local network in exactly the same manner the original one did (as long as it’s configured properly). The original device in bridge mode is transparent to all of this.

What am I missing here?


I have not tried it yet; this is just planning, etc., in my head. 1. I want to plan things out before I do stuff, have as much as I can figured out, how to put it back to normal if it all breaks apart… 2. I am the kind of guy that if something could go wrong, it will. I have learned to be very cautious in all that I do.

Thank you though. It would be a good test to see, even on a cheap router, if it would still work. I am going to ponder it and see if I can make it work for the TV IP boxes.

No worries, I get it. That last line was a request for someone to correct me if I was wrong, but I think you are ok on the NAT concern.

Definitely try bridge mode first. You will need some kind of router to test it. If that works, you have all kinds of options on what to do. A stock plastic router is better than what you have. OpenWRT or similar is better. Right now, I’m running a PC Engines APU SBC as my router. I was running Linux on it (any lightweight distro will work well), and recently moved to SmartOS.

If bridge mode doesn’t work, you could try setting up a subnet a few different ways. The tricky part is the locked down router will need to know about the subnet. Some options, with varying degrees of unlikeliness:

  • Set up a static route on the locked down router
  • Run a routing protocol like RIP
  • Leverage IPv6 Prefix Delegation

All of these require some sort of cooperation from the locked down router.

Alternatively, if all you want is PXE boot, you just need to set some options in the DHCP server. You can do a couple of things here:

  • Disable DHCP on the router and run your own.
  • MitM the router. Put a 2 port device between the router and the rest of the network. Block DHCP from the locked down router, run your own DHCP server on said device, and forward everything else.
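Added example, not from this thread: a shell script that writes the dnsmasq and nftables configuration for both PXE options in the post above (run your own DHCP server; or put a two-port device between the locked router and the LAN, drop the router’s DHCP replies there, and serve DHCP from that device). It also goes one step beyond the post with dnsmasq’s proxyDHCP mode, which answers only the PXE part of the exchange and leaves the ISP router’s DHCP untouched. Addresses, the bootloader name, the TFTP root and the interface names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own config). Assumed, constructed layout:
#   LAN 192.168.0.0/24, ISP router 192.168.0.1, this box 192.168.0.10
#   bootloader pxelinux.0 served from /srv/tftp
#   bridge br0 = eth0 (toward the ISP router) + eth1 (toward the rest of the LAN)

PXE_SERVER=192.168.0.10
ROUTER=192.168.0.1
TFTP_ROOT=/srv/tftp
BOOTFILE=pxelinux.0
DHCP_IF=br0

# Option 1 from the post: this box is the only DHCP server on the LAN (the ISP
# router's DHCP is switched off, or its replies are dropped by the rule below).
gen_dnsmasq_full() {
    cat <<EOF
interface=$DHCP_IF
dhcp-range=192.168.0.100,192.168.0.200,12h
dhcp-option=option:router,$ROUTER
dhcp-option=option:dns-server,$ROUTER
# boot file and next-server handed to every client; non-PXE clients ignore them
dhcp-boot=$BOOTFILE,,$PXE_SERVER
enable-tftp
tftp-root=$TFTP_ROOT
EOF
}

# proxyDHCP (beyond the post): the ISP router keeps leasing addresses, dnsmasq
# only tells PXE clients where the boot file is. Nothing on the locked router
# changes and there is no second address-leasing server on the LAN.
gen_dnsmasq_proxy() {
    cat <<EOF
interface=$DHCP_IF
dhcp-range=192.168.0.0,proxy
# basename only: dnsmasq appends the PXE layer suffix, so clients fetch pxelinux.0
pxe-service=x86PC,"Network boot",${BOOTFILE%.0},$PXE_SERVER
enable-tftp
tftp-root=$TFTP_ROOT
EOF
}

# Option 2 from the post: transparent two-port device. Drop DHCP server replies
# (UDP 67 -> 68) arriving from the ISP router's port so LAN clients only hear
# this box's dnsmasq; every other frame is bridged untouched. Frames addressed
# to this box take the input hook, not forward, so br0 itself can still get a
# lease from the ISP router if you prefer that to a static address.
gen_bridge_filter() {
    cat <<EOF
table bridge dhcp_filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "eth0" udp sport 67 udp dport 68 drop
    }
}
EOF
}

# Commands to build the bridge (printed for review, not executed here).
gen_bridge_cmds() {
    cat <<EOF
ip link add br0 type bridge
ip link set eth0 master br0
ip link set eth1 master br0
ip link set eth0 up
ip link set eth1 up
ip link set br0 up
ip addr add $PXE_SERVER/24 dev br0
EOF
}

# Write everything into $1 (or a fresh temp dir) and print the directory.
write_all() {
    dir=${1:-$(mktemp -d)}
    mkdir -p "$dir"
    gen_dnsmasq_full  > "$dir/dnsmasq-full.conf"
    gen_dnsmasq_proxy > "$dir/dnsmasq-proxy.conf"
    gen_bridge_filter > "$dir/dhcp_filter.nft"
    gen_bridge_cmds   > "$dir/bridge.sh"
    echo "$dir"
}
```

Install exactly one of the two dnsmasq files under /etc/dnsmasq.d/ (running both at once makes no sense), load `dhcp_filter.nft` with `nft -f` only on the two-port device, and put the bootloader at /srv/tftp/pxelinux.0. If the ISP router’s DHCP stays active and you choose the full-DHCP file without the bridge filter, clients will race the two servers, which is the rogue-DHCP situation the bridge rule exists to prevent; the proxyDHCP file avoids the race entirely.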

I only do an ISP modem, maybe my own one day. If it’s a shitty router, go to the DSL Reports forums and get the PW to get in and change it to bridge mode, and use my own home-built router with DD-WRT or Untangle.