Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Internet without a modem

danish.

danish.

macrumors newbie
Original poster
Oct 25, 2012
15
1
Copenhagen, Denmark
My building just had fiberoptic internet installed, which is great. I can now go from an already excellent 50/20 mbps to an even better 100/100 mbps connection, at less than half the price. Win.

I got round to installing my router, and possibly hit a snag.

Backstory: The new connection is delivered to my apartment has a cable with an ethernet socket at the end. No modem is required, I just hook my iMac up straight to the ethernet port on the wall, visit a website to sign up, and them I'm good to go. This works fine, speed is as promised, all good.

Problem: I hooked up my AirPort Express straight to the wall socket, and this would only work in bridge mode - I got a double NAT error if I tried DCHP & NAT, and had to define an IP range for DCHP-only. Alarm bells started ringing. It seems that with my new ISP I no longer have control over the actual router that my devices hook up to. Instead, my AirPort Express is acting exclusively as a WIFI AP. The ISP seems to be allocating IPs to the entire building using the same range (i.e. 10.1.9.XX) - I am basing this on the fact that earlier today my router was allocated an IP in the 60s, and my iMac an IP in the 70s. These devices, by the way, have to register online the first time they access my network, and it seems that IP and MAC are locked together from that point on.

This seems problematic for me for two reasons. First of all, I can't just let a guest have my WIFI key (or set up a guest network) and leave it at that - I have to register their device with my ISP online. Second, and potentially worse, I feel that from a security standpoint I am worse off by having my ISP perform the functions of a router remotely than if I had my own router, especially as they seem to have the whole building on the same 'router'? I can ping other computers/devices in the building using other IPs in the local IP range, which doesn't fill me with confidence.

TL;DR: I don't need a modem for the internet in my apartment, and all router functions are managed by my ISP. My router is in bridge mode, and the internet works. My entire building is allocated IPs in the same IP range by my ISP. I can ping the other users, so I have network access to them. Am I right in thinking that this is a significant security risk?

For the time being, I'm not using the new internet connection. I need to be fairly sure of the security of the connection for both my work and my girlfriend's. Any comments/reactions would be much appreciated.

For any Danes who stumble across this, the new ISP in question is Bolig:Net
 
M

Mikael H

macrumors 6502a
Sep 3, 2014
864
538
That sounds like a major security hole. I wouldn't trust most home computers further than I can throw a very large building, and grouping them all together in a nice and cozy place where they're all potentially reachable to each other is just asking for trouble.
I would actually ask Bolig:Net if they allow private firewalls; possibly setting up a dedicated one between the network jack and your Airport Express unless you can get the Airport to work. If they don't, I'd start a crap gale and even consider going back to a DSL or mobile connection.
 
  • Like
Reactions: bdubblut
kiwipeso1

kiwipeso1

Suspended
Sep 17, 2001
646
168
Wellington, New Zealand
danish. said:
My building just had fiberoptic internet installed, which is great. I can now go from an already excellent 50/20 mbps to an even better 100/100 mbps connection, at less than half the price. Win.

I got round to installing my router, and possibly hit a snag.

Backstory: The new connection is delivered to my apartment has a cable with an ethernet socket at the end. No modem is required, I just hook my iMac up straight to the ethernet port on the wall, visit a website to sign up, and them I'm good to go. This works fine, speed is as promised, all good.

Problem: I hooked up my AirPort Express straight to the wall socket, and this would only work in bridge mode - I got a double NAT error if I tried DCHP & NAT, and had to define an IP range for DCHP-only. Alarm bells started ringing. It seems that with my new ISP I no longer have control over the actual router that my devices hook up to. Instead, my AirPort Express is acting exclusively as a WIFI AP. The ISP seems to be allocating IPs to the entire building using the same range (i.e. 10.1.9.XX) - I am basing this on the fact that earlier today my router was allocated an IP in the 60s, and my iMac an IP in the 70s. These devices, by the way, have to register online the first time they access my network, and it seems that IP and MAC are locked together from that point on.

This seems problematic for me for two reasons. First of all, I can't just let a guest have my WIFI key (or set up a guest network) and leave it at that - I have to register their device with my ISP online. Second, and potentially worse, I feel that from a security standpoint I am worse off by having my ISP perform the functions of a router remotely than if I had my own router, especially as they seem to have the whole building on the same 'router'? I can ping other computers/devices in the building using other IPs in the local IP range, which doesn't fill me with confidence.

TL;DR: I don't need a modem for the internet in my apartment, and all router functions are managed by my ISP. My router is in bridge mode, and the internet works. My entire building is allocated IPs in the same IP range by my ISP. I can ping the other users, so I have network access to them. Am I right in thinking that this is a significant security risk?

For the time being, I'm not using the new internet connection. I need to be fairly sure of the security of the connection for both my work and my girlfriend's. Any comments/reactions would be much appreciated.

For any Danes who stumble across this, the new ISP in question is Bolig:Net
Click to expand...

This is really insecure, as it means you have to trust that your neighbours don't get viruses, engage in spam relays, or possibly even get torrents insecurely (if your country has a legal problem with filesharing).

I would suggest that if you can get a firewall on your airport express, do it now.
 
  • Like
Reactions: bdubblut
Altemose

Altemose

macrumors G3
Mar 26, 2013
9,189
487
Elkton, Maryland
danish. said:
For the time being, I'm not using the new internet connection. I need to be fairly sure of the security of the connection for both my work and my girlfriend's. Any comments/reactions would be much appreciated.
Click to expand...

I would personally attempt to configure the AirPort in DHCP & NAT mode and ignore the Double NAT warning. This will also offer a NAT firewall between your network and the rest of the building.
 
  • Like
Reactions: bdubblut and CreatorCode
C

CreatorCode

macrumors regular
Apr 15, 2015
159
279
US
What's the problem with double-NAT? Are you running a server or some other system that needs to be accessible from the outside?

Double NAT is messy (in the sense that it's unnecessarily complicated) and adds some overhead to your traffic, but it's probably the best and safest option.

[EDIT: Ninja'd]
 
  • Like
Reactions: bdubblut
L

LC Phil

macrumors newbie
Apr 7, 2016
15
6
Vienna
You're kidding. So it's CAT5/6 connecting you to the floors switch then from there to the router.

Correct me if I'm wrong but they have run fibre to the building and not to the individual dwellings. Correct? What SHOULD have been done is what is known as a GPON network/setup, where the fibre is split and a connection goes to each apartment and each apartment has it's own ONT. Unfortunately fibre runs alone costs a LOT, it's something done in new construction.

It's possible there's a network config stuff up. You should be on your own VLAN and not be able to see anything outside your own network, let along ping. For example can you see any shared printers, file share, AirPlay? Can you remove the authentication for devices after you've added?

You can dual NAT it, but...*shrug*
 
  • Like
Reactions: DJLC
danish.

danish.

macrumors newbie
Original poster
Oct 25, 2012
15
1
Copenhagen, Denmark
So I dug around a bit more (after a vacation away, hence the radio silence), and things are looking better.

I spoke to the ISP, and they "corrected an issue" (whatever that Means), and now I can no longer ping my neighbours. Might just have been a setup error.

Double-NAT works fine after I re-registered the AirPort's MAC-address. In fact, now that I can double-NAT, I only need to register the AirPort with the ISP, not the devices that are downstream from the AirPort. I expect that my Xbox One and Back to mu Mac will give me trouble, however...

With the AirPort now running in double-NAT, I'm at least happier about the security, even if it isn't entirely convincing.
 
Altemose

Altemose

macrumors G3
Mar 26, 2013
9,189
487
Elkton, Maryland
danish. said:
Double-NAT works fine after I re-registered the AirPort's MAC-address. In fact, now that I can double-NAT, I only need to register the AirPort with the ISP, not the devices that are downstream from the AirPort. I expect that my Xbox One and Back to mu Mac will give me trouble, however...

With the AirPort now running in double-NAT, I'm at least happier about the security, even if it isn't entirely convincing.
Click to expand...

Yes. Leave the AirPort as the device registered, but you may have issues either way with Back To My Mac and your Xbox since you are downstream of a router that is out of your control.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom