Internet without a modem

Discussion in 'Mac OS X Server, Xserve, and Networking' started by danish., Apr 22, 2016.

  1. danish. macrumors newbie

    danish.

    Joined:
    Oct 25, 2012
    Location:
    Copenhagen, Denmark
    #1
    My building just had fiberoptic internet installed, which is great. I can now go from an already excellent 50/20 mbps to an even better 100/100 mbps connection, at less than half the price. Win.

    I got round to installing my router, and possibly hit a snag.

    Backstory: The new connection delivered to my apartment has a cable with an ethernet socket at the end. No modem is required, I just hook my iMac up straight to the ethernet port on the wall, visit a website to sign up, and then I'm good to go. This works fine, speed is as promised, all good.

    Problem: I hooked up my AirPort Express straight to the wall socket, and this would only work in bridge mode - I got a double NAT error if I tried DHCP & NAT, and had to define an IP range for DHCP-only. Alarm bells started ringing. It seems that with my new ISP I no longer have control over the actual router that my devices hook up to. Instead, my AirPort Express is acting exclusively as a WIFI AP. The ISP seems to be allocating IPs to the entire building using the same range (i.e. 10.1.9.XX) - I am basing this on the fact that earlier today my router was allocated an IP in the 60s, and my iMac an IP in the 70s. These devices, by the way, have to register online the first time they access my network, and it seems that IP and MAC are locked together from that point on.

    This seems problematic for me for two reasons. First of all, I can't just let a guest have my WIFI key (or set up a guest network) and leave it at that - I have to register their device with my ISP online. Second, and potentially worse, I feel that from a security standpoint I am worse off by having my ISP perform the functions of a router remotely than if I had my own router, especially as they seem to have the whole building on the same 'router'? I can ping other computers/devices in the building using other IPs in the local IP range, which doesn't fill me with confidence.

    TL;DR: I don't need a modem for the internet in my apartment, and all router functions are managed by my ISP. My router is in bridge mode, and the internet works. My entire building is allocated IPs in the same IP range by my ISP. I can ping the other users, so I have network access to them. Am I right in thinking that this is a significant security risk?

    For the time being, I'm not using the new internet connection. I need to be fairly sure of the security of the connection for both my work and my girlfriend's. Any comments/reactions would be much appreciated.

    For any Danes who stumble across this, the new ISP in question is Bolig:Net
     
  2. Mikael H macrumors 6502

    Joined:
    Sep 3, 2014
    #2
    That sounds like a major security hole. I wouldn't trust most home computers further than I can throw a very large building, and grouping them all together in a nice and cozy place where they're all potentially reachable to each other is just asking for trouble.
    I would actually ask Bolig:Net if they allow private firewalls; possibly setting up a dedicated one between the network jack and your Airport Express unless you can get the Airport to work. If they don't, I'd start a crap gale and even consider going back to a DSL or mobile connection.
     
  3. kiwipeso1 Suspended

    kiwipeso1

    Joined:
    Sep 17, 2001
    Location:
    Wellington, New Zealand
    #3
    This is really insecure, as it means you have to trust that your neighbours don't get viruses, engage in spam relays, or possibly even get torrents insecurely (if your country has a legal problem with filesharing).

    I would suggest that if you can get a firewall on your airport express, do it now.
     
  4. Altemose macrumors G3

    Altemose

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #4
    I would personally attempt to configure the AirPort in DHCP & NAT mode and ignore the Double NAT warning. This will also offer a NAT firewall between your network and the rest of the building.
     
  5. CreatorCode macrumors regular

    CreatorCode

    Joined:
    Apr 15, 2015
    Location:
    US
    #5
    What's the problem with double-NAT? Are you running a server or some other system that needs to be accessible from the outside?

    Double NAT is messy (in the sense that it's unnecessarily complicated) and adds some overhead to your traffic, but it's probably the best and safest option.

    [EDIT: Ninja'd]
     
  6. ddmcnair macrumors member

    Joined:
    Apr 25, 2011
  7. DJLC macrumors 6502a

    DJLC

    Joined:
    Jul 17, 2005
    Location:
    Mooresville, NC
    #7
    Agree, double NAT all day in that scenario. Hopefully you don't need any outgoing ports...
     
  8. LC Phil macrumors newbie

    Joined:
    Apr 7, 2016
    Location:
    Vienna
    #8
    You're kidding. So it's CAT5/6 connecting you to the floor's switch then from there to the router.

    Correct me if I'm wrong but they have run fibre to the building and not to the individual dwellings. Correct? What SHOULD have been done is what is known as a GPON network/setup, where the fibre is split and a connection goes to each apartment and each apartment has its own ONT. Unfortunately fibre runs alone cost a LOT, it's something done in new construction.

    It's possible there's a network config stuff up. You should be on your own VLAN and not be able to see anything outside your own network, let alone ping. For example can you see any shared printers, file share, AirPlay? Can you remove the authentication for devices after you've added?

    You can dual NAT it, but...*shrug*
     
  9. danish. thread starter macrumors newbie

    danish.

    Joined:
    Oct 25, 2012
    Location:
    Copenhagen, Denmark
    #9
    So I dug around a bit more (after a vacation away, hence the radio silence), and things are looking better.

    I spoke to the ISP, and they "corrected an issue" (whatever that means), and now I can no longer ping my neighbours. Might just have been a setup error.

    Double-NAT works fine after I re-registered the AirPort's MAC-address. In fact, now that I can double-NAT, I only need to register the AirPort with the ISP, not the devices that are downstream from the AirPort. I expect that my Xbox One and Back to My Mac will give me trouble, however...

    With the AirPort now running in double-NAT, I'm at least happier about the security, even if it isn't entirely convincing.
     
  10. Altemose macrumors G3

    Altemose

    Joined:
    Mar 26, 2013
    Location:
    Elkton, Maryland
    #10
    Yes. Leave the AirPort as the device registered, but you may have issues either way with Back To My Mac and your Xbox since you are downstream of a router that is out of your control.
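
The bridge-versus-NAT trade-off discussed in this thread can be checked before a router is configured. The following is an added example, not part of the original thread: it flags double NAT, checks that the router's own LAN range does not overlap the ISP-run range, and notes when bridge mode leaves devices on the shared segment. The /24 prefix on the 10.1.9.x upstream, the sample addresses, the candidate LAN ranges and the function names are assumptions.

```python
import ipaddress

# Private ranges (RFC 1918) and carrier-grade NAT shared space (RFC 6598).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def assess(wan_cidr, lan_cidr, mode):
    """Assess a home router plan. mode: 'bridge' or 'nat' (labels assumed here)."""
    if mode not in ("bridge", "nat"):
        raise ValueError("mode must be 'bridge' or 'nat'")
    wan = ipaddress.ip_interface(wan_cidr)   # address the ISP handed the router
    upstream_private = wan.ip in CGNAT or any(wan.ip in n for n in RFC1918)
    result = {
        "upstream_is_private": upstream_private,
        "double_nat": False,
        "lan_overlaps_upstream": False,
        # In bridge mode every device sits directly on the ISP-run segment.
        "devices_on_shared_segment": mode == "bridge",
    }
    if mode == "nat":
        lan = ipaddress.ip_network(lan_cidr)
        # NAT behind an already-private WAN address is double NAT.
        result["double_nat"] = upstream_private
        # An overlapping range leaves the router unable to tell LAN from WAN.
        result["lan_overlaps_upstream"] = lan.overlaps(wan.network)
    return result

def suggest_lan(wan_cidr, candidates=("10.0.1.0/24", "172.16.1.0/24",
                                      "192.168.1.0/24")):
    """Return the first candidate LAN range that does not overlap the upstream."""
    upstream = ipaddress.ip_interface(wan_cidr).network
    for cidr in candidates:
        if not ipaddress.ip_network(cidr).overlaps(upstream):
            return cidr
    return None

if __name__ == "__main__":
    # Constructed sample: an address "in the 60s" of 10.1.9.x, /24 assumed.
    wan = "10.1.9.65/24"
    print(assess(wan, None, "bridge"))
    print(assess(wan, "192.168.1.0/24", "nat"))
    print(assess(wan, "10.1.0.0/16", "nat"))
    print(suggest_lan("10.1.9.65/8"))
```

If the upstream prefix is wider than assumed (the second `suggest_lan` call uses /8), a 10.x LAN range would collide with it, which is why the candidates span all three private blocks.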
     
