Network question: use DSL modem's 4-port in bridge mode?

Posted by: mlord

Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 00:24

I have a DSL modem/router with a built-in 4-port LAN switch. The modem/router is used only in bridge mode, so it acts only as a modem not as a router. I have a separate router that connects to it via one of the LAN switch ports. The separate router runs PPPoE to establish internet connectivity through the bridged modem.

Can I safely use the other three ports on the modem as ordinary LAN ports? I know I can use them, because I do, and it all works nicely.

But I don't know if any LAN traffic leaks out through the modem when doing this. Is it even possible for that to happen, given that the modem is just a PPPoE bridge?

Thanks
Posted by: gbeer

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 00:29

So what is your definition of "safely"?
Posted by: mlord

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 00:35

Originally Posted By: gbeer
So what is your definition of "safely"?

Originally Posted By: mlord
But I don't know if any LAN traffic leaks out through the modem when doing this.

Not leaking LAN traffic would be the definition.
Posted by: wfaulk

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 00:55

Without knowing a lot more about how the modem deals with its traffic there's no way to know for sure. However, given that you have a computer of some nature behind the modem and still communicating with something on the other side of the modem via Ethernet, it seems to me that it is possible for such data to leak out under the right circumstances. Effectively, anything plugged into that switch, even on the other side of your broadband link, is going to be on the same physical Ethernet (layer 2) network, and anything that can gain access to that network has an avenue of attack. If you could segregate those extra ports into a separate VLAN then you should be okay, but even if the switch supports VLANs, which it probably doesn't, you probably don't have enough access to configure it.

My guess is that if you're paranoid enough to ask, then it's probably not safe enough for you.
Posted by: mlord

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 01:10

I figure it is safe. But I also know there are enough bright people here to think of any loopholes.

The only connection from the modem to the outside world is via ethernet packets being transported over ATM. Ethernet packets are strictly routed point-to-point by MAC address. It is not possible for an ethernet packet to be sent over the phone line (ATM) unless the source knows the MAC address of something on the other side.

In the modem, the only way this happens is within the envelope of the PPPoE session. Packets arriving at the modem without a PPPoE wrapper simply cannot be routed.

That's my understanding.

Cheers
Posted by: wfaulk

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 01:28

Right. They can't be routed (that is, cross IP network boundaries), but the packets could conceivably be seen on the other side of the modem connection itself. This could be at the phone company, the ISP (if it's different from the phone company), or someone that has tapped your phone line.

Effectively, the phone company is using ATM as a bridge between two segments of an Ethernet network. Part of the PPPoE protocol is discovery of the MAC address of the PPPoE "server", and it accomplishes this via a broadcast Ethernet packet. I don't see what would prevent other broadcast Ethernet packets. And that sort of a bridge is not really any different from the way Ethernet switches (as opposed to hubs) work nowadays anyway.

So the question is: are you okay with one of the ports on your LAN Ethernet switch being connected to your ISP, through the phone company, through a largely physically insecure series of copper and fiber-optic cables?
Posted by: K447

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 01:49

This is just to employ the 3 'unused' ports as a simple hub, rather than having a separate small hub?

Small hubs are not expensive. Why bother with the risk of re-using those ports on the modem?
Posted by: drakino

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 02:11

Who makes the DSL modem out of curiosity?
Posted by: Shonky

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 03:10

I do exactly that with a Billion modem. It also allows direct access to the modem's internal webserver too, which can be handy. I just give it a LAN IP address.

Not actively looked for any dodginess but given the PPPoE stuff is all happening on the separate firewall box, I can't see how anything can get anywhere on the ADSL itself.
Posted by: frog51

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 06:53

What configuration options does your modem/router give you? By default many are set up so that the default route for all traffic on the LAN ports is outbound.

Which means they do get encapsulated up and spat over ATM to the ISP for onward forwarding.

Easy to turn off though - just change the default route for those other ports.
Posted by: mlord

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 10:45

But this is just a modem, in bridge mode. Not a router. So it doesn't have "routes" to manage. Any thoughts of routing IP/TCP don't come into the discussion at all.

The only thing the modem knows about are ethernet packets, which are strictly routed by MAC. So unless something on my LAN feeds it a packet with the MAC of the DSLAM at the far end, then no ethernet packets will travel across the phone wires. EDIT: or perhaps they may pass that far, then get dropped at the far end due to MAC mismatch?

Bitt brought up the one point I'm only 99% certain about: what happens with ethernet broadcasts, that are not MAC address specific?

The regular PPPoE negotiation from the router, through the modem, to the DSLAM, and back.. uses PADI/PADO MAC discovery broadcasts, which are specific to the PPPoE protocol.

I suppose the Great Unknown here is whether or not the modem ever passes any other broadcast packets through the phone wires, or if it identifies and passes on only the PADI/PADO?

For the curious, the "modems" in this case are by TP-Link. One is a TD-8841, the other is a TD-8901G at a buddy's house. Each has a built-in 4-port LAN switch, built-in router (disabled), and ADSL2+ modem.

We're each using them with multi-line MLPPP, managed by a WRT54GS/L router with Tomato/MLPPP on it. Since I have two modems here, one connects to the router over the (totally secure) WAN port, the other uses a LAN port. Since the latter is already on the LAN, its three extra ports become available for LAN use too.

In my buddy's case, his modem is in the basement, but the router is in his second floor office, with a single ethernet link between them. He needs more ethernet ports in the basement, so we just use the spare ports on his modem. This avoids the need to open up walls for running additional ethernet cables.

(yes I know/use the trick of two ethernets per cat-5 cable, too).

Cheers

Posted by: mlord

Re: Network question: use DSL modem's 4-port in bridge mode? - 23/03/2011 19:22

Mmm.. having thought and read about all of this much more now, I believe Bitt's assessment to be pretty accurate. Ethernet broadcasts are probably leaking out, and the ISP and/or carrier could perform ARP attacks back in if they felt like it.

I'll fix that in my setup with a VLAN sometime Real Soon Now.

Cheers
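
Added example (not part of the thread and not any poster's code): a small Python model of the question the thread settles on, comparing which LAN frames reach the DSL side under a transparent bridge versus a bridge that passes only the PPPoE EtherTypes (0x8863 discovery, 0x8864 session, per RFC 2516). Both bridge behaviours are assumptions for illustration, not the TP-Link firmware's documented behaviour, and all MAC addresses and frames are constructed samples.

```python
import struct

PPPOE_DISCOVERY = 0x8863  # RFC 2516 discovery stage (PADI/PADO/...)
PPPOE_SESSION = 0x8864    # RFC 2516 session stage
VLAN_TAG = 0x8100         # 802.1Q tag, skipped to reach the real EtherType
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def parse(frame):
    """Return (dst, src, ethertype, label) for a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    etype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if etype == VLAN_TAG and len(frame) >= 18:
        etype, offset = struct.unpack("!H", frame[16:18])[0], 18
    label = NAMES.get(etype, hex(etype))
    if etype == PPPOE_DISCOVERY and len(frame) > offset + 1:
        label = PPPOE_CODES.get(frame[offset + 1], "PPPoE-discovery")
    elif etype == PPPOE_SESSION:
        label = "PPPoE-session"
    return dst, src, etype, label

def crosses_wan(frame, lan_macs, pppoe_only):
    """Would the modelled bridge put this frame on the DSL side?"""
    dst, _src, etype, _label = parse(frame)
    if pppoe_only:  # assumed filter: only PPPoE EtherTypes pass
        return etype in (PPPOE_DISCOVERY, PPPOE_SESSION)
    # Transparent bridge: broadcast/multicast (I/G bit set) and unicast to a
    # MAC not learned on a LAN port are flooded out of every port.
    return bool(dst[0] & 0x01) or dst not in lan_macs

def leaked(frames, lan_macs):
    """Labels of frames a transparent bridge forwards but a PPPoE-only one drops."""
    return [parse(f)[3] for f in frames
            if crosses_wan(f, lan_macs, False) and not crosses_wan(f, lan_macs, True)]

# Constructed sample traffic (locally administered MACs, zero-padded payloads).
PC, NAS, ROUTER, AC = (bytes.fromhex("0200000000" + x) for x in ("01", "02", "10", "aa"))
BCAST, V6_MCAST = b"\xff" * 6, bytes.fromhex("333300000001")
def eth(dst, src, etype, payload=b""):
    return dst + src + struct.pack("!H", etype) + payload.ljust(46, b"\0")
LAN_MACS = {PC, NAS, ROUTER}
UNICAST = eth(NAS, PC, 0x0800)                     # PC to NAS, stays on the LAN
PADI = eth(BCAST, ROUTER, PPPOE_DISCOVERY, bytes([0x11, 0x09, 0, 0, 0, 0]))
FRAMES = [eth(BCAST, PC, 0x0806), UNICAST, PADI,
          eth(AC, ROUTER, PPPOE_SESSION), eth(V6_MCAST, PC, 0x86DD)]

if __name__ == "__main__":
    print("leaks past a transparent bridge:", leaked(FRAMES, LAN_MACS))
```

In this model, known-unicast LAN traffic stays local, while ARP broadcasts and IPv6 multicast are the frames that differ between the two bridge behaviours.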