ADSL bridge/PPPoE Question…



  • Is it any less secure plugging an ADSL modem (running in bridge mode) into a switch before connecting it to the WAN port of a pfSense box?

    For years I've had my ADSL modem plugged directly into the WAN port of my pfSense box. From there the LAN port would go straight to my switch, which then provides my network with internet connectivity. The only problem with this is, I've never been able to connect to my modem because I assume its "on the other side of the router"…

    Recently I discovered I can connect my bridged modem to a switch first, then plug it into both the LAN and WAN port on my pfSense box, and still get the same outcome. Except now I can also connect to my modem too.

    Initially I thought this might make my network "open to the internet" but upon thinking about it more I dont think it does.

    Thoughts?





  • @chpalmer:

    Heres another way…

    https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

    :)

    Thank you that is good to know. However, it doesn't answer my paranoid question above…



  • Ah yes…  Its late.

    PPPoE is a session between your wan and your ISP. Sort of a tunnel. Kinda one of the reasons you can't reach the modem from inside the tunnel.

    Its why someone supposedly cannot connect a device to your phone lines somewhere along the wire route and snoop on you.

    One of my locations uses an ISP that allows "bridging" which is basically pure IP from them to me, No login session.  I had it for a short time and could see the modems pages no problem by using its IP address.  Both my modems are Zoom 5x15 models.  (no router of any kind, bridge device only.)  one uses 192.168.10.1 and the other uses 10.0.0.1.

    my belief is that your switch is perfectly safe.  But Ive been known to be wrong.



  • @Towawi:

    Is it any less secure plugging an ADSL modem (running in bridge mode) into a switch before connecting it to the WAN port of a pfSense box?

    Thoughts?

    I wouldnt, go physical every time and even then its still possible to get data out of the cable using other methods which are taught in physics.

    Sometimes less is more.

    A conversation once with someone who worked for Cisco basically said they were amazed at the innovation demonstrated at getting access to switches to control the network.

    Considering zero days, its best to mitigate against the inevitable zero day attack where possible, so having your lan and wan connected to the same switch is just asking for trouble.


  • Netgate

    OP didn't say he was connecting LAN and WAN to the same switch.

    If you are putting the modem and WAN port on an unmanaged switch there is little, if anything, anyone can do.  You are introducing another point of failure, though.

    If it's a managed switch you can put two ports on a unique, blank VLAN and be reasonably safe.  The switch should support a management VLAN and should not respond to any management requests (web interface, telnet, ssh, snmp, etc) on any port not on that VLAN.

    I do this.  I like to be able to query the switchports via SNMP and mirror a port to wireshark/tcpdump if I feel so inclined. Would I like it to be a separate, "outside" switch, sure.  But the reality is it's good enough for me here.

    Other places I manage have dedicated outside switches just for outside-firewall WAN switching and I wouldn't dream of putting unfirewalled WAN traffic on the same switch as LAN traffic.

    So the answer is, as usual, "it depends."



  • @Derelict:

    OP didn't say he was connecting LAN and WAN to the same switch.
    @Towawi:

    Recently I discovered I can connect my bridged modem to a switch first, then plug it into both the LAN and WAN port on my pfSense box, and still get the same outcome. Except now I can also connect to my modem too.

    Initially I thought this might make my network "open to the internet" but upon thinking about it more I dont think it does.

    I got the impression he was.

    If you are putting the modem and WAN port on an unmanaged switch there is little, if anything, anyone can do.  You are introducing another point of failure, though.

    If it's a managed switch you can put two ports on a unique, blank VLAN and be reasonably safe.  The switch should support a management VLAN and should not respond to any management requests (web interface, telnet, ssh, snmp, etc) on any port not on that VLAN.

    I do this.  I like to be able to query the switchports via SNMP and mirror a port to wireshark/tcpdump if I feel so inclined. Would I like it to be a separate, "outside" switch, sure.  But the reality is it's good enough for me here.

    Other places I manage have dedicated outside switches just for outside-firewall WAN switching and I wouldn't dream of putting unfirewalled WAN traffic on the same switch as LAN traffic.

    So the answer is, as usual, "it depends."

    This is interesting. http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf

    Although the names used to identify the hacks on switches might be different to those used elsewhere, some of the methods used amount to being basically overflow attacks of sorts, ie the mac flooding as one example.

    Simply put, floods of data in various forms seem to have unintended consequences.


  • Netgate

    I believe switches, and their code, have gotten better since 2002.

    Every Metro-Ethernet provider is using switches on the "WAN."

    Every switchport going into a core router on the internet is a switch on the "WAN."

    I guarantee they also have management VLANs.

    Switching on the "Internet" side is unavoidable. How else do you think internet packets get delivered to/from you?

    You will also see me saying "Don't use VLAN 1 - Pretend it no longer exists when you start trunking." and "Don't mix tagged and untagged traffic on the same switch port.  If you must, don't use VLAN 1 as the PVID."



  • @Derelict:

    I believe switches, and their code, have gotten better since 2002.

    I agree

    Every Metro-Ethernet provider is using switches on the "WAN."

    Every switchport going into a core router on the internet is a switch on the "WAN."

    I guarantee they also have management VLANs.

    Switching on the "Internet" side is unavoidable. How else do you think internet packets get delivered to/from you?

    You will also see me saying "Don't use VLAN 1 - Pretend it no longer exists when you start trunking." and "Don't mix tagged and untagged traffic on the same switch port.  If you must, don't use VLAN 1 as the PVID."

    No one likes admitting they have been hacked, its bad for business, if they even know they have been hacked.



  • I would not do it, but that is just me.  Why would you want to do that anyway, you're just adding another device in the path, technically another hop as such.

    If it is because your Ethernet cable is too short, buy some new cat 5/6 off eBay or something and terminate it yourself.



  • @Derelict:

    OP didn't say he was connecting LAN and WAN to the same switch.

    @Towawi:

    …then plug it into both the LAN and WAN port on my pfSense box...

    Don't do that!
    Better use the doc.pfsense article chpalmer linked.
    Consider Wan dirty and separate it as good as can be from your Lan.