(Secret) ISP and routing restrictions, and how to fight them

I feel like I’m at war with the all the ISP and router peddlers of the world. I don’t think you should feel sorry for those working for these outfits, @Toivo. They’re crooks and scum preying on the weak, desperate or just less knowledgeable - no better than televangelist claiming to save people’s souls for money, the effectiveness of which is also very difficult to prove or disprove.

Anyway, I discovered something that feels strange to me. I have a 10 Mb/s cable connection included in the rent of my apartment in Helsinki. Apparently, some apartment building manager has set it up with an ISP by the name of DNA.

The router/modem I’m using is a Sagemcom F-3890v3 that I got for free from DNA. I just started testing it and found that I’m unable to connect more than one computer to it at a time. In fact, even if I disconnect my Librem laptop from DNA’s service, the old desktop I have doesn’t receive a public IP address from DNA. It connects through my phone’s hotspot just fine. The ISP I have for my phone is called Telia.

I also found the following: When my Librem laptop is connected through DNA’s service, if I turn on ProtonVPN, I get a new IP address after a few seconds.
If I then turn ProtonVPN off, I don’t get a new public IP address. To get a connection and a public address, I first have to disconnect from DNA, and then connect again.

DNA markets faster connections as suitable for several computers, but they say nothing about the slow 10 Mb/s connection only being usable on one. In theory, it’s not impossible that I’m doing something wrong, but I’m completely sober and, in this case, I doubt it.

How does this work? Is DNA registering my computers’ MAC addresses or something? I did have to give DNA my router’s MAC address when I first opened the connection, but can/should they be poking around what happens after the modem/router?

My next project will be to try to find a way to do port forwarding while tethering through my phone. Suggestions are welcome. I have an Asus RT-AC68U router that I at some point flashed with an old version of DD-WRT. What would be a good and stable new version?

For some reason I have been unable to reinstall Asus proprietary firmware back onto the router. I thought I’d bricked it yesterday. It came alive again, but it still has DD-WRT on it.

I don’t think there is a version of Openwrt for this router.

Sounds like your router is in “bridge” mode. This means it is not doing any routing but passing through from your computer to the ISP. And of course only one computer can be connected this way.

Thus the ISP sees you computer and of course its Mac address in order to assign an IP address and there could be a delay from switching computers to the ISP recognising it on your link.

The VPN is using the connection to tunnel through to another server which is the exit for you VPN and so will have an IP address

Normally the home router (ISP supplied or not) is set to router mode and it supplies a local address to each computer and there is only 1 public IP address that the router routes to when sending or receiving packets from the internet.

Home ISP connections (usually) do not have multiple public IP addresses. Your post suggests you expected each computer would have its own public IP address.

I’m not expecting each computer to have its own public IP address, not that I really understand what that actually means. But I do expect the connection to work with several machines.

I haven’s set bridge mode myself. I’m looking through the settings now. Is it possible the ISP is blocking router mode for me?

Yes, These routers typically are set by the ISP and special firmware is installed to allow the ISP to lock some features and perhaps even hide the feature.

One solution is to connect your own router to the ISP supplied modem/router and thus get the functionality you want. The ISP will “see” your router instead of any computer

I found the setting. It says bridge mode is off, i.e. router mode is on, but I guess that’s not necessarily true.

Its possible they set the DHCP with only one assignable address. Since typically computers do not set the IP address statically but rely on DHCP to assign them an address this would typically limit the network to have only one computer.

Maybe check the router’s DHCP settings

Yes! That was the problem. I had reserved an internal/private IP address for my Librem laptop. I canceled the reservation, and now I can connect with both machines. I wanted to make sure the addresses don’t change, since I want to do port forwarding. Was I completely wrong in my thinking?

Why is this so? Or would the explanation be too complicated for me to understand?

EDIT: Actually no, that was not it. I had IP address was assigned correctly. I think what got it working was that I connected DNS’s modem to my Asus router.

Yes you need to either reserve in DHCP the IP address for the computer, or just set a static IP address for the computer that lies in the subnet your router is using. Usually this is a 256 address range and usually the DHCP is only assigning IPs from a subset of that.

Reserving the IP address in DHCP is the easiest and safest because it means you laptop can be taken elsewhere and have no issues connecting on other routers.

There should be a table you can assign IP addresses to Mac addresses

The reservation should not stop other computers connecting, if that happened then maybe you used the wrong method to “reserve”

For instance on my home network, I have the computers with DHCP and some using reserved IP addresses in the router. And for my printer, switch, and NAS I use static IP addresses within the subnet but outside the DHCP allocation range.

Reason was the devices only ever lived on that local network and the computers may be connected to another network at some time and so remained as DHCP and let the router assign the IP address.

Sorry about the mess. I edited my post above. It seems you were right about bridge mode being on, despite the router/modem claiming the opposite. I now have both computers wi-fi connected to the Asus router that gets its signal from the fake DNA router/modem.

Its probably for the best anyhow.

Now the issue will be passing Safe Network packets through both the ISP modem/router and the ASUS router.

Is the WAN IP address of the ASUS router the same as the public IP address of your ISP connection. Google “what is my ip address” and use one of the sites to see you public IP address. Ensure VPN is off

Now is the public IP address of your connection the same as the WAN IP address of the router?

This is what I hate about these businesses. Even if they happen not to lie every once in a while, you can never be sure of what’s really going on. It’s like trying to blindly reverse engineer your own stuff. And if one is not a true expert, which you seem to be, it can be very difficult and frustrating.

When I disconnected from ProtonVPN on the laptop, the connection was broken and did not start until I disconnected and reconnected again. But the firmware on the DNA modem/router is so crappy that I have to keep reloading and rebooting. Now it’s claiming my laptop is in Ethernet when it’s really on wi-fi. It doesn’t even have an Ethernet port.

Apparently I have to connect the DNA modem/router working as a bridge to one of the LAN ports on the Asus router. Is this so? It feels strange to me.

I’m still trying to figure out the IP addresses. It looks like I’m being assigned both IPv4 and IPv6 addresses. Should I disable IPv6 completely somewhere?

Unless you are specifically trying to connect to another WiFi LAN (If router has that feature) you would use the ethernet WAN port.

So the ASUS router’s WAN port is connected to the modem/router’s ethernet port. And the ASUS has to be told that its using WAN to connect to internet and not adsl (if its there) or any other method.

What is happening is the ASUS router is using NAT (Network address translation) to connect any device on its LAN ports/wifi to the WAN port.

There will be a ethernet port on the ASUS router that is designated the WAN (Wide Area Network) port. The other 4 ethernet ports are actually the switch part of the router and for the LAN (Local Area Network).

So i’d expect that there is 4 ethernet ports together (sometimes with yellow plastic surround) and another ethernet port separate to those four (sometimes it has blue plastic surround)

Disable IPv6 unless you need it in the ASUS router. There will be a setting.

Once the ASUS router is connected to the modem/router then the connection with the ISP should remain.

NOW I should have asked before is there any program that has to be run on the PC to connect to the ISP? Or use browser to login to ISP?

Also if you use a VPN then there is no port forwarding that can be done on the router since your internet is effectively through the VPN and the VPN provider may or may not provide a method to port forward since VPN connections are usually shared and using NAT to do that.

I studied computer networks and I have been working about 10 years for cable and ISP companies. I can tell you one thing, sometimes things dont work because some manager wants to squeeze more money from customers, but most of the time it is lack of knowledge (both customer and ISP side) or lack of time to do things right.

Since people discovered IPv4 doesnt have enough addresses for everyone and instead of new protocol went for quick-fix called NAT, it started going downhill. It is quick-fix on quick-fix and all is more and more complicated.

People get often confused because router-modems mix a lot functions in one device:
Modem - converts one type of signal to another, in your case I gues coaxial or fiber optics to RJ45 ethernet
Router - forwards packets between different networks, in your case Internet and home network
NAT - manipulates packets, makes it look like there is only one device with the IP you have been given from ISP
…and some other functions

If router-modem from your ISP is crap-box (most of them are, because if you buy them by thousands, every cent spared saves them a lot) it is reasonable to use your own router. When you put router-modem in bridge mode, you switch of all the functions except the modem. One cable in, different cable out, no IP addresses wifi or anything else.
(There will be management IP, but that is used only to change settins, nothing else)
With this configuration the crap-boxes usually work ok.
Now you have to configure your router to do all the work (routing, NAT, port forwarding, wifi,…). So you connect the RJ45 cable from modem to WAN on your router a basically put in all the configuration that was on the modem-router before you made it modem-only.

IPv6 - It works in parallel with IPv4, it shares same cables but works in separate. It should not interfere with IPv4 if you set it wrong, but to keep things simple you can switch it off and play with it later when everything else works. SafeNetwork (sadly) doesnt support IPv6, so it doesnt matter for testnets.

VPN - It creates virtual wire between your computer and wherever the endpoint is, like your computer had second network card with a wire connected directly to that place. Programs dont know what is physical network card and what virtual, they see two options how to send data and it depends on configuration which route they use.
ProtonVPN is service focused mostly on hiding and protecting your computer, it is the opposite of what you want to do - make your safe node accessible from the Internet.

I realize that. Sorry for blowing up in a general way like I did. I hope you didn’t take offense. I know about quick fixes too. I myself have done some work on e.g. automatic orthography checkers and software localization as a subcontractor for a certain very big and very nasty company. I’m not proud of everything we were forced to do back then, but if the customer demands the impossible, you still have to deliver something. I’ve also done some teaching where I felt I was not really competent, but somebody else sold my services to somebody else on a lie.

It seems like as soon as I try to purchase anything, even freaking potatoes, somebody tries to pull wool over my eyes. Not admitting to one’s own lack of knowledge when asked about something equates to lying to me, which I can’t stand.

The more you know about something, the more depressing and frustrating the various salesmen and low-level help desks are. In this case I know way too little, but even I can see through some of the lies, and I’m weary of being scammed, intentionally or not. I want to be a customer, not a consumer.

Maybe large scale honest business where everything is presented and done properly isn’t even possible nowadays. Maybe it never was. I just keep picturing this Viking selling rotten oars that break in the middle of the Atlantic, and wonder what would have happened to such a businessman. But that’s for a different topic.

Your description of the various parts these boxes contain is very good and informative. Your post actually already helped me a lot. My situation is made a bit more difficult by the fact that I spend time both in our capital city Helsinki and out in the middle of nowhere where even electricity is a relatively new luxury. I’m a city boy originally, but I feel more comfortable out in the woods with my chickens, as long as it’s not too cold.

I just ordered this router a couple of days ago.

At least the build quality looks good, and the software should contain no secret ingredients, so I have a chance of actually learning what it does. As you can see, I’m pretty lost when it comes to modems, routers, ports and whatnot, so I appreciate any help I can get. But obviously I have to do quite a bit of reading myself. It’s not just for connecting to the Safe network. I really want to understand this stuff as well as I can. It’s just not my original field at all.

Out in the woods I have to use a wireless connection with a sim card. In Helsinki i have a coaxial antenna jack sitting on the wall, and I would like to use that when I can. What would be the absolute minimum in terms of hardware that I have to have for connecting the new router to the wall? Is that thing called a modem? Or can I get away with something even simpler called and adapter or something?

To the best of my knowledge you have to use a ISP supplied modem (or 2nd hand one if they allow it) because for cable they have to enable the MAC address of the modem to connect.

The signals out of the jack on the wall are specific for cable HFC (High frequency cable). HFC is a “broadband” cable, actual numerous signals of differing frequencies and allocated bands. Broadband originally meant one signal using a very broad band

So the modem takes signals from channels used for internet traffic and decodes them into a digital connection and in your case a 10Mb/s data stream. And the reverse for your uplink.

As @peca so well said, putting your modem/router into bridge mode is best since this eliminates the router portion of the modem/router. In my experience the router part is usually the worse part of the modem/router in terms of quality and workmanship. The modem part is mostly the manufacturer and should be of decent quality.

If you were to use your new router with its 4G then in the city you need to reconfigure it to use its WAN for internet and 4G for the countryside. Simple configuration change typically.

Although here 4G is typically faster than 10Mb/s in the city.

Here I can get a 4G dongle that will plug into my router but never done it. Maybe @peca can comment on it if you were thinking of going down this path.

You said you already had an ASUS router, so you should be able to use that in the city and the 4G router for the country and save transporting a router. Is the ASUS router less than 5 years old and working?

I’m pretty sure they do allow it. Things have gotten better here in terms of less lock-in. It may have something to do with EU anti-monopoly laws.

I can easily get 1000 Mb/s in the city through DNA cable, but I don’t really need that, and I spend most of my time in the country anyway. Out there 10 Mb/s is about what I get over 3/4G.

I thought about that, but doesn’t that mean there will be no antennas to capture the 4G signal? I’m pretty sure I need antennas.

I think the Asus is more than 5 years old, but I believe the hardware works. It’s the software part that’s been iffy, but I don’t actually remember what my original problem or reason for installing DD-WRT on it was.

My intention is to have the Asus in the city and the GL-inet in the country, but this is expensive stuff to me, so I want to have everything working everywhere and be able to switch easily, if something breaks. I believe in backups. I really dislike buying new gadgets all the time. I want to buy once, and be happy for a long time. I’m not an obedient “consumer”.

My previous desktop worked fine for about 8 years until some parts physically broke down. As you know, Linux doesn’t require new hardware for every software update.

I’ll have to take deep breaths and count to ten many times today, as I’m forced to visit a supermarket because I’m all out of potatoes…

For dongles the antenna is built in like it is in a phone.

If you are unsure your ASUS router is working properly then typically you’d need to try it and see if it works. If it does not work quickly then you most likely need to have someone test it for you who has the capabilities to test it for you. Testing routers you suspect are bad without the knowledge is a very time consuming task and little guarantee of success, sometimes easier to let someone who knows what they are doing to hands on test it.

I’m sure you’re right. I think the main problem is my own lack of knowledge. I need to study this stuff so that I truly know and understand what it is I want. This takes time, but I’m in no great hurry. I have backup solutions like my phone’s hotspot. Running nodes on Safe is really just what inspired me to start studying this more seriously now. It’s not something I desperately need.

Then there is the problem of finding a person who can actually set things up for you properly. I hardly know anybody in the field. The ISP people I’ve been able to reach know even less than I do about their stuff. I really don’t know where to turn, except for internet forums. I have nothing against paying a professional, but I want them to be true professionals, and not just sit around googling stuff that I can google myself.

(I’ll skip the supermarket and its peddlers for now. I still have beans and buckwheat that I can eat with my pig’s heart. What do you call those people stopping you in malls and trying to sell you magazines or cosmetics or whatever when all you really want is potatoes anyway? Personal marketers? In Asia I’ve just called them “helloers”, but I’m sure there is an official term for them.)