I've been concerned for some time about how difficult it is to securely manage the authentication, remote access, and firewall aspects of combined CPE modem/router devices, and the Zyxel devices in particular, since I have several.
I'd prefer to have the VDSL modem separate from the rest of the functionality as was the case with the original Openreach HG612 modem. Unfortunately these combined devices usually have better performing xDSL chipsets.
As I'm currently planning a new installation with multiple incoming VDSL links I decided to spend some time thinking about how it might be possible to create the required isolation on an existing combined modem/router.
Essentially the PPP authentication, firewall, RA/PD/DHCP, and DNS would be done on another (fully open-source) Linux device (RasPi?) as if the modem/router were in bridged mode but on the LAN side the Ethernet ports and WiFi would be used as normal (rather than being redundant as is typical in bridge mode).
This would also allow easy implementation of a VPN server on the 'edge' to prevent ISPs snooping on/mangling/blocking traffic.
My experience with configuring local VLANs on the VMG8{9,3}24 devices made me realise there might be a way to do this by isolating the ATM/PTM interface on a VLAN connected to another device for PPP authentication, etc., and the LAN/WiFi side connected via another VLAN.
So, two questions:
- Has anyone attempted this on any combined modem/router device?
- Is anyone interested in this functionality if I developed a custom firmware?
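Added example (the editor's, not the original poster's): the Linux-side half of the split described above, where the modem/router bridges its PTM/ATM interface onto one tagged VLAN and its Ethernet/WiFi bridge onto another, and a separate Linux box on the same trunk terminates PPPoE, firewalls the LAN VLAN through ppp0 and hosts the VPN listener. The interface name `eth0`, VLAN IDs 101/10, the 192.168.10.0/24 LAN, peer name `isp`, the ISP username and the VPN port are all assumptions for illustration; the modem/router side of the VLAN configuration is device-specific and not shown.

```sh
#!/bin/sh
# Added example, not from the original post: the Linux-side ("RasPi") half of
# the split-edge design. Assumed: the modem/router presents its PTM/ATM side on
# tagged VLAN $WAN_VID and its Ethernet/WiFi bridge on tagged VLAN $LAN_VID over
# one trunk into $TRUNK_IF here; this box terminates PPPoE on the WAN VLAN,
# routes/firewalls the LAN VLAN via ppp0 and hosts the VPN listener. Names, IDs,
# addresses and ports are illustrative; the modem/router side is not shown.
# "apply" (as root) configures the box; no argument only prints the output.
set -eu

TRUNK_IF="${TRUNK_IF:-eth0}"              # trunk port facing the modem/router
WAN_VID="${WAN_VID:-101}"                 # VLAN carrying raw PPPoE from the PTM/ATM side
LAN_VID="${LAN_VID:-10}"                  # VLAN carrying the modem's LAN/WiFi clients
LAN_GW="${LAN_GW:-192.168.10.1}"          # this box's address on the LAN VLAN
LAN_NET="${LAN_NET:-192.168.10.0/24}"
PPP_PEER="${PPP_PEER:-isp}"               # name of /etc/ppp/peers/<peer>
PPP_USER="${PPP_USER:-user@isp.example}"  # password lives in /etc/ppp/chap-secrets
VPN_PORT="${VPN_PORT:-51820}"             # e.g. a WireGuard server on the edge

# The isolation relies on two distinct, valid 802.1Q VLAN IDs.
check_vlan_ids() {
    [ "$1" -ne "$2" ] || return 1
    for v in "$1" "$2"; do
        [ "$v" -ge 1 ] && [ "$v" -le 4094 ] || return 1
    done
}

# Two tagged sub-interfaces on the trunk. The WAN VLAN deliberately gets no IP
# address: only pppd's PPPoE raw socket speaks on it, so LAN traffic can reach
# the PTM side only through ppp0 and the firewall below.
vlan_setup_cmds() {
    cat <<EOF
ip link add link $TRUNK_IF name $TRUNK_IF.$WAN_VID type vlan id $WAN_VID
ip link add link $TRUNK_IF name $TRUNK_IF.$LAN_VID type vlan id $LAN_VID
ip addr add $LAN_GW/24 dev $TRUNK_IF.$LAN_VID
ip link set $TRUNK_IF up
ip link set $TRUNK_IF.$WAN_VID up
ip link set $TRUNK_IF.$LAN_VID up
EOF
}

# pppd peer file: PPPoE on the WAN VLAN sub-interface (ppp 2.4.x ships the
# plugin as rp-pppoe.so; ppp 2.5 renamed it to pppoe.so).
ppp_peer_config() {
    cat <<EOF
plugin rp-pppoe.so $TRUNK_IF.$WAN_VID
user "$PPP_USER"
noauth
defaultroute
persist
maxfail 0
+ipv6
EOF
}

# Default-drop policy: LAN VLAN -> ppp0 is the only forwarding path. The WAN
# VLAN never appears: PPPoE frames are not IP and bypass the inet hooks. DHCPv6
# replies come unicast from the ISP's link-local, which conntrack does not pair
# with the multicast Solicit, hence the explicit 547->546 rule.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet edge {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        iifname "$TRUNK_IF.$LAN_VID" accept
        iifname "ppp0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        iifname "ppp0" udp sport 547 udp dport 546 accept
        iifname "ppp0" udp dport $VPN_PORT accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$TRUNK_IF.$LAN_VID" oifname "ppp0" accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "ppp0" ip saddr $LAN_NET masquerade
    }
}
EOF
}

apply_all() {
    check_vlan_ids "$WAN_VID" "$LAN_VID" || { echo "VLAN IDs must be distinct and 1-4094" >&2; return 1; }
    vlan_setup_cmds | sh -e
    sysctl -qw net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
    # A forwarding host ignores RAs unless accept_ra=2; ppp0 inherits "default".
    sysctl -qw net.ipv6.conf.default.accept_ra=2
    sysctl -qw "net/ipv6/conf/$TRUNK_IF.$LAN_VID/accept_ra=0"   # dots in names need slash form
    ppp_peer_config > "/etc/ppp/peers/$PPP_PEER"
    nft_ruleset | nft -f -
    pppd call "$PPP_PEER"
    # RA, DHCP/DHCPv6-PD and DNS for the LAN VLAN (dhcpcd/dnsmasq) go on top.
}
case "${1:-}" in
    apply) apply_all ;;
    *) vlan_setup_cmds; echo; ppp_peer_config; echo; nft_ruleset ;;
esac
```

The point to check on a real deployment is that the modem/router's own management interface is not reachable from either VLAN except as you intend: once the PTM side is bridged onto the WAN VLAN, anything on that VLAN sees raw ISP-facing frames, so only this box should be attached to it.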