Cascading routers - to avoid MAC reporting

ajay11

Hi,
I have reasons to believe that my ISP-provided modem/router reports every connected device's MAC to the ISP. This primary router cannot be replaced for several reasons. That's why I would like to know: if I create 2 separate networks using a secondary (cascaded) router and connect the 2 routers with an ethernet cable, can the primary router still see the MAC addresses of PCs connected to the 2nd router?

primary router : livebox (cannot be changed, no control over flash updates by the ISP)
primary router IP : 192.168.1.1 (standard setting)
secondary router : any brand (e.g. a dlink)
secondary router IP : e.g. 192.168.2.1 (manual)
secondary router mask : ??? 255.255.255.0 or other (not sure)
cable port on 1st router : LAN
cable port on 2nd router : WAN/internet

Any help would be really appreciated !
AJ
 
Why are you trying to block access to the MAC address? It is used in the second layer of network connectivity, e.g. a device asks "who has this IP, and at what MAC?" in order to send the packet. In other words your IP is directly tied to the MAC. If they are logging the MAC addresses of all connected devices then, yes, adding another layer of NAT should only reveal the router MAC to the gateway.
 
About James' answer, that's what I thought too ... but somehow I can't make it work. That's why I provided the config details, hoping that somebody might spot the problem. A PC on the 2nd router's LAN can ping both routers, but it cannot ping, say, 8.8.8.8 and it can't access the internet.
About Gabriel's answer, I understand the concept of MACs and IP addresses. And ISP-provided routers can (and in my case do) use special firmware to report all MAC addresses ever connected to the ISP (and further). This allows them to locate hardware at home (your ISP-provided router) and when you go traveling.
 
Hi James, I did check that the 2nd router knows the 1st router's IP on the WAN side (I entered 192.168.1.1 as gateway and source of DNS, with DHCP running separately in both LANs),
but I still can't make it work (symptoms as described before). Any other idea?
 
It's very normal to wire Router#1--(lan slot)----(wan slot)Router#2 and have devices on #2 work correctly.

1) the router addresses MUST be different
2) BOTH routers must use their internal DCP service
3) all devices to both routers use the DHCP Auto-IP and Auto-DNS assignments.

The number 2 router ONLY needs to set the LAN side configuration for the router address and DHCP range.

If you have messed with other settings, RESET that router and start over.

IMO, if setup correctly, Router#1 should not be able to ping Router#2, but #2 should ping Router#1 (as it traverses that device)
 
Hi there,
I followed all advice to the letter. In particular on the last comment (jobeard):
1) done, see my initial post
2) done and it works (if DCP is a typo meaning DHCP)
3) assignments check with ipconfig, they are as expected
3') But the next statement "The number 2 router ONLY ..." I am not sure I can do it. The DIR-615 requires a definition of the ISP (meaning WAN) interface. I can choose among several, but only static IP works, and here I enter the IP address of the first router 192.168.1.1, netmask, etc.
3'') Resets done, no change.

Result still not satisfactory. Pings from a PC connected to router#2 show both routers connected, but trying to ping anything outside (e.g. 8.8.8.8) fails and router #1 returns an error message.
Another strange observation. In this setup, not only can't router#2 connect to the internet, but a PC connected to router#1 cannot connect either until the cable between #1 and #2 is disconnected.

Any more ideas? please :)
 
It's not a firewall issue so re-enable that.

The router#2 DOES NOT need a WAN side setting ... when cabled to router #1, that router will configure the WAN side with its DHCP. So only make LAN side settings AND make sure the two routers have different addresses.
 
Hello (jobeard),
Thanks for trying to help. My options in router#2 WAN side settings are
static IP, dynamic IP, PPPoE, PPTP, L2TP and DS-Lite. There is no way to say "no".

Whichever I choose, the router wants the details, meaning the router wants a WAN side configuration.
Example, if I choose static-IP I have to enter IPaddress, netmask, gateway etc. The router does not accept that I leave these fields empty.

So how does one NOT configure the WAN side on router #2 in this case?
Cheers
 
DO NOTHING -- leave all fields as-is (or empty them if you have content now).
If you can't save the settings, then RESET to factory settings and come back to setup ONLY the LAN side
 
BTW: I hope you understand that to control the settings (at least initially), you cable the PC directly to the WAN slot on ROUTER#2, make the changes and save.

THEN you cable Router#1-->Router#2--> whatever devices you choose.
 
Hi again,
it was your clarification above (6:34pm, do a reset, then don't touch the WAN side settings) which finally solved the problem. Just opening the dialog already screwed it up, which I wouldn't have figured out without your clear advice!! Many thanks
 
You're welcome.

Now that you're up and running, let's get back to the original issue: Mac address tracking.

First, ever think of HOW an ISP validates that you are a valid customer vs some hacker accessing their gateway? It's done with your first-time connection of the modem to the gateway and capturing the modem's MAC. The other possibility is to capture the MAC of the router connected to it. It's called Hardware Provisioning.

That's the only mac address they need and track. Perhaps you've read sufficiently to know that TCP traffic is routed via the MAC at the lowest level and this is what started your concern.

The reason we need routers with NAT is to insert the MAC of a specific LAN device into a specific slot in the packet to create an association of Your Public IP address -> a specific LAN-attached device MAC. Without NAT, we could never have multiple devices being serviced on one ISP connection.

This will occur regardless of how many routers you daisy-chain together. Don't get paranoid on the issue as the ISP is not going to be scanning packets to find every mac - - enjoy what you have and surf the net to your heart's content.
 
Now let us check whether there may be a misunderstanding on one side or the other. First the network layers. While not a programmer, I think I understand the ISO model and the role of IP and Ethernet. My working hypothesis is this: the ISP-provided modem/router can see any equipment connected to it via ethernet (LAN1), and so it "knows" all the MAC addresses. It can also see the MAC address of the 2nd router because the two are connected through the same LAN1. It can also communicate with any equipment installed on the separate LAN2 (created by router 2), but it cannot see their MAC addresses (their MAC addresses are generated / inserted by router 2).
If this is correct so far, then here is the catch: some special piece of firmware on router 1 (not needed for normal functioning of the router) could record and transfer all unique MAC addresses to the ISP (or the man behind) - but only the ones it knows, those on LAN1 and router2's MAC. Is this still correct?

Next, my router2 certainly does not have that firmware, meaning that the MAC addresses of any equipment connected to router2 remain private - in theory. Packets go back and forth between router1 and 2, but no MAC addresses float around. Still correct?

Next, why do I care ? Very simple. People worry about being tracked in shops and anywhere else. The drawbacks of this have been discussed widely. Such a piece of firmware would add one vital piece of information for the trackers : my home address, and possibly whether I am at home or not. Regardless of whether my identity is already known or not, this matters. Before the firmware update the ISP does of course know my name and address, but not which devices I use. And the trackers in a shop or elsewhere know part of my geo profile, but (hopefully) not my identity. That little piece of software can nicely nestle it all together. Paranoia ? I don't think so.

If this is ALL correct (please confirm) then using cascading routers will complement my other attempts for some privacy ...
Thanks again for all of your comments.
 
Now let us check whether there may be a misunderstanding on one side or the other. First the network layers. While not a programmer, I think I understand the ISO model and the role of IP and Ethernet. My working hypothesis is this: the ISP-provided modem/router can see any equipment connected to it via ethernet (LAN1), and so it "knows" all the MAC addresses.
FALSE
It can also see the MAC address of the 2nd router because the two are connected through the same LAN1.
The ISP Public side of the router normally does NOT perform NAT TRAVERSAL to access the LAN side. That would take a HACK on the firmware and the ISP itself is not interested.

Assuming the primary router#1 is 192.168.1.1 and the router#2 is at 192.168.2.1, unless YOU fool around and create a route, there is no path from #1 -> #2 :) #2 can get out with a new connection and the reply can get back because the path is embedded in the packet(s), while there is no path for a new connection from the Internet into Lan1 --> Lan2. This is really cool as all devices on Lan2 are protected EVEN W/O firewalls.
 
Thank you for that insight.
Now there is one caveat. If you live in a country that is paranoid about terrorism, and where even every single public hot spot (incl. the free Wifi on campsites run by the local muni) uses login scripts to find and report your phone's or iPad's MAC ... THEN the HACK may not be in the interest of the ISP but it is enforced by a bigger player.

That aside, would you agree (you didn't respond) that router1 in this scenario does not have access to the MAC addresses of equipment in LAN2 ?
 
Thank you for that insight.
Now there is one caveat. If you live in a country that is paranoid about terrorism, and where even every single public hot spot (incl. the free Wifi on campsites run by the local muni) uses login scripts to find and report your phone's or iPad's MAC ... THEN the HACK may not be in the interest of the ISP but it is enforced by a bigger player.

That aside, would you agree (you didn't respond) that router1 in this scenario does not have access to the MAC addresses of equipment in LAN2 ?
YES, it has the MAC of the WAN side but nothing on the LAN side :)

BTW: I hope you're aware that you MUST change the ADMIN password AND disable remote admin via port 8080 :)
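As an added illustration (not posted by anyone in the thread), a small Python model of the two-router layout: a router rebuilds the Ethernet header for every packet it forwards, so router#1 only ever learns MACs from LAN1 plus router#2's WAN port, never the MAC of a PC behind router#2. All MACs (locally administered 02:... values) and the 203.0.113.10 WAN address are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Frame:
    """One Ethernet frame carrying one IPv4 packet (only the fields that matter here)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class NatRouter:
    """A home router with a LAN port, a WAN port and NAT towards its upstream gateway."""
    name: str
    lan_net: IPv4Network
    lan_mac: str           # MAC of the LAN port (what downstream devices talk to)
    wan_mac: str           # MAC of the WAN port (what the upstream router sees)
    wan_ip: str            # address on the upstream network (DHCP from router#1 in the thread)
    upstream_mac: str      # MAC of the next hop on the WAN side
    seen_macs: set = field(default_factory=set)

    def forward(self, frame: Frame):
        # Layer 2 is per-link: a router only learns the source MACs of frames that
        # arrive on its own ports, i.e. devices on a directly attached segment.
        self.seen_macs.add(frame.src_mac)
        if IPv4Address(frame.dst_ip) in self.lan_net:
            return None  # destination is local, nothing goes upstream
        # Routing + NAT emits a brand-new frame: fresh MAC header, translated source IP.
        # The originating host's MAC is not carried anywhere in the outgoing frame.
        return Frame(self.wan_mac, self.upstream_mac, self.wan_ip, frame.dst_ip)


def simulate():
    """Replay the thread's topology: PC_A on LAN1, PC_B behind router#2 on LAN2."""
    r1 = NatRouter("router#1", IPv4Network("192.168.1.0/24"), "02:00:00:01:00:01",
                   "02:00:00:01:00:02", "203.0.113.10", "02:00:00:ff:ff:ff")
    r2 = NatRouter("router#2", IPv4Network("192.168.2.0/24"), "02:00:00:02:00:01",
                   "02:00:00:02:00:02", "192.168.1.50", r1.lan_mac)
    pc_a = ("02:00:00:01:00:aa", "192.168.1.20")   # on LAN1, default gateway r1
    pc_b = ("02:00:00:02:00:bb", "192.168.2.20")   # on LAN2, default gateway r2
    # PC_A -> 8.8.8.8 goes straight to router#1
    r1.forward(Frame(pc_a[0], r1.lan_mac, pc_a[1], "8.8.8.8"))
    # PC_B -> 8.8.8.8 hits router#2 first; only router#2's rewritten frame reaches router#1
    r1.forward(r2.forward(Frame(pc_b[0], r2.lan_mac, pc_b[1], "8.8.8.8")))
    return {"r1": r1.seen_macs, "r2": r2.seen_macs,
            "pc_a": pc_a[0], "pc_b": pc_b[0], "r2_wan": r2.wan_mac}
```

Running `simulate()` shows router#1's table holding PC_A's MAC and router#2's WAN MAC, while PC_B's MAC appears only in router#2's table; putting router#2 in bridge/AP mode instead of routing would collapse LAN2 into LAN1 and undo this.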
 