8

I live in a flat where Fibre to the Home (FTTH) is used for Internet access. The wireless router is positioned away from the FTTH modem to optimize coverage and connected by a single twisted pair cable. The modem has multiple LAN ports.

To integrate all devices into the same LAN and use the wireless router as the PPPoE client, the following configuration was implemented:

  1. The FTTH modem was set to bridge mode, and its DHCP server was disabled.
  2. The wireless router was set to PPPoE mode with its DHCP server enabled.
  3. A short cable connects the WAN and a LAN port of the router, and another cable connects another LAN port to the modem.

This configuration has been functioning well for over a year. Why does it work? Are there any potential drawbacks?

3
  • 2
    It works because the ISP modem is in Bridge mode.
    – Ramhound
    Commented May 15 at 19:55
  • Also, it works because that is how it is supposed to work: wan -> [modem] -> lan -> wan -> [router] -> lan ports -> [devices]. This setup makes it so that the router creates a new network.
    – LPChip
    Commented May 15 at 20:02
  • To add to @Ramhound's statement: when a modem is in bridge mode, it will disable its routing functions and its WAN connection is bridged directly to one of the LAN ports. All ports are open (e.g. no port forwarding needed), DHCP and WIFI are turned off. This makes it so the router part can be a separate device. You always connect the 2nd router by its WAN port.
    – LPChip
    Commented May 15 at 20:04

3 Answers

11

A short cable connects the WAN and a LAN port of the router, and another cable connects another LAN port to the modem.

All the 'LAN' ports are connected internally like an Ethernet switch: what goes in through one port, leaves through another. (It does not have to go through the router first.) In effect, it's almost as if the modem is connected directly to the LAN port.

In many cases this would create a huge mess, because the same ethernet would then be receiving DHCP offers from the router and from the ISP (via modem) – as, again, the LAN ports are pretty much pass-through – but in your case it just happens to work fine because there is no DHCP from the ISP; it's all encapsulated in the PPPoE tunnel. (And for the same reason, the ISP's own network or other customers aren't bothered by the DHCP garbage that your router tries to offer.)

So the result is that there are two independent networks (the IPoE-based LAN and the PPPoE-based Internet access) running over the same ethernet, and it works fine as long as they're based on different protocols.

Are there any potential drawbacks?

If your ISP ever switched from using PPP to straight IP (which is always a possibility!), you'd have the kind of mess described above. Devices would randomly get public IP addresses straight from the ISP instead of getting private ones for the LAN. If the ISP limits the number of addresses – one device could "steal" the router's WAN DHCP lease at random.

2
  • 5
    "In effect, it's almost as if the modem is connected directly to the LAN port." should say "... WAN port", no?
    – Bergi
    Commented May 16 at 13:34
  • For anyone helping in the review queues (as I was), Stack Exchange erroneously has this marked as a bad answer, so if you upvote it or approve it as a quality answer, you will fail the review test. This continues to be a common problem on SuperUser and the issue was reported by others in the past.
    Commented May 23 at 5:50
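
The coexistence described in the answer above, and the DHCP drawback it warns about, can both be checked on the wire. As an added example (not part of the original answer or its comments), this Python code classifies frames on the shared segment by EtherType and lists any DHCP server other than the expected one; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
ETH_IPV4, ETH_PPPOE = 0x0800, (0x8863, 0x8864)   # PPPoE discovery / session
DHCP_MAGIC = b"\x63\x82\x53\x63"

def dhcp_message_type(payload):
    """Return DHCP option 53 (message type) from a BOOTP payload, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                                # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None

def classify(frame):
    """Return (kind, source MAC); kind is 'pppoe', 'dhcp-server' or 'other'."""
    if len(frame) < 14:
        return ("other", None)
    src, ethertype = frame[6:12].hex(":"), struct.unpack("!H", frame[12:14])[0]
    if ethertype in ETH_PPPOE:
        return ("pppoe", src)          # anything inside PPP is not seen as IPoE
    if ethertype == ETH_IPV4 and len(frame) >= 34 and frame[23] == 17:   # UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        # UDP source port 67 and message type OFFER (2) or ACK (5)
        if udp[0:2] == b"\x00\x43" and dhcp_message_type(udp[8:]) in (2, 5):
            return ("dhcp-server", src)
    return ("other", src)

def rogue_dhcp_servers(frames, allowed_macs):
    """MACs answering DHCP on this segment that are not the expected server."""
    seen = {mac for kind, mac in map(classify, frames) if kind == "dhcp-server"}
    return sorted(seen - set(allowed_macs))

def _offer(src_mac, server_ip):        # builds a constructed DHCPOFFER frame
    bootp = b"\x02\x01\x06\x00" + bytes(232) + DHCP_MAGIC + b"\x35\x01\x02\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(server_ip), b"\xff" * 4)
    return b"\xff" * 6 + bytes.fromhex(src_mac) + b"\x08\x00" + ip + udp
ROUTER, ISP = "02aaaaaaaa01", "02bbbbbbbb02"   # constructed MAC addresses
SAMPLE = [                                     # constructed, not captured traffic
    bytes.fromhex(ROUTER + ISP) + b"\x88\x64\x11\x00\x00\x01\x00\x02\xc0\x21",
    _offer(ROUTER, [192, 168, 1, 1]),          # the router's own LAN DHCP
    _offer(ISP, [203, 0, 113, 1]),             # what an IPoE ISP would add
]
```

With only the first two sample frames (the PPPoE case) the rogue list is empty; adding the third frame reports the upstream MAC as a second DHCP server on the LAN.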
1

PPPoE works by transferring PPP packages over Ethernet, as the name implies. This "over ethernet" is literal - your FTTH modem is a media converter and passive Ethernet switch and whatever device on your side which talks PPPoE talks with some device in a junction box of your provider. This would be a large gray box at the side of the street (for my house), or some box inside your building, belonging to your telco company, gathering all the connections from the individual flats.

Wifi is the same - there is no cable, but on a topology level, the Wifi is a media converter, and on top of it there sits regular Ethernet.

Also, in the usual home Wifi routers that I have experience with, the Wifi devices are by default (and often this cannot even be changed) on the same network as the physical LAN ports of the Wifi router.

Long story short, Ethernet is Ethernet is Ethernet. By connecting the FTTH modem to a LAN port of your Wifi router, and connecting all other devices in your home to the LAN port of your Wifi router, or adding Wifi devices, all these devices (or rather, network interfaces), including the PPPoE upstream of your provider, sit on the same Ethernet.

It does not matter that there are three different physical media here (the FTTH line; the Wifi; and the physical Ethernet cables you might or might not have). All these are Ethernet; all devices have MAC addresses, there is no routing on this level, everything can see everything (assuming no MAC filters in any of the devices, which there usually are, at least for even home-use Wifi routers, in my experience).

If you do nothing else, then all these devices can communicate with each other, all devices will specifically receive all broadcasts, and you can set up IP on top of it via your DHCP server, or static IP setup; but you have no Internet/upstream connectivity yet. This is where PPPoE comes in. Any device on your combined Ethernet can talk PPPoE with your provider. Your provider has no clue whether it is the FTTH modem, the Wifi router, or a little Raspberry Pi Linux box sitting in a corner.

Whatever your PPPoE "client" is, it will have a virtual or physical Ethernet interface as well. Traffic to/from the upstream Internet will go through this interface. In case you configure the PPPoE manually on a Linux box, you can see this interface in the list of interfaces; it is by default not the same interface as the LAN, and it is then up to you to set up routing (not switching) between your LAN interface and the PPPoE "Internet" interface (you would, for example, define the IP address of this interface as gateway in your DHCP or static configs; you would set up NAT there, and make sure that incoming TCP/IP connections are blocked, and so on and so forth; all your security measurements go into this routing).

Finally, the WAN port of your Wifi router has the special semantics that if the Wifi router acts as PPPoE client, it will route the PPPoE connection through this port, and this port only; also this WAN port would usually not be switched with your LAN. This is a default configuration which works well in this scenario, as it separates your LAN Ethernet from the Ethernet that is used for the PPPoE traffic. By connecting the WAN and LAN ports on your Wifi router, you combine the two Ethernets into one. The most interesting implication is that some technician having access to the upstream device (the PPPoE server) could use a packet sniffer to see your LAN ethernet packages, or do further shenanigans (i.e., add his own devices to your LAN).

(Note that modern switches, as soon as they know which of their LAN ports has a certain MAC address connected, will usually only send packages destined to that MAC on that port - so in practice the above scenario of the technician listening to your LAN would only happen if you have incredibly dumb, outdated switches; but always for Ethernet broadcast frames. Adding new LAN devices on their site should still be possible; you have to decide for yourself if this security implication bothers you.)

0

I'm having a bit of a hard time understanding what your setup is exactly. A diagram/drawing could help.

Based on my assumption of what your setup might look like, one setup I can think of is one I used to have in the past.

Modem/router from ISP replaced with a "modem-only" and my own router/firewall installed behind it. Managed switch (UniFi) was also involved.

  • Modem WAN (coax) plugged into ISP signal booster
  • Modem LAN plugged into port 1 of switch on a "VLAN-only" segment*
  • Router WAN plugged into port 2 of switch on VLAN-only
  • Router LAN plugged into port 3 of switch with "All VLAN"
  • TV decoder of the ISP went into any port but on the VLAN-only segment
  • Other devices were also plugged into the switch on the VLAN of your own choosing

The reason for this setup was that the TV decoder of the ISP has to be directly connected to the ISP's network. So it also had to be connected to the "VLAN-only" segment. It would fail to function if you put it behind your own router. Another solution would be to put a dumb switch between the modem and your router and hook up the decoder to that switch.

I believe the ISP implemented some monitoring to ensure those decoders were put in a different network segment that wasn't internet accessible.

* UniFi has a different terminology wrt VLAN. By default their VLAN are open to each other, but they have a special "VLAN only" option that creates an isolated VLAN without DHCP.
