Static WAN IP Question

Has anyone else tried to get a static WAN IP for their home? I tried, but I was not allowed to have control of the IP myself. The IP had to remain on the ISP’s router, and they would forward me the traffic. Obviously, this is insecure, and not private. I’ve worked in IT for decades, and corporations have control over their public IPs. Hopefully its just my ISP. Has anyone else had this problem?

Does the ISP provided router have a IP pass through mode? If all else fails you could put the private IP you have with the router you want to use that is behind your ISP router in a DMZ to deal with the double NAT issue.

ISP router ——DMZ——pfsense router

I’m in the UK & have had a /29 netblock here at home for 2 decades so yes, it is possible; my ISP is great & don’t do any sort of restricions or bandwidth throttling. In the UK it’s very ISP dependent and I’ve never come across a “home” version of supplying netblocks; a single static IP is more possible on a home account. Mine have always been the “business” version which also gives you the ability to control the rDNS for your IPs.

Are you sure you have to use the ISP’s router? I’ve successfully ditched the ISP router before simply by cloning its MAC address onto the pfSense WAN interface. Something to try…

My concern is primarily with privacy. If I want to do encryption to my static WAN IP, I want it to be on hardware that I own. I don’t want the ISP to be a man in the middle.

Def something to think about, and study up on. I canceled the service when he told me that I would have to use their router, so I didn’t get it installed.

@witzendcs I’m in the UK too, which ISP are you using ?

By far the best ISP in the country. Not the cheapest but you do get what you pay for!

Thanks, not come across Zen before, I’ll keep an eye on them.

We use Zen for our clients,

All depends on the service. Some static IPs cost an extra $5 a month, but doubt you have control. I priced out a 200/200mbps service for business with static IP and it was going to be $35,000.00 per year.

What do you mean by that? TLS, SSH and VPN protocols are all end-to-end encrypted. What kind of encryption are you talking about that would be terminated at the ISP-provided router (or any router, for that matter)?

IPSEC, SSLvpn, are a few examples. I feel the type is irrelevant. As an american I should have the same rights as a corporation (or more). Are you suggesting that they aren’t important? I remember when IT used to be a bit more punk. Guess I’m old school.

IPsec and SSL VPN are also end-to-end encrypted, though. If you operate a VPN server, it doesn’t matter how many routers or NAT devices traffic traverses, it will be encrypted all the way to your server. My point is: Why do you feel there is a reduction in privacy by using an ISP-provided router? Your ISP is always going to be the MITM, that’s what you’re paying them for.

Am I saying you should trust your ISP? Hell no.

Am I saying it’s good practice that ISPs only offer a subset of service to residential customers that they offer to corporate customers? Also no. German ISPs are the same in this regard and I am frequently bothered by that as well.

I’d argue that the devices behind the double NAT’d router is secure. The first router is just another hop that it takes to get out and things like DNS over TLS, https, ssh, IPsec and so on cannot be captured because the termination is done on the secondary router.

The first router isn’t aware and just pass the traffic on. The secondary would be upholding the security for inbound and outbound.

Ok, maybe I’m missing something. How do you build an IPSEC tunnel to the public facing WAN IP (on ISP router), but still have it maintain encryption past the ISP router to my LAN?

Ok, I may be missing something. How can I build inbound connections (to the public static IP on ISP router), and have it maintain encryption to my equipment?

With protocols that operate at the transport layer, you would use port forwarding. But I’ve never used IPsec and from what I’ve read, it seems to operate at the network layer. So I concede that it may not be as simple to forward as other VPN protocols, especially given a restrictive ISP-provided router. This post seems to suggest that it can be done. Using the DMZ or Exposed Host option of the router may also be effective, if it exists.