This firewall thing.

Apologies that this is work related but it needs to be somewhere google can find it.
Every so often I see someone complaining on one forum or another *cough* *cough* complaining that we do not let customers configure the firewall on their modems. There is a reason for this.

The reason we don’t let customer configure their modems firewall is that it doesn’t do anything. Our modems are not acting as NAT routers / PPPoE Clients. They are basicly switches. This means no layer 3 handling, no need to map ports. So any config a user might apply would be ignored. Also should a user put the modem into routed mode a TV stream or two and it will melt. DSL modems are not exactly high powered. The other reason we do not let users fiddle with the modem is because we have QOS settings to protect both the TV and Voice traffic.

So how does it work: You plug in your PC and it requests an IP address via DHCP. The DLSAM and the provisioning system have a quick conversation and then assign your PC an IP address. A unique Public IP address which supports any application. The only filtering we do on a customers port is some basic stuff to prevent common viruses and spam bots.

If you then plug in another PC, your friends laptop when they are visiting, that new xbox you got for your birthday they will just be assigned an IP address of their own. Magnet’s FTTH and LLU networks have been certified as suitable for use with xbox live. 95% of the tests didn’t apply to our networks because we don’t do things like NAT.

The reason we do not let users configure the firewall is that it has no function.
Anyway here ends the Rant.


  1. Conor says:

    Is there a limit to how many IP’s it will hand out per CPE?

  2. colin says:

    The default limit is 8 per customer port. The is just a default designed to protect against malcious activity.

    If you have a bunch of friends coming to visit or just have a lots of computer devices then you can just ask support to increase the “maxipcount” on your port.

  3. Conor says:

    Interesting way to run the network, people must have no issues trying to get VoIP and the likes to work out of the box.

    Although I’d have to put my windows boxes behind some sort layer of protection.

  4. colin says:

    Well we do a minimal amount in that we filter the common windows ports by default.

    To be honest most attacks are delivered via the browser etc.

  5. Richard says:

    There is stuff to configure in it, the wireless stuff can be configured for one thing.
    At the moment my connection is totally open with no WEP/WPA key. If I had access to the modem I could fix this myself. But since I have no access I have to phone support.
    I supose I just have to accept the fact that I have a ‘Black box’ on my desk that could be doing stuff I don’t want it to do and that I can’t configure it.

  6. colin says:

    It should not have shipped like that.