this post was submitted on 16 Mar 2026
74 points (97.4% liked)

Selfhosted

57595 readers
2093 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hi there, I’m looking to get into self-hosting for privacy reasons and I wanted to ask y’all: how inadvisable is it to utilize an ISP-owned router/modem? I feel like they’re able to track everything I do online with their more than likely integrated spyware.

[–] mko@discuss.tchncs.de 6 points 6 hours ago* (last edited 6 hours ago) (1 children)

A router provided by an ISP is not your hardware, thus any network behind it is by definition not controlled by you. There have been numerous cases where they have backdoors or known admin passwords. In cases where there is a wire type transition (for example incoming over coax or fiber) it might be necessary to use it though. Same if it is necessary due to your contract.

In my case I always turn off the wireless antennas and switch it to bridge mode, then place my own router/firewall device behind it.

Edit: still learning to spell.

[–] partofthevoice@lemmy.zip 2 points 5 hours ago* (last edited 5 hours ago)

As I’ve grown older, I’ve realized that I care a lot less about whether I own the device or the ISP. I’ll happily root the fucking thing. What are they going to do, send me to a competitor? I have 3 different networks I can connect from at any moment (including hotspots), so I’m not worried about a minor lapse due to ISP temper tantrums.

I will tell them casually too. I don’t want their support. I pay for internet access, it’s their problem if they try to make my access conditional beyond that.

[–] magic_smoke@lemmy.blahaj.zone 1 points 5 hours ago

Your router is an important security device that you should own and control yourself if you want any semblance of ownership over your network.

Your modem is remotely controlled by the ISP even if you own it, and is mostly there to demodulate from the medium installed by your ISP (usually cable, or fiber, but those are called ONTs, not modems) to a standard Cat 6 Ethernet connection you can plug into most routers.

The main benefit of owning your own modem is not having one with a router built in and not having to pay an equipment fee.

[–] imetators@lemmy.dbzer0.com 3 points 11 hours ago (1 children)

The router provided by my ISP is just garbage. The settings are so scarce, I might as well just connect my PC directly (if I could, because the cable is DOCSIS). Had to buy a 10-year-old DOCSIS router that actually is usable.

If your router is fine in settings, maybe changing it won't be necessary. As for ISP spying on you - probably possible but certainly is not likely.

[–] speculate7383@lemmy.today 1 points 4 hours ago

Had to buy a 10-year-old DOCSIS router that actually is usable

Alternatively, you don't have to be restricted to a 10-year-old router just because of DOCSIS.

You could change the router to bridge mode, effectively making it just an external modem for any ethernet-to-ethernet router of your choosing.

[–] glitching@lemmy.ml 2 points 12 hours ago* (last edited 11 hours ago)

I gave up on mine for a privacy-unrelated reason: they often reboot the thing remotely, for updating or whatnot. Not a big deal per se; the problem is that my local network stops working, and that I will not abide. So once I stopped using it, the rest (pihole, unbound, etc.) came on its own and now I'm not going back.

[–] IsoKiero@sopuli.xyz 50 points 1 day ago (2 children)

The ISP can see your traffic anyway, regardless of whether their router is at your end or not. Here any kind of 'user behavior monitoring' or whatever they call it is illegal, but the routers ISPs generally give out are as cheap as you can get, so they are generally not too reliable and they tend to have pretty limited features.

Also, depending on the ISP, they might roll out updates on your device which may or may not reset the configuration. That's usually (at least around here) done with the ISP's account on the router, and if you disable/remove that, their automation can't access your router anymore.

So, as a rule of thumb, your own router is likely better for any kind of self hosting or other tinkering, but there's exceptions too.

[–] Bazoogle@lemmy.world 2 points 11 hours ago (1 children)

The ISP wouldn't see your self hosted traffic. Not to mention many people don't encrypt it if it's on their own local network. And ISP tracking is becoming less successful with QUIC, Encrypted Client Hello, and DNS over HTTPS or DNS over TLS.

[–] IsoKiero@sopuli.xyz 1 points 8 hours ago

ISPs obviously don't see the traffic inside your own network, regardless of the router used. But as soon as you open any kind of connection over the internet, incoming or outgoing, your ISP has to have some information about it to route the traffic. DNS over TLS doesn't hide that your browser opens connections to servers; they can see if you use WireGuard to access your services (not which ones, just in general that there's traffic coming and going), and even if you use a VPN for everything they can still see the encrypted VPN traffic and, at least technically, apply pattern recognition on that to figure out what you're doing. And if you use a VPN then your VPN provider can do the same as your last-mile internet provider, so you'll just move the goal by doing that.

Last-mile ISP is going to be a middleman on your network usage no matter what you use and they'll always have at least some information about your usage patterns.

[–] Cobrachicken@lemmy.world 13 points 1 day ago (1 children)

Honest answer, why tf would s/o vote this down?

[–] irmadlad@lemmy.world 19 points 1 day ago (2 children)

I've often wondered about down votes as well. It's not the points, as I care nothing about that. However, if you're going to down vote something, have the balls to explain why. Maybe the down voter knows something that we all can learn from. It just seems like a common courtesy to do so.

[–] BagOfHeavyStones@piefed.social 11 points 1 day ago (1 children)

It might just be an error. It's not too hard to hit one by mistake when scrolling on a touch screen device.

[–] irmadlad@lemmy.world 2 points 23 hours ago

Could be. Not ruling that out. It seems to pile up on certain comments tho. Makes me wonder. I'm always down to be schooled. Shit son, ring the bell! Ahhh the internet.

[–] Telorand@reddthat.com 4 points 1 day ago (2 children)

However, if you're going to down vote something, have the balls to explain why.

This is why downvoting is fundamentally flawed. It could be "I don't like it" all the way up to "I know for a fact that's wrong," but nobody else will ever know the rationale.

I don't even see downvotes on my instance, and I never want to, because it just raises questions and confusion.

[–] IsoKiero@sopuli.xyz 3 points 7 hours ago (1 children)

I've always liked the way slashdot handles comment rating. It's a bit complicated, so maybe that's why it's not adopted elsewhere, but it gives much more fine-grained options instead of just up/downvote.

[–] Telorand@reddthat.com 2 points 7 hours ago

Oh, that's an interesting way to do it. You'd probably have to have a handful of moderators each for the various comms, but it sounds like it would at least resist lazy engagement.

[–] irmadlad@lemmy.world 3 points 23 hours ago

because it just raises questions and confusion.

This. I think, waay back in the day, down voting was a way to filter bad information. Whenever I see a down vote on something I've said, I'm always left wondering if I gave erroneous information, was I out in the weeds smokin' crack? I'm always down for being educated.

[–] ultranaut@lemmy.world 27 points 1 day ago (1 children)

Regardless of whether your ISP is leveraging their ownership of your router to violate your privacy, they are using it to exploit you financially. Owning your own equipment is always going to save you money compared to what an ISP will charge you in rent.

[–] chisel@piefed.social 2 points 23 hours ago (1 children)

Well, AT&T for example requires that you use their provided modem+router combo, which they provide for free (unless you include their plans being generally more expensive than their competitors as an extra fee). They do try to sell you on range extenders for, what I assume to be, the shit router they give you.

Their router gives you less control than you'd get with your own router, helps with lock-in because it makes it harder to change providers, and allows AT&T full root access to your network, so I wouldn't recommend it for self-hosters. However, it is the cheapest option since you're required to use it anyway. Besides, of course, using a different ISP, which saves me tooons of money over AT&T.

[–] BromSwolligans@lemmy.world 4 points 22 hours ago (1 children)

AT&T fiber does allow IP passthrough mode though so if you want to run your own hardware you can.

[–] MuttMutt@lemmy.world 3 points 6 hours ago* (last edited 6 hours ago)

That or you can double NAT if an ISP doesn't allow passthrough. It makes self hosting tougher but if you can port forward on the provided device and just forward everything it's basically passthrough mode.

[–] haroldfinch@feddit.nl 19 points 1 day ago (1 children)

Recently, a major ISP in the Netherlands was determined to be streaming metadata from within their customers' networks to Lifemote, a Turkish AI company.

Here's a report in Dutch: https://tweakers.net/nieuws/245620/odido-router-stuurde-analyticsdata-naar-turks-ai-bedrijf.html

This is just the latest one to get caught doing it, but determine how comfortable you are having your internal network exposed to a 3rd party.

I've used personal/non-ISP modems and routers for 25 years because I'm not comfortable with it. At all... But hey, you do you.

[–] SirHaxalot@nord.pub 12 points 1 day ago

While I would say sending MAC addresses and Wi-Fi names is very far from tracking everything you do on the internet, this highlights another very important point: the routers that are provided by ISPs are usually very cheap and crappy, and this in itself has security implications.

Like this example of pulling a script from an unverified HTTP source and executing it as root 🤯.. Not to mention that firewalling and port forward configuration options may be pretty simplified and limited.

[–] cenzorrll@piefed.ca 6 points 23 hours ago (1 children)

Your ISP probably provides some overpriced, really crap hardware that they probably have a back door to, that I'm also not about to screw around with. I've always had a router behind their modem/router combo for many reasons, the first being that I have had a 100 ft Ethernet cable since 2005 that lets me put my router where I want; I can place my wifi where it works best, not just within 6-10 feet of wherever someone 20 years ago decided to drill a hole. Second is because a DD-WRT router is so much better than anything you'll get from your provider, and you can find pretty good compatible ones on eBay or at your local thrift store for cheap.

I've always begrudgingly purchased rather than rented from my provider because after a year or so it is usually paid for. So far I've purchased four modems over almost 20 years so it's worked out for me. As for the device itself, I don't trust it, but I'll still set some firewall rules just because. I have my router behind it where I do the real stuff. If I'm ever given a device that I need to connect for some sort of monitoring, like my solar panels or something like that, it can connect to my ISPs crap and do whatever sketchy shit it's gonna do.

[–] scrubbles@poptalk.scrubbles.tech 1 points 22 hours ago

Each of these points makes it worth it. Price is always overlooked. Renting is the same as a subscription. If you buy your modem it's more expensive, but at the end you still have a modem. Renting, at the end you have nothing.

[–] Semi_Hemi_Demigod@lemmy.world 15 points 1 day ago

This is why I got a mini PC with five Ethernet ports and configured it as a router/pihole.

Everything goes through a WireGuard VPN, and I have DNS that’s private.

And I know it’s secure because I wrote the iptables myself.

[–] MuttMutt@lemmy.world 3 points 20 hours ago

Most ISPs in the US are always looking for a government handout. When the government decides to tie that handout to a backdoor, you will never know about it. If they control the router you don't get a choice.

Not to mention they buy the cheapest POS they can get to do the job. Then when the wifi sucks they will rent you some mesh nodes. And you can only hope they update them if there is a flaw.

I run OPNsense and have for about 10 years now. I've considered using a GPON SFP module so I can get rid of the ONT.

[–] irmadlad@lemmy.world 10 points 1 day ago

Owning your own modem/router gives you full access to security features. It gives you opportunity to install custom firmware. If you can spring for the $$, I think it would be advisable. That way, the only thing you need from your ISP is the cable/delivery device piping internet into your house.

[–] versionc@lemmy.world 9 points 1 day ago* (last edited 1 day ago) (1 children)

I would get a router that supports an open source firmware or operating system like OpenWRT. Which one depends entirely on your use case. Getting a router from your ISP is fine if you're allowed to and capable of flashing it, and if you trust them (I'm lucky that I have an ISP with a track record of fighting for their users' privacy and integrity).

[–] melfie@lemy.lol 2 points 8 hours ago

In addition to not trusting the privacy of stock firmware, OpenWRT provides a lot of useful features for self-hosting like local DNS for your services and a feature-rich firewall to, for example, block devices you don’t trust from phoning home.

[–] hendrik@palaver.p3x.de 8 points 1 day ago* (last edited 1 day ago) (1 children)

Even if you control your router/modem, they still control the other end it connects to. And some more infrastructure along the path. So I think it depends a bit where you're going with this. If you're worried about them doing packet inspection, or logging IP numbers you connect to, I don't think there's a big difference. They could do it anywhere. And they'll likely do it in some datacenter.

A router interfaces with your local network, though. So in theory a router can be used to connect to your internal devices and computers and maybe you have an open network share without password protection or something like that. But we're talking violating your constitutional rights here. It's highly illegal in most jurisdictions to enter your home and go through your stuff.

I'll buy my own router because I can then configure it to my liking. And my ISP charges way too much for renting one. And what I also do is not use my ISP's DNS service. That'd just send every domain name I open to their logfiles. Instead I use one from OpenNIC.

[–] irmadlad@lemmy.world 2 points 1 day ago (1 children)

Instead I use one from OpenNIC

Fast? How would it compare to the evil Cloudflare?

[–] hendrik@palaver.p3x.de 2 points 1 day ago* (last edited 1 day ago) (2 children)

I did one DNS query and it took 22 msec with the nearest OpenNIC server and 24 msec with Cloudflare's 1.1.1.1.
So dunno... roughly the same responsiveness? Maybe OpenNIC is a tad faster? For a proper answer we'd need to do more measurements, though. And with OpenNIC you definitely need to pick a good server, not just any random one. They'll have different locations, different policies and they're in widely different datacenters.

[–] non_burglar@lemmy.world 2 points 23 hours ago (1 children)

That makes sense, since you're in EU and opennic is in DE.

[–] hendrik@palaver.p3x.de 1 points 23 hours ago* (last edited 23 hours ago) (1 children)

Isn't it a global effort? According to what I see, they list a bunch of servers in all Europe, USA, Canada, Australia, ...Japan?!

[–] non_burglar@lemmy.world 2 points 22 hours ago (1 children)

Of the tier 1 servers, 2 are in DE and 2 are in USA.

You won't really hit tier2 unless you're trying to hit very specific records.

[–] hendrik@palaver.p3x.de 1 points 22 hours ago* (last edited 12 hours ago) (1 children)

I think the tiers work the other way around. But I keep forgetting how DNS and recursive lookup works and I might be wrong.
I don't think you're supposed to query Tier 1 servers as a client. The Tier 2 servers would be what people connect to and who do the heavy lifting. The Tier 1 servers just do the root, authoritative stuff and their custom TLDs for the network. So we're not worried about where those are located.

[–] non_burglar@lemmy.world 2 points 5 hours ago (1 children)

You might be thinking of PKI and certificate trusts.

Tier 1 in DNS terms are high-level peered (peered with other tier 1 servers in major network segments) and just refer requests either downstream or to other tier 1 servers. This is no longer as necessary with CDNs everywhere, and DNS infrastructure no longer has to mirror routing landscapes, but it seems that opennic.org is still organised in this way.

Anecdotally, I switched a small network to use opennic in 2019 and it was a disaster, never again. I see that the DE servers are still being recommended to me in Canada, so I guess nothing has changed. Opennic is an example of a good idea with terrible execution.

[–] hendrik@palaver.p3x.de 1 points 1 hour ago* (last edited 1 hour ago)

Interesting. Thanks for the info. I'll re-think whether I recommend it to random people around the world, then.

In Germany it's great. I've been using it for many years now. But we have some good/strong hacker organizations, digital sovereignty and privacy groups, nonprofits and some generous IT companies. Maybe it's random private individuals in other countries and they're not as reliable.

Seems right now there's something going wrong anyway. I don't think the amount of "offline" servers is normal. And a good amount of them isn't even offline, but still answer my DNS queries.

[–] irmadlad@lemmy.world 2 points 23 hours ago

I'll have to check it out. Thanks.

[–] Decronym@lemmy.decronym.xyz 8 points 1 day ago* (last edited 1 hour ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

CGNAT: Carrier-Grade NAT
DHCP: Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
DNS: Domain Name Service/System
HA: Home Assistant automation software; also High Availability
HTTP: Hypertext Transfer Protocol, the Web
HTTPS: HTTP over SSL
IP: Internet Protocol
NAS: Network-Attached Storage
NAT: Network Address Translation
PiHole: Network-wide ad-blocker (DNS sinkhole)
RPi: Raspberry Pi brand of SBC
SBC: Single-Board Computer
SSD: Solid State Drive mass storage
SSH: Secure Shell for remote terminal access
SSL: Secure Sockets Layer, for transparent encryption
TLS: Transport Layer Security, supersedes SSL
VPN: Virtual Private Network
XMPP: Extensible Messaging and Presence Protocol ('Jabber') for open instant messaging

[Thread #172 for this comm, first seen 16th Mar 2026, 17:50]

[–] Nighed@feddit.uk 7 points 1 day ago

Depends entirely on the ISP

[–] SirHaxalot@nord.pub 6 points 1 day ago (1 children)

It's extremely unlikely that they are going to do any kind of deep traffic inspection in the router/modem itself. Inspecting network traffic is very intensive and gives very little value since almost all traffic is encrypted/HTTPS today, with all major browsers even showing scare warnings if it's regular unencrypted HTTP. Potentially they could track DNS queries, but you can mitigate this with DNS over TLS or DNS over HTTPS (for best privacy I would recommend Mullvad: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls).

And of course, make sure that anything you are self-hosting is encrypted and using proper HTTPS certificates. I would recommend setting up a reverse proxy like Nginx or Traefik that you expose. Then you can route to different internal services over the same port based on hostname. Also make sure you have a good certificate from Let's Encrypt.

[–] comrade_twisty@feddit.org 6 points 1 day ago (1 children)

Many German providers have hardcoded DNS servers in their rental routers though and they block everything from torrent directories to iptv sites.

[–] Ooops@feddit.org 3 points 1 day ago (1 children)

The only thing they can realistically hardcode is the DNS server their router's DHCP provides.

Just configure devices to not use that setting, also use DoH or DoT (which you should do anyway, not just to circumvent your router's settings).

[–] comrade_twisty@feddit.org 2 points 1 day ago (1 children)

I haven’t used such a router in decades, I just know from doing IT support at friends homes. These people have no clue how to get around these DNS filters.

[–] Ooops@feddit.org 4 points 1 day ago* (last edited 1 day ago)

These people have no clue how to get around these DNS filters.

But not thanks to the virtue of some effective blocking but just a lack of knowledge of the average user...

I have used several of those cheap routers over the years. And they simply can't block you from using encrypted DNS (unless they want to create giant blocklists and play whack-a-mole with DNS servers...).

So all they usually do is very low tech, like ignoring the DNS you set in the router configuration and rerouting it (or not providing such configuration in the first place). But they can effectively only do so with unencrypted DNS.

With encrypted DNS they could at best try to block the default port used by DNS over TLS, but that still leaves DoH. And they can't block that because it's just regular encrypted HTTPS traffic (with the DNS query inside).

Iirc even Windows allows easy configuration of DoH nowadays (and for much longer if you were ready to edit the registry) where you can simply choose between unencrypted, DoH only, or encryption preferred if available.
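
To make concrete what SirHaxalot's and Ooops's posts describe, here is an added example (not code from the thread or any of its posters) of what a DNS-over-HTTPS query actually is on the wire: a plain RFC 1035 query, base64url-encoded into the `dns=` parameter of an ordinary HTTPS GET (RFC 8484), with the binary answer parsed back out. The resolver URL is a placeholder and the reply is constructed inline so the script runs offline; point `resolve_over_https` at a real DoH endpoint to see it live.

```python
import base64
import struct
import urllib.request

# RFC 8484 sets the transaction ID to 0 so identical queries produce
# identical URLs, which lets HTTP caches deduplicate them.
DOH_TXID = 0
QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Encode a plain DNS query in wire format (RFC 1035, recursion desired)."""
    header = struct.pack("!HHHHHH", DOH_TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire query goes in ?dns= as unpadded base64url."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={dns_param}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a wire-format reply."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_over_https(resolver: str, name: str) -> list[str]:
    """Send the query as ordinary HTTPS on port 443 and parse the binary reply.
    Only the Accept header distinguishes it from any other web request, which is
    why a router cannot block it by port without blocking HTTPS altogether."""
    req = urllib.request.Request(doh_get_url(resolver, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


def constructed_reply(query: bytes, addr: str) -> bytes:
    """Constructed stand-in for a resolver reply so the example runs offline:
    same question section, one A record whose name points back at the question
    (compression pointer 0xC00C)."""
    header = struct.pack("!HHHHHH", DOH_TXID, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    return header + query[12:] + rr + bytes(int(o) for o in addr.split("."))


if __name__ == "__main__":
    q = build_query("example.com")
    # placeholder resolver URL; substitute a real DoH endpoint to query it for real
    print(doh_get_url("https://doh.example.invalid/dns-query", q))
    print(parse_a_records(constructed_reply(q, "192.0.2.10")))
```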

[–] Alvaro@lemmy.blahaj.zone 3 points 1 day ago* (last edited 1 day ago) (1 children)

It's pretty simple: if you don't own the router, you don't own the Wi-Fi. You can treat your home Wi-Fi a little bit like a public Wi-Fi and just make sure all of your devices are secure, using encrypted DNS and encrypted traffic and overall not open on any unsecured ports, and you should be fine.

Personally, all of my services on my home server are only available through my WireGuard VPN, so it doesn't matter what Wi-Fi I'm using, it's always going to be encrypted peer-to-peer.

[–] Ooops@feddit.org 3 points 1 day ago

make sure all of your devices are secure using encrypted DNS and encrypted traffic

Which is so easy it really should be the default nowadays yet sadly isn't.

[–] cmnybo@discuss.tchncs.de 3 points 1 day ago (1 children)

Most ISPs have remote access to their modems. You should use your own if possible. If you can't, then put it in bridge mode and connect your own router to it.
