Opening a can of worms

Been holding this back for almost 2 years, looking for somewhere to ask about it.
Moved to a small retirement village about 2 years ago. They provide internet and VOIP phone service. No other fibre, cable, or copper installed in village.
Soon after moving in, I decided to test the OpenDNS filtering I use when visited by young, internet savvy grandchildren for US summer period (but not at that time). Not sure why I went back and looked 4 days later, but found numerous blocked site requests (which no one in our house ever visited) over the weekend. So, investigated quietly, turns out everybody in this village appears on the internet on a single IP address, and when I turned on OpenDNS filtering, I blocked all traffic to “Adult Content” sites.

So, what concerns do I need to have knowing we are on such a network? I have used a VPN at times since discovering this, but that almost renders our internet unusable at times. And, besides trying to get some sort of wireless internet connection, what options do I have to protect us?

You can get a router for your own devices. That should function as a firewall between your devices and the rest of the traffic on the network. A good VPN (and you can configure many routers to use a VPN so that you don’t have to do it per device) shouldn’t slow down your connection to unusable speeds, not unless it’s a slow connection to begin with, which I’m guessing may be the case as it’s shared throughout the village.

Each occupant has a modem/router connected via ethernet to the village network. So you are saying I have no more privacy and security concerns than if I was using a normal ISP?
As for VPN speed, I have to disagree. I do a speed test without the VPN and get 30-50mbps. Using ExpressVPN, and going to several different exit points, I get speeds well below 3mbps. And I go back and forth several times with and without the VPN and get the same results. I also go between VPN/broadband and VPN/mobile broadband, and get the same results. So my take from that is using the VPN is having an effect on the speed.

No, there are definite security concerns, but you can get some protection from a router, but a VPN on top of that would definitely help (as might a true firewall like pfsense, but that’s an added layer of complexity and cost) as it will encrypt all of your traffic.

I haven’t tried ExpressVPN, at least not recently, but that’s low speed. I would try connecting to a different server in their settings (preferably one close to your location), and if that doesn’t help, I would consider looking at other VPNs. A good VPN won’t cut your speed by more than half, let alone to 1/10th.

EDIT: missed that you said you tried different exit points. I would try another VPN provider.

Likely carrier grade NAT. Do they not offer IPv6? Any service provider using a CGN should be offering IPv6.
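
Added example, not part of any post in this thread: one way to check the carrier-grade NAT guess above is to compare the WAN address your own router reports with the address outside services see for you. The unit names and addresses below are constructed sample data, and how the two addresses are collected (router status page, an IP-echo service) is assumed.

```python
import ipaddress
from collections import defaultdict

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, listed explicitly so the result does not depend
# on how a given Python version defines is_private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan(wan_ip, seen_ip):
    """Compare the router's WAN address with the address the internet sees."""
    wan, seen = ipaddress.ip_address(wan_ip), ipaddress.ip_address(seen_ip)
    if wan.version != 4 or seen.version != 4:
        raise ValueError("this check only covers IPv4 translation")
    if wan == seen:
        return "direct"                # router holds the public address itself
    if wan in CGNAT:
        return "cgnat"                 # provider translates in RFC 6598 space
    if any(wan in net for net in RFC1918):
        return "upstream-private-nat"  # private range handed out upstream
    return "translated-other"          # addresses differ for another reason

def shared_public_ips(observations):
    """Map each public IP to the households seen behind it, if more than one.

    Anything keyed to the public IP (an OpenDNS filter policy, a site's
    IP ban) applies to every household in the same list.
    """
    by_ip = defaultdict(list)
    for household, wan_ip, seen_ip in observations:
        if classify_wan(wan_ip, seen_ip) != "direct":
            by_ip[seen_ip].append(household)
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) > 1}

# Constructed sample data (documentation and reserved ranges, not real hosts).
SAMPLE = [
    ("unit-3",  "100.64.12.5",   "203.0.113.7"),
    ("unit-8",  "100.64.12.9",   "203.0.113.7"),
    ("unit-11", "192.168.10.23", "203.0.113.7"),
    ("unit-20", "198.51.100.20", "198.51.100.20"),
]

if __name__ == "__main__":
    for unit, wan_ip, seen_ip in SAMPLE:
        print(unit, classify_wan(wan_ip, seen_ip))
    print(shared_public_ips(SAMPLE))
```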

Wonder if someone could expound a bit more on the actual security issues this network presents, knowing my devices are behind a personal router. Keep in mind the residents are, for the most part, casual internet users. I am not concerned so much about the NSA or ASD watching me. I am concerned about being a “good neighbour” and not allowing my devices to be used by others for nefarious purposes. I already learned the lesson not to set up DNS filtering. What else do I have to be careful with to not affect my neighbours?

The issue is that we can’t really know what your network configuration is. All we can do is guess at it a little.

One possibility is that your ISP is very small. v4 IPs cost money because there are none left, so they are, by the law of supply and demand (being in low supply and high demand), going up in cost to acquire. So your small ISP has likely bought a small pool of IPs… maybe as small as 1 but depending on the number of customers being supported, more like 8 or 16 or 32. They probably therefore use carrier grade NAT to dynamically map customers’ requests to IP:PORT combinations. There are a fixed number of ports and a typical PC uses many of them at a time, so it is highly unlikely that they could service many more than a half dozen active customers with just one IP address.

As for whether you are at any risk, that depends entirely on topology. If your line to their head end gear (router) is solely in use by you, then it would be marginally the same as a traditional ISP. If it’s on a shared medium like cable, then you could theoretically see other customers’ traffic, but even then, modern equipment usually encrypts each customer’s traffic to the head end.

If you’re all sharing a few IPs and all your traffic merges together coming out of them, then it technically offers you more privacy than if you had your own IP for longer periods of time. It makes it harder for the advertisers to pin something direct to you (not to say it is impossible, because they use other techniques such as browser profiling and cookies).

TLDR; Unless the mini-ISP is completely incompetent you’re probably not at more of a security risk. If you are at all concerned with privacy, a quality VPN is a valid option to enhance your privacy.


He’s living in the wrong country. My wireless provider uses NAT gateways in a load balancing configuration. The static IPs are then no longer an issue. It just looks weird to website operators.

Legally speaking, the only thing I could suggest is asking the provider if they have another option for you or if there is an option to bring in another provider. You could then contest with state or capital officials on the agreement.