General consensus on ISP-side enabled firewall settings?

Masters

For the sake of discussion, I was just curious of others experience with ISP, modem side enabled basic firewall settings. For instance, I typically disable any modem based firewall settings thinking I'll get more accurate reporting on real threats targeting our clients.

However, would it make sense to have that additional, thin layer of security enabled? Maybe reduce the workload of smaller table top model firewalls?

james.carson

Hi @Masters
We generally recommend disabling any ISP side firewall. There's quite a few reasons, but it generally boils down to the ISP device acting as a NAT device (in addition to the firewall also NATing your traffic.) This will quite often cause issues with VPNs that terminate at the firebox. We've even run into a few instances where ISP initiated firmware updates have disabled previously working VPN tunnels due to these firewall settings being on.

It's usually best if the ISP device is acting as nothing else that a termination point for the public IPs. Most ISPs will refer to this as something like "bridge mode" or "transparent bridge mode."

There are of course, exceptions. If you have a specific reason to keep it enabled, we can usually work around those constraints. I've seen, for instance, customers keeping the ISP device enabled as it offered a different termination and completely separate path for guest wireless that may not count towards a data cap.

Thank you,