Question Can VPN prevent router monitoring for privacy?

Status
Not open for further replies.
Hello
I have a specific case where the ASUS BRT828 AC2600 router has the traffic analyzer feature in its dashboard. I find this feature very intrusive of privacy. From this feature, it appears to be able to track what websites you visit on a web browser (see pic here: https://imgur.com/OtouD7V). I am also not sure if it can also track ANY application that establishes an incoming or outgoing connection, but if it does - I would be pressed to use a VPN. Can using a VPN encrypt my traffic and help stop this sort of tracking? (I don't mind if the router is able to track my data usage, I just mind the router being able to know the destination of my data - i.e. YouTube, etc.)
 
But if only you have this information, does it matter?

That is not the case, unfortunately. Me and one other network admin should and will have access to this device. It will be the default gateway/modem that is connected towards the internet. However, he can log in at any time, just as I have access to this device. Either of us can see what either of us is doing through that traffic analyzer. It is a feature in the router that I do not desire, and I believe he too will not desire it, but he was the one who made the purchase of that device. Perhaps he is unaware of such a feature. He just bought the device because our current modem is incapable of port forwarding (ISP locked the super admin account that has the port forwarding feature).

Anyhow I am asking before I make an investment on acquiring a VPN just to make sure it would work. What's also interesting is that this particular model of router has also VPN on it, but I believe it would not be able to hide the traffic before it reaches to the device.
 
As a "network admin" surely you would want to see who is doing what on the network? What are you administering?
 
I know this is going off-topic already but,

I have to port forward an application so I can access it remotely as well. Me and the other network admin are at the same level of authority. We did not necessarily delegate any responsibility as to what specific tasks I or he should administer. And as I said earlier, I don't know yet to what extent exactly that router can monitor because we haven't installed it yet (and as such, the more detailed it can monitor, the more privacy intrusive it is), but it is a planned replacement for the one that we currently have and the purchase has been made. The network btw is home-based but there is also a business side that is using it within the same building. Any activities that occur in the network after business hours are done should remain private. We don't necessarily want to have a second internet connection for private use just so privacy can be maintained, as it will increase our costs - hence we manage only one connection.

Now if only the traffic analyzer feature of that router can be disabled after business hours are done, then that would be better than me trying out a VPN. Surely should I or he be snooping around network activities of the router monitoring after work hours? There is a cause for concern.
 
USAFRet

Titan
Moderator
This is a system and network at work?
And your employer is OK with using this after work, for personal use?

Then it is no business of his what you do and what sites you go to.
Almost any router keeps at least a rudimentary traffic log. It may not display in fancy graphs like that one, but it's there.

Yes, a VPN can shield your after work use. But I'd absolutely get a second connection. If your enterprise is large enough to warrant 2x network admins, you need a connection just for that.
 
Basically we're business partners. It's like a work-at-home setup. We have an office, but our living residence is just a few floors above. I probably spilled too many beans already lol.

I do have a back-up, separate internet connection; however, compared to our fiber optic one that we currently use (it's paid monthly), my back-up charges based on data usage. In the future we would consider getting a second connection if it becomes cheaper as fiber becomes the norm. But as of now, fiber connections at our place still cost relatively high.

But now as I've come to think of it, I am not sure if it may work.
That ASUS BRT828 router does not have a fiber optic port for fiber connections, unlike the modem we are currently using. He plans to connect it in this way, which I am not entirely sure of:

ISP's Distribution Box -> Fiber optic cable -> ISP provided modem with Fiber Port -> ASUS BRT828 Router (server connected to this device with RJ45 cable)

He wants to make the ASUS BRT828 Router the default gateway (192.168.1.1) instead of the ISP-provided modem, and will make the ISP-provided modem a bridge instead. He has a server that he plans to connect to the ASUS router and wants to port forward so he can remotely access it away from the office.

However, as far as I know, the ISP-provided modem needs to be able to port forward, and with that being incapable of being configured then his plan wouldn't work? He has requested an ISP technician to come in a couple of days' time and the ISP said he needed to buy another router, so he bought this ASUS one. It's my first time seeing this kind of network setup (where the device connected to the fiber optic cable will be set as a bridge). I am not entirely sure if he would still be able to port forward his server if the device connected to the fiber optic cable is incapable of port forwarding, not unless that is - if the technician will bring a new modem that can do so.

And so I am thinking instead to ask the ISP to replace our modem with one that is able to do port forwarding. Anyways the modem they provided only has 1 working LAN port for reasons I will never know, so I plan to ask them for another model with all ports that actually do work.
 
Not sure about that router since it is not one of the ASUS routers I follow, but ASUS routers generally can run third-party firmware. I know ASUS runs asuswrt from ASUS and asuswrt-merlin. It also can load dd-wrt and some other firmware.

So if you really are concerned, these distributions have the source code available. You can go in, remove the feature you do not want and relink the image. It is mostly a matter of following instructions; dd-wrt is a little harder since it runs on many platforms.

I would use that method rather than deal with the issues and costs of a VPN. There are many sites (i.e. Netflix) that will prevent you from using a VPN. Google will at times constantly make you run captcha stuff to prove you are not a bot.
 
I am also not sure if it can also track ANY application that establishes an incoming or outgoing connection
As stated above, that's what routers do. And, as a "network admin" I would think that you would want to have the tools to be able to track the when/where/how much, etc. That's part of what an administrator does. And, I wouldn't be using consumer level equipment for the job.
 
If the ISP modem is just a modem, all ports will pass through it; modems are not aware of ports!
 
Ok, thank you for all the educated replies.

I am familiar with dd-wrt; however, when I look at their supported router list, it does not mention specifically the ASUS BRT 828 router. There is a chance that if I install it, I could brick the router permanently.

But now me and the other network admin settled to basically just replace the modem instead with one that is capable of port forwarding without too much explicit detailed monitoring in its dashboard like the ASUS one. I informed him that the ASUS router had such a feature and he too said to me he overlooked it and regrets having such a feature. Wasted money but what's done is done.
 
Actually I think it is an ISP modem with built-in router features, my mistake.

I have never seen a setup yet where the device directly connected to the ISP's distribution box via fiber will be set up in bridge mode instead of as a default gateway, while the router connected to it will be set up as the default gateway and DHCP server and still be able to port forward the server connected to it. I always thought that the device directly connected to the ISP's distribution box has to always be the default gateway and be configured to be able to port forward for it to be successful.

Can the modem with built-in router features still be able to port forward despite it being set to bridge mode? (Not sure if this makes any sense)
 
If it is in bridge mode it is acting as a media converter; it does not do much if any processing of the data.

If you were to run the ISP router as a router it likely has port forwarding abilities. Some are a pain to configure, but port forwarding is one of those features that I think every router has.
 
I did some quick googling, and from it I see a lot of people encountering issues trying to port forward a modem with in-built router features while it is in bridge mode. Yes, definitely almost all routers nowadays have a port forwarding feature.

So I managed to log in to the admin page of my ISP's modem; it has port forwarding but I cannot find any configuration whatsoever to set it to bridge mode. I already called the ISP technician, he'll be coming in a few days to visit my place. I'm hoping they could give me a new device that is able to port forward and also has more than 1 working LAN port, so I don't need to set it to bridge mode. With more than one LAN port working, the other network admin can connect the ASUS BRT 828 router while I can connect my devices to another router without it passing through the privacy intrusive ASUS BRT 828 router, if it makes any sense.

(Edit): I see DMZ mode available but that may expose my entire LAN network. I don't know exactly how to separate the LAN subnet from the DMZ subnet so if an attacker breaches the device, he won't be able to reach the LAN subnet. The only fields present are the Enable/Disable for DMZ and DMZ Host IP.
 