Optical Network Terminal (ONT) vs Optical Network Router (ONR). What's the difference?

leechoonhwee

Member
Joined
May 27, 2001
Messages
279
Reaction score
27
How much is super internet packages? I didn't see their offer from their site anymore... Anyone using their svcs? How's the speed and offering ONT/ONR?

I'm using it now but I don't recommend anyone getting it if they're not 100% sure of what they are getting into.
 
Joined
Feb 24, 2006
Messages
118
Reaction score
2
Hi,

Seeing a lot of experts here and hence seek help for my use case.

Me just simple user and ok with ONR and Airties mesh for ease of usage and thankfully working with 2nd miotv setup box in 2nd storey ... yes, indeed not a power user with special requirement.

Nevertheless, I am an audiophile looking for fiber solution to compare with current airties connection + copper rj45 cable to my hifi system for internet streaming. Rewiring the house via fiber and getting those fiber converter to rj45 at my music system are not my concerns.

As such, kindly advise on the following:

- any available ont/onr in the market with fiber output in addition to rj45 ports that can replace my singtel's onr ?

Many thanks in advance.

Cheers.

Richard
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,737
Reaction score
11,514
As such, kindly advise on the following:

- any available ont/onr in the market with fiber output in addition to rj45 ports that can replace my singtel's onr ?

None. It is not possible to replace the ONT or ONR.

What you need is Gigabit Switch with SFP ports to go with Fibre.

ONR -- Switch with SFP port plus SFP Fibre Module - fibre -- Switch with SFP port plus SFP Fibre Module -- your device

But if you just need to link to one device, fibre to copper media converters are pretty cheap in a pair from Shopee (below S$30). Not so sure about the quality though.
 

oicoic

Junior Member
Joined
Dec 5, 2019
Messages
7
Reaction score
0
Posted this earlier in the Singtel thread. I've taken the trouble to draw the network diagrams for easy understanding. As they say, a picture speaks a thousand words.

Some will hide behind the fallacious statement, "I'm not an important CEO. Why they need to hack me/I got nothing of worth" or equivalent. Think again - it's not about ST. It's about the networking truth: as long as there are no doors open your network is safe. Once there is access open to someone to configure, that open hole is also open to any malicious person on the internet to exploit. We cannot condone such behaviour.

On a practical level, having the stupid ONR breaks a lot of things like VPN tunnels to work.



As the text is a bit small, I shall replicate it. The arrows remain.

TOP Diagram (Arrow pointing to ONR):
SingTel has full configuration access to this one device. By extension, it is open to the Internet and available for public exploitation to configure as they wish. It also means that there is no separation of access, and anyone who is able to access your ONR is theoretically able to access your network.

You are required to grant access permission for this since you have no control over it.

BOTTOM Diagram
(Arrow pointing to ONT):
SingTel has full configuration access to this one device. It means it is exposed to the internet for configuration access.

(Arrow pointing to Network Router/Gateway):
Nobody has access to this unless you specifically grant permission for that. Your network is physically isolated from any potential hackers/exploits.
In the ST thread, it was noted that if you use SingTel issued routers, they still have configuration access. But you have the option to use your own and secure your devices behind it, unlike the ONR.


Do you mean that using an ONR will mean that we can be hacked much more easily? Meaning our bank accounts, crypto accounts or transfer of funds etc are less secure? (I just switched from Singtel with ONT to WhizComms with ONR:(...)
 

oicoic

Junior Member
Joined
Dec 5, 2019
Messages
7
Reaction score
0
And I have another question. From what I know, if I have an ONR and I want to connect my PC with an Ethernet cable instead of using wireless, I should connect it to the ONR. However, I found that I can also connect it to the wireless router which I have set as the Access Point. Does not seem to make a difference. If this is the case, why does the user manual say connect the PC to the ONR?
 

giraffey

Senior Member
Joined
Sep 25, 2018
Messages
1,062
Reaction score
9
Do you mean that using an ONR will mean that we can be hacked much more easily? Meaning our bank accounts, crypto accounts or transfer of funds etc are less secure? (I just switched from Singtel with ONT to WhizComms with ONR:(...)

In my opinion, this only applies to expert/power users. Even in an ONT mode, and if one uses his own router, but does not patch regularly or configure it properly, it will be even more vulnerable. In addition, using a router alone isn't sufficient. Firewalls and security gateways would also need to be added.

Most cyber attacks including hacking happen through phishing and the end device getting compromised. And very often, it is due to the user.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,737
Reaction score
11,514
Do you mean that using an ONR will mean that we can be hacked much more easily? Meaning our bank accounts, crypto accounts or transfer of funds etc are less secure? (I just switched from Singtel with ONT to WhizComms with ONR:(...)

You can still request WhizComms to configure the ONR to ONT if you are worried, for a fee probably since you did not request it prior to installation time.

If you are really worried, put another router behind the ONR and live with Double NAT. That is even more secure than if you switch to ONT.

What is Double NAT.
https://kb.netgear.com/30186/What-is-Double-NAT

I also do not like ONR, but less on the security front, but rather it has limited features and limits your freedom to use your own router with better features.
 

giraffey

Senior Member
Joined
Sep 25, 2018
Messages
1,062
Reaction score
9
And I have another question. From what I know, if I have an ONR and I want to connect my PC with an Ethernet cable instead of using wireless, I should connect it to the ONR. However, I found that I can also connect it to the wireless router which I have set as the Access Point. Does not seem to make a difference. If this is the case, why does the user manual say connect the PC to the ONR?

You can connect as many wireless routers/APs, computers after the router (in ONT) or after the ONR. You just need a switch/wireless router/ap to keep adding more lan points
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,737
Reaction score
11,514
And I have another question. From what I know, if I have an ONR and I want to connect my PC with an Ethernet cable instead of using wireless, I should connect it to the ONR. However, I found that I can also connect it to the wireless router which I have set as the Access Point. Does not seem to make a difference. If this is the case, why does the user manual say connect the PC to the ONR?

Both are okay. No need to worry about what the user manual says.
 

Henry Ng

Arch-Supremacy Member
Joined
Aug 9, 2011
Messages
17,162
Reaction score
1,004
You can still request WhizComms to configure the ONR to ONT if you are worried, for a fee probably since you did not request it prior to installation time.

If you are really worried, put another router behind the ONR and live with Double NAT. That is even more secure than if you switch to ONT.

What is Double NAT.
https://kb.netgear.com/30186/What-is-Double-NAT

I also do not like ONR, but less on the security front, but rather it has limited features and limits your freedom to use your own router with better features.

Not recommended to use Double NAT and it will be better to ask ISP to change the ONR to ONT.
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,027
Reaction score
539
And I have another question. From what I know, if I have an ONR and I want to connect my PC with an Ethernet cable instead of using wireless, I should connect it to the ONR. However, I found that I can also connect it to the wireless router which I have set as the Access Point. Does not seem to make a difference. If this is the case, why does the user manual say connect the PC to the ONR?

Connection to the ONR directly should *always* work. If your access point is configured in routed mode, then plugging in there might be slightly slower or might not work at all.

If your access point is configured in bridged mode (which I strongly suspect it is), then the ethernet ports on it are just acting like a switch - transparently extending the ports present on the ONR's built in switch.
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,027
Reaction score
539
In my opinion, this only applies to expert/power users. Even in an ONT mode, and if one uses his own router, but does not patch regularly or configure it properly, it will be even more vulnerable. In addition, using a router alone isn't sufficient. Firewalls and security gateways would also need to be added.

Most cyber attacks including hacking happen through phishing and the end device getting compromised. And very often, it is due to the user.

The original terms have become somewhat confused over time... What's typically called a router today is actually acting more like a firewall, in that it will usually be providing access control and address translation facilities.

Traditionally (and still often the case on corporate setups) you would have a router which *only* routes, and then one or more firewalls behind it which provide access control and/or address translation facilities.

The last point about phishing is also true. Most "routers" intended for home use do not expose any services which are directly reachable from the outside by default, but they allow any devices behind them to make unrestricted outbound connections. Once an internal device becomes compromised, whether by phishing or drive by exploitation etc the device is able to make outbound connections to retrieve instructions from the attacker. In corporate networks, outbound connections are usually also restricted.

That said, modern devices are generally far more resilient against external unsolicited attacks over the network than the ones from 20 years ago. A modern operating system or mobile device, or at least the well known ones do not expose services to the network by default, so there is nothing to attack. Even placed on an internet connection allowing unrestricted inbound connectivity, not much is likely to happen. Any successful attacks are far more likely to be the result of user interaction, such as falling victim to phishing.

It's also worth considering that every time you connect to a public wifi network, you are potentially placing your device on a connection which allows unrestricted inbound connections at least from the other users connected to the same wifi. The devices of 20 years ago would be easy prey on such a network, today's devices not so much.
 

trenzterra

Arch-Supremacy Member
Joined
Sep 18, 2002
Messages
20,623
Reaction score
515
Does double NAT work with IPv6? That time I tried before with two routers but couldn't get IPv6 working.
 

hereiam7788

Supremacy Member
Joined
Dec 10, 2015
Messages
5,150
Reaction score
931
The original terms have become somewhat confused over time... What's typically called a router today is actually acting more like a firewall, in that it will usually be providing access control and address translation facilities.

Traditionally (and still often the case on corporate setups) you would have a router which *only* routes, and then one or more firewalls behind it which provide access control and/or address translation facilities.

The last point about phishing is also true. Most "routers" intended for home use do not expose any services which are directly reachable from the outside by default, but they allow any devices behind them to make unrestricted outbound connections. Once an internal device becomes compromised, whether by phishing or drive by exploitation etc the device is able to make outbound connections to retrieve instructions from the attacker. In corporate networks, outbound connections are usually also restricted.

That said, modern devices are generally far more resilient against external unsolicited attacks over the network than the ones from 20 years ago. A modern operating system or mobile device, or at least the well known ones do not expose services to the network by default, so there is nothing to attack. Even placed on an internet connection allowing unrestricted inbound connectivity, not much is likely to happen. Any successful attacks are far more likely to be the result of user interaction, such as falling victim to phishing.

It's also worth considering that every time you connect to a public wifi network, you are potentially placing your device on a connection which allows unrestricted inbound connections at least from the other users connected to the same wifi. The devices of 20 years ago would be easy prey on such a network, today's devices not so much.

For Windows devices, ever since Windows Defender was built into the system, the security risks have significantly reduced compared to the past.
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,027
Reaction score
539
You can still request WhizComms to configure the ONR to ONT if you are worried, for a fee probably since you did not request it prior to installation time.

If you are really worried, put another router behind the ONR and live with Double NAT. That is even more secure than if you switch to ONT.

What is Double NAT.
https://kb.netgear.com/30186/What-is-Double-NAT

I also do not like ONR, but less on the security front, but rather it has limited features and limits your freedom to use your own router with better features.

NAT is not a security feature. It is a dirty hack required to allow multiple devices to share a limited number of IP addresses. Implementing NAT requires a stateful firewall.

The stateful firewall is what provides security, not NAT. It's possible to have a stateful firewall without NAT, where routable addresses are in use on both sides of the firewall. The firewall still controls whether access is allowed or not. This routed setup is simpler, faster and more secure because you just have allow/deny rules and not the additional overhead of translation or the complexity introduced by now having multiple addresses for the same thing.
This is how IP networking is designed to work, and it's vastly preferable to operate in this way if you can.

NAT breaks some protocols, increases administrative overhead, complicates firewall rules, complicates logging, reduces performance and introduces other undesirable limitations.

Practically these days you are forced to use NAT with IPv4, because IPv4 was always an experimental protocol that was never intended to be used on a network as big as the internet has become, there are simply not enough addresses available.
With IPv6, everyone can use a proper routed subnet with stateful firewall. Having the same setup with IPv4 is possible, but is likely to be extremely expensive.

Most attacks these days do not occur due to an external attacker making unsolicited inbound connections to your machines. Modern operating systems used on end user devices simply don't expose vulnerable services by default, and it is common for people to connect their devices directly to hostile networks outside of their control (eg public wifi). Connections initiated by external parties to your machines if not blocked by your router, will be blocked by the firewall on your computer, or rejected by your phone because it simply isn't running anything for them to connect to.

The exception to this, is the cheap and poorly designed IoT devices out there...

Most attacks occur against connections which the user has initiated, eg by visiting a malicious website, or through actions such as phishing. A typical home router whether using NAT or not, or whether operating a firewall or not will do nothing to stop such attacks because the default configuration of virtually all home routers is to allow unlimited connections to be initiated from the inside to the outside.

Every time you connect your phone or laptop to a public wifi network, you are placing it on a potentially hostile network to which anyone can connect, and on which there is no router or firewall sitting between you and other users. If another user is hostile or their device is infected with malware, there is no intermediate device restricting what traffic it can send to your device.
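
An added illustration of the post above (not code from any poster or vendor): a toy routed firewall that never rewrites an address, showing that the state table alone blocks unsolicited inbound traffic, and that the usual allow-all-outbound default lets a compromised inside device call out. The class name, the sample addresses (documentation prefix 2001:db8::/32) and the ports are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    from_lan: bool  # True if the packet arrived on the inside interface


class RoutedStatefulFirewall:
    """Stateful filter with no NAT: addresses pass through unchanged."""

    def __init__(self, inbound_allow=(), egress_ports=None):
        self.inbound_allow = set(inbound_allow)  # explicit (dst, dport) allow rules
        self.egress_ports = egress_ports         # None = home default, allow all outbound
        self.flows = set()                       # connection-tracking table

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "accept"  # belongs to a connection that was already permitted
        if pkt.from_lan:
            allowed = self.egress_ports is None or pkt.dport in self.egress_ports
        else:
            allowed = (pkt.dst, pkt.dport) in self.inbound_allow
        if allowed:
            self.flows.add(fwd)  # remember the new connection so replies get through
            return "accept"
        return "drop"


def demo():
    # Constructed sample hosts: an inside PC, a web server, an unknown outside host.
    pc, web, stranger = "2001:db8:0:ab00::10", "2001:db8:ffff::80", "2001:db8:dead::1"
    home = RoutedStatefulFirewall()
    results = {
        # Nothing inside asked for this connection, so no state exists: dropped.
        "unsolicited_inbound": home.filter(Packet(stranger, 40000, pc, 445, False)),
        # The PC opens a connection; the firewall records it.
        "outbound": home.filter(Packet(pc, 50000, web, 443, True)),
        # The server's reply matches the recorded flow: accepted.
        "reply": home.filter(Packet(web, 443, pc, 50000, False)),
        # A compromised PC calling out is just another outbound connection.
        "malware_callback": home.filter(Packet(pc, 50001, stranger, 8443, True)),
    }
    # Corporate-style policy: outbound limited to a few destination ports.
    strict = RoutedStatefulFirewall(egress_ports={53, 80, 443})
    results["callback_with_egress_policy"] = strict.filter(
        Packet(pc, 50001, stranger, 8443, True))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {verdict}")
```
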
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
1,027
Reaction score
539
Does double NAT work with IPv6? That time I tried before with two routers but couldn't get IPv6 working.

NAT is undesirable, and IPv6 almost never uses NAT because it doesn't need to. Most routers are not capable of doing NAT for IPv6 for this reason.

IPv6 usually uses valid routable addresses both sides, and the router acts as a stateful firewall controlling access, which is a separate function from NAT.

That said, it's still possible to route IPv6 through two (or more) routers in several ways, if you know how to set it up.

You can use IPv6 NAT (not recommended, not supported by most devices etc).

You can directly route if you have a sufficiently large IPv6 allocation (many ISPs will provide customers with a /56 allocation which allows you to create and route several /64 networks as you see fit) - you split out another /64 block from your /56, put it behind the second router and from the first router you add a route to that /64 using the second router as the gateway.

You can split a single /64 into multiple smaller networks and route them if that's all you have, but this will break IPv6 autoconf and you'll have to use DHCPv6 or statically assigned addressing.

You can use NDP proxying.
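
An added worked example of the direct-routing and split-/64 options in the post above (not code from the poster): it carves a /64 out of a delegated /56 for the second router and builds the static route the first router needs, then shows why going smaller than /64 rules out autoconfiguration. The prefix is from the documentation range 2001:db8::/32, and the function names and the choice of /64 number 0 for the first router's LAN are assumptions of the example.

```python
import ipaddress


def plan_second_lan(delegated, lan_index, second_router_addr):
    """Pick /64 number `lan_index` from the delegated prefix for the LAN behind
    the second router and build the static route for the first router.

    Assumption: the first router's own LAN is /64 number 0, and the second
    router's upstream port holds `second_router_addr` on that LAN.
    """
    prefix = ipaddress.IPv6Network(delegated)
    if prefix.prefixlen >= 64:
        raise ValueError("need a delegation larger than one /64; see split_single_64")
    available = 2 ** (64 - prefix.prefixlen)
    if not 1 <= lan_index < available:
        raise ValueError(f"lan_index must be 1..{available - 1}; 0 is the first router's LAN")

    base = int(prefix.network_address)
    first_lan = ipaddress.IPv6Network((base, 64))
    second_lan = ipaddress.IPv6Network((base + (lan_index << 64), 64))

    # The next hop must be reachable on the first router's LAN.
    gateway = ipaddress.IPv6Address(second_router_addr)
    if gateway not in first_lan:
        raise ValueError(f"{gateway} is not on the first router's LAN {first_lan}")

    return {
        "available_64s": available,
        "first_lan": first_lan,
        "second_lan": second_lan,
        # iproute2 syntax; other routers express the same static route in their own UI.
        "route_on_first_router": f"ip -6 route add {second_lan} via {gateway}",
    }


def addressing_mode(network):
    """SLAAC uses a 64-bit interface identifier, so only a /64 can autoconfigure."""
    net = ipaddress.IPv6Network(network)
    return "SLAAC" if net.prefixlen == 64 else "DHCPv6 or static"


def split_single_64(lan, parts_prefixlen=66):
    """Fallback when only one /64 is available: smaller routed subnets."""
    return list(ipaddress.IPv6Network(lan).subnets(new_prefix=parts_prefixlen))


if __name__ == "__main__":
    plan = plan_second_lan("2001:db8:0:ab00::/56", 1, "2001:db8:0:ab00::2")
    print(plan["available_64s"], "x /64 available in the delegation")
    print("second LAN:", plan["second_lan"], "->", addressing_mode(plan["second_lan"]))
    print("on first router:", plan["route_on_first_router"])
    for sub in split_single_64("2001:db8:0:ab00::/64"):
        print("split /64:", sub, "->", addressing_mode(sub))
```
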
 

firesong

Supremacy Member
Deluxe Member
Joined
Jan 17, 2001
Messages
8,797
Reaction score
4,818
Do you mean that using an ONR will mean that we can be hacked much more easily? Meaning our bank accounts, crypto accounts or transfer of funds etc are less secure? (I just switched from Singtel with ONT to WhizComms with ONR:(...)

The answer, it depends. What you have in a ONR setup is the absence of a secondary physical layer in between your network devices and the ONT/gateway.

When you realise that by design, the ONR must be open and remote configurable (meaning, someone on the internet - supposedly your ISP - has configuration level access to your device). A general security rule is, if you open for one, it is open for all on the internet to exploit. If you don't want exploitation, remove it from the network - or close it off completely.

The ONT - Router setup fulfils the removal from the network somewhat. Your ISP does not have the passwords to your personal router (unless of course you left it with the defaults, which a quick google will throw up) so in theory no one on the internet can go in and configure it. This of course assumes that you secure it appropriately.

However, if you use their supplied ONR, you cannot change the password. So they have your password (and it's the last 10 digits of your serial number, backwards). Anyone who has one of these can easily generate the other passwords and brute force attack (ie, write a script to keep trying password1...password2...password3 and so on). It won't take long to enter the router configuration and enter your network in the process.

On the level of patches and exploits, that's a secondary situation. Primarily, the fact that you have a device that you cannot secure that is open to the internet for configuration - this is the real problem with the ONR implementation.
===

To address the question, at application level - it is not so likely you would be hacked that way. User engineering attacks are the usual exploits here. However, in theory, if your router can be remotely reprogrammed (eg, a firmware update pushed) by a malicious user since it is openly accessible and vulnerable because a user cannot secure it, it is not impossible to have the router as the MIM agent that can do everything from keylogging to packet intercepting. So the ONR implementation does expose users to this potential exploit, and it is all too easy to do. Singtel's IP blocks are public information anyway. Just deploy a botnet to brute force whole IP blocks over a period of time, and you should eventually unlock enough ONRs to do some damage.

===
A final aside, I don't believe it's a "power user" issue. Again, this user created label is offensive because an informed user is not a power user. It creates an artificial divide and justifies and promotes ignorance. We are all normal users. Don't advocate for lesser than standard service and call it "normal" - do not lower the bar of what is acceptable practice.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
34,737
Reaction score
11,514
Does double NAT work with IPv6? That time I tried before with two routers but couldn't get IPv6 working.

No problems based on my tests.

Double NAT for IPv4, no NAT for IPv6
Main router: SingTel Mesh Router, ipv6 set to 6rd manual configuration

Secondary router: Huawei AX3 Pro, ipv6 set to auto

From SingTel IPv6 thread.
Step 2 is the secondary router
Step 3 is the main router
IPv6

traceroute -6 tserv1.sin1.he.net
1?: [LOCALHOST] 0.027ms pmtu 1500
1: no reply
2: 2400:d803:xxxxxxxxx 19.980ms
3: 2400:d803:xxxxxxxxx 7.271ms pmtu 1480
3: no reply
4: 2400:d800:a::1 18.046ms
5: 2400:d800:8::1:400d 12.320ms
6: 2001:c10:80:2::2dd 14.271ms
7: 2001:c10:80:1::2e 208.427ms
8: 30gigabitethernet2-1.core1.pao1.he.net 204.556ms
9: 100ge9-2.core1.sjc2.he.net 198.774ms
10: 100ge5-2.core1.sea1.he.net 217.342ms
11: 100ge11-1.core1.sin1.he.net 306.783ms asymm 13
12: 100ge11-1.core1.sin1.he.net 290.771ms asymm 13
13: tserv1.sin1.he.net 234.242ms reached
Resume: pmtu 1480 hops 13 back 14
 
Joined
Feb 24, 2006
Messages
118
Reaction score
2
None. It is not possible to replace the ONT or ONR.

What you need is Gigabit Switch with SFP ports to go with Fibre.

ONR -- Switch with SFP port plus SFP Fibre Module - fibre -- Switch with SFP port plus SFP Fibre Module -- your device

But if you just need to link to one device, fibre to copper media converters are pretty cheap in a pair from Shopee (below S$30). Not so sure about the quality though.

Hi Xiaofan,

Many thanks and quite surprised that there is none since incoming data is via fiber and there are many switches with optical.

Do not wish to have this fmc for more complication and conversion ... hope someday there will be one.

Cheers.

Richard
 