ZeroTrust Architect

Posted on • Originally published at cacheguard.com

Your ISP Box Was Never Designed to Protect You — Here's What We Did About It

We talk to a lot of small business owners. And when we ask them what's protecting their network, we get the same answer almost every time.

They point at the box their internet provider gave them.

That box. The one blinking in the corner. The one nobody ever touches.

Here's the thing nobody tells them: that box was never designed to protect you. It was designed to connect you. Two very different jobs.

🧑‍💻 Experienced with networking? The basics are covered in the first two sections — feel free to jump straight to "So we put ourselves in the chain".

[Figure: ISP Router without Protections]

What the ISP box actually does

Your router forwards traffic. That's it. When you visit a website, it passes the request along. When the response comes back, it delivers it to your device. It does this for everything — legitimate requests, malware callbacks, phishing traffic, all of it — without asking a single question.

It's not a flaw. It's by design. ISP routers are built to be universal and simple. Security is simply not their job.

So if something on your network gets compromised — a laptop, a phone, even a printer — your router will happily forward whatever traffic that device generates. Nobody's watching.


Two concepts that unlock everything

Before we built CacheGuard, we spent a lot of time figuring out how to explain the problem to non-technical people. We landed on two ideas that make everything else click.

1. An IP address is a postal address for a device

Every device on your network has one. Your laptop, your phone, your printer — each has a unique number like 192.168.1.42. When your laptop sends a request to a website, it includes that address so the network knows where to deliver the response. That's all an IP address is.

Two flavours matter here:

  • Private IP — used inside your office. Devices talk to each other, but the internet can't reach them directly.
  • Public IP — the address your ISP assigns your router. It's how the outside world sees your entire network.

2. A default route is just a rule: "when in doubt, ask the gateway"

When a device wants to reach something on the internet and doesn't know the exact path, it follows its default route — a rule that points it toward a gateway device. The gateway figures out the next step.

In a typical office:

Your devices → Router (ISP box) → ISP → Internet

Every device in the office has a default route pointing at the router. The router has a default route pointing at the ISP. Simple chain.

Here's the insight: whoever controls the gateway controls the traffic.


So we put ourselves in the chain

That's exactly what CacheGuard does. It inserts itself between your devices and your ISP router:

Your devices → CacheGuard → ISP Router → Internet

Your devices' default route now points to CacheGuard. CacheGuard's default route points to the ISP router. The chain still works — but now there's a checkpoint in the middle that can:

  • Block malicious domains and malware
  • Filter content by category
  • Cache web content to speed up browsing
  • Log and monitor all network activity
  • Control access by device or user

[Figure: Network Gateway for Small Business with CacheGuard]

And the ISP router? It needs zero changes. It keeps doing what it always did.


What the setup actually looks like

CacheGuard runs on any standard PC or virtual machine. It needs two network interfaces:

  • WAN — connected to your ISP router
  • LAN — connected to your office switch

[Internet]
    |
[ISP Router]        ← e.g. 192.168.1.1  (unchanged)
    |
[CacheGuard]        ← WAN: 192.168.1.2 / LAN: 10.0.0.1
    |
[Office switch]
    |
[All your devices]  ← default route: 10.0.0.1

At the IP level:

  1. CacheGuard WAN gets an IP on the ISP router's subnet (e.g. 192.168.1.2). Its default route points to the ISP router (192.168.1.1).
  2. CacheGuard LAN gets an IP on a separate subnet (e.g. 10.0.0.1). This becomes the gateway for all office devices.
  3. Your devices get their default route updated to 10.0.0.1, which is most easily done by letting CacheGuard act as your DHCP server.

💡 You don't need to reconfigure your ISP router at all. CacheGuard simply inserts itself and the router carries on as before.
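The three addressing steps above can be checked before anything is plugged in. The following is an added example, not code from CacheGuard or from the original post: it validates an inline-gateway addressing plan and flags any device whose default route would still bypass the checkpoint. The /24 prefix lengths, the function name `check_plan` and the sample devices are assumptions made for illustration.

```python
import ipaddress

def check_plan(isp_router, wan_if, lan_if, clients):
    """Return a list of problems in an inline-gateway addressing plan.

    isp_router: ISP box address, e.g. "192.168.1.1"
    wan_if:     gateway WAN interface in CIDR form, e.g. "192.168.1.2/24"
    lan_if:     gateway LAN interface in CIDR form, e.g. "10.0.0.1/24"
    clients:    {name: (device_ip, default_gateway)}
    """
    problems = []
    router = ipaddress.ip_address(isp_router)
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)

    # Step 1: the WAN interface must share a subnet with the ISP router,
    # otherwise the gateway's own default route is unreachable.
    if router not in wan.network:
        problems.append(f"ISP router {router} is not on WAN subnet {wan.network}")
    if router == wan.ip:
        problems.append("WAN interface reuses the ISP router's address")

    # Step 2: the LAN must be a separate subnet; if it overlaps the WAN
    # subnet the gateway cannot route between its two sides.
    if lan.network.overlaps(wan.network):
        problems.append(f"LAN {lan.network} overlaps WAN {wan.network}")

    # Step 3: every device must sit on the LAN subnet and use the gateway's
    # LAN address as its default route. Anything else skips the checkpoint.
    for name, (ip, gw) in sorted(clients.items()):
        ip, gw = ipaddress.ip_address(ip), ipaddress.ip_address(gw)
        if ip not in lan.network:
            problems.append(f"{name}: {ip} is outside LAN {lan.network}")
        if gw != lan.ip:
            problems.append(f"{name}: default route {gw} bypasses gateway {lan.ip}")
    return problems

# Constructed sample inventory: the printer kept a static configuration
# from before the gateway was inserted.
SAMPLE_CLIENTS = {
    "laptop": ("10.0.0.42", "10.0.0.1"),
    "printer": ("192.168.1.50", "192.168.1.1"),
}

if __name__ == "__main__":
    for p in check_plan("192.168.1.1", "192.168.1.2/24", "10.0.0.1/24", SAMPLE_CLIENTS):
        print("WARN", p)
```

Devices with static addresses (printers, cameras, NAS boxes) are the usual source of these warnings, because a DHCP change alone does not move them behind the gateway.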

[Figure: Implementing a Network Gateway with CacheGuard]


Why free and open-source

A small dental practice faces the same phishing attacks as a large corporation. A five-person agency is just as vulnerable to ransomware. The difference is resources — and we think that's the wrong reason for someone to go unprotected.

CacheGuard is free, open-source, and built to be deployed by someone who isn't a network engineer. The web-based admin interface walks you through configuration, and the defaults are sensible and secure out of the box.


Where to go from here

👉 Full plain-English setup guide
📖 CacheGuard Documentation
💬 Community forum

Also worth reading if you want to go deeper on network architecture: What is a DMZ network?
