I recently received a (genuine) email from Virgin warning me about a "Open DNS Resolver Vulnerability" on my network. It turns out that if you disable the firewall on the Hub (because NAT suits me fine, and the firewall was interrupting Teams) the Hub will open its port 53 to the internet and answer queries from anyone, and then Virgin will tell you off for it.
Would it be too much to ask for Virgin to fix the router so that even with the firewall disabled it still acts like every other consumer router on the planet and still opens its ports to the internal network only?
To make things even more fun, you can't actually port forward port 53 (which is how I know 100% that it's the Hub4). I've got round this for now by setting up a DMZ to an IP address that doesn't exist on my network, so the traffic is effectively blackholed.