Comment by madduci

17 hours ago

I have had an FTTH connection from Telekom since 2018; they are the only provider in my street allowed to install an internet connection (glass fiber only).

Since then, I have always used my own device, and I maintain a GitHub Gist on how to connect an OpenWRT modem (and, by extension, any other modem that supports PPPoE) rather than their Huawei Speedport crap or the more expensive Fritz Box. Link to Gist: https://gist.github.com/madduci/8b8637b922e433d617261373220b...

I use PiHole in my own network, circumventing the DNS limitations, using Quad9 as my main DNS provider, but Unbound is on my to-do list.

The most concerning limitation in the German market is the unavailability of native Glass Fiber modems, that can accept as input a Glass Fiber connection: at the moment, providers install their own Glass Fiber modem. Without it, you can't actually have an internet connection at home.

You have the right to router freedom even with FTTH. And fortunately, with DTAG FTTH, you can also book 1und1 with good peering (:

  • Router freedom, yes, but the Telekom Black Box that takes the fiber cable as input is still a real "black box" that needs to be installed.

    • Here in NL I've been able to replace the router (Zyxel in my case) and ONT (Huawei in my case) with one SFP+ (I went with some South Korean one). I only had to register the serial of my SFP+.

    • Nope, just remove the Telekom Black Box/ONT, get a GPON SFP (like Luleey or FS) and register that MAC.

> providers install their own Glass Fiber modem

It's the same in the US. The ISP fiber network falls inside their security boundary in my experience - you can't BYOD. They install a modem (these days often including an integrated router, switch, and AP) and you receive either ethernet or wifi from them.

I think the only major change in that regard has been that coaxial cable providers here will often let you bring your own docsis modem these days.

I never found any of this concerning until quite recently. With the advent of ISPs providing public wifi service out of consumer endpoints, as well as wifi-based radar, I'm no longer comfortable having vendor-controlled wireless equipment in my home.

  • I don’t have fiber access, but at least for cable, my provider (formerly Kabel Deutschland, now Vodafone) allows me to put the modem/router into "modem only" mode, which then allows me to use my own router. Outside of Fritzbox (which is again a whole integrated thing; with questionable features) there aren’t many DOCSIS modems freely available, and the no-name china devices don’t seem much better than my Vodafone Box.

    • > allows me to put the modem/router into "modem only" mode, which then allows me to use my own router.

      Telekom Speedports also have a modem only mode (the ones for non-fiber, dunno about the ones for fiber, but it looked like those are only modems and not a router as well). I don't make use of it since I manage the wifi for my family, but I do know it exists.

  • US FTTH in my experience (AT&T + GFiber) has the ONT and router/WAP as separate boxes, and you are free to BYO router box but have to use their ONT.

    • Supposedly some of the major US providers (at least AT&T) have dropped a bunch of the obnoxious, ineffectual security stuff in the XGS-PON networks. There are plenty of reports online of people quite successfully running entirely third-party stacks using adorable SFP+-format ONTs without anything that would credibly be called hacking.

  • In the U.K. you get a PON which gives you a Cat5 gig or mgig port; you then connect your router and PPPoE to your ISP. Most ISPs offer a managed router, but the ISPs I've chosen have always allowed the PPPoE option.

    • Same thing here except when they last upgraded the ONT I had to turn PPPoE off - it's just plain old ethernet service now. But the ONT seems to be performing the equivalent authentication role from what I was able to gather by shoulder surfing the tech.

      They had to start offering routers that integrate the ONT because the common consumer gear is 1G or 2.5G ethernet but they sell up to 10G service here.

  • I have fiber in the US with just a plain ONT. Still CGNAT but I control my network. My former cable ISP permitted customer modems. It is becoming a challenge to find cable modems without router+wifi.

> The most concerning limitation in the German market is the unavailability of native Glass Fiber modems, that can accept as input a Glass Fiber connection: at the moment, providers install their own Glass Fiber modem.

I'm actually quite okay with that. Why should I have to pay for specialized hardware that won't be usable if I move and the new apartment uses DSL or DOCSIS? Give me an RJ45 (or SFP for some fiber connections) and let me put whatever router I want behind it.

  • You say "why should I have to pay", but they really haven't said or suggested anything about how they'd rather you paid for anything. They're talking about having the option to supply one's own device, not about requiring it.

    The common rationale behind this I'm aware of is that an ONT device is technically a computer with persistence, hosting arbitrary code and data that you cannot (or at least are not supposed to) audit or alter, despite it being on your premises, operated at your cost (electricity, cooling, storage), and specifically deployed for your use. These properties hold for SFP modules too in general, not just SFP ONTs (they're all computers with persistence).

    The catch is that this is further true for all of these kinds of modems.

    The counter-catch is that despite that, for DSL specifically, you could absolutely bring your own modem, hw and sw both.

    The counter-counter-catch is that with DSL, you were not connecting to a shared media, but point-to-point. This is unlike DOCSIS and GPON, where a misconfigured endpoint can disrupt service for other people, and possibly damage their or the provider's devices and lines.

    That's all the lore I'm aware of at least.

    • Very much indeed, a 'rogue ONT' can screw another nearly 63 users' access in my area. Oversubscription is very noticeable, but just not problematic. 10G FTTH delivering 60~70% of the bandwidth is enough I guess. And latencies or jitter aren't a thing either.

  • The "glass fiber modem" is an inherent part of the GPON network. These are complicated. The "P" stands for "passive". Yours and up to 127 other houses are all on the same "light domain", i.e. the downstream is passively split, and the upstream is passively combined, in optical boxes that don't even have electrical parts.

    This needs crazy accurate timing for the upstream. The head end needs to know the exact delay to your particular box to give it a "grant" to transmit at exactly the right time so transmit bandwidth is not wasted by idle time or multiple boxes transmitting at the same time and corrupting each other.

    You don't want brand X modems with dodgy configurations in this. Of course, as a consumer you'd want "as little modem as possible", i.e. just give me an ethernet port running DHCP or PPPoE and let me do the rest.

Is it possible to use a media converter from glass fiber to RJ45/Ethernet? Those are commonly available and then you can use whatever modem/router you like.

  • I don't know if it's the case in Germany, but here in France consumer FTTH networks are of the GPON persuasion. These need to handle encryption and be able to properly register on the tree, so I'm not completely shocked they require some form of ISP-provided device to terminate the fiber connection.

    There's also an EU law which says that users should be able to bring their own modems / routers, so AFAIK providers say that this particular terminal device is still "on their side of the network".

    I've seen such devices come in two varieties.

    One is a separate device which plugs on the optical network, does the encryption and stuff, and then exposes an ethernet port which is connected to the actual router which does wifi, etc. With SFR and Bouygues, it was trivial [0] to replace the ISP-provided router with one of your choosing. You get the normal external IPs and you do your thing. The ISP router sleeps in its box in storage. This was my setup up until a few years ago, with both these providers. Now SFR has moved to CGNAT, but the setup is the same, so I expect users to still be able to switch routers (but I haven't tested, since I'm not a client anymore).

    Then there's Free, who provides a single device that connects to the fiber, does routing, wifi, etc. In this case, it's possible to flip a switch in its settings for it to act as a bridge (don't know how wifi behaves in this case, if it stays on). It then only accepts a single downstream client, which gets the external IP. SFR had a similar setup for DOCSIS.

    I'm not familiar with how Orange, the biggest operator, functions. But I understand they have a general tendency to be a PITA so YMMV with them.

    ---

    [0] For Bouygues, this device only talked on a tagged VLAN100 for some reason. On the SFR, the network expected you to send a client id in the DHCP request.

    • The term you're looking for is "demarc" or: https://en.wikipedia.org/wiki/Demarcation_point

      This is the physical boundary of a network, in telecommunications. This is the junction where the service provider can point and say "that's our equipment on this side". So it helps to narrow down the troubleshooting.

      Often, if you have a telephone landline, you will see your demarc take the form of a gray RJ11 box with a small self-plug in it. It would be common practice to plug a phone into that box directly, then you've eliminated the "inside wiring" in the house.

  • You’d need to be able to replicate whatever configuration the ISP provided device has, and they won’t give you that.

    FTTH here in Australia is the same: you're stuck using the network provider's device, which just provides an Ethernet port, and a POTS port if you're into that sort of thing, with your LAN device connected behind it.

    There was fierce lobbying back in the day (shout out to Simon Hackett / Internode) for our national broadband network to be simple dark fibre and that ISPs could build on top of that to provide innovation and differentiation.

    Instead what we got was a bunch of ISPs that resell the National Broadband Network’s expensive wholesale plans with little in the way of either differentiation or innovation.

    Edit to add: what the sibling comments said too.

    • FWIW, the incumbent ISP in Switzerland, Swisscom, tried to roll out XGS-PON but our "Internode", Init7, fought them in court on the grounds that it was anticompetitive, since it locks every provider into a single technology. They won.

      Now customers can choose. Nearly every ISP chooses the easy way and has the customer connect through Swisscom's XGS-PON but Init7 in particular has instead built out their own routers in POPs around Switzerland so that customers can have a physical fibre directly to their network. It's just plain ethernet with DHCP so you can use whatever equipment you want. It's also allowed Init7 to do something none of the other providers can do: offer 25Gbps symmetric service at no extra cost (beyond a one-off installation cost for the more expensive SFP modules).

    • Thanks. I have an ISP provided media converter with my own router behind that, using the correct VLAN was enough to get it working. I thought those media converters were pretty dumb devices but it seems they are not.

  • They most likely use GPON so the optic is going to see return traffic for your neighbors. So they make it hard (but not impossible) to bring your own optic or media converter.

  • If I recall, for something like GPON or XGS-PON, you end up having to clone the various attributes of the original for it to work properly. This typically includes serial number, hardware id, firmware identifiers, etc.

    • For most it is just serial number. The 8311 folks have scripts that will fully automate the cloning for most common devices. This is not like a "break open your hardware and attach wires" type thing.

      There are some ISPs issuing and verifying certs for GPON, which are more annoying to extract. I'm not aware of anyone (even those same ISPs) doing it for XGS-PON. It seems they all decided maintaining their own CA infrastructure for millions of customers was not worth it ;)

    • Question out of curiosity. I once swapped a TPLink media converter between two homes, both using the same ISP, to debug internet issues and to see if that would improve the situation. Did I do something incredibly illegal? And did my ISP get confused seeing my media converter on the other side of town?

  • Yes, with the right kind of PON SFP stick this is possible.

    Most kinds of PON sticks are still in the $150-300 range for XGS-PON, though.

    (I use an XGS-PON stick with AT&T instead of their modem)
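The two provider quirks listed in footnote [0] of the French-ISP reply above (a WAN that only talks on tagged VLAN 100, and a network that expects a specific DHCP client id), and the PPPoE login that the OP's Gist covers, all reduce to a few lines of OpenWrt's UCI network config. The following is an added example, not any commenter's file and not the contents of the linked Gist; it assumes OpenWrt 21.02 or newer with a WAN NIC named `eth0`, and the VLAN ids, the client id, the credentials and the LAN resolver address 192.168.1.10 are placeholders (the Telekom VLAN id in particular is an assumption, not something the thread states):

```conf
# /etc/config/network, WAN part only, on an OpenWrt router behind the ISP's ONT.
# Added example: not a commenter's real config. All ids/credentials are placeholders.

# Bouygues-style: the ONT only answers on tagged VLAN 100, so the WAN lives on an
# 802.1q sub-interface instead of the raw port. On DSA-based builds the parent
# port is typically named 'wan' rather than 'eth0'.
config device
        option name 'eth0.100'
        option type '8021q'
        option ifname 'eth0'
        option vid '100'

config interface 'wan'
        option device 'eth0.100'
        option proto 'dhcp'
        # SFR-style: the network expects a specific DHCP client identifier.
        # Hex string; the value is a placeholder. Leave it out where not required.
        option clientid '00112233445566'
        # Do not let the ISP push its resolvers into the router; use your own.
        option peerdns '0'
        list dns '192.168.1.10'

# Telekom-style (the OP's FTTH case): the same tagged sub-interface idea, but the
# VLAN carries PPPoE. VLAN 7 is an assumption about Telekom's access network.
# Use this block INSTEAD of the DHCP 'wan' above (UCI keeps the last 'wan' it sees).
#config device
#        option name 'eth0.7'
#        option type '8021q'
#        option ifname 'eth0'
#        option vid '7'
#
#config interface 'wan'
#        option device 'eth0.7'
#        option proto 'pppoe'
#        option username 'user@isp.example'
#        option password 'changeme'
#        option peerdns '0'
#        list dns '192.168.1.10'
```

After `/etc/init.d/network reload`, `ifstatus wan` shows whether the interface came up and which address and gateway it obtained, and `logread -e netifd` shows the DHCP or PPP negotiation. The `peerdns '0'` line matters for the DNS discussion elsewhere in this thread: without it the ISP's resolvers are installed as the router's upstream regardless of what you configured on your own resolver.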

As a fellow OpenWRT user who tried many DNS solutions including unbound, also consider NextDNS. They are pretty awesome.

You might be able to switch to a different ISP, e.g. 1&1. They rent the line from Telekom but you still get their peering.

Sorry to say but how you are framing things is simply not true anymore.

You are not required to buy their "Glasfaser Modem 2" you can buy any ONT Modem.

You are not required to use any of their equipment; they give you the data to connect via PPPoE directly.

I bought a house with FTTH in 2023 and never used any Telekom hardware. Nobody forces you to use the peer DNS. The Telekom DNS isn't complying with https://cuii.info/anordnungen/ because they want to, but to avoid being sued every time some company wants to block an illegal streaming site.

  • > Nobody forces you to use the peer DNS.

    For practical purposes there's the problem (at least a few years ago?) though that Akamai in particular uses DNS to steer you to the correct portion of its CDN and the default IPs returned by independent DNS resolvers tended to have relatively abysmal peering with the Telekom network that was getting completely overloaded at peak times.

    Unfortunately "use <insert favourite DNS provider here> everywhere except for Akamai CDN, for which use the Telekom DNS" isn't something that consumer routers support, so you'd have to start running your own custom DNS resolver to work around that problem…

  • Don't you have the small black glass fiber box that takes the fiber glass cable as input and outputs an RJ45 port?

>The most concerning limitation in the German market is the unavailability of native Glass Fiber modems,

This is not true everywhere. You can totally use your own ONT or fiber modem with DTAG.

> I use PiHole in my own network, circumnavigating the DNS limitations, using Quad9 as my main DNS provider, but Unbound is on my to-do list.

Why is PiHole necessary to dodge DNS limitations: can't you just put Quad9 as the DNS in your router/FritzBox?

Now I switched from PiHole to running unbound on a... Pi! I did that years ago: do it, you won't be disappointed.

I don't have the shiny PiHole UI anymore but I don't care: unbound supports wildcards to blacklist domains and that's what I care the most about.

So a Pi with unbound then dnsmasq on my Linux desktop: this makes for very speedy lookups (as most queries are hitting the cache).
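The Unbound-on-a-Pi setup described in this comment, and the Akamai steering problem raised in an earlier reply (independent resolvers get routed to badly peered CDN nodes, and consumer routers cannot forward just the CDN's domains to the ISP resolver), are served by the same configuration: a fully recursive Unbound asks the CDN's own authoritative name servers from your ISP-assigned address, so the CDN steers you the same way it would steer the ISP's resolver, with no per-domain forwarding split at all. The wildcard blocking the commenter mentions is the `local-zone` directive, which matches a name and every label below it. This is an added example, not the commenter's actual file; it assumes Debian-style paths for the root hints and trust anchor, a LAN of 192.168.1.0/24 with the Pi at 192.168.1.10, and the blocked names under `example.net`/`example.com` are made up:

```conf
# /etc/unbound/unbound.conf on the Pi. Added example, not the commenter's config.
server:
    # Answer only the LAN and loopback; refuse everything else so the Pi cannot
    # be used as an open resolver if it is ever exposed.
    interface: 0.0.0.0
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Full recursion from the root, no upstream forwarder. Queries to CDN
    # authoritative servers therefore originate from your own ISP address.
    root-hints: "/usr/share/dns/root.hints"
    # DNSSEC validation (RFC 5011 managed anchor; Debian path assumed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Hardening that costs nothing on a home resolver.
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Never accept public answers that point into private space (DNS rebinding).
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8

    # Cache sizing for a household; prefetch refreshes popular names before expiry.
    num-threads: 2
    msg-cache-size: 16m
    rrset-cache-size: 32m
    prefetch: yes

    # Wildcard blocking: one line covers ads.example.net and everything beneath it
    # (foo.ads.example.net, a.b.c.ads.example.net, ...). always_nxdomain answers
    # NXDOMAIN without consulting any other data.
    local-zone: "ads.example.net." always_nxdomain
    local-zone: "telemetry.example.com." always_nxdomain

    # Carve-out inside a blocked zone: the most specific local-zone wins, and
    # "transparent" means "resolve normally".
    local-zone: "cdn.ads.example.net." transparent

    # Bulk lists live in a separate file containing only local-zone lines in the
    # same form as above (assumed path).
    include: "/etc/unbound/blocklist.conf"
```

Validate with `unbound-checkconf` before restarting. A quick check from any LAN host: `dig @192.168.1.10 foo.ads.example.net` must return status NXDOMAIN, while `dig @192.168.1.10 cdn.ads.example.net` resolves normally, and `dig @192.168.1.10 dnssec-failed.org` should return SERVFAIL if validation is working. Each line of the included blocklist is just `local-zone: "<name>." always_nxdomain`, which is a one-line sed or awk away from any hosts-format list PiHole consumes. If a client misbehaves on NXDOMAIN, recent Unbound versions also offer the `always_null` zone type, which answers 0.0.0.0 and :: instead. A dnsmasq cache on the desktop, as in the commenter's setup, only needs `no-resolv` and `server=192.168.1.10` to point at the Pi.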