Avoid ISP Routers (2024)

316 points by dp-hackernews 3 months ago

48 comments

OkGoDoIt 3 months ago
I wish. I own my own modem and router, but Comcast won’t let me use them unless I pay a whole bunch of extra fees or accept a stupidly low monthly data cap. I’ve got my router downstream of theirs which is a bit annoying, especially considering their modem-router combo overheats and needs to be rebooted via unplugging power at least once a month.

Sadly I have no other options here in San Francisco. My house is not wired for phone service so I cannot get DSL. The various fiber services that are becoming more available in San Francisco are generally only available downtown or large apartment buildings. My freestanding house can’t get any of that. AT&T’s new fiber doesn’t connect to me either. And webpass doesn’t have a good line of sight from my location to any of their microwave towers so I can’t get that. It is Comcast or nothing. It always amazes me that San Francisco is supposedly the tech capital of the world but internet connectivity here is worse than rural China. (And that’s not an exaggeration, I’ve spent plenty of time in rural China and in the mountains there, both the cellular and hardline service is infinitely better than San Francisco, aside from the firewall issues of course)

…I guess that turned into a bit of a personal rant but holy crap how is it 2025 and this is still a problem in a major tech city?
pyuser583 3 months ago
The part about a cockroach colony is a bit unfair.

Insects love electronics, with the heat and noise they generate. And when electronics sit in storage for a long time, the critters can crawl in from neighboring items.

This is just as likely to happen with a non-ISP router.

Ok, in all fairness I don’t have any stats to back up that claim. But nobody else does either.

That open source router you love so much may have been sitting in storage even longer.

I have mixed feelings about ISP routers, and ISPs in general.

But insect infestation is a serious issue in consumer electronics and has nothing to do with ISPs.
heffer 3 months ago
In similar news: The German regulator (BNetzA) just re-confirmed two weeks ago [0] that passive optical networks are not exempt from § 73 (1) of the TKG (Telecommunication law) which mandates that the interface between provider and customer is *required* to be a passive interface (i.e. mandating an ONT is already in violation of that). And that is fine. The different PON standards are reasonably well standardized and can operate in these standard modes for most equipment manufacturers. The NSP may lose some proprietary features, but the past has shown that equipment manufacturers have adapted for the German market accordingly. The law does allow exemptions, mainly if required for access technology reasons, but clearly states that even in that case the device that connects the end-user devices to the service (i.e. router) cannot be mandated by the ISP. They can provide one, but they cannot prevent you from connecting your own.

I do sometimes miss living in Germany.

[0]: Press release in German: https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/DE/2025/20250122_PON_Glasfaser.html
denkmoon 3 months ago
Some of the comments here about ISP behaviour are crazy. Australia has had our fair share of fucking up the national internet infrastructure but at least I can pick pretty much any ISP and use any router I like. Haven't used an ISP supplied router in something like 15 years.
Shank 3 months ago
AT&T Fiber's routers have, in the past, had a tendency to overheat, offered false promises like "DMZ Plus" mode and have had a host of issues that led to a black market of people selling stolen AT&T certificate files [0] on the internet so you could bypass them, because they use 802.1x between their "Router/gateway" combination device and their ONT, when they're separate devices. The AT&T XGS-PON network is mostly coupled now, which has led to *another* group of people now creating compatible SFP+ modules to replace the entire GPON stack because of this.

I could be wrong, but I think AT&T Fiber is the only US ISP that doesn't even allow you to directly connect to their network. If you use any of their provided routers, they only offer "DMZ Plus" mode that still leaves their router/gateway managing state tables, which is vulnerable to hardware and software issues from the ISP. This leads people down the path of programming SFP+ modules and spending a lot more time than they should have learning about ISP networking, just to have a safer router/modem.

[0]: Due to security issues in the router/gateway firmware, various people have published guides and/or run actual businesses shucking routers/gateways from AT&T by exploiting them, grabbing the certs and private keys, and then re-selling them to people who need them. These don't get you free access to the internet or anything, they just let you authenticate to the network with your own device.
Terr_ 3 months ago
Oh, absolutely. Even on just that last issue of cost, buying my own cable-modem paid for itself long ago, compared to the "rental" cost from my ISP.

On that note, it's better to buy a router separately from the modem. All-in-one devices are harder to diagnose and you can't reuse the router with a different connection type.
deathanatos 3 months ago
> *It may well be cheaper in the long run to buy your own hardware*

That's why my ISP forces me to rent theirs!

Something something market dominance in one market something something force dominance in another market …

In the end, I just treat the network like any other: assume the network is compromised, and security is/should be done by the endpoints.
wyager 3 months ago
Agreed with the article, but to add to:

> The ability to update the firmware may also be locked down. You should have full control over firmware updates.

Bizarrely, for DOCSIS modems, even if you buy your own modem, the ISP has control over firmware! They can (and do) push any arbitrary firmware to your modem. The manufacturers go along with this for some reason.

So make sure to separate your modem and router too.
bc569a80a344f9c 3 months ago
Conversely, by using their router and modem you move the demarc to the Ethernet port on the inside of the router, which makes getting support significantly easier. I care about that more than control. And I know damn well they ain’t got time to spy on me. Just because appeals to authority are fun, I spent decades as a network engineer and then architect.
jeroenhd 3 months ago
My ISP sent over a Fritz!box (though they offered a "bring your own" option as well). It came preconfigured for my ISP.

I turned off remote access and TR-069 through a toggle in the settings, then changed the admin password. Really, that's all you need to do to take control of one of these routers.

There are good reasons to dislike the AVM routers, but their software is actually pretty solid in terms of customisation and network security. It's not a bad device, and at the large scales ISPs can order them, they can be had for a significant discount as a rental compared to buying your own in a store.
tills13 3 months ago
I run my own homelab and have a Ubiquiti gateway (UDM). I would have loved to have the fibre connection come directly into my box uninterrupted but the ISP's modem is required to associate the connection with my account (or something to that effect). Deeply disappointing.
dboreham 3 months ago
Except as soon as you report some QoS issue and a tech comes out, they'll tell you that it's your off brand router and you need to rent one from them.
bustling-noose 3 months ago
The median consumer for an ISP is someone who pays for a service and asks for the wifi password printed on the back. That's about it. Maybe they change the password through the app (TR-069) if they want to change it later. Having something like this working 24x7 while also being able to afford to run a cable to the home is quite challenging. I hate pretty much most ISPs for having a good service but terrible equipment. But I know most of my friends and relatives really don't care. They just want to use it for work or browsing / binging and that's about it. With fiber this is more messed up because now they are being sold gigabit plans when in reality a 100-200mbps connection would be enough if the home was wired correctly and all devices received a good wifi connection with a good router connected to some APs / mesh with maybe something like SQM.

Getting rid of a GPON router can be challenging now that everyone is moving to fiber.

- For one, you could get banned for having a problematic transceiver.
- You might be able to spoof the SN and even MAC and PLOAM password but even then there is a GPON ONU and OLT incompatibility problem. Nokia OLT for example can be notorious while some OLTs only work with their own brand ONUs.
- Finding the correct VLAN is also tricky and sometimes different VLANs are used for different services like POTS which means your GPON bridge needs to be able to do correct pass through after registering instead of registering on just one VLAN.

ISPs should just provide a GPON SFP bridge to consumers with the router it plugs into that has a TR-069 configured so that the ISP can also swap routers as and when they get upgraded while keeping the SFP bridge constant as the cost of router would then decrease without having to need a GPON ONU to be built. Not to mention the software gets less complicated without GPON on the router end.

https://hack-gpon.org
RajT88 3 months ago
ISPs, thanks to a bill, cannot charge rental fees anymore:

https://www.pcmag.com/news/isps-cant-charge-you-for-using-your-own-router-anymore

Unless they come up with a BS security excuse, like cert based auth to their network, which means they claim they cannot offer people to BYOE. I bought an old DSL modem off eBay some years back and tried to get AT&T to waive the rental fee (honestly thinking I was in the clear).

They were not having it. I filed an FCC complaint and in a few days got a call from the office of the CEO saying the equipment was still technically theirs and "gray market" and they could sue me if they wanted. I did get that rental fee waived.

I got off AT&T as soon as humanly possible after that. I used to think they were less shady than Comcast, but now I know otherwise. Comcast, for all their egregious nonsense, at least lets you BYOE.
djhworld 3 months ago
My ISP here in the UK is pretty good, they have fibre going into a little box on the wall which has an ethernet port on the bottom, I've got a Ubiquiti Dream Machine Pro connected to that on the WAN port and it's worked solidly for years.
OptionOfT 3 months ago
I had to fight with Cox (Fiber to the home) to be able to use my own router, if I wanted unlimited data for free.

To my understanding this is partially for them to push their crowdsourced WiFi, and maybe an easier way to sell you an all-in-one security/internet/TV package.

When I explained that I would just use their device as a passthrough, and that it would be a waste to have the device here, she removed it from my account.

Now, what I don't know is HOW they check whether I'm using their device. MAC? Easily copied. Them sending some commands that only their devices can respond to? Yea, that's a bigger problem.
natas 3 months ago
Xfinity (Comcast) is uploading their own firmware to my Netgear which I have purchased on Amazon. So one may (rightfully) assume that they have their own backdoors there too; otherwise why would they bother doing that.
dang 3 months ago
Related:

*Avoid ISP Routers* - https://news.ycombinator.com/item?id=41092571 - July 2024 (26 comments)
bdavbdav 3 months ago
I’m quite happy with the openreach setup in the UK - using a very simple ONT and whatever you want going into it router wise. They’re very close to just being a media converter, and the ONT SFPs are basically the same thing in a different form factor. I understand why they’re controlled given the topology of gPON.

If you’re worried about security of the device on the WAN side, then you’ve got bigger issues.
AdmiralAsshat 3 months ago
Verizon's FiOS routers have been decent. I used theirs when I last moved, and it automatically set up a separate IoT network, in addition to the normal and guest networks.

I've been meaning to buy and set up a mesh, but they sent me an extender for free, and they haven't charged a modem rental fee either like Cox/Comcast did, so I've been living with "free" for awhile until I see a good mesh router on sale.
jmcgough 3 months ago
Yes. Avoid their name servers, too - I was surprised how many weird connectivity issues went away years ago when I manually configured DNS.
tempestn 3 months ago
Owning your own router also helps avoid lock-in. I just switched ISPs and it was relatively painless since I could just plug my router into the new box, maintaining all my config. (At least in theory; since all ISPs are terrible, they misconfigured their own modem, so I had to figure out how to log in and switch it to bridge mode. But after that, painless...)
hakfoo 3 months ago
What are the ISP's motivations towards preventing BYOD?

If they're desperate for the $10 per month box rental, I'm sure they could just levy a $10 per month BYOD "support fee" to make equal, but it sounds like in some places they're charging way more as a penalty.

I know some of them were very aggressive about using home routers to provide coverage for roaming Wi-Fi, but that doesn't seem as big a push as it was. I suspect this corresponds with a lot of them getting into the MVNO business lately.

Do they result in a disproportionate volume of support inquiries, or maybe ones that they can't just dispatch by trying to send a remote-reboot signal down the line? I could see addressing that by moving towards a fee-for-service-call model if you need to call the "custom configurations" hotline.
IgorPartola 3 months ago
Any desktop computer + Intel dual GB NIC + opnsense and you have an amazingly powerful router. Add in a Raspberry Pi running the Omada controller software and some Omada access points and you have an inexpensive and very robust WiFi network. Don’t forget to turn on auto updates for opnsense.
imagetic 3 months ago
At home I go from the modem to a Firewalla and then break out to the WiFi. Our needs at home are pretty simple though.

https://firewalla.com

I have been quite happy with the experience.
ndsipa_pomu 3 months ago
Here in the UK, I'm using VirginMedia, but have been running my own router for ages. Unfortunately I still have to keep their router powered and connected to access the internet, but it has a "modem" mode where it just provides a dumb connection to one port and disabled WiFi.

My current router is a NanoPi r6c which is a marvelous piece of hardware - stick in an nvm drive and it's more than happy running a bunch of containers. (It's running FriendlyWRT at the moment though I think the next release of openWRT will support it).
chaz6 3 months ago
As someone who just switched from an IPoE internet service to PPPoE, just make sure your device can cope. I have been using a trusty Ubiquiti Edgerouter Lite 3 for many years without issue. Unfortunately, the Cavium cpu does not support hardware offload for both ipv6 vlan and ipv6 pppoe at the same time.

If you do go down the general-purpose cpu (x64/arm) route and your ISP uses PPPoE, you may need to tweak so that the rx queue is handled by multiple cpu cores as they will default to the first core by default.
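
One way to make that rx-queue tweak on a Linux-based router is Receive Packet Steering (RPS), sketched below as an added example that is not part of the comment above. The interface name `eth0` and the `SYSFS_NET` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: spread receive processing for the physical interface that
# carries a PPPoE session across CPU cores with Linux RPS.
# Assumptions: a Linux-based router; "eth0" is a placeholder interface name.

# Root of the per-interface sysfs tree. Overridable so the logic can be
# exercised against a scratch directory instead of the live system.
: "${SYSFS_NET:=/sys/class/net}"

# rps_mask N -> hex bitmask selecting CPU cores 0..N-1 (N from 1 to 32).
rps_mask() {
    n=$1
    case "$n" in
        ''|*[!0-9]*) echo "rps_mask: need a core count" >&2; return 1 ;;
    esac
    if [ "$n" -lt 1 ] || [ "$n" -gt 32 ]; then
        echo "rps_mask: core count must be 1..32" >&2
        return 1
    fi
    printf '%x\n' $(( (1 << n) - 1 ))
}

# rps_apply IFACE N -> write the mask to every rx queue of IFACE.
# Prints each file it changed; fails if the interface has no rx queues.
rps_apply() {
    iface=$1
    mask=$(rps_mask "$2") || return 1
    found=0
    for f in "$SYSFS_NET/$iface"/queues/rx-*/rps_cpus; do
        [ -e "$f" ] || continue
        printf '%s\n' "$mask" > "$f" || return 1
        echo "$f <- $mask"
        found=1
    done
    [ "$found" -eq 1 ] || { echo "rps_apply: no rx queues for $iface" >&2; return 1; }
}

# rps_show IFACE -> current mask of each rx queue. A mask of 0 means RPS is
# off and the core that took the interrupt does all the receive work.
rps_show() {
    for f in "$SYSFS_NET/$1"/queues/rx-*/rps_cpus; do
        [ -e "$f" ] && printf '%s %s\n' "${f#"$SYSFS_NET"/}" "$(cat "$f")"
    done
    return 0
}
```

Run `rps_apply eth0 4` as root on a four-core router, then `rps_show eth0` to confirm. Values written to sysfs do not survive a reboot, so the call has to be repeated at boot.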
egberts1 3 months ago
Not too many Fiber-PON routers out there that we can drop Linux OS into.
kisamoto 3 months ago
*Avoid ISP Routers wherever possible.

Sometimes they just don't allow you to use it. In the past I've had an ISP router that had a heavily restricted custom firmware on it and a "hidden" username password setup for authorizing with the ISP. I couldn't use my own.

In that situation I had to aim to use it as the modem and have a second router it unloaded to. Not ideal.

Now I can freely pick hardware with my current ISP. Just need to find the time/money to upgrade to fibre everywhere to capitalize on the 10Gb/s.
poink 3 months ago
> Backup: an ISP will give one device. Should it fail at an inopportune time, you will be off-line until you get them to issue a replacement. When you own your own hardware, you can buy a second modem and/or a router for emergency backup.

This is nicer than it seems because "I've already tried a completely different modem" is a good way to short circuit ISP troubleshooting scripts IME.
14 3 months ago
Sadly I am not able to outright get rid of my ISP router. I am here in Canada on Shaw, well it recently was taken over by Rogers, and we can not just use our own. We can put the modem into bridge mode and connect to it but not get rid of it completely. I am not sure if bridge mode would stop much of the security concerns but my gut says no.
nejsjsjsbsb 3 months ago
What about: I use the ISP router for support convenience then I turn off its wifi and daisy chain a second router I set up?
perching_aix 3 months ago
Bit difficult to reconcile with reality in case you e.g. have to use the ISP's router or even just their SFP modules, which are really like a router in your router in a sense, and are common in fiber installations to my knowledge, as using a different one can cause issues for other subscribers on the same passive connection.
account-5 3 months ago
This is all well and good but unless you have networking experience and know what makes a good router you're still stuck.

What router should I be using in place of the ISP one? Can I trust its manufacturer? How can I make sure it definitely is a one to one replacement and I don't need to use my isp router as a bridge?
kevin_nisbet 3 months ago
My ISP does this as well, provides Huawei modems with hardcoded backdoor passwords that can easily be found online. So yup, I've got a dedicated firewall between my networks and the modem. With slow updates and backdoors, I'd include any ISP modem and networks as part of my personal threat model.
jitl 3 months ago
Often hard to use your own stuff with fiber systems. I get AT&T fiber which is pretty good service but no way to use your own “modem” (optical network terminal). I think their gateway suffers from some kind of buffer issue which affects me even w/ “ip pass through” to my own Synology router.
megous 3 months ago
Yep, I just run my own Linux build on any SBC with at least a single gigabit port, currently that's Quartz64-A. I've never been happier with my home router and flexibility of configuration/what I can do with it, than just running a regular fully fledged Linux distro on it.
alex1138 3 months ago
The average consumer who uses teh internetz probably isn't all that savvy

So when an ISP borders (and often more than that) on criminal practices or being malicious - which is a lot of them - they're laid prone to all the upstream garbage

(Defaults matter)
newsre4der 3 months ago
If you have a LAN cable, or fiber for WAN it can be done, but with cable modems it's not always possible to use your own device. I got a device which hasn't been updated since 2019. :(
x3n0ph3n3 3 months ago
My ISP requires me to use their router, but I just put my own behind it.
xor-eax-eax 3 months ago
OPNsense DECISO router on 2 Gbps symmetric Google Fiber for $100/mo. works great. Anywhere without GF, I'd look for co-op municipal fiber consortiums before megacorps.
JohnMakin 3 months ago
if you live in “the hood” the lan is nuts and you can get by by just treating your local network as completely untrusted, which I personally believe is good practice anyway.
Bluescreenbuddy 3 months ago
Comcast charges me $119 for 1.2gbps with a cap. If I want to remove the cap it's an additional $30. Highway robbery with these assholes
b8 3 months ago
Cox only allows their whitelisted routers. Otherwise, I would use a Nokia Modem/router combo. ATT may be installing fiber soonTM.
al_borland 3 months ago
I have my own, because the idea of paying $5/month at the time seemed silly. It does seem like more and more, ISPs are trying to make it harder to bring your own modem, which feels like a cash grab.

Even 10 years ago with Comcast I’d have to call them and challenge their gaslighting to get it working. The model I had was listed on their website, but they would tell me it wasn’t supported. About once a year they would kill it and I had to call to get it working again, where they would again tell me it wasn’t supported, but with persistence on my part, they’d eventually register it and get it working again. I haven’t had as many issues with this recently with Comcast, but I figure it’s only a matter of time.
aboardRat4 3 months ago
Things are hardware locked where I live. It is possible to root some of the ISP devices, but not all
redwoolf 3 months ago
Can anyone suggest a good modem for DSL Fiber? I have CenturyLink/Quantum.
honestSysAdmin 3 months ago
Always treat hardware you get from someone else as not just untrusted but hostile until proven beyond any reasonable doubt otherwise.

Put an OpenBSD machine to act as a router/firewall between supplied devices and your own network to keep things clean.