Sorry for the dumb question and hopefully this is relevant enough to the sub. I have my own firewall and right now it connects to my ISP's provided home router over RJ45, their router gets a fiber hookup to their network and it's the only ISP device in my home. If I have a firewall with a fiber port, can I take the fiber to the modem and hook that straight to my firewall, or is there a reason I need their device?
I guarantee your ISP's router has some sort of Network Access Control (either certificate or MAC address based) authentication that controls access to the ISP's network. The ISP would be crazy to not do that.
It is an easy test. Just bypass the router and see if it works.
The worst that can happen is your personal devices get denied access.
Some ISPs will also let you switch to your own modem if you call them and set it up with them. Have done that for years with my ISP as they otherwise charge a rental fee for their modem that pays for a completely brand new modem after only 6 months.
As others mentioned, it depends. Germany has freie Routerwahl by law and ISPs have to allow you to use your own router. They won't offer support configuring it of course, but they usually provide you with some credentials to properly authenticate.
I was kind of expecting something like that. If I wanted to do the test, would I just set the WAN side of my firewall to dynamic and see if it picks up an address?
Yeah, the ISP will have to give you an address. The headache might be finding out the DHCP server's hostname. You may be able to find that out from the IP information on the ISP-issued router you have.
So everyone else has good points but there’s one other part I don’t think was mentioned.
Most ISPs use a PON based network. This lets them connect one fiber in their network and "split" that to up to 128 (or more, depends on the OEM) customers. You need either a GPON (Gigabit passive optical network) or XGS-PON (10 gigabit symmetrical passive optical network) SFP module, and usually the ISP has to get a serial number off of that module to provision the proper data service.
This is contingent upon the ISP being willing to do that. At the one I currently work for, we really don't do that except for businesses.
Got it, thanks. I was thinking it can't be as simple as plugging my firewall in and it just pulling an address.
No, you are likely looking at an ONT (optical network terminal), and it is not a router. Even with a port that accepts the fiber (SFP or SFP+ for 10G) on your equipment, the OLT (optical line terminal) likely will not provide you with service.
If you were to match the wavelengths the ISP is using you are likely to become a “rogue” on their PON that can knock out service for other customers that share the same passive network as you.
I make assumptions about you being on PON since you say AT&T, generally all I have ever seen from them are passive networks (one fiber with splitters for 1 port to many customers) unless you are paying extra for “dedicated” ($$$$$) internet.
If they are using an ONT with an "RG" (residential gateway), which is the typical "all in one", you can request that the gateway service be removed and replaced with a layer 2 bridge, where your router/firewall gets the "external" addressing and there is nothing being done by the ISP equipment other than sending you traffic and OAM (operations, administration, and maintenance; usually check or alert for light levels, software status, if a part of the ONT fails etc).
It depends on their policies. Some ISPs allow you to purchase your own router. Some don’t. As long as their device supports bridging or in some cases DMZ you can just bypass their device to use your own. That is what I did when I switched to AT&Fee fiber.
Yeah, I have AT&T and am currently using bridge mode, but I want to rip out their device completely if possible.
Nope. I looked at it and couldn't come up with a way to do it. Please ignore that though. I would love to eliminate their device but so far I haven't been able to. If you figure it out I would be happy to give it a try. I'm using the passthrough method on my AT&T router. My router does have a public IP on the WAN and I shut IPv6 down completely.
I have quite a bit of experience with the tech. I’ve worked for several ISPs over the years. My last gig was sysadmin for a small four town ISP.
You could see if you could swap to the 8311 WAS-110. It's not the cheapest but it can entirely mimic an ONT and be the new gateway for your ISP.
I don't know where you are and it probably matters, but in France you would need to subscribe to an enterprise contract to use your own gear, or go with smaller ISPs. At best, we can put them in bridge mode. You need to check with your ISP for that.
Actually, there are ways for home customers to replace their XGS-PON to use your own hardware (Orange, Free, SFR…) And some other cool stuff and very helpful info at the lafibre.info forum!
It depends, and without knowing your ISP I'm not sure there is a way to tell you for sure. I know for example Comcast Gigabit Pro has been known to directly connect to an ISP SFP module in your firewall/router, but Verizon FiOS (and most FTTP that I know of) provide an ONT that converts the fiber to Ethernet, which you would then connect directly to your hardware.
I would verify that the ISP router you refer to is not really an ONT, in which case you are directly connected to the ISP functionally and there isn't really an advantage to getting an SFP and getting the fiber directly connected, if you even can.
ONT SFPs exist, but they’re prohibitively expensive. And hard to find.
Verizon and AT&T just rebrand Nokia ONTs and roll some of their own software that is mostly enhanced or changed encryption at L1. Can't speak for Comcast, I only know about the other two as I'm in a smaller ISP that competes with them.
They use L2 ONTs that don't have any gateway functions, just fiber to Ethernet with some extra overhead to monitor the connection between the house and shelf.
The ONT-on-a-stick units do the same thing, just a more compact and expensive interface that doesn't have great support, unless Comcast are running all home-run fibers where they can just provide a straight SFP instead of doing any optical splitting.
I kinda hate Verizon, but I didn't realize there were these other gotchas that I'm avoiding by using FiOS hardware. The hardware itself has actually been pretty good. I can't imagine paying for internet and not being able to just plug in my own router.
I mean you can, an ONT is not a router, it’s essentially a media converter. I use my own router (and have for many years) and had no issues. The FiOS tech even ran a long Ethernet run in my basement to connect the ONT and my router in my rack when they installed service.
Is getting an ONT with Ethernet output normal? The comments were making me think that’s more of best case but maybe not standard.
It wasn't standard previously, and if you have TV service I think it's still inconsistent, but in the past ~5 years it seems to be more common that they are set up that way from the start. If you have internet only service, and a newer ONT (like less than 10 years old), it is the standard configuration and is how the self-install guide tells you to hook up the "Quantum Gateway" router from Verizon.
You can always call and ask to have your ONT converted to Ethernet output if it isn't already, and as long as it supports it I haven't heard reports of much trouble there. The very early ONTs don't support it though IIRC, but those should be being replaced at this point anyways.
You might be able to do MAC address cloning for fiber ports; if you have OpenWrt or similar it usually offers it.
A firewall may not offer full routing and NAT though for IPv4 devices, or wifi if you need it, or IPv6, or many other features. I've also used a cable modem and stuck the router in the DMZ, which essentially makes it a passthrough device also, in the past.
Basically, play with it and good luck!