...and that's why my ISPs router is running in modem mode with a non-ISP-controlled router from Ubiquiti behind it - which I may replace with a pfSense box in the future.
I'm pretty happy that my cable ISP is allowing this mode so I don't have to double-NAT in my setup.
You're lucky your ISP's router offers you that option. My ISP's VDSL2 router would require "unlocking" in order to get bridge mode and it can't be easily replaced.
I recently upgraded my internet speed and my pfSense box was limiting my top download speed. So, I just went from pfSense to a Ubiquiti Secure Gateway. There are pros and cons of each, but I couldn't find any trustworthy pfSense hardware with the performance of a USG for anywhere near the same price. I do miss the configurability of pfSense though so I might switch back some day. That said, the ubiquiti interface and provisioning model is really slick.
This is why, in my case, the ISP's router (that awful box Verizon provides with FIOS) is sitting, beside the DMARC, unplugged and powered off.
My DMARC has a hot ethernet jack, and my firewall (PC running Linux) that I control is connected to that ethernet jack. No ISP shenanigans (other than what they can remotely do to configure the FIOS DMARC itself).
I'd be grateful for guidance eg a link to a writeup of recommended hardware and config for a reasonably technical audience, eg "Given a Verizon FIOS G1100, put it in bridge mode and connect hw that supports software X"...
If you just have internet service from Verizon, and your router is already hooked up to the ONT by Ethernet, you can pretty much just pull the cable from that and hook it up to any Ubiquiti unit. I have a USG 3 and it works swimmingly.
For those who also have TV service, it’s more complicated, since the STBs talk TCP/IP over MoCA for various services (I believe including the program guide and DVR functions). The Ubiquiti forums have lots of posts on people trying (and succeeding) to get their gear working with FiOS.
most of the time you only require PPPoE or DHCP as you practically speaking get a ethernet tunnel to your ISP using that bridge. Some ISPs additionally segment this network by VLANs so your list of required features is probably already complete here.
If your ISP didn't have that feature, could you just replace the cable modem too? My ISP's router is running EuroDOCSIS 3.0 and I'm wondering if I could replace the router with a modem + router of my own.
if you happened to live in Germany there is a law in place that force ISPs to allow that. But if you would live in Germany you would probably know about this. That said there is no technical reason making it impossible. If you connect an unknown device here, you get access to the customer web panel only and can register your device using it. Afterwards it gets provisioned as usual (with caveats [no PacketCable for example])
practically though what is the difference between having the endpoint in a shaft by the elevator or in your apartment or even down the street? in all scenarios i'd put my own router behind the ISP equipment and run my local network however i want.
the only issue is with getting a public ip address for inbound connections.
here we are not getting public ip addresses anyways, so the point is moot for me. but if you do get one, then all they need to do is configure their router to forward the public ip to yours.
in my case the ISP even installed two routers. one was theirs that i had no access to and one was "ours" that i was able to configure as i liked or replace with my own. both routers had their own wifi, but i don't use the one from the ISP endpoint router
I have been so disappointed with my ubiquiti hardware. That UI is gorgeous, but lacks some real functionality that I need. I can’t block BitTorrent (see forums). And I can’t see a detailed traffic log; only the categories. Plus, those pretty graphs that tell you how much data you’ve used doesn’t give a time frame. I have no idea if it’s a week or a month.
I'm pretty happy that my cable ISP is allowing this mode so I don't have to double-NAT in my setup.