Ask HN: Why does it seem hard to buy an ONT for fiber?
31 points by apollo_mojave 10 months ago | hide | past | favorite | 59 comments
For years, I had cable internet and purchased my own modem to use along with my own router, main reason being I don't trust my ISP to handle my personal information with discretion and I'd like to limit my dependence on their hardware as much as possible.

Now I've moved and I have fiber, which is great, except it seems I have to rely entirely on the fiber equivalent of a "modem," which I believe is the "ONT."

My question is: why? Why was / is there a fairly well-developed market for modems where consumers can choose their own hardware, whereas for fiber there is almost no market for ONTs? Is it for a technical reason? Or do ISPs want to be able to get cheaply manufactured ONTs and pass along "rental fees" to consumers?




I'm not sure where you live (probably the US), but here in Europe you can easily get GPON ONTs from different manufacturers. There are even whole communities dedicated to replacing your ISP's ONT+modem combo: https://hack-gpon.org/quick-start

In some countries (Germany) it's super easy, because there are laws forcing the ISPs to allow customer provided equipment, while in other countries you need to do some hackery with spoofing serial numbers and such of the original modem. People even make utilities to scrape that information via the administrative interface, and make the process semi-automated: https://github.com/StephanGR/GO-BOX

The biggest problem for me about the ISP routers is their sheer size; they probably make them big so that they seem "powerful" to the average person, who then chooses that ISP believing that their router provides superior Wi-Fi. New apartments built here (in Poland) even have nice boxes with the incoming fiber and an electrical socket where you are supposed to hide your router, but the shoebox-sized devices don't fit there and you have to put them on the floor, or somewhere else. I myself have bought an SFP+ GPON (LEOX LXT-010S-H) transceiver, which is the smallest form factor you can get. It goes inside my Banana Pi R3 router, together with an LTE modem for backup connectivity. And this setup is still smaller than the box provided by my ISP, which only served as a bridge between GPON and my router.


>The biggest problem for me about the ISP routers is their sheer size, they probably make them big so that they seem "powerful" to the average person and he chooses that ISP believing that their router provides superior Wi-Fi.

Size is not just for fun: if you have a MU-MIMO-capable device with multiple antennas you need distance between them. Same with the spider-like gaming routers; it's not just aesthetics.


Where I live, I just plug the fiber straight into a Ubiquiti EdgeRouter X. All the setup needed, which was documented on a local forum, was to buy the correct SFP module and to set a specific VLAN tag on the WAN port.


In France there's this forum

https://lafibre.info


When I explored this question a few months back, I initially thought it was to extract rent. It seems though that it comes from concerns of malfunctioning ONUs, ones that perform poorly, or those that color outside the lines of the specs causing problems on the entire PON node. It seems these concerns were originally well-founded, so the advice has been to match OLT and ONU manufacturers. Now XG-PON ONUs that you can buy are all standards-compliant, so this isn’t really a concern. However, organizations that have been burned by something in the past develop scar tissue over certain topics (“policy”), and say “never again.” I believe that’s probably what is happening here.


I don’t know what privacy you think you are gaining with your own modem.

They already have your name, address, and payment info.

If you are concerned about them seeing your traffic, well, they are going to see that regardless of whether you use their modem or your own. They own the public IP you get assigned; all traffic is going through their route tables and equipment and is logged before it hits your home router.

Use DNS over https (not the ISPs DNS), or a VPN if you want to hide your activity from them.

Your own modem gains you little in privacy. At worst they could be tracking a count of your devices and their MAC address, but they probably don’t care to collect that.


For the most part, I believe it is all about the management and troubleshooting ability from the ISP side. You can buy ONT devices, but I think that the OLT device of the ISP must support the one you bought, which really defeats the purpose of buying it. There are even SFP modules that can work as an ONT interface.

Really your best bet is to ask your ISP if they can bridge a port on the ONT so you can use your own router after that without double NAT. In this scenario the ONT will be functioning mainly as a media converter.


My ISP was not willing to do this for me, but they did give me the admin password for the device so I could change the SSID on the integrated WiFi. From there I was able to configure a bridge interface. Everyone is happy with this outcome.

Most of the time in my experience you can’t BYO ONT because it needs to be authed to the network and the ISP won’t do that other than for their own hardware. On the other hand I’ve never heard of being charged rental fees for an ONT.


> Really your best bet is to ask your ISP if they can bridge a port on the ONT so you can use your own router after that without double NAT. In this scenario the ONT will be functioning mainly as a media converter.

An ONT is already a bridge - those are for the cases when you have an integrated ONT in a router provided by your ISP.

If you are provisioned with ONT, you can connect your own router to it


The ONT's job is to translate from (typically) Ethernet to the optical fibre, and nothing else. In networking terms it's "Level 1"; concerned only with moving bits from one end to the other. Most ISPs will provide an ONT which does that and nothing else, and then a regular router/firewall that plugs in to the ONT via Ethernet.

Your security barrier is the firewall in the router, plus whatever encryption you apply to comms outside it. As long as you get that right your ISP can't see what you are doing apart from the to/from addresses on your packets (which can't be hidden, obviously).

ISPs generally push their own managed router/firewall at you because that way when something isn't working you don't wind up with arguments about whose fault it is, and the ISP can troubleshoot your router. But in my experience they have no problem with you unplugging their device and plugging your own in instead.

I haven't seen an ISP which does the ONT and the router in a single box. It's theoretically possible, but would be a bad idea for several reasons. One is security, as you say. Another is that the fibre can't be extended with more wire, unlike a copper phone line. So the ONT tends to be a small wall-mounted box with an Ethernet jack in it. That way your Wifi access point isn't stuck low down next to your front door or something.


One point of correction...

> In networking terms it's "Level 1"

What, I think, you mean to say is "Layer 1" of the OSI model, which is still incorrect. An active device, even when "dumb" is a "Layer 2" (Data Link) device. Ultimately a "bridge" networking device. The device is doing local media conversion which can't be accomplished by physical media interconnects alone. Even if the data link protocol is the same on both sides bridging the media types often requires a conversion. But in the case of ONT it's not going to be Ethernet on the WAN / carrier side. Not sure of the setup here but the PON is usually a very "dumb" last mile as it's often some sort of DWDM driven headend that's splitting out wavelengths for downstream consumption by the PON via the OLT and then broken out to Ethernet on the CPE, which is an ONU in this case.


It is not quite as simple. The ONT also maps services to ports. Take for instance an ONT with 4 ethernet ports and 1 FXO port. The FXO port can be mapped to a SIP service, and each ethernet port can be mapped to a different network service. They can even have multiple tagged VLANs. Multi-port ONTs are often used to deliver services to multiple businesses sharing a premises, or those that want an equivalent to a leased line in combination with an internet service.


In Portugal you have at least two ISP’s that do ONT and router in the same device (MEO and Vodafone).


"Modem" stands for "modulator-demodulator" and it is there to convert the TCP/IP traffic in your house to some sort of non-TCP/IP connection that goes to your ISP. In case of cable provider, I believe the outgoing protocol is called DOCSIS, and in case of a telephone provider it could be ADSL/VDSL etc. (Historically some also used ATM above the physical layer.) The modem is there to do that translation.

With fiber, there is TCP/IP traffic within your house and TCP/IP traffic to your ISP. There is no translation to do, so no translator device (modem) is needed. The only thing needed is a physical layer conversion, from 0s and 1s as voltage over copper, to (exactly the same) 0s and 1s as light over fiber. This conversion (not "translation") could be done by a stand-alone ONT (a rather uncomplicated, or could I say "trivial" device), but there are several router boxes that have fiber connections, either built-in (on board) or as plug-in modules.

Different ISPs have different offerings, but as you might imagine not many people want to manage their own router. My ISP has provided me with a free ONT which goes into my router, to which I connect my WiFi access points, all of which I manage myself.


This is not entirely true with PON (passive optical networks). The ONT is more than a media converter (optical -> copper), it facilitates the conversation with the OLT (Optical Line Terminal) further upstream. That connection is not an ethernet connection and needs specialized hardware that can communicate using the PON protocols.

The ONT is managed by the service provider and provisioned with their tooling. It typically holds the user profile of the customer, and contains information about the subscriber's service level. It is not something that can reasonably be replaced by the end user with their own hardware.


This could be true in the general case, but in my specific case I was provided with the username/password combination that I fed into the PPPoE configuration page of my router.


Because the xPON ONT was provisioned to set up ethernet over PON for you, which in turn was used to set up a PPPoE session to the actual internet.


Again, I'm not certain of the entire stack beyond my house, but the device they brought for installation was sealed in the box that said "Media Converter" (not "ONT") on the box. It could still be the case that they somehow set it up remotely, or it could be that no setup was needed. For all I know, I tested my connection with PPPoE.


Yep, that's ONT.

They are provisioned remotely over network from controller run by ISP, which sets up appropriate timeslots (xPON is a time-division multiplexed network in practice, though DWDM - wavelength modulation - is also used).

  Internet -> ISP network -> PPPoE -> OLT (head unit) -> passive fiber network (and/or DWDM) -> passive splitter close to home (often inside apartment buildings) -> ONT -> ethernet to your router for PPPoE -> your systems


Can you please expand on how much of that chain can be qualified as "Ethernet" (or "TCP/IP") and how much is "neither at all", and how different that is from e.g. a classic "DSL with ATM" chain?


From OLT to ONT, and everything in between, is handled by non-ethernet/non-IP protocols over which you can tunnel whatever higher level protocol you want.

Technically that can continue to whatever hosts the PPPoE gateway. Ultimately, the OLT is the "root node", and ONTs are "leaf nodes" of a passive optical network tree. What is distributed over it is of less interest to it. But that's why you often have ONTs called "media converters" - though they aren't exactly that. A typical ONT also includes an xPON MAC component as well as all management functions necessary to log into the xPON network, establish a session, etc. and demux the transported protocol to whatever is delivered on the other side (nearly always ethernet).


Calling something a modem is more about what the signal looks like on the wire and not about translating anything.


> I don't trust my ISP to handle my personal information with discretion

I'll start off by saying I'm not a fan of being forced to use their gateway. It's essentially just superfluous equipment in my network closet and another point of failure in the chain. I'd rather just be able to reliably patch directly in, but such is life.

That said, there's no loss of privacy with the gateway in bridge mode and me patching directly in. In the end they see whatever I expose on my router and they see all my packets. There's no functional difference privacy-wise here, unless they've got microphones or something on the gateway. Maybe they're sniffing wifi, but so can a car driving by.

FWIW, AT&T does this because AT&T does what AT&T does. They were doing it back in the day with their DSL service as well. There are a few more compatibility challenges when it comes to PONs versus DOCSIS modems, but theoretically one could buy an ONT and have it participate on the network. The actual ONT is just a media converter though, and without AT&T's gateway to auth you properly you're not going to be able to send any traffic.

As mentioned elsewhere though, I've been using AT&T's service for a long time. I've never had a modem rental line item in my bill.


AT&T Fiber in bridge mode is not actually bridge mode. It's some weird 1:1 NAT if I recall, and buggy in certain conditions.

You can get the 802.11x certificates off the gateway itself and auth via your own equipment though if you are sufficiently motivated[0].

I believe there are some newer methods as well, but I haven't kept up on it since I've luckily been able to get a different provider since that doesn't play games with the gateway devices. RCN at least lets you BYOD and is an ONT only.

[0] https://github.com/owenthewizard/opnatt


I'm aware of how the AT&T bridge mode works; it makes no functional difference to my security argument. The only issues I've personally seen are overloading the NAT state table, largely from running multiple crypto wallets or multiple torrent clients with wide open connection settings.

You can get the 802.11x certificates off the older gateway for now older firmware versions, but newer hardware doesn't have the same exploits.


I'm in Poland. When I had fiber installed I asked the provider if they could install an ONT. They balked a bit but eventually relented. They provided their own ONT at no extra cost. Orange is the provider, in case anyone is interested.

It's up to the discretion of the installer. I think being able to speak in technical terms and provide a decent argument convinced the installer. I got a feeling that they don't generally do it because for most people, the Orange FunBox is a good enough solution.


Just for the record I've seen other providers giving routers with GPON SFP/XGS-PON SFP+ modules, which act as an ONT (see eg. https://www.play.pl/pomoc/naprawa-i-konfiguracja/telewizja-i...).

I'm not sure if they could be inserted into own equipment, though.


In practice, it's a matter of region (for Orange Poland). For various reasons (supply chain?) they prefer to keep ONT only for particularly motivated business clients, or mostly further away from cities.


A good fibre ISP will have a separate ONT and router, so you can still pick your own router.

The ONT should be considered part of the ISP's network and not tampered with or replaced. Fibre with an ONT (PON) is a shared medium with other customers, and trying to use your own equipment has the possibility of degrading service for other customers.


In a DOCSIS network the coax is a shared medium with other customers and at least in the US you largely could bring your own modem, within approved device lists.


Ah ok, in the UK our only widespread DOCSIS network strictly forbids 3rd party modems for the same reasons I mentioned.


The same can be said of cellular networks where in most part of the world connecting your own equipment is accepted and expected.


It grew out of many countries licensing the specific devices at national/trans-national level, not telco level.

Though there were throwbacks, like early iPhone, with special tariffs, but those were 95% for business reasons not explained to end buyer and 5% for marking the terminal in network as "the one that is slightly out of spec and remember to special case call redirection"


True I guess, although one would perhaps expect a fibre network to be more reliable and stable than a cellular network.

Why would a large ISP allow customers to bring their own ONT if it means higher chance of problems on the PON? It doesn't seem worth the reputational risk. Allowing customers to bring their own router doesn't affect other customers.


What personal info does your ISP have access to that they would no longer have if you replaced their fiber optic transceiver/router combo with your own?


In my market you can’t plug into the ONT because it still requires authentication.

The modem the ISP provides has hard coded settings to limit connection counts as well as rate limit and probably other things. There is a reason they sell full duplex gigabit for so cheap, there are gremlins in the hardware.


Mostly because a lot of ISPs serve the ONT as an NTU (i.e. your network gateway or border) and others use it as CPE.

Here in Aus the (horrifying, terrible) national broadband network uses the ONT as an NTU from which it can split the service out to IIRC 4 ethernet hand-offs and 2 RJ11 VoIP services. And because of this most private fibre providers do much the same. (Although NBN does it in part because their authentication method involves inserting DHCP option 82 into DISCOVER and REQUEST messages.) In fact, I am aware of one that has moved to a single-port ONT but still provides the customer another router beyond the ONT and keeps the ONT for NTU purposes.

NTUs are good actually; having a device to troubleshoot from inside or very near to the customer's premises can keep support costs extremely low. If you have something that can also perform an ethernet cable test, so much the better.

That said, there's another possibility. I have seen quite a few ONTs and man, the majority of them in the usual price range of a residential ISP SUCK. The interface sucks, the hardware sucks, the software sucks and some of them have a lifespan comparable to a fruit fly. I wouldn't want my customer getting too familiar with devices that look like garbage and can fall over at the drop of a hat. So we just hold on to the password of those and let the customer do whatever they want past the demarc.


There are, undoubtedly, many reasons for justifying not having to use their equipment. Besides rental cost, having extraneous hardware which is unused functionality at least raises the probability that there could be something which goes wrong due to added complexity. The most compelling reason being if I insist on using bridge mode (on such a gateway), and then, after some unforeseen firmware upgrade, that setting is reset, then my entire network becomes unreachable. Or at least as unreachable as it once was before the update. Having a simple bridge device like a pure modem or plain old ONT, there can be no functionality to reset which would potentially alter the state of the network. It either passes as a bridge or it doesn't. A lot of the friction though, at its core, is the result of either, drumroll, having full access to the device providing layer 3 NAT or not. As ISPs want to smush together their on-premises equipment they, due to the nature of the stack, need to take control of the NAT to do so. At that point users who would like to open ports or do anything more than request a connection from the inside are out of luck, and it shouldn't be accepted, as ISPs don't NEED gateways to make their network work. Illustrated by the many smaller ones who do just fine without.


> main reason being I don't trust my ISP to handle my personal information with discretion.

Surely if the ISP wanted to do something nefarious, they could do it in the next equipment in line that doesn't sit in the customer's house. Anything before the customer's own router is the Internet where nothing should be trusted. Whether the modem belongs to the customer or the ISP doesn't really change that.


When I had AT&T fiber, they had an ONT and a Modem; the ONT was installed outside the house, styled like the NIDs for POTS. There was no fee for the ONT, but there was a rental for the "modem". AFAIK, all the modem did was run 802.1x auth and do crappy NAT.

I understand that ATT has moved towards combining the ONT and Modem into a single piece of equipment.


That "modem" is usually just called a router or residential gateway, as it is just plain Ethernet, WLAN tied together with some low cost SoC running Linux, in other words just like any other Wifi router you can pick up at a big box store. In AT&T's case, the keys were a cinch to pull from the device and you can run openwrt or pfsense or whatever on your own hardware, you don't even need to use it. Calling it a modem confuses the issue.


You can extract the certificate from the bgw210 and put it on a third party router. Then you don’t need the ATT modem at all. I did that last summer using this: https://github.com/mozzarellathicc/attcerts


If their ONT and gateway are a single device it's not the BGW210. AT&T has been rolling out a newer gateway for over a year now.


BGW320 is what I got a year and a half ago, a single box.


I've been on AT&T's internet for well over a decade and I've never had a rental cost line item on my bill for their gateway. Don't get me wrong I'm sure it's modeled into their pricing, but so is the ONT and all the rest of their hardware. It's never been a line item in my bill.


I've been on AT&T's internet for several decades (going back to ISDN), and although my current fiber internet service shows no device rental fee, for many years before that, I had a monthly "Internet Equipment Fee" of $7. This was for the 2Wire 3801HGV router (the AT&T specific model).


I had AT&T Fiber installed last year, for me at least it was still two separate boxes.

But you have me curious now to see if I can get it as a single piece of equipment. Especially since I have my ONT installed inside the house (which is less common as you indicate).


Telecom legacy, probably. The ONT is seen more like the old "demarc" / "network interface device" from the copper days. You didn't install your own demarc: that was done by the telephone company. Everything after the "demarc" is customer operated, everything before the "demarc" is telco operated.

Operationally, it also simplifies things having a relatively uniform set of ONTs. With cable modems, there are hundreds (thousands?) of models that have to be evaluated, tested, certified. Cable companies often do their own firmware updates.


I seem to remember that a long time ago, a single 2.5Gbit fibre was split across 32-64-128 households. The GPON’s job was thus to only decrypt the traffic meant for your connection.

It may be wrong information, or it may be completely outdated and irrelevant, but I remember that this was a reason why it was difficult to use your own ONT.

But seeing as the ONT is just a reframing/medium converter, I’m not sure I’d care enough, as long as the one provided by the ISP is reliable and performs well (those old black Alcatel ones were terrible).


ONTs use a passive transport (PON). ONTs are assigned time frames where they can send to the OLT (ISP equipment) that facilitates the connection. Incorrect equipment will cause that PON to become saturated by an ONT that decides to malfunction and become a chatterbox. The OLT needs to be able to speak to the ONT to tell it to correct itself or shut up. Drift windows and rogue ONTs are an issue.


There are reasons to want your own modem, to avoid overpaying via rental fees, for example, but what security or privacy do you imagine you're getting by buying your own modem?

You're literally plugging it into their network and they can see everything that goes on the pipe whether they are on the LAN side of it or the Cable side.

There's a stronger privacy argument for using your own WiFi access point though.


For me, it’s a provider installed ONT on the side of the house. This converts fiber to Ethernet that runs inside my house. I then have just a port to plug my router into.

Now, the provider trying to bundle a router is another question… but the ONT isn’t something I’d like to buy. And on my invoice, it isn’t even listed as something that I rent.


Jiminy crickets, this thread reveals how much I have forgotten about networking. I've been a tech for 33 years... I forgot how much I used to know about fiber.

Is this what getting old looks like?


Even for the router, I still use the Fios Quantum because I suspect Fios configures it from time to time. Am I wrong? I'd prefer to have my own but it works well enough.


On Frontier and when it was previously Verizon I have only used my own router plugged into ONT via Ethernet cable. This has been 11 years now.


Right, I always used my own router when I had cable, I just thought fibre would be more complex.


Get a business line and you can do whatever you want after the demarc. Unifi probably sells a decent prosumer ONT.


AT&T effectively has two levels of "business line", largely based on the local infra deployment. In a commercial building you'll often be able to just get a fiber drop you can plug into your own SFP, set your IP info, and go. If you do "business line" in a residential area, it's practically the same service as residential Internet with their 802.1x-locked gateways just with static IPs as an option and an actual SLA. Unless you want them to run a fiber from their business service area all the way to your home, but be prepared to spend many thousands more.


For fiber you can make your own. The modem transforms the light signal into electric, the protocols are open, routing is also a solved problem. The biggest problem are the ISPs themselves that hide credentials and any self-serving method away.

