
I have had an FTTH connection with Telekom since 2018, as the only provider in my street allowed to install an internet connection (glass fiber only).

Since then, I have always used my own device and I maintain a GitHub Snippet on how to connect an OpenWRT modem (and by extension, any other modem that supports PPPoE) rather than their Huawei SpeedPort crap or the more expensive Fritz Box. Link to Gist: https://gist.github.com/madduci/8b8637b922e433d617261373220b...

I use PiHole in my own network, circumnavigating the DNS limitations, using Quad9 as my main DNS provider, but Unbound is on my to-do list.

The most concerning limitation in the German market is the unavailability of native glass fiber modems that can accept a glass fiber connection as input: at the moment, providers install their own glass fiber modem. Without it, you can't actually have an internet connection at home.


You have the right to router freedom even with FTTH. And fortunately, with DTAG FTTH, you can also book 1und1 with good peering (:

Router freedom, yes, but the Telekom Black Box that takes the fiber cable as input is still a real "black box" that needs to be installed.

Here in NL I've been able to replace router (Zyxel in my case) and ONT (Huawei in my case) with one SFP+ (went with some South-Korean one). Only had to register the serial of my SFP+.

Nope, just remove the Telekom Black Box/ONT, get a GPON SFP (like Luleey or FS) and register that MAC.

> providers install their own Glass Fiber modem

It's the same in the US. The ISP fiber network falls inside their security boundary in my experience - you can't BYOD. They install a modem (these days often including an integrated router, switch, and AP) and you receive either ethernet or wifi from them.

I think the only major change in that regard has been that coaxial cable providers here will often let you bring your own docsis modem these days.

I never found any of this concerning until quite recently. With the advent of ISPs providing public wifi service out of consumer endpoints as well as wifi-based radar, I'm no longer comfortable having vendor-controlled wireless equipment in my home.


I don’t have fiber access, but at least for cable, my provider (formerly Kabel Deutschland, now Vodafone) allows me to put the modem/router into "modem only" mode, which then allows me to use my own router. Outside of Fritzbox (which is again a whole integrated thing; with questionable features) there aren’t many DOCSIS modems freely available, and the no-name china devices don’t seem much better than my Vodafone Box.

> allows me to put the modem/router into "modem only" mode, which then allows me to use my own router.

Telekom Speedports also have a modem only mode (the ones for non-fiber, dunno about the ones for fiber, but it looked like those are only modems and not a router as well). I don't make use of it since I manage the wifi for my family, but I do know it exists.


In the U.K. you get a PON which gives you a cat5 gig or mgig port, you then connect your router and pppoe to your ISP. Most ISPs offer a managed router but the ISPs I’ve chosen have always allowed the pppoe option.

Same thing here except when they last upgraded the ONT I had to turn PPPoE off - it's just plain old ethernet service now. But the ONT seems to be performing the equivalent authentication role from what I was able to gather by shoulder surfing the tech.

They had to start offering routers that integrate the ONT because the common consumer gear is 1G or 2.5G ethernet but they sell up to 10G service here.


US ftth in my experience (att + gfiber) are ONT and router/wap as separate boxes and you are free to byo routerbox but have to use their ONT.

Supposedly some of the major US providers (at least AT&T) have dropped a bunch of the obnoxious, ineffectual security stuff in the XGS-PON networks. There are plenty of reports online of people quite successfully running entirely third-party stacks using adorable SFP+-format ONTs without anything that would credibly be called hacking.

I have fiber in the US with just a plain ONT. Still CGNAT but I control my network. My former cable ISP permitted customer modems. It is becoming a challenge to find cable modems without router+wifi.

Faraday fabric is inexpensive, you can use ethernet to your own router and wrap the isp's in it.

> The most concerning limitation in the German market is the unavailability of native Glass Fiber modems, that can accept as input a Glass Fiber connection: at the moment, providers install their own Glass Fiber modem.

I'm actually quite okay with that. Why should I have to pay for specialized hardware that won't be usable if I move and the new apartment uses DSL or DOCSIS? Give me an RJ45 (or SFP for some fiber connections) and let me put whatever router I want behind it.


You say "why should I have to pay", but they really haven't said or suggested anything about how they'd rather you paid for anything. They're talking about having an option to supply one's own device, not about requiring it.

The common rationale behind this I'm aware of is that an ONT device is technically a computer with persistence, hosting arbitrary code and data that you cannot (or at least are not supposed to) audit or alter, despite being on your premises, operated at your cost (electricity, cooling, storage), and specifically deployed for your use. These properties hold for SFP modules too in general, not just SFP ONTs (they're all computers with persistence).

The catch is that this is further true for all of these kinds of modems.

The counter-catch is that despite that, for DSL specifically, you could absolutely bring your own modem, hw and sw both.

The counter-counter-catch is that with DSL, you were not connecting to a shared media, but point-to-point. This is unlike DOCSIS and GPON, where a misconfigured endpoint can disrupt service for other people, and possibly damage their or the provider's devices and lines.

That's all the lore I'm aware of at least.


Very much indeed, a 'rogue ONT' can screw nearly 63 other users' access in my area. Oversubscription is very noticeable, but just not problematic. 10G FTTH delivering 60~70% of the bandwidth is enough I guess. And latencies or jitter aren't a thing either.

The "glass fiber modem" is an inherent part of the GPON network. These are complicated. The "P" stands for "passive". Yours and up to 127 other houses are all on the same "light domain", i.e. the downstream is passively split, and the upstream is passively combined, in optical boxes that don't even have electrical parts.

This needs crazy accurate timing for the upstream. The head end needs to know the exact delay to your particular box to give it a "grant" to transmit at exactly the right time so transmit bandwidth is not wasted by idle time or multiple boxes transmitting at the same time and corrupting each other.

You don't want brand X modems with dodgy configurations in this. Of course as a consumer you'd want "as little modem as possible" i.e. just give me an ethernet port running DHCP or PPPOE and let me do the rest.


They are complicated, but standardised and commoditised. Ubiquiti, for example, sells an ONT (fibre modem) in a SFP form factor for US$39 [1], or a little standalone unit with an Ethernet port for US$49 [2].

1. https://store.ui.com/us/en/category/fiber-gpon/products/uf-i...

2. https://store.ui.com/us/en/category/fiber-gpon/products/wave...


For comparison: you can bring your own DOCSIS modem to a cable network, even though all the houses on the street are connected to the same cable and you could jam it, or send a voltage spike to break everyone's modem.

Not very familiar with DOCSIS and cable; the story I'm getting from my nearest friendly LLM is that while you could bring your cable modem, it'd have to be a pre-approved model, and that the firmware and configuration would be under ISP control, unlike with DSL modems. Is that wrong?

In Germany it's wrong.

How does it work in Germany?

By law the demarcation is a passive one; the provider is not allowed to mandate you operate ANY of their active hardware. If they want to sell you internet only via e.g. RJ45 Ethernet they better consider asking your landlord to rent them space and power and Cat.5(+) wiring access to put a switch/router, because by law they can't dump that on you the residential apartment renting customer.

You may either rent/buy a device from your ISP, or you may bring your own, at your discretion. ISPs are required to accept all devices, of course if your device kills the network segment, they will kill your connectivity. But they can't refuse to let you connect.

What happens if your device connects 1000 volts to the cable and fries everyone else's device and the head-end?

You get taken to court and sentenced to pay the damages? Same thing that happens with the TV cable that runs through the whole street. Or the cars parked openly along the road. If you damage it, you pay for it.

You're by law allowed to choose your own hardware.

And do they exert any control over the software and configuration on it? That was kinda the crux of it after all.

Controlling your hardware without consent that they legally can't ask for would be illegal hacking.

They do however have the right to mandate certain configuration parameters, just as they are allowed to mandate that you connect something that isn't a noise generator to e.g. a cable TV outlet. Well, being able to limit you to connecting devices that conform to some spec.


Here in Spain it was common to get one of these to replace the ISP ONT:

https://eu.store.ui.com/eu/en/category/fiber-gpon/products/u...

Not that I had the need or anything, but it's similarly priced to the example in 2. Seems to me like maybe they're phasing it out soon?


I cloned mine into an SFP+ for a handful of microseconds of latency improvement.

Less W usage as well.

Is it possible to use a media converter from glass fiber to RJ45/Ethernet? Those are commonly available and then you can use whatever modem/router you like.

I don't know if it's the case in Germany, but here in France consumer FTTH networks are of the GPON persuasion. These need to handle encryption and be able to properly register on the tree, so I'm not completely shocked they require some form of ISP-provided device to terminate the fiber connection.

There's also an EU law which says that users should be able to bring their own modems / routers, so AFAIK providers say that this particular terminal device is still "on their side of the network".

I've seen such devices come in two varieties.

One is a separate device which plugs on the optical network, does the encryption and stuff, and then exposes an ethernet port which is connected to the actual router which does wifi, etc. With SFR and Bouygues, it was trivial [0] to replace the ISP-provided router with one of your choosing. You get the normal external IPs and you do your thing. The ISP router sleeps in its box in storage. This was my setup up until a few years ago, with both these providers. Now SFR has moved to CGNAT, but the setup is the same, so I expect users to still be able to switch routers (but I haven't tested, since I'm not a client anymore).

Then there's Free, who provides a single device that connects to the fiber, does routing, wifi, etc. In this case, it's possible to flip a switch in its settings for it to act as a bridge (don't know how wifi behaves in this case, if it stays on). It then only accepts a single downstream client, which gets the external IP. SFR had a similar setup for DOCSIS.

I'm not familiar with how Orange, the biggest operator, functions. But I understand they have a general tendency to be a PITA so YMMV with them.

---

[0] For Bouygues, this device only talked on a tagged VLAN100 for some reason. On the SFR, the network expected you to send a client id in the DHCP request.


The term you're looking for is "demarc" or: https://en.wikipedia.org/wiki/Demarcation_point

This is the physical boundary of a network, in telecommunications. This is the junction where the service provider can point and say "that's our equipment on this side". So it helps to narrow down the troubleshooting.

Often, if you have a telephone landline, you will see your demarc take the form of a gray RJ11 box with a small self-plug in it. It would be common practice to plug a phone into that box directly, then you've eliminated the "inside wiring" in the house.


The 8311 Discord is a great source of technical info and help on using your own PON equipment of various sorts with providers.

I've seen things about this, but I'm not convinced there's enough value in going to great lengths to replace that particular piece of equipment.

In the case where the terminating equipment is a small box that exposes ethernet, with no routing or otherwise interfering with the function of my own router, I think it's good enough. An argument could be made for the all-in-one devices, like saving some power.

I get the geek factor, and it's one of the reasons why I run my own router, but for this specific bit, which needs to be fairly well integrated with the ISP's network, combined with their usual abysmal support, I think it's a better bet to just leave it alone.


For me the issue would be that they mandate the user traffic to be vlan tagged but their modem only exports 1000BASE-T so it's physically impossible for me to get the full gigabit of Internet they sold me.

They most probably sold you 'up to 1 Gb' bandwidth, not just '1 Gb'. Overhead is about the same in these cases. Your losses are negligible. It's more painful having 4-5 (on worst time periods/peers) or 6-7 (on best) of the 'up to 10 Gb' (clearly sold as such) fiber access I have.

Legally they are physically unable to provide the gigabit they claim I could get. That's the problem here.

Sure, due to the shared medium nature they do not promise to always have even particularly close to a full gigabit available for me, but that's documented according to the 3 residential internet SLA thresholds the BNetzA (Germany's FCC; except they also regulate power and gas grid) defines and that a provider has to cough up numbers in an info sheet at the time of sale.

The issue is that if they are physically incapable of delivering the up-to they sell and it's not due to the unpredictable nature of e.g. radio reception strength or POTS wiring quality (ADSL), this very quickly very strongly reeks of fraud. Even just a little bit is fraud, just as systematically under-delivering e.g. gasoline would be. Think if you bought that in cans and they say they're e.g. 5 gallon (or 20 liter) each, and at nominal temperature, none of the cans you can actually find for sale end up having the full quantity, always being at least an ounce (~30ml) short.


> I'm not familiar with how Orange, the biggest operator, functions. But I understand they have a general tendency to be a PITA so YMMV with them.

I can only attest to how they work here in Spain: they're not the best in terms of the 'openness' of their hardware (in Spanish, feel free to use a translator): https://bandaancha.eu/articulos/router-pone-orange-jazztel-s...


Can confirm you can still replace the ISP provided router from SFR with your own, even if you're on IPv4 CGNAT in France. You do still need to configure the DHCP client ID.

My connection has been very reliable since ditching the SFR box. My own router plugs into the separate ONT.

SFR also offers good IPv6 support.


You’d need to be able to replicate whatever configuration the ISP provided device has, and they won’t give you that.

FTTH here in Australia is the same, you're stuck using the network provider's device, which just provides an Ethernet port, and a POTS port if you're into that sort of thing, with your LAN device connected behind it.

There was fierce lobbying back in the day (shout out to Simon Hackett / Internode) for our national broadband network to be simple dark fibre and that ISPs could build on top of that to provide innovation and differentiation.

Instead what we got was a bunch of ISPs that resell the National Broadband Network’s expensive wholesale plans with little in the way of either differentiation or innovation.

Edit to add: what the sibling comments said too.


FWIW, the incumbent ISP in Switzerland, Swisscom, tried to roll out XGS-PON but our "Internode", Init7, fought them in court on the grounds that it was anticompetitive, since it locks every provider into a single technology. They won.

Now customers can choose. Nearly every ISP chooses the easy way and has the customer connect through Swisscom's XGS-PON but Init7 in particular has instead built out their own routers in POPs around Switzerland so that customers can have a physical fibre directly to their network. It's just plain ethernet with DHCP so you can use whatever equipment you want. It's also allowed Init7 to do something none of the other providers can do: offer 25Gbps symmetric service at no extra cost (beyond a one-off installation cost for the more expensive SFP modules).


Thanks. I have an ISP provided media converter with my own router behind that, using the correct VLAN was enough to get it working. I thought those media converters were pretty dumb devices but it seems they are not.

They are not dumb but are very standardized. Unless they are issuing and verifying device certs you can almost certainly use your own PON equipment with very little effort.

If they are using certs you'd have to extract it. The vast majority of ISPs don't bother or care.


They most likely use GPON so the optic is going to see return traffic for your neighbors. So they make it hard (but not impossible) to bring your own optic or media converter.

AFAIK GPON uses encryption, so you actually get the traffic intended for all your neighbors but can't do anything with it. If you bring your own converter, you wouldn't be able to handle your own traffic either.

Usually yes, but it depends: https://pierrekim.github.io/blog/2016-11-01-gpon-ftth-networ...

Also the authentication might rely on weak secrets. I know my ISP provided FTTH router has a six letter password and a guessable username (derived from my last name), and I can't change either.

Though the research is quite old now. Couldn't find anything recent specifically for DT.


You can bring your own modem. You just have to register it.

But how? There is no information about it, which means it can't be done without some form of reverse engineering.

At least for Germany, you can buy the Digitalisierungsbox Glasfasermodem or any other modem. You just have to register it with the DTAG via their hotline.

This is new to me, I didn't know it was possible now.

If I recall, for something like GPON or XGS-PON, you end up having to clone the various attributes of the original for it to work properly. This typically includes serial number, hardware id, firmware identifiers, etc.

For most it is just serial number. The 8311 folks have scripts that will fully automate the cloning for most common devices. This is not like a "break open your hardware and attach wires" type thing.

There are some ISPs issuing and verifying certs for GPON, which are more annoying to extract. I'm not aware of anyone (even those same ISPs) doing it for XGS-PON. It seems they all decided maintaining their own CA infrastructure for millions of customers was not worth it ;)


Question out of curiosity. I once swapped a TPLink media converter between two homes, both using the same ISP, to debug internet issues and to see if that would improve the situation. Did I do something incredibly illegal? And did my ISP get confused seeing my media converter on the other side of town?

When I was a kid I used to pack my house's cable modem in a backpack and bring it to my friend's house a couple miles away when I'd visit to play Xbox Live. My dad had a back-up dial-up connection for emails and mom didn't use the internet very much so usually wouldn't mind unless he needed to work. I remember this working at greater distances in other places occasionally too.

Earlier, in the dial-up era, my dad didn't feel like paying for internet at home and work, so after school I would call his office and ask his secretary if he had left for his evening meetings yet. If so, she'd disconnect his dial-up connection and I'd get a couple hours to myself after school.

We didn't have two phone lines at home so I'm not sure what happened if he needed it unexpectedly. I think he also had a by-the-minute service as a backup or maybe his partner in the office had a separate plan? This was all done under agreed rules I only vaguely remember so must not have been a frequent problem.

Always funny to think back to that era when internet wasn't assumed to be a 24/7 thing and losing internet for a day wasn't the end of the world...


Illegal? No, at least not in any sane jurisdiction. It's no different than moving a SIM card between phones.

Confused? Maybe but probably not. It depends on how they track things. An ISP I had in the past tagged subscriber accounts on the OLT side.


This wouldn't be criminally illegal anywhere unless done with some sort of fraudulent intent, but maybe in some places the ISP could make you swap them back.

Yes, with the right kind of PON SFP stick this is possible.

Most kinds of PON sticks are still in the $150-300 range though for XGS-PON

(I use an XGS-PON stick with AT&T instead of their modem)


> I use PiHole in my own network, circumnavigating the DNS limitations, using Quad9 as my main DNS provider, but Unbound is on my to-do list.

Why is PiHole necessary to dodge DNS limitations: can't you just put Quad9 as the DNS in your router/FritzBox?

Now I switched from PiHole to running unbound on a... Pi! I did that years ago: do it, you won't be disappointed.

I don't have the shiny PiHole UI anymore but I don't care: unbound supports wildcards to blacklist domains and that's what I care the most about.

So a Pi with unbound then dnsmasq on my Linux desktop: this makes for very speedy lookups (as most queries are hitting the cache).


For PONs you can get a programmable SFP+ and clone the manuif, devid, and password into it.

>The most concerning limitation in the German market is the unavailability of native Glass Fiber modems,

This is not true everywhere. You can totally use your own ONT or fiber modem with DTAG.


Sorry to say but how you are framing things is simply not true anymore.

You are not required to buy their "Glasfaser Modem 2" you can buy any ONT Modem.

You are not required to use any of their equipment, they give you the data to connect via PPPOE directly.

I bought a house with FTTH in 2023 and never used any Telekom hardware. Nobody forces you to use the peer DNS. The Telekom DNS isn't complying with https://cuii.info/anordnungen/ because they want to, but to avoid being sued every time some company wants to block an illegal streaming site.


> Nobody forces you to use the peer DNS.

For practical purposes there's the problem (at least a few years ago?) though that Akamai in particular uses DNS to steer you to the correct portion of its CDN and the default IPs returned by independent DNS resolvers tended to have relatively abysmal peering with the Telekom network that was getting completely overloaded at peak times.

Unfortunately "use <insert favourite DNS provider here> everywhere except for Akamai CDN, for which use the Telekom DNS" isn't something that consumer routers support, so you'd have to start running your own custom DNS resolver to work around that problem…
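A resolver configuration that does both things discussed in this sub-thread: the wildcard domain blocking from the unbound-on-a-Pi comment above, and the per-zone forwarding ("everything via my own resolver, except Akamai via the Telekom DNS") that this comment says consumer routers can't do. This is an added example, not any commenter's actual setup; the Telekom resolver address (shown as the placeholder 192.0.2.53), the LAN range, the file paths and the list of Akamai zones are assumptions, and the blocked names are constructed samples.

```conf
# unbound.conf (added example; paths, LAN range and the Telekom resolver
# address are assumptions, and the blocked names are constructed samples)
server:
    interface: 0.0.0.0
    port: 53
    # Only answer the LAN: an unrestricted recursive resolver is an open
    # resolver that can be abused for amplification.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow     # assumed LAN range
    access-control: 0.0.0.0/0 refuse

    # Recurse directly for everything not forwarded below, so no single
    # public resolver sees the whole query log. Paths are assumptions.
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # enables DNSSEC validation
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    hide-identity: yes
    hide-version: yes
    prefetch: yes

    # Wildcard blocking: always_nxdomain covers the zone and every name below it,
    # which is what the "unbound supports wildcards" comment refers to.
    local-zone: "ads.example." always_nxdomain
    local-zone: "tracker.example." always_nxdomain
    # A carve-out below a blocked zone: the more specific local-zone wins.
    local-zone: "cdn.tracker.example." transparent

# Akamai steers clients by the resolver that asks, so send only its zones to
# the ISP resolver and keep its peering-aware answers. Zone list is assumed.
forward-zone:
    name: "akamaiedge.net."
    forward-addr: 192.0.2.53     # placeholder for the Telekom resolver
forward-zone:
    name: "akamai.net."
    forward-addr: 192.0.2.53
forward-zone:
    name: "edgekey.net."
    forward-addr: 192.0.2.53
forward-zone:
    name: "edgesuite.net."
    forward-addr: 192.0.2.53
forward-zone:
    name: "akamaihd.net."
    forward-addr: 192.0.2.53
```

Check the file with `unbound-checkconf` before reloading. Because unbound follows a site's CNAME chain itself, a name that ends up in one of the listed Akamai zones has its final lookup sent through the matching forward-zone, while every other query is resolved from the root.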


Don't you have the small black glass fiber box that takes as input the fiber glass cable and outputs a rj45 port?

You might be able to switch to a different ISP, e.g. 1&1. They rent the line from Telekom but you still get their peering.

As a fellow OpenWRT user who tried many DNS solutions including unbound, also consider NextDNS. They are pretty awesome.

Honestly, in all my life I've never seen the Pi being sold in the EU for €35. The minimum price I've found has always been around 45/50, with the Pi 5 never under 75, because of scalpers.

This reminds me of the Pi Digits benchmark, used back then, when Pentium III/IV were sold, to sell how CPUs had improved.

I use Terraform with the Kubernetes Provider, which is also actively developed by HashiCorp itself.

Templating / injection of values has been much better, skipping the Helm templating madness and relying on a set of tools that allow performing linting, security scans, generation of docs and unit tests, and establishing clear dependencies within Terraform, thanks to the graph model.

Helm Charts are a nice idea, but mistakes can happen really easily.


This is the way. Remove Helm and Argo from your IaC entirely and manage as much as possible via Terraform with the hashicorp/kubernetes provider. It's simpler (fewer tools), and you also get:

- Clarity re: destruction of obsoleted/destroyed resources (rather than kubectl's "won't do it", Helm's "it depends on ten settings", and Argo's "I'll try my best but YMMV").

- Control over apply ordering if the k8s/tf default doesn't do it for you.

- Resource control as granular (or not, if you just want to write big multi-resource "kubernetes_manifest" blocks) as you want. You can move around, case-by-case, on the spectrum between "templated raw YAML copied from somewhere else" and "individual resources with (somewhat) strong typing/schema-awareness in code". As a bonus, if you do it fully granularly, there's no indirection via YAML happening at all, just per-resource Kubernetes API calls.

- A coherent story for moving ownership/grouping of k8s resources between different logical groups of stuff via terraform import/moved blocks.

- Vastly more accurate proposed-changes diff than Argo, Helm, or even Kubernetes itself can provide: Terraform's core execution model is plan-as-canonical-changelist, while k8s/helm/argo added noop/proposed diffs as ancillary features of variable quality.

- The ability to mix in management of non-k8s resources (AWS/GCP/Azure/etc. stuff that k8s resources talk to), which is often simpler than deploying complex Kubernetes controllers that manage those same external resources. Controllers are great if you need lots of complex or self-serve management of external resources, but if you are only ever managing e.g. load balancers in one way in a few places, a big controller might be overkill versus doing it by hand.

The only big drawback of this approach is with CRDs. There's no way to have Terraform that deploys CRDs in the same plan as Terraform that refers to resources of those CRDs' types--not even if you conditionally "count = 0" deactivate management of the CRD resources based on variables or whatnot. To cope with this, you either have to get very good at targeted plan/applies (yuck), or plan/apply multiple Terraform modules in order (which is simple and a good practice, but results in more code and can be unwieldy at first).

All the other drawbacks I've heard to doing it this way are pretty silly, and boil down to:

1. "but everyone uses Argo/Helm!" Okay, lots of people smoke cigarettes too--and if you're deploying charts complex enough that you're having to get into the weeds with 'em, you've already gotten enough familiarity to easily port them into kubernetes-provider HCL anyway.

2. "I don't like Terraform/HCL". You do you, I guess, but 90% of the reasons people hate it boil down to either "you're using Terraform like it's 2016 and a lot of massive improvements were released circa 2018-2020", or "the Terraform model forces you to be rigorous and explicit rather than approximate and terse, and you're mad about it".

Relatedly, I was not impressed with the hashicorp/helm provider and routinely push for folks to go back to the regular Kubernetes provider instead. Architecturally the Helm provider is bad (let's indirect the already-too-complex templating constructs through another templating language! What could go wrong?), and its implementation is also not great--getting diagnostics/log output is harder than it should be, whether old resources are destroyed/replaced/updated-in-place is left up to Helm itself in complex ways that break with the usual Terraform assumptions, and getting meaningful diffs is tricky (the "manifest" provider experiment exists but is experimental for a reason and causes terraform crashes--not just erroneous diff output--often).


And you can have policy as code, which is a big bonus.

+1 for multi-module apply, for CRDs and infrastructure components that must be there before they can be used from other resources.


In Berlin it was visible around 22-23 o'clock.

Can confirm, I've seen pink/green glow over Berlin Sky (and pictures as well)

This is huge. jQuery is still my way to go for any website requiring some custom interaction that isn't available in vanilla js.

What isn't available in vanilla js?

I think it's probably a matter of things being easier: show()/hide() or simple animations versus futzing with style properties and CSS animations.

Diversification is the keyword

https://micjele.adduci.org - my personal site and blog

You've either got a typo in there or DNS issues.

Oh a typo from autocorrection

http://michele.adduci.org


Fries
