Now I've moved and I have fiber, which is great, except it seems I have to rely entirely on the fiber equivalent of a "modem," which I believe is the "ONT."
My question is: why? Why was/is there a fairly well-developed market for modems where consumers can choose their own hardware, whereas for fiber there is almost no market for ONTs? Is it for a technical reason? Or do ISPs want to be able to get cheaply manufactured ONTs and pass along "rental fees" to consumers?
In some countries (Germany) it's super easy, because there are laws forcing the ISPs to allow customer provided equipment, while in other countries you need to do some hackery with spoofing serial numbers and such of the original modem. People even make utilities to scrape that information via the administrative interface, and make the process semi-automated: https://github.com/StephanGR/GO-BOX
The biggest problem for me about the ISP routers is their sheer size; they probably make them big so that they seem "powerful" to the average person and he chooses that ISP believing that their router provides superior Wi-Fi. New apartments built here (in Poland) even have nice boxes with the incoming fiber and an electrical socket where you are supposed to hide your router, but the shoebox-sized devices don't fit there and you have to put them on the floor, or somewhere else. I myself have bought an SFP+ GPON (LEOX LXT-010S-H) transceiver, which is the smallest form factor you can get. It goes inside my Banana Pi R3 router, together with an LTE modem for backup connectivity. And this setup is still smaller than the box provided by my ISP, which only served as a bridge between GPON and my router.
They already have your name, address, and payment info.
If you are concerned about them seeing your traffic, well, they are going to see that regardless of whether you use their modem or your own. They own the public IP you get assigned; all traffic is going through their route tables and equipment and is logged before it hits your home router.
Use DNS over HTTPS (not the ISP's DNS), or a VPN if you want to hide your activity from them.
Your own modem gains you little in privacy. At worst they could be tracking a count of your devices and their MAC addresses, but they probably don't care to collect that.
Really your best bet is to ask your ISP if they can bridge a port on the ONT so you can use your own router after that without double NAT. In this scenario the ONT will be functioning mainly as a media converter.
Your security barrier is the firewall in the router, plus whatever encryption you apply to comms outside it. As long as you get that right your ISP can't see what you are doing apart from the to/from addresses on your packets (which can't be hidden, obviously).
ISPs generally push their own managed router/firewall at you because that way when something isn't working you don't wind up with arguments about whose fault it is, and the ISP can troubleshoot your router. But in my experience they have no problem with you unplugging their device and plugging your own in instead.
I haven't seen an ISP which does the ONT and the router in a single box. It's theoretically possible, but would be a bad idea for several reasons. One is security, as you say. Another is that the fibre can't be extended with more wire, unlike a copper phone line. So the ONT tends to be a small wall-mounted box with an Ethernet jack in it. That way your Wi-Fi access point isn't stuck low down next to your front door or something.
With fiber, there is TCP/IP traffic within your house and TCP/IP traffic to your ISP. There is no translation to do, so no translator device (modem) is needed. The only thing needed is a physical layer conversion, from 0s and 1s as voltage over copper, to (exactly same) 0s and 1s as light over fiber. This conversion (not "translation") could be done by a stand-alone ONT (a rather uncomplicated, or could I say "trivial" device), but there are several router boxes that have fiber connections — either built-in (on board) or as plug-in modules.
Different ISPs have different offerings, but as you might imagine not many people want to manage their own router. My ISP has provided me with a free ONT which goes into my router, to which I connect my WiFi access points, all of which I manage myself.
I'll start off by saying I'm not a fan of being forced to use their gateway. It's essentially just superfluous equipment in my network closet and another point of failure in the chain. I'd rather just be able to reliably patch directly in, but such is life.
That said, there's no loss of privacy with the gateway in bridge mode and me patching directly in. In the end they see whatever I expose on my router and they see all my packets. There's no functional difference privacy-wise here, unless they've got microphones or something on the gateway. Maybe they're sniffing wifi, but so can a car driving by.
FWIW, AT&T does this because AT&T does what AT&T does. They were doing it back in the day with their DSL service as well. There are a few more compatibility challenges when it comes to PONs versus DOCSIS modems, but theoretically one could buy an ONT and have it participate on the network. The actual ONT is just a media converter though, and without AT&T's gateway to auth you properly you're not going to be able to send any traffic.
As mentioned elsewhere though, I've been using AT&T's service for a long time. I've never had a modem rental line item in my bill.
It's up to the discretion of the installer. I think being able to speak in technical terms and provide a decent argument convinced the installer. I got a feeling that they don't generally do it because for most people, the Orange FunBox is a good enough solution.
The ONT should be considered part of the ISP's network and not tampered with or replaced. Fibre with an ONT (PON) is a shared medium with other customers, and trying to use your own equipment has the possibility of degrading service for other customers.
The modem the ISP provides has hard coded settings to limit connection counts as well as rate limit and probably other things. There is a reason they sell full duplex gigabit for so cheap, there are gremlins in the hardware.
Here in Aus the (horrifying, terrible) national broadband network uses the ONT as an NTU from which it can split the service out to IIRC 4 Ethernet hand-offs and 2 RJ11 VoIP services. And because of this most private fibre providers do much the same. (Although NBN does it in part because their authentication method involves inserting DHCP option 82 into DISCOVER and REQUEST messages.) In fact, I am aware of one that has moved to a single-port ONT but still provides the customer another router beyond the ONT and keeps the ONT for NTU purposes.
NTUs are good actually; having a device to troubleshoot from inside or very near to the customer's premises can keep support costs extremely low. If you have something that can also perform an Ethernet cable test, so much the better.
That said, there's another possibility. I have seen quite a few ONTs and man, the majority of them in the usual price range of a residential ISP SUCK. The interface sucks, the hardware sucks, the software sucks and some of them have a lifespan comparable to a fruit fly. I wouldn't want my customer getting too familiar with devices that look like garbage and can fall over at the drop of a hat. So we just hold on to the password of those and let the customer do whatever they want past the demarc.
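The comment above mentions an ISP authenticating subscribers by having the NTU insert DHCP option 82 (Relay Agent Information, RFC 3046) into the client's DISCOVER and REQUEST messages. The following added example is not from the thread or any ISP's code: it builds a minimal DHCP DISCOVER as a customer router would send it, models the NTU appending option 82 (sub-option 1 = Agent Circuit ID, sub-option 2 = Agent Remote ID), and decodes the result so you can see exactly what the network element, rather than the customer, is vouching for. The circuit and remote ID strings are constructed placeholders, and the "refuse to forward if option 82 is already present" rule follows the RFC 3046 guidance that relay agents should not trust a client-supplied option 82.

```python
import struct

# DHCP constants (RFC 2131 / RFC 2132 / RFC 3046)
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD = 0
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1   # which physical port/PON the request came in on
SUBOPT_REMOTE_ID = 2    # identity of the inserting element (e.g. NTU serial)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def build_dhcp_packet(msg_type, client_mac, xid=0x12345678):
    """Build a minimal BOOTP/DHCP client packet (constructed test data, not a capture)."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0,
    # flags=0x8000 (broadcast), ciaddr/yiaddr/siaddr/giaddr = 0, chaddr, sname, file
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])
    return header + DHCP_MAGIC_COOKIE + options


def parse_tlv(data, top_level):
    """Parse code/length/value triples. PAD and END only have meaning at the top level;
    inside option 82 they are ordinary sub-option codes, so they are not special-cased there."""
    result = {}
    i = 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        result[code] = value
        i += 2 + length
    return result


def serialize_options(opts):
    """Re-encode a top-level option dict, terminated with END."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + bytes([OPT_END])


def parse_dhcp_options(packet):
    """Return the top-level options of a DHCP packet, validating the magic cookie first."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    return parse_tlv(packet[240:], top_level=True)


def insert_relay_agent_info(packet, circuit_id, remote_id):
    """Model the NTU: append option 82 to a client packet before forwarding it upstream.
    A relay agent should not forward a client packet that already carries option 82,
    because the client could otherwise claim to be on a different circuit."""
    opts = parse_dhcp_options(packet)
    if OPT_RELAY_AGENT_INFO in opts:
        raise ValueError("client-supplied option 82 refused")
    suboptions = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    suboptions += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    opts[OPT_RELAY_AGENT_INFO] = suboptions
    return packet[:240] + serialize_options(opts)


def describe_relay_info(packet):
    """Summarise message type and any option 82 identities, as an ISP-side log line would."""
    opts = parse_dhcp_options(packet)
    type_byte = opts.get(OPT_MESSAGE_TYPE, b"\0")[0]
    info = {"message_type": MESSAGE_TYPES.get(type_byte, "UNKNOWN"),
            "circuit_id": None, "remote_id": None}
    if OPT_RELAY_AGENT_INFO in opts:
        sub = parse_tlv(opts[OPT_RELAY_AGENT_INFO], top_level=False)
        info["circuit_id"] = sub.get(SUBOPT_CIRCUIT_ID)
        info["remote_id"] = sub.get(SUBOPT_REMOTE_ID)
    return info


if __name__ == "__main__":
    # Constructed sample: a customer router's DISCOVER, then the same packet after the NTU tags it.
    client_discover = build_dhcp_packet(1, b"\x02\x00\x00\x00\x00\x01")
    print(describe_relay_info(client_discover))
    tagged = insert_relay_agent_info(client_discover, b"ont-1/port-1", b"NTU-SN-EXAMPLE")
    print(describe_relay_info(tagged))
```

The point of the two printed summaries is the asymmetry: the customer's own packet carries no circuit identity at all, and the identity the ISP's DHCP server later keys the lease on is supplied entirely by the ISP-owned NTU. That is why swapping the customer's router makes no difference to this kind of authentication, and why the NTU, not the router, is the demarcation point the provider cares about.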
Surely if the ISP wanted to do something nefarious, they could do it in the next equipment in line that doesn't sit in the customer's house. Anything before the customer's own router is the Internet where nothing should be trusted. Whether the modem belongs to the customer or the ISP doesn't really change that.
I understand that ATT has moved towards combining the ONT and Modem into a single piece of equipment.
Operationally, it also simplifies things having a relatively uniform set of ONTs. With cable modems, there are hundreds (thousands?) of models that have to be evaluated, tested, certified. Cable companies often do their own firmware updates.
It may be wrong information, or it may be completely outdated and irrelevant, but I remember that this was a reason why it was difficult to use your own ONT.
But seeing as the ONT is just a reframing/medium converter, I’m not sure I’d care enough, as long as the one provided by the ISP is reliable and performs well (those old black Alcatel ones were terrible).
You're literally plugging it into their network and they can see everything that goes on the pipe whether they are on the LAN side of it or the Cable side.
There's a stronger privacy argument for using your own WiFi access point though.
Now, the provider trying to bundle a router is another question… but the ONT isn’t something I’d like to buy. And on my invoice, it isn’t even listed as something that I rent.
Is this what getting old looks like?