Thank you very much for this detailed and enlightening answer. However, this did not alleviate my confusion about the table or xDSL technology in general.
I know some funtionality will reguire non-free code. I do not plan to use the modem for telephone communication. Thus, I will not need FXS (DECT) blobs. Also TP link devices I listed have atheros wlan hardware running ath9k drivers (I do not think I will need to utilize that additional lantiq wave wireless hardware in TPlink 8980 for example) and u-boot bootloader. So there is no problem in wlan hardware and bootloder too.
I do not really care about speed much. So I think I can wait for VDSL for now. I only care about having completely Foss firmware and a decent internet connection.
I specifically asked for cases 1 and 2 because this is where my problem lies. If I reiterate my problem as a question, it will be the following:
Can I buy lantiq xDSL modem and use it in ADSL2+ Mode with fully open source firmware without using its VDSL capability (because VDSL requires non free blobs and ADSL does not according to that table) ?
Or unfortunately, if the device has xDSL modem, one can not use ADSL or VDSL seperately because the xDSL technology requires one unified closed source binary for all DSL communications. Is this the case ?
You will always need a proprietary firmware blob for using the modem, regardless of ADSL or VDSL (yes, that are basically two blobs in one file, of which the matching one gets used - but it always needs a non-free firmware), the only way to avoid this is not using the modem functionality at all.
The page you're quoting from hasn't been touched (aside from general wiki maintenance) since 2013, at which point there was no VDSL support for OpenWrt. It only covers the kernel-/ userspace situation and ignored the (always necessary) firmware blob for the modem.
The plan of buying xDSL modem, using it in ADSL mode (stripped off firmware) and waiting for VDSL support, is out of the window then. At least because I expect FULLY open source firmware.
I may be bothering you with my stupid questions because I am not fully knowledgable nor experienced about FOSS compatibility of these lantiq soc families ( i.e. VRX200 “VR9”, ARX100 “AR9”, DANUBE and so on..) listed in this page https://openwrt.org/docs/techref/hardware/soc/soc.lantiq . However I would like to end all the confusion and doubt I have.
You said I will always need a proprietary firmware blob for using the modem. Does this statement is for the devices which have xDSL modems ?
You know the table of hardware in OpenWRT page lists modem type for supported devices(full details). Some devices are listed as having xDSL modem, some are listed as having ADSL(with annexes and +2 for some) and some are listed as having VDSL (VDSL and VDSL2 for some).
. From this discretisation, I understand (or assume) some devices can speak ADSL only (due to hardware), some can speak VDSL only, some can speak both (xDSL ones).
With that in mind,
if say I buy a lantiq device which is listed as having ADSL modem in the table of hardware. For example the Netgear DGN3500. It has uboot bootloader, lantiq ARX168 cpu, atheros wlan which runs ath9k and most importantly ADSL2+ modem (therefore neither xDSL nor VDSL).
Can I now have fully open source firmware for the modem part (for Netgear DGN3500) ?
Thank you for this post, it is very instructive. I just wanted to let people here know there was a similar discussion happening on the Turris forums here:
The goal there was to find any modem that would work in OpenWRT (or any Linux kernel really), but it should reach similar conclusions.
ADSL needs a non-free firmware blob.
VDSL needs a non-free firmware blob.
There is no ADSL and/ or VDSL modem on the market (nor has there ever been) that doesn't need any non-free component to function, for lantiq you do at least have completely FOSS kernel- and userspace drivers - for broadcom or mediatek there are only non-free drivers and non-free firmwares (which lock you into ancient kernels and are non-redistributable/ unavailable as well).
Don't let perfection be the enemy of the (pretty) good. With lantiq devices you do at least free drivers and aren't locked to a specific, ancient kernel. Unless you're caught by RMS' reality distortion field -and claim that a firmware blob you don't see/ can't upgrade somehow wouldn't be a problem, while the very same hardware without the identical firmware in persistent/ hidden away flash, but uploaded as-is by the host kernel into the hardware, somehow would be a major problem- this gets you very far (and many lantiq devices are cheap, not very fast, but cheap and as free as it gets, in terms of ADSL/ VDSL modem capability). Would it really be preferable to buy a completely proprietary device, running a GPL violating ancient kernel (often 2.6.x based) without source, which loads proprietary firmware blobs into the modem ASIC hardware and comes with a completely locked down/ proprietary userspace - instead of an OpenWrt compatible device running kernel 4.14 (and 4.19 is already under development) with full source for kernel- and userspace available?!
Do they qualify for the FSF endorsement criterias? No, but you do get full source for kernel- and userspace under FOSS licensing terms.
@anarcat those VDSL modems in SFP+ form factor also run a proprietary firmware, with the only difference that you can't upgrade the firmware yourself (which would make them o.k. in RMS' view…), but need to send them to the vendor for upgrading (as many of the early turris omnia adopters of that hardware had to find out, when interoperability with ISP vectoring didn't quite work). Aside from that, they're quite power hungry (borderline too much for normal SFP+ ports) and run very hot (due to their tiny size), both of which creates quite some problems.
I fixed the wiki page, as it was not very clear in what is FOSS and what is not. That table was about support in OpenWrt (and Linux in general), through open source drivers. The modem hardware itself still needs a firmware to operate, which is not FOSS and will probably never be.
No modem hardware (the actual component talking with DSL infrastructure) is FOSS, be it DSL or fiber or 3G/LTE. I think it's pretty much impossible to get actual low-level network hardware certified if you are using an opensource firmware.
Technically speaking you would have a hard time getting any modern wifi card (wifi ac for example) to run without a firmware blob too, but it's tangential.
Anyway, the best thing you can do is to get a commercial (non-FOSS, off-the-shelf) modem that can be configured to run in full bridge mode, https://openwrt.org/docs/guide-user/network/wan/bridge-mode and buy a modem-less router device that can be truly FOSS.
This way you are isolating the proprietary infrastructure upstream to your actual router and reducing the modem's job to just dumb modem (i.e. just converting to/from DSL to ethernet), no firewall, no vpn, no dhcp no access to your actual LAN network.
The same goes for cable/ DOCSIS (which even needs a public key certificate infrastructure to authenticate the device's firmware integrity to the infrastructure).
The main difference here (and the reason why I recommended an external modem) is that all-in-one devices share the same RAM between the CPU and the modem and the wifi and anything else, (i.e. the modem has DMA, direct memory access) and afaik there is no true hardware-level sandboxing like with IOMMU or VT-d on AMD/Intel hardware (there is something also for ARM but I don't know if it is even built in SoCs for routers) that makes sure that even if they share the RAM they can't just go and do stuff everywhere if they feel like it.
This means that if the integrated modem is compromised by exploiting some decade-old well-known bug that you can't fix since it's not opensource, it can freely wreak havoc on your router.
A separate modem in bridge mode can't do much more than just screwing with raw upstream network traffic before it reaches your router's firewall, as gigabit ethernet does not allow DMA. That's a very big difference in attack surface right there.
That's the path of network traffic coming from the WAN (or going to the WAN), that has to go through another controller.
But look at the large light grey rectangle encompassing all components, and the double arrow in the middle called "system bus". That's the SoC interconnect bus that joins all controllers (and the CPU) so they can communicate with each other and with the RAM to use as work area for their tasks (and to share data with each other). The "DSL engine" is still inside the rectangle, so it still has access to everything else.
At least in theory anyway, they might or might not have placed limits on what and how it can access things.
But if we look at smartphones or any other device with a 3G/LTE modem, then we clearly see none did make any such separation, and a 3G/LTE modem is a much more complex thing than a DSL modem, to the point of running a real-time proprietary OS like VxWorks. (so if they actually cared about making something safer they would have likely done some sandboxing)
That was my original plan. However, I wanted to make sure I buy a modem or modem+router device which have either completely open source firmware NOW or at least have the possibility in near future. But from what you shared in this topic, I regret I will not have this possibility in near future (never maybe). Nevertheless, I still want to invest to a modem which is supported by OpenWRT (truly FOSS userspace+kernel, but no foss DSL firmware). I am assuming lantiq "VR9" devices will be the correct choice because:
Also, I believe lantiq VR9 devices do have the highest chance (among others) of becoming truly FOSS firmware after the open DSL firmware comes out (if ever). Since the rest of the firmware is already open i.e.
uboot bootloader
ath9k wlan
and completely open source kernel+userspace with OpenWRT
(I assume I will never need telephone firmware FXS,DECT in a modem)
Am I correct on that belief ?
I have read the page you shared about the bridge mode https://openwrt.org/docs/guide-user/network/wan/bridge-mode . And now that is my only concern. I know you can not know for every device but do you have any idea for the devices I have listed in the first topic ? Meaning, do they have Full Bridge mode ?
Also if the device I buy happen to have no full bridge mode (the case of half bridge mode or no bridge mode at all), does installing OpenWRT can make the device go into full bridge mode ?
Bridging is done by the Linux firmware on the main CPU of the device, as long as the modem works at all you can do the bridging.
But of course the manufacturers may or may not have implemented it in their stock firmware.
You should always be able to do it in OpenWrt on "Lantiq" devices, but you may need to edit some text file configuration manually through ssh. I never did it so I can't say "it works for me", but there is some info in the device page of a popular modem-like device https://openwrt.org/toh/netgear/dm200
And this is a thread where people were doing it and posting their configs and they say it works for them, so you can see and decide for yourself. LEDE device as ADSL bridged modem
A word of advice, since you want your device to last, please make sure it has AT LEAST 8MB of flash and 64MB of RAM. Devices that have less than that are becoming too constrained for newer OpenWrt firmware. https://openwrt.org/supported_devices/432_warning
While its specs are ok the bootloader as-is will not boot a kernel bigger than 2MB, so if you buy it and you plan to eventually update the firmware to the next OpenWrt version you will need to connect the serial console and change the uboot configuration to correct this, as said in the device page that I just updated.
Thank you for valuable advice and warning. I read the mailing list. This is an important problem and made me hesitate to buy the DM200 due to possible support problems in future (one guy has proposed to drop the support in the mailling-list). Aside from the kernel size problem, I understand that people who choose DM200 are those who do not want a radio interface in their modem device. I believe they think radio make the device less secure.
Can I not simply make modem+wifi-router device not use any radio peripheral when in full bridge mode by configuring the OpenWRT in them ? Does it really make my network more secure if I choose a modem-only device (for ex. DM200 (no wifi hardware)) for full bridging ?
One guy recently asked in this forum for VDSL modem+wifi-router and got adviced by @slh to buy BT HomeHub 5.0 Type A as the best device to buy for OpenWRT in there:
I was leaning towards these:
TP-link wd8970
TP-link wd8980
TP-link wd9980
but seeing @slh recommending BT HomeHub 5.0 Type A as the best device made me think again. What arguments would you tell me for choosing BT HomeHub5.0 over TP-link devices ?
For example:
BT HomeHub seem to have more flash and ram
TP-link being a Chinese company (like Huawei devices are known to be doing surveillance through backdoors in firmware and hardware for chinese government) ???
(As an antithesis: Installing OpenWRT may nullify the surveillance technique (if there is any) like libreboot nullifies intel management engine in some thinkpad computers.)
Looks
....
I know I am now overkilling it, but you may be aware of issues I am obviously not aware of
The reason for recommending the BT Home Hub 5 Type A in that thread is mostly down to the wlan cards in there (which was listed as part of the desired feature set). Lantiq and good dual-band/ dual-radio wlan cards are a rare combination among the supported devices (most others use cheaper wlan cards, less stable driver support, often single band, no 802.11ac, ...); flash and RAM sizes also make this a good option - and this is a good device(!).
If you don't intend to (ever) use wlan, wlan quality doesn't matter (although having the option never hurts, as requirements may change over time, especially as the price delta compared to other devcies is low - the only part that 'hurts' relative to the median price of other options are the shipping costs from the UK…) - and a wlan that's unconfigured (= switched off) isn't a security problem.
Using a lantiq device with OpenWrt as pure modem in bridge mode should be possible with any supported device (some with complex switch configurations, e.g. Easybox 904 xDSL (not recommended, unless you know what you're doing), might make this a little harder though).
The wifi interface is disabled by default so unless you specifically configure it and enable it, it's not doing anything.
You can even delete the wifi driver package if you want to be sure that it never comes up, no problem.
The only thing is that if you plan to use it only as a modem then there is no point in buying a bigger, more expensive device you will never really use to its true potential.
But still, decent devices with a supported modem in OpenWrt aren't particularly common so you don't have much choices.
For your main usecase (bridged modem) the only thing that really matters is the brand of the actual modem hardware itself and the basic hardware specs I mentioned above that won't obsolete the device within a few OpenWrt releases.
Different modem brands have different performance and strenghts/weaknesses, which may be useful or not depending on your DSL line's characteristics, but if you want to run OpenWrt in the device you can only chose one brand (XWAY/Lantiq), so that's a choice you don't need to make.
Embedded devices have no BIOS/UEFI you can replace with Libreboot. Linux runs raw on them, either the stock firmware or OpenWrt.
Any backdoor or vulnerability present in stock firmware will not affect the device if you install OpenWrt, as the stock firmware is erased and replaced whole with OpenWrt. The only thing that is left is the modem firmware.
OpenVPN performance of BT Home Hub Type A is 9 Mbps according to this table of hardware which I find very slow.
Will VPN performance increase if I configure BTHH5 to run in full bridge mode (dumb modem) and run the OpenVPN in a more powerful router such as WNDR3800 or even R7800 ?
Will BTHH5 remain as a bottleneck in this configuration ?
Also, as of May 2020,
Is ath10k driver fully open source ?
Is DSL modem of Netgear D7800 supported ? (If not, Is there any chance in near future ?)
The VPN performance will increase if you run it not on BTHH5, but on some other device behind it. However, I would suggest that you try some other VPN type (e.g. Wireguard or, if you are more conservative, StrongSwan IPSEC) first and maybe thay would save you from the need to buy a new router.
The ath10k driver itself is open-source, but it needs to copy "firmware" to the card's memory at startup. The firmware is closed-source.
The DSL modem of Netgear D7800 is not supported yet, and nobody is working on it.
As of May 20, which of the following wlan hardware (wifi chipset) have open-source "firmware" or does NOT require non-free firmware to function ?
Qualcomm Atheros QCA9880 (Home Hub 5 Type A)
Qualcomm Atheros QCA9980 (Netgear D7800)
Qualcomm Atheros QCA9984 (Netgear R7800)
Lantiq XWAY WAVE300 (td-w9980, td-w8980)
Atheros AR9223 (Netgear WNDR3800)
Atheros AR9381 (td-w8970)
May be some of them contain firmware on the device (wlan hardware) at all times, some require non-free firmware which will be handed by a free driver, some require free "firmware" which will be handed by a free driver (like AR9223 maybe - not sure).
Can you suggest a list which contains these kind of data, like a list of completely free wifi chipsets (FOSS driver+FOSS firmware) ? Is there any ?
The only fully FOSS WiFi drivers which also do not need non-free firmware loaded on the card are ath9k (no firmware needed at all, except what's already in the ROM of the device) and ath9k-htc (free firmware available). AR9223 is handled by the ath9k driver. See https://wireless.wiki.kernel.org/en/users/Drivers/ath9k for the list of other chipsets supported by this driver.
in the mailling-list). Aside from the kernel size problem, I understand that people who choose DM200 are those who do not want a radio interface in their modem device. I believe they think radio make the device less secure.
