Good VDSL modem for NBN in .au? Also, LEDE + fail2ban?

My area is scheduled for FTTC NBN (i.e. VDSL2) around March next year, so I need to find a good VDSL modem. I don't trust vendor-supplied firmware in devices like that, so I want to be able to install LEDE on it.

I'm looking at buying something like one of the following (or slightly better/more expensive - I'm willing to spend up to $200-$250 AUD if I have to - that's around $150-$200 USD):

• TP-LINK TD-W9977 ~$80 AUD
• TP-LINK Archer VR200v, VR400, or VR600 ~$140-$165 AUD
• ASUS DSL-AC52U ~$140 AUD
• ASUS DSL-AC56U ~$175 AUD
• Netgear D6220 ~$180 AUD

These all have roughly similar CPU speeds, and range from 64MB RAM to 256MB. WiFi varies from N300 to AC1200, but I don't really care too much about WiFi (my house is wired for ethernet), although I do run hostapd with an AR9271 802.11n USB stick to provide internet access for phones, tablets, laptops etc.

The two most important things to me are VDSL2 support and being able to run an authoritative DNS server. Working WIFI would be nice too. Anything else is just a bonus.

So, my questions are:

1. Which (if any) of the above have working VDSL and wireless in LEDE?
2. Has anyone got direct experience with any of them?
3. Are there any that I should avoid, or that are highly recommended?
4. Is it worth spending the extra for a model with 512MB RAM and/or faster CPU?

I'm currently connected via ADSL2 in bridged mode, with pppoe (and dns, and dhcpd, and squid, and iptables and fail2ban and lots of other stuff) running on my AMD64 gateway/server/workstation box running Debian.

I could just buy the TD-W9977, configure it for bridged modem and not have to change anything else. I'll probably even get slightly better ADSL2 sync speeds from it (my ADSL2 modem is about 10 years old) until the switch to VDSL....but I'd like to move gateway functions like PPPOE, DNS (bind9 or nsd+unbound, preferably as all my domains have bind-style zone files), dhcpd, hostapd, iptables firewall rules, openvpn etc off of my server/workstation box and onto a VDSL+WiFi router running LEDE. I'll install snmpd too, for monitoring, if it's not installed by default.

i.e. all the relatively "lightweight" gateway-related stuff - "heavier" stuff like web servers, postfix, squid etc will remain on my amd64 server.

I know that 128MB or even 64MB should be more than enough for all that - but is it enough for running fail2ban? I routinely see f2b using 1 or 2GB RSS on my amd64 box. Is there even a fail2ban opkg for lede? Or am I better off just setting up the router to do remote syslogging to the server and continuing to run fail2ban on the amd64 box?

I don't really have a good feel for what these ~500Mhz CPUs are capable of, what their limits are. I know they're all much more powerful than the internet gateway boxes I was building back in the early 90s with 40MHz 80386 CPUs and only 4MB of RAM (that's 4 megs, not gigs) and I used to run similar stuff on them...but that was with 28 or 56Kbps modems, not 50-100Mbps VDSL, and they weren't under constant attack by bots and script-kiddies back then, so there wasn't the packet filtering load on the CPU.

BTW, even if I just set it up in bridged mode, I'd still like to install LEDE on whatever I buy. Vendor "firmware" is rubbish, or a security hazard, or both.

Thanks,

Craig

https://lede-project.org/toh/views/toh_modem_supported?dataflt[Modem*~]=vdsl

General advice: Get a separate modem, and a separate router.

Don't want to, and doing so would defeat my purpose in running a LEDE router. If I'm going to do that, I'll just get a modem, configure it for dumb bridged mode, and keep everything on my amd64 server. i.e. same as now but with a new modem.

The whole point, for me, is to offload the router functions onto a separate device - one that can function as both my DSL gateway and wireless AP (my main server is currently doing both). Partly so that the net stays up for other machines on the LAN even if I have to reboot the server for a new kernel or something (currently it doesn't because the server IS the router - it's not a huge problem, I don't reboot it very often, but I'd rather that it didn't happen at all).

That's not an unreasonable workload for the hardware in modern router/modem boxes....I can do that on even an ancient P4 or Celeron, or an Atom, with a NIC, a USB or PCI-e WiFi adapter, and a pppoe connection. Current model routers have CPUs at least as powerful as those.

BTW, I don't have a typical home user NAT setup. I have my own /24 networks routed to my pppoe connection...which is why I was asking about fail2ban. My iptables rules need to adapt to whatever is happening, e.g., to block spammers and web-trawling bots based on what appears in the mail & web server logs. Not because I'm terribly worried about the machines or VMs on my LAN being compromised but because all that extra traffic causes the loadavg to shoot up when under heavy attack, and causes the kernel's ARP table to overflow....but if I block that unwanted traffic at the pppoe interface, it's as if it never happened. It would be even better to block it on the ISP side of the link, but that's not a service they offer.

BTW, none of those models are available in Australia.

I've also noticed several inaccuracies in that ToH - e.g. it says that the TP-Link VR200v only has an ADSL2 modem, but it actually has VDSL2 - the same as the other devices with the Lantiq XWAY VRX288 SOC.

I'm not sure if that's just faulty data in the entry, or if it's because LEDE only supports ADSL2 on that model. My guess is that it's faulty data.

If you can track one down on eBay, the BT OpenReach ECI EchoLife VDSL modems are good, and you can either flash LEDE to one (if you're handy with a soldering iron) or buy one pre-flashed.

You can then bung it into bridge mode and connect lan port 1 to the WAN port on any wireless router you'd like that also supports LEDE and be done. Sure, it's a two box solution, but the only VDSL modem/router combo I know of that works with LEDE is the BT HomeHub 5, and installing LEDE on it is NOT for the faint of heart.

The other option is grabbing a DrayTek VDSL PCIe card for your router computer, but that essentially runs its own firmware and shows up as an ethernet port in your computer IIRC.

Edit: OK, one more option, the NetGear D7800 (not R), the VDSL part is not supported by LEDE, however Netgear provide a fully working version of OpenWRT AA on myopenrouter website.

TP-Link W8970, W8980, W9980. Rock solid devices, too. Downside is that the WAVE300 chipset isn't supported in LEDE, so no 5GHz Wifi on the W9980. (And from what I gather that also means no 2.4GHz Wifi on a VR200.)

Sorry, should have expanded on that, only working fully

If you value your home phone, stick with the vendor supplied hardware.
None of them release enough info to configure the phone on another device or through bridge etc at present.

I currently am double NATing my FTTN via vendor supplied hardware + secondary router w/ LEDE.

@philjohn thanks for all that. Unless the BT is available in .au, it's not an option...and while I'm OK with a soldering iron, I'd rather the re-flashing be software-only. I already run a tftp server for network installs of debian on new machines, and netbooting stuff like clonezilla and gparted, so tftp is no problem.

A two box solution is also no good for me. It's no better, and unnecessarily more complicated, than just using a bridged modem and running pppoe on my server. I'm beginning to think that this will be my best or only option - like the last time i looked into using openwrt, the biggest difficulty is finding a model that has FOSS support for both wifi & dsl that's actually available for purchase in Australia. I could order from overseas but Australian consumer protection law is quite good and (unless I actually modify the hardware by soldering a serial port to it), I have a good chance of being able to return a device that isn't fit for the purpose I purchased it for. In particular, re-flashing a device does not necessarily void manufacturer warranty and certainly not the australian statutory warranty.

Does LEDE not support USB wifi sticks? If I can find a supported modem, is there any reason I couldn't just remove the ath9k USB wifi from my server and plug it into the modem? Or some other, better, usb wifi adapter if I want an upgrade.

I've seen the Draytek PCI-e cards. nice idea...but really no better than a bridged modem. and many times the price. I can buy a bridgeable modem for <= $80. IIRC, the draytek PCI-e card is around $600.

I also started reading about the D7800 last night. Thanks for the warning about the VDSL - I thought it was supported. At ~$400 it's more than I wanted to spend, but I found someone selling one on gumtree for $250, still in its shrink-wrap. AFAICT myopenrouter has supported it since early 2016 and it's still not been ported to openwrt or LEDE so it seems unlikely that it ever will be.

All this is enough to make one really hate and despise embedded device manufacturers...pushing shonky crap out the door as fast as they can and randomly changing the specs without changing the model number to save a few cents (or as a bait-and-switch by starting off with a good chip than changing to something crap later). and a product life-span of about 6 months before the next model is out.

@takimata the 8970, 8980, and 9980 seem to have vanished from the market here in .au. WD-9977 is readily available for around $80. It's my fallback option to just use it as dumb bridged modem and continue to run pppoe on my server. I know that will work (it already does with my ADSL modem), but I want to shift the gateway stuff to a little router if I can. The TP-Link WD-9977 seems to be completely unknown to openwrt, LEDE, or wiki-devi. It's a replacement for the WD-9980, but that's no guarantee that it has even a similar chipset.

@lantis1008 I run asterisk on my server, which already connects to my ISP's VOIP server (iinet) and another VOIP provider as well (faktortel). I'm not planning to change that (although if asterisk can run on LEDE I may move eventually that too if I can get everything else working). I'm not NATted at all, I have my own /24 networks routed to my pppoe link (one of the benefits of being an internet geek in the 90s when it was still possible to get "class C" networks without being a mega-corporation)

Retail perhaps. Ever considered second hand? I have yet to make a single bad experience with second hand routers, generally they are built to last, and people don't tend to abuse them.

It honestly looks like you've got quite specific requirements and aren't willing to be flexible, in which case, stick with stock firmware.

The 2 box solution is rock solid, and actually preferable to a combined unit as every time you need to reboot your router it's going to affect the DLM in the VDSL service and possibly shove you onto an interleaved path, or cap your profile, which are things you definitely don't want. As I've pointed out, there are VDSL modems that run LEDE, so that ticks one thing off your list.

Don't forget that if you ever get FTTH (rather than FTTC) you'll need an external ONT (unless you get something like the Turris Omnia and use the SFP port), so will be back to a 2 box solution.

I honestly think you need to compromise somewhere.

I'm running a Huawei HG612 VDSL modem in bridge mode, sadly using their stock firmware, but modified to remove TR-069 and the agent British Telecom install to remotely monitor you - I've got that next to the master socket, then a Cat5e cable running from there to my R7800 which is under the stairs near the centre of the house, and that's running LEDE.

In your original post you mentioned you wouldn't mind putting something in bridge mode if you could at least run LEDE on it, which you can, with an ECI EchoLife - sure, you can't buy one brand new, but they're simple pieces of kit and very little to go wrong.

Hello,
The BT Home Hub 5A (aka HH5A) is a good ADSL/VDSL2 all in one solution, you can find them already flashed with LEDE on ebay for 25€.
They use a Lantiq SOC, which support SNR adjustement. All the hardware is fully supported, also the wifi 802.11 a/b/g/n+ac 1600.

The other good solution is the Combo Huawei HG612 modem (unlocked firmware, very easy to do) that you can find for 28€ on ebay too, + any LEDE router.
you can consider buying a cheap Xiaomi WiFi Router 3G (Gigabit ports + WIFI AC 1200Mbits) for 33€ on Gearbest.
There is a tutorial here in the forum about how to install Lede on it.

The HG612 with a Broadcom 6368 usualy sync better than the HH5A with its Lantiq soc, lets say 3 to 4Mbits higher in VDSL2.

After working in the last couple years with different combinations I decided on the next:

• VDSL\ADSL Moded(brdige mode) Draytek is one of the expensive but works like a charm, I am using DLINK 225 Router in Bridge mode and it works great for a long time.
• Use some good router that will not consume too much Watts which you can rely on.
  Currently I am using: EdgeRouter Lite and MikroTik RB750Gr3.
  The EdgeRouter has some nice features in terms of enterprise products cli compatibility but the MikrtoTik just does what it is supposed to do.
  The only reason I am using the EdgeRouter is since it has Deep Packet Inspection analysis logs and technically I would have switched long ago to MikroTik RB750Gr3 if I did had any abusive clients on the network.

Everything you need in the software level such as DNS or other things just run on a simple tiny low Watts consumption device.
If you need wifi then use a good wifi Access Point.
I am using Ubiquiti AC LITE and Mikrotik RB951G-2HnD which are both amazing.
From experience I believe that such a setup:

• Good VDSL mode
• Good Router(maybe with AP internally)
• Good Access Point
• Tiny server(AMD64 or else)

Is the combination for a good and stable service.

With LEDE firmware how can you ensure the VDSL connects with G.INP and vectoring enabled?? is there an option within the config?

There are dsl CLI commands which gives you all the infos regarding Ginp, vector, etc etc...
For Lantiq soc it's dsl_cpe_control and dsl_control

root@LEDE:~# /etc/init.d/dsl_control status
ATU-C Vendor ID:                          Broadcom 164.115
ATU-C System Vendor ID:                   Broadcom
Chipset:                                  Lantiq-VRX200 Unknown
Firmware Version:                         5.8.1.8.1.6
API Version:                              4.17.18.6
XTSE Capabilities:                        0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2
Annex:                                    B
Line Mode:                                G.993.2 (VDSL2)
Profile:                                  17a
Line State:                               UP [0x801: showtime_tc_sync]
Forward Error Correction Seconds (FECS):  Near: 0 / Far: 145186
Errored seconds (ES):                     Near: 0 / Far: 1039
Severely Errored Seconds (SES):           Near: 0 / Far: 92
Loss of Signal Seconds (LOSS):            Near: 0 / Far: 43
Unavailable Seconds (UAS):                Near: 30 / Far: 30
Header Error Code Errors (HEC):           Near: 0 / Far: 0
Non Pre-emtive CRC errors (CRC_P):        Near: 0 / Far: 0
Pre-emtive CRC errors (CRCP_P):           Near: 0 / Far: 0
Power Management Mode:                    L0 - Synchronized
Latency / Interleave Delay:               Down: Fast (0.18 ms) / Up: Fast (0.0 ms)
Data Rate:                                Down: 76.626 Mb/s / Up: 14.752 Mb/s
Line Attenuation (LATN):                  Down: 17.4dB / Up: 20.4dB
Signal Attenuation (SATN):                Down: 17.5dB / Up: 20.2dB
Noise Margin (SNR):                       Down: 7.5dB / Up: 7.9dB
Aggregate Transmit Power (ACTATP):        Down: -3.2dB / Up: 14.6dB
Max. Attainable Data Rate (ATTNDR):       Down: 75.115 Mb/s / Up: 14.682 Mb/s
Line Uptime Seconds:                      2389
Line Uptime:                              39m 49s

And this is all the console commandes available !

root@LEDE:~# /sbin/vdsl_cpe_control --console

DSL_CPE#>help
   acog,          AutobootConfigOptionGet
   acos,          AutobootConfigOptionSet
   acs,           AutobootControlSet
   alf,           AutobootLoadFirmware
   asecg,         AutobootScriptExecuteConfigGet
   asecs,         AutobootScriptExecuteConfigSet
   asg,           AutobootStatusGet
   aufg,          AutobootUsedFirmwareGet
   alig,          AuxLineInventoryGet
   bpstg,         BandPlanSTatusGet
   bpsg,          BandPlanSupportGet
   dbgmdg,        DBG_ModuleDestinationGet
   dbgmds,        DBG_ModuleDestinationSet
   dbgmlg,        DBG_ModuleLevelGet
   dbgmls,        DBG_ModuleLevelSet
   dsmcg,         DSM_ConfigGet
   dsmcs,         DSM_ConfigSet
   dsmmcg,        DSM_MacConfigGet
   dsmmcs,        DSM_MacConfigSet
   dsmstatg,      DSM_STATisticsGet
   dsmsg,         DSM_StatusGet
   dsnrg,         DeltSNRGet
   dmms,          DeviceMessageModifySend
   dms,           DeviceMessageSend
   esmcg,         EventStatusMaskConfigGet
   esmcs,         EventStatusMaskConfigSet
   fddg,          FilterDetectionDataGet
   fdsg,          FirmwareDownloadStatusGet
   fpsg,          FramingParameterStatusGet
   g997amdpfcg,   G997_AlarmMaskDataPathFailuresConfigGet
   g997amdpfcs,   G997_AlarmMaskDataPathFailuresConfigSet
   g997amlfcg,    G997_AlarmMaskLineFailuresConfigGet
   g997amlfcs,    G997_AlarmMaskLineFailuresConfigSet
   g997ansg,      G997_AttainableNdrStatusGet
   g997bang,      G997_BitAllocationNscGet
   g997bansg,     G997_BitAllocationNscShortGet
   g997cdrtcg,    G997_ChannelDataRateThresholdConfigGet
   g997cdrtcs,    G997_ChannelDataRateThresholdConfigSet
   g997csg,       G997_ChannelStatusGet
   g997dpfsg,     G997_DataPathFailuresStatusGet
   g997dfr,       G997_DeltFreeResources
   g997dhling,    G997_DeltHLINGet
   g997dhlinsg,   G997_DeltHLINScaleGet
   g997dhlogg,    G997_DeltHLOGGet
   g997dqlng,     G997_DeltQLNGet
   g997dsnrg,     G997_DeltSNRGet
   g997fpsg,      G997_FramingParameterStatusGet
   g997gang,      G997_GainAllocationNscGet
   g997gansg,     G997_GainAllocationNscShortGet
   g997lstg,      G997_LastStateTransmittedGet
   g997lacg,      G997_LineActivateConfigGet
   g997lacs,      G997_LineActivateConfigSet
   g997lfsg,      G997_LineFailureStatusGet
   g997lisg,      G997_LineInitStatusGet
   g997lig,       G997_LineInventoryGet
   g997listrg,    G997_LineInventorySTRingGet
   g997lis,       G997_LineInventorySet
   g997lsg,       G997_LineStatusGet
   g997lspbg,     G997_LineStatusPerBandGet
   g997ltsg,      G997_LineTransmissionStatusGet
   g997lpmcg,     G997_LowPowerModeConfigGet
   g997lpmcs,     G997_LowPowerModeConfigSet
   g997pmsft,     G997_PowerManagementStateForcedTrigger
   g997pmsg,      G997_PowerManagementStatusGet
   g997racg,      G997_RateAdaptationConfigGet
   g997racs,      G997_RateAdaptationConfigSet
   g997rasg,      G997_RateAdaptationStatusGet
   g997sang,      G997_SnrAllocationNscGet
   g997sansg,     G997_SnrAllocationNscShortGet
   g997upbosg,    G997_UsPowerBackOffStatusGet
   g997xtusecg,   G997_XTUSystemEnablingConfigGet
   g997xtusecs,   G997_XTUSystemEnablingConfigSet
   g997xtusesg,   G997_XTUSystemEnablingStatusGet
   help,          Help
   hsdg,          HybridSelectionDataGet
   ics,           InstanceControlSet
   isg,           InstanceStatusGet
   lecg,          LastExceptionCodesGet
   lfcg,          LineFeatureConfigGet
   lfcs,          LineFeatureConfigSet
   lfsg,          LineFeatureStatusGet
   locg,          LineOptionsConfigGet
   locs,          LineOptionsConfigSet
   lsg,           LineStateGet
   llsg,          LoopLengthStatusGet
   llcg,          LowLevelConfigurationGet
   llcs,          LowLevelConfigurationSet
   meipocg,       MEI_PllOffsetConfigGet
   meipocs,       MEI_PllOffsetConfigSet
   nsecg,         NotificationScriptExecuteConfigGet
   nsecs,         NotificationScriptExecuteConfigSet
   osg,           OlrStatisticsGet
   pmcc15mg,      PM_ChannelCounters15MinGet
   pmcc1dg,       PM_ChannelCounters1DayGet
   pmccsg,        PM_ChannelCountersShowtimeGet
   pmcctg,        PM_ChannelCountersTotalGet
   pmcg,          PM_ConfigGet
   pmcs,          PM_ConfigSet
   pmdpc15mg,     PM_DataPathCounters15MinGet
   pmdpc1dg,      PM_DataPathCounters1DayGet
   pmdpcsg,       PM_DataPathCountersShowtimeGet
   pmdpctg,       PM_DataPathCountersTotalGet
   pmlesc15mg,    PM_LineEventShowtimeCounters15MinGet
   pmlesc1dg,     PM_LineEventShowtimeCounters1DayGet
   pmlescsg,      PM_LineEventShowtimeCountersShowtimeGet
   pmlesctg,      PM_LineEventShowtimeCountersTotalGet
   pmlic15mg,     PM_LineInitCounters15MinGet
   pmlic1dg,      PM_LineInitCounters1DayGet
   pmlicsg,       PM_LineInitCountersShowtimeGet
   pmlictg,       PM_LineInitCountersTotalGet
   pmlsc15mg,     PM_LineSecCounters15MinGet
   pmlsc1dg,      PM_LineSecCounters1DayGet
   pmlscsg,       PM_LineSecCountersShowtimeGet
   pmlsctg,       PM_LineSecCountersTotalGet
   pmr,           PM_Reset
   ptsg,          PilotTonesStatusGet
   quit,          Quit
   rccg,          RebootCriteriaConfigGet
   rccs,          RebootCriteriaConfigSet
   rusg,          ResourceUsageStatisticsGet
   se,            ScriptExecute
   sicg,          SystemInterfaceConfigGet
   sics,          SystemInterfaceConfigSet
   sisg,          SystemInterfaceStatusGet
   t1413xtuorg,   T1413_XTUO_RevisionGet
   t1413xtuovrg,  T1413_XTUO_VendorRevisionGet
   t1413xturrg,   T1413_XTUR_RevisionGet
   t1413xturvrg,  T1413_XTUR_VendorRevisionGet
   tcpmistart,    TCPMessageInterfaceSTART
   tcpmistop,     TCPMessageInterfaceSTOP
   tmcs,          TestModeControlSet
   tmsg,          TestModeStatusGet
   vpcg,          VdslProfileConfigGet
   vpcs,          VdslProfileConfigSet
   vig,           VersionInformationGet

DSL_CPE#>

About the BT home Hub 5A on LEDE, here is the corect forum to find all answers to your questions :
https://openwrt.ebilan.co.uk/viewforum.php?f=7

the HH5A with Lede already flashed can be found on Ebay for a less than 30 euros.
https://www.ebay.co.uk/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313.TR0.TRC0.H0.Xhh5a+lede.TRS0&_nkw=hh5a+lede&_sacat=0