[Solved] ISP xDSL lock out

I am using 2 modems to dial in pppoe to my ISP, an ISP provided zyxel VMG3925-B10A and an openreach router I purchased from Europe for $20. It has become a revolving door. I will do some testing and inherently drop modem web gui access and need to power cycle the modem. I will attempt to power cycle the device and it will draw an ip and will not get an ip4 dhcp from the ISP. When the link drops, it will not re link, and sometimes I will then have to call customer support and ask them to re link the device as they have some type of remote link which they can alter settings in the zyxel modem.

Now not only are they getting really crappy about it now because instead of simply reauthenticating the link remotely through customer service they opt to send out a trouble ticket which means a service tech will come which takes ~2 days. I made an agreement with them that since the link drops and I have to call in, I would use their modem because it keeps their equipment in and we can be happy because they got smart and stopped relinking me remotely, they would just issue a trouble ticket and I would have to wait. Infuriating.

Now after 30 or so calls back and forth and they issued threats saying things like "I should leave it alone" and 2 customer service reps became extremely rude and attempted to strong arm me through the phone, a call came from upper management and I feel like they can handle the CS part fairly well now that they have compiled their notes and coordinated a little better.

But just as things begin to improve now the foreman and local office thinking they can bully me have now placed a vlan on it because when I attempt to connect without it my openreach will not. I felt that putting the vlans on was really dirty because now I can't use my own equipment to connect. I have a feeling it has to do with some checkboxes within the zyxel which are not available on my openreach modem.

So I called them and told them I need to test more and they start telling me no this no that we can't do back and forth. So they agree to come in and use their "tech login" so that I can login and configure it and then "they will leave and I can't get into it anymore". I also can't have their "tech login" because I will have access to everyone's router. They also have chosen to not just simply change the admin password once logged into the router because that's just "a flat out no".

So they have some type of third party config that is engrained over the zyxel which may be mac linked to the device - which may also be the reason when I try to use my openreach it will not connect, perhaps the isp issues to that zyxel mac and if it's not matched with the previous mac it will need to be reauthenticated by manually customer service? So it seems if I attempt to reset or hard reset they have to authenticate remotely. It also uses an ISP login so that I cannot just use the default credentials. Now I can reset and then use the default credentials but every now and again that will result in a dropped link, forcing me to call them. Same with my own equipment, even if I leave my own modem in, I test, and I drop the link, I will have to call again.

Now unbeknownst to them I acquired the tech login and I can login to the modem any time I please, but as soon as I begin any rigorous testing it's possible I lose access to the web gui and the whole process starts all over. They have yet to threaten to cancel my service but they did "suggest" I go elsewhere and there is literally 0 other ISPs in the area. We are ~5 years away from fiber it is within 100 miles being dug every 2 or so years but I don't want this to go on and I would like them to figure out their problem fast.

Any recommendations?

it sounds like you have a marginal connection, maybe the lines are a little too long or whatever and this means every so often when the weather is wet or the wind is blowing things stop working... at this point you try to figure it out but that ultimately pisses people off. does that sound about right?

is there no WISP available?

have you got access to connection quality data in your modem? SNR, modulation, CRC errors etc? how about getting the techs to come out and use some kind of connection quality meters on your line and maybe restring or improve connections in some cabinet somewhere?

You're saying that their provided modem does not work steadily? If they're sending a tech they should have traded out the Zyxel hardware at least once by now.

Are you still trying to use your own modem? If you do get your own modem working as a bridge there is still a security concern since any bad actor can come through the modem (without even knowing it is there, since it's a simple bridge) and hit the WAN port of your router. This really isn't much different than having an ISP provided modem that you don't trust. Either way everything beyond the WAN port of the router is untrusted. OpenWrt is built around that assumption.

I mean I have optimized it as far as I could - and they have met me somewhat in the middle but it's been me finding what works and what doesn't. 6 years ago there was nothing, then 10/1 for $100 and now 100/25 for $200. So I am on a 50/10 but I have paid $200 a month for services and what not. They have been going through techs and routers so everything is different I understand not to mention every time I call CS it is a different person some knowledgeable some not. But they don't understand what type of testing has to be done to figure out if the service is viable or not.

WISP I have not heard of but hughesnet was a total disaster.

I also forgot to mention during one of these service calls I had completely straight wired the line through the phone jack through the box right to the dsl line so there were no copper rj11 connectors it was all spliced and the new tech and foreman that was their first experience with me so they kind of got off on the bad foot but I decided that is not necessary and they of course ripped that line out and ran a new line so they were ticked about that. Then I cut that line accidentally with my mower. I also forgot to mention this past summer they ran me a new line and built me a little mini dslam in front of my house like a connection box or one of those line conditioner deals that looks like a 3 ft high cable box.

But yeah the main point is I'm trying to optimize their line with their equipment so it will be worth using. And yeah one of the issues last year lightning did wipe out a modem they had to replace.

So yeah the line is brand new their dslam looks up to date they do upgrade substantially every couple of years and they will add in fiber but more importantly I want to know if xdsl when optimized can perform identically to fiber in some instances such as packet transfer. What I am looking at is a utilization of less than 1.5 mb so I don't need fiber to play games. There is in fact a fiber line 40 meters across the road I can tap into but because they have not begun to bring in the equipment and set up and terminals for residential use "there is no way we are going to dig fiber for just you". So the fiber line they will eventually plug me into in 5 years is 40 meters from my home which runs to a school. I am going to try to pay them $2k to bring me a fiber set up because there is no way they can't dig me a fiber line splice me in and hook me up when they dug me an entirely new dsl line last year.

The line is not interleaved the wire is good I don't have any major buffers or line limiters so I think the line is good it's just the way they authenticate and are beginning to restrict my use of a configurable modem in the home. So their line is good I believe and I am aware am about 100 yards from the dslam cabinet and from there it's their fiber cable for who knows how many hundreds of miles and given the +40 latency figure urban areas have over me I don't think any of those things play a pivotal role in preventing clean packet transmission. Also I am kind of stuck with the 50/10 and it's more like 48/8 with the sqm but I feel like with a clean network clean line which I believe I have things should run smoothly. So for the future I assume it is either fiber or starlink but because I have no other way to test a fiber connection in the area I do not know if my xdsl is comparable in low latency packet transmission. I don't need the vdsl2 to be faster or achieve higher rates than fiber I just need it to be able to compete.

Sounds super frustrating. Is there something technically that we can help you achieve though? For example if you want to know what's going on on the WAN side of your router, we could maybe do some packet captures and look at the vlan tags and things and tell you what you should be doing to make it work?

Or is it already working? I'm not quite clear if you have a question or just wanted rightly to vent :slight_smile:

I think I have the network locked down just in general the route to go next before I get that letter in the mail "you are no longer allowed to use our dsl" or throw my rig out the window

first I need to know how the vlan affects my config - does it change the mpu, mtu, do I have to account for it in the sqm config, basically what parts I have to inject in to my current config

second I wanted to throw it out there as there are a number of users with a diverse set of circumstances and I just wanted to know how any of this can be bypassed or adjusted. Like my modem, when the link drops it doesn't have a modem web gui anymore it takes me to a ISP screen that gives me the ISP server IP then tells me to call CS. It appears they have the ability to create preset configs and then upload them like a settings refresh so I think the modem is okay, as I said I am running into some solid walls now and they are working with me less and less the more problems they encounter. CS can help but they don't, the service guys can help but they don't, and upper managers don't understand any of it. So to create a partnership I volunteered to use their equipment because it has a broadcom chip and I only needed the broadcom chip in the modem to begin with, I am satisfied with that but every time the link has to be reauthenticated I have to go in and tear down the PTM setup and set it back up bare bones which they are also getting tired of now that they are aware but do not know how I am gaining access to the modem.

Just whatever can be discussed about their set up, I can probably gain access to their administrative office and have a look around possibly have them show me their config why they have to authenticate what it looks like when they do what types of buffers they have in place but I think that might just waste time. Even if I saw something that could be changed I might run into some guy whose favorite word is no. Their network admins are pretty helpful and even disabled then reenabled interleaving for me from 100 miles away so they do pitch in.

so that's the "what can I do about the authenticating" and the "what can I do" about this zyxel "third party" ISP modem I think even if I found out they would upgrade and I'd have something else to deal with.

But yeah I need to authenticate the link myself somehow and just idk serial port through their router?

More concerning is if the same problems occur in the future vlan lock outs/equipment restriction who knows unwillingness to configure their equipment for me it could be bad with a bad fiber setup and they say no we can't configure anything for you sorry.

funny I looked up wisps in the area and one was actually operating here about 8 years ago but has since gone off the map and the other I can't find any information about.

This is a map of the fiber lines run around my area.


There is literally fiber in every county around mine except mine :upside_down_face:

Well, first off, here's what should happen ideally.

  1. You put your authentication info into their modem gui, and then place it in bridge mode.
  2. The modem does PPPoE for you, and just provides a port into which you can send ethernet packets and out of which ethernet packets come...
  3. You put your OpenWrt device with its WAN port plugged into their modem/bridge and talk to the internet.

So, how different is the real setup from that setup? Where does it diverge?

After a few times of me testing and knocking it out and having to reauthenticate either by CS or service tech they came up with the idea that they will just "prebridge" it for me and give it to me. They even went so far as to have the config available so that CS can do that remotely, or maybe they just play in the modem I'm not sure. In any case when they give it to me prebridged I can't access it then they try to feed me "well because it's bridged you don't have access to it".

So after having enough of that I decided well every time they give it to me like that I want to make sure it's bridged properly so I reset it only this time because they are being so delicate I decided to let them come and watch me bridge it or give me access to bridge it, they opted to come and watch me bridge it.

Now I would normally delete all PTM links and only add a bridge and dial in through openwrt pppoe-wan. The way its configured now it has 3 configured interfaces, a ptm-pppoe, a bridge, and a mgt-ptm. The way they have it to work is that I am supposed to just plug in and it configures itself to either bridge or as a router itself.

I think the issue I was running into was that was just the way I got it to work I didn't really research how to get the bridge set up properly or dial pppoe properly I just wanted it to work so I would setup the x86 to dhcp plug into modem no net that doesn't work bridge modem set up x86 to pppoe. So that's how I got into that configuration which is probably wrong but I just understood it get into bridge mode and get that modem out of the way just an open link for the sake of that modem being a tool I didn't want functioning in my firewall/network to cause unnecessary delays. So that's the reason why I said I don't mind the zyxel it is pulling in better rates and has a broadcom chip fine i'm happy with that but it is delicate and likes to lose web access then I have to call in and reauthenticate ugh

Yes, that's right. If they're just giving you a PURE bridge, then you won't have access to it, because everything you send will bridge over onto their network, rather than being examined or heard by the modem itself. that is actually just fine too. Then it's up to them to make sure their modem hands you a bridge, and it's up to you to do the rest. which is where we can help you out here... But it means your router needs to do pppoe and / or handle the VLAN tags, which is very doable if we figure out what is needed.

So. When they do this pre-bridged thing, they expect you to use your router to do pppoe is that correct? And maybe to use a VLAN? Did you ever get that to work?

I did not get an opportunity to bridge>set up pppoe and input vlan info I do not believe.

Basically I was in agreement that I would use the default config but I accessed it and I probably wiped out all interfaces and left the bridge in - or maybe I tried that and it wouldn't draw an ip so I had to leave the ptm-pppoe.

I do not think I attempted to bridge the ptm-pppoe interface with the checkbox - I usually created a single bridge interface which is what I suspect they were doing and possibly why I lost connection to it a time or two, but it would just be like intermittent it would just not allow web access.

Also I can't remember if both the ptm-pppoe and bridge interfaces have to be there for the bridge to work. But I usually would just reauthenticate, wipe all the interfaces and create a single bridge interface dial in x86. Now when they added the vlan I noticed it was added to the ptm-mgt section so I was running into an issue where they would bring it to me bridged and it wouldn't link so I wouldn't know and just reset it. But the whole time they put that vlan in there and it probably got set up on their side of the link and wouldn't let my openreach modem link or my x86 because they didn't tell me they put the vlan on. So basically as a bridge it was useless - it wouldn't authenticate my openreach modem and I didn't know I had to put the vlan on my x86.

So just going onward I didn't think about it then I started to think about it and didn't want it that way I wanted it bridged. It was basically, it has this config now just the default config of 3 interfaces. I don't think its bridged but I am dialed in through my x86 pppoe-wan. So I'm not sure which device is doing the pppoe because I am sure they are both set up to dial so it must be bridged? Who knows. They are set to come and watch me configure it, so should I just go in and delete that bridge interface when they do so i'm sure it's not trying to bridge? I would like the zyxel to be set up as you said, just as a firewall-less port, and just draw the dhcp with the x86.

But even then - when I tried to put the vlan stuff into openreach where it should go it still wouldn't link. Now I don't know if that has to do with them having to reauthenticate while the modem is hooked up maybe it authenticated with the zyxel MAC and wouldn't take it but by that time they were past just doing the authentication through CS they would send out a tech out of frustration.

I will log into both modems and get screens.

If you're running pppoe on your side of the modem it's (for practical purposes) bridged. You should have a public IP address on your pppoe interface and no blocking of incoming connections from the Internet. When they're providing a modem that can be bridged there's not much need to bring your own. When performance issues crop up they can't blame your modem.

A VLAN just means that the pppoe packets are tagged with a vlan when they leave the modem and enter the router. If you know what the VLAN number is it is very easy to set up OpenWrt to do that.

The modem may be holding a second connection open for use in the router mode. In other words both bridge and router are up at the same time, but you're only using one. The internally terminated connection is a different IP address and that is how they remote into the modem. You may have a choice of which one to use based on which port you plug in to.

If you're not running a conventional server that requires unrestricted incoming connections it is OK to have the modem routing.

If they can remote to the modem when you seem to be completely disconnected, the DSL line isn't actually completely disconnected.

The signal status screen is really all you need to see inside the modem. To rule out wiring issues use the shortest possible cable from the NID (box on the side of the house where your wiring ends and theirs begins) direct to the modem. This should be cat 5e cable, only use one pair. Put a RJ11 on the modem end (actually you can do this on both ends, plug the outside end into the "test" jack on the NID) and plug in directly.

Interesting thought with the remote link. So I attempted to reset the zyxel and log in using the tech login I acquired a while back. So not only did they vlan my line preventing personal modem use but they have managed to lock out all web GUI access. So now when I reset it there is no web GUI. So I spent the last two hours on the phone with them and apparently all customer service has is this program where he puts the pppoe info back in and that’s. He also mentioned it had been down an hour and he brought it back up so I’m not sure what he meant by down. The modem must be linked with their program and it must have diagnostic logging.

So he links it back up I ask him if I can try to get my modem up while he’s on the line he gives me this line of oh idk I can’t really do anything with your modem. I mainly wanted to see why my modem fails to pull an ip as it used to. Same deal - down the link, they bring the link up, I plug the line into my modem and it worked, the vlan stopped that. So I am not sure maybe I will plug it in and just mess with it until it goes down and call them 50 times.

So now he gets it back up I hang up and plug my x86 in to dial pppoe. Nothing, try dhcp client nothing. So yeah I can’t even route through their junk equipment or connect to its WiFi because it reverted to some stock WiFi password

Total headache

Here's what you need to do....

  1. get yourself wireshark
  2. turn off their modem
  3. Plug your computer into their modem
  4. Turn on wireshark and capture packets on your computer
  5. Turn on their modem
  6. Collect a packet capture for about 30 seconds
  7. Turn on whatever you think your computer should be doing (DHCP or whatever)
  8. continue to collect for another 30 seconds...
  9. Kill the packet capture and turn everything off...

This will let you see what actually is happening on your link. You may find that you have VLAN tagged packets, in which case you just VLAN tag your router... no big deal. You may find you need to do pppoe... in which case you do that... you may have to do both... you might just need to do DHCP but using the VLAN tags... who knows.
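A sketch of the check those capture steps lead to, added here as an example and not part of the original post: it reads a classic pcap file and counts frames by VLAN ID and protocol (PPPoE discovery stage, PPPoE session, DHCP). The MAC addresses, VLAN ID 10 and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

TAG_TYPES = (0x8100, 0x88A8)              # 802.1Q and 802.1ad VLAN tags
PPPOE_DISCOVERY, PPPOE_SESSION = 0x8863, 0x8864
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}


def classify_frame(frame):
    """Return (vlan_ids, protocol_name) for one raw Ethernet frame."""
    if len(frame) < 14:
        return (), "truncated"
    offset = 12                            # EtherType follows the two MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    vlans = []
    while ethertype in TAG_TYPES:          # peel off each stacked VLAN tag
        if len(frame) < offset + 6:
            return tuple(vlans), "truncated"
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)         # low 12 bits of the TCI are the VLAN ID
        offset += 4
    payload = frame[offset + 2:]
    if ethertype == PPPOE_DISCOVERY and len(payload) >= 2:
        proto = "PPPoE " + PPPOE_CODES.get(payload[1], "code 0x%02x" % payload[1])
    elif ethertype == PPPOE_SESSION:
        proto = "PPPoE session"
    elif ethertype == 0x0800:
        proto = "DHCP" if is_dhcp(payload) else "IPv4"
    else:
        proto = "ethertype 0x%04x" % ethertype
    return tuple(vlans), proto


def is_dhcp(ip):
    """True for an IPv4/UDP packet whose ports are only 67 and/or 68."""
    if len(ip) < 20 or ip[9] != 17:        # byte 9 is the IP protocol, 17 = UDP
        return False
    ihl = (ip[0] & 0x0F) * 4               # IPv4 header length in bytes
    if len(ip) < ihl + 4:
        return False
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return {sport, dport} <= {67, 68}


def iter_pcap(data):
    """Yield raw frames from a classic (non-pcapng) Ethernet capture."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    pos = 24                               # skip the 24-byte global header
    while pos + 16 <= len(data):
        (incl_len,) = struct.unpack_from(endian + "I", data, pos + 8)
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def summarize(pcap_bytes):
    """Count frames per (VLAN IDs, protocol) so tagged traffic stands out."""
    return Counter(classify_frame(f) for f in iter_pcap(pcap_bytes))


def sample_pcap():
    """Constructed capture: untagged PADI, PADO tagged VLAN 10, untagged DHCP."""
    cpe, isp = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    bcast = b"\xff" * 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), bcast[:4])
    frames = [
        bcast + cpe + struct.pack("!HBBHH", 0x8863, 0x11, 0x09, 0, 0),
        cpe + isp + struct.pack("!HHHBBHH", 0x8100, 10, 0x8863, 0x11, 0x07, 0, 0),
        bcast + cpe + struct.pack("!H", 0x0800) + ip + struct.pack("!HHHH", 68, 67, 8, 0),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for (vlans, proto), n in summarize(sample_pcap()).items():
        print(n, "x", proto, "VLAN", list(vlans) or "untagged")
```

Wireshark saves pcapng by default, so save the capture in the pcap format before passing its bytes to `summarize`.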

Ah I see, I do have wireshark but I have not set up openwrt for a vlan and only have seen it on my linksys which had a switch tab - will I be adding a package?

Are you running openwrt on the x86? or is it just a desktop machine like Windows or a full Linux distro?

If you have wireshark on a machine, just plug it in and capture... the capture gets raw packets, you can look at the ethernet info and see if it has a vlan tag or not. You'll learn a lot from a raw packet capture... assuming you can get them to send you something :wink:

So, let me start by being a tad direct here, but I think step 0) needs to be become friends with your ISP, especially its front-line hotline and tech staff. Think coffee and cake when they come to your premises or when you visit their office. Internet access is typically a high volume, low margin kind of business, and ISPs tend to account the internal costs of tech support against the revenue generated by each line, and if I understand your description correctly, by that logic your account is deep in the red already...
About the technical issues, maybe you could remind us what you want to achieve and what the current situation is, in regards to accessing the internet?
And then as a secondary issue remind us what you want to achieve with the modem access in itself?


This is, as always, very good advice. One potential issue is that even in bridge mode there might be a VLAN tag on the DSL/PTM link that is not visible on the LAN-facing port of the modem (I know this as this is how I configured my modem like that on purpose).
I have a hunch that potentially the best option might be to first make a plan what should be achieved and more importantly what can be achieved configuration wise and then "wine and dine" the ISP's techs to help implement that and then keep a low profile for a while, "let some grass grow over it" as I crudely translate from German...
I would not be amazed if the ISP's default end-user configuration might not be decent enough, given that IIUC, most of the experimentation on the line did not yield a vastly superior configuration, using the default config allows to blend in again with the normal users customers?

this is a great phrase. with OpenWrt on the router, and any config at all that is viable, we should be able to get connected, and let the grass grow... the key is identifying what is required by whatever they've done as of now.


As of right now I used WIN10 cmd prompt to write the 18.06 x86 onto an ssd so its just a tower and 4790k booting the ssd, which is set to boot from a gigabyte bios. But I hope to put debian on that ssd and run 18.06 from debian in the future. I also wireshark from my pc. It is normally pc>tplink switch>x86>zyxel but now since I don't know how to draw a link from the zyxel with the x86 using dhcp/pppoe it is pc>zyxel. And the zyxel I am completely locked out of - zero web gui.

I would ask if there is any info on how they can restrict me from just inputting pppoe and dialing in as I used to, and you may have answered they could have some type of vlan that they put on my line to restrict it on their side that I don't see, it seems they do most of this work from the office and I imagine have spent a good deal of time excluding me from the system. It is especially sketchy as they program the modems and bring it to you and if they need to do something usually they will take the modem and figure it out(as when I started talking about bridging and they offered to bridge it for me)

I just want to be able to switch out their modem with mine for network testing and eventually use theirs for the sake of simplicity - they have access, can log what they want, or use mine if the zyxel does not benefit my network. Like I said the network, line, and zyxel is clean with the broadcom chip but its hardware I am not so sure. This is why I purchased the openreach modem from europe because in europe they are mostly copper making it a solidly accepted device i.e tournaments, lans, urban areas. So I just need the modem, the actual device to be solidly built, good hardware so that I know it is not creating any lag or not widely accepted hardware i.e microtek in my $300 european asus dsl modem.

Okay and in the zyxel I may need to serial in if it were to come to a point where they didn't let me use my openreach modem and said they will not change the config of the zyxel. I don't want to serial in or any of that I would rather like you said sit down, talk it out, play fair. Not that I would want to serial in anyhow.

So normally with the ISP it has been good I began accessing the modems just to try to sqm on the stock firmware and included the techs discussions. Then I asked about interleaving and they were happy to help at the network admins. Then I used tomato then switched to openwrt. Then I brought in my own modem and began to question the line which led to me straight wiring the line from my modem to the NID. Then they put the vlan on and locked out modem web gui. Then they ran me a new line. In between I get yelled at by CS and a call from upper mgmt inquiring about what the needs are which led to me speaking with the network admin and coming to agreement that I would use their equipment if it was suitable.

The only thing that I can access is my pppoe info which they give to me. So I understand that they just want less service calls or less CS calls but when network testing is done we all know everything goes wrong. I just reassure them that it is better for all of us to troubleshoot the issues together. I do not think it is bad customer bad ISP but there are new workers that come in and out of habit say no to something simple like modem web gui when the modem comes with all the login info and how to get in it stickied on the modem, then they say no you can't have access or start saying no to cooperating altogether which is becoming increasingly frustrating. So it came to they would include a service charge, which I agree to pay, or try to put a service charge which I do not agree to pay. This was where an upset CS rep got out of hand and told me I will be charged for a service visit, I think he assumed I was playing around and knocked the link out but I think that particular time the power went out and it reset to the bridge mode and I could not pppoe through it because the way they bridged it with the vlan I could not get a link through the x86 and I could not reset it because they have to basically default the zyxel and put the link back up. So he decides he will not put the link up and instead send a tech out and charge me. So I called them and explained that the way they fixed that up I could not make that work. Now that I know that I could packet sniff and potentially get dhcp from it I could have made that work but I do not do too well with network configuration.

So that's where it came to be no man's land. They set up a vlan, locked me out web gui, threatened with fees. Call from upper management. CS, net admins, local service guys, they just all have their own idea of how to handle it so really it is them who create the problems within their own departments then it affects the company and people become upset. So I understand that and understand they can pull my service especially from entering their NID or even entering the zyxel. I just assure them it takes time and we will get there.

ok so let's not make every post a small novelette... right now, what did they tell you to do? pppoe through their device? what happens when you ask OpenWrt to pppoe? I assume you aren't connected. so we want to see in a packet dump what kinds of packets come from them during the process. can you connect with a device and packet capture during an attempt to pppoe?
how about during an attempt to simply DHCP. perhaps their modem is handling the pppoe. you need to try those things and see what comes back from them.