Streetfighter 'vs' screen between PPPoE vs DMZ.

TL;DR

If you’re looking for easy, do Advanced DMZ. If you’re looking for stable, do PPPoE.

If you’re feeling adventurous, you may attempt a complete bypass at your own discretion.


Intro

Minimum topo needed for this setup.

If you’ve been doing any networking at all outside of the basic functionality that your Bell Home Hub 4000 (HH4K) provides, you’ll quickly notice that while there are options, they’re not great ones.

For the advanced user, the Bell HH4K in its base configuration doesn’t quite cut it. You can’t specify a DNS server that exists within your LAN, and DHCP configuration is limited to basic leases and reservations. These are dealbreakers for anyone who wants to run a DNS ad blocker, host local services, or deploy network boot infrastructure.

Running a third-party firewall allows you to tweak things to your heart’s content—from a bare-minimum install all the way up to redundant, high-performance production setups. With that in mind, let’s discuss the available options for doing this without having to upgrade to Bell’s business plan just to get more customizable hardware.

The following are the methods one can use to run a third-party router or firewall with Bell Fibe service. Today, we’ll go over the connection methods, their pros and cons, and a few things I wish I knew before undertaking this journey.


Connection Methods

The options available to Bell Fibe customers are limited: the HH4K does not ship with a true bridge mode, a function that Rogers bundles with its units.

This leaves us with two viable options short of a complete bypass:

  • Advanced DMZ
  • PPPoE Passthrough

Finally, there is the nuclear option. This method completely bypasses the ISP hardware and comes with its own set of problems:

  • Complete HH4K Bypass

Advanced DMZ

The Advanced DMZ on the Bell HH4K is a strange beast. Performance-wise, speed is fine. For many users, it may be a perfectly acceptable route if you don’t intend to tinker too much.

Pros

  • Easy
  • No overhead on router

Cons

  • Unstable
  • Does not properly survive HH4K reboot
  • Routing weirdness

Does not survive reboots

I use my lab quite a bit for day-to-day functionality. That means everything from my password manager to file storage and document management is accessed over VPN when I’m away.

As life goes, there are days at a time when I may be away from home. On multiple occasions, either someone reboots the HH4K or a power outage causes a reboot. Once it comes back up, my router is left in limbo.

The HH4K refuses to hand out an IP address to the router, and the only way to bring things back online is to disable Advanced DMZ, save, wait a bit, and then re-enable it.

To counter this, I would need to do one of the following:

  • Install a jump box on the network outside the DMZ, log into it remotely, and fiddle with the HH4K, risking making things worse.
  • Go home and plug an Ethernet cable directly into the HH4K to perform those same steps.
  • Script the above steps in Selenium and hope I don’t break things further.

None of these are particularly attractive options. Manual intervention is the last thing I want when I rely on this infrastructure to function while I’m away.


Routing Weirdness

The HH4K has one of the strangest route advertisements I’ve ever encountered.

I first noticed this while setting up more advanced lab networking, including VPN access. For context, my IP schema at the time was 10.100.0.0/24.

I attempted to access my network via VPN on pfSense. I followed all the necessary tutorials, yet none of my traffic ever made it to my devices.

To test further, I spun up a virtual machine, installed wg-easy, and port-forwarded it. To my great confusion, that worked. What gives?

Notice the pattern: with the VM approach, the WireGuard tunnel terminates on a host inside the LAN, so the firewall's routing table never gets a say in where the decrypted traffic goes.

When I checked the routing table on pfSense, can you guess what I saw? The HH4K had advertised the following route:

0.0.0.0/1

A /1 is more specific than the default route and covers the lower half of the entire IPv4 space, 0.0.0.0 through 127.255.255.255, so all of 10.0.0.0/8 falls inside it. Traffic to those addresses is treated as external and shipped off to the internet somewhere. That included my VPN traffic destined for 10.100.0.0/24.

This blew my mind, as RFC 1918 explicitly marks 10.0.0.0/8 as private address space.

At this point, I’m confident this is not a hardware issue; I’ve reproduced it across multiple devices with the same result. Shortly thereafter, I switched to a 192.168.x.x schema.
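To make the longest-prefix-match behaviour concrete, here is an added example (not code from the original post): it parses a constructed FreeBSD-style `netstat -rn` listing of the kind pfSense produces, resolves a few destinations the way the kernel would, and flags any gateway route on the WAN interface that covers RFC 1918 space. The interface names (igb0 WAN, igb1 LAN), the 192.168.2.1 gateway and the sample listing itself are assumptions for illustration, not a capture from a real HH4K.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 ranges that a LAN or VPN tunnel network is expected to live in.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on FreeBSD `netstat -rn -f inet` output (pfSense is FreeBSD-based).
# Interface names, the HH4K-side gateway and the 0.0.0.0/1 entry are assumptions, not a real capture.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.2.1        UGS        igb0
0.0.0.0/1          192.168.2.1        UGS        igb0
10.100.0.0/24      link#2             U          igb1
10.100.0.1         link#2             UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.2.0/24     link#1             U          igb0
"""

Route = namedtuple("Route", "net gateway flags netif")


def parse_routes(text):
    """Turn netstat -rn style text into Route entries; 'default' becomes 0.0.0.0/0, hosts become /32."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Routing", "Internet:", "Destination"):
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append(Route(ipaddress.ip_network(dest, strict=False), gateway, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins, as the kernel decides it."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.net.prefixlen)


def private_space_leaks(routes, wan_if):
    """Gateway routes via the WAN interface, other than the default, that overlap RFC 1918 space.

    Connected routes (no G flag) are skipped: the WAN's own subnet is expected there.
    """
    leaks = []
    for r in routes:
        if r.netif != wan_if or "G" not in r.flags or r.net.prefixlen == 0:
            continue
        for private in RFC1918:
            if r.net.overlaps(private):
                leaks.append((str(r.net), str(private)))
    return leaks


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT)
    for dst in ("10.100.0.5", "10.8.0.2", "192.168.50.1"):
        r = lookup(table, dst)
        print(f"{dst:14} -> {str(r.net):14} via {r.gateway} on {r.netif}")
    print("WAN routes covering private space:", private_space_leaks(table, "igb0"))
```

The lookups show the nuance: a host inside the connected 10.100.0.0/24 still resolves to the LAN interface because the /24 beats the /1, but any other 10.x destination (a VPN tunnel network, for instance) matches 0.0.0.0/1 and leaves via the WAN, while a 192.168.x address only ever hits the default route. To check a live pfSense box, feed it the output of `netstat -rn -f inet` and treat anything the leak check reports as a route to remove or override with something more specific.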


PPPoE Passthrough

PPPoE passthrough is more laborious to set up initially and, by its nature, requires more from your hardware. For many, this will be the only viable option due to the brittleness of Advanced DMZ during reboots and the routing issues mentioned earlier.

Pros

  • Stable
  • Effectively bypasses most HH4K functionality
  • Can use all private IP address space
  • Survives reboot of HH4K or your router

Cons

  • More effort to set up
  • More overhead on router hardware

My primary concern with switching to PPPoE was the potential performance hit. I was under the impression that PPPoE required a beefy processor with strong single-core performance to maintain throughput.

I was half-expecting to lose more than half my bandwidth, as my server is specced for capacity rather than speed. Thankfully, that wasn’t the case.

Short of running your traffic through a slow consumer router with a weak processor, a Raspberry Pi, or an old laptop with an Intel Atom, the performance hit will be minimal at speeds of 1 Gbps or less. One thing to check regardless of hardware: PPPoE encapsulation adds 8 bytes to every frame, so the WAN MTU drops to 1492 unless both ends support RFC 4638 baby jumbo frames, and enabling TCP MSS clamping on the PPPoE interface keeps that from surfacing as stalled connections.

My secondary concern was that logging in via PPPoE would kick off the original device, breaking the other services my family relies on.

This also turned out not to be true, as the authentication happens further down the stack on the HH4K.

You can review this post for more details on that behavior.


Complete Bypass

A complete bypass sounds attractive on the surface—but only if internet is your sole Bell service.

For TV and landline traffic, it is theoretically possible to replicate Bell’s IGMP snooping, VLAN tagging, and QoS setup on your own router. That is a significant amount of work for services I don’t personally use.

This option isn’t in the cards for me at the moment, as my family stubbornly refuses to give up their landline. If this is something you’re interested in, browse to pon[dot]wiki. There, you can search for the HH4K and see what’s required to get internet working.

Be aware that this involves spoofing your own SFP module to appear as the Bell HH4K. This carries its own risks, and you’d be wise to research them thoroughly before attempting it.


In Conclusion

The options, as they exist today, are full of compromises. The lack of a true bridge mode on the Bell HH4K leaves much to be desired.

Personally, I’ve chosen PPPoE passthrough due to the fact that I share this infrastructure with others. If I were on my own, I’d likely attempt a complete bypass.