Daniel sent us this one — and it's a question about fiber internet in Israel that I think a lot of people run into but nobody really talks about in plain language. Basically, the standard fiber setup here uses GPON, and most people just take the ISP's all-in-one box that handles everything. But if you're running your own firewall appliance, your own access points, your own switches — that combo unit in bridge mode is basically a compromise. The real question is: what do you actually ask the ISP for if you want a pure modem, the kind of thing they deploy in business setups? And then separately, for renters — can the ISP put a second fiber point in a different room?
This is a fantastic question, and it gets at something that's genuinely frustrating about the Israeli fiber market. The default assumption from every ISP is that you want the all-in-one device. That's what their support scripts are built around, that's what their technicians are trained to install, and if you deviate from that script, things get confusing fast. So let's map out what's actually available.
I think the first thing to establish — because the prompt mentions GPON specifically — is what that actually means for the hardware you can use. Because it's not like you can just buy any SFP module off the shelf and plug it into your OPNsense box. There's a lock-in mechanism here that's worth understanding before we even get to the conversation with the ISP.
So GPON stands for Gigabit Passive Optical Network. It's the standard that Bezeq, Hot, Partner, Cellcom — basically every fiber provider in Israel — uses for residential and most small business deployments. The key word there is "passive." Between you and the ISP's central office, there are no powered components. A single fiber strand comes into your apartment or house, and it terminates at a device that converts the optical signal to something your equipment can understand.
That device is the ONT — the Optical Network Terminal. This is the bit that people confuse with the router, but it's a separate function. The ONT is the modem. It takes light and turns it into Ethernet. Everything else — routing, Wi-Fi, the firewall, the switch ports on the back — that's all extra stuff that gets crammed into the same plastic box because ISPs decided consumers want one appliance.
And here's where it gets specific to Israel. The ONT isn't a generic device. In a GPON network, the ONT has to be registered with the OLT — the Optical Line Terminal on the ISP's end. And each ISP maintains a whitelist of ONT models and serial numbers they'll accept. You can't just buy a random GPON ONT and expect it to work. The ISP has to provision it. So the question "can I get a pure modem" really translates to: will the ISP provide an ONT that does nothing but bridge the optical signal to Ethernet, and nothing else.
Which is what they do in business deployments. So what's actually available if you ask for that?
There are effectively three tiers of what you can get. Tier one, which is what ninety-something percent of homes have, is the all-in-one. Bezeq typically ships a combination ONT-router-access point — often a model like the Nokia G-240 or similar, depending on what they're deploying in a given region. Hot Fiber uses a similar approach, though their CPE choices vary. These devices do ONT, routing, NAT, Wi-Fi, and sometimes VoIP, all in one box. You can put them in bridge mode, and that's what the prompt mentions doing now. But bridge mode on these consumer combo units is often not a true layer-two bridge. Some of them still do NAT in weird ways, they have small NAT tables that choke under load, and they introduce a hop you don't need.
The "bridge mode that isn't really a bridge" problem. I've seen this on a few consumer devices. It's bridge mode the way supermarket sushi is sushi. Technically meets the definition. Spiritually, something else entirely.
And when you're running OPNsense or pfSense or any real firewall appliance, you want the ONT to hand you a public IP directly on your WAN interface, with zero interference. No double NAT, no hidden stateful packet inspection, no tiny connection tracking tables that fall over when you're running torrents or a VPN server or anything that opens a lot of concurrent sessions.
Tier one is the combo unit in compromise mode. What's tier two?
Tier two is what the prompt is actually asking about — a standalone ONT, sometimes called a "fiber modem" or "GPON terminal." Bezeq, for example, has deployed standalone ONTs in business installations and occasionally in residential setups when specifically requested. The most common model I've seen referenced is the ZTE ZXHN F600 series, or similar compact ONTs that are essentially just a media converter. Fiber in, gigabit Ethernet out. No routing, no Wi-Fi, no DHCP server. It takes the optical signal, hands you Ethernet with your public IP on it, and that's the end of its job.
The ISPs actually sell these or provide them?
They provide them, but this is where the conversation gets tricky. The technicians who do residential installs are not necessarily familiar with standalone ONTs. Their van is stocked with the all-in-one units. Their tablet has a workflow for the all-in-one unit. The standalone ONT may require a different provisioning process on the backend. So even if the ISP officially supports it — and they do, because they use these for business customers — getting one in a residential install often means escalating past the first line of support.
It's not a technical limitation. It's a process and training limitation. The glass can do it. The equipment exists. The ISP owns it. But the residential install workflow is a conveyor belt that only handles one shape of box.
And this brings us to tier three, which is worth mentioning even though it's probably overkill for the use case in the prompt. Tier three is where you get a business-grade ONT that also supports a static IP block, SLA-backed uptime, and potentially symmetric speeds — because GPON is asymmetric by default. The standard GPON split is something like two point five gig down and one point two five gig up, shared across up to sixty-four subscribers on the same splitter. Business services sometimes offer dedicated splits or XGS-PON, which is symmetric at ten gig. Bezeq Business and Partner Business both offer these, but they come with contracts, higher monthly fees, and minimum terms. Not what a home user with OPNsense needs.
Unless you're running a homelab that's gotten completely out of hand, which — I feel seen, honestly. But for the actual prompt here, the sweet spot is tier two. The standalone ONT. So let's talk about the conversation you need to have with the ISP to actually get one.
The key is to use the right terminology so you get routed to someone who understands what you're asking for. When you call the ISP's support line, the first person you reach is reading from a script. If you say "I want a modem, not a router," they'll tell you the combo unit is a modem. Which it is. It's just also everything else. So you need to be more specific.
What's the phrase that actually works?
The phrase is "standalone ONT in bridge mode" or "ONT that outputs raw Ethernet with a public IP." You can also say "fiber terminal only, no router, no Wi-Fi." But the magic words that tend to get you escalated to someone who knows the equipment catalog are usually: "I need the same setup you'd give a business customer who's bringing their own firewall." That last part — "bringing my own firewall" — signals that you know what you're doing and that the all-in-one won't work for you.
That's good. It frames the request as a known use case rather than a weird edge case. "I'm doing what businesses do" is a much easier sell than "I have Opinions about network architecture."
And when you do get to the right person — typically a technical support tier two or a business sales rep who handles sole proprietorships — you can ask specifically: do you have a standalone GPON ONT like the ZTE F600 or equivalent? Can you provision it to hand off a public IP via DHCP or static assignment, with no NAT, no firewall, no DHCP server on the ONT itself? And can the technician test that my equipment gets the public IP directly before they leave?
That last point is important. If the tech leaves and your OPNsense box isn't getting an IP, you're stuck.
It's critical. And here's a detail that trips people up. In many Israeli fiber deployments, the WAN connection uses DHCP — your router gets a public IP via DHCP from the ISP's network. But some ISPs use PPPoE over the fiber connection. Bezeq, for instance, has historically used PPPoE on some of their fiber plans, though they've been moving toward DHCP in newer deployments. Partner Fiber tends to use DHCP. Hot Fiber also DHCP, with some variation by region. You need to know which one your ISP uses, because your OPNsense WAN interface needs to be configured accordingly.
If it's PPPoE, you need the credentials. Which the ISP should provide, but sometimes the tech doesn't have them handy because the all-in-one comes pre-provisioned with them baked in.
The combo unit has the PPPoE credentials embedded in its firmware or auto-configured via TR-069 — that's the remote management protocol ISPs use to configure CPE. A standalone ONT doesn't do PPPoE. It just bridges. So your firewall has to initiate the PPPoE session. You need the username and password. And the ISP's support staff might not immediately know what you're talking about when you ask for them, because in the standard residential workflow, nobody ever sees those credentials.
"Just give me the PPPoE credentials" — and then silence on the line. I've had that exact silence. It's the sound of someone scrolling through a knowledge base article that doesn't exist.
The workaround is to ask for "the PPPoE username and password for manual router configuration." That phrasing sometimes triggers the right script. Alternatively, if you have the combo unit already and it's working in bridge mode, you might be able to extract the credentials from its web interface or configuration backup. Some ISP devices let you view the PPPoE password in the WAN settings page, though others hide it behind asterisks and disable the inspect-element trick.
To summarize the configuration side: you get the standalone ONT installed, it gives you an Ethernet handoff, you plug that into your OPNsense WAN port, and then you either set the WAN interface to DHCP or configure PPPoE with the credentials the ISP gave you. And then your firewall gets the public IP directly. No double NAT, no bridge mode compromises, no hidden limitations.
That's the ideal setup. And I want to emphasize — this is not exotic. This is how basically every business with more than five employees connects to fiber in Israel. The ISPs do this every day. The challenge is purely about getting the residential support pipeline to route your request to the right team.
Let's talk about the renter-specific part of the prompt. Can the ISP put a second fiber point in a different room?
This is a more complicated question than it sounds, because "a second point" can mean two very different things. Option one: you want a second Ethernet jack in another room, connected back to wherever the ONT or router lives. That's not really an ISP job — that's an electrician or low-voltage cabling job. The ISP is responsible for getting the fiber to one point inside your apartment. Everything after the ONT is your network.
Some ISPs will do it if you ask and pay for it. Bezeq, for instance, has historically offered internal wiring services, though the quality and willingness vary enormously depending on which technician shows up.
They do, but here's the thing about renting in Israel. Most rental contracts say you need the landlord's permission for any structural modifications, and running Ethernet through walls counts. If you're not allowed to drill, you're looking at surface-mounted cable channels or flat Ethernet cables that run along baseboards. It works, but it's not elegant. Some technicians will do it, some won't touch it because they don't want the liability if the landlord complains.
Then there's option two, which I think is what the prompt might really be getting at. A second fiber point. As in, another ONT, another fiber drop, another active connection in a different room.
That's effectively a second fiber subscription. The GPON splitter that serves your building or neighborhood has multiple ports, and in theory, yes, the ISP could run a second fiber drop to a different room and provision a second ONT. But you'd be paying for a second internet plan. It's not an extension — it's a separate service. For a renter who wants wired connectivity in a room far from where the fiber enters, the much more practical approach is to either run Ethernet yourself, use MoCA if the apartment has coax outlets, or deploy a mesh system with wired backhaul if you can get one Ethernet cable to a central location.
MoCA is underappreciated. If your apartment has cable TV outlets in multiple rooms — and a lot of Israeli apartments do, even if nobody uses them anymore — you can get gigabit-speed Ethernet over that coax. It adds a bit of latency, but for most use cases it's invisible.
MoCA two point five adapters can do two and a half gigabit with latency in the single-digit milliseconds. It's good. And for a renter, it's the least invasive option — you're using existing wiring, no drilling, no cables along the floor. Just plug in an adapter at each end and you have a wired backhaul for your access points.
The practical answer to the second-point question is: the ISP probably won't give you a second fiber drop without it being a whole new account, and even then it might not be in the room you want. The real solution is internal wiring, and MoCA is the renter's best friend if coax is available. If not, flat Ethernet and cable channels.
One more option worth mentioning: powerline adapters. I'm generally not a fan because Israeli electrical wiring is inconsistent — some apartments get great speeds, some get terrible speeds, and it depends on which circuits the adapters are on. But if MoCA isn't available and you can't run Ethernet, it's worth trying. Just buy from somewhere with a good return policy.
Powerline is the "maybe it'll work, maybe it won't, let's find out together" solution. It's the network equivalent of adopting a feral cat.
Not entirely unfair. But let's circle back to something I think is important for anyone going down this path. When you're running your own firewall and access points behind a standalone ONT, you're taking on responsibilities that the ISP normally handles. If your internet goes down, the ISP's remote diagnostics will see the ONT as online — because it is — and they'll conclude the problem is on your end. You need to be prepared to troubleshoot your own equipment.
That's the trade-off. You're trading the ISP's support umbrella for control. For someone running OPNsense, that's probably a trade they've already made peace with. But it's worth being explicit about. When the ISP says "we've run our tests and everything looks fine on our end," you need to be able to say "I've checked my firewall logs, I've tested with a laptop directly connected to the ONT, and here's what I'm seeing."
That direct-to-ONT test is your most powerful diagnostic tool. If you plug a laptop directly into the standalone ONT's Ethernet port and you get a public IP and internet access, the problem is your firewall or something behind it. If you don't, the problem is the ONT or the fiber or the ISP's network. Having that clean demarcation point is actually one of the hidden benefits of the standalone ONT setup — there's no ambiguity about where the ISP's responsibility ends and yours begins.
The demarc is clean. With the all-in-one in bridge mode, there's always this gray zone where you're not sure if the combo unit is doing something weird. Did it lose bridge mode after a firmware update? Is its NAT table full even though it's supposedly bridged? With a pure ONT, it's either passing Ethernet or it isn't.
Let me lay out what a typical successful setup looks like, end to end, for someone following this path. Step one: you call the ISP, use the phrases we discussed, get escalated to someone who knows the equipment. Step two: you confirm they can provide a standalone GPON ONT — a ZTE F600 or equivalent — and you ask whether your connection uses DHCP or PPPoE. If PPPoE, you get the credentials. Step three: the technician arrives, installs the ONT, and you test it with a laptop before they leave. Step four: you connect your OPNsense WAN port to the ONT, configure DHCP or PPPoE, and you're online with a public IP on your firewall. Step five: your access points and switches hang off the LAN side of OPNsense, and you have full control over your network.
Step six: you resist the urge to check your latency and packet loss stats every five minutes because now you can actually see them.
That's the curse of visibility. Once you have a real firewall with proper monitoring, you become acutely aware of every microsecond of jitter. It's a burden.
Speaking of visibility — one thing that sometimes catches people off guard with a standalone ONT setup is that the ISP loses remote management of your router. With the all-in-one, they can push firmware updates, change settings, and sometimes even reboot your device via TR-069. With your own firewall, they can't touch it. That's the point, of course, but it means you're responsible for keeping your OPNsense updated and secure.
From the ISP's perspective, this is why they prefer the all-in-one. It reduces their support costs. When every customer has the same device running the same firmware, troubleshooting is predictable. When a customer shows up with their own firewall, the support script breaks. That's why framing it as "I want the business setup" works — business support teams are trained for this variability.
There's also a pricing question that the prompt didn't ask but that's probably relevant. Does getting the standalone ONT cost more?
Usually not for the hardware itself — the ONT is part of the installation, same as the combo unit would be. But some ISPs charge an installation fee for non-standard setups, and you might find yourself paying a "professional installation" fee instead of the free standard install. Bezeq has been known to waive it if you're firm but polite. Partner and Hot are case by case. The key is to get confirmation of any fees before the technician shows up.
If the first person you talk to can't confirm, get a reference number for the call and ask to be transferred to someone who can. The "I was told there would be no additional charge" conversation with a technician standing in your living room is not a conversation you want to be having.
That's just good life advice, honestly. Get it in writing. But let me address one more technical detail that's specific to GPON in Israel. The fiber that comes into your home — that single strand — carries both downstream and upstream on different wavelengths. Downstream is 1490 nanometers, upstream is 1310 nanometers. If there's also RF overlay for cable TV, which Hot Fiber uses, there's a third wavelength at 1550 nanometers. The ONT handles separating these. When you're using a standalone ONT, you don't need to think about any of this — it just works. But it's worth knowing because it explains why you can't just plug a generic SFP GPON module into your switch and call it a day. The SFP module would need to be on the ISP's whitelist, and it would need to be configured with the right serial number and provisioning data.
ISPs in Israel are not in the business of whitelisting customer-provided SFP modules. That's a nonstarter for residential service. Some business plans might allow it, but for the use case we're talking about, the standalone ONT is the practical ceiling of what you can reasonably ask for.
The standalone ONT is the right tool for this job. It's available, it's supported, and it cleanly separates the ISP's responsibility from yours. The challenge is purely about navigating the ISP's support structure to get it.
To wrap up the how-to part of this: when you're framing the conversation with the ISP, you're not asking for something weird. You're asking for the business customer setup. You want a standalone GPON ONT that outputs Ethernet with a public IP. You're bringing your own firewall. You need to know if it's DHCP or PPPoE, and if PPPoE, you need the credentials. The technician should test with a laptop before leaving. And for the second room question — that's an internal wiring problem, not an ISP problem, and MoCA over existing coax is probably the cleanest solution for a renter.
That's the summary. And I'll add one thing: don't let the ISP talk you into the all-in-one "just for now" with the promise that you can switch later. The provisioning change from combo-unit-in-bridge-mode to standalone-ONT is a backend process that might require a truck roll. It's better to get it right from the start.
The "we'll fix it later" promise from an ISP. I'd rank that somewhere between "the check is in the mail" and "I'll still respect you in the morning."
Somewhere in that neighborhood, yes. But to be fair to the ISPs, once you do get the standalone ONT installed, it tends to be rock solid. These devices are simple. They have one job. They don't have Wi-Fi radios to misbehave, they don't have routing tables to fill up, they don't have firmware updates that reset your bridge mode setting. They just convert light to Ethernet and sit there for years.
The elegance of doing one thing well. It's the Unix philosophy in hardware form.
That's really what this whole setup is about. You're removing unnecessary complexity. The all-in-one is a compromise designed for the broadest possible user base. It does everything adequately and nothing exceptionally. When you split the functions — ONT here, firewall there, access points over there — each component can be excellent at its specific job.
There's a broader point here about how ISPs think about their customers. The default assumption is that you want the internet to be like electricity — you flip a switch and it works, and you never think about voltage or amperage or phase. That's fine for most people. But there's a growing segment of users who want to be able to see the panel, flip the breakers, and choose their own wiring. The ISPs are slowly catching up to the idea that "prosumer" networking isn't just a business thing anymore.
The pandemic accelerated this massively. Suddenly everyone had a home network that mattered. Video calls, remote work, kids doing school online. The difference between a good network and a bad one became painfully obvious. And a lot of people who'd never thought about networking before found themselves researching access points and mesh systems and wondering why their ISP's combo unit couldn't handle thirty devices without choking.
The ISP combo unit is the beige Corolla of networking. It'll get you there. You won't enjoy the ride. And if you try to put a trailer hitch on it, it'll buckle.
That's a generous comparison. I'd say it's more like the plastic spork of networking. It technically performs multiple functions, but it does none of them well enough that you'd choose it if you had other options.
A spork that occasionally needs to be rebooted for no discernible reason.
The inexplicable monthly reboot. A universal constant of consumer networking equipment. But on that note — one of the quiet benefits of the standalone ONT plus OPNsense setup is uptime. OPNsense on decent hardware will run for months or years without a hiccup. The ONT itself is a solid-state device with no moving parts and minimal software. The days of "have you tried turning it off and on again" become a distant memory.
Until the power goes out, at which point your UPS starts beeping and you remember that you're still subject to the laws of physics.
That's a separate problem. But that's also why you have a UPS.
Look at you, assuming I have a UPS.
You run OPNsense. You have opinions about GPON wavelengths. You have a UPS.
...fair.
Let's touch on something we haven't addressed yet. What if the ISP simply refuses to provide a standalone ONT for a residential connection? Some support reps will just say no, it's not available, end of conversation. What's the escalation path?
First, ask to speak to a supervisor. The phrase "I understand this isn't the standard residential setup, but I know this equipment exists because you use it for business customers" tends to reset the conversation. Second, if the phone support is a dead end, try the ISP's business sales line. Explain that you're a sole proprietor working from home and you need a business-grade handoff. You might end up on a slightly more expensive plan, but the difference is often small — sometimes as little as twenty or thirty shekels a month — and it unlocks the right equipment and support tier.
That's a good strategy. The "I work from home and my employer requires a direct Ethernet handoff" angle also works. It frames the request as a requirement rather than a preference, and support staff are trained to accommodate business requirements even on residential accounts.
The "my employer requires it" is the networking equivalent of "my doctor says I need this." It short-circuits the script.
It's often true. A lot of employers do have VPN requirements or security policies that don't play nicely with double NAT or consumer router firewalls. If you're connecting to a corporate VPN through OPNsense, you do need a clean public IP and an unfiltered connection.
One more thing about the rental situation. The prompt mentions being a renter and wanting a second point in a different room. We talked about the technical options, but there's also a landlord-negotiation aspect. If you're willing to pay for professional low-voltage cabling — and you present it as an improvement to the apartment — some landlords will approve it. A properly installed Ethernet jack in a bedroom or home office is a value-add for the next tenant.
If you frame it as "I'd like to add an Ethernet port, I'll pay a licensed electrician to do it properly, it'll increase the apartment's value" — some landlords will say yes. Get the approval in writing, though. WhatsApp message at minimum. And take photos of the before and after so there's no dispute when you move out.
The WhatsApp approval is the renter's shield. "You said I could" in a message thread has saved more security deposits than any amount of spackle and paint.
Spackle and diplomacy. The twin pillars of renting.
To land this: the standalone ONT exists, it's the right tool for someone running their own firewall, and getting it is mostly a matter of knowing what to ask for and being persistent. For the second room, MoCA is the elegant solution, Ethernet over coax using wiring that's probably already there. And if that's not available, flat cables and cable channels, or a professional electrician if the landlord approves.
I'll add one final thought. The fact that we're even having this conversation — that someone with a home firewall appliance has to strategize about how to get a basic fiber-to-Ethernet bridge from their ISP — says something about where the consumer networking market still is. The ISPs have built their entire residential service model around the assumption that you don't know what an IP address is. For the growing number of people who do know, and who want to control their own network, the process is still harder than it needs to be.
It's the "we know what's best for you" model. And to be fair, for most of their customers, they're right. The all-in-one is fine for streaming Netflix and checking email. But the prompt comes from someone who's running OPNsense. That's not the average user. And the ISPs do have the right equipment — they just need to be reminded that it exists and that residential customers can use it.
The equipment is there. The knowledge is there. It's just in the wrong department.
Story of modern customer service, really.
Now: Hilbert's daily fun fact.
Hilbert: In the ancient Nepalese kingdom of the Kirat dynasty, around 400 BCE, it was believed that wrestling a bear coated in mustard seed oil would transfer the animal's strength to the wrestler. The bears, unfortunately, were not consulted on this arrangement.
...right.
This has been My Weird Prompts. Thanks to our producer Hilbert Flumingtop. If you enjoyed this episode, leave us a review wherever you get your podcasts — it helps other people find the show. I'm Herman Poppleberry.
I'm Corn. Back with more soon.