Taking Control: Completely Removing My Dhiraagu Router

Posted March 17, 2026 · 7 min read
networking
ont
homelab

TL;DR — I replaced the Dhiraagu ONT/router combo with a GPON SFP module and a firewall running OPNsense, removing all ISP hardware from my network entirely.

The Origin Story

Growing up, as many of you from the Maldives might relate, I had terrible internet - overpriced and sub-par.

Back when I was a kid and used to play games like Call of Duty: Modern Warfare and Black Ops, I would almost always have the worst connection in the lobby. My ping would always be red (1 bar), and if I was lucky, it would be yellow (2 bars). Meanwhile, it wasn’t uncommon for me to see other Maldivians enjoying a smoother connection with 3 green bars, and sometimes even 4.

At the time, I didn’t complain much. Just being able to play games at all felt like a privilege.


But as I got older, I started noticing something strange. Whenever I checked my connection on my PlayStation, it would say things like “NAT Type 2” or “NAT Type 3.”

I just knew that Type 1 was the best, which I was never able to achieve — not that I knew what that meant.

This was back when we had ROL, 16 years back, but this didn’t change when we switched to Dhiraagu. Our setup had two separate devices — one box that brought in the internet, and another that shared it around the house. It worked, but clearly not very well.

The NAT Problem

I would spend hours on the internet trying to figure out how to fix this connection. One thing I read is that having too many devices between the connection to my console could be a reason for this. I tried everything — UPnP, port forwarding, DMZ — even though I didn’t really know what I was doing.

Even after our internet was upgraded from a painfully slow 2 Mbps to a much faster 100 Mbps connection, the issues didn’t fully go away. Games would still struggle to connect, and sometimes I’d see messages like:

NAT TYPE: Closed or Moderate

As a kid, I always thought the solution was pretty simple — my parents obviously had to buy an expensive gaming router for me. But that never happened. Heck, I could never find a router that would take in a connection for the fiber so that I could have one device to do everything.

The Search for a Solution

Even after moving on from console gaming to PC gaming, the question really never left me.

Could I have really done better? Why does the internet have to go through 2 boxes just for it to work?

I always had the thought — what if I could completely remove the ISP’s devices and run everything myself? Obviously back then this was more of a childish thought, mostly driven by my frustration of bad pings in games.

Enter the SFP ONT

Much much later, when I had a better understanding of computer networks, I decided to revisit this curiosity. I remember stumbling across a YouTube video throughout my research that did exactly what I wanted. It was specifically this one

I didn’t understand 90% of what he was talking about. But from that video, I knew that what I was trying to achieve was possible — and that is when I knew I would get this done eventually.


I started learning about optics and how the fiber world works — FTTX, OLTs, and everything in between. How authentication works, and how data actually gets from my ISP to my home.

So after I was done with uni and got my own internet, I went ahead and bought an SFP ONT module which cost around 1000 MVR with a media converter, and tried to figure out how to get this working.

Key Internet Infrastructure Terms

PON (Passive Optical Network) is a type of fiber optic network used by ISPs to deliver internet to multiple users from a single fiber. It’s the means of bringing WAN to your home.

The key components:

| Component | What It Does |
|---|---|
| OLT - Optical Line Terminal | The ISP-side gateway that connects their network to yours |
| Splitter | Splits a single fiber from the OLT into multiple fibers, one for each household |
| ONT - Optical Network Terminal | Converts optical signals into electrical (1s and 0s) |
| Router | Provides routing between hosts |
| Switch | Provides more physical ports to the local network |
| Access Point | Wireless connectivity into the local network |

The “router” provided by Dhiraagu is actually a combination of all of the last 4 in one locked-down Huawei box — and none of it is easily modifiable.

The splitter splits the fiber signal across multiple fibers (up to x32), each of which goes into a different home. Downstream (ISP -> Home), PON packets are broadcast to all of the PON subscribers, but are only readable by the intended recipient. Upstream (Home -> ISP), each ONT has an allocated time slot which it can use to send traffic upstream, as otherwise the signals would collide with each other at the splitter.

This is why rogue ONTs are especially harmful to the whole PON subscription area. If one ONT tries to use a time slot allocated to another ONT, there would be collisions upstream as they share one fiber to the OLT. This is one reason why I would advise against doing something like this if you aren’t aware of what you’re doing.
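A simplified model of the upstream time-slot sharing described above, added here as an example and not part of the original post: it compares the bursts seen on the shared fiber with the grants the OLT handed out, and reports which ONT transmitted outside its slot and whose traffic it collided with. The ONT names, time units and sample frames are constructed, and real GPON framing is far more detailed than this.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Window:
    ont: str    # ONT identifier (constructed for this example)
    start: int  # first time unit of the window within one upstream frame
    end: int    # one past the last time unit

def overlaps(a, b):
    return a.start < b.end and b.start < a.end

def audit_frame(grants, bursts):
    """Compare bursts observed on the shared fiber with the OLT's grants.

    Returns (rogue, collisions, victims):
      rogue      - ONTs that sent outside their grant, or had no grant at all
      collisions - pairs of ONTs whose bursts overlapped in time
      victims    - ONTs that kept to their slot but were still hit
    """
    grant_by_ont = {g.ont: g for g in grants}

    def in_grant(b):
        g = grant_by_ont.get(b.ont)
        return g is not None and g.start <= b.start and b.end <= g.end

    rogue = sorted({b.ont for b in bursts if not in_grant(b)})
    collisions = sorted(
        (a.ont, b.ont)
        for i, a in enumerate(bursts)
        for b in bursts[i + 1:]
        if a.ont != b.ont and overlaps(a, b)
    )
    victims = sorted({o for pair in collisions for o in pair} - set(rogue))
    return rogue, collisions, victims

# Constructed grant map: three homes behind one splitter, with guard gaps.
GRANTS = [Window("ont-A", 0, 100), Window("ont-B", 110, 200),
          Window("ont-C", 210, 300)]
# Constructed frames: one where everyone keeps to its slot, one where ont-C
# transmits early and lands on top of ont-B's slot.
CLEAN = list(GRANTS)
FAULTY = [Window("ont-A", 0, 100), Window("ont-B", 110, 200),
          Window("ont-C", 150, 260)]

if __name__ == "__main__":
    print(audit_frame(GRANTS, CLEAN))
    print(audit_frame(GRANTS, FAULTY))
```

In the faulty frame the one mistimed ONT corrupts a neighbour that did nothing wrong, which is why a misconfigured module affects the whole splitter group and not just its owner.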

Fun fact: GPON (Gigabit Passive Optical Network) has a standard of 2.5G downstream but only 1.25G upstream — this is defined by the ITU-T G.984 standard, not hardware limits. This is why most ISP packages offer higher download than upload speeds. Above 1G, the protocol used — XGS-PON — supports 10G symmetric, so you’ll tend to see equal upload/download at the higher end of packages. (Obviously not in the Maldives though.)

Also, your connection isn’t just yours. The 2.5G bandwidth is shared with sometimes up to 32 other homes, so when everyone is online at the same time - especially during the night - speeds can dip because the connection upstream is getting saturated.

The SFP I bought replaces the ONT functionality only. It has the capability of authenticating to the PON network and can be assigned an IP address for management. From the management interface, you can set various authentication fields such as SN number, MAC Address, LOID/Password, Vendor ID etc. The fields actually used for auth vary depending on the ISP.

The Result

After configuring all the necessary fields, I successfully got my SFP ONT to authenticate with the OLT. I was connected at the PON level, but since I’m not using the Dhiraagu router, I still needed a device to handle routing and WAN authentication.

Dhiraagu uses a Layer 2 protocol called PPPoE for WAN authentication. I installed OPNsense — an open source firewall/router — on a spare computer and configured its interface with PPPoE. After that, I was able to successfully authenticate and obtain a public IP address.


Success. I have completely gotten rid of any ISP-provided hardware. Could I have just put the Dhiraagu router into bridge mode? Yeah, I could’ve, but that’s no fun.

What do I gain from this? I don’t know. I end up with an OPNsense firewall that I need to learn how to configure. Am I able to get a NAT Type: Open, or Type 1? I don’t know — I don’t even have a PlayStation now. But I’ve learned a lot about how the networking behind the internet actually works, so that’s something :)

If anyone wants more technical details on how this was done, you can read the technical guide here — Taking Control: Technical Guide to Replacing a Dhiraagu Router


Disclaimer: This was purely an academic exercise conducted in a controlled lab environment for educational purposes only. The Dhiraagu router is safely plugged in, exactly where it belongs, faithfully serving my home network as intended. I would never dream of replacing ISP-provided equipment. That would be wrong. I love my ISP-provided hardware.