Hacking, Code & Open Source Reads

Why Your Router Cannot Just Switch ISPs

Christian Lehnert, 2026-04-30, ~7 min read

The folk theory of "switching ISP" is that you cancel one contract, sign another, plug a different cable into the same router, and carry on. This works exactly never. It does not fail at the IP layer. It does not fail at PPP. It fails at the silicon, and it fails again at the certificate store, and it fails a third time at the operator's provisioning database — three independent boundaries before any packet ever reaches a routing table.

What follows is the autopsy, layer by layer, across the three access technologies you are likely to meet in Europe: VDSL2 on copper, DOCSIS 3.1 on coax, and GPON / XGS-PON on fibre. The point is not that one is better. The point is that they are not interchangeable, and pretending otherwise costs you a router and a weekend.

Layer 1: three different physical worlds

A "router" labelled for one access technology contains a transceiver — a physical-layer chip — designed to talk to that technology and no other. Swap the cable, and you are firing the wrong waveform at the wrong receiver.

VDSL2 runs DMT (Discrete Multi-Tone) on a single twisted-copper pair. Its modern incarnations are profile 17a — using the spectrum up to 17.664 MHz, ~100/40 Mbit/s — and profile 35b (also called Vplus / Supervectoring), which extends the band to 35.328 MHz for ~300/50 Mbit/s on short loops. Both rely on G.993.5 vectoring, which kills far-end crosstalk between pairs in the same cable bundle by precomputing inverse interference per line. Vectoring's price: every pair in the bundle has to terminate on the same DSLAM, because the maths can only cancel what it can see. This is also why local-loop unbundling is, in the strict sense, incompatible with vectoring deployments — and why your VDSL CPE only works on the operator who owns the cabinet.

DOCSIS 3.1 runs OFDM downstream and OFDMA upstream on a hybrid fibre-coax (HFC) plant. The cable modem is a tuner-and-amplifier shooting into a shared RF bus on which dozens or hundreds of other modems also sit, time-division-multiplexed by the CMTS (Cable Modem Termination System) at the head-end. The PHY chip is fundamentally different from a DSL transceiver: think tuner front-end and DAA-style upstream burst transmitter, not DMT modem.

GPON is a passive optical network: one fibre out of the OLT (Optical Line Terminal) at the central office is split passively — typically 1:32 or 1:64 — to that many ONUs/ONTs at customers. Downstream is broadcast at 2.488 Gbit/s (1490 nm); upstream is TDMA-multiplexed at 1.244 Gbit/s (1310 nm), with each ONU granted timed transmit windows so its bursts arrive at the OLT without colliding with anyone else's. The CPE is an optical transceiver with burst-mode laser drive — there is no electrical PHY here at all.

A box engineered for one of these has the wrong silicon for the other two. Universal SoCs exist (the Broadcom BCM63158 famously combines G.fast/xDSL/GPON on a single die), but vendors populate one PHY path per SKU because the analogue front-end, optics, and RF stages are mutually exclusive on the PCB.

Layer 2: three different ways the network learns who you are

Suppose, for the sake of argument, you got the right PHY. You still have to register.

VDSL2 registers the line, not the box. Authentication happens implicitly — the copper pair lands on a specific DSLAM port assigned to a subscriber. On top of that physical fact, the operator usually layers PPPoE (or IPoE) over a tagged Ethernet/ATM transport. Move the pair, change the cabinet, and the line identity changes; the CPE is incidental.

DOCSIS is the most cryptographically rigorous of the three. Every cable modem ships with a device certificate — an X.509 certificate burned in at manufacturing, with the modem's MAC address and serial number in the subject DN, signed by the manufacturer's CA, which in turn chains to the CableLabs DOCSIS Root CA (or, historically in Europe, the Excentis-managed EuroDOCSIS root). On registration, the modem presents its cert chain to the CMTS via BPI+ (Baseline Privacy Interface Plus); the CMTS validates against its installed root, and only then negotiates session keys for encrypted traffic. DOCSIS 3.1 introduced a second-generation PKI with stronger keys, and modern modems carry both sets of certificates so they can register on legacy and current head-ends. The takeaway: a DOCSIS modem the operator's CMTS does not trust does not get on the network. Period.

GPON authenticates the ONU at the optical layer. During the activation state machine — the famous O1 → O2/O3 (Standby/Serial-Number) → O4 (Ranging) → O5 (Operation) sequence specified in ITU-T G.984.3 — the OLT discovers the ONU's PON serial number (a four-character ASCII vendor ID followed by an eight-hex-digit device ID, e.g. HWTC12345678) via PLOAM messages. The OLT compares the SN against a list of expected ONUs configured by the operator's NMS. Optional credentials layered on top: a PLOAM password, a Logical ONU ID (LOID), or SN+Password. Once authenticated, the OLT opens an OMCI channel (ONU Management and Control Interface, ITU-T G.988) and pushes the service profile into the ONU's MIB — VLANs, T-CONTs, GEM ports, IGMP, voice, the entire thing. The ONU does not configure itself. The OLT configures it, on every boot, over OMCI. This is why GPON CPE swaps require either an ONU pre-registered by the new operator or — more commonly in the wild — cloning the previous ONU's serial number, vendor ID, and PLOAM password into the replacement, which is precisely what the SFP-stick-ONU community does for sport.
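The OLT-side comparison described above, sketched as an added example (not code from the original article or from any vendor's OLT): it parses the serial number in its text form or in the 8-byte wire form, then checks it against a constructed allowlist in SN-only and SN+Password modes. The allowlist schema, the `TEST` vendor ID, the passwords and the function names are assumptions, and the PLOAM exchange is collapsed into a single decision.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Text form: 4 ASCII vendor-ID characters + 8 hex digits, e.g. HWTC12345678.
# Restricting the vendor ID to A-Z/0-9 is an assumption of this sketch.
SN_RE = re.compile(r"([A-Z0-9]{4})([0-9A-Fa-f]{8})")


def parse_serial(sn: Union[str, bytes]) -> Tuple[str, str]:
    """Return (vendor_id, device_id) from the text form or the 8-byte wire form."""
    if isinstance(sn, (bytes, bytearray)):
        if len(sn) != 8:
            raise ValueError("wire-form serial must be 8 bytes")
        # 4 ASCII bytes of vendor ID, then 4 raw bytes shown as 8 hex digits.
        sn = bytes(sn[:4]).decode("ascii") + bytes(sn[4:]).hex()
    m = SN_RE.fullmatch(sn)
    if not m:
        raise ValueError(f"malformed PON serial: {sn!r}")
    return m.group(1), m.group(2).upper()


@dataclass
class Provisioned:
    """One expected-ONU entry as an NMS might store it (hypothetical schema)."""
    mode: str                        # "sn" or "sn+password"
    password: Optional[bytes] = None


# Constructed allowlist: serials and password are invented for illustration.
EXPECTED = {
    ("HWTC", "12345678"): Provisioned("sn"),
    ("TEST", "0A1B2C3D"): Provisioned("sn+password", b"constructed"),
}


def admit(sn: Union[str, bytes], password: bytes = b"") -> str:
    """Decide whether a discovered ONU matches what the operator provisioned."""
    try:
        key = parse_serial(sn)
    except ValueError:               # also covers non-ASCII vendor bytes
        return "reject: malformed serial"
    entry = EXPECTED.get(key)
    if entry is None:
        return "reject: serial not provisioned"
    if entry.mode == "sn+password" and not hmac.compare_digest(
            entry.password or b"", password):
        return "reject: bad PLOAM password"
    return "admit"
```

In `sn` mode the only input to the decision is the serial number the ONU itself announces; `sn+password` mode adds a second value that the OLT compares in constant time.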

Layer 3: the binding is operator-specific by design

Stack the three layers and the picture sharpens. The CPE is bound to the operator at:

  • Layer 1, by which transceiver silicon was soldered to the board;
  • Layer 2, by what credential the access network expects to see at registration;
  • Layer 3+, by the configuration the operator pushes down — DSL profile and rate cap on a DSLAM line card; CMTS DOCSIS config file delivered via TFTP at registration; OMCI MIB on a GPON ONU.

None of these three layers is software. Or rather: the software exists, but on the operator's side of the link, controlling a piece of physical infrastructure you do not own. Your CPE is the supplicant. The network is the gatekeeper. Switching ISPs means convincing a different gatekeeper, with a different challenge protocol, on a different physical medium.

This is why European "router freedom" rules — Germany's Routerfreiheit (TKG §41b), the corresponding regulations elsewhere — only ever refer to the post-modem router. The modem, the ONU, the DOCSIS gateway: those remain effectively operator-bound, because the operator-side state cannot be eliminated by legislation. You can put your own router behind the operator's box. You cannot replace the operator's box with a GPON ONU minted for somebody else and expect it to come up.

The challenge

So before the next "I'll just switch providers and keep the hardware" temptation:

  • Which PHY does your existing CPE actually contain — DSL transceiver, DOCSIS tuner, or PON optics? (The new operator's access medium is what your next box's silicon must match. Not approximately. Exactly.)
  • What credential does the new operator's access network require — a PPPoE username, a CableLabs-rooted device cert, or a registered PON serial number? Do you possess one?
  • Is the provisioning surface (DSL profile, DOCSIS config file, OMCI MIB) something the operator pushes to your hardware over a channel you cannot disable, or have you misclassified your "router" as a device you control?

If the honest answer to that last question is "I had not thought about it," you do not have a connectivity problem. You have a layering problem. Fix the model first. The cabling will follow.

Further reading

  • ITU-T G.993.2 (VDSL2), G.993.5 (vectoring), G.984.x (GPON), G.987.x (XG-PON), G.988 (OMCI)
  • DOCSIS 3.1 Security Specification (CM-SP-SECv3.1) and the CableLabs DOCSIS PKI documentation — cablelabs.com/resources/docsis-pki
  • Excentis, Certificates and different PKIs in DOCSIS 3.1, excentis.com
  • Hack GPON, ONU activation state machine — hack-gpon.org
  • Broadband Forum OB-BAA, ONU Authentication Function, obbaa.broadband-forum.org
  • DTAG / Supervectoring 35b — engineering background on profile 35b and FEXT cancellation