Functional Home Gigabit with Century Link

TL;DR (skip to the part you care about and not my rambling in boredom)

I’ve been using Comcast (Xfinity) for my home Internet service since 2003; prior to that I lived in a house that had multiple T1s (back when megabits of home Internet was very rare). It is somewhat hard to imagine that in such a short period of time we went from hardwired home Internet being measured in kilobits to almost every mobile device we own being capable of sustaining 10s of megabits while roaming about.

I had been holding onto my Comcast Teleworker discounted ‘business’ Internet after leaving VMware, waiting for Google Fiber to come to town as Portland was supposed to be on the relatively near future roadmap and I was trying to avoid adding more unsightly aerial cabling to the exterior of my 110 year old house.  As neat as modern technology is, it doesn’t really go well with the architectural detail of an old craftsman home.  Since Google Fiber is now dead I decided to proceed with the next best option, Century Link.

I never thought I’d suggest that Century Link (formerly Qwest, formerly US West, aka US Worst) was a “best” option for anything. I worked for large national ISPs for my early career, and US Worst was always one of the most problematic carriers to deal with. I still have flashbacks about the escalations and yelling customers, but the best was when their tech and manager didn’t realize they were connected to voicemail while planning how they were going to lie to explain away their fault on a prolonged outage impacting several of our customers.

Fast forward to today, I ordered Century Link Gigabit to be delivered to my house. I had read many nightmare stories about this on Nextdoor but figured I’d go the lower risk route and order it online where I could have a paper trail; I tend to never sign up for a contract sold by a solicitor that knocks on my door. The order went smoothly online, and amazingly they were able to install less than a week later. The tech arrived at the beginning of the install window and spent much of the day running the fiber around our house to the only possible entry point.

What didn’t go well is that Century Link forces you to either buy or lease a “modem”, which is their name for a really crappy router.  The only thing special this “modem” does is it supports VLAN tagging on the WAN interface.  This router offers WiFi, but it only supports 802.11n at the fastest…you are reading correctly, you are required to buy a router that has a max wireless rate of around 100 megabit in order to buy gigabit service.

I had found a few blog posts online hinting at how to bypass their router by putting it into “transparent bridge” mode, but I didn’t see any reason to even power this crappy device. The tech hadn’t even finished cleaning up outside before I had converted back to using my Asus router; my 4-year old Asus readily blows away this brand new required POS.

How did I do it? It’s not so bad; there are a few blogs that you’d have to go to in order to get all of the hints, but they all leave out how to get the full thing working. I was able to get better service using my own router than using the one provided, especially when you include IPv6 in the comparison.

TL;DR start here

I’m not going to include screen shots of all of the steps, as I would like to believe that anyone tackling this can figure it out from the high level steps (and I am too lazy to turn the CL router back on in order to document it).  In my case the CenturyLink 2100T  ZyXEL C1100Z was what was “sold” to me against my wishes.

I assume you know what cables to plug into where on your router and that you know you would need to move the WAN link that comes from the ONT from the Century Link router to your own, so I won’t include that detail here.  

I have Internet *only*, if you are also subscribing to PrismTV there may be additional settings required.

Collect PPPoE Details

  1. Login to the web interface of your Century Link router
  2. Skip to the advanced configuration section
  3. Find the remote management portion, enable telnet (likely the only time you will ever hear/see me suggest to use telnet) and set a password
  4. Telnet to your router IP (likely 192.168.0.1) and login as admin with your set password
  5. Type:
    sh
  6. Press enter, you are now in a  busybox shell.
  7. Run the command:
    /usr/bin/pidstat -l -C pppd
  8. You will get an output string that includes the runtime values being used to configure PPPoE, the parts you care about will look something like this:
    pppd -u lastfirst@qwest.net -p TXlQYXNzd29yZAo= -f 0 -M 1492 -D 0 -n 1 -L 0 -e 1 -X 120
  9. You just need to capture username and the encoded password, the username is the “lastnamefirstname@qwest.net” string and the password is the string after the -p, “TXlQYXNzd29yZAo=” in my example (be sure to include the entire string, including the equal sign as in my example)
  10. You can perform the next step natively on a Mac or you would need to use Linux, I use a Mac so it is easy.  Open a terminal window (aka shell) and run the following command to decode the password:
    echo TXlQYXNzd29yZAo= | base64 --decode
  11. You should get a decoded password back, like this:
    ~# echo TXlQYXNzd29yZAo= | base64 --decode
    
    MyPassword
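
The lookup in steps 7 to 11 can be scripted. The following is an added example, not part of the original post: shell functions that pull the `-u` and `-p` values out of a pppd command line and decode the password, which also makes plain that the `-p` value is only base64-encoded, not encrypted. The function names and the sample line (built from the example values shown above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): extract the PPPoE username and
# password from a pppd command line as printed by pidstat on the router.

# Constructed sample line, using the example values from the steps above.
SAMPLE_LINE='pppd -u lastfirst@qwest.net -p TXlQYXNzd29yZAo= -f 0 -M 1492 -D 0 -n 1 -L 0 -e 1 -X 120'

# pppd_arg FLAG LINE: print the word that follows FLAG in LINE.
# Returns 1 if the flag is missing or has no value after it.
pppd_arg() {
    flag=$1
    shift
    set -f              # no globbing while the line is split into words
    set -- $*
    set +f
    while [ "$#" -gt 1 ]; do
        if [ "$1" = "$flag" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

pppoe_username() {
    pppd_arg -u "$1"
}

# Base64 is an encoding, not encryption: anyone who can read the process list
# on the router can reverse the -p value without a key.
# Returns 1 if -p is absent, 2 if the value is not valid base64.
pppoe_password() {
    encoded=$(pppd_arg -p "$1") || return 1
    decoded=$(printf '%s' "$encoded" | base64 --decode 2>/dev/null) || return 2
    [ -n "$decoded" ] || return 2
    printf '%s\n' "$decoded"
}

# Stand-alone run: paste the real line in place of SAMPLE_LINE.
printf 'username: %s\n' "$(pppoe_username "$SAMPLE_LINE")"
printf 'password: %s\n' "$(pppoe_password "$SAMPLE_LINE")"
```

Once the username and password are recorded, telnet remote management on the Century Link router has no further use for this procedure and can be switched back off.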

Congratulations, you now have the PPP info to configure your personal router.  You can proceed to configuring PPPoE on your router WAN link, the only other thing you need to know is that you must tag the WAN with VLAN 201.  On my router’s 3rd party firmware this is under the settings for IPTV.

Now you just need to configure your router, I will include screen shots to help you on this portion.  Your settings may be called something different than what is shown, but there should be a functional equivalent.  If you do not have the ability to configure VLANs on your router you have two options: install 3rd party firmware or just accept using the Century Link router in “transparent bridge mode” (as set on the WAN configuration under protocol settings).

Configure Your Router

On my Asus this is what I configured (obviously without quotes):

  1. WAN Connection Type: “PPPoE”
  2. PPPoE & MAN access: “DHCP or Static”
  3. Get MAN IP Automatically: “Enabled”
  4. PPP VPN Client Settings (PPPoE settings):
    1. Username: “lastnamefirstname@qwest.net”
    2. Password:  “MyPassword”
    3. Authentication Algorithm: “Auto”
    4. MTU: “1492”
    5. MRU: “1492”
  5. Ports Isolation and VLAN Filtering:
    1. Choose IPTV STB Port: “No”
    2. VLAN Tagged Traffic Filter: “Enabled”
    3. VLAN CPU (Internet): VID “201”, PRIO “0”
    4. VLAN CPU (IPTV):  defaults

That should get you up and running on the Internet, however I wanted IPv6 support as I use it for some work projects.

Configure IPv6

I tried to guess at this but realized the best plan was to reconnect the Century Link router, go into the advanced settings and enable the IPv6 network features and capture the details for re-use.  I don’t know how generic these values are, some of them could be region specific or they may use anycast addresses allowing them to be universal.  Based on the Century Link support pages I assume these are universal.

[Screenshot: Asus IPv6 settings]

You may need to reconnect your clients so that they get new DHCP info after making these changes, if you use static IPs on your workstations you will need to do your own magic to get them to also work with IPv6.  I use static IPv4 addresses on some devices, but just leave IPv6 configured for DHCP.

After making these changes I am able to score 19/20 on the IPv6 test, only lacking inverse DNS which I can’t do much about.  I did have to also enable “Respond Ping Request from WAN” on the firewall pages, as IPv6 requires more ICMP control messages than IPv4.

[Screenshot: IPv6 test results]

If you hit a wall you can drop a comment and I’ll try to fill in any details I missed.  If I end up swapping to a different router (e.g. something running pfSense) I will post an update, but the settings should be the same regardless; it is just a matter of translating them to a specific configuration nomenclature.


44 thoughts on “Functional Home Gigabit with Century Link”

  1. I’m also in Portland with CL fiber since September. I have a Tomato flashed Asus that I’m trying to use to replace it but not having much success so far. I contacted CL to get my PPPOE creds but the Asus just hangs in Connecting state forever. While trying to follow your instructions to decode the PPPOE credentials today, thinking maybe CL gave me the wrong ones, I didn’t even see a pppd proc running on the modem. I also noticed the modem was running IPOE and not PPPOE. I’m going to try and connect with IPOE in a bit. It’s interesting you’re also in PDX and on PPPOE. I would think we’re all set up the same.

    Regardless, your post has given me some things to try. I appreciate you taking the time to doc everything.

    1. Did you set the WAN VLAN to 201? They sold me the C1100z, which is way worse than the C2100. Either way they should both be using PPPoE, I was able to get it to work on ASUS routers with Padavan firmware, ASUS WRT firmware and Merlin firmware. The most important piece is the IPTV/WAN VLAN 201, nothing else will work without it…unless you leave the 2100T in place in transparent bridge mode, and then it is doing the VLAN piece.

      I’m not using the Century link hardware at all, I am 100% using only my hardware. Currently an ASUS N56U with padavan firmware on it.

      I am in NE Portland and might be able to lend a hand if you can’t get it.

      1. Ok so I just plugged the cat5 coming from the ONT to the wan port on the Asus (running Tomato). VLAN is set to 201. Changed the WAN connection settings on the Asus to plain old DHCP. Rebooted and it is magically working with the C2100T not on the wire at all. Eureka! 🙂

        I’m actually out by Mall205 so you’re likely not too far away. I am definitely not on PPPOE. Wondering if it’s because I was originally installed with Prism when I bought the house in August?

        Now I just have to figure out why my IPVanish/OpenVPN connection is so slow.

        Thanks again!

      2. Interesting. I will have to try not having PPPoE turned on, as it is the weak link in performance for a lot of routers. Glad to hear you got it working.

        I had been with Comcast since 2003, most of the time on a business line through work…when our hopes for Google Fiber went up in smoke I decided to try CL. $10 more per month for 20X the download and 100x the upload.

        One thing you can try is to login to your router through SSH and run ‘top’ while you test your VPN. Most routers don’t do encryption very well, some have very specific cryptographic offloads for specific types…otherwise you might just be maxing out the little CPU.

        I’m waiting for my new router (Mikrotik) to arrive as my old ASUS isn’t adequate anymore and the new one I bought was worse.

      3. I am guessing that you are getting IPoE instead of PPPoE due to having had Prism, which is interesting. I really wish I didn’t have the added overhead/complexity of PPPoE, however I can’t find any details for how I would get converted to native IPoE instead…I have seen discussions where even people with Prism had PPPoE. I don’t see Prism in my future, we cut cable almost 2 years ago and haven’t missed it. I did try out DirecTVNOW, which was entirely horrible and a waste of money and have since canceled it.

  2. Top results don’t show anything close to being capped except the nic.

    Mem: 49460K used, 206172K free, 268K shrd, 6356K buff, 15908K cached
    CPU: 1.5% usr 1.1% sys 0.0% nic 96.7% idle 0.0% io 0.0% irq 0.4% sirq
    Load average: 0.08 0.06 0.10 1/50 18388
    PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
    2001 1 root S 3460 1.3 0 0.0 /etc/openvpn/vpnclient1 --cd /etc/
    1949 1 root S 2820 1.1 0 0.0 httpd
    972 1 root S 1672 0.6 0 0.0 nas
    1049 1 root S 1672 0.6 0 0.0 nas
    2184 1 nobody S 1616 0.6 0 0.0 dnsmasq -c 4096 --log-async
    1 0 root S 1608 0.6 0 0.0 /sbin/preinit
    736 1 root S 1596 0.6 0 0.0 blink_5g

    Speedtest without the vpn running returns 100/50 while with it running I’m only getting 20/20ish. I tried servers in San Jose and Seattle. Both returned similar results. San Jose had faster ping times but only by a small margin.

    I picked up this Asus RT-AC68U off Craigslist last week. It was already flashed with Tomato and I was looking for a recent router with either tomato or DD-wrt. I already had an RT-N66W I’d bought when I was on Fibersphere. Oh how I miss them and Condonet. The downside of home ownership is you end up stuck with the worst ISPs..

    I work from home and CL seemed like the slightly lesser of the two evils.

  3. Thanks so much for all this information! I’ll be using this hopefully on my ASUS router (the 8 port version of the AC3100, AC88u) tomorrow after my fiber install and want to skip whatever modem CenturyLink will give me. I’m in Foster Powell so not far from Laura James, hoping for a nice, easy install in my old house. I do have one question, did you use hardware acceleration or NAT acceleration on your ASUS router? I know it is an option on the stock Asus firmware as well as the modified Merlin firmware that I’m using. Unsure of when they started to do that. I had trouble with it on my Comcast connection which is why I ask, it slowed everything down to a crawl for some reason. Thanks again!

    1. I did use HW accelerated NAT, though I was using different hardware. The new Asus I bought to test with was the RT-AC68U, but it was slower than my old RT-N56U so I returned the new one. My old RT-N56U offered more hardware acceleration than the 68U did, which is why it was faster…but still wasn’t fast enough for my wishes. I have since switched to another device entirely (Mikrotik) as I wanted hardware that would fully support the symmetrical gigabit speeds. The RT-AC88U is only tested to about 1406Megabits bidirectional traffic, which may be adequate for your needs: https://www.smallnetbuilder.com/wireless/wireless-reviews/32910-asus-rt-ac88u-dual-band-wireless-ac3100-gigabit-router-reviewed?showall=&start=2

      When I get time I plan to write an article about configuring my Mikrotik, they are far more advanced and thus more complex than any Asus product.

      1. Thanks for that information. I looked up the Mikrotik, a very interesting device. As an IT guy in work life, definitely up my alley. Maybe I’ll return the AC88U and get that instead! But so far it’s been solid and I like the Merlin firmware and the 8 gigabit ports. More speed is always good of course, but I’ve been very happy with 100 Mbps for a while now so I’ll see how this pans out. Guessing in a couple of years I’ll be playing with pfSense and building my own router, using the ASUS as an access point only for the wireless devices. Hopefully tomorrow goes smoothly! (this is CJ by the way, WordPress weirdness changed the name on me).

      2. I had considered using pfSense, but the hardware to run it to actually support a symmetric gigabit connection was expensive or extremely power hungry (aka expensive over time). I settled on the Mikrotik HEx 750gr3, it uses <5watts and can pass full bidirectional wire speed based on my actual testing. I don't know what I would ever gain by using pfSense, other than something that requires more maintenance and ultimately cost far more. The HEx 750gr3 is available for $50, you would have to spend 4X or more to get hardware to run pfSense that won't even compare to this for performance.

        So I am using the HEx as a pure router, and then I am using 2 dual-band Mikrotik WAP ac RBwAPG-5HacT2HnD-US (~$70 each) units for my access points…the Asus I returned was $150, I have $190 invested in Mikrotik and have full house coverage of WiFi and a superior router with infinitely better control over firewall policies, especially as it relates to IPv6, which Asus fails miserably at. I did add a $70 VLAN capable PoE switch to power everything too, which simplified my network greatly as now I only have to have 1 UPS to keep the entire network functional with power glitches…and as someone that works from home frequently that is critical. I have the UPS (which is monitored by the HEx), the HEx router and PoE switch in my utility closet…and that powered the 2 remote access points and a remote PoE powered switch in my office.

        The Mikrotik definitely takes a bit more time to setup than the Asus, but that is because it can do so much more…likely similar in setup complexity to pfSense, however the fact that I can run the same OS for my router and access points is great…and I can manage the access points from one place via policies. I have 4 virtual access points on each physical access point providing full traffic isolation using VLANs to protect my network from rogue devices (e.g. ill-maintained IoT devices) with bandwidth limits on any untrusted devices. You would have to spend thousands of dollars to get these features from a big name vendor (e.g. Cisco/Meraki).

        Additionally you can leverage complex overlay networks if you want, they also offer full VPN support including MPLS and full routing protocol support. Since these are carrier focused they offer some amazing features. I had thought about buying one of the CCR1009 routers but the refreshed ones weren't available yet, so I went with the HEx 750gr3 expecting I would just upgrade later if it wasn't powerful enough for my gigabit services…however it has proven that it will pass full wire speed 1900megabits of traffic even with my paranoia level firewall rules.

      3. That is super cool. I might be looking into that at a future date. I also looked into Ubiquiti’s EdgeRouter and their wireless access points, but of course, then I’d be wiring my whole house with Cat 6 or Cat 7, access points in every room for blanket AC wireless, etc, etc. Right now, after my fiber install, I’m enjoying the glorious speeds! Cheers.

      4. I’m also a CenturyLink fiber subscriber in Portland. I have already removed my C1100z and replaced it with a UBNT Edgerouter Lite. This worked well for a while, but the Edgerouter Lite apparently has a firmware bug that occasionally crops up and necessitates turning off hardware offloading for the PPPoE connection (which CenturyLink uses). When hardware offloading is turned off, the ERL only gets about 100M up and down…not good.

        I decided to jump into a Mikrotik CCR1009-7G to make sure that I would be future proofed to some degree, but I am having trouble setting the router up. I would greatly appreciate any help you can provide on configuration.

        Thanks!

      5. I had thought about going with the CCR1009, but I decided to just get the hEX. The CCR1009 doesn’t use a “switch chip”, so that means you have to decide how you want your interfaces configured. You need to decide which interface goes to the Internet, let’s say eth1. You then configure that interface with a VLAN and configure it for the PPPoE, I prefer using the CLI via SSH and not the UI as it is easier to give exact configuration via CLI.

        Add VLAN 201:
        /interface vlan add comment="CenturyLink WAN" interface=ether1 name="vlan201 WAN" vlan-id=201

        You then need to configure your PPPoE Client:
        /interface pppoe-client add add-default-route=yes comment="Century Link" disabled=no interface="vlan201 WAN" name=pppoe-wan password=PASSWORD user=USERNAME@qwest.net

        At that point your router should be connected to the Internet, you then need to configure the LAN side. This part is a bit of guessing based on my understanding of RouterOS, the model I have uses a switch chip to just switch packets between the interfaces. If you want all of the other interfaces to act like a “switch” you need to bridge them together.
        /interface bridge add name="LAN-Bridge"
        /interface bridge port add bridge=LAN-Bridge interface=ether2
        /interface bridge port add bridge=LAN-Bridge interface=ether3
        /interface bridge port add bridge=LAN-Bridge interface=ether4
        /interface bridge port add bridge=LAN-Bridge interface=ether5
        /interface bridge port add bridge=LAN-Bridge interface=ether6
        /interface bridge port add bridge=LAN-Bridge interface=ether7

        I refuse to use Century Link’s ad driven DNS service, if you mistype a domain it goes to some search engine of theirs that is entirely annoying rather than just giving an invalid domain error. FTN, so add DNS servers:
        /ip dns set allow-remote-requests=yes cache-size=4096KiB servers=208.67.222.222,2001:470:20::2,129.250.35.251,216.146.36.36,156.154.70.1,208.67.222.222,8.8.4.4,208.67.220.220

        At that point you then need to configure the LAN network, so you need to add an IP address to ether2 (or whatever interface you prefer):
        /ip address add address=192.168.1.1/24 comment="Primary LAN Gateway" interface=ether2-master network=192.168.1.0

        Then configure your DHCP servers (I just use the Mikrotik’s built in DNS to keep things simple):
        /ip dhcp-server network add address=192.168.1.0/24 comment="Primary Network" dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
        /ip dhcp-server add add-arp=yes address-pool=primary-dhcp disabled=no interface=ether2-master lease-time=2w name=lan-default

        I use interface lists to simplify some of the configuration steps, so let’s create those:
        /interface list
        add name=WAN
        add name=LAN
        /interface list member
        add interface="vlan201 WAN" list=WAN
        add interface=pppoe-wan list=WAN
        add interface=ether2 list=LAN
        add interface=ether3 list=LAN
        add interface=ether4 list=LAN
        add interface=ether5 list=LAN
        add interface=ether6 list=LAN
        add interface=ether7 list=LAN

        Now you need to configure NAT so that your private IP addresses can talk to the Internet:
        /ip firewall nat add action=masquerade chain=srcnat out-interface=pppoe-wan

        Then create some common lists to blacklist unusual traffic from being allowed on the Internet side:
        /ip firewall address-list add address=192.168.0.0/16 list=Bogon
        /ip firewall address-list add address=10.0.0.0/8 list=Bogon
        /ip firewall address-list add address=172.16.0.0/12 list=Bogon
        /ip firewall address-list add address=127.0.0.0/8 list=Bogon
        /ip firewall address-list add address=0.0.0.0/8 list=Bogon
        /ip firewall address-list add address=169.254.0.0/16 list=Bogon
        /ip firewall address-list add address=100.64.0.0/10 list=Bogon
        /ip firewall address-list add address=192.0.0.0/24 list=Bogon
        /ip firewall address-list add address=192.0.2.0/24 list=Bogon
        /ip firewall address-list add address=198.18.0.0/15 list=Bogon
        /ip firewall address-list add address=198.51.100.0/24 list=Bogon
        /ip firewall address-list add address=203.0.113.0/24 list=Bogon
        /ip firewall address-list add address=224.0.0.0/3 list=Bogon

        And now for some sane firewall rules:
        /ip firewall filter
        add action=drop chain=input comment="Drop invalid" connection-state=invalid log-prefix="Drop Invalid Input"
        add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix="Drop Invalid Forward"
        add action=drop chain=output comment="Drop invalid" connection-state=invalid log=yes log-prefix="Drop Invalid Output"
        add action=drop chain=input comment="Drop Bogon -> WAN" in-interface-list=WAN log=yes log-prefix="Bogon Input Drop" src-address-list=Bogon
        add action=fasttrack-connection chain=input comment="Accept established/related Input" connection-state=established,related
        add action=accept chain=input comment="Accept established/related Input" connection-state=established,related
        add action=fasttrack-connection chain=forward comment="Fast Track Established / Related Forward" connection-state=established,related
        add action=accept chain=forward comment="Forward related/established" connection-state=established,related
        add action=accept chain=input comment="Accept broadcast from self" in-interface=!pppoe-wan src-mac-address=E4:8D:8C:C2:47:2F
        add action=accept chain=input comment="Accept DHCP" dst-port=67 protocol=udp src-port=68
        add action=fasttrack-connection chain=input comment="Allow anything from LAN " in-interface-list=LAN src-address=192.168.1.0/24
        add action=accept chain=input comment="Allow anything from LAN " in-interface-list=LAN src-address=192.168.1.0/24
        add action=fasttrack-connection chain=forward comment="Accept LAN to any" in-interface-list=LAN src-address=192.168.1.0/24
        add action=accept chain=forward comment="Accept LAN to any" in-interface-list=LAN src-address=192.168.1.0/24
        add action=accept chain=input comment="SSH for secure shell" dst-port=22 in-interface-list=WAN protocol=tcp
        add action=accept chain=input comment="Allow limited pings" limit=50/5s,100:packet protocol=icmp
        add action=drop chain=input comment="Drop excess pings" protocol=icmp
        add action=drop chain=input comment="Drop all other Input" in-interface-list=WAN log=yes log-prefix="Drop all input"
        add action=log chain=input comment="Log everything else" log=yes log-prefix="Undropped Input"
        add action=drop chain=forward comment="Drop everything else" log=yes log-prefix="Forward Drop"

        During this process you may get disconnected from the router due to IP address changing, but the default IPs should stay in place as we aren’t removing them…we are only adding new ones. If you do the configuration of the serial port you won’t get disconnected, the other option is to use winbox by MAC address and open telnet in there (I think it will work by MAC). This should get you started, there are a lot of blogs out there with more firewall rules to tighten it up more. IPv6 is another configuration process entirely, I use a tunnel from Hurricane Electric as I find ipv6rd (from Century Link) derived addresses annoying as every time your public address updates all of your IPv6 addresses change, I wanted them to be more permanent as I use IPv6 within my LAN. If you do configure IPv6 make sure to actually add firewall rules for the IPv6 too!

        This isn’t my full firewall rule set, I have a lot more filters in there and auto-generating filter lists based on unauthorized activity. I have at least 65 firewall filters, and ~8000 black listed IPs or subnets.
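
As an added example that is not part of the original comment, the following shell function reviews a filter rule set like the one above and lists the input-chain accept rules that can match new connections arriving on the WAN side, which are the rules worth a second look before the router goes online. The sample rules are copied from the comment; the function names and the matching heuristic (an accept rule bound to the WAN, or with no interface restriction at all) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list input-chain accept rules reachable from the WAN.

# Sample input: a subset of the filter rules copied from the comment above.
sample_rules() {
    cat <<'EOF'
add action=drop chain=input comment="Drop Bogon -> WAN" in-interface-list=WAN log=yes log-prefix="Bogon Input Drop" src-address-list=Bogon
add action=accept chain=input comment="Accept established/related Input" connection-state=established,related
add action=accept chain=input comment="Accept DHCP" dst-port=67 protocol=udp src-port=68
add action=accept chain=input comment="Allow anything from LAN " in-interface-list=LAN src-address=192.168.1.0/24
add action=accept chain=forward comment="Accept LAN to any" in-interface-list=LAN src-address=192.168.1.0/24
add action=accept chain=input comment="SSH for secure shell" dst-port=22 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Allow limited pings" limit=50/5s,100:packet protocol=icmp
add action=drop chain=input comment="Drop all other Input" in-interface-list=WAN log=yes log-prefix="Drop all input"
EOF
}

# Read rules on stdin; print the comment of each input-chain accept rule that
# a new packet arriving from the WAN could match.
wan_reachable_accepts() {
    while IFS= read -r rule; do
        case $rule in
            *action=accept*) ;;
            *) continue ;;
        esac
        case $rule in
            *chain=input*) ;;
            *) continue ;;
        esac
        # Replies to connections the router opened itself are not new exposure.
        case $rule in
            *connection-state=established*) continue ;;
        esac
        case $rule in
            *in-interface-list=WAN*|*in-interface=pppoe-wan*) ;;  # WAN-facing
            *in-interface=*|*in-interface-list=*) continue ;;     # bound elsewhere
            *) ;;                        # no interface match: applies to WAN too
        esac
        printf '%s\n' "$rule" | sed -n 's/.*comment="\([^"]*\)".*/\1/p'
    done
}

sample_rules | wan_reachable_accepts
```

In this rule set the SSH rule is the one that opens a management service to the whole Internet; restricting it with a `src-address-list` of known addresses, or managing the router from the LAN only, narrows that exposure.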

  4. By the way, I did have trouble getting my router to work with the VLAN tag so currently I have the crappy C1100Z that they also gave you running in bridge mode to do that. They gave it to me for free so it isn’t a big deal but I read on a different site that if you call CenturyLink, they can take the VLAN tag off your connection. Might give that a shot so I can pop this thing in a closet.

    1. Wow, they gave you the C1100Z for free? I got totally ripped off as they made me pay $100 for the stupid thing…are you sure they aren’t charging you a monthly lease fee for it? Did you buy a bundled service promo with a contract? I am really curious, so far the only thing about CTL service that truly bothers me is that they forced me to buy this antiquated hardware.

      1. Well, as they say in the parlance of politics, “I know a guy”. I was extremely unhappy with Comcast’s data caps (I got a 4K TV this month and the Ultra HD streaming ate into my data cap in three weeks!) and was complaining about it at work, and a coworker has a friend who works for CenturyLink. I was skeptical because of all the bad stories I’d heard but I called him up and it’s really been a very stellar experience. It’s unfortunate that’s not how it is for everyone and I wish it was. The install guy did offer me the better router but since I was planning on skipping over it anyway, I took what they gave me. And yes, I do have a contract, for two years. My Asus router, while causing me some grief, has now finally decided to work with the VLAN tag so I have no real need for the C1100Z but will probably hold onto it just in case I need a router in an emergency.

  5. I was able to get my PPPoE password on my Technicolor C2100T a lot easier. I just logged in to my router (192.168.0.1) and went to “Quick Setup” where my credentials were already prefilled (though hidden). Then, from my browser’s web inspector console, ran:

    document.querySelector("input[name=admin_password]").value

    which output the unhidden, unencoded password to the console. After copy + pasting and applying, I verified that it worked.

  6. FYI for C2100z users….

    Just got the C2100z (tried to get T… tech had none) and it came with latest firmware…. Busybox now walled off with a password not given. Found some threads online about people able to get past the randomly generated (per device it seems) password, but still having difficulty getting credentials for PPPoE. Am attempting to get credentials from CLink today. *fingers crossed* This thing is garbage. Even fewer options/menus to use. PPPoE section has a “Show password” option which just shows a hidden password. Tried to use some injection through console with no success.

    1. Also dealing with the same crap. Want to ditch this router and use my own, can’t access shell or find any other way to find the password. Let me know if you have any success in getting the PPPoE info. I’m not even having success getting them to upgrade my speed.

    2. Did CTL provide you with the password when you asked them? I have read elsewhere that they will, it is likely a good thing they are locking down these devices…however I fear they are still leaving their own backdoor accounts in place, so whatever system they use to manage the client devices is a single target to own all of their customers…or they are using passwords which can be brute forced, and not using pre-shared keys as that would require effort from them.

      I don’t really have any interest in dealing with their crappy router again, or I’d install it and see if it upgraded to try to research a new work around…but again, I am too lazy and I really enjoy my reliable/fast Internet I get without their hardware.

      1. I was able to get the PPPoE credentials. It ended up being pretty straightforward. I just gave ’em account info (which was a big pain, but that’s another story). She was a little hesitant at first but once I explained I knew I needed to do the VLAN tagging, her attitude changed and she helped me out.

        I can confirm the credentials work, but I’m having some issues getting the tagging to work right. Using their router in transparent bridge mode until I can get the settings right.

        I’m using an Asus RT-N66U with Tomato Shibby on it.

      2. http://imgur.com/a/UdX9A

        That’s what my settings look like. If I set to tag WAN and save it, the router reboots and the setting is cleared. I’m wondering if I’m missing the setting or not doing this right.

      3. Technician was clearly in a big rush and not the most personable, but he did a great job with my old house and keeping the wiring clean. Called the fiber support line since speeds were not right after a few days. They quickly got ONT restarted and PPPoE handed over no questions asked. Getting through support lines was a pain, but once I got someone good, this was easier than ever dealing with Comcast. Waiting for router to show up any day now to roll my own setup! Thanks for following up guys!

      4. Hey Michael, I’ve never used Tomato so I’m not familiar with it at all. Did you try to do a “factory reset” beforehand? Perhaps something is out of whack from the upgrade if you hadn’t ever done a factory reset after installing Tomato. Your problem looks like this though: http://www.linksysinfo.org/index.php?threads/tomato-by-shibby-wont-save-remember-vlan-port-settings.72094/

        Good luck, part of the reason I skipped these overpriced Asus things was to get away from annoying firmware packages. When I was using my RT-N56U I had been running the padavan firmware package for it, but they don’t have one for the N66U.

  7. Thanks for the link, I’ll look into it this weekend. Yeah, I did some hard resets on it. Right now I’m back on the stock Asus firmware which is working perfectly so far.

    1. I get 940+megabits upload and download concurrently. You can’t always get that speed with a single speed test as their side may not be able to actually keep up consistently. You have to find a few fast sites and run them at the same time.

  8. WoW! I’m sold! I’ve been reading your blog yesterday and today. Great forum. I’m not a tech pro, just some tech classes while I was still in college, but I’ve been very enthusiastic about new things in communications. Is there any chance you could cover in full how you set up your whole system (along with the Mikrotik WAP ac RBwAPG-5HacT2HnD-US units)? With great appreciation, Inkaopal

  9. Just wanted to say thanks for this great article! I just had to figure out the location of some of the settings and it worked like a charm. For reference I’m using an Asus RT-AC87U with the Merlin firmware.

    * The vlan 201 setting goes into Lan -> IPTV. Change setting to manual and enter 201 under Internet VID
    * IPV6 seems to mostly work, the trick was to disable DHCP option to get access to some of the settings.

  10. Ditto to all the kudos and on inkaopal’s request to document system setup. I would gladly help. I’m in Seattle. I think I’m getting close to setting up my MikroTik hex using WebFig on my PC, but missing a setting somewhere.

  11. After finally discovering that my net cable randomly died in the middle of configuring, I supplanted the CL router with the MikroTik hEX. My problem now is I’m still throttled at 40M up/5M dn. Just set up the absolute minimum. What’s the magic setting to take advantage of the fiber speed?

    1. There are a lot of details to determine where the performance issue is. Are you connecting to the Mikrotik directly with an Ethernet cable or via wireless? Switches? Did you try other cables? How are you running the speed test? Have you looked at the Mikrotik community forums to make sure you are leveraging hardware acceleration (Fasttrack in the Mikrotik UI)? You will never see gigabit speeds on current WiFi, regardless of how your WiFi vendor lies to you.

      Just to confirm, I ran a speed test and just saw 815 down, 557 up with my local CL speedtest server. If I use multiple tests concurrently I can easily hit 940+/940+.

      1. ONT->Mk->PC
        It would appear I wrongly interpreted that the router does the throttling when CL does it upstream so I will never exceed 40M until I subscribe to Gig service, right?

      2. Correct, you cannot get higher performance than you are subscribing to just by changing the router. In the case of those of us paying for Gigabit, the hardware CL provides isn’t always capable of actually delivering it.

      3. Nothing should prevent Mikrotik from working with Xfinity, reality is that more router options should work with Xfinity as they normally don’t require PPPoE. PPPoE is the choke point for a lot of the hardware in the consumer market, it seems. You will still need the cable modem, obviously, whereas CenturyLink fiber uses an ONT to convert from the carrier network to an RJ45.

      4. Thank you. My time ran out and CL offered me $40.00 price for life for 40M, a pretty good price for the lesser of two evils, so sticking with that for now.

  12. I too jumped on the offer from Century Link: 1 gig, $65 for life, free modem and installation. They are now giving out the C3000A as the modem. However, I don’t get past 400 Mbps (wired) as the max on download and 800+ on upload.
    And wifi on mobile devices or a laptop doesn’t go above 50-60 Mbps, which is very weird (1 Gbps vs 60 Mbps on wifi). I’m going through the articles on how to ditch the Century Link modem. I do have Google Wifi; I bought it when it was released but it is still unopened. I was with Xfinity before and was getting good wifi coverage, but their prices kept increasing.

    Pretty confused whether to use g-wifi and buy a switch to enable VLAN or buy an Asus router which makes the job easier. I’m not tech savvy, just learning from online articles.

    1. Seems one option would be to try placing your C3000A into “bridge” mode, that would allow it to do the VLAN conversion and then you can use your Google Wi-Fi router for everything else. No investment, so if it doesn’t work you aren’t out anything. This will let you at least investigate if the Google devices do PPPoE and give you full speed or not, and if not then you can decide if you want to try to pursue a different router. http://www.centurylink.com/home/help/internet/modems-and-routers/actiontec-c3000a/access-advanced-setup/wan-settings.html and you can find the options for “Transparent Bridging”.

      Good luck!

  13. I just ordered a Mikrotik hEX for my CenturyLink connection. I appreciate the tutorial! Any idea where one would start if they did want to configure it to work with CenturyLink’s 6RD?

    1. I had tried to work this out, but gave up. I was using the free IPv6 tunnel service from Hurricane Electric, but it breaks Netflix. One work around is to block your Netflix clients from getting IPv6, but at some point that breaks the reason to have IPv6 enabled at all.

      You essentially have to write a script that is similar to those for updating the Hurricane Electric tunnel end point, or dynamic DNS…but a lot more complicated. You would need to script the conversion of your public IPv4 address into an IPv6 address. I attempted it, but gave up…and I only had to do it one time after work required I get a static IP address anyhow.

      On Linux it isn’t entirely difficult, but getting the scripting to work on RouterOS was a chore and I gave up. Sadly Mikrotik doesn’t seem to care if you can actually use 6rd or not, they just claim it is “supported” because they don’t do anything to prevent you from doing it. I would imagine it would only take someone that is fluent in their scripting a short time to create a script that would calculate and set the IPv6 addresses.

      In theory this is a hint, but good luck:
      ```
      # Fragment: expects WANaddress, PubAddrComment, SubnetAddrComment and LogPrefix
      # to be defined earlier in the script (not shown here).
      # Append a trailing dot so every octet, including the last, ends with "."
      :set WANaddress ($WANaddress . ".")
      # 2002::/16 is the 6to4 prefix
      :local IP6prefix "2002:"
      :local num
      :local tn
      :local hi
      :local lo
      :local ar
      :local pos
      :local IP6part

      # Two passes, two octets each: every pass builds one 16-bit hex group
      :for i from=0 to=1 do={
        :set IP6part ""
        :for j from=0 to=1 do={
          :set pos [:find $WANaddress "."]
          :set num [:pick $WANaddress 0 $pos]
          :set WANaddress [:pick $WANaddress ($pos + 1) 99]
          :set tn [:tonum $num]
          # Split the octet into its high and low nibble
          :set hi ($tn / 16)
          :set lo ($tn - ($hi * 16))
          :set ar [:toarray ($hi . "," . $lo)]
          :foreach val in=$ar do={
            :if ($val < 10) do={
              :set IP6part ($IP6part . $val)
            } else={
              :if ($val = 10) do={ :set IP6part ($IP6part . "a") }
              :if ($val = 11) do={ :set IP6part ($IP6part . "b") }
              :if ($val = 12) do={ :set IP6part ($IP6part . "c") }
              :if ($val = 13) do={ :set IP6part ($IP6part . "d") }
              :if ($val = 14) do={ :set IP6part ($IP6part . "e") }
              :if ($val = 15) do={ :set IP6part ($IP6part . "f") }
            }
          }
        }
        :set IP6prefix ($IP6prefix . $IP6part . ":")
      }

      # Rewrite the addresses that are tagged with the matching comments
      :foreach i in=[/ipv6 address find] do={
        :local addr [/ipv6 address get $i address]
        :local cmnt [/ipv6 address get $i comment]
        :local name [/ipv6 address get $i interface]
        :if ($cmnt = $PubAddrComment) do={
          :local newaddr ($IP6prefix . ":1/16")
          /ipv6 address set $i address=$newaddr
          :log info ($LogPrefix . "Changed address of interface " . $name . " from " . $addr . " to " . $newaddr)
        }
        :if ($cmnt = $SubnetAddrComment) do={
          :local tmp $addr
          # Drop the first three groups; the fourth group is the subnet ID to keep
          :for j from=0 to=2 do={
            :set pos [:find $tmp ":"]
            :set tmp [:pick $tmp ($pos + 1) 99]
            :if ($j = 2) do={
              :set pos [:find $tmp ":"]
              :local newaddr ($IP6prefix . [:pick $tmp 0 $pos] . "::1/64")
              /ipv6 address set $i address=$newaddr
              :log info ($LogPrefix . "Changed address of interface " . $name . " from " . $addr . " to " . $newaddr)
            }
          }
        }
      }
      ```
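
Added example (not part of the comment above or of the original post): a Python version of the IPv4-to-IPv6 prefix calculation that reply describes, generalized from the 6to4 case in the RouterOS hint to 6rd as defined in RFC 5969. The function names and the 2001:db8::/32 documentation prefix are assumptions for illustration; use the 6rd prefix and IPv4 mask length your ISP publishes.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4, ipv4_mask_len=0):
    """Return the 6rd delegated prefix for a WAN IPv4 address (RFC 5969).

    The ISP's 6rd prefix is followed by the low (32 - ipv4_mask_len) bits
    of the IPv4 address. 6to4 is the special case 2002::/16 with mask 0.
    """
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("ipv4_mask_len must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    new_len = prefix.prefixlen + v4_bits
    if new_len > 64:
        raise ValueError("delegated prefix would be longer than /64")
    suffix = v4 & ((1 << v4_bits) - 1)          # drop the shared high bits
    base = int(prefix.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def lan_interface(delegated, subnet_id=0):
    """Return the ::1/64 router address of one LAN subnet in the delegation."""
    subnet_bits = 64 - delegated.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError("subnet_id does not fit in the delegated prefix")
    net = int(delegated.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Interface((net | 1, 64))


if __name__ == "__main__":
    # Constructed sample values from the documentation address ranges.
    samples = [
        ("2002::/16", "192.0.2.1", 0),        # 6to4, as in the RouterOS hint
        ("2001:db8::/32", "198.51.100.7", 0),  # 6rd, full IPv4 address embedded
        ("2001:db8::/32", "10.1.2.3", 8),      # 6rd, shared 10/8 bits omitted
    ]
    for sixrd, wan, mask in samples:
        pd = sixrd_delegated_prefix(sixrd, wan, mask)
        print(wan, "->", pd, "LAN:", lan_interface(pd, 0))
```

A /32 6rd prefix with the full IPv4 address embedded yields exactly one /64, so only `subnet_id=0` is valid there; shorter ISP prefixes leave room for several LAN subnets.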

  14. Hi! Do you think the Mikrotik hEX RB750Gr3 would work for 940/940 Bell Fibre? Or should I go for a HaP AC 2? Thanks!

    1. Either are likely fully adequate for what you are seeking, the RB750Gr3 is a router only and would require a separate device for Wi-Fi. I personally prefer separate devices as my access points are located where it makes sense for access points to be, rather than where my Internet service was delivered. I have no experience with the HaP AC 2, but according to the MikroTik published benchmarks the HaP AC 2 is more powerful for routing/firewall purposes so it shouldn’t be any problem.
