The Calix Gigahub 813G FTTH ONT router is complete rubbish

With my 50Mbps fibre installation I received a Calix Gigahub 813G FTTH ONT (ONT = Optical Network Terminal) or in short a fibre router:

As the end-consumer you do not really have much choice as ISPs prescribe what client devices can be used and in almost all cases, the on-premise device needs to match the network infrastructure. The Calix seems to be a popular device, but having worked with the router over the last 4 weeks, I can honestly declare that Calix GigaHub is complete rubbish for the following reasons. Let’s not forget that even the most basic R600 / USD30 router will have more advanced features than the Calix device and it seems to make no difference what model in the Gigahub range is used.

No end-user support

There is absolutely no way to get end-user support from Calix. This means you can not download an electronic copy of your manual, submit bug-reports, make product recommendations or check what the latest firmware version is. Calix has suggested that any end-user device support needs to be channeled through your ISP – so you have to open a support ticket with your ISP in order to get a product manual:

In many cases ISPs will actually lock down the Calix device and a consumer has zero access to the device – meaning that you can not configure QoS, DMZ, WiFi settings etc. I find this highly irresponsible from ISPs as it literally shifts some accountability for security breaches to the ISP and places additional burden on the end user to provide additional equipment to secure their home-network (let’s not forget that the majority of end-users can barely configure two-factor authentication or change the factory password on their WiFi router)

Horrible WiFi

I picked the Calix Gigahub 813G which features a 2.4Ghz b/g/n WiFi module as I mostly use WiFi for mobile devices. As I am typing this blog, I am literally sitting 3 metres away from the Calix 813G and from the graph below you can see that it only has 28% signal strength. My Apple Airport Express which sits 10 metres away in another room (separated by a 40cm thick wall) has stronger signal strength than the Calix:

Quality of Service does not work

Remember when I said earlier that you need to file a support ticket with your ISP in order to get the product manual? Even with it you will struggle configuring QoS as none of the QoS settings are actually properly explained in the manual and are still a mystery to me. Since the Calix has no real-time monitoring, I had to rely on 3rd party tooling to measure if QoS works, and I found it does not:

Based on the explanation from a Calix engineer, all Gigahubs have 9 QoS classes as depicted above. In my configuration case I wanted to add my PS4Pro into the highest class (EF), my Synology NAS into AF11 and all other devices stay with the default (Best Effort). The idea was that a download on a tablet (Best Effort class) would throttle back if my PS4Pro or Synology started downloading data – this never worked and QoS seemed to only work on a “first come” basis.

Absolutely no logging / monitoring

Even the most basic ADSL modem-router has device logs, real-time statistics and in many cases even SNMP logging to remote devices. The Calix has none of it other than this one screen which shows packets sent/received:

The System log never shows anything else other than this:

The firewall log does not show any sorts of attacks (I ran through a number of vulnerability tools, but none of my attacks against myself showed up in the Firewall log):

The Calix Firewall is useless

For the regular user the firewall might just suffice (when you overlook the fact that there is no transparency/logging in the firewall logs), but the options are really limited and technically it is more of a choice of “Firewall ON” vs “Firewall OFF”:

You can pick from 4 security settings as explained in the above screenshot. With each pre-selected settings the “Traffic In / Out” options under “Blocked Services are either ticked or unticked. There is literally no option to define a custom service with custom ports. It is for example also not possible to block port 20 for FTP service and only leave port 21 open. Even the cheapest and most basic firewall device will allow you to configure custom services.

Remember the part about support? Yes, I have filed a support ticket with my ISP 2 weeks ago asking the question how I can configure custom firewall services. Eventually they will revert with the answer I already know “Custom Services are not supported”.

What is the alternative?

I doubt that Calix will be able to fix the WiFi issues through a firmware upgrade. I also doubt that they will introduce Custom Services into the firewall configuration as this type of functionality should have been part of the very first release of their firmware (and it is technically not difficult to do this). Since Calix “gateways” end-customer queries through ISPs they will either never know about issues or have done this deliberately to shield them from end user feedback (example: Why on earth would you not even allow the download of product manuals?).

In my case I will turn the Calix 813G into a true “dumb” device and turn off all features (WiFi, firewall, QoS etc) and then use Ubiquiti devices to manage my network properly.