PLDT Home Fibr router superadmin and AP isolation UPDATED FEB 2020
NOTE: THIS IS AN UPDATED VERSION OF OUR OLDER POST WITH NEW USERNAMES AND PASSWORDS UPDATED FOR FEBRUARY 2020.
We’ve written this in order to help out fellow users of PLDT Home Fibr internet connections here in the Philippines, following our own extremely frustrating experiences with this provider.
PLDT Router AP (Access Point) Isolation
The standard PLDT Home Fibr ONU (modem/router) – see image above – implements access point isolation, which means that while it has 4 LAN ports as well as both 2.4GHz and 5GHz wifi, any device connected via wifi cannot communicate with a device connected to a LAN port, and vice versa. Apparently this is done for “security reasons” (in other words, PLDT views its users as stupid and is looking for ways to minimise the time it spends on technical support).
What this means in practical terms is that if you have a home server (e.g. a Synology Diskstation or something like it that connects to the LAN via an ethernet cable), your wifi-connected devices cannot see it on the network, rendering it useless. Needless to say, PLDT do NOT warn you about this when you sign up for a two year contract, which in our view is negligent bordering on breach of contract, so we have no qualms offering this information online.
- Add a USB wifi adaptor to your server, if you can (only certain adaptors will work and it will also depend on your server operating system)
- Put your PLDT Home Fibr modem/router into bridge mode, so it just acts as a modem, and connect another wifi router to it via an ethernet cable – this involves getting the configuration of the second router just right in order for things to work, and makes it harder to access the admin screens of your PLDT box
- Find a way to turn off the access point isolation
We decided against solution 1, since getting the configuration right will still depend on having a second router set up in order to talk to the server while setting up the USB wifi adaptor, and tutorials showing exactly how to sort it out seem hard to find.
On researching solution 2 it seems that putting the PLDT modem/router into bridge mode can cripple the throughput speeds, so we’ve decided not to mess with that.
That leaves solution 3 – finding a way to turn off the AP isolation, and after several hours of googling various relevant-sounding phrases we found an article that linked to another article that linked to another article that linked to a Discord chat room where a search of the chats revealed a way to do it. Then we had to go to a different source, also challenging to find, in order to get the latest superadmin username and password. Phew.
The only trouble is, whenever you restart your router (or there is a power cut, which can be quite frequent here in the Philippines) you have to repeat the process of disabling the AP isolation. Still, it’s better than no solution at all, and it actually only takes a few seconds to do.
Disabling AP Isolation
Note: this works on our new firmware version (RP2646). We’re told it also works on RP2684. If you have RP2631 please see our older post.
- First you have to enable the Telnet interface on your PLDT box.
Go to http://192.168.1.1/fh (bookmark it) and log in with the following details:
THIS WILL ONLY WORK IF YOU USE THE /FH URL
- Once logged in, select ‘Debug Switch’ on the sidebar menu
- Enable the Telnet switch and click Apply (if you also enable the web admin switch you’ll be able to log in with the adminpldt account – see below)
- Log out
- Open a terminal window or command prompt
- telnet 192.168.1.1 and use gepon as the login and as the password
- When it says ‘User’, type enable and press Enter, then enter gepon again as the password
- Type cd switch and press Enter
- Type control port_fw_eligiblity_switch disable and press Enter (no that’s not a typo in the word eligiblity!)
- Done. Close the command prompt window.
This worked a treat and we were instantly able to see and connect to our Synology Diskstation (hooked up to the PLDT box via LAN cable) from a Mac via wifi, without using an extra router.
We’ve heard that if you submit a support request to PLDT, explaining why you need AP isolation permanently turned off, they may do it for you (emphasis on may and you’ll probably have to escalate through several levels of staff). That would save having to follow this process after each power cut.
Alternatively you may decide (like us) that PLDT support is so clueless and inflexible that it’s not worth the hours you’ll lose off your life.
The adminpldt account
If you enable the web admin switch when logging in as superadmin, you will also be able to log in to your router using the adminpldt account, which means you can enable LAN ports 2 and 3, disable remote access (so PLDT can no longer push firmware updates to your router), etc etc. The new password for the adminpldt username is z6dUABtl270qRxt7a2uGTiw (if that doesn’t work try 1234567890 or pldt1234). Have fun and be careful!