[mindslight]

Wat? If PPPoE is running on the router, then how is the ONT meddling with TCP connections? Is PPPoE being run on the ONT rather than the router? I guess PPPoE isn't encrypted and the ONT could be deencapsulating and reencapsulating frames, but that seems unlikely?

[loeg]

I don't know what the ONT is doing. PPPoE is definitely running on the router, not the ONT. The ONT could be doing some sort of DPI.

[mindslight]

That's weird! I don't know much about PPPoE but I wonder if it would be possible to mess with the framing so that the specific DPI/modification wouldn't work. Like add some nonstandard options to the header, and hope the ONT used fixed offsets for getting addresses.

Given that ONTs probably aren't subject to too much hardware security research, maybe it would be possible to hook up a debugger and NOP out the connection tracking hooks.