I have considered this with Zuku as well and tried them. Thoughts:

1. Most ISPs do not allow for the first option due to some weird rules they have and it would be completely difficult to get this done. Not impossible, but not worth the hassle .
2. I am currently doing this method. Zuku Router (in bridge mode)> Second router (Netgear mesh setup to act as a second router)> Appliances.
   You can do the exact same order you mentioned but just switch off the wireless connectivity of Saf’s router, and while in the router settings try and get it to bridge mode and then connect your second router and have it do all the pass the heavy lifting.

Hope that helps.

Yeah this is more or less what i was looking for. However there is no option to setup bridge mode on the safaricom router

How did you manage to get Safaricom to give you the router password ?
Incase you do manage to set it to bridge mode .Get a device that can run OpenWRT firmware and will have a better experience compared to the off the shelf routers .With OpenWRT you have QoS control , adblocking at router level and better DNS management. There are hundreds of useful apps available including adguard home , transmission etc
Most ubiquiti routers support OpenWRT and available at jiji at affordable prices. I use Ubiquiti edgerouter lite running OpenWRT 22.03 .

The password is usually provided as part of the installation process to everyone… Though it is not root access…

I already have a Pfsense Router and the bit am stuck on is the Fiber > Safaricom bit…

Apparently as per Sufericon Bridge Mode is exclusively limited to Business Customers

Don’t all these home routers come with default passwords? If you know the model number then google is your friend.

The secondary router is what should be setup in bridge mode. In this case, it makes sense that Safaricom won’t offer support for equipment which isn’t theirs.

Wait isn’t it supposed to be the first router? I want to setup pfsense as follows

Internet> Sufericon Router> pfsense appliance> Home appliances

No, in your setup, the pfSense router will be in bridge mode.

The way these routers work, there are two modes. Gateway mode (the default), which allows you to connect to the internet and bridge mode, which allows you to extend a local network.

So your setup will be:

Internet → Safaricom router (gateway mode/ default) → pfSense (bridge mode)

This is similar to my setup at home, so I can vouch that it does work.

have you tried using one of the lan ports from the safaricom router as the gateway for the pfsense box or is there a specific reason you want to use bridge mode? if you must use bridge mode, not sure if you have the nokia or huawei router, but on the nokia router(G-140) you can go to the LAN settings and change the individual ports to either bridge mode or route mode. I havent tried it myself so i dont know if it works as intended but you can give it a try and see

Using the second option. The first option is out of bounds because ISPs need to have direct access to your router whenever problems arise.

Loll I know. I sort of got it to work.

But why would they need access to my router… To snoop! To better support customers yada yada… Once I was dealing with customer care and I realized basically they have unfethered access, I was bewildered.

I would prefer it if they simply had access up to the main junction box to confirm and troubleshoot network issues.

Let the router be mine to do however I wish…

Sort of? What challenges are still there?

Not everyone is a tech expert. It’s easier for them to offer customer support in that way.

But those who don’t need their support should be allowed to also have their way…

When was the last time you interact with support and they accessed your router?

I see you want to “get rid” or put the #Safaricom router back in it’s box? …well I’ve never heard of them give a customer PPOE passwds + it’s not like you’re paying a “rental” fee like in some extreme capitalistic countries + do you have an SFP(SFP+) ports + transceiver modules to connect their LC Fiber connector?

If you’re successful report back(also interested) and spot check …
Disable any WLAN(ensure all connections go through your pfsense box), port-forwadings(I’ve detailed better ways to share or get back to your home network on a post on “Overlay” networks) etc you’ve modified on the #Safaricom router. In fact factory reset it!

Wouldn’t Advise on 2…

but on the nokia router(G-140) you can go to the LAN settings and change the individual ports to either bridge mode or route mode

Can confirm on the Huawei you’re SOL on this …

From this point assume and handle the #Safaricom box like an external(and hostile) device on the webs of the internet…

Yeah. Just wishful thinking… Why should someone else have control to my Personal Space considering nowadays everything is online… I would love some form of privacy/ control. However am fully aware this is simply wishful thinking and big brother knows what is good for me…

In the end I set DMZ on the WiFi Router…

Well, it’s their network and strictly speaking their router. Totally understandable from a customer support perspective.

Which Huawei router? Safaricom Home’s bone stock router doesn’t need any configuration changes to support a secondary bridge router.

People are daft out here. It’s necessary to reduce all the headaches that come with requesting customers to fix stuff by guiding them.

I’m not sure but changing the administrator details restricts access to your router. I realized that after the support staff asked for the login credentials for my router to offer assistance. Before that, they were doing it without hassle.