If you must use your ISP's ONT, have it set to bridge mode. And then use whatever router you're comfortable administrating. Open WRT is perfectly good for this.
The benefits of bridge mode are that your routing device has the public IP address. And controls everything. Some of the more evil ISPs won't let you set bridge mode on their device unless you open a support ticket it's worth it to do so.
I would suggest using Piholes regardless of your routing strategy. They can help improve the web browsing experience by improving load times, can capture stuff missed by browser ad blocks, and work as an adblocker for devices that don't have browsers, like Apps and smart tvs.
Thanks, I will definitely keep this in mind. Currently using OpenWRT with LuCI-adblock, which is not quite as extensive as a PiHole, but gets the job done. I have three RaspberryPi 3's just collecting dust so I may as well switch at some point.
If you already happen to have a generic server in your house, you can run it in a docker container. Since I already had a file server in my basement, I threw the pihole image on there, directed my router to use my server for dns and done! It took like an hour and most of that was just reading the instructions. Actually setting it up was stupidly easy.
And I love it. My smart tv no longer shows ads in the sidebar. All my devices load websites faster...
The only downside is sites that refuse to load if I refuse to watch their ads. No great loss.
You should never be required to use your ISP provided all-in-one/router/modem box thing. You can always switch to a decent modem (Motorola makes decent/cheap ones for residential network at the speeds you will likely need), and put your own route behind it. As far as what your ISP can control/see they are limited to the interface device between your network and their network. If you intentionally make it a brain-dead modem then they cant see your router at all and your free to do what ever you want with no oversight.
Why would you be forced to use your ISP router? Anyways, you can probably configure that. Look up the model, find out the login URL and default user/pass, and see if you can log in and make changes.