The provider modem can be a problem if the network you want to connect to is behind another router downstream. Some have the option to set a passthru for VPN but not all. You can configure the modem as a bridge which disables the modem as a network controller. This may work for some cases but needs careful planning if you have an existing network using the default modem governed network.

I’ve found both Verizon and Comcast business modem/routers have a DMZ option which exposes one internal machine to the public network and this works to put the router on the external network interface. However, the T-mobile 5G home connection will not connect in this configuration even though Verizon home Fios and many others work just fine.

The best option I’ve found is to forward ports 500 and 4500 to the internal Edge X router. I found these using Wireshark. I’m sure they are documented somewhere. Port 500 is initially used when connecting to the Edgerouter thru the firewall but shifts to port 4500 after initial contact. Forwarding eliminates the killer conflict between T-Mobil and Comcast modems when using the Comcast option to expose an internal machine.