
Most VDSL routers don't have any decent support on DD-WRT or OpenWRT due to the proprietary firmware blobs required for all the DSP algorithms inside the modem.

Sadly, that means a massive chunk of the world connected by ADSL/VDSL can't use this advice.



You can, but you need your own device that supports an open source firmware. The ISP-provided modem you can potentially put in modem mode, at which point it's just the interface to the wire, and you can then run your own router in PPPoE mode to interface to it and out to the internet. If the ISP-provided device can't do that, then turn off its NAT, firewall and wifi and just configure it to connect to the internet, and plug into a network port just your router from the router's WAN port and then use DHCP WAN configuration. Then all your devices only go into your device. The only device exposed by the poor security of the manufacturer is the modem itself, and your network is defended by your personal device.

There are a bunch of other ways to do it, but you can absolutely have your network defended by your own device running open source firmware and still use the device the ISP has provided mostly as a modem. I use a DHCP WAN on my router which outputs to the ISP's provided router, which is just a modem at this point and not a lot else. It still runs DHCP and DNS and all that other junk, but my home network doesn't use any of it. I use Virtual LANs internally for some development services I use, so the default ISP routers are useless to me, and after issues with various routers with VDSL modems I gave up and have used openWRT ever since. I also use separate access points for wifi since it's another area openWRT is a little behind, just due to how long drivers take to come out.


And then you have fun with the fact the ISP resets all the devices back to defaults once a week... And if you have to live with it in its default config, you have double-NAT, and games and web conferencing stuff doesn't work properly.

It's just a bad compromise.


https://github.com/genewitch/opensource/blob/master/wireguar...

I wrote this up the other day. Mine is still super flaky, but I am going to be trying closer servers. I think, ideally, you want your game console on the DMZ of the router with wireguard.


Just don't NAT again, but simply firewall. That's what I do. Luckily the days of routers crashing when there are more than 15 TCP sessions are over, even with the cheap ISP routers. But Wifi usually still sucks with those, plus security concerns, so I like to isolate it from the rest of my network with OpenWRT.


You could do what I do and run your own router on PC hardware and get a separate DSL modem. There aren't a lot to choose from, but you should be able to find one at least.



