SG2100 - How do I connect to GPON ONU interface?

stephenw10

Ok try this. Add an IPAlias VIP to the WAN as 192.168.1.100/24.

Then try to ping 192.168.1.10 from pfSense directly.

It will use the VIP as source directly. I would expect the GPON interface to respond to ping.

If that works try Diag > Test Port to 192.168.1.10 on port 80 and/or 443 and see if it's listening.

If both those work then you just need a NAT rule to allow access from the LAN.

stephenw10

What module are you using out of interest? I got one for testing but it doesn't respond at all for some reason.

stealthmode

@stephenw10

Thank you for sharing these steps

I changed the LAN IP back to 192.168.1.1 instead of adding a VIP

I tried to ping 192.168.1.10 from pfsense and that failed

I tried test port to port 22 to 192.168.1.10 and the connection failed

Only port 22 is opened as per the manual

The module is https://www.fs.com/de-en/products/133619.html

stealthmode

Here is what the connection looks like

IMG_4587 (1).jpg

stephenw10

@stealthmode said in SG2100 - How do I connect to GPON ONU interface?:

I changed the LAN IP back to 192.168.1.1 instead of adding a VIP

Ok that won't work.

The LAN interface must remain in a different subnet to the gpon module management otherwise it can't route to it. It will only work with a VIP on the WAN so it routes the traffic out to the GPON module.

You could set the WAN directly to 192.168.1.100 but I assumed you want that as DHCP so it pulls a public address once the fibre is connected. Using a VIP allows that.

stealthmode

@stephenw10

Thank you, sorry about that.

I reverted the config, assigned the LAN IP as 192.168.2.1

Assigned an IP alias VIP for the LAN interface to 192.168.1.100 / 24

Tried the Ping test and ensured that the source interface was set as 192.168.1.100, the ping failed

Tried port test on 22 and ensure that the source interface was set as 192.168.1.100, the connection to port 22 failed

stephenw10

@stealthmode said in SG2100 - How do I connect to GPON ONU interface?:

Assigned an IP alias VIP for the LAN interface to 192.168.1.100 / 24

The IPAlias VIP has to be on the WAN, where the GPON module is.

stealthmode

@stephenw10 Damn it... thank you...

That worked, the ping worked finally :D

stephenw10

Nice! Ok so if it works from pfSense itself it can also work from a LAN client if you have the right outbound NAT rule. I would try to make the rule as specific as possible so it never over-matches. So probably from LANsubnet to 192.168.1.10 address.

stealthmode

@stephenw10 Thank you for all your help... can you please let me know if something is wrong with my NAT configuration?

I tried setting the interface as both LAN and WAN but not able to ping from my laptop... sorry for the trouble

IMG_4594 (1).jpg

stephenw10

Ok I would use hybrid mode rather than manual. Otherwise you will need to add NAT rules for all other traffic.

The one user rule should be on the WAN interface. It translates traffic as it leaves the WAN.

The translation (NAT) address should be the VIP. If that's 1.15 that should be OK.

stealthmode

@stephenw10 Awesome, that worked, thank you thank you thank you so much.... how can I buy you a beer/coffee?.... thank you so much

stephenw10

No worries, glad to help.