Netgate Discussion Forum

SG2100 - Unable to get DHCP WAN IP on GPON interface

Hardware
  • K
    keyser Rebel Alliance @stephenw10
    last edited by Aug 3, 2024, 11:45 AM

    @stephenw10 Nope, if your DHCP frame is not formatted correctly with the required DHCP options to authenticate, then there will be no DHCP reply/offer. So you are unable to verify if traffic actually works or your VLAN tagging is correct.

    On top of that my ISP - Orange - requires all DHCP frames to be priority 6 tagged as well. If they are not, no replies are made.

    Love the no fuss of using the official appliances :-)

    • S
      stephenw10 Netgate Administrator
      last edited by stephenw10 Aug 3, 2024, 11:47 AM Aug 3, 2024, 11:47 AM

      Urgh, well that's not easy then! 😞
      #funtimes

      • K
        keyser Rebel Alliance @stephenw10
        last edited by Aug 3, 2024, 11:56 AM

        @stephenw10 Indeed - if the ISP is strict like Orange, it will be impossible to make it work unless you have one of two options:

        • Some inside info from the ISP to be able to configure all the right settings.
        • Be able to do a packet capture of your original ISP router's DHCP exchange and mimic all settings in pfSense

        In Orange’s case there is a large internet forum in France where thousands of people share their findings + a representative (unofficial I presume) from Orange shares the strict requirements their end verifies before passing authentication.

        Love the no fuss of using the official appliances :-)

        • S
          stealthmode @keyser
          last edited by Aug 3, 2024, 4:18 PM

          @keyser said in SG2100 - Unable to get DHCP WAN IP on GPON interface:

          Be able to do a packet capture of your original ISP router's DHCP exchange and mimic all settings in pfSense

          How should I be able to do this? Any ideas?

          • K
            keyser Rebel Alliance @stealthmode
            last edited by keyser Aug 3, 2024, 11:25 PM Aug 3, 2024, 11:23 PM

            @stealthmode Not really, no, since your ISP is using GPON. It would require special hardware that can bridge the GPON fiber and give you a capture sitting in the middle.

            If your ISP router has another WAN port (RJ45), it might work by linking that to your pfsense while doing a packet capture on the pfsense port. The ISP router might send the same crafted DHCP request on the RJ45 WAN port as it does on the GPON fiber port when linking up/booting.

            Alternatively you would need an ISP router that is hacked to mirror packets to a secondary port (if possible at all on that HW).

            All you need is a copy of that first DHCP request frame as that shows all options and if needed priority settings.

            Love the no fuss of using the official appliances :-)

            • S
              stephenw10 Netgate Administrator
              last edited by Aug 3, 2024, 11:51 PM

              Mmm, but finding someone else who has already done it for your ISP would be easiest. Perhaps there is some local forum for users?

              • K
                keyser Rebel Alliance @stealthmode
                last edited by Aug 4, 2024, 8:04 AM

                @stealthmode I’m from Denmark, but my French “connection” required me to find all the info I needed on this French site: https://lafibre.info/index.php

                There is a LOT of info sharing on various ISPs on that site. Perhaps someone there has also been working with MEO if they are present in France, or if that someone has remote sites in Portugal.

                Love the no fuss of using the official appliances :-)

                • K
                  keyser Rebel Alliance @stealthmode
                  last edited by Aug 4, 2024, 8:24 AM

                  @stealthmode I can see there are some discussions about ISPs in Portugal. Perhaps you can find something here:
                  https://lafibre.info/europe-sud/

                  Love the no fuss of using the official appliances :-)

                  • S
                    stealthmode @keyser
                    last edited by Aug 4, 2024, 1:27 PM

                    @keyser said in SG2100 - Unable to get DHCP WAN IP on GPON interface:

                    https://lafibre.info/europe-sud/

                    Thank you very much! I'm enquiring on this forum as well as other forums for this ISP

                    • S
                      stealthmode @stealthmode
                      last edited by Aug 4, 2024, 1:49 PM

                      Great news! I logged into the CLI of the router and was able to capture some additional details on the WAN interface.

                      Interface:                     erouter0
                      MAC Address :                  <removed>
                      Description:                   Interface_erouter0
                      Type:                          IPoE
                      Vlan 802.1p:                   0
                      Vlan Mux ID:                   12
                      Vlan TPID:                     0x8100
                      IPv6:                          Enabled
                      IGMP Proxy:                    Enabled
                      IGMP Source:                   Enabled
                      MLD Proxy:                     Disabled
                      MLD Source:                    Disabled
                      NAT:                           Enabled
                      NAT Type:                      Masquerade
                      Firewall IPv4:                 Enabled
                      Firewall IPv6:                 Enabled
                      Force Disable Firewall IPv4:   Disabled
                      Force Disable Firewall IPv6:   Disabled
                      ARPPing:                       Enabled
                      ARPPing timeout(secs):         900
                      ARPPing number of repetitions: 3
                      Status:                        Connected
                      IPv4 address:                  <removed>
                      IPv6 address:                  <removed>
                      Enable/Disable:                Enabled
                      Addressing Type IPv4:          DHCP
                      ------DHCPv4------
                      Option 60 Vendor ID:           meods00
                      Option 61 IAID:
                      Option 61 DUID:
                      Subnet Mask:                   <removed>
                      Default Gateway:               <removed>
                      Option 125:
                      DNS Servers:                   <removed>
                      Remaining Lease Time(secs):    <removed>
                      ------DHCPv6------
                      Type:                          PrefixDelegation
                      Prefix:                        <removed>/56
                      Preferred lifetime:            90000
                      Valid lifetime:                90000
                      Default gateway:               <removed>
                      DNS Servers:                   <removed>
                      ----------------------------------------------
                      

                      Considering the above, I need to set Option 60, and also set the DHCPv6 options. Do you think that there are any other settings I should configure on the WAN interface?

                      thank you

                      • K
                        keyser Rebel Alliance @stealthmode
                        last edited by Aug 4, 2024, 2:49 PM

                        @stealthmode VendorID might be the only setting needed - it might not. Sometimes not everything is outputted in a shell command like that. But try

                        Love the no fuss of using the official appliances :-)

                        • S
                          stephenw10 Netgate Administrator
                          last edited by stephenw10 Aug 5, 2024, 1:30 PM Aug 4, 2024, 5:02 PM

                          Mmm, what did you run to get that? I can't decide if that's what the server sent rather than the client.

                          • S
                            stealthmode @stephenw10
                            last edited by Aug 4, 2024, 8:05 PM

                            @stephenw10 The router has a banner

                            "RDK (A Yocto Project based Distro) 2.0 GEN8"

                            I ran cd wan and then show

                            I've configured the PFSense wan interface in this way

                            • On mvneta0.12 WAN interface, enabled Advanced Configuration and Configuration Override
                            • Set the file as "/root/dhcp-config/dhcp.conf"
                            • The file contents are the following:
                            interface "mvneta0.12" {
                                  timeout 60;
                                  retry 15;
                                  select-timeout 0;
                                  send dhcp-class-identifier "meods00";
                            }
                            
                            • Restarted PFsense
                            • still don't appear to be getting the WAN IP

                            Do you think my configuration is correct here?

                            • K
                              keyser Rebel Alliance @stealthmode
                              last edited by Aug 4, 2024, 8:19 PM

                              @stealthmode Probably, but it’s hard to tell if your setup works as intended unless you do a packet capture.

                              I would instead not enable configuration override, and just insert:

                              dhcp-class-identifier "meods00"

                              In the send options dialog. Then we know it will be included in the standard DHCP process from pfSense (it will also be fully restorable from a config file if you ever reinstall or move to a different device)

                              Love the no fuss of using the official appliances :-)

                              • S
                                stealthmode @keyser
                                last edited by Aug 4, 2024, 10:11 PM

                                @keyser Thank you!

                                I followed what you said, and the DHCP options are being sent in the request but I still don't get a WAN IP.

                                So it's back to the drawing board for me :|

                                • J
                                  JonathanLee
                                  last edited by Aug 4, 2024, 10:16 PM

                                  The ISP may require the MAC address of the ISP provided router. This would require you to spoof the MAC address into the WAN interface. Do you know if it is locked down to the original router MAC address?

                                  Make sure to upvote

                                  • S
                                    stealthmode @JonathanLee
                                    last edited by Aug 4, 2024, 10:55 PM

                                    @JonathanLee Thank you for your reply. I tried that now, and that didn't help either :(

                                    The packet capture shows that I've spoofed the MAC address to that of the ISP router WAN interface

                                    • S
                                      stealthmode @stealthmode
                                      last edited by Aug 4, 2024, 11:22 PM

                                      I took the static IP which was assigned to the ISP router and manually assigned it to the pfSense WAN interface, by changing the DHCP to Static.

                                      After that, in "Status > Interface", I couldn't see any increments on the "In" packets counter. The out packets counter was increasing. Basically, I still didn't have internet access via PFsense.

                                      This makes me think that the GPON ONU stick might still not be "fully" authenticated...

                                      • K
                                        keyser Rebel Alliance @stealthmode
                                        last edited by Aug 5, 2024, 5:25 AM

                                        @stealthmode I don’t think the GPON ONU “authentication” is the issue. When you reach state 5 it is connected and accepted into the GPON tree. I’m pretty sure you are not passing authentication with your ISP on the protocol level. IPoE is specifically authentication via DHCP, and if your DHCP request frame does not pass authentication, the other end (ISP ONT) does not open/pass traffic, and to you that seems like a dead link (no traffic seen/passed).
                                        Setting a static IP just makes sure you do not pass authentication - as you are not sending a DHCP frame to authenticate on :-)

                                        I’m quite sure the problem is you are not providing all the options needed. Usually IPoE also requires options that describe e.g. the circuitID and an authentication password/code.

                                        In my setup there are specifically two options that send a deviceID and an authentication code - which is why you need a capture of the ISP router's DHCP exchange - otherwise it will be impossible to replay the needed settings.

                                        Love the no fuss of using the official appliances :-)
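
Added example, not part of the original posts and not Netgate or pfSense code: a parser for one captured DHCP request frame that reports the VLAN ID, the 802.1p priority and the DHCP options discussed in this thread, and lists where a second request differs from it. The function names and sample frames are constructed for illustration; VLAN 12 and `meods00` come from the router output posted above, and the option 61 value is made up.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options

def parse_dhcp_frame(frame):
    """Return VLAN ID, 802.1p priority (PCP) and DHCP options of one Ethernet frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    off = 14
    if ethertype == 0x8100:                       # 802.1Q tag: TPID, then TCI
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan, off = tci >> 13, tci & 0x0FFF, 18
    if ethertype != 0x0800 or frame[off + 9] != 17:
        raise ValueError("not an IPv4/UDP frame")
    bootp = off + (frame[off] & 0x0F) * 4 + 8     # skip IPv4 and UDP headers
    if frame[bootp + 236:bootp + 240] != MAGIC:
        raise ValueError("no DHCP magic cookie")
    opts, i = {}, bootp + 240
    while i < len(frame) and frame[i] != 255:     # 255 = end option
        if frame[i]:                              # 0 = pad byte, has no length
            opts[frame[i]] = frame[i + 2:i + 2 + frame[i + 1]]
            i += 1 + frame[i + 1]
        i += 1
    return {"vlan": vlan, "pcp": pcp, "options": opts}

def diff_requests(reference, candidate):
    """List where the candidate request differs from the reference request."""
    findings = [f"{k}: want {reference[k]}, got {candidate[k]}"
                for k in ("vlan", "pcp") if reference[k] != candidate[k]]
    for code, value in sorted(reference["options"].items()):
        if candidate["options"].get(code) != value:
            findings.append(f"option {code}: missing or different")
    return findings

def build_sample(pcp, vlan, options):
    """Constructed DHCPDISCOVER frame for the demo (zeroed addresses and checksums)."""
    opt = b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"
    bootp = b"\x01\x01\x06\x00" + bytes(232) + MAGIC + opt
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + bytes(6) + struct.pack("!HHH", 0x8100, (pcp << 13) | vlan, 0x0800) + ip

# Constructed samples: VLAN 12 and "meods00" are from the thread, the option 61 value is made up.
ISP_ROUTER = parse_dhcp_frame(build_sample(0, 12, [(53, b"\x01"), (60, b"meods00"), (61, b"\x01" + bytes(6))]))
PFSENSE = parse_dhcp_frame(build_sample(0, 12, [(53, b"\x01"), (60, b"meods00")]))

if __name__ == "__main__":
    print(diff_requests(ISP_ROUTER, PFSENSE))
```

To use it on real traffic, pass the raw bytes of the first DHCP request frame from each capture to `parse_dhcp_frame` in place of the constructed samples.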

                                        • S
                                          stealthmode @keyser
                                          last edited by Aug 5, 2024, 6:14 AM

                                          @keyser Thank you very much for your detailed insights... I really appreciate the information that you've provided. It makes sense.
