Netgate Discussion Forum

    Fiber optic to pfSense Box

      keyser Rebel Alliance @demonaii

      @demonaii Agree with @stephenw10 - If your ISP box supports/can run in Bridgemode, then use that. Bridgemode means that it will transparently bridge (switch) from the very complicated GPON setup to standard Ethernet on the inside - to which you can easily connect your pfSense’s WAN interface.

      Setting up a GPON SFP directly in your pfSense to work with your ISP can be borderline impossible. It may (probably will) require information/settings that you cannot obtain unless the ISP is willing to assist you and detail EVERY requirement they place on their GPON delivery setup - something I’ll bet they won’t :-)

      Love the no fuss of using the official appliances :-)

        Gblenn @demonaii

        @demonaii said in Fiber optic to pfSense Box:

        @elvisimprsntr

        I contacted tech support, and they told me that bridge mode is enabled and that the public IP goes to the second router behind my modem. Which will be my future Netgate 2100.

        When it comes to the modem, I am not sure if ISP can provide me with this information.

        Have you checked the SFP module in the modem? Can you try to simply move it over to your pfsense box, it may be compatible?
        One thing that may be needed is to spoof the MAC from the ZTE unit they have provided.

        ISPs are different of course but I have done exactly that with three different ISPs I've had in the past few years, all with their own and quite different equipment installed at my place.

          elvisimprsntr @Gblenn

          @Gblenn
          ZTE devices typically don't have an SFP module. Bridge or pass through mode is the way to go.

          Internal photo of the F670E, but can't imagine the F670L is much different.

          https://fccid.io/Q78-ZXHNF670E

          [image]

            JKnott @demonaii

            @demonaii said in Fiber optic to pfSense Box:

            What should I look for when searching for an SFP module that is compatible with my box and the ISP?

            One factor is the wavelength used for you. With fibre, multiple wavelengths of infrared are used to connect different customers. The ISP can use Coarse Wavelength Division Multiplexing (CWDM) for multiple connections over the same fibre, with a diffraction grating filter to separate them. Your ISP will have to tell you what to use. However, if they already provided a gateway, you may be able to find out by reading the info on the SFP.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              demonaii @keyser

              @keyser

              What does it look like from a security standpoint? Am I more or less secure with or without the ZTE, if we assume that I configure the pfSense the right way?

              @Gblenn

              Does the module in the modem differ from your usual modules? I mean, I would have to disassemble the whole router to even see it. I still do not have my pfSense box.

              There are three options:

              1. Use SFP module by ISP or from a 3rd party vendor
              2. Use a media converter; however, I would still have the same number of devices.
              3. Use standard RJ45 cable

              @JKnott

              From the information I've gathered, I landed on three different SFP modules.
              In my second post I talk about conflicting information between the manual in the box and what the internet says about this matter.

                keyser Rebel Alliance @demonaii

                @demonaii From a security standpoint you are as secure as your pfSense config is done - with or without the ISP box in bridgemode.

                Getting a GPON SFP module (even if you can get all the relevant info from your ISP to configure it) is exactly the same as running the ISP box in bridgemode.
                In fact, a GPON SFP module for pfSense is a small GPON to Ethernet Bridge with a running Linux distro within the SFP module to configure and manage the bridge on it - Exactly like the ISP box in Bridgemode. The only difference is you have to configure it with the relevant ISP settings, and perhaps a slightly lower power consumption.

                  Gblenn @demonaii

                  @demonaii said in Fiber optic to pfSense Box:

                  @Gblenn

                  Does the module in the modem differ from your usual modules? I mean, I would have to disassemble the whole router to even see it. I still do not have my pfSense box.

                  There are three options:

                  1. Use SFP module by ISP or from a 3rd party vendor
                  2. Use a media converter; however, I would still have the same number of devices.
                  3. Use standard RJ45 cable

                  So the ZTE seems to have the media converter built in. So what do you have going into the slot at the bottom right? Isn't that your patch cable/fiber, looking like one of these perhaps?

                  [image]

                  Then you just need a compatible SFP module, with the correct wavelengths.

                  Alternative two will, as you say, not save you any equipment, and as others are saying you can always simply continue using the modem in bridge mode.

                    demonaii @Gblenn

                    @Gblenn

                    My optic fiber looks like this:

                    [two images]

                    My biggest concern when deciding on a compatible SFP module is the wavelength. My ISP won't be happy if there is a mismatch in laser wavelength. Probably could burn their equipment, who knows?

                    If I understand it correctly, wavelength downstream is RX (1490 nm) and wavelength upstream is TX (1310 nm). Am I right?

                    When I checked the information for the connector type, it looks like this is an SC/APC connector because it is angled, while the SC/UPC is not angled at all.

                      stephenw10 Netgate Administrator @demonaii

                      @demonaii said in Fiber optic to pfSense Box:

                      My ISP won't be happy if there is a mismatch in laser wavelength. Probably could burn their equipment, who knows

                      It just won't see any data.

                      A much bigger issue is that the ISP has to accept 3rd party GPON devices on to their network and, AFAIK, most do not.

                        keyser Rebel Alliance @demonaii

                        @demonaii Yeah - please make sure you understand that GPON is NOT Ethernet. So we are not talking a traditional Ethernet SFP module here. You need a GPON to Ethernet Bridge SFP module. I use this model in my Netgate 2100 in France:

                        https://www.fs.com/de-en/products/133619.html

                        Works like a charm, but let me assure you - that is only the case because there are hundreds of Frenchmen doing reverse engineering on how Orange (ISP) have set up their GPON infrastructure - AND - still - It’s only possible because Orange also have a “leak” through one of their technicians, and he provides important needed information for actually passing authentication with a non-Orange GPON unit.
                        Without the leaked information from him it would be impossible.
                        It requires a lot of SPECIAL DHCP config and DHCP options in pfSense along with a little config and MAC addr./device ID cloning from an Orange router to the Linux running within the SFP module.

                          JKnott @demonaii

                          @demonaii said in Fiber optic to pfSense Box:

                          Probably could burn their equipment, who knows?

                          It wouldn't burn the equipment but it could interfere with another customer. The wavelength could be any of several. Also, sometimes the same wavelength is used for both directions, with a duplex fibre. Other times it's two wavelengths with simplex fibre.

                          And yes, I do have hands-on experience with this stuff with a telecom company.

                            Gblenn @demonaii

                            @demonaii So the type of module that keyser suggested will probably work fine. It has to be one with a full width opening to take that connector you are showing. There are bidirectional modules that have a single half size slot but they will only take the smaller connector you see on the right in the picture I pasted.

                            Also, to make sure MAC address isn't becoming an issue, simply locate the MAC of the ZTE modem and copy it over to pfsense. It's probably printed on the back of the device, or you will find it in the UI for "internet connection".
                            Worst case, you end up sending the module back and you have to stick to running the modem in bridge mode.

                              keyser Rebel Alliance @Gblenn

                              @Gblenn said in Fiber optic to pfSense Box:

                              @demonaii So the type of module that keyser suggested will probably work fine. It has to be one with a full width opening to take that connector you are showing. There are bidirectional modules that have a single half size slot but they will only take the smaller connector you see on the right in the picture I pasted.

                              Also, to make sure MAC address isn't becoming an issue, simply locate the MAC of the ZTE modem and copy it over to pfsense. It's probably printed on the back of the device, or you will find it in the UI for "internet connection".
                              Worst case, you end up sending the module back and you have to stick to running the modem in bridge mode.

                              The module I suggested uses the LC connector of the fiber the OP has. The other modules you are referring to as bidirectional are not GPON modules; they are BiDi Ethernet modules and have nothing to do with GPON.
                              GPON is a single fiberstrand passive optical multiplexing technology - something completely different than optical Ethernet - both in specs, transport framing and signaling.

                              Regarding the MAC address cloning - doing it in pfSense does not help as it is the GPON interface in the SFP that logs into the GPON tree. So you need to clone the MAC address to the GPON interface of the SFP which is controlled by the built in Linux inside the SFP. After that has logged in to GPON, then it enters bridge mode so the pfSense Ethernet frames are bridged to the GPON transport by the SFP module. Here it may or may not be necessary to have the same MAC address in pfSense as the GPON module used for login (depends on the ISP).

                                Gblenn @keyser

                                @keyser said in Fiber optic to pfSense Box:

                                @Gblenn said in Fiber optic to pfSense Box:

                                @demonaii So the type of module that keyser suggested will probably work fine. It has to be one with a full width opening to take that connector you are showing. There are bidirectional modules that have a single half size slot but they will only take the smaller connector you see on the right in the picture I pasted.

                                Also, to make sure MAC address isn't becoming an issue, simply locate the MAC of the ZTE modem and copy it over to pfsense. It's probably printed on the back of the device, or you will find it in the UI for "internet connection".
                                Worst case, you end up sending the module back and you have to stick to running the modem in bridge mode.

                                The module I suggested uses the LC connector of the fiber the OP has. The other modules you are referring to as bidirectional are not GPON modules; they are BiDi Ethernet modules and have nothing to do with GPON.
                                GPON is a single fiberstrand passive optical multiplexing technology - something completely different than optical Ethernet - both in specs, transport framing and signaling.

                                Understood, and of course the fs.com site and others will list all the info on their sites and let you search by category. But it's quite the jungle and a lot of data that fits in the "headline/name", where most of it will actually be the same.
                                But good that you clarified!

                                Regarding the MAC address cloning - doing it in pfSense does not help as it is the GPON interface in the SFP that logs into the GPON tree. So you need to clone the MAC address to the GPON interface of the SFP which is controlled by the built in Linux inside the SFP. After that has logged in to GPON, then it enters bridge mode so the pfSense Ethernet frames are bridged to the GPON transport by the SFP module. Here it may or may not be necessary to have the same MAC address in pfSense as the GPON module used for login (depends on the ISP).

                                Ah yes, and most likely (or hopefully) the ISP will not bother locking MAC at the GPON level, as it would just complicate things. Then again, who knows...
                                But it's not impossible that they have registered the ethernet MAC of the Router, which my ISP does for example. In which case cloning in pfsense will of course work.
                                But then again, I suppose that would have come up already when setting the modem in bridge mode wouldn't it?

                                  keyser Rebel Alliance @Gblenn

                                  @Gblenn Yeah, the fact that they offer bridgemode likely suggests that they do not care about the actual router MAC address.

                                  But they might care about the GPON logon MAC address - to make sure it's their box that connects to the GPON tree.
                                  So the OP should probably expect to be required to clone the MAC to the GPON part of the SFP.

                                    Gblenn @keyser

                                    @keyser Hmm, and I suppose not all modules allow changing MAC and/or serial number? So best bet might be to buy one that does...

                                      keyser Rebel Alliance @Gblenn

                                      @Gblenn Yes - exactly. That is one thing you need to consider. The FS module I suggested allows you to change the MAC address.

                                        stephenw10 Netgate Administrator

                                        But that still may not help if the ISP doesn't allow unregistered GPON devices to connect. It's possible (but shouldn't be!) to get gpon modules you can reprogram to match your existing device. But that's a deep rabbit hole!

                                          keyser Rebel Alliance @stephenw10

                                          @stephenw10 True - The FS module I linked to allows vendor and regID customisation as well.
                                          So if you can get all the needed details, you can have that GPON SFP look exactly like your ISP provided GPON device (typically the router with integrated GPON).
                                          The problem is getting the needed info as you might not have a login to the ISP box that can reveal all this info.

                                          Like I said in my first comment: If the ISP box does Bridgemode, then use that. Doing GPON directly in a GPON SFP is a rabbithole and could require you to configure settings/info that you cannot get unless the ISP is ready to assist you.

                                            demonaii @keyser

                                            @keyser

                                            I understand that I am looking for an SFP module that is optic to digital and not digital to optic. Like this one, as you suggested.

                                            https://www.fs.com/de-en/products/133619.html

                                            Is this my only choice?

                                            I would have to connect to the module through my Netgate via LAN and configure it. I saw there is a bit of information written down under the ISP modem/router like MAC, GPON SN and so on.

                                            What kind of information are we talking about?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.