    Fiber optic to pfSense Box

    • G
      Gblenn @keyser

      @keyser said in Fiber optic to pfSense Box:

      @demonaii This particular SFP comes preconfigured with the IP address 192.168.1.10.
      There are multiple ways to access it, but if you have LAN running on your pfSense and it is using the 192.168.1.0/24 network, then you need to resolve the conflict first. If you have any other subnet as LAN, you can simply create your WAN interface in pfSense using your SFP NIC port. You can then create a VIP address on WAN and give that IP 192.168.1.1/24. You need to create a VIP because the actual WAN IP address will be the one learned using DHCP from your ISP (unless of course your ISP uses a VLAN, which mine does).

      I suppose since this will be done without a connection to the ISP, one could instead simply set WAN to static 192.168.1.1/24, right?

      And of course any IP conflict still needs to be resolved but when that is done, you don't need anything further, or? You would be able to connect to 192.168.1.10 from LAN without any special rules or NAT...

      • keyserK
        keyser Rebel Alliance @Gblenn

        @Gblenn said in Fiber optic to pfSense Box:

        I suppose since this will be done without a connection to the ISP, one could instead simply set WAN to static 192.168.1.1/24, right?

        Yes, that would work too.

        And of course any IP conflict still needs to be resolved but when that is done, you don't need anything further, or? You would be able to connect to 192.168.1.10 from LAN without any special rules or NAT...

        You cannot connect from LAN without a NAT rule as the GPON module does not have a default gateway. So it can only respond to IPs in the same 192.168.1.0/24 subnet. Hence the need to have pfSense NAT and source packets from the VIP address (or WAN IP if you configure it directly there).

        Love the no fuss of using the official appliances :-)

        • D
          demonaii

          I would have to report when I receive my Netgate 2100, and it's already three months late from delivery, and purchase the SFP module that @keyser recommends.

          • keyserK
            keyser Rebel Alliance @demonaii

            @demonaii said in Fiber optic to pfSense Box:

            I would have to report when I receive my Netgate 2100, and it's already three months late from delivery, and purchase the SFP module that @keyser recommends.

            Just to clarify: I'm not recommending going down this rabbit hole. Use your ISP box in bridge mode - it's much better and will require no additional support.

            I have not checked if my suggested SFP fulfills all the requirements/wavelengths and so on you might need, so that's up to you to do that. I just suggested it because it works for me, and it seems our situation is somewhat similar.

            Be advised I cannot do support on configuration of the SFP - you will need to search the internet for that. There is no real deep usable manual on the product from FS.

            • D
              demonaii @keyser

              @keyser Well, it's not my first or last rabbit hole that I've entered.

              When it comes to the SFP requirements, with the known parameters/requirements that I found, I land on these two options on fs.com

              https://www.fs.com/de-en/products/133619.html
              https://www.fs.com/de-en/products/192476.html

              The worst thing that can happen is that I would have to return the item.

              I contacted Support, and they told me that the cable is configured to the ISP modem/router, and they told me it is "impossible". I asked them why it is impossible, but I remain unconvinced. Either they don't know or don't want to tell me.

              • stephenw10S
                stephenw10 Netgate Administrator

                It's not impossible, nothing is. 😉

                However it may be very difficult!

                The ISP support probably has no idea though. Either they can't support it so.....

                • keyserK
                  keyser Rebel Alliance @demonaii

                  @demonaii If they are like most ISPs (read: all), they just will not help you, and they prefer not to have any other equipment than their own on the infrastructure - which is very understandable.

                  About the GPON SFP - I think you need to use the first option (the one I linked to), because the generic ones are not customizable. I'm not saying they won't work, but they will only work if your ISP has no GPON device filtering measures in place (such as MAC address, Device Vendor and such).

                  • C
                    claferriere @Gertjan

                    @Gertjan I have been using a media converter box in which my GPON is placed in the SFP port and then the RJ45 into the 6100. Works fine, I was just wondering how to cut out the "middleman" so to speak, i.e. replace the media conversion box with a SFP GPON OTN that does what the media conversion box does. It can't be that outlandish to think this can be done, no?

                    • keyserK
                      keyser Rebel Alliance @claferriere

                      @claferriere If you are using an Ethernet media converter now that has a GPON Bridge SFP module from your ISP in the SFP port, there should be no issues in just plugging that GPON SFP into the SG-6100.
                      If it’s not an Ethernet media converter but a GPON to Ethernet media converter (no Ethernet SFP port) then you would need to embark on the adventure this thread is all about.

                      • D
                        demonaii @keyser

                        @keyser

                        Hello again!

                        I received my Netgate device and SFP module as you recommended.
                        However, when I try to connect to the SFP module I receive the message "connection timed out". I tried fixing it by changing the IP of the router and PC, but then I get the message "destination unreachable".

                        What am I doing wrong?

                        • stephenw10S
                          stephenw10 Netgate Administrator

                          You are using that in a 2100?

                          Can you access the module to configure it? Does it show as linked? Edit: I see you can't.

                          How are you trying to access it? How is the 2100 configured to allow that?

                          • D
                            demonaii @stephenw10

                            @stephenw10

                            Yes, I use FS GPON-ONU-34-20BI on 2100.

                            Yes, pfSense shows that it is detected.
                            The manual says that the IP for the module is 192.168.1.10.

                            I am trying to access it via PuTTY. If by configured you mean changing lots of settings, then, no. I just powered it on, logged via 192.168.1.1 and used the wizard for standard configuration.

                            • keyserK
                              keyser Rebel Alliance @demonaii

                              @demonaii said in Fiber optic to pfSense Box:

                              @stephenw10

                              Yes, I use FS GPON-ONU-34-20BI on 2100.

                              Yes, pfSense shows that it is detected.
                              The manual says that the IP for the module is 192.168.1.10.

                              I am trying to access it via PuTTY. If by configured you mean changing lots of settings, then, no. I just powered it on, logged via 192.168.1.1 and used the wizard for standard configuration.

                              You cannot have pfSense have the 192.168.1.x/24 subnet on LAN when you are trying to reach 192.168.1.10 on WAN. You need to reassign a different subnet to LAN and, for example, give WAN 192.168.1.1 to be able to connect to it.
                              You need to read up on other similar threads on how to accomplish this, as using such a GPON module requires quite a lot of networking experience/understanding. That was my other reason for not recommending you attempt this :-)

                              PS: Please read the configuration guidelines I posted/exchanged earlier in this thread. Like I said - I cannot guide you through all of this, so you need to search the net and this forum for everything related to this experiment of yours.

                              • stephenw10S
                                stephenw10 Netgate Administrator

                                Yup that^.

                                It's probably a subnet conflict. If you're using 192.168.1.X on LAN the traffic for the module is being sent there instead of via the WAN NIC.

                                • D
                                  demonaii @stephenw10

                                  Hello again!

                                  I managed to gain access to the SSH to the device.
                                  I started configuring it, and then I lost access to the SFP module because I unknowingly changed the IP of the module.
                                  I regained access again to the SFP module.

                                  I know my MAC, GPON SN and D-SIN data.

                                  When I look at my ISP router, I got this crazy idea.

                                  It could be possible that on the ISP device there could be some kind of "secret information" that I could use to configure the SFP module to the required specifications.

                                  The problem is that I do not have access to the ISP router.
                                  In this case I have two options either

                                  A: I somehow hack myself into the router
                                  or
                                  B: I reset the device to its factory settings. The problem is that if I reset it, I could lose that secret information.

                                  What's interesting is that when I plugged the fibre back into the ISP router, my browser instantly opened and asked for authentication of the device, as if it knew that I was messing with the fibre. It was a web page of the ISP / router.

                                  • GertjanG
                                    Gertjan @demonaii

                                    @demonaii said in Fiber optic to pfSense Box:

                                    I managed to gain access to the SSH to the device.
                                    I started configuring it, and then I lost access to

                                    You've figured out reason number one why the console access is useful 👍

                                    @demonaii said in Fiber optic to pfSense Box:

                                    It could be possible that on the ISP device there could be some kind of "secret information" that I could use to configure the SFP module to the required specifications.

                                    Probably not a 'secret', but your ISP is not going to 'advertise' what they do in their box to make the ISP 'ONT' work on their fiber cable, so it can talk with their equipment on the other side.
                                    ( because clients then want to have access to 'support' about how to activate router/firewall X using SFP module Y )

                                    My ISP in France uses 'special' DHCP option codes and strings to enable (authenticate) the ISP against the ISP. Zapping the ISP box (a triple play router) means: you have to set up the pfSense DHCP client "on your own" = making your own DHCP (v6 and v4) client config file, and place it on pfSense.
                                    And the SFP used needs to be compatible, that goes without saying.

                                    No "help me" PM's please. Use the forum, the community will thank you.
                                    Edit : and where are the logs ??

                                    • keyserK
                                      keyser Rebel Alliance @demonaii

                                      @demonaii The webpage comes because the ISP box once again has link/DNS and the service starts responding at normal speed.

                                      You only really have one option: Trial and error - clone the MAC, serial number and vendor ID and see if it works. If not, you likely have to find some resource on the web or at your ISP that has actual knowledge on how to do this with your ISP.

                                      • D
                                        demonaii

                                        I managed to set the settings and rebooted.
                                        After I logged in I typed onu ploamsg and it sits at errorcode= curr_state 5 previous_state=4.
                                        So it looks like the GPON Authentication State is at O5 or 5?
                                        The question now is: What happens now? I still don't have internet access.

                                        I

                                        • keyserK
                                          keyser Rebel Alliance @demonaii

                                          @demonaii said in Fiber optic to pfSense Box:

                                          I managed to set the settings and rebooted.
                                          After I logged in I typed onu ploamsg and it sits at errorcode= curr_state 5 previous_state=4.
                                          So it looks like the GPON Authentication State is at O5 or 5?
                                          The question now is: What happens now? I still don't have internet access.

                                          I

                                          O5 means that the GPON module has logged in successfully to the GPON tree, and link is established and online. In other words: The first part of GPON has completed and the module has now transitioned into being a Bridge/switch between your Ethernet interface and the ISP's GPON delivered network.

                                          If your ISP had no special config needed, you should just get a DHCP address on your WAN interface in pfSense and everything would be online.

                                          Since that's not the case, they likely have some DHCP options you need to send to authenticate, or their services are encapsulated into a VLAN number that you need to tag all frames in/out of your WAN connection with.

                                          Since they do GPON, it is highly likely you need to use a specific VLAN number. Once that is in place, you may or may not also need special DHCP options to authenticate and get the connection going.

                                          • stephenw10S
                                            stephenw10 Netgate Administrator

                                            I would probably try running a pcap and see if anything VLAN tagged is shown. As a first step at least. It may not show anything but if it does you could try that VLAN.

                                            I assume you have no access to the ISP router that might show the required settings?

                                            1 Reply Last reply Reply Quote 0
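
The pcap check suggested in the last post, as an added example that is not part of the thread or any poster's own code: it reads a classic-format pcap taken on the WAN port and counts frames per outer 802.1Q/802.1ad VLAN ID, so any tagged traffic arriving through the GPON bridge stands out. It assumes an Ethernet link type and the classic pcap format (not pcapng); the sample capture and its VLAN 35 are constructed for illustration.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag protocol IDs

def vlan_summary(pcap_bytes):
    """Count frames per (outer VLAN ID, inner EtherType); untagged frames use VLAN None."""
    magic = pcap_bytes[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian, usec / nsec
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian, usec / nsec
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("expected Ethernet link type 1, got %d" % linktype)
    counts, off = Counter(), 24          # the global header is 24 bytes
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:
            continue                     # truncated, no full Ethernet header
        etype, vid, pos = struct.unpack("!H", frame[12:14])[0], None, 14
        # Walk stacked tags; the outermost VID is the one a WAN VLAN interface must match.
        while etype in TPIDS and len(frame) >= pos + 4:
            tci, etype = struct.unpack("!HH", frame[pos:pos + 4])
            if vid is None:
                vid = tci & 0x0FFF       # low 12 bits of the TCI are the VLAN ID
            pos += 4
        counts[(vid, etype)] += 1
    return counts

def _sample_pcap():
    """Constructed capture: two frames tagged VLAN 35 (ARP, IPv4) and one untagged IPv4 frame."""
    def frame(vid, etype):
        tag = b"" if vid is None else struct.pack("!HH", 0x8100, vid)
        return (b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag
                + struct.pack("!H", etype) + b"\x00" * 46)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(35, 0x0806), frame(35, 0x0800), frame(None, 0x0800)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (vid, etype), n in sorted(vlan_summary(_sample_pcap()).items(), key=str):
        print("vlan=%s ethertype=0x%04x frames=%d" % (vid, etype, n))
```

A VLAN ID that shows up consistently on inbound frames is the candidate to try on a VLAN interface on top of the WAN port; a summary with only untagged frames leaves the DHCP-option route mentioned earlier in the thread.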