Fiber optic to pfSense Box

Gblenn

@keyser said in Fiber optic to pfSense Box:

@demonaii This particular SFP comes preconfigured with the IP address 192.168.1.10.
There are multiple ways to access it, but if you have LAN running on your pfSense and it is using the 192.168.1.0/24 network, then you need to resolve the conflict first. If you have any other subnet as LAN, you can simply create a your WAN interface in pfsense using your SPF NIC port. You can then create a VIP address on WAN and give that IP 192.168.1.1/24. You need to create a VIP because the actual WAN IP address will be the one learned using DHCP from your ISP (Unless of course your ISP uses a VLAN which mine does)

I suppose since this will be done without a connection to the ISP, one could instead simply set WAN to static 192.168.1.1/24, right?

And of course any IP conflict still needs to be resolved but when that is done, you don't need anything further, or? You would be able to connect to 192.168.1.10 from LAN without any special rules or NAT...

keyser

@Gblenn said in Fiber optic to pfSense Box:

I suppose since this will be done without a connection to the ISP, one could instead simply set WAN to static 192.168.1.1/24, right?

Yes, that would work to.

And of course any IP conflict still needs to be resolved but when that is done, you don't need anything further, or? You would be able to connect to 192.168.1.10 from LAN without any special rules or NAT...

You cannot connect from LAN without a NAT rule as the GPON module does not have a default gateway. So i can only respond to IPs in the same 192.168.1.0/24 subnet. Hence the need to have pfSense NAT and source packets from the VIP address (or WAN IP if you configure it directly there).

demonaii

I would have to report when I receive my Netgate 2100, and it's already three months late from delivery, and purchase the SFP module that @keyser recommends.

keyser

@demonaii said in Fiber optic to pfSense Box:

I would have to report when I receive my Netgate 2100, and it's already three months late from delivery, and purchase the SFP module that @keyser recommends.

Just to clarify: I'm not recommending going down this rabbithole. Use your ISP box in bridgemode - it's much better and will require no additional support.

I have not checked if my suggested SFP fullfills all the requirements/wavelengths and so on you might need, so that's up to you to do that. I just suggested it because it works for me, and it seems our situation is somewhat similar.

Be advised I cannot do support on configuration of the SFP - you will need to search the internet for that. There is no real deep usable manual on the product from FS.

demonaii

@keyser Well, it's not my first or last rabbithole that I've entered.

When it comes to the SFP requirements, with the known parameters/requirements that I found, I land on these to options on fs.com

https://www.fs.com/de-en/products/133619.html
https://www.fs.com/de-en/products/192476.html

The worst thing that can happen is that I would have to return the item.

I contacted Support, and they told me that the cable is configured to the ISP modem/router, and they told it is" impossible" . I asked them why is it impossible, but I remain unconvinced. Either they don't know or don't want to tell me.

stephenw10

It's not impossible, nothing is.

However it may be very difficult!

The ISP support probably has no idea though. Either they can't support it so.....

keyser

@demonaii If they are like most ISPs (read: all), they just will not help you, and they prefer not to have any other equipment than their own on the infrastructure - which is very understandable.

About the GPON SFP - I think you need to use the first option (the one I linked to), because the generic ones are not customizable. I'm not saying they won't work, but they will only work if your ISP has no GPON device filtering measures in place (such as MAC address, Device Vendor and such).

claferriere

@Gertjan I have been using a Media converter box in which my gpon is placed in the SFP port and then the RJ45 into the 6100. Works fine, I was just wondering how to cut out the "middleman" so to speak. i.e.: replace. the media conversion box with a SFP GPON OTN that does what the media conversion box does. It can't be that outlandish to think this can be don no ?

keyser

@claferriere If you are using a ethernet media converter now that has a GPON Bridge SFP module from your ISP in the SFP port, there should be no issues in just plugging that GPON SFP into the SG-6100.
If it’s not a Ethernet media converter but a GPON to Ethernet media converter (no Ethernet SFP port) then you would need to to embark on the adventure this thread is all about.

demonaii

@keyser

Hello again !

I received my Netgate device and SFP module as you recommended.
However, when I try to connect to the SFP module I receive the message " connection timed out " . I tried fixing it by changing the IP of the router and PC, but then I get the message " destination unreachable".

What am I doing wrong?

stephenw10

You are using that in a 2100?

Can you access the module to configure it? Does it show as linked? Edit: I see you can't.

How are you trying to access it? How is the 2100 configured to allow that?

demonaii

@stephenw10

Yes, I use FS GPON-ONU-34-20BI on 2100.

Yes, pfSense shows that it is detected .
The manual says that the IP for the module is 192.168.1.10

I am trying to access it via PuTTY. If by configured you mean changing lots of settings, then, no. I just powered it on, logged via 192.168.1.1 and used the wizard for standard configuration.

keyser

@demonaii said in Fiber optic to pfSense Box:

@stephenw10

Yes, I use FS GPON-ONU-34-20BI on 2100.

Yes, pfSense shows that it is detected .
The manual says that the IP for the module is 192.168.1.10

I am trying to access it via PuTTY. If by configured you mean changing lots of settings, then, no. I just powered it on, logged via 192.168.1.1 and used the wizard for standard configuration.

You cannot have pfSense have the 192.168.1.x/24 subnet on LAN when you are trying to reach 192.168.1.10 on WAN. You need to reassign a different subnet to LAN and fx. Give WAN 192.168.1.1 to be able to connect to it.
You need to read up on other similar threads on how to acomplish this as using such a GPN module requires quite a lot of networking experience/understanding. That was my other reason for not recommending you attempt this :-)

PS: Please read the configuration guidelines I posted/exchanged earlier in this thread. Like I said - I cannot guide you through all of this, so you need to search the net and this forum for everything related to this experiment of yours.

stephenw10

Yup that^.

It's probably a subnet conflict. If you're using 192.168.1.X on LAN the traffic for the module is being sent there instead of via the WAN NIC.

demonaii

Hello again !

I managed to gain access to the SSH to the device.
I started configuring it, and then I lost access to the SFP module because I unknowingly changed the IP of the module.
I regained access again to the SFP module.

I know my MAC ,GPON SN and D-SIN data.

When I look at my ISP router, I got this crazy idea .

It could be possible that on the ISP device there could be some kind of "secret information" that I could use to configure the SFP module to the required specifications.

The problem is that I do not have access to the ISP router.
In this case I have two options either

A: I somehow hack myself into the router
or
B: I reset the device to its factory settings. The problem is that if I reset it, I could lose that secret information.

What's interesting is that when I plugged the fibre back into the ISP router, my browser instantly opened and asked for authentication of the device, as if it knew that I was messing with the fibre . It was a web page of the ISP / router.

Gertjan

@demonaii said in Fiber optic to pfSense Box:

I managed to gain access to the SSH to the device.
I started configuring it, and then I lost access to

You've figured out reason number one why the console access is useful

@demonaii said in Fiber optic to pfSense Box:

It could be possible that on the ISP device there could be some kind of "secret information" that I could use to configure the SFP module to the required specifications.

Probably not a 'secret', but your ISP is not going to 'advertise' what they do in their box to make the ISP 'ONT' work on their fiber cable, so it can talk with their equipment on the other side.
( because clients then want to have access to 'support' about how to activate router/firewall X using SFP module Y )

My ISP in France uses 'special' DHCP option codes ans trings to enable (authenticate) the ISP against the ISP. Zapping the ISP box (a triple play router) means : you have to set up the pfSense DHCP client "on your own" = making your own DHCP (v6 and v4) client config file, and place it on pfSense.
And the SFP used needs to be compatible, that goes without say.

keyser

@demonaii The webpage comes because the ISP box once again has link/DNS and the service start responding at normal speed.

You only really have one option: Trial and error - clone the MAC, Serialnumber and vendorID and see if it works. If not, you likely have to find some ressource on the web or at your ISP that has actual knowledge on how to do this with your ISP

demonaii

I managed to set the settings and rebooted .
After I logged in I typed onu ploamsg and it sits at errorcode= curr_state 5 previous_state=4 .
So it looks like the GPON Authenticaton State is at O5 or 5 ?
The question now is :What happens now ? I still don't have internet access .

I

keyser

@demonaii said in Fiber optic to pfSense Box:

I managed to set the settings and rebooted .
After I logged in I typed onu ploamsg and it sits at errorcode= curr_state 5 previous_state=4 .
So it looks like the GPON Authenticaton State is at O5 or 5 ?
The question now is :What happens now ? I still don't have internet access .

I

O5 means that the GPON module has logged in successfully to the GPON tree, and link is established on online. In other words: The first part of GPON has completed and the module has now transitioned into being a Bridge/switch between your Ethernet interface and the ISP's GPON delivered network.

If your ISP had no special config needed, you should just get a DHCP address on your WAN interface in pfSense and everything would be online.

Sinces thats not the case they likely have some DHCP options you need to send to authenticate, or their services are encapsulated into a VLAN number that you need to tag all frames in/out of your WAN connection with.

Since they do GPON, it is highly likely you need to use a specific VLAN number. Once that is in place, you may or may not also need special DHCP options to authenticate and get the connection going.

stephenw10

I would probably try running a pcap and see if anything VLAN tagged is shown. As a first step at least. It may not show anything but if it does you could try that VLAN.

I assume you have no access to the ISP router that might show the required settings?