Fiber optic to pfSense Box
-
I create a VLAN in pfSesense->VLANs->Add . Correct ? The question is, which one do I pick ? In my contract I get internet and TV (probably over internet) and looking at the settings it could be anything between 1 and 4094.
Are there any common tags that ISPs use ? Like tag 35 ? I would probably have to eyeball it.
I did a quick search another guy using a different device says that for my ISP provider the internet tag is VLAN 555 and TV VLAN 777 .I did a quick search and could use Wireshark to capture all the traffic, see what VLAN tag is being used. I am not sure if it how to do it if I use an SFP module or do I have to plug the modem into the pfSense WAN port. Wouldn't that ruin the settings ?
Unfortunately , I do not have access to the router settings .
-
You can just capture on the interface in pfSense in Diag > Packet Capture. Just set it to capture all tagged and non-tagged traffic and see what there is.
You can download it and analyze it in Wireshark.
-
@stephenw10
Hello again !The cat bit me, and I decided to risk it and factory reset the ISP router to finally see what is so hidden about it. It looks like, even after reset, the router works just fine. It looks unimpressive to be honest, but there probably should me something salvageable.
The VLAN IDs can be confirmed to be true, and I've added them to the pfSense box VLAN ID section and I think assignments as OPT 1 and OPT 2.
It's not entirely clear where exactly I should configure the DCHP server or client?Even tho I configured the SFP module and received Status 5, in the router there is a LOID + password. Could my O5 be a false positive ?
Here in the pictures below you can see the settings that are by default, when the router is factory reset.
LINK : https://imgur.com/a/mxNrivV -
So the main connection there should be on VLAN555. Set that interface as DHCP.
It seems like you'd need that username/password in the GPON module though, I agree.
-
@demonaii I don’t know of any methods of using a LOID/Password in the L2 GPON connection. Also - I’m quite sure the O5 is not a false positive. The GPON module is connected and linked to the GPON tree.
With my Orange connection the login/password is sent encrypted as L3 DHCP parameters in order for the DHCP client to pass authentication. This is the “black box” I spoke of earlier. If your ISPs setup is similar you are in dire straits if you cannot find someone to clarify how those options should be configured and with what SALT/type of encryption the ID/password should be sent within the DHCP options.
Alternatively a packet capture of the DHCP process in the ISP box (when connected), could reveal how the DHCP process is setup and how the options should be configured. But unless the ISP box has a builtin TCPDUMP you can use, it’s impossible as you cannot sit in the midle of the GPON connection.
-
Ah that's fun*. Hmm, I haven't had cause to dig very deep into GPON. Yet.
-
I asked fs.com customer support and they told me that and I quote
"
The corresponding port of your firewall (i.e. the port where the GPON-ONU-34-20BI module is plugged in) needs to be assigned to the ISP Internet access VLAN- The GPON-ONU-34-20BI module is an SFU, which only has a bridging function. The end user needs to perform PPPoE dial-up on the downstream device. As for whether to perform PPPoE dial-up on the Netgate SG 2100 firewall or on a further downstream device, could please consult the downstream equipment supplier? "
@keyser Maybe I should call the ISP again because I called them and they said " somebody messed with their settings . " .
VLAN555 with parent interface WAN , Enable WAN DCHP on WAN interface ? Set a NAT and firewall rule from WAN to LAN ?
-
You need to assign the WAN as the VLAN555 interface and set it to DHCP. It should then pull a lease from the ISP. Except that it may well require some custom dhcp client options as @keyser said.
-
@demonaii Exactly what @stephenw10 said
-
Okay I switched to DHCP for the VLAN and I pull a IP but still no net. Probably I would have to contact the ISP ?
EDIT: The same thing I do with the IPTV or is IPTV on top of Net ?
-
Getting IPTV to work would probably require some other stuff in place, it depends how it's presented to stuff internally.
However I wouldn't worry about that until you get regular internet working.
It pulls an address/gateway via DHCP? Is the gateway pingable? Is it a real public IP?
-
I can ping my public IP. I don't know about the gateway, however I do have internet. It's not the full 1 Gbps by contract, it's about 96 Mbps, but it works. I don't know what I did, I maybe It's because I turned pfSense of and unplugged the fibre.
What might be the reason for the low speed ?
-
@demonaii said in Fiber optic to pfSense Box:
I can ping my public IP. I don't know about the gateway, however I do have internet. It's not the full 1 Gbps by contract, it's about 96 Mbps, but it works. I don't know what I did, I maybe It's because I turned pfSense and unplugged the fibre.
What might be the reason for the low speed ?
Cool!! - then you really were lucky and have a ISP that does not jump through hoops to make it difficult for customers to use their own equipment. I have experienced several times that pfSense requires a reboot when you assign new VLANs to active interfaces before it starts working. I actually just discussed this with @stephenw10 in another thread last week :-) I’m sure you just experienced the same thing.
About the speed. 96Mbps sound very much like something on your side is only linked at 100Mbps. Check both the physical link speed of WAN and LAN on pfSense and especially your Client PC/switch ports.
-
Yup suspiciously close to 100Mbps. How are you testing?
-
Strange, kind, lost the connection again. Probably because I halted the device and unplugged it from the outlet. I still have the public IP, tho. :/
I am directly or should I say was connected to the router . The standalone switch was planning to install it tomorrow but it looks like it has to wait . :(
I plugged my laptop directly to LAN1. The cable, probably, can't be the problem . WAN,LAN and OPT all says 1000base . The LAN port is on default. The laptop can achieve the speeds of the ISP router.
-
So you are testing against speedtest.net or some similar public site?
It's possible the ISP limits you depending on the login.
-
@stephenw10 Well, I use whatever is out there speedtest, fast.com .
What do you mean exactly ? Using mine or their router ?
-
I mean some ISPs will provide some limited connection speed, often for testing, until you authenticate correctly. It's possible you're seeing that if everything internally is linked at 1G or higher.
-
I called the ISP and the technicians came today. They weren't happy what I was planning, they told is it is not possible, and I was cut from the network.
The younger technician told me that I wasn't getting internet and the problem lied at the box for the flat. He plugged it in to the ISP and called it a day but gave me a wink or so I thought of what I wanted to do. I checked the ISP router settings and there is a new WAN connection known as CGNAT for internet. The VLANIDs looked changed, so probably I would have to change them.
-
Can only try it and see.
