Netgate Discussion Forum

    FTTH setups - connect fiber directly to pfSense

      robi

      Is it working in bridge mode or router mode? Do you have double-nat?

        robi

        I also found this:
        https://www.ubnt.com/ufiber/ufiber-nano-g/
        Clearly stated as: "Operation mode: Bridge only (router mode coming soon as a firmware update)"

          Guest

          You would be better off getting a fiber to copper converter. I don't know many ISPs that actually expose the fiber directly to the customer, most of the setups I've seen have some sort of NTU/FTU that is closed to the customer. It's usually something like a media converter with a single ethernet port. There's nothing wrong with that (unless you have more than 1Gbps), and unless you already have something like a GPON port or miniGBIC port, there really isn't much to gain by directly attaching a pfSense box to a fiber connection in those setups.

          On top of this all, usually, media converters are quite cheap: https://www.amazon.com/TP-Link-Ethernet-Converter-Multi-Mode-MC200CM/dp/B003AVRLZI/ref=sr_1_3?ie=UTF8&qid=1498153166&sr=8-3&keywords=fiber+converter+ethernet

          Regarding the connection itself; there are many setups, the ones I usually connect pfSense to have some sort of VLAN + PPPoE setup. Often there are 3 or 4 VLANs, some have PPPoE, some DHCP, some static and one is multicast only or something like that (for IPTV). Most of the time, it's enough to have pfSense connect to the WAN VLAN and start a PPPoE session, for IPTV you sometimes need IGMP Proxies, snooping on any involved switches and for some interactive features a DHCP client with some special options set is required to get that working.

          I'm testing a newer setup where I only extract the WAN VLAN, and start a PPPoE server on pfSense and loop that back to the CPE the provider supplies. This way, all the 'services' are using the CPE, and internet is totally managed by pfSense.

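Added example, not part of the post above: before pointing pfSense at "the WAN VLAN" on a handoff like the one described (several VLANs carrying PPPoE, DHCP or multicast), it helps to see which tagged VLAN actually carries which service. This sketch classifies raw Ethernet frames by 802.1Q VLAN ID and payload type; the VLAN IDs 10/20/30 and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

PPPOE = {0x8863: "PPPoE discovery", 0x8864: "PPPoE session"}

def classify(frame: bytes):
    """Return (vlan_id or None, service) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if ethertype == 0x8100:                      # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18             # low 12 bits = VLAN ID
    if ethertype in PPPOE:
        return vlan, PPPOE[ethertype]
    if ethertype == 0x0800 and len(frame) >= off + 20:
        ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
        if proto == 2:
            return vlan, "IGMP"
        if proto == 17 and len(frame) >= off + ihl + 4:
            ports = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
            if set(ports) == {67, 68}:           # DHCP client/server ports
                return vlan, "DHCP"
        return vlan, "IPv4"
    return vlan, "other"

def vlan_services(frames):
    seen = defaultdict(set)                      # VLAN ID -> services seen
    for frame in frames:
        vlan, service = classify(frame)
        seen[vlan].add(service)
    return dict(seen)

# --- constructed sample frames; VLAN IDs 10/20/30 are made up ---
def eth(vlan, ethertype, payload):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return b"\xff" * 6 + b"\x02" + bytes(5) + tag + struct.pack("!H", ethertype) + payload
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(4), b"\xff" * 4) + payload

SAMPLE = [
    eth(10, 0x8863, bytes.fromhex("110900000000")),                 # PPPoE PADI
    eth(20, 0x0800, ipv4(17, struct.pack("!HHHH", 68, 67, 8, 0))),  # DHCP
    eth(30, 0x0800, ipv4(2, bytes.fromhex("1164000000000000"))),    # IGMP query
]
```

`vlan_services(SAMPLE)` maps each VLAN ID to the services observed on it; a VLAN that shows only PPPoE discovery traffic is the one a PPPoE client belongs on.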
            robi

            FTTH is deployed using GPON, which is not Ethernet. A simple media converter is not suitable for this task.

            The problem is (as I described in my first post), that in many areas they offer a full-featured home router which has GPON port as WAN, has 4 ethernet ports offering DHCP in the 192.168.1.1 subnet. It's got wifi, voip and other services built-in. Like Huawei EchoLife HG8245A, or ZTE ZXA10 F625G.

            These don't support bridge mode. You can't use pfSense behind them, because you'd have a double NAT then.

              Guest

              @robi:

              FTTH is deployed using GPON, which is not Ethernet. A simple media converter is not suitable for this task.

              The problem is (as I described in my first post), that in many areas they offer a full-featured home router which has GPON port as WAN, has 4 ethernet ports offering DHCP in the 192.168.1.1 subnet. It's got wifi, voip and other services built-in. Like Huawei EchoLife HG8245A, or ZTE ZXA10 F625G.

              These don't support bridge mode. You can't use pfSense behind them, because you'd have a double NAT then.

              Ah yes, you are right. It's much more like coax RF style PTP networking. That kind of sucks! But I suppose you'll need an active device that does GPON (de)modulation and where applicable encryption (upstream data seems to be broadcasted to all access points on the same passive splitter?). While a media converter won't work, an NTU/FTU will as it's more designed as a barebones CPE with no services other than plain ethernet. I believe Genexis is one of the big manufacturers that do them. Usually you have some sort of 'universal' FTU base where an NTU can connect pretty much directly, in some cases a short patch is needed.

              Anyway, the thing is that pfSense does support miniGBIC via ordinary PHY interfaces, but doesn't do much with the adapter that you stick in there. In theory, you could have a GPON transceiver in miniGBIC form factor but unless it exposes some MII-type PHY interface there really isn't anything BSD can do in the GPON scheme of things. Same goes for stuff like DSL, there is almost no support for xDSL chips, and even when there is, a dedicated bridge device is the only 'good' solution so far. It's comparable to WiFi chips where they have to run their own firmware with a tiny RTOS that does the low-level radio stuff. The same goes for cable (i.e. DOCSIS) and GPON as well. 3G/4G, 56k modems etc. do exactly the same thing: an embedded firmware RTOS runs the low level hardware, on top of that is an embedded OS (often Linux) on an application processor that does the rest.

              To get a GPON interface, you would probably need a 'bare' modem, unless GPON streams have additional control parameters per-connection, then you need a somewhat more involved setup. I've seen some diagrams that suggest there is some form of tagging or multiplexing happening, which might need to be mapped to VLANs or separate physical interfaces. I suspect that most full-blown CPEs have the GPON interface and then do internal VLANs, DHCP, PPPoE, IGMP etc. for the rest of the net.

              tl;dr: GPON is comparable to DSL, Frame Relay or DOCSIS and requires a device to turn it into ethernet before you can use pfSense with it.

                chpalmer

                I've been watching this thread myself: https://www.dslreports.com/forum/r31118482-Yes-you-CAN-bypass-the-HomeHub-3000

                Good ideas there but it's reliant on being able to move the SFP module to your equipment. :)

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  Guest

                  @chpalmer:

                  I've been watching this thread myself: https://www.dslreports.com/forum/r31118482-Yes-you-CAN-bypass-the-HomeHub-3000

                  Good ideas there but it's reliant on being able to move the SFP module to your equipment. :)

                  Probably, but the SFP/mGBIC modules could be purchasable separately too. Unless GPON relies on some sort of ID, MAC address and it is used by the ISP to allow you online, in which case you need to duplicate that, or indeed use the module.

                  Using the module isn't hard using a media converter, but you really do need the module in that case. Since GPON is point to point and not ethernet packet switching I do wonder how this all works.

                    nickod

                    @johnkeates:

                    @chpalmer:

                    I've been watching this thread myself: https://www.dslreports.com/forum/r31118482-Yes-you-CAN-bypass-the-HomeHub-3000

                    Good ideas there but it's reliant on being able to move the SFP module to your equipment. :)

                    Probably, but the SFP/mGBIC modules could be purchasable separately too. Unless GPON relies on some sort of ID, MAC address and it is used by the ISP to allow you online, in which case you need to duplicate that, or indeed use the module.

                    Using the module isn't hard using a media converter, but you really do need the module in that case. Since GPON is point to point and not ethernet packet switching I do wonder how this all works.

                    If someone wants to use the SFP from the h3000:
                    GPON uses the SFP serial number to allow you online!

                      Harvy66

                      GPON is a standard line protocol, but there is no standard when it comes to the management features. I doubt your ISP will let you plug in any GPON end-point. A lot of literature from device manufacturers is about proprietary and patented features that require both the head device and client to support.

                      There is no reason why you can't double NAT if you can set up port forwarding. My ISP allows bridge mode, but I've had them mess it up at least once where they switched me back to "residential gateway" mode. Instead of dealing with them making the mistake again, I just placed pfSense in the DMZ and double NAT. Zero issues.

                        SammyWoo

                        How much do they want for these gigabit services?  a couple usd$hundred/month? can't believe they won't even provide a customer-requested plain fiber modem.

                          Guest

                          @SammyWoo:

                          How much do they want for these gigabit services?  a couple usd$hundred/month? can't believe they won't even provide a customer-requested plain fiber modem.

                          They won't because setting up the infrastructure, support, manuals, service endpoints isn't worth the cost. This is how it's always been, and why we still have shitty DOCSIS, DSL and G.PON. And providers that MITM modify traffic legally (well, that's mostly in the USA and BRIC).
