FTTH setups - connect fiber directly to pfSense
-
Is it working in bridge mode or router mode? Do you have double NAT?
-
I also found this:
https://www.ubnt.com/ufiber/ufiber-nano-g/
Clearly stated as: "Operation mode: Bridge only (router mode coming soon as a firmware update)"
-
You would be better off getting a fiber to copper converter. I don't know many ISPs that actually expose the fiber directly to the customer; most of the setups I've seen have some sort of NTU/FTU that is closed to the customer. It's usually something like a media converter with a single Ethernet port. There's nothing wrong with that (unless you have more than 1Gbps), and unless you already have something like a GPON port or miniGBIC port, there really isn't much to gain by directly attaching a pfSense box to a fiber connection in those setups.
On top of this all, usually, media converters are quite cheap: https://www.amazon.com/TP-Link-Ethernet-Converter-Multi-Mode-MC200CM/dp/B003AVRLZI/ref=sr_1_3?ie=UTF8&qid=1498153166&sr=8-3&keywords=fiber+converter+ethernet
Regarding the connection itself: there are many setups, and the ones I usually connect pfSense to have some sort of VLAN + PPPoE setup. Often there are 3 or 4 VLANs; some have PPPoE, some DHCP, some static, and one is multicast only or something like that (for IPTV). Most of the time it's enough to have pfSense connect to the WAN VLAN and start a PPPoE session. For IPTV you sometimes need IGMP proxies and snooping on any involved switches, and for some interactive features a DHCP client with some special options set is required to get that working.
I'm testing a newer setup where I only extract the WAN VLAN, and start a PPPoE server on pfSense and loop that back to the CPE the provider supplies. This way, all the 'services' are using the CPE, and internet is totally managed by pfSense.
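As an added illustration of the "tagged WAN VLAN + PPPoE" arrangement the post above describes (this is not the poster's configuration, nor pfSense's own mpd5-based setup, but the equivalent on plain FreeBSD using rc.conf and ppp(8)): the script below writes the two config fragments into a staging directory so they can be reviewed before anything touches /etc. The NIC name `igb0`, VLAN ID 6 and the credentials are constructed placeholders; the real values come from the ISP.

```shell
#!/bin/sh
# Added example (not from the thread): generate a FreeBSD-style VLAN + PPPoE
# WAN configuration. igb0, VLAN 6 and the credentials are placeholders.
# Files go under the directory given as the first argument, not /etc directly.
set -eu

write_pppoe_config() {
    root=$1; parent=$2; vid=$3; user=$4; pass=$5
    mkdir -p "$root/etc/rc.conf.d" "$root/etc/ppp"

    # rc.conf fragment: create the tagged WAN VLAN on the parent NIC
    # (FreeBSD names it ${parent}.${vid}) and start ppp(8) at boot in
    # demand-dial mode with the "isp" profile below.
    cat > "$root/etc/rc.conf.d/network" <<EOF
vlans_${parent}="${vid}"
ifconfig_${parent}="up"
ifconfig_${parent}_${vid}="up"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="isp"
EOF

    # ppp.conf: PPPoE over the tagged interface. MTU/MRU 1492 leaves room for
    # the 8-byte PPPoE header inside a 1500-byte Ethernet frame; the default
    # route and DNS servers are taken from IPCP once the session is up.
    cat > "$root/etc/ppp/ppp.conf" <<EOF
default:
 set log Phase Chat LCP IPCP CCP tun command

isp:
 set device PPPoE:${parent}.${vid}
 set authname ${user}
 set authkey ${pass}
 set mtu 1492
 set mru 1492
 set dial
 set login
 set timeout 0
 enable dns
 add default HISADDR
EOF
    # ppp.conf carries the PPPoE password, so keep it root-only.
    chmod 600 "$root/etc/ppp/ppp.conf"
}

# Usage: write_pppoe_config /tmp/stage igb0 6 'user@isp.example' 'secret'
```

The IPTV VLANs mentioned in the post would be added the same way (additional entries in `vlans_igb0`), with IGMP proxying configured separately; this fragment covers only the Internet/PPPoE VLAN.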
-
FTTH is deployed using GPON, which is not Ethernet. A simple media converter is not suitable for this task.
The problem is (as I described in my first post) that in many areas they offer a full-featured home router which has a GPON port as WAN and 4 Ethernet ports offering DHCP in the 192.168.1.1 subnet. It's got WiFi, VoIP and other services built in. Like the Huawei EchoLife HG8245A or the ZTE ZXA10 F625G.
These don't support bridge mode. You can't use pfSense behind them, because you'd have double NAT then.
-
> FTTH is deployed using GPON, which is not Ethernet. A simple media converter is not suitable for this task.
> The problem is (as I described in my first post) that in many areas they offer a full-featured home router which has a GPON port as WAN and 4 Ethernet ports offering DHCP in the 192.168.1.1 subnet. It's got WiFi, VoIP and other services built in. Like the Huawei EchoLife HG8245A or the ZTE ZXA10 F625G.
> These don't support bridge mode. You can't use pfSense behind them, because you'd have double NAT then.
Ah yes, you are right. It's much more like coax RF style PTP networking. That kind of sucks! But I suppose you'll need an active device that does GPON (de)modulation and, where applicable, encryption (upstream data seems to be broadcast to all access points on the same passive splitter?). While a media converter won't work, an NTU/FTU will, as it's designed more as a barebones CPE with no services other than plain Ethernet. I believe Genexis is one of the big manufacturers that do them. Usually you have some sort of 'universal' FTU base where an NTU can connect pretty much directly; in some cases a short patch is needed.
Anyway, the thing is that pfSense does support miniGBIC via ordinary PHY interfaces, but doesn't do much with the adapter that you stick in there. In theory, you could have a GPON transceiver in miniGBIC form factor but unless it exposes some MII-type PHY interface there really isn't anything BSD can do in the GPON scheme of things. Same goes for stuff like DSL, there is almost no support for xDSL chips, and even when there is, a dedicated bridge device is the only 'good' solution so far. It's comparable to WiFi chips where they have to run their own firmware with a tiny RTOS that does the low-level radio stuff. The same goes for cable (i.e. DOCSIS) and GPON as well. 3G/4G, 56k modems etc. do exactly the same thing: an embedded firmware RTOS runs the low level hardware, on top of that is an embedded OS (often linux) on an application processor that does the rest.
To get a GPON interface, you would probably need a 'bare' modem, unless GPON streams have additional control parameters per connection, in which case you need a somewhat more involved setup. I've seen some diagrams that suggest there is some form of tagging or multiplexing happening, which might need to be mapped to VLANs or separate physical interfaces. I suspect that most full-blown CPEs have the GPON interface and then do internal VLANs, DHCP, PPPoE, IGMP etc. for the rest of the net.
tl;dr: GPON is comparable to DSL, Frame Relay or DOCSIS and requires a device to turn it into ethernet before you can use pfSense with it.
-
I've been watching this thread myself: https://www.dslreports.com/forum/r31118482-Yes-you-CAN-bypass-the-HomeHub-3000
Good ideas there, but it's reliant on being able to move the SFP module to your equipment.. :)
-
> I've been watching this thread myself: https://www.dslreports.com/forum/r31118482-Yes-you-CAN-bypass-the-HomeHub-3000
> Good ideas there, but it's reliant on being able to move the SFP module to your equipment.. :)
Probably, but the SFP/mGBIC modules could be purchasable separately too. Unless GPON relies on some sort of ID or MAC address that is used by the ISP to allow you online, in which case you need to duplicate that, or indeed use the module.
Using the module isn't hard with a media converter, but you really do need the module in that case. Since GPON is point to point and not Ethernet packet switching, I do wonder how this all works.
-
@johnkeates:
> I've been watching this thread myself: https://www.dslreports.com/forum/r31118482-Yes-you-CAN-bypass-the-HomeHub-3000
> Good ideas there, but it's reliant on being able to move the SFP module to your equipment.. :)
> Probably, but the SFP/mGBIC modules could be purchasable separately too. Unless GPON relies on some sort of ID or MAC address that is used by the ISP to allow you online, in which case you need to duplicate that, or indeed use the module.
> Using the module isn't hard with a media converter, but you really do need the module in that case. Since GPON is point to point and not Ethernet packet switching, I do wonder how this all works.
If some want to use the SFP from the h3000:
GPON uses the SFP serial number to allow you online!
-
GPON is a standard line protocol, but there is no standard when it comes to the management features. I doubt your ISP will let you plug in any GPON end-point. A lot of literature from device manufacturers is about proprietary and patented features that require both the head-end device and the client to support them.
There is no reason why you can't double NAT if you can set up port forwarding. My ISP allows bridge mode, but I've had them mess it up at least once, where they switched me back to "residential gateway" mode. Instead of dealing with them making the mistake again, I just placed pfSense in the DMZ and double NAT. Zero issues.
-
How much do they want for these gigabit services? A couple hundred USD/month? I can't believe they won't even provide a customer-requested plain fiber modem.
-
> How much do they want for these gigabit services? A couple hundred USD/month? I can't believe they won't even provide a customer-requested plain fiber modem.
They won't, because setting up the infrastructure, support, manuals and service endpoints isn't worth the cost. This is how it's always been, and why we still have shitty DOCSIS, DSL and GPON. And providers that MITM-modify traffic legally (well, that's mostly in the USA and BRIC).