FTTH setups - connect fiber directly to pfSense
-
OK so most FTTH providers use GPON architecture to deploy the service at the customers. For the home and small business category users they give a CPE which already contains NAT functions with VoIP and TV out - this prevents the effective usage of pfSense.
The good way would be if there would be some hardware with an SFP slot in it (like a PCI card with an SFP slot), and use a GPON SFP module with it. See:
https://routerboard.com/SFPONU
http://dlink.am/mn/products/1383/1871.html
http://www.ingellen.com/c/gpon-onu-sfp_612
Another way would be to just use a GPON-Ethernet bridge:
https://www.alibaba.com/product-detail/GPON-ONU-for-fiber-to-the_1965826801.html
http://www.netsodis.com/ngn-02g
http://www.dlink.com/uk/en/service-provider-solutions/customer-premises-equipment/gpon
but it's questionable if these are really bridges, and what performance loss they include. And not talking about the extra power they need.
Does anybody have experience with this?
Any PCI or PCI-E card with an SFP cage with proven working GPON stick in it?
-
I don't know anything about hooking fiber straight up to pfSense, but I know when I mentioned it to the provider they said they require their OTN (their equipment, no rental charge) since if any device on the fiber starts acting up all the customers on the fiber end up having performance issues.
The OTN was about the size of two packs of playing cards stacked on top of each other. Of course, first two limitations are it is doing fiber-to-copper conversion, and has only a single 1Gbps ethernet jack as output.
Is this them just covering their butts? Can I tell from the model number on the box they provide? I'm not sure, maybe, but right now don't want to jack with my working 950 Mbps U/D :P
-
Is it working in bridge mode or router mode? Do you have double NAT?
-
I also found this:
https://www.ubnt.com/ufiber/ufiber-nano-g/
Clearly stated as: "Operation mode: Bridge only (router mode coming soon as a firmware update)"
-
You would be better off getting a fiber to copper converter. I don't know many ISPs that actually expose the fiber directly to the customer, most of the setups I've seen have some sort of NTU/FTU that is closed to the customer. It's usually something like a media converter with a single ethernet port. There's nothing wrong with that (unless you have more than 1Gbps), and unless you already have something like a GPON port or miniGBIC port, there really isn't much to gain by directly attaching a pfSense box to a fiber connection in those setups.
On top of this all, usually, media converters are quite cheap: https://www.amazon.com/TP-Link-Ethernet-Converter-Multi-Mode-MC200CM/dp/B003AVRLZI/ref=sr_1_3?ie=UTF8&qid=1498153166&sr=8-3&keywords=fiber+converter+ethernet
Regarding the connection itself: there are many setups, the ones I usually connect pfSense to have some sort of VLAN + PPPoE setup. Often there are 3 or 4 VLANs, some have PPPoE, some DHCP, some static and one is multicast only or something like that (for IPTV). Most of the time, it's enough to have pfSense connect to the WAN VLAN and start a PPPoE session; for IPTV you sometimes need IGMP proxies and snooping on any involved switches, and for some interactive features a DHCP client with some special options set is required to get that working.
I'm testing a newer setup where I only extract the WAN VLAN, and start a PPPoE server on pfSense and loop that back to the CPE the provider supplies. This way, all the 'services' are using the CPE, and internet is totally managed by pfSense.
-
FTTH is deployed using GPON, which is not Ethernet. A simple media converter is not suitable for this task.
The problem is (as I described in my first post), that in many areas they offer a full-featured home router which has GPON port as WAN, has 4 ethernet ports offering DHCP in the 192.168.1.1 subnet. It's got wifi, voip and other services built-in. Like Huawei EchoLife HG8245A, or ZTE ZXA10 F625G.
These don't support bridge mode. You can't use pfSense behind them, because you'd have a double NAT then.
-
Ah yes, you are right. It's much more like coax RF style PTP networking. That kind of sucks! But I suppose you'll need an active device that does GPON (de)modulation and where applicable encryption (upstream data seems to be broadcast to all access points on the same passive splitter?). While a media converter won't work, an NTU/FTU will as it's more designed as a barebones CPE with no services other than plain ethernet. I believe Genexis is one of the big manufacturers that do them. Usually you have some sort of 'universal' FTU base where an NTU can connect pretty much directly, in some cases a short patch is needed.
Anyway, the thing is that pfSense does support miniGBIC via ordinary PHY interfaces, but doesn't do much with the adapter that you stick in there. In theory, you could have a GPON transceiver in miniGBIC form factor but unless it exposes some MII-type PHY interface there really isn't anything BSD can do in the GPON scheme of things. Same goes for stuff like DSL, there is almost no support for xDSL chips, and even when there is, a dedicated bridge device is the only 'good' solution so far. It's comparable to WiFi chips where they have to run their own firmware with a tiny RTOS that does the low-level radio stuff. The same goes for cable (i.e. DOCSIS) and GPON as well. 3G/4G, 56k modems etc. do exactly the same thing: an embedded firmware RTOS runs the low level hardware, on top of that is an embedded OS (often Linux) on an application processor that does the rest.
To get a GPON interface, you would probably need a 'bare' modem, unless GPON streams have additional control parameters per-connection, then you need a somewhat more involved setup. I've seen some diagrams that suggest there is some form of tagging or multiplexing happening, which might need to be mapped to VLANs or separate physical interfaces. I suspect that most full-blown CPE's have the GPON interface and then do internal VLANs, DHCP, PPPoE, IGMP etc. for the rest of the net.
tl;dr: GPON is comparable to DSL, Frame Relay or DOCSIS and requires a device to turn it into ethernet before you can use pfSense with it.
-
I've been watching this thread myself: https://www.dslreports.com/forum/r31118482-Yes-you-CAN-bypass-the-HomeHub-3000
Good ideas there, but it's reliant on being able to move the SFP module to your equipment.. :)
-
Probably, but the SFP/mGBIC modules could be purchasable separately too. Unless GPON relies on some sort of ID, MAC address and it is used by the ISP to allow you online, in which case you need to duplicate that, or indeed use the module.
Using the module isn't hard using a media converter, but you really do need the module in that case. Since GPON is point to point and not ethernet packet switching I do wonder how this all works.
-
If some want to use the SFP from h3000,
The GPON uses the SFP serial number to allow you online!
-
GPON is a standard line protocol, but there is no standard when it comes to the management features. I doubt your ISP will let you plug in any GPON end-point. A lot of literature from device manufacturers is about proprietary and patented features that require both the head device and client to support.
There is no reason why you can't double NAT if you can set up port forwarding. My ISP allows bridge mode, but I've had them mess it up at least once where they switched me back to "residential gateway" mode. Instead of dealing with them making the mistake again, I just placed pfSense in the DMZ and double NAT. Zero issues.
-
How much do they want for these gigabit services? A couple usd$hundred/month? Can't believe they won't even provide a customer-requested plain fiber modem.
-
They won't because setting up the infrastructure, support, manuals, service endpoints isn't worth the cost. This is how it's always been, and why we still have shitty DOCSIS, DSL and G.PON. And providers that MITM modify traffic legally (well, that's mostly in the USA and BRIC).