Netgate Discussion Forum

    GPON SFP Module on Netgate 2100 for SFR Business Fiber

    • B
      Bob60
      last edited by Bob60

      Hi,

      In our small business in France, I am struggling around with a Netgate 2100 trying to by-pass our ISP box (SFR Business) to make administration easier (NAT, VPN, Port forwarding, etc.).

      I bought this SFP GPON module
      https://www.fs.com/fr/products/133619.html?attribute=2874&id=326024

      When I plug into my Netgate, the combo port lights up :


      dmesg gives the following log :

      mvneta0: link state changed to UP
      

      and ifconfig -vvvm mvneta0

      mvneta0: flags=1028b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
              description: WAN
              options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
              capabilities=804bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,LINKSTATE>
              ether cc:aa:aa:bb:cc:dd
              hwaddr 90:zz:yy:xx:ww:vv
              inet6 fe80::cexx:aaaa:feee:ddcc%mvneta0 prefixlen 64 scopeid 0x1
              media: Ethernet autoselect (1000baseSX <full-duplex>)
              status: active
              supported media:
                      media autoselect
                      media 1000baseSX mediaopt full-duplex
                      media 1000baseSX
                      media 1000baseT mediaopt full-duplex,master
                      media 1000baseT mediaopt full-duplex
                      media 1000baseT mediaopt master
                      media 1000baseT
                      media 100baseTX mediaopt full-duplex
                      media 100baseTX
                      media 10baseT/UTP mediaopt full-duplex
                      media 10baseT/UTP
                      media none
              nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      

      Interface seems active... but when I plug the fiber into my SFP module, and tcpdump it, I can't get any packet other than the ones coming from my interface mvneta0... no reply to my DHCP inquiries

      00:44:15.229402 cc:aa:aa:bb:cc:dd > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 385: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 371)
          0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from cc:aa:aa:bb:cc:dd, length 343, xid 0x1005eabc, secs 52, Flags [none] (0x0000)
      	  Client-Ethernet-Address cc:aa:aa:bb:cc:dd
      	  Vendor-rfc1048 Extensions
      	    Magic Cookie 0x63825363
      	    DHCP-Message (53), length 1: Discover
      	    Vendor-Class (60), length 65: "neufbox_NB6VAC-FXC-r1_NB6VAC-MAIN-R4.0.45d_NB6VAC-XDSL-A2pv6F039p"
      	    Client-ID (61), length 7: ether cc:aa:aa:bb:cc:dd
      	    Hostname (12), length 9: "RouPfsS01"
      	    Parameter-Request (55), length 10: 
      	      Subnet-Mask (1), BR (28), Time-Zone (2), Classless-Static-Route (121)
      	      Default-Gateway (3), Domain-Name (15), Domain-Name-Server (6), Hostname (12)
      	      Unknown (119), MTU (26)
      

      So, I am wondering if the SFP module is compatible with the fiber signal from my ISP...

      I am new to Netgate, PFSense and FreeBSD... Is there any way to check the optical signal ?

      Best regards,

      Bob

      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        GPON modules usually need to be configured in some way or registered with the provider.

        This sort of setup would usually be achieved by moving an existing module from an ISP's router.

        Can you access the GPON module's SSH interface at 192.168.1.10? That might conflict with your LAN which would require at least temporarily changing it.

        Steve

        • B
          Bob60 @stephenw10
          last edited by

          Dear Steve,

          Thanks for your help. Unfortunately, the ISP box is provided with a built-in GPON module... I have a hammer nearby but I am not sure it is the best solution ;-)

          I have connected my Netgate to a standalone PC.

          My configuration :

          • LAN IP : 192.168.1.5
          • WAN interface activated but not configured

          I log into the Netgate with SSH. I can't ping nor ssh 192.168.1.10

          The SFP interface lights up on the Netgate but is there any command line that could help knowing what's going on ?

          Any suggestion ?

          Bob

          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Ok so first change the LAN subnet to something else like 192.168.100.1/24.

            Now try to ping 192.168.1.10 from pfSense.

            If it still fails add an IPAlias VIP on WAN in that subnet so for example 192.168.1.254/24. Then try to ping again.

            • GertjanG
              Gertjan @stephenw10
              last edited by

              @stephenw10 said in GPON SFP Module on Netgate 2100 for SFR Business Fiber:

              Now try to ping 192.168.1.10 from pfSense.

              Wouldn't that IP address be mentioned in the documentation that comes with such a module ?

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • B
                Bob60 @stephenw10
                last edited by

                Hi,

                Indeed, I have tried this, did not work the first time, but did the second... something must have gone wrong...

                I have managed to log on and change the PON IP address to 192.168.0.10. I did reconnect the Netgate to my network.

                I have now the following configuration

                LAN IP address : 192.168.11.2/24
                WAN IP address : 192.168.0.5/24
                ONT IP address : 192.168.0.10/24

                Here is the ONT network configuration

                root@SFP:/home/ONTUSER# uci show network
                network.loopback=interface
                network.loopback.ifname=lo
                network.loopback.proto=static
                network.loopback.ipaddr=127.0.0.1
                network.loopback.netmask=255.0.0.0
                network.globals=globals
                network.globals.ula_prefix=auto
                network.lct=interface
                network.lct.ifname=lct0
                network.lct.netmask=255.255.255.0
                network.lct.proto=static
                network.lct.macaddr=00:06:B5:B5:B5:B5
                network.lct.ipaddr=192.168.0.10
                network.lct.gateway=192.168.2.0
                network.host=interface
                network.host.ifname=host
                network.host.ipaddr=0.0.0.0
                network.host.netmask=0.0.0.0
                network.host.macaddr=cc:aa:aa:bb:cc:dd
                network.host.proto=static
                network.host6=interface
                network.host6.ifname=@host
                network.host6.proto=static
                

                As far as I know how my ISP distributes IP addresses through its DHCP, I need to send the following information in my DHCP request :

                Vendor-Class (60), length 65: "neufbox_NB6VAC-FXC-r1_NB6VAC-MAIN-R4.0.45d_NB6VAC-XDSL-A2pv6F039p"
                	    Client-ID (61), length 7: ether cc:aa:aa:bb:cc:dd
                

                So, I already changed network.host.macaddr=cc:aa:aa:bb:cc:dd.

                Am I right ? What is the difference between the network.lct and network.host parameters ?

                Any ideas how to get any further ? (I need to wait for my employees to leave after 6 pm to test the connection...)

                Regards,

                Bob

                • B
                  Bob60
                  last edited by

                  I realize that the GPON embedded system is a WRT system

                  root@SFP:/etc# cat openwrt_release
                  DISTRIB_ID="OpenWrt"
                  DISTRIB_RELEASE="7.5.3"
                  DISTRIB_REVISION="14.07_ltq"
                  DISTRIB_CODENAME="sfp"
                  DISTRIB_TARGET="lantiq/generic"
                  DISTRIB_DESCRIPTION="OpenWrt SFP 7.5.3"
                  DISTRIB_TAINTS="no-all busybox"
                  
                  

                  Is there any possibility to pass the configuration of this module through pfSense ?

                  Bob

                  • GertjanG
                    Gertjan @Bob60
                    last edited by Gertjan

                    @Bob60 said in GPON SFP Module on Netgate 2100 for SFR Business Fiber:

                    Any ideas how to get any further ?

                    and ...

                    @Bob60 said in GPON SFP Module on Netgate 2100 for SFR Business Fiber:

                    neufbox

                    Oh oh ... 🇫🇷 FAI(ISP) alert.

                    Dunno about Neuf (edit : wrong : SFR ...), but if they publish details like the other ISP, Orange, then no one knows, not even the ISP itself. Forget about calling the support : "this is unsupported".

                    But help does exist, I guess : you are probably already aware of this forum ?

                    @Bob60 said in GPON SFP Module on Netgate 2100 for SFR Business Fiber:

                    Is there any possibility to pass the configuration of this module through pfSense ?

                    The rest is "what I've read / seen / etc"

                    pfSense sees, in the GPON slot, a 'NIC' that has a 'connection speed X'. Nothing more.
                    You have to access the console of the GPON module to set up parameters, so that the other device, on the other side, recognizes the connection. This is probably, as you've already figured out : the MAC it announces - as this would indicate : "a neuf box on this side".

                    On the pfSense level, in the DHCP WAN client, a DHCP option has to be set up that contains info about the "requesting neuf box" (that isn't a neuf box - it's you using pfSense and a GPON ^^). If this goes like Orange : an encoded DHCP option number full of 'numbers' that include the user ID, a connection password etc.
                    Neuf (SFR) could be totally different of course.
                    The forum I've mentioned above has all the info.

                    I'm just brainstorming btw. I know how this could work with a Livebox & Orange, and if I was just using the connection as "Internet" only I could actually do this : no more Livebox, just the green fiber plugged into the GPON in my 4100. Great. One (stupid !!) box less.
                    But I also use the phone as a fax line (while this is still a thing ..... being a hotel : it actually is).
                    And then there is the "TV" part that makes it really a "mess" - but I need the box as a TV set, as that is the only way I can see 'CNN' (I know, no comments please) : I keep my Livebox ... as I'm paying for it anyway, if I'm using it, or not.
                    And, as said above : not using the 'box' can work, but unsupported. So as soon as someone (Orange) changes something, without telling or documenting it anywhere, my connection drops ..... and ChatGPT won't be able to advise me, neither will the "Orange Pro support". And all this while the connection is down.
                    I'm too old for this ;)

                    • keyserK
                      keyser Rebel Alliance @Bob60
                      last edited by

                      @Bob60 Follow @Gertjan ’s advice. That forum (LaFibre) is where I found everything I needed to get that very fs.com ONT SFP running in my SG-2100 with Orange in France. Seems it's not only Orange that does all they can to make it impossible for customers to have proper passthrough/RAW public IP on their own equipment 8-)

                      But it works when it works, and I have done it for 2 years running now. The DEALBREAKER is the DHCP options they require/insist on.
                      It has to be flawless with Orange - until you have transmitted a flawless DHCP discover frame with all the correctly formatted options, you won't receive a single frame/packet on the link.

                      Love the no fuss of using the official appliances :-)
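
The requirement described in the post above, that the DHCP Discover carry exactly the expected options, can be checked offline by diffing the option list of a captured Discover against a reference. The Python below is an added example, not code from any poster or from pfSense: the function names are hypothetical, the reference profile is an assumption built from the option values in the tcpdump output earlier in the thread, and the candidate is constructed.

```python
"""Diff the option list of a DHCP Discover against a reference profile."""
MAGIC_COOKIE = bytes.fromhex("63825363")  # as printed in the thread's tcpdump
PAD, END = 0, 255


def encode_options(options):
    """Serialise [(code, value), ...] as magic cookie + TLVs + End marker."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return MAGIC_COOKIE + body + bytes([END])


def parse_options(raw):
    """Return [(code, value), ...] in wire order; reject malformed input."""
    if raw[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = [], 4
    while i < len(raw):
        code = raw[i]
        if code == END:
            return options
        if code == PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError(f"option {code} is truncated")
        length = raw[i + 1]
        options.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    raise ValueError("options field has no End (255) marker")


def compare(candidate_raw, reference_raw):
    """List differences; an empty list means the option lists are identical."""
    cand, ref = parse_options(candidate_raw), parse_options(reference_raw)
    cand_map, ref_codes = dict(cand), [c for c, _ in ref]
    problems = []
    for code, value in ref:
        if code not in cand_map:
            problems.append(f"option {code} missing")
        elif cand_map[code] != value:
            problems.append(f"option {code} differs")
    problems += [f"option {c} not in reference" for c, _ in cand if c not in ref_codes]
    if not problems and [c for c, _ in cand] != ref_codes:
        problems.append("same options, different order")
    return problems


MAC = bytes.fromhex("ccaaaabbccdd")  # masked MAC as printed in the thread
# Assumed reference: the option values from the thread's tcpdump output.
REFERENCE = encode_options([
    (53, b"\x01"),  # DHCP message type: Discover
    (60, b"neufbox_NB6VAC-FXC-r1_NB6VAC-MAIN-R4.0.45d_NB6VAC-XDSL-A2pv6F039p"),
    (61, b"\x01" + MAC),  # client-id: hardware type 1 (Ethernet) + MAC
    (12, b"RouPfsS01"),
    (55, bytes([1, 28, 2, 121, 3, 15, 6, 12, 119, 26])),
])
# Constructed candidate: vendor class absent, shorter parameter request list.
CANDIDATE = encode_options([
    (53, b"\x01"),
    (61, b"\x01" + MAC),
    (12, b"RouPfsS01"),
    (55, bytes([1, 28, 2, 121, 3, 15, 6, 12])),
])
```

`compare(CANDIDATE, REFERENCE)` reports the missing option 60 and the differing option 55; which options the ISP actually checks is not stated in the thread.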

                      • B
                        Bob60 @Gertjan
                        last edited by

                        @Gertjan, I know this forum but I thought that problem was more Netgate related... and regarding the SFR support, they are almost useless and if needed I can replug their box.

                        Are you also a NL guy living in France ;-) ?

                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          The GPON module is not what connects to the ISP it just passes the connection.

                          The pfSense WAN interface should still be set to DHCP. You have to add the IPAlias VIP in the GPON mgmt subnet to access it.

                          You should be able to see at least some sort of signal strength so you know the fiber is connected correctly in the gpon cli there.

                          • GertjanG
                            Gertjan @Bob60
                            last edited by Gertjan

                            @Bob60 said in GPON SFP Module on Netgate 2100 for SFR Business Fiber:

                            but I thought that problem was more Netgate related...

                            I see it like this :

                            pfSense is a 'hardware and/or software box' with RJ45 on all sides.
                            Specs for these sockets are world known. [ that is, if you can keep over-the-top VM virtual drivers and Realtek NICs out of the door ]

                            The "ISP" box is another animal.
                            It has a (useless) wifi AP built in.
                            As soon as the connection comes up, it can do a "phone simulation". At best this is a SIP thing, or it looks like SIP, smells like SIP but isn't SIP.
                            It can "create" an extra access to the ISP video and video on demand servers. You often need another box for this. The video communication is often pure, totally undocumented magic.

                            And then there is the media converter. Back in the past : the classic "modem". Later on : a TV cable carrier modulator. And ADSL was also used : worked pretty well over classic POTS ....
                            And now : fiber ... but what goes on over fiber is specced, but what is not known/RFC detailed/written somewhere : how to 'create' the connection.
                            What to send, what to receive, before you have your actual "IP" channel open.

                            That's why every ISP makes its own box. If they didn't, support would melt down the very same day. So things have become very easy these days : when I hook up my Livebox I don't even have to connect to "192.168.1.1" (default Livebox GUI) anymore to enter my fti/xxxx and connection password.
                            But under the hood, everything changed. Things became huge.

                            edit : I've edited my post above.

                            edit :

                            @Bob60 said in GPON SFP Module on Netgate 2100 for SFR Business Fiber:

                            Are you also a NL guy living in France ;-) ?

                            Yep.

                            • keyserK
                              keyser Rebel Alliance @stephenw10
                              last edited by keyser

                              @stephenw10 said in GPON SFP Module on Netgate 2100 for SFR Business Fiber:

                              The GPON module is not what connects to the ISP it just passes the connection.

                              The pfSense WAN interface should still be set to DHCP. You have to add the IPAlias VIP in the GPON mgmt subnet to access it.

                              You should be able to see at least some sort of signal strength so you know the fiber is connected correctly in the gpon cli there.

                              Stephen is correct unless your ISP provides its Internet service in a specific VLAN like Orange does.

                              So you need to figure out if SFR is using a VLAN number for its internet service.

                              The ONT module is just a bridge (like a switch) once it’s configured to connect to the ISP’s fiber. Any frames received on the fiber are passed on to the NIC in pfSense (including VLAN tags if present)

                              • GertjanG
                                Gertjan @keyser
                                last edited by

                                @keyser said in GPON SFP Module on Netgate 2100 for SFR Business Fiber:

                                (like a switch)

                                Or even a modem, as it modulates light waves according to the incoming electrical Ethernet bit stream.
                                And the other way around.
                                And it has of course a micro controller with some OS (a WRT in this case) onboard to monitor stuff, like temp checking, bit rate syncing, and who knows what more.
                                It could even have a 'call home' process for the greater data collection needs ... oh boy ...

                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Mmm, it could do all sorts of things but mostly they don't because no ISP wants to maintain that!

                                  • B
                                    Bob60
                                    last edited by

                                    Hi guys,

                                    Thanks for all your help and advice. I thought that by-passing the SFR box would be much easier to achieve.

                                    I know that some SFR Box 6 users succeeded because ONTs on these boxes are supplied separately allowing easier tcpdumping to know what is going on, not having to mess around with all fiber complicated stuff (sorry but I stopped working in the IT for 13 years now).

                                    On the SFR Box 8 I now have, ONTs are built in making the challenge a step higher.

                                    Unfortunately, I have no time to spend hours or days on this kind of improvement of our small network.

                                    I have much more Netgate related problems to deal with, I will surely post again.

                                    Sorry for this,

                                    Thanks again,

                                    Robert

                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      Always good to detail efforts in an edge case. Someone else will be trying this. 😉

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.