Fiber optic to pfSense Box

demonaii

Hello!

A few months ago, I purchased 1 Gbps Internet and the technicians installed the service, and I am happy to have fast internet. I was provided by the ISP a router/modem that is quite lacking, and I want to change it. The router I was provided is the ZTE ZXHN F670L. Unfortunately, I cannot access the router itself.I want to get rid of this thing. I purchased a Netgate pfSense 2100 with an SFP WAN port. As far as I know if I want to connect the fiber optic cable connector directly to the Netgate box, I would need an SFP transceiver that can translate the signal into digits and backwards. When I was checking the specs requirements of the router, I am not sure which criteria is critical for optimal functioning. Is laser wavelength important? How about optical transmit power or receiver sensitivity ? The device manual says SC/APC PON interface and the Net says SC/UPC PON interface. I checked fs.com for transceivers with the known parameters and I landed with these three transceivers:
3x (GPON / SC/ACP / Wavelength 1310 TX / 1490 RX )

https://www.fs.com/de-en/products/133619.html?now_cid=4895

https://www.fs.com/de-en/products/192476.html?now_cid=4895

https://www.fs.com/de-en/products/192478.html?now_cid=4895

Gertjan

@demonaii

Be aware that de SFP should be compatible with your 2100.
And compatible with the specs of the fibre side == your ISP.

And when installed, you probably have to to login into he SFP module (yep, I'm serious) !) and set parameters like (example) : the MAC, as the ISP might only accept the MAC from your actual "ZTE ZXHN F670L" - or not - and who knows what else is needed.

Here in France, DHCP and DHCPv6 OPTIONs are needed to identify against the ISP : we have to encode login user and password and more stuff, and build big DHCP options to enable to connection.

Every ISP handles fiber differently. You didn't talk about yours, so : who knows ^^

stephenw10

Also your ISP may simply refuse to register 3rd party GPON devices. I would want to be sure other ISP customers have been able to do this before spending money.

demonaii

@Gertjan

What should I look for when searching for an SFP module that is compatible with my box and the ISP ?

Logging into and configuring SFP module, that's understandable. Where can I find this kind of information ?

My ISP is A1 Bulgaria.

Otherwise, you're telling me I should discard what I am thinking and just use my modem in bridge mode while my pfSense works as a router ?

@stephenw10

It is possible that my ISP can refuse to register my GPON device . How do I make sure ISP doesn't do that ?

elvisimprsntr

@demonaii said in Fiber optic to pfSense Box:

What should I look for when searching for an SFP module that is compatible with my box and the ISP ?

found the spec for the ZTE ZXHN F670 (non-L) model. Not sure if the F670L is the same or different.

https://www.router-switch.com/pdf2html/pdf/zte-zxhn-f670-datasheet.pdf

Do you use the ZTE for VoIP or IPTV service? If so, then you will never be able to completely eliminate it. You would have to figure out how to put it in bridge or pass-thru mode.

demonaii

@elvisimprsntr

Right now, they are only two devices that are connected to the network, a computer and a smart TV box. I plan on connecting more devices via a switch, however that's not important right now.

The only information I can gather from the manual in the box for the ZXHN F670L is that it uses an SC/APC GPON optic interface.

Searching for further information on the net, I find conflicting information, for example:

https://www.telecomate.com/zte-zxhn-f670l.html
This website writes about SC/UPC interface, even tho it has the same model. No information for wavelength.

https://www.ycict.net/products/zxhn-f670l-ftth/
This website writes about SC/APC interface and wavelength, however I don't have information on my side to verify that my router/modem uses the same wavelength.

https://fiberm.pl/en/zte-zxhn-f670l-ce-gpon-ont-4xge
This website writes about the same interface from the first example but adds the question of different GPON class.

stephenw10

@demonaii said in Fiber optic to pfSense Box:

It is possible that my ISP can refuse to register my GPON device . How do I make sure ISP doesn't do that ?

You could call them and ask. But many ISPs are just clueless about that stuff so you may get nothing useful there.

You could just try it and find out.

Or you could try to find some other customers from that ISP who have tried it already. That's what I would do first. Perhaps they have a user forum or reddit channel etc.

elvisimprsntr

@demonaii

I'd just put the device in bridge mode, but it doesn't seem very user friendly.

https://www.animmouse.com/p/converge-zte-bridge-mode/#google_vignette

demonaii

@elvisimprsntr

I contacted tech support, and they told me that bridge mode is enabled and that the public IP goes to the second router behind my modem. Which will be my future Netgate 2100 .

When it comes to the modem, I am not sure if ISP can provide me with this information.

stephenw10

That probably isn't using gpon on the 2100 though. I would expect bridge mode like that to be passing the IP via Ethernet.

keyser

@demonaii Agree with @stephenw10 - If your ISP box supports/can run in Bridgemode, then use that. Bridgemode means that it will transparantly bridge (switch) from the very complicated GPON setup to standard Ethernet on the inside - to which you can easily connect your pfSense’s WAN interface.

Setting up a GPON SFP directly in your pfSense to work with your ISP can be borderline impossible. It may (probably will) require information/settings that you cannot obtain unless the ISP is willing to assist you and detail EVERY requirement they place on their GPON delivery setup - something I’ll bet they wont :-)

Gblenn

@demonaii said in Fiber optic to pfSense Box:

@elvisimprsntr

I contacted tech support, and they told me that bridge mode is enabled and that the public IP goes to the second router behind my modem. Which will be my future Netgate 2100 .

When it comes to the modem, I am not sure if ISP can provide me with this information.

Have you checked the SFP module in the modem? Can you try to simply move it over to your pfsense box, it may be compatible?
One thing that may be needed is to spoof the MAC from the ZTE unit they have provided.

ISP's are different of course but I have done exactly that with three different ISP's I've had in the past few years, all with their own and quite different equipment installed at my place.

elvisimprsntr

@Gblenn
ZTE devices typically don't have a SPF module. Bridge or pass through mode is the way to go.

Internal photo of the F670E, but can't imagine the F670L is much different.

https://fccid.io/Q78-ZXHNF670E

JKnott

@demonaii said in Fiber optic to pfSense Box:

What should I look for when searching for an SFP module that is compatible with my box and the ISP ?

One factor is the wavelength used for you. With fibre, multiple wavelengths of infrared are used to connect different customers. The ISP can use Coarse Wavelength Division Multiplexing (CWDM) for multiple connections over the same fibre, with a diffraction grating filter to separate them. Your ISP will have to tell you what to use. However, if they already provided a gateway, you may be able to find out by reading the info on the SFP.

demonaii

@keyser

How does it look like from a security standpoint? Am I more or less secure with or without the ZTE, if we assume that I configure the pfSense the right way ?

@Gblenn

Does the module in the modem differ from your usual modules ? I mean, I would have to disassemble the whole router to even see it. I still do not have my pfSense box.

There are three options:

1. Use SFP module by ISP or from a 3rd party vendor
2. To use a media converter, however, I still would be with the same number of devices.
3. Use standard RJ45 cable

@JKnott

From the information I've gathered, I come landed on three different SFP modules.
In my second post I talk about conflicting information between the manual in the box what the internet says about this matter.

keyser

@demonaii From a security standpoint you are as secure as your pfSense config is done - with or without the ISP box in bridgemode.

Getting a GPON SFP module (even if you can get all the relevant info from your ISP to configure it) is exactly the same as running the ISP box in bridgemode.
In fact, a GPON SFP module for pfSense is a small GPON to Ethernet Bridge with a running Linux distro within the SFP module to configure and manage the bridge on it - Exactly like the ISP box in Bridgemode. The only difference is you have to configure it with the relevant ISP settings, and perhaps a slightly lower power consumption.

Gblenn

@demonaii said in Fiber optic to pfSense Box:

@Gblenn

Does the module in the modem differ from your usual modules ? I mean, I would have to disassemble the whole router to even see it. I still do not have my pfSense box.

There are three options:

1. Use SFP module by ISP or from a 3rd party vendor
2. To use a media converter, however, I still would be with the same number of devices.
3. Use standard RJ45 cable

So the ZTE seems to have the media converter built in. So what do you have going into the slot at the bottom right? Isn't that your patch cable/fiber, looking like one of these perhaps?

Then you just need a compatible SFP module, with the correct wavelengths.

Alternative two will, as you say, not save you any equipment, and as others are saying you can always simply continue using the modem in bridge mode.

demonaii

@Gblenn

My optic fiber looks like this :

My biggest concern when deciding on a compatible SFP module is the wavelength. My ISP wont be happy if there is a mismatch in laser wavelength. Probably could burn their equipment, who knows ?

If I understand it correctly, wavelength downstream is RX (1490nm) and wavelength upstream is TX (1310 nm). Am I right?

When I checked the information for the connector type, it looks like this is an SC/APC connector because it is angled, while the SC/UPC is not angled at all.

stephenw10

@demonaii said in Fiber optic to pfSense Box:

My ISP wont be happy if there is a mismatch in laser wavelength. Probably could burn their equipment, who knows

It just won't see any data.

A much bigger issue is that the ISP has to accept 3rd party GPON devices on to their network and, AFAIK, most do not.

keyser

@demonaii Yeah - please make sure you understand that GPON is NOT Ethernet. So we are not talking a traditional Ethernet SFP module here. You need a GPON to Ethernet Bridge SFP module. I use this model in my Netgate 2100 in France:

https://www.fs.com/de-en/products/133619.html

Works like a charm, but let me assure you - that is only the case because there are hundreds of frenchmen doing reverse engineering on how Orange (ISP) have setup their GPON infrastructure - AND - still - It’s only possible because Orange also have a “leak” through one of their technicians, and he provides important needed information for actually passing authentication with a non-orange GPON unit.
Without the leaked information from him it would be impossible.
It requires a lot of SPECIAL DHCP config and DHCP options in pfSense along with a little config and MAC addr./device ID cloning from a Orange router to the Linux running within the SFP module.