Fiber optic to pfSense Box
-
@demonaii Yeah - please make sure you understand that GPON is NOT Ethernet. So we are not talking a traditional Ethernet SFP module here. You need a GPON to Ethernet Bridge SFP module. I use this model in my Netgate 2100 in France:
https://www.fs.com/de-en/products/133619.html
Works like a charm, but let me assure you - that is only the case because there are hundreds of Frenchmen doing reverse engineering on how Orange (ISP) have set up their GPON infrastructure - AND - still - it’s only possible because Orange also have a “leak” through one of their technicians, and he provides important needed information for actually passing authentication with a non-Orange GPON unit.
Without the leaked information from him it would be impossible.
It requires a lot of SPECIAL DHCP config and DHCP options in pfSense along with a little config and MAC addr./device ID cloning from an Orange router to the Linux running within the SFP module. -
@demonaii said in Fiber optic to pfSense Box:
Probably could burn their equipment, who knows?
It wouldn't burn the equipment but it could interfere with another customer. The wavelength could be any of several. Also, sometimes the same wavelength is used for both directions, with a duplex fibre. Other times it's two wavelengths with simplex fibre.
And yes, I do have hands on experience with this stuff with a telecom company.
-
@demonaii So the type of module that keyser suggested will probably work fine. It has to be one with a full width opening to take that connector you are showing. There are bidirectional modules that have a single half size slot but they will only take the smaller connector you see on the right in the picture I pasted.
Also, to make sure MAC address isn't becoming an issue, simply locate the MAC of the ZTE modem and copy it over to pfsense. It's probably printed on the back of the device, or you will find it in the UI for "internet connection".
Worst case, you end up sending the module back and you have to stick to running the modem in bridge mode. -
@Gblenn said in Fiber optic to pfSense Box:
@demonaii So the type of module that keyser suggested will probably work fine. It has to be one with a full width opening to take that connector you are showing. There are bidirectional modules that have a single half size slot but they will only take the smaller connector you see on the right in the picture I pasted.
Also, to make sure MAC address isn't becoming an issue, simply locate the MAC of the ZTE modem and copy it over to pfsense. It's probably printed on the back of the device, or you will find it in the UI for "internet connection".
Worst case, you end up sending the module back and you have to stick to running the modem in bridge mode.
The module I suggested uses the LC connector of the fiber the OP has. The other modules you are referring to as bidirectional are not GPON modules, they are BiDi Ethernet modules and have nothing to do with GPON.
GPON is a single fiberstrand passive optical multiplexing technology - something completely different than optical Ethernet - both in specs, transport framing and signaling.
Regarding the MAC address cloning - doing it in pfSense does not help as it is the GPON interface in the SFP that logs into the GPON tree. So you need to clone the MAC address to the GPON interface of the SFP which is controlled by the built in Linux inside the SFP. After that has logged in to GPON, then it enters bridge mode so the pfSense Ethernet frames are bridged to the GPON transport by the SFP module. Here it may or may not be necessary to have the same MAC address in pfSense as the GPON module used for login (depends on the ISP).
-
@keyser said in Fiber optic to pfSense Box:
@Gblenn said in Fiber optic to pfSense Box:
@demonaii So the type of module that keyser suggested will probably work fine. It has to be one with a full width opening to take that connector you are showing. There are bidirectional modules that have a single half size slot but they will only take the smaller connector you see on the right in the picture I pasted.
Also, to make sure MAC address isn't becoming an issue, simply locate the MAC of the ZTE modem and copy it over to pfsense. It's probably printed on the back of the device, or you will find it in the UI for "internet connection".
Worst case, you end up sending the module back and you have to stick to running the modem in bridge mode.
The module I suggested uses the LC connector of the fiber the OP has. The other modules you are referring to as bidirectional are not GPON modules, they are BiDi Ethernet modules and have nothing to do with GPON.
GPON is a single fiberstrand passive optical multiplexing technology - something completely different than optical Ethernet - both in specs, transport framing and signaling.
Understood, and of course the fs.com site and others will list all the info on their sites and let you search by category. But it's quite the jungle and a lot of data that fits in the "headline/name", where most of it will actually be the same.
But good that you clarified!
Regarding the MAC address cloning - doing it in pfSense does not help as it is the GPON interface in the SFP that logs into the GPON tree. So you need to clone the MAC address to the GPON interface of the SFP which is controlled by the built in Linux inside the SFP. After that has logged in to GPON, then it enters bridge mode so the pfSense Ethernet frames are bridged to the GPON transport by the SFP module. Here it may or may not be necessary to have the same MAC address in pfSense as the GPON module used for login (depends on the ISP).
Ah yes, and most likely (or hopefully) the ISP will not bother locking MAC at the GPON level, as it would just complicate things. Then again, who knows...
But it's not impossible that they have registered the ethernet MAC of the Router, which my ISP does for example. In which case cloning in pfsense will of course work.
But then again, I suppose that would have come up already when setting the modem in bridge mode wouldn't it? -
@Gblenn Yeah, the fact that they offer bridgemode likely suggests that they do not care about the actual router MAC address.
But they might care about the GPON logon MAC address - to make sure it's their box that connects to the GPON tree.
So the OP should probably expect to be required to clone the MAC to the GPON part of the SFP. -
@keyser Hmm, and I suppose not all modules allow changing MAC and/or serial number? So best bet might be to buy one that does...
-
@Gblenn Yes - exactly. That is one thing you need to consider. The FS module I suggested allows you to change the MAC address.
-
But that still may not help if the ISP doesn't allow unregistered GPON devices to connect. It's possible (but shouldn't be!) to get gpon modules you can reprogram to match your existing device. But that's a deep rabbit hole!
-
@stephenw10 True - The FS module I linked to allows vendor and regID customisation as well.
So if you can get all the needed details, you can have that GPON SFP look exactly like your ISP provided GPON device (typically the router with integrated GPON).
The problem is getting the needed info as you might not have a login to the ISP box that can reveal all this info.
Like I said in my first comment: If the ISP box does Bridgemode, then use that. Doing GPON directly in a GPON SFP is a rabbithole and could require you to configure settings/info that you cannot get unless the ISP is ready to assist you.
-
I understand that I am looking for an SFP module that is optic to digital and not digital to optic. Like this one, as you suggested.
https://www.fs.com/de-en/products/133619.html
Is this my only choice?
I would have to connect to the module through my Netgate via LAN and configure it. I saw there is a bit of information written down under the ISP modem/router like MAC, GPON SN and so on.
What kind of information are we talking about?
-
Mmm, interesting. I didn't realise the FS module was that 'open'. If it was me I would try it because that sort of fun is what I'm here for.
But, yes, just using bridge mode is likely to be far easier. -
@demonaii MAC and Serial number is exactly the information you may need (and possibly one other item). But it could also be that you don't need to do anything, and it simply works. That is, if your ISP has not made any efforts at limiting what endpoint equipment is being used.
You would not configure that part from pfsense UI however...
I guess @keyser knows the details of that specific module, but I suppose there will be a manual with all the info you need. Any changes will be done by logging into the device via Telnet or SSH.
So you will need to plug it into something that allows you to access it from your LAN side. So any cheap switch with SFP ports will do. I'm guessing it may default to an IP that conflicts with e.g. pfsense (192.168.1.1) but setting your PC to a static IP within the right subnet and disconnecting the switch from LAN will get you there.
-
You can access a modem/module UI through pfSense as long as its IP address doesn't conflict with some subnet already defined there.
You may need to configure pfSense to NAT to its subnet.
-
@stephenw10 said in Fiber optic to pfSense Box:
You can access a modem/module UI through pfSense as long as its IP address doesn't conflict with some subnet already defined there.
You may need to configure pfSense to NAT to its subnet.
Seems like it will use 192.168.1.10, and it's SSH only according to the manual
https://resource.fs.com/mall/doc/20230831180515egrzs6.pdf -
@demonaii This particular SFP comes preconfigured with the IP address 192.168.1.10.
There are multiple ways to access it, but if you have LAN running on your pfSense and it is using the 192.168.1.0/24 network, then you need to resolve the conflict first. If you have any other subnet as LAN, you can simply create your WAN interface in pfsense using your SFP NIC port. You can then create a VIP address on WAN and give that IP 192.168.1.1/24. You need to create a VIP because the actual WAN IP address will be the one learned using DHCP from your ISP (unless of course your ISP uses a VLAN, which mine does).
To be able to connect to SSH on 192.168.1.10 from LAN will require a firewall rule that allows this on LAN, and you need to create a NAT rule that NATs outbound traffic on your WAN interface with a destination of 192.168.1.10. This needs to be NAT'ed and originate from the VIP address. This is needed because the SFP module does not have a default Gateway address, so it can only talk to clients in the same 192.168.1.0/24 network.
-
@keyser said in Fiber optic to pfSense Box:
@demonaii This particular SFP comes preconfigured with the IP address 192.168.1.10.
There are multiple ways to access it, but if you have LAN running on your pfSense and it is using the 192.168.1.0/24 network, then you need to resolve the conflict first. If you have any other subnet as LAN, you can simply create your WAN interface in pfsense using your SFP NIC port. You can then create a VIP address on WAN and give that IP 192.168.1.1/24. You need to create a VIP because the actual WAN IP address will be the one learned using DHCP from your ISP (unless of course your ISP uses a VLAN, which mine does).
I suppose since this will be done without a connection to the ISP, one could instead simply set WAN to static 192.168.1.1/24, right?
And of course any IP conflict still needs to be resolved but when that is done, you don't need anything further, or? You would be able to connect to 192.168.1.10 from LAN without any special rules or NAT...
-
@Gblenn said in Fiber optic to pfSense Box:
I suppose since this will be done without a connection to the ISP, one could instead simply set WAN to static 192.168.1.1/24, right?
Yes, that would work too.
And of course any IP conflict still needs to be resolved but when that is done, you don't need anything further, or? You would be able to connect to 192.168.1.10 from LAN without any special rules or NAT...
You cannot connect from LAN without a NAT rule as the GPON module does not have a default gateway. So it can only respond to IPs in the same 192.168.1.0/24 subnet. Hence the need to have pfSense NAT and source packets from the VIP address (or WAN IP if you configure it directly there).
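
An added example, not part of any post in this thread: a small Python check of the reachability argument above, showing why a module with no default gateway only answers on-link sources, and flagging the subnet conflict that has to be resolved first. The addresses 192.168.1.10/24 and 192.168.1.1/24 come from the thread; the LAN subnet 192.168.10.0/24, the client address and the function names are assumptions.

```python
import ipaddress

# Module default from the thread; it has no default gateway configured.
SFP_MGMT = ipaddress.ip_interface("192.168.1.10/24")

def sfp_can_reply(src_ip, sfp=SFP_MGMT):
    """Without a default gateway the module only answers on-link sources."""
    return ipaddress.ip_address(src_ip) in sfp.network

def plan_access(wan_addrs, other_ifaces, client_ip, sfp=SFP_MGMT):
    """Check whether an admin PC behind pfSense can reach the module.

    wan_addrs:    CIDR addresses on the SFP-facing port (static or VIP)
    other_ifaces: {name: CIDR} for every other pfSense interface
    client_ip:    address of the admin PC
    """
    # 1. No other interface may overlap the module's management subnet.
    conflicts = sorted(
        name for name, cidr in other_ifaces.items()
        if ipaddress.ip_interface(cidr).network.overlaps(sfp.network)
    )
    if conflicts:
        return {"ok": False, "reason": "subnet conflict", "conflicts": conflicts}

    # 2. pfSense needs its own address inside that subnet on the SFP port.
    on_link = [
        str(i.ip) for i in map(ipaddress.ip_interface, wan_addrs)
        if i.ip in sfp.network and i.ip != sfp.ip
    ]
    if not on_link:
        return {"ok": False, "reason": "no address in module subnet",
                "conflicts": []}

    # 3. Compare the source address the module sees with and without NAT.
    return {
        "ok": True,
        "conflicts": [],
        "nat_source": on_link[0],
        "reply_without_nat": sfp_can_reply(client_ip, sfp),
        "reply_with_nat": sfp_can_reply(on_link[0], sfp),
    }

if __name__ == "__main__":
    # Constructed layout: LAN 192.168.10.1/24, admin PC at 192.168.10.50.
    print(plan_access(["192.168.1.1/24"], {"LAN": "192.168.10.1/24"},
                      "192.168.10.50"))
```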
-
I would have to report when I receive my Netgate 2100, and it's already three months late from delivery, and purchase the SFP module that @keyser recommends.
-
@demonaii said in Fiber optic to pfSense Box:
I would have to report when I receive my Netgate 2100, and it's already three months late from delivery, and purchase the SFP module that @keyser recommends.
Just to clarify: I'm not recommending going down this rabbithole. Use your ISP box in bridgemode - it's much better and will require no additional support.
I have not checked if my suggested SFP fulfills all the requirements/wavelengths and so on you might need, so that's up to you to do that. I just suggested it because it works for me, and it seems our situation is somewhat similar.
Be advised I cannot do support on configuration of the SFP - you will need to search the internet for that. There is no real deep usable manual on the product from FS.