Fiber optic to pfSense Box
-
Hello again !
I received my Netgate device and SFP module as you recommended.
However, when I try to connect to the SFP module I receive the message " connection timed out " . I tried fixing it by changing the IP of the router and PC, but then I get the message " destination unreachable".What am I doing wrong?
-
You are using that in a 2100?
Can you access the module to configure it? Does it show as linked? Edit: I see you can't.
How are you trying to access it? How is the 2100 configured to allow that?
-
Yes, I use FS GPON-ONU-34-20BI on 2100.
Yes, pfSense shows that it is detected .
The manual says that the IP for the module is 192.168.1.10I am trying to access it via PuTTY. If by configured you mean changing lots of settings, then, no. I just powered it on, logged via 192.168.1.1 and used the wizard for standard configuration.
-
@demonaii said in Fiber optic to pfSense Box:
Yes, I use FS GPON-ONU-34-20BI on 2100.
Yes, pfSense shows that it is detected .
The manual says that the IP for the module is 192.168.1.10I am trying to access it via PuTTY. If by configured you mean changing lots of settings, then, no. I just powered it on, logged via 192.168.1.1 and used the wizard for standard configuration.
You cannot have pfSense have the 192.168.1.x/24 subnet on LAN when you are trying to reach 192.168.1.10 on WAN. You need to reassign a different subnet to LAN and fx. Give WAN 192.168.1.1 to be able to connect to it.
You need to read up on other similar threads on how to acomplish this as using such a GPN module requires quite a lot of networking experience/understanding. That was my other reason for not recommending you attempt this :-)PS: Please read the configuration guidelines I posted/exchanged earlier in this thread. Like I said - I cannot guide you through all of this, so you need to search the net and this forum for everything related to this experiment of yours.
-
Yup that^.
It's probably a subnet conflict. If you're using 192.168.1.X on LAN the traffic for the module is being sent there instead of via the WAN NIC.
-
Hello again !
I managed to gain access to the SSH to the device.
I started configuring it, and then I lost access to the SFP module because I unknowingly changed the IP of the module.
I regained access again to the SFP module.I know my MAC ,GPON SN and D-SIN data.
When I look at my ISP router, I got this crazy idea .
It could be possible that on the ISP device there could be some kind of "secret information" that I could use to configure the SFP module to the required specifications.
The problem is that I do not have access to the ISP router.
In this case I have two options eitherA: I somehow hack myself into the router
or
B: I reset the device to its factory settings. The problem is that if I reset it, I could lose that secret information.What's interesting is that when I plugged the fibre back into the ISP router, my browser instantly opened and asked for authentication of the device, as if it knew that I was messing with the fibre . It was a web page of the ISP / router.
-
@demonaii said in Fiber optic to pfSense Box:
I managed to gain access to the SSH to the device.
I started configuring it, and then I lost access toYou've figured out reason number one why the console access is useful
@demonaii said in Fiber optic to pfSense Box:
It could be possible that on the ISP device there could be some kind of "secret information" that I could use to configure the SFP module to the required specifications.
Probably not a 'secret', but your ISP is not going to 'advertise' what they do in their box to make the ISP 'ONT' work on their fiber cable, so it can talk with their equipment on the other side.
( because clients then want to have access to 'support' about how to activate router/firewall X using SFP module Y )My ISP in France uses 'special' DHCP option codes ans trings to enable (authenticate) the ISP against the ISP. Zapping the ISP box (a triple play router) means : you have to set up the pfSense DHCP client "on your own" = making your own DHCP (v6 and v4) client config file, and place it on pfSense.
And the SFP used needs to be compatible, that goes without say. -
@demonaii The webpage comes because the ISP box once again has link/DNS and the service start responding at normal speed.
You only really have one option: Trial and error - clone the MAC, Serialnumber and vendorID and see if it works. If not, you likely have to find some ressource on the web or at your ISP that has actual knowledge on how to do this with your ISP
-
I managed to set the settings and rebooted .
After I logged in I typed onu ploamsg and it sits at errorcode= curr_state 5 previous_state=4 .
So it looks like the GPON Authenticaton State is at O5 or 5 ?
The question now is :What happens now ? I still don't have internet access .I
-
@demonaii said in Fiber optic to pfSense Box:
I managed to set the settings and rebooted .
After I logged in I typed onu ploamsg and it sits at errorcode= curr_state 5 previous_state=4 .
So it looks like the GPON Authenticaton State is at O5 or 5 ?
The question now is :What happens now ? I still don't have internet access .I
O5 means that the GPON module has logged in successfully to the GPON tree, and link is established on online. In other words: The first part of GPON has completed and the module has now transitioned into being a Bridge/switch between your Ethernet interface and the ISP's GPON delivered network.
If your ISP had no special config needed, you should just get a DHCP address on your WAN interface in pfSense and everything would be online.
Sinces thats not the case they likely have some DHCP options you need to send to authenticate, or their services are encapsulated into a VLAN number that you need to tag all frames in/out of your WAN connection with.
Since they do GPON, it is highly likely you need to use a specific VLAN number. Once that is in place, you may or may not also need special DHCP options to authenticate and get the connection going.
-
I would probably try running a pcap and see if anything VLAN tagged is shown. As a first step at least. It may not show anything but if it does you could try that VLAN.
I assume you have no access to the ISP router that might show the required settings?
-
I create a VLAN in pfSesense->VLANs->Add . Correct ? The question is, which one do I pick ? In my contract I get internet and TV (probably over internet) and looking at the settings it could be anything between 1 and 4094.
Are there any common tags that ISPs use ? Like tag 35 ? I would probably have to eyeball it.
I did a quick search another guy using a different device says that for my ISP provider the internet tag is VLAN 555 and TV VLAN 777 .I did a quick search and could use Wireshark to capture all the traffic, see what VLAN tag is being used. I am not sure if it how to do it if I use an SFP module or do I have to plug the modem into the pfSense WAN port. Wouldn't that ruin the settings ?
Unfortunately , I do not have access to the router settings .
-
You can just capture on the interface in pfSense in Diag > Packet Capture. Just set it to capture all tagged and non-tagged traffic and see what there is.
You can download it and analyze it in Wireshark.
-
@stephenw10
Hello again !The cat bit me, and I decided to risk it and factory reset the ISP router to finally see what is so hidden about it. It looks like, even after reset, the router works just fine. It looks unimpressive to be honest, but there probably should me something salvageable.
The VLAN IDs can be confirmed to be true, and I've added them to the pfSense box VLAN ID section and I think assignments as OPT 1 and OPT 2.
It's not entirely clear where exactly I should configure the DCHP server or client?Even tho I configured the SFP module and received Status 5, in the router there is a LOID + password. Could my O5 be a false positive ?
Here in the pictures below you can see the settings that are by default, when the router is factory reset.
LINK : https://imgur.com/a/mxNrivV -
So the main connection there should be on VLAN555. Set that interface as DHCP.
It seems like you'd need that username/password in the GPON module though, I agree.
-
@demonaii I don’t know of any methods of using a LOID/Password in the L2 GPON connection. Also - I’m quite sure the O5 is not a false positive. The GPON module is connected and linked to the GPON tree.
With my Orange connection the login/password is sent encrypted as L3 DHCP parameters in order for the DHCP client to pass authentication. This is the “black box” I spoke of earlier. If your ISPs setup is similar you are in dire straits if you cannot find someone to clarify how those options should be configured and with what SALT/type of encryption the ID/password should be sent within the DHCP options.
Alternatively a packet capture of the DHCP process in the ISP box (when connected), could reveal how the DHCP process is setup and how the options should be configured. But unless the ISP box has a builtin TCPDUMP you can use, it’s impossible as you cannot sit in the midle of the GPON connection.
-
Ah that's fun*. Hmm, I haven't had cause to dig very deep into GPON. Yet.
-
I asked fs.com customer support and they told me that and I quote
"
The corresponding port of your firewall (i.e. the port where the GPON-ONU-34-20BI module is plugged in) needs to be assigned to the ISP Internet access VLAN- The GPON-ONU-34-20BI module is an SFU, which only has a bridging function. The end user needs to perform PPPoE dial-up on the downstream device. As for whether to perform PPPoE dial-up on the Netgate SG 2100 firewall or on a further downstream device, could please consult the downstream equipment supplier? "
@keyser Maybe I should call the ISP again because I called them and they said " somebody messed with their settings . " .
VLAN555 with parent interface WAN , Enable WAN DCHP on WAN interface ? Set a NAT and firewall rule from WAN to LAN ?
-
You need to assign the WAN as the VLAN555 interface and set it to DHCP. It should then pull a lease from the ISP. Except that it may well require some custom dhcp client options as @keyser said.
-
@demonaii Exactly what @stephenw10 said