

Sophos Hardware & GPON SFP Fiber / Glasfaser How-To

At the time I read up on this via the article below because of Telekom FTTH and a GPON module.

 RE: Sophos Hardware und GPON SFP 

I now have a precise guide on what works and how.

First, as stated in the old post, the best options are the Zyxel PMG3000 aka Telekom Digitalisierungsbox Glasfaser or one from FS.com.

At FS.com you can specify your ONT number as a 10-digit hex value, and it is then flashed onto the module when you order.

The Zyxel can, as in the old post, be configured with the ONT number via the GitHub CLI tool or via its web server. You usually only get the ONT number when the line is activated.

In that post this is described for a Ubiquiti EdgeRouter. At the end you can open the GUI in a web browser and enter the ONT number.

The Zyxel GPON SFP runs a web server internally.

https://jaseg.de/blog/telekom-gpon-sfp/

https://github.com/xvzf/zyxel-gpon-sfp/issues

Disclaimer

I provide this guide as a reference for other knowledgeable users without any warranty. Please feel free to use this as a resource but do not hold me responsible if this does not work for you. There is a significant chance that due to an error on my side or due to Telekom changing their setup this guide will not work for you, and you may end up having to pay for an unsuccessful Telekom technician visit. That is your own risk, and I do not assume any liability.

Tl;dr

The "Telekom Digitalisierungsbox Glasfasermodem" is a GPON ONT in SFP form factor that works with an Ubiquiti EdgeRouter 6P's SFP port. You can order it from Telekom or other vendors using the Telekom P/N 40823569 or its EAN 4718937619382. It costs about the same as the separate plastic box modem, but saves a lot of space and does not require a separate power supply.

To configure, first access the SFP ONT's web interface at 10.10.1.1 by configuring your SFP port's IP to static 10.10.1.2. User credentials are either admin/admin or admin/1234. In the web interface, put the PLOAM password into the "SLID" setting in ASCII mode, then save & reboot the device. Now, configure PPPoE on the router's SFP port using the PPPoE UID [anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] "@t-online.de" and your "Persönliches Kennwort" as PPPoE password. Set the VLAN to 7, and you are good to go.

Background

I moved into a new apartment that has a fiber internet connection operated by Deutsche Telekom. Having made some poor experiences with AVM's FritzBox brand of routers that is commonly used by German carriers, I decided to use my own Router instead of the one provided by Deutsche Telekom. Like other German providers, Telekom charges exorbitant amounts in monthly fees for their routers, so even though my choice ended up being a high-end piece of commercial equipment I will still be cheaper than going with Telekom's much shittier device when added up over a two-year contract period.

The hardware I chose is the Ubiquiti EdgeRouter 6P. This device is from Ubiquiti's commercial lineup and is intended to power something like a small branch office of a company. It comes in a small form factor (as opposed to larger rackmount units), it does not consume a lot of power, it has five PoE-capable Ethernet ports which I can directly connect up to the Ubiquiti Unifi UAP access point that I already have, and it has a powerful configuration interface. It can even act as a VPN endpoint!

Telekom's fiber internet offering for residential customers is GPON-based. GPON stands for "Gigabit Passive Optical Network" and means that instead of patching through one fiber or pair of fibers to each customer, several customers in one building are connected to a single fiber through optical splitters. These optical splitters are passive, i.e. they are just fancy pieces of glass and fibers and do not require electrical power. The advantage of GPON is lower initial cost for the operator, the disadvantage is that competing providers can only ever hope to get traffic handed through by Telekom and will never be able to use their own equipment on the "network" end of the fiber.

Telekom wants you to connect to its fiber network through a small plastic box that they call "modem", and that the rest of the world calls "ONT", or Optical Network Terminator. Telekom's ONT has an upstream optical port with an LC connector, and a regular RJ45 ethernet port downstream. The "modem" in fact contains an entire linux system that terminates the ITU-standard suite of protocols that is used to manage what happens on the fiber, e.g. scheduling of transmission slots and adjustment of transmitter laser power.

Looking at Telekom's plastic box ONT and my nice and shiny EdgeRouter, I was not a fan of this solution. Doing some research I found out that you can in fact get GPON ONTs in an SFP module form factor. My EdgeRouter has an SFP slot, so if I could get one of these that is compatible with Telekom's GPON flavor I could theoretically just plug it into my EdgeRouter's SFP slot with no separate power supply needed, saving a lot of space in the process.

Finding a GPON SFP ONT that is compatible with Telekom's network turned out to be the hard part. While there are lots of commercial devices that look like they should be compatible, I could not be sure and I did not feel like sinking lots of money and weeks of trial and error into figuring out which are and which are not. After about half a dozen calls with various Telekom customer service departments I found the solution that ultimately ended up working: For their business customer fiber internet offering, Telekom uses the same GPON standard, but different ONT equipment. Their router for business customers is called "Digitalisierungsbox" and it in fact comes with an SFP GPON ONT. And, as it turns out, you can order that SFP GPON ONT separately for about 50 € (the same as the plastic box one) from either Telekom or a number of independent online stores. The Telekom part number of the thing is 40823569, the EAN is 4718937619382.

Below is a list of steps that I had to undertake in order to get my EdgeRouter/SFP ONT setup to work.

Hardware Setup

The hardware setup is really simple. The SFP ONU is plugged into the EdgeRouter's SFP port. The ONU is connected to the Telekom Fiber through the LC/APC to SC/APC adapter cable that is included in its package. Telekom's technician will install an LC/APC coupler to join both cables. To configure the EdgeRouter, connect yourself through an ethernet cable on port 2. Ubiquiti's setup wizards assume the WAN interface is either port 1 or the SFP port (port 5), and default to use port 2 as their LAN interface even when port 5 is configured as the only WAN port. The default IP for the EdgeRouter is 192.168.1.1, and the default UID/PW is ubnt/ubnt.

Configuration

Getting access to the SFP ONU's config interface

In this section I am assuming you want to configure the SFP ONU while it is plugged into the EdgeRouter from a laptop connected to the EdgeRouter's ethernet port 2. To do this, we have to first configure the right IP/subnet on the EdgeRouter's SFP interface, then patch connections between the SFP ONU and the laptop through the EdgeRouter.

  1. First, inside the EdgeRouter's config interface we need to configure a static IP with accompanying SNAT rule on the SFP port to allow us to access the SFP module's web interface through the laptop connected to the EdgeRouter. For this, configure the eth5 interface (which is the SFP port) to use the static IP 10.10.1.2/24.
SFP interface configuration to access the SFP ONU from a laptop connected to the EdgeRouter's LAN port
  2. With the SFP port assigned an IP address, we need to add a NAT rule to forward connections from the configuration laptop on eth2 to the SFP port. We do this by adding a source NAT rule with masquerading enabled, for the TCP protocol, with destination address 10.10.1.0/24 (the SFP config interface's private network).
Source NAT configuration to access the SFP ONU from LAN. eth5, masquerading on, TCP, destination 10.10.1.1 (the SFP ONU's IP).
  3. Finally, make sure that your laptop will actually use the EdgeRouter as its gateway for IPs within 10.10.1.0/24. On the laptop, disable any VPNs, disconnect your Wifi and make sure that "ip r" shows a default route pointing at the EdgeRouter's 192.168.1.1. If that isn't the case, on Linux you can manually add the necessary route by using "sudo ip r a 10.10.1.0/24 via 192.168.1.1 dev enp5s0".

After setting up this temporary route, you should be able to access the SFP ONU's configuration web interface by pointing a browser at http://10.10.1.1/. Just make sure you use plain-text HTTP here, not HTTPS. The default login credentials for the device are admin/1234.

The SFP ONU's web interface.

Configuring the PLOAM password / SLID / ONT-Installationskennung

On the SFP ONU's web interface, we only have to change one single setting: Under "Setup", we have to set what the SFP ONU calls "SLID" to the PLOAM password for the interface. Telekom calls this the "ONT-Installationskennung". You get this from your Telekom technician. In the config interface, select ASCII mode and enter the number using the format ABCD000000 with four capital letters followed by six zeros. If necessary, you can read the SFP ONU's serial number on this page.

The SFP ONU's config interface to set SLID/PLOAM PW/ONT-Installationskennung.

Press "Save Config" on the top right of the web page, then select "Reset ONU" and click "Apply" under the "Reset ONU" link on the left. Make sure to not select the factory reset option instead.

Rebooting the SFP ONU.

With the ONU configured, after the reset the "GPON Information" page from the left menu under "Status" from the top menu should show GPON Line Status: O5. You can now remove the SNAT rule and IP address from the SFP interface in the EdgeRouter's config. I recommend this since there is no way to change the ONU's default credentials, and leaving the SNAT rule in place makes it vulnerable to attacks from your LAN. If you use the EdgeRouter's setup wizard in the next step, that wizard will reset all of these settings.

Configuring PPPoE and NAT

Our ONU now has a low-level connection to Telekom's fiber network. The next step is to configure the EdgeRouter to authenticate with the ONU through PPPoE. The easiest way to do this is to use the EdgeRouter's "Basic Setup" wizard as described in the EdgeOS User Guide. In the wizard, select the SFP port (eth5) as the internet/WAN port. Select Internet Connection Type as PPPoE, then enter the PPPoE credentials you got from your Telekom technician. The password is your "Persönliches Kennwort" that you also use to log in to your customer account on Telekom's website. The account name is [anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] "@t-online.de", so something like 002712345678012345678901#0001@t-online.de. Enable "Internet connection is on VLAN" and enter VLAN ID 7. This is necessary because of the way Telekom set up their triple play (TV/phone/internet) service. After following through with the wizard, your internet should be already working on port 2 of the router. Note that despite selecting the SFP port as the router's WAN port, the wizard will still reserve port 1 (eth0) for another WAN interface, so you will only be able to access the configuration interface through port 2 (eth1) after the wizard is done. You can of course change this later.

That's it, you're done and your internet should be working!

Having Fun with the SFP GPON ONU

If you want to dig deeper into the internals of Telekom's GPON implementation, the SFP ONU's firmware is a great starting point. Default credentials are all admin/admin or admin/1234 and you can even get a regular busybox shell on the device through SSH. The device's firmware is based on OpenWRT, and the source for large parts of the core control components can be found under open source licenses as well. While I would strictly advise you to not mess around with the actual modem settings because due to GPON you share a medium with your neighbors and might very well disrupt their internet if you mess up, inspecting the ONU's firmware is a great way to learn about the inner workings of a modern GPON network.

If you are interested in messing around with the SFP ONU, there is a GitHub repository where interesting things are collected here.

The NAT rule from the post also works under Sophos or in pfSense/OPNsense. It just has to be adapted correctly.

What the FRITZ!Box does when you enter the ONT number has to be done beforehand with other hardware. Otherwise the hardware registration via PLOAM at the fiber distribution point does not succeed.

Then just enter the PPPoE credentials on the port together with VLAN 7, and it runs.

I tested all of this on my SG 310 with 10G FlexiPorts and 2x SFP ports. It runs under UTM and XG. pfSense or OPNsense also work without problems. I have OPNsense running on my Sophos.

In a native SFP port the module is only detected at speed 1000SX. But the Zyxel, like the AVM GPON module in the FRITZ!Box, can do 2.5 Gbit down and 1.25 Gbit up.

I then plugged the Zyxel module into the 10G port of the Flexi card and, lo and behold, it is detected at 2.5G/1.25G. SMG2 is probably the topic here.

Interestingly, the Flexi card (aka Intel x520 adapter) supposedly should not detect that. But I don't know whether the speed was only displayed or whether it was actually detected.

There is a discussion that with 1 Gbit fiber only 940 Mbit maximum works and 100 Mbit is given away. I have not been able to test this hypothetical case yet, since I only get 1000/200 Mbit from 1und1 switched on at the end of February; currently it is still 50 Mbit.

Here you can find an extensive discussion of the GPON modules of various manufacturers; it gets interesting from page 24 on.

https://www.computerbase.de/forum/threads/eigenes-modem-an-ftth-anschluss-via-sfp-gpon-modul.2061989/page-32

In my opinion, all GPON modules will probably always be detected as 1000SX in the SFP port, since Sophos only uses Intel NICs there.
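As an added worked example (not code from this thread or from the quoted jaseg.de guide), the shell functions below assemble the Telekom PPPoE user-id from its three parts, check the SLID/PLOAM string format the guide describes, and print the EdgeOS commands for the temporary LAN path to the ONU web interface plus the teardown the guide recommends because the ONU's default credentials cannot be changed. The EdgeOS set/delete syntax, the NAT rule number 5000 and the sample credentials are assumptions, not values from the page.

```shell
# Added example; EdgeOS "set"/"delete" syntax and NAT rule number 5000 are assumptions.

# Telekom PPPoE user-id: <anschlusskennung><zugangsnummer>#<mitbenutzernummer>@t-online.de
pppoe_user_id() {
    printf '%s%s#%s@t-online.de' "$1" "$2" "$3"
}

# SLID / PLOAM password in ASCII mode: exactly four capital letters followed by six zeros
slid_is_valid() {
    case "$1" in
        [[:upper:]][[:upper:]][[:upper:]][[:upper:]]000000) return 0 ;;
        *) return 1 ;;
    esac
}

# Temporary path from the LAN to the ONU web UI at 10.10.1.1 (plain HTTP, fixed default login)
onu_access_setup() {
    cat <<'EOF'
configure
set interfaces ethernet eth5 address 10.10.1.2/24
set service nat rule 5000 type masquerade
set service nat rule 5000 outbound-interface eth5
set service nat rule 5000 protocol tcp
set service nat rule 5000 destination address 10.10.1.1
commit
EOF
}

# Teardown once SLID is set: the ONU's admin password cannot be changed, so the LAN path goes away
onu_access_teardown() {
    cat <<'EOF'
configure
delete service nat rule 5000
delete interfaces ethernet eth5 address 10.10.1.2/24
commit
save
EOF
}

# PPPoE on VLAN 7 of the SFP port, the same result the Basic Setup wizard produces
pppoe_vlan7_config() {
    cat <<EOF
configure
set interfaces ethernet eth5 vif 7 pppoe 0 user-id '$1'
set interfaces ethernet eth5 vif 7 pppoe 0 password '$2'
commit
save
EOF
}
```

Run the setup output on the router only while you enter the SLID, then apply the teardown before the PPPoE configuration; the wizard resets these settings anyway, but the explicit teardown covers the manual route.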
