diff options
Diffstat (limited to 'blog/telekom-gpon-sfp')
| -rw-r--r-- | blog/telekom-gpon-sfp/images/edgerouter_interface_config.png | bin | 0 -> 148433 bytes | |||
| -rw-r--r-- | blog/telekom-gpon-sfp/images/edgerouter_route_config.png | bin | 0 -> 75601 bytes | |||
| -rw-r--r-- | blog/telekom-gpon-sfp/images/edgerouter_sfp_config.png | bin | 0 -> 56138 bytes | |||
| -rw-r--r-- | blog/telekom-gpon-sfp/images/edgerouter_snat_config.png | bin | 0 -> 118370 bytes | |||
| -rw-r--r-- | blog/telekom-gpon-sfp/images/edgerouter_snat_config2.png | bin | 0 -> 82458 bytes | |||
| -rw-r--r-- | blog/telekom-gpon-sfp/images/sfp_onu_ploam_pw_config.png | bin | 0 -> 152023 bytes | |||
| -rw-r--r-- | blog/telekom-gpon-sfp/images/sfp_onu_reset.png | bin | 0 -> 132106 bytes | |||
| -rw-r--r-- | blog/telekom-gpon-sfp/images/sfp_onu_web_if.png | bin | 0 -> 133838 bytes | |||
| -rw-r--r-- | blog/telekom-gpon-sfp/index.html | 226 |
9 files changed, 226 insertions, 0 deletions
diff --git a/blog/telekom-gpon-sfp/images/edgerouter_interface_config.png b/blog/telekom-gpon-sfp/images/edgerouter_interface_config.png Binary files differnew file mode 100644 index 0000000..72d2a9b --- /dev/null +++ b/blog/telekom-gpon-sfp/images/edgerouter_interface_config.png diff --git a/blog/telekom-gpon-sfp/images/edgerouter_route_config.png b/blog/telekom-gpon-sfp/images/edgerouter_route_config.png Binary files differnew file mode 100644 index 0000000..fe65051 --- /dev/null +++ b/blog/telekom-gpon-sfp/images/edgerouter_route_config.png diff --git a/blog/telekom-gpon-sfp/images/edgerouter_sfp_config.png b/blog/telekom-gpon-sfp/images/edgerouter_sfp_config.png Binary files differnew file mode 100644 index 0000000..01da1e7 --- /dev/null +++ b/blog/telekom-gpon-sfp/images/edgerouter_sfp_config.png diff --git a/blog/telekom-gpon-sfp/images/edgerouter_snat_config.png b/blog/telekom-gpon-sfp/images/edgerouter_snat_config.png Binary files differnew file mode 100644 index 0000000..6e033ac --- /dev/null +++ b/blog/telekom-gpon-sfp/images/edgerouter_snat_config.png diff --git a/blog/telekom-gpon-sfp/images/edgerouter_snat_config2.png b/blog/telekom-gpon-sfp/images/edgerouter_snat_config2.png Binary files differnew file mode 100644 index 0000000..fb7ce32 --- /dev/null +++ b/blog/telekom-gpon-sfp/images/edgerouter_snat_config2.png diff --git a/blog/telekom-gpon-sfp/images/sfp_onu_ploam_pw_config.png b/blog/telekom-gpon-sfp/images/sfp_onu_ploam_pw_config.png Binary files differnew file mode 100644 index 0000000..66f6f6a --- /dev/null +++ b/blog/telekom-gpon-sfp/images/sfp_onu_ploam_pw_config.png diff --git a/blog/telekom-gpon-sfp/images/sfp_onu_reset.png b/blog/telekom-gpon-sfp/images/sfp_onu_reset.png Binary files differnew file mode 100644 index 0000000..13c2ca6 --- /dev/null +++ b/blog/telekom-gpon-sfp/images/sfp_onu_reset.png diff --git a/blog/telekom-gpon-sfp/images/sfp_onu_web_if.png b/blog/telekom-gpon-sfp/images/sfp_onu_web_if.png Binary files differnew file mode 100644 index 0000000..dea0b8f --- /dev/null +++ b/blog/telekom-gpon-sfp/images/sfp_onu_web_if.png diff --git a/blog/telekom-gpon-sfp/index.html b/blog/telekom-gpon-sfp/index.html new file mode 100644 index 0000000..e077a44 --- /dev/null +++ b/blog/telekom-gpon-sfp/index.html @@ -0,0 +1,226 @@ +<!DOCTYPE html> +<html><head> + <meta charset="utf-8"> + <title>Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber | Home</title> + <meta name="description" content=""> + <meta name="viewport" content="width=device-width, initial-scale=1"> + <meta name="mobile-web-app-capable" content="yes"> + <meta name="color-scheme" content="dark light"> + <link rel="stylesheet" href="/style.css"> +</head> +<body><nav> + <div class="internal"> + + <a href="/" title="Home">Home</a> + <a href="/blog/" title="Blog">Blog</a> + <a href="/projects/" title="Projects">Projects</a> + <a href="/about/" title="About">About</a> + </div> + <div class="external"> + <a href="https://git.jaseg.de/" title="cgit">cgit</a> + <a href="https://github.com/jaseg" title="Github">Github</a> + <a href="https://gitlab.com/neinseg" title="Gitlab">Gitlab</a> + <a href="https://chaos.social/@jaseg" title="Mastodon">Mastodon</a> + </span> +</nav> + + <header> + <h1>Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber</h1> +<ul class="breadcrumbs"> + <li><a href="/">jaseg.de</a></li> + <li><a href="/blog/">Blog</a></li><li><a href="/blog/telekom-gpon-sfp/">Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber</a></li> +</ul> + <strong>2022-02-21</strong> + </header> + <main> + <div class="document"> + + +<div class="section" id="disclaimer"> +<h2>Disclaimer</h2> +<p>I provide this guide as a reference for other knowledgeable users without any warranty. Please feel free to use this as +a resource but do not hold me responsible if this does not work for you. There is a significant chance that due to an +error on my side or due to Telekom changing their setup this guide will not work for you, and you may end up having to +pay for an unsuccessful Telekom technician visit. That is your own risk, and I do not assume any liability.</p> +</div> +<div class="section" id="tl-dr"> +<h2>Tl;dr</h2> +<p>The "Telekom Digitalisierungsbox Glasfasermodem" is a GPON ONT in SFP form factor that works with an Ubiquiti EdgeRouter +6P's SFP port. You can order it from Telekom or other vendors using the Telekom P/N 40823569 or its EAN 4718937619382. +It costs about the same as the separate plastic box modem, but saves a lot of space and does not require a separate +power supply.</p> +<p>To configure, first access the SFP ONT's web interface at <tt class="docutils literal">10.10.1.1</tt> by configuring your SPF port's IP to static +<tt class="docutils literal">10.10.1.2</tt>. User credentials are either admin/admin or admin/1234. In the web interface, set put PLOAM password into the +"SLID" setting in ASCII mode, then save & reboot the device. Now, configure PPPoE on the router's SFP port using the +PPPoE UID <tt class="docutils literal">[anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] <span class="pre">"@t-online.de"</span></tt> and your "Persönliches Kennwort" as +PPPoE password. Set the VLAN to <tt class="docutils literal">7</tt>, and you are good to go.</p> +</div> +<div class="section" id="background"> +<h2>Background</h2> +<p>I moved into a new apartment that has a fiber internet connection operated by Deutsche Telekom. Having made some poor +experiences with AVM's FritzBox brand of routers that is commonly used by German carriers, I decided to use my own +Router instead of the one provided by Deutsche Telekom. Like other German providers, Telekom charges exorbitant amounts +in monthly fees for their routers, so even though my choice ended up being a high-end piece of commercial equipment I +will still be cheaper than going with Telekom's much shittier device when added up over a two-year contract period.</p> +<p>The hardware I chose is the Ubiquiti EdgeRouter 6P. This device is from Ubiquiti's commercial lineup and is intended to +power something like a small branch office of a company. It comes in a small form factor (as opposed to larger rackmount +units), it does not consume a lot of power, it has five PoE-capable Ethernet ports which I can directly connect up to +the Ubiquiti Unifi UAP access point that I already have, and it has a powerful configuration interface. It can even +act as a VPN endpoint!</p> +<p>Telekom's fiber internet offering for residential customers is GPON-based. GPON stands for "Gigabit Passive Optical +Network" and means that instead of patching through one fiber or pair of fibers to each customer, several customers in +one building are connected to a single fiber through optical splitters. These optical splitters are passive, i.e. they +are just fancy pieces of glass and fibers and do not require electrical power. The advantage of GPON is lower initial +cost for the operator, the disadvantage is that competing providers can only ever hope to get traffic handed through by +Telekom and will never be able to use their own equipment on the "network" end of the fiber.</p> +<p>Telekom wants you to connect to its fiber network through a small plastic box that they call "modem", and that the rest +of the world calls "ONT", or Optical Network Terminator. Telekom's ONT has an upstream optical port with an LC +connector, and a regular RJ45 ethernet port downstream. The "modem" in fact contains an entire linux system that +terminates the ITU-standard suite of protocols that is used to manage what happens on the fiber, e.g. scheduling of +transmission slots and adjustment of transmitter laser power.</p> +<p>Looking at Telekom's plastic box ONT and my nice and shiny EdgeRouter, I was not a fan of this solution. Doing some +research I found out that you can in fact get GPON ONTs in an SFP module form factor. My EdgeRouter has an SFP slot, so +if I could get one of these that is compatible with Telekom's GPON flavor I could theoretically just plug it into my +EdgeRouter's SFP slot with no separate power supply needed, saving a lot of space in the process.</p> +<p>Finding a GPON SFP ONT that is compatible with Telekom's network turned out to be the hard part. While there are lots of +commercial devices that look like they <em>should be</em> compatible, I could not be sure and I did not feel like sinking lots +of money and weeks of trial and error into figuring out which are and which are not. After about half a dozen calls with +various Telekom customer service departments I found the solution that ultimately ended up working: For their business +customer fiber internet offering, Telekom uses the same GPON standard, but different ONT equipment. Their router for +business customers is called "Digitalisierungsbox" and it in fact comes with an SFP GPON ONT. And, as it turns out, you +can order that SFP GPON ONT separately for about 50 € (the same as the plastic box one) from either Telekom or a number +of independent online stores. The Telekom part number of the thing is 40823569, the EAN is 4718937619382.</p> +<p>Below is a list of steps that I had to undertake in order to get my EdgeRouter/SFP ONT setup to work.</p> +</div> +<div class="section" id="hardware-setup"> +<h2>Hardware Setup</h2> +<p>The hardware setup is really simple. The SFP ONU is plugged into the EdgeRouter's SFP port. The ONU is connected to +the Telekom Fiber through the LC/APC to SC/APC adapter cable that is included in its package. Telekom's technician will +install an LC/APC coupler to join both cables. To configure the EdgeRouter, connect yourself through an ethernet cable +<em>on port 2</em>. Ubiquiti's setup wizards assume the WAN interface is either port 1 or the SFP port (port 5), and default to +use port 2 as their LAN interface even when port 5 is configured as the only WAN port. The default IP for the EdgeRouter +is <tt class="docutils literal">192.168.1.1</tt>, and the default UID/PW is ubnt/ubnt.</p> +</div> +<div class="section" id="configuration"> +<h2>Configuration</h2> +<div class="section" id="getting-access-to-the-sfp-onu-s-config-interface"> +<h3>Getting access to the SFP ONU's config interface</h3> +<p>In this section I am assuming you want to configure the SFP ONU while it is plugged into the EdgeRouter from a laptop +connected to the EdgeRouter's ethernet port 2. To do this, we have to first configure the right IP/subnet on the +EdgeRouter's SFP interface, then patch connections between the SFP ONU and the laptop through the EdgeRouter.</p> +<ol class="arabic simple"> +<li>First, inside the EdgeRouter's config interface we need to configure a static IP with accompanying SNAT rule on the +SFP port to allow us to access the SFP module's web interface through the laptop connected to the EdgeRouter. For +this, configure the eth5 interface (which is the SFP port) to use the static IP <tt class="docutils literal">10.10.1.2/24</tt>.</li> +</ol> +<figure style="width: 20em"> + <a href="images/edgerouter_sfp_config.png"> + <img src="images/edgerouter_sfp_config.png" alt="The EdgeRouter's graphical configuration interface showing IP + address 10.10.1.2/24 being configured for interface eth5, which is the SFP interface."> + </a> + <figcaption>SFP interface configuration to access the SFP ONU from a laptop connected to the EdgeRouter's LAN + port</figcaption> +</figure><ol class="arabic simple" start="2"> +<li>With the SFP port assigned an IP address, we need to add a NAT rule to forward connections from the configuration +laptop on eth2 to the SFP port. We do this by adding a source NAT rule with masquerading enabled, for the TCP +protocol, with destination address <tt class="docutils literal">10.10.1.0/24</tt> (the SFP config interface's private network).</li> +</ol> +<figure style="width: 20em"> + <a href="images/edgerouter_snat_config.png"> + <img src="images/edgerouter_snat_config.png" alt="The EdgeRouter's graphical configuration interface showing a + source NAT being configured for interface eth5 for TCP protocol connections to destination address 10.10.1.1 + using masquerading."> + </a> + <figcaption>Source NAT configuration to access the SFP ONU from LAN. eth5, masquerading on, TCP, destination + 10.10.1.1 (the SFP ONU's IP).</figcaption> +</figure><ol class="arabic simple" start="3"> +<li>Finally, make sure that your laptop will actually use the EdgeRouter as its gateway for IPs within <tt class="docutils literal">10.10.1.0/24</tt>. +On the laptop, disable any VPNs, disconnect your Wifi and make sure that IP r shows a default route pointing at the +EdgeRouter's <tt class="docutils literal">192.168.1.1</tt>. If that isn't the case, on Linux you can manually add the necessary route by using +<tt class="docutils literal">sudo ip r a 10.10.1.0/24 via 192.168.1.1 dev enp5s0</tt></li> +</ol> +<p>After setting up this temporary route, you should be able to access the SFP ONU's configuration web interface by +pointing a browser at <tt class="docutils literal"><span class="pre">http://10.10.1.1/</span></tt> Just make sure you use plain-text HTTP here, not secure HTTP**S**. The +default login credentials for the device are admin/1234.</p> +<figure style="width: 30em"> + <a href="images/sfp_onu_web_if.png"> + <img src="images/sfp_onu_web_if.png" alt="The SFP ONU configuration web interface is a basic-looking website with + a big Zyxel logo on it. It has menu options named status, setup and management. It shows a system overview + page that lists the device's uptime and software version."> + </a> + <figcaption>The SFP ONU's web interface.</figcaption> +</figure></div> +<div class="section" id="configuring-the-ploam-password-slid-ont-installationskennung"> +<h3>Configuring the PLOAM password / SLID / ONT-Installationskennung</h3> +<p>On the SFP ONU's web interface, we only have to change one single setting: Under "Setup", we have to set what the SFP +ONU calls "SLID" to the PLOAM password for the interface. Telekom calls this the "ONT-Installationskennung". You get +this from your Telekom technician. In the config interface, select ASCII mode and enter the number using the format +<tt class="docutils literal">ABCD000000</tt> with four capital letters followed by six zeros. If necessary, you can read the SFP ONU's serial number +on this page.</p> +<figure style="width: 30em"> + <a href="images/sfp_onu_ploam_pw_config.png"> + <img src="images/sfp_onu_ploam_pw_config.png" alt="The SFP ONU configuration web interface shows its SLID + configuration page. A text field labelled SLID asks the user to enter a value of at most ten characters. As + an example, abcdefg123 is listed."> + </a> + <figcaption>The SFP ONU's config interface to set SLID/PLOAM PW/ONT-Installationskennung.</figcaption> +</figure><p>Press "Save Config" on the top right of the web page, then select "Reset ONU" and click "Apply" under the "Reset ONU" +link on the left. Make sure to not select the factory reset option instead.</p> +<figure style="width: 30em"> + <a href="images/sfp_onu_reset.png"> + <img src="images/sfp_onu_reset.png" alt="The SFP ONU configuration web interface shows its reset ONU page. There + are two options labelled Reset ONU and Reset to factory default settings. The reset ONU option is + selected."> + </a> + <figcaption>Rebooting the SFP ONU.</figcaption> +</figure><p>With the ONU configured, after the reset the "GPON Information" page from the left menu under "Status" from the top menu +should show <tt class="docutils literal">GPON Line Status: O5</tt>. You can now remove the SNAT rule and IP address from the SFP interface in the +EdgeRouter's config. I recommend this since there is no way to change the ONU's default credentials, and leaving the +SNAT rule in place makes it vulnerable to attacks from your LAN. If you use the EdgeRouter's setup wizard in the next +step, that wizard will reset all of these settings.</p> +</div> +<div class="section" id="configuring-pppoe-and-nat"> +<h3>Configuring PPPoE and NAT</h3> +<p>Our ONU now has a low-level connection to Telekom's fiber network. The next step is to configure the EdgeRouter to +authenticate with the ONU through PPPoE. The easiest way to do this is to use the EdgeRouter's "Basic Setup" wizard as +described in the <cite>EdgeOS User Guide</cite>. In the wizard, select the SFP port (<tt class="docutils literal">eth5</tt>) as the internet/WAN port. Select +<tt class="docutils literal">Internet Connection Type</tt> as <tt class="docutils literal">PPPoE</tt>, then enter the PPPoE credentials you got from your Telekom technician. The +password is your "Persönliches Kennwort" that you also use to log in to your customer account on Telekom's website. The +account name is <tt class="docutils literal">[anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] <span class="pre">"@t-online.de"</span></tt>, so something like +<tt class="docutils literal"><span class="pre">002712345678012345678901#0001@t-online.de</span></tt>. Enable "Internet connection is on VLAN" and enter VLAN ID <tt class="docutils literal">7</tt>. This is +necessary because of the way Telekom set up their triple play (TV/phone/internet) service. After following through with +the wizard, your internet should be already working on port 2 of the router. Note that despite selecting the SFP port as +the router's WAN port, the wizard will still reserve port 1 (<tt class="docutils literal">eth0</tt>) for another WAN interface, so you will only be +able to access the configuration interface through port 2 (<tt class="docutils literal">eth1</tt>) after the wizard is done. You can of course change +this later.</p> +<p>That's it, you're done and your internet should be working!</p> +</div> +</div> +<div class="section" id="having-fun-with-the-spf-gpon-onu"> +<h2>Having Fun with the SPF GPON ONU</h2> +<p>If you want to dig deeper into the internals of Telekom's GPON implementation, the SFP ONU's firmware is a great +starting point. Default credentials are all admin/admin or admin/1234 and you can even get a regular busybox shell on +the device through SSH. The device's firmware is based on OpenWRT, and the source for large parts of the core control +components can be found under open source licenses as well. While I would strictly advice you to not mess around with +the actual modem settings because due to GPON you share a medium with your neighbors and might very well disrupt their +internet if you mess up, inspecting the ONU's firmware is a great way to learn about the inner workings of a modern GPON +network.</p> +<p>If you are interested in messing around with the SFP ONU, there is a github repository where interesting thins are +collected <a class="reference external" href="https://github.com/xvzf/zyxel-gpon-sfp/issues">here</a>.</p> +</div> +</div> + </main><footer> + Copyright © 2023 Jan Sebastian Götte + / <a href="/about/">About</a> + / <a href="/imprint/">Imprint</a> +</footer> +<script> + if(navigator.getEnvironmentIntegrity!==undefined)document.querySelector('body').innerHTML=`<h1>Your browser + contains Google DRM</h1>"Web Environment Integrity" is a Google euphemism for a DRM that is designed to + prevent ad-blocking, and which Google has forced into their browsers against widespread public opposition. + In support of an open web, this website does not function with this DRM. Please install a browser such + as <a href="https://www.mozilla.org/en-US/firefox/new/">Firefox</a> that respects your freedom and supports + ad blockers.`; + </script> + </body> +</html> |
