Diffstat (limited to 'posts')
-rw-r--r-- posts/index.html | 5
-rw-r--r-- posts/index.xml | 11
-rw-r--r-- posts/telekom-gpon-sfp/images/edgerouter_interface_config.png | bin 0 -> 148433 bytes
-rw-r--r-- posts/telekom-gpon-sfp/images/edgerouter_route_config.png | bin 0 -> 75601 bytes
-rw-r--r-- posts/telekom-gpon-sfp/images/edgerouter_sfp_config.png | bin 0 -> 56138 bytes
-rw-r--r-- posts/telekom-gpon-sfp/images/edgerouter_snat_config.png | bin 0 -> 118370 bytes
-rw-r--r-- posts/telekom-gpon-sfp/images/edgerouter_snat_config2.png | bin 0 -> 82458 bytes
-rw-r--r-- posts/telekom-gpon-sfp/images/sfp_onu_ploam_pw_config.png | bin 0 -> 152023 bytes
-rw-r--r-- posts/telekom-gpon-sfp/images/sfp_onu_reset.png | bin 0 -> 132106 bytes
-rw-r--r-- posts/telekom-gpon-sfp/images/sfp_onu_web_if.png | bin 0 -> 133838 bytes
-rw-r--r-- posts/telekom-gpon-sfp/index.html | 269
11 files changed, 284 insertions, 1 deletions
diff --git a/posts/index.html b/posts/index.html
index 46d3979..2d8a76e 100644
--- a/posts/index.html
+++ b/posts/index.html
@@ -43,6 +43,11 @@
<ul>
<li>
+ <span class="date">2022/02/21</span>
+ <a href="/posts/telekom-gpon-sfp/">Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber</a>
+ </li>
+
+ <li>
<span class="date">2021/11/23</span>
<a href="/posts/ihsm-worlds-first-diy-hsm/">New Paper on Inertial Hardware Security Modules</a>
</li>
diff --git a/posts/index.xml b/posts/index.xml
index 1df9a62..18a5a5a 100644
--- a/posts/index.xml
+++ b/posts/index.xml
@@ -6,7 +6,16 @@
<description>Recent content in Posts on blog.jaseg.de</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
- <lastBuildDate>Tue, 23 Nov 2021 23:42:20 +0100</lastBuildDate><atom:link href="https://blog.jaseg.de/posts/index.xml" rel="self" type="application/rss+xml" />
+ <lastBuildDate>Mon, 21 Feb 2022 20:00:00 +0100</lastBuildDate><atom:link href="https://blog.jaseg.de/posts/index.xml" rel="self" type="application/rss+xml" />
+ <item>
+ <title>Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber</title>
+ <link>https://blog.jaseg.de/posts/telekom-gpon-sfp/</link>
+ <pubDate>Mon, 21 Feb 2022 20:00:00 +0100</pubDate>
+
+ <guid>https://blog.jaseg.de/posts/telekom-gpon-sfp/</guid>
+ <description>Disclaimer I provide this guide as a reference for other knowledgeable users without any warranty. Please feel free to use this as a resource but do not hold me responsible if this does not work for you. There is a significant chance that due to an error on my side or due to Telekom changing their setup this guide will not work for you, and you may end up having to pay for an unsuccessful Telekom technician visit.</description>
+ </item>
+
<item>
<title>New Paper on Inertial Hardware Security Modules</title>
<link>https://blog.jaseg.de/posts/ihsm-worlds-first-diy-hsm/</link>
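Review bot: The new item's <description> opens with "Disclaimer I provide this guide as a reference...", so the section heading is fused into the feed summary and subscribers see the liability disclaimer rather than what the post covers; it also stops before the disclaimer's final sentence. Set an explicit summary for the post (the Tl;dr paragraph would do) so the generated feed text describes the article.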
diff --git a/posts/telekom-gpon-sfp/images/edgerouter_interface_config.png b/posts/telekom-gpon-sfp/images/edgerouter_interface_config.png
new file mode 100644
index 0000000..72d2a9b
--- /dev/null
+++ b/posts/telekom-gpon-sfp/images/edgerouter_interface_config.png
Binary files differ
diff --git a/posts/telekom-gpon-sfp/images/edgerouter_route_config.png b/posts/telekom-gpon-sfp/images/edgerouter_route_config.png
new file mode 100644
index 0000000..fe65051
--- /dev/null
+++ b/posts/telekom-gpon-sfp/images/edgerouter_route_config.png
Binary files differ
diff --git a/posts/telekom-gpon-sfp/images/edgerouter_sfp_config.png b/posts/telekom-gpon-sfp/images/edgerouter_sfp_config.png
new file mode 100644
index 0000000..01da1e7
--- /dev/null
+++ b/posts/telekom-gpon-sfp/images/edgerouter_sfp_config.png
Binary files differ
diff --git a/posts/telekom-gpon-sfp/images/edgerouter_snat_config.png b/posts/telekom-gpon-sfp/images/edgerouter_snat_config.png
new file mode 100644
index 0000000..6e033ac
--- /dev/null
+++ b/posts/telekom-gpon-sfp/images/edgerouter_snat_config.png
Binary files differ
diff --git a/posts/telekom-gpon-sfp/images/edgerouter_snat_config2.png b/posts/telekom-gpon-sfp/images/edgerouter_snat_config2.png
new file mode 100644
index 0000000..fb7ce32
--- /dev/null
+++ b/posts/telekom-gpon-sfp/images/edgerouter_snat_config2.png
Binary files differ
diff --git a/posts/telekom-gpon-sfp/images/sfp_onu_ploam_pw_config.png b/posts/telekom-gpon-sfp/images/sfp_onu_ploam_pw_config.png
new file mode 100644
index 0000000..66f6f6a
--- /dev/null
+++ b/posts/telekom-gpon-sfp/images/sfp_onu_ploam_pw_config.png
Binary files differ
diff --git a/posts/telekom-gpon-sfp/images/sfp_onu_reset.png b/posts/telekom-gpon-sfp/images/sfp_onu_reset.png
new file mode 100644
index 0000000..13c2ca6
--- /dev/null
+++ b/posts/telekom-gpon-sfp/images/sfp_onu_reset.png
Binary files differ
diff --git a/posts/telekom-gpon-sfp/images/sfp_onu_web_if.png b/posts/telekom-gpon-sfp/images/sfp_onu_web_if.png
new file mode 100644
index 0000000..dea0b8f
--- /dev/null
+++ b/posts/telekom-gpon-sfp/images/sfp_onu_web_if.png
Binary files differ
diff --git a/posts/telekom-gpon-sfp/index.html b/posts/telekom-gpon-sfp/index.html
new file mode 100644
index 0000000..20159eb
--- /dev/null
+++ b/posts/telekom-gpon-sfp/index.html
@@ -0,0 +1,269 @@
+<!DOCTYPE html>
+<html lang="en-us">
+ <head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+ <title>Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber | blog.jaseg.de</title>
+ <link rel="stylesheet" href="/css/style.css" />
+ <link rel="stylesheet" href="/css/fonts.css" />
+
+ <header>
+
+
+ <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/atom-one-light.min.css">
+ <script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/highlight.min.js"></script>
+ <script>hljs.initHighlightingOnLoad();</script>
+ <nav>
+ <ul>
+
+
+ <li class="pull-left ">
+ <a href="https://blog.jaseg.de/">/home/blog.jaseg.de</a>
+ </li>
+
+
+
+
+ </ul>
+ </nav>
+</header>
+
+ </head>
+
+ <body>
+ <br/>
+
+<div class="article-meta">
+<h1><span class="title">Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber</span></h1>
+
+<h2 class="date">2022/02/21</h2>
+<p class="terms">
+
+
+
+
+
+</p>
+</div>
+
+
+
+<main>
+<div class="document">
+
+
+<div class="section" id="disclaimer">
+<h2>Disclaimer</h2>
+<p>I provide this guide as a reference for other knowledgeable users without any warranty. Please feel free to use this as
+a resource but do not hold me responsible if this does not work for you. There is a significant chance that due to an
+error on my side or due to Telekom changing their setup this guide will not work for you, and you may end up having to
+pay for an unsuccessful Telekom technician visit. That is your own risk, and I do not assume any liability.</p>
+</div>
+<div class="section" id="tl-dr">
+<h2>Tl;dr</h2>
+<p>The &quot;Telekom Digitalisierungsbox Glasfasermodem&quot; is a GPON ONT in SFP form factor that works with an Ubiquiti EdgeRouter
+6P's SFP port. You can order it from Telekom or other vendors using the Telekom P/N 40823569 or its EAN 4718937619382.
+It costs about the same as the separate plastic box modem, but saves a lot of space and does not require a separate
+power supply.</p>
+<p>To configure, first access the SFP ONT's web interface at <tt class="docutils literal">10.10.1.1</tt> by configuring your SPF port's IP to static
+<tt class="docutils literal">10.10.1.2</tt>. User credentials are either admin/admin or admin/1234. In the web interface, set put PLOAM password into the
+&quot;SLID&quot; setting in ASCII mode, then save &amp; reboot the device. Now, configure PPPoE on the router's SFP port using the
+PPPoE UID <tt class="docutils literal">[anschlusskennung] [zugangsnummer] &quot;#&quot; [mitbenutzernummer] <span class="pre">&quot;&#64;t-online.de&quot;</span></tt> and your &quot;Persönliches Kennwort&quot; as
+PPPoE password. Set the VLAN to <tt class="docutils literal">7</tt>, and you are good to go.</p>
+</div>
+<div class="section" id="background">
+<h2>Background</h2>
+<p>I moved into a new apartment that has a fiber internet connection operated by Deutsche Telekom. Having made some poor
+experiences with AVM's FritzBox brand of routers that is commonly used by German carriers, I decided to use my own
+Router instead of the one provided by Deutsche Telekom. Like other German providers, Telekom charges exorbitant amounts
+in monthly fees for their routers, so even though my choice ended up being a high-end piece of commercial equipment I
+will still be cheaper than going with Telekom's much shittier device when added up over a two-year contract period.</p>
+<p>The hardware I chose is the Ubiquiti EdgeRouter 6P. This device is from Ubiquiti's commercial lineup and is intended to
+power something like a small branch office of a company. It comes in a small form factor (as opposed to larger rackmount
+units), it does not consume a lot of power, it has five PoE-capable Ethernet ports which I can directly connect up to
+the Ubiquiti Unifi UAP access point that I already have, and it has a powerful configuration interface. It can even
+act as a VPN endpoint!</p>
+<p>Telekom's fiber internet offering for residential customers is GPON-based. GPON stands for &quot;Gigabit Passive Optical
+Network&quot; and means that instead of patching through one fiber or pair of fibers to each customer, several customers in
+one building are connected to a single fiber through optical splitters. These optical splitters are passive, i.e. they
+are just fancy pieces of glass and fibers and do not require electrical power. The advantage of GPON is lower initial
+cost for the operator, the disadvantage is that competing providers can only ever hope to get traffic handed through by
+Telekom and will never be able to use their own equipment on the &quot;network&quot; end of the fiber.</p>
+<p>Telekom wants you to connect to its fiber network through a small plastic box that they call &quot;modem&quot;, and that the rest
+of the world calls &quot;ONT&quot;, or Optical Network Terminator. Telekom's ONT has an upstream optical port with an LC
+connector, and a regular RJ45 ethernet port downstream. The &quot;modem&quot; in fact contains an entire linux system that
+terminates the ITU-standard suite of protocols that is used to manage what happens on the fiber, e.g. scheduling of
+transmission slots and adjustment of transmitter laser power.</p>
+<p>Looking at Telekom's plastic box ONT and my nice and shiny EdgeRouter, I was not a fan of this solution. Doing some
+research I found out that you can in fact get GPON ONTs in an SFP module form factor. My EdgeRouter has an SFP slot, so
+if I could get one of these that is compatible with Telekom's GPON flavor I could theoretically just plug it into my
+EdgeRouter's SFP slot with no separate power supply needed, saving a lot of space in the process.</p>
+<p>Finding a GPON SFP ONT that is compatible with Telekom's network turned out to be the hard part. While there are lots of
+commercial devices that look like they <em>should be</em> compatible, I could not be sure and I did not feel like sinking lots
+of money and weeks of trial and error into figuring out which are and which are not. After about half a dozen calls with
+various Telekom customer service departments I found the solution that ultimately ended up working: For their business
+customer fiber internet offering, Telekom uses the same GPON standard, but different ONT equipment. Their router for
+business customers is called &quot;Digitalisierungsbox&quot; and it in fact comes with an SFP GPON ONT. And, as it turns out, you
+can order that SFP GPON ONT separately for about 50 € (the same as the plastic box one) from either Telekom or a number
+of independent online stores. The Telekom part number of the thing is 40823569, the EAN is 4718937619382.</p>
+<p>Below is a list of steps that I had to undertake in order to get my EdgeRouter/SFP ONT setup to work.</p>
+</div>
+<div class="section" id="hardware-setup">
+<h2>Hardware Setup</h2>
+<p>The hardware setup is really simple. The SFP ONU is plugged into the EdgeRouter's SFP port. The ONU is connected to
+the Telekom Fiber through the LC/APC to SC/APC adapter cable that is included in its package. Telekom's technician will
+install an LC/APC coupler to join both cables. To configure the EdgeRouter, connect yourself through an ethernet cable
+<em>on port 2</em>. Ubiquiti's setup wizards assume the WAN interface is either port 1 or the SFP port (port 5), and default to
+use port 2 as their LAN interface even when port 5 is configured as the only WAN port. The default IP for the EdgeRouter
+is <tt class="docutils literal">192.168.1.1</tt>, and the default UID/PW is ubnt/ubnt.</p>
+</div>
+<div class="section" id="configuration">
+<h2>Configuration</h2>
+<div class="section" id="getting-access-to-the-sfp-onu-s-config-interface">
+<h3>Getting access to the SFP ONU's config interface</h3>
+<p>In this section I am assuming you want to configure the SFP ONU while it is plugged into the EdgeRouter from a laptop
+connected to the EdgeRouter's ethernet port 2. To do this, we have to first configure the right IP/subnet on the
+EdgeRouter's SFP interface, then patch connections between the SFP ONU and the laptop through the EdgeRouter.</p>
+<ol class="arabic simple">
+<li>First, inside the EdgeRouter's config interface we need to configure a static IP with accompanying SNAT rule on the
+SFP port to allow us to access the SFP module's web interface through the laptop connected to the EdgeRouter. For
+this, configure the eth5 interface (which is the SFP port) to use the static IP <tt class="docutils literal">10.10.1.2/24</tt>.</li>
+</ol>
+<figure style="width: 20em">
+ <a href="images/edgerouter_sfp_config.png">
+ <img src="images/edgerouter_sfp_config.png" alt="The EdgeRouter's graphical configuration interface showing IP
+ address 10.10.1.2/24 being configured for interface eth5, which is the SFP interface.">
+ </a>
+ <figcaption>SFP interface configuration to access the SFP ONU from a laptop connected to the EdgeRouter's LAN
+ port</figcaption>
+</figure><ol class="arabic simple" start="2">
+<li>With the SFP port assigned an IP address, we need to add a NAT rule to forward connections from the configuration
+laptop on eth2 to the SFP port. We do this by adding a source NAT rule with masquerading enabled, for the TCP
+protocol, with destination address <tt class="docutils literal">10.10.1.0/24</tt> (the SFP config interface's private network).</li>
+</ol>
+<figure style="width: 20em">
+ <a href="images/edgerouter_snat_config.png">
+ <img src="images/edgerouter_snat_config.png" alt="The EdgeRouter's graphical configuration interface showing a
+ source NAT being configured for interface eth5 for TCP protocol connections to destination address 10.10.1.1
+ using masquerading.">
+ </a>
+ <figcaption>Source NAT configuration to access the SFP ONU from LAN. eth5, masquerading on, TCP, destination
+ 10.10.1.1 (the SFP ONU's IP).</figcaption>
+</figure><ol class="arabic simple" start="3">
+<li>Finally, make sure that your laptop will actually use the EdgeRouter as its gateway for IPs within <tt class="docutils literal">10.10.1.0/24</tt>.
+On the laptop, disable any VPNs, disconnect your Wifi and make sure that IP r shows a default route pointing at the
+EdgeRouter's <tt class="docutils literal">192.168.1.1</tt>. If that isn't the case, on Linux you can manually add the necessary route by using
+<tt class="docutils literal">sudo ip r a 10.10.1.0/24 via 192.168.1.1 dev enp5s0</tt></li>
+</ol>
+<p>After setting up this temporary route, you should be able to access the SFP ONU's configuration web interface by
+pointing a browser at <tt class="docutils literal"><span class="pre">http://10.10.1.1/</span></tt> Just make sure you use plain-text HTTP here, not secure HTTP**S**. The
+default login credentials for the device are admin/1234.</p>
+<figure style="width: 30em">
+ <a href="images/sfp_onu_web_if.png">
+ <img src="images/sfp_onu_web_if.png" alt="The SFP ONU configuration web interface is a basic-looking website with
+ a big Zyxel logo on it. It has menu options named status, setup and management. It shows a system overview
+ page that lists the device's uptime and software version.">
+ </a>
+ <figcaption>The SFP ONU's web interface.</figcaption>
+</figure></div>
+<div class="section" id="configuring-the-ploam-password-slid-ont-installationskennung">
+<h3>Configuring the PLOAM password / SLID / ONT-Installationskennung</h3>
+<p>On the SFP ONU's web interface, we only have to change one single setting: Under &quot;Setup&quot;, we have to set what the SFP
+ONU calls &quot;SLID&quot; to the PLOAM password for the interface. Telekom calls this the &quot;ONT-Installationskennung&quot;. You get
+this from your Telekom technician. In the config interface, select ASCII mode and enter the number using the format
+<tt class="docutils literal">ABCD000000</tt> with four capital letters followed by six zeros. If necessary, you can read the SFP ONU's serial number
+on this page.</p>
+<figure style="width: 30em">
+ <a href="images/sfp_onu_ploam_pw_config.png">
+ <img src="images/sfp_onu_ploam_pw_config.png" alt="The SFP ONU configuration web interface shows its SLID
+ configuration page. A text field labelled SLID asks the user to enter a value of at most ten characters. As
+ an example, abcdefg123 is listed.">
+ </a>
+ <figcaption>The SFP ONU's config interface to set SLID/PLOAM PW/ONT-Installationskennung.</figcaption>
+</figure><p>Press &quot;Save Config&quot; on the top right of the web page, then select &quot;Reset ONU&quot; and click &quot;Apply&quot; under the &quot;Reset ONU&quot;
+link on the left. Make sure to not select the factory reset option instead.</p>
+<figure style="width: 30em">
+ <a href="images/sfp_onu_reset.png">
+ <img src="images/sfp_onu_reset.png" alt="The SFP ONU configuration web interface shows its reset ONU page. There
+ are two options labelled Reset ONU and Reset to factory default settings. The reset ONU option is
+ selected.">
+ </a>
+ <figcaption>Rebooting the SFP ONU.</figcaption>
+</figure><p>With the ONU configured, after the reset the &quot;GPON Information&quot; page from the left menu under &quot;Status&quot; from the top menu
+should show <tt class="docutils literal">GPON Line Status: O5</tt>. You can now remove the SNAT rule and IP address from the SFP interface in the
+EdgeRouter's config. I recommend this since there is no way to change the ONU's default credentials, and leaving the
+SNAT rule in place makes it vulnerable to attacks from your LAN. If you use the EdgeRouter's setup wizard in the next
+step, that wizard will reset all of these settings.</p>
+</div>
+<div class="section" id="configuring-pppoe-and-nat">
+<h3>Configuring PPPoE and NAT</h3>
+<p>Our ONU now has a low-level connection to Telekom's fiber network. The next step is to configure the EdgeRouter to
+authenticate with the ONU through PPPoE. The easiest way to do this is to use the EdgeRouter's &quot;Basic Setup&quot; wizard as
+described in the <cite>EdgeOS User Guide</cite>. In the wizard, select the SFP port (<tt class="docutils literal">eth5</tt>) as the internet/WAN port. Select
+<tt class="docutils literal">Internet Connection Type</tt> as <tt class="docutils literal">PPPoE</tt>, then enter the PPPoE credentials you got from your Telekom technician. The
+password is your &quot;Persönliches Kennwort&quot; that you also use to log in to your customer account on Telekom's website. The
+account name is <tt class="docutils literal">[anschlusskennung] [zugangsnummer] &quot;#&quot; [mitbenutzernummer] <span class="pre">&quot;&#64;t-online.de&quot;</span></tt>, so something like
+<tt class="docutils literal"><span class="pre">002712345678012345678901#0001&#64;t-online.de</span></tt>. Enable &quot;Internet connection is on VLAN&quot; and enter VLAN ID <tt class="docutils literal">7</tt>. This is
+necessary because of the way Telekom set up their triple play (TV/phone/internet) service. After following through with
+the wizard, your internet should be already working on port 2 of the router. Note that despite selecting the SFP port as
+the router's WAN port, the wizard will still reserve port 1 (<tt class="docutils literal">eth0</tt>) for another WAN interface, so you will only be
+able to access the configuration interface through port 2 (<tt class="docutils literal">eth1</tt>) after the wizard is done. You can of course change
+this later.</p>
+<p>That's it, you're done and your internet should be working!</p>
+</div>
+</div>
+<div class="section" id="having-fun-with-the-spf-gpon-onu">
+<h2>Having Fun with the SPF GPON ONU</h2>
+<p>If you want to dig deeper into the internals of Telekom's GPON implementation, the SFP ONU's firmware is a great
+starting point. Default credentials are all admin/admin or admin/1234 and you can even get a regular busybox shell on
+the device through SSH. The device's firmware is based on OpenWRT, and the source for large parts of the core control
+components can be found under open source licenses as well. While I would strictly advice you to not mess around with
+the actual modem settings because due to GPON you share a medium with your neighbors and might very well disrupt their
+internet if you mess up, inspecting the ONU's firmware is a great way to learn about the inner workings of a modern GPON
+network.</p>
+<p>If you are interested in messing around with the SFP ONU, there is a github repository where interesting thins are
+collected <a class="reference external" href="https://github.com/xvzf/zyxel-gpon-sfp/issues">here</a>.</p>
+</div>
+</div>
+</main>
+
+ <footer>
+
+<script>
+(function() {
+ function center_el(tagName) {
+ var tags = document.getElementsByTagName(tagName), i, tag;
+ for (i = 0; i < tags.length; i++) {
+ tag = tags[i];
+ var parent = tag.parentElement;
+
+ if (parent.childNodes.length === 1) {
+
+ if (parent.nodeName === 'A') {
+ parent = parent.parentElement;
+ if (parent.childNodes.length != 1) continue;
+ }
+ if (parent.nodeName === 'P') parent.style.textAlign = 'center';
+ }
+ }
+ }
+ var tagNames = ['img', 'embed', 'object'];
+ for (var i = 0; i < tagNames.length; i++) {
+ center_el(tagNames[i]);
+ }
+})();
+</script>
+
+
+ <div id="license-info">
+ &#169;2020 by Jan Götte. This work is licensed under
+ <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC-BY-NC-SA 4.0</a>.
+ </div>
+ <div id="imprint-info">
+ <a href="/imprint">Impressum und Haftungsausschluss und Datenschutzerklärung</a>.<br/>
+ <a href="/about">About this blog</a>.
+ </div>
+ </footer>
+ </body>
+</html>
+
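Review bot: The steps under "Getting access to the SFP ONU's config interface" contradict themselves: step 2 gives the SNAT destination as 10.10.1.0/24 while the figure caption and alt text directly below say 10.10.1.1, and the laptop is said to be on eth2 although the PPPoE section later maps port 2 to eth1. Pick one value for each and use it consistently in the text, caption and alt text. The Tl;dr also lists the ONU credentials as admin/admin or admin/1234 while this section gives only admin/1234. Smaller points in the same file: "SPF" should be "SFP" in the Tl;dr paragraph and in the last section's heading and id (having-fun-with-the-spf-gpon-onu); "set put PLOAM password", "IP r" (the command is ip r), "strictly advice" and "interesting thins" need fixing; HTTP**S** is Markdown emphasis that will render as literal asterisks in this HTML; the PPPoE paragraph says the router authenticates "with the ONU" although the credentials it asks for are the Telekom ones; and the link described as a "github repository" points at that repository's /issues page. In the template part, the <header> element with the nav is nested inside <head>, and highlight.js and its stylesheet are loaded from protocol-relative cdnjs URLs without an integrity attribute; add integrity and crossorigin, or serve the files from the blog itself.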