Tl;dr
The "Telekom Digitalisierungsbox Glasfasermodem" is a GPON ONT in SFP form factor that works with a Ubiquiti EdgeRouter
6P's SFP port. You can order it from Telekom or other vendors using the Telekom P/N 40823569 or its EAN 4718937619382.
It costs about the same as the separate plastic box modem, but saves a lot of space and does not require a separate
power supply.
To configure, first access the SFP ONT's web interface at 10.10.1.1 by configuring your SFP port's IP to static
10.10.1.2. User credentials are either admin/admin or admin/1234. In the web interface, put the PLOAM password into the
"SLID" setting in ASCII mode, then save & reboot the device. Now, configure PPPoE on the router's SFP port using the
PPPoE UID [anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] "@t-online.de" and your "Persönliches Kennwort" as
PPPoE password. Set the VLAN to 7, and you are good to go.
Background
I moved into a new apartment that has a fiber internet connection operated by Deutsche Telekom. Having had some poor
experiences with AVM's FritzBox brand of routers that is commonly used by German carriers, I decided to use my own
router instead of the one provided by Deutsche Telekom. Like other German providers, Telekom charges exorbitant amounts
in monthly fees for their routers, so even though my choice ended up being a high-end piece of commercial equipment, it
will still be cheaper than going with Telekom's much shittier device when added up over a two-year contract period.
The hardware I chose is the Ubiquiti EdgeRouter 6P. This device is from Ubiquiti's commercial lineup and is intended to
power something like a small branch office of a company. It comes in a small form factor (as opposed to larger rackmount
units), it does not consume a lot of power, it has five PoE-capable Ethernet ports which I can directly connect up to
the Ubiquiti Unifi UAP access point that I already have, and it has a powerful configuration interface. It can even
act as a VPN endpoint!
Telekom's fiber internet offering for residential customers is GPON-based. GPON stands for "Gigabit Passive Optical
Network" and means that instead of patching through one fiber or pair of fibers to each customer, several customers in
one building are connected to a single fiber through optical splitters. These optical splitters are passive, i.e. they
are just fancy pieces of glass and fibers and do not require electrical power. The advantage of GPON is lower initial
cost for the operator, the disadvantage is that competing providers can only ever hope to get traffic handed through by
Telekom and will never be able to use their own equipment on the "network" end of the fiber.
Telekom wants you to connect to its fiber network through a small plastic box that they call "modem", and that the rest
of the world calls "ONT", or Optical Network Terminator. Telekom's ONT has an upstream optical port with an LC
connector, and a regular RJ45 Ethernet port downstream. The "modem" in fact contains an entire Linux system that
terminates the ITU-standard suite of protocols that is used to manage what happens on the fiber, e.g. scheduling of
transmission slots and adjustment of transmitter laser power.
Looking at Telekom's plastic box ONT and my nice and shiny EdgeRouter, I was not a fan of this solution. Doing some
research I found out that you can in fact get GPON ONTs in an SFP module form factor. My EdgeRouter has an SFP slot, so
if I could get one of these that is compatible with Telekom's GPON flavor I could theoretically just plug it into my
EdgeRouter's SFP slot with no separate power supply needed, saving a lot of space in the process.
Finding a GPON SFP ONT that is compatible with Telekom's network turned out to be the hard part. While there are lots of
commercial devices that look like they should be compatible, I could not be sure and I did not feel like sinking lots
of money and weeks of trial and error into figuring out which are and which are not. After about half a dozen calls with
various Telekom customer service departments I found the solution that ultimately ended up working: For their business
customer fiber internet offering, Telekom uses the same GPON standard, but different ONT equipment. Their router for
business customers is called "Digitalisierungsbox" and it in fact comes with an SFP GPON ONT. And, as it turns out, you
can order that SFP GPON ONT separately for about 50 € (the same as the plastic box one) from either Telekom or a number
of independent online stores. The Telekom part number of the thing is 40823569, the EAN is 4718937619382.
Below is a list of steps that I had to undertake in order to get my EdgeRouter/SFP ONT setup to work.
Hardware Setup
The hardware setup is really simple. The SFP ONU is plugged into the EdgeRouter's SFP port. The ONU is connected to
the Telekom Fiber through the LC/APC to SC/APC adapter cable that is included in its package. Telekom's technician will
install an LC/APC coupler to join both cables. To configure the EdgeRouter, connect your computer to port 2 with an
Ethernet cable. Ubiquiti's setup wizards assume the WAN interface is either port 1 or the SFP port (port 5), and default to
using port 2 as their LAN interface even when port 5 is configured as the only WAN port. The default IP for the EdgeRouter
is 192.168.1.1, and the default UID/PW is ubnt/ubnt.
Configuration
Getting access to the SFP ONU's config interface
In this section I am assuming you want to configure the SFP ONU while it is plugged into the EdgeRouter from a laptop
connected to the EdgeRouter's ethernet port 2. To do this, we have to first configure the right IP/subnet on the
EdgeRouter's SFP interface, then patch connections between the SFP ONU and the laptop through the EdgeRouter.
- First, inside the EdgeRouter's config interface we need to configure a static IP with accompanying SNAT rule on the
SFP port to allow us to access the SFP module's web interface through the laptop connected to the EdgeRouter. For
this, configure the eth5 interface (which is the SFP port) to use the static IP 10.10.1.2/24.
- With the SFP port assigned an IP address, we need to add a NAT rule to forward connections from the configuration
laptop on eth2 to the SFP port. We do this by adding a source NAT rule with masquerading enabled, for the TCP
protocol, with destination address 10.10.1.0/24 (the SFP config interface's private network).
- Finally, make sure that your laptop will actually use the EdgeRouter as its gateway for IPs within 10.10.1.0/24.
On the laptop, disable any VPNs, disconnect your Wi-Fi and make sure that ip r shows a default route pointing at the
EdgeRouter's 192.168.1.1. If that isn't the case, on Linux you can manually add the necessary route by using
    sudo ip r a 10.10.1.0/24 via 192.168.1.1 dev enp5s0
After setting up this temporary route, you should be able to access the SFP ONU's configuration web interface by
pointing a browser at http://10.10.1.1/. Just make sure you use plain-text HTTP here, not secure HTTP**S**. The
default login credentials for the device are admin/1234.
Configuring the PLOAM password / SLID / ONT-Installationskennung
On the SFP ONU's web interface, we only have to change one single setting: Under "Setup", we have to set what the SFP
ONU calls "SLID" to the PLOAM password for the interface. Telekom calls this the "ONT-Installationskennung". You get
this from your Telekom technician. In the config interface, select ASCII mode and enter the number using the format
ABCD000000 with four capital letters followed by six zeros. If necessary, you can read the SFP ONU's serial number
on this page.
Press "Save Config" on the top right of the web page, then select "Reset ONU" and click "Apply" under the "Reset ONU"
link on the left. Make sure to not select the factory reset option instead.
With the ONU configured, after the reset the "GPON Information" page from the left menu under "Status" from the top menu
should show GPON Line Status: O5. You can now remove the SNAT rule and IP address from the SFP interface in the
EdgeRouter's config. I recommend this since there is no way to change the ONU's default credentials, and leaving the
SNAT rule in place makes it vulnerable to attacks from your LAN. If you use the EdgeRouter's setup wizard in the next
step, that wizard will reset all of these settings.
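The cleanup recommended above can be verified against the router's configuration. The following is an added example, not part of the original post: it scans the output of the EdgeOS command show configuration commands for interface addresses and NAT rules that still touch the ONU's management subnet. The sample configuration and its rule numbers are constructed for illustration.

```python
import ipaddress

# ONU management subnet as given in the article.
ONU_NET = ipaddress.ip_network("10.10.1.0/24")

# Constructed sample of `show configuration commands` output in which the
# temporary ONU management access has NOT been removed yet.
SAMPLE_CONFIG = """\
set interfaces ethernet eth5 address 10.10.1.2/24
set interfaces ethernet eth5 vif 7 pppoe 0 default-route auto
set service nat rule 5000 description 'temp ONU management'
set service nat rule 5000 destination address 10.10.1.0/24
set service nat rule 5000 outbound-interface eth5
set service nat rule 5000 protocol tcp
set service nat rule 5000 type masquerade
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade
"""


def overlaps_onu_net(value):
    """True if an address or prefix from the config overlaps the ONU subnet."""
    try:
        net = ipaddress.ip_network(value.strip("'\""), strict=False)
    except ValueError:
        return False  # not an IP literal, e.g. 'dhcp'
    return net.overlaps(ONU_NET)


def audit(config_text):
    """Return (kind, name, value) tuples for settings that still expose the ONU."""
    findings = []
    for line in config_text.splitlines():
        tok = line.split()
        # Only "... address <value>" statements are of interest here.
        if len(tok) < 5 or tok[0] != "set" or "address" not in tok[:-1]:
            continue
        value = tok[-1]
        if not overlaps_onu_net(value):
            continue
        if tok[1] == "interfaces":
            findings.append(("interface", tok[3], value))
        elif tok[1:4] == ["service", "nat", "rule"]:
            findings.append(("nat-rule", tok[4], value))
    return findings


if __name__ == "__main__":
    for kind, name, value in audit(SAMPLE_CONFIG):
        print(f"still exposes ONU management: {kind} {name} -> {value}")
```

An empty result means neither the static address nor the SNAT rule is left in the configuration.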
Configuring PPPoE and NAT
Our ONU now has a low-level connection to Telekom's fiber network. The next step is to configure the EdgeRouter to
authenticate with the ONU through PPPoE. The easiest way to do this is to use the EdgeRouter's "Basic Setup" wizard as
described in the EdgeOS User Guide. In the wizard, select the SFP port (eth5) as the internet/WAN port. Select
Internet Connection Type as PPPoE, then enter the PPPoE credentials you got from your Telekom technician. The
password is your "Persönliches Kennwort" that you also use to log in to your customer account on Telekom's website. The
account name is [anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] "@t-online.de", so something like
002712345678012345678901#0001@t-online.de. Enable "Internet connection is on VLAN" and enter VLAN ID 7. This is
necessary because of the way Telekom set up their triple play (TV/phone/internet) service. After following through with
the wizard, your internet should already be working on port 2 of the router. Note that despite selecting the SFP port as
the router's WAN port, the wizard will still reserve port 1 (eth0) for another WAN interface, so you will only be
able to access the configuration interface through port 2 (eth1) after the wizard is done. You can of course change
this later.
That's it, you're done and your internet should be working!
Having Fun with the SFP GPON ONU
If you want to dig deeper into the internals of Telekom's GPON implementation, the SFP ONU's firmware is a great
starting point. Default credentials are all admin/admin or admin/1234 and you can even get a regular busybox shell on
the device through SSH. The device's firmware is based on OpenWRT, and the source for large parts of the core control
components can be found under open source licenses as well. While I would strongly advise you not to mess around with
the actual modem settings, because due to GPON you share a medium with your neighbors and might very well disrupt their
internet if you mess up, inspecting the ONU's firmware is a great way to learn about the inner workings of a modern GPON
network.
If you are interested in messing around with the SFP ONU, there is a GitHub repository where interesting things are
collected here.