---
title: "Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber"
date: 2022-02-21T20:00:00+01:00
---

Disclaimer
==========

I provide this guide as a reference for other knowledgeable users without any warranty. Please feel free to use this as
a resource but do not hold me responsible if this does not work for you. There is a significant chance that due to an
error on my side or due to Telekom changing their setup this guide will not work for you, and you may end up having to
pay for an unsuccessful Telekom technician visit. That is your own risk, and I do not assume any liability.

Tl;dr
=====

The "Telekom Digitalisierungsbox Glasfasermodem" is a GPON ONT in SFP form factor that works with a Ubiquiti EdgeRouter
6P's SFP port. You can order it from Telekom or other vendors using the Telekom P/N 40823569 or its EAN 4718937619382.
It costs about the same as the separate plastic box modem, but saves a lot of space and does not require a separate
power supply.

To configure, first access the SFP ONT's web interface at ``10.10.1.1`` by configuring your SFP port's IP to static
``10.10.1.2``. User credentials are either admin/admin or admin/1234. In the web interface, put the PLOAM password into
the "SLID" setting in ASCII mode, then save & reboot the device. Now, configure PPPoE on the router's SFP port using the
PPPoE UID ``[anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] "@t-online.de"`` and your "Persönliches Kennwort" as
PPPoE password. Set the VLAN to ``7``, and you are good to go.

Background
==========

I moved into a new apartment that has a fiber internet connection operated by Deutsche Telekom. Having had some poor
experiences with AVM's FritzBox brand of routers that is commonly used by German carriers, I decided to use my own
router instead of the one provided by Deutsche Telekom. Like other German providers, Telekom charges exorbitant amounts
in monthly fees for their routers, so even though my choice ended up being a high-end piece of commercial equipment I
will still be cheaper than going with Telekom's much shittier device when added up over a two-year contract period.

The hardware I chose is the Ubiquiti EdgeRouter 6P. This device is from Ubiquiti's commercial lineup and is intended to
power something like a small branch office of a company. It comes in a small form factor (as opposed to larger rackmount
units), it does not consume a lot of power, it has five PoE-capable Ethernet ports which I can directly connect up to
the Ubiquiti Unifi UAP access point that I already have, and it has a powerful configuration interface. It can even
act as a VPN endpoint!

Telekom's fiber internet offering for residential customers is GPON-based. GPON stands for "Gigabit Passive Optical
Network" and means that instead of patching through one fiber or pair of fibers to each customer, several customers in
one building are connected to a single fiber through optical splitters. These optical splitters are passive, i.e. they
are just fancy pieces of glass and fibers and do not require electrical power. The advantage of GPON is lower initial
cost for the operator, the disadvantage is that competing providers can only ever hope to get traffic handed through by
Telekom and will never be able to use their own equipment on the "network" end of the fiber.

Telekom wants you to connect to its fiber network through a small plastic box that they call "modem", and that the rest
of the world calls "ONT", or Optical Network Terminator. Telekom's ONT has an upstream optical port with an LC
connector, and a regular RJ45 Ethernet port downstream. The "modem" in fact contains an entire Linux system that
terminates the ITU-standard suite of protocols that is used to manage what happens on the fiber, e.g. scheduling of
transmission slots and adjustment of transmitter laser power.

Looking at Telekom's plastic box ONT and my nice and shiny EdgeRouter, I was not a fan of this solution. Doing some
research I found out that you can in fact get GPON ONTs in an SFP module form factor. My EdgeRouter has an SFP slot, so
if I could get one of these that is compatible with Telekom's GPON flavor I could theoretically just plug it into my
EdgeRouter's SFP slot with no separate power supply needed, saving a lot of space in the process.

Finding a GPON SFP ONT that is compatible with Telekom's network turned out to be the hard part. While there are lots of
commercial devices that look like they *should be* compatible, I could not be sure and I did not feel like sinking lots
of money and weeks of trial and error into figuring out which are and which are not. After about half a dozen calls with
various Telekom customer service departments I found the solution that ultimately ended up working: For their business
customer fiber internet offering, Telekom uses the same GPON standard, but different ONT equipment. Their router for
business customers is called "Digitalisierungsbox" and it in fact comes with an SFP GPON ONT. And, as it turns out, you
can order that SFP GPON ONT separately for about 50 € (the same as the plastic box one) from either Telekom or a number
of independent online stores. The Telekom part number of the thing is 40823569, the EAN is 4718937619382.

Below is a list of steps that I had to undertake in order to get my EdgeRouter/SFP ONT setup to work.

Hardware Setup
==============

The hardware setup is really simple. The SFP ONU is plugged into the EdgeRouter's SFP port. The ONU is connected to
the Telekom Fiber through the LC/APC to SC/APC adapter cable that is included in its package. Telekom's technician will
install an LC/APC coupler to join both cables. To configure the EdgeRouter, connect yourself through an ethernet cable
*on port 2*. Ubiquiti's setup wizards assume the WAN interface is either port 1 or the SFP port (port 5), and default to
using port 2 as their LAN interface even when port 5 is configured as the only WAN port. The default IP for the EdgeRouter
is ``192.168.1.1``, and the default UID/PW is ubnt/ubnt.

Configuration
=============

Getting access to the SFP ONU's config interface
------------------------------------------------

In this section I am assuming you want to configure the SFP ONU while it is plugged into the EdgeRouter from a laptop
connected to the EdgeRouter's ethernet port 2. To do this, we have to first configure the right IP/subnet on the
EdgeRouter's SFP interface, then patch connections between the SFP ONU and the laptop through the EdgeRouter.

1. First, inside the EdgeRouter's config interface we need to configure a static IP with accompanying SNAT rule on the
   SFP port to allow us to access the SFP module's web interface through the laptop connected to the EdgeRouter. For
   this, configure the eth5 interface (which is the SFP port) to use the static IP ``10.10.1.2/24``.

.. raw:: html
    
    <figure style="width: 20em">
        <a href="images/edgerouter_sfp_config.png">
        <img src="images/edgerouter_sfp_config.png" alt="The EdgeRouter's graphical configuration interface showing IP
           address 10.10.1.2/24 being configured for interface eth5, which is the SFP interface." data-pagefind-ignore>
        </a>
        <figcaption>SFP interface configuration to access the SFP ONU from a laptop connected to the EdgeRouter's LAN
            port</figcaption>
    </figure>

2. With the SFP port assigned an IP address, we need to add a NAT rule to forward connections from the configuration
   laptop on eth2 to the SFP port. We do this by adding a source NAT rule with masquerading enabled, for the TCP
   protocol, with destination address ``10.10.1.0/24`` (the SFP config interface's private network).

.. raw:: html
    
    <figure style="width: 20em">
        <a href="images/edgerouter_snat_config.png">
        <img src="images/edgerouter_snat_config.png" alt="The EdgeRouter's graphical configuration interface showing a
            source NAT being configured for interface eth5 for TCP protocol connections to destination address 10.10.1.1
            using masquerading." data-pagefind-ignore>
        </a>
        <figcaption>Source NAT configuration to access the SFP ONU from LAN. eth5, masquerading on, TCP, destination
            10.10.1.1 (the SFP ONU's IP).</figcaption>
    </figure>

3. Finally, make sure that your laptop will actually use the EdgeRouter as its gateway for IPs within ``10.10.1.0/24``.
   On the laptop, disable any VPNs, disconnect your Wi-Fi and make sure that ``ip r`` shows a default route pointing at
   the EdgeRouter's ``192.168.1.1``. If that isn't the case, on Linux you can manually add the necessary route by using
   ``sudo ip r a 10.10.1.0/24 via 192.168.1.1 dev enp5s0`` (replace ``enp5s0`` with your laptop's interface name).

After setting up this temporary route, you should be able to access the SFP ONU's configuration web interface by
pointing a browser at ``http://10.10.1.1/``. Just make sure you use plain-text HTTP here, not secure HTTP\ **S**. The
default login credentials for the device are admin/1234.

.. raw:: html
    
    <figure style="width: 30em">
        <a href="images/sfp_onu_web_if.png">
        <img src="images/sfp_onu_web_if.png" alt="The SFP ONU configuration web interface is a basic-looking website with
            a big Zyxel logo on it. It has menu options named status, setup and management. It shows a system overview
            page that lists the device's uptime and software version." data-pagefind-ignore>
        </a>
        <figcaption>The SFP ONU's web interface.</figcaption>
    </figure>

Configuring the PLOAM password / SLID / ONT-Installationskennung
----------------------------------------------------------------

On the SFP ONU's web interface, we only have to change one single setting: Under "Setup", we have to set what the SFP
ONU calls "SLID" to the PLOAM password for the interface. Telekom calls this the "ONT-Installationskennung". You get
this from your Telekom technician. In the config interface, select ASCII mode and enter the number using the format
``ABCD000000`` with four capital letters followed by six zeros. If necessary, you can read the SFP ONU's serial number
on this page.

.. raw:: html
    
    <figure style="width: 30em">
        <a href="images/sfp_onu_ploam_pw_config.png">
        <img src="images/sfp_onu_ploam_pw_config.png" alt="The SFP ONU configuration web interface shows its SLID
            configuration page. A text field labelled SLID asks the user to enter a value of at most ten characters. As
            an example, abcdefg123 is listed." data-pagefind-ignore>
        </a>
        <figcaption>The SFP ONU's config interface to set SLID/PLOAM PW/ONT-Installationskennung.</figcaption>
    </figure>

Press "Save Config" on the top right of the web page, then select "Reset ONU" and click "Apply" under the "Reset ONU"
link on the left. Make sure to not select the factory reset option instead.

.. raw:: html
    
    <figure style="width: 30em">
        <a href="images/sfp_onu_reset.png">
        <img src="images/sfp_onu_reset.png" alt="The SFP ONU configuration web interface shows its reset ONU page. There
            are two options labelled Reset ONU and Reset to factory default settings. The reset ONU option is
            selected." data-pagefind-ignore>
        </a>
        <figcaption>Rebooting the SFP ONU.</figcaption>
    </figure>

With the ONU configured, after the reset the "GPON Information" page from the left menu under "Status" from the top menu
should show ``GPON Line Status: O5``. You can now remove the SNAT rule and IP address from the SFP interface in the
EdgeRouter's config. I recommend this since there is no way to change the ONU's default credentials, and leaving the
SNAT rule in place makes it vulnerable to attacks from your LAN. If you use the EdgeRouter's setup wizard in the next
step, that wizard will reset all of these settings.
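
The cleanup recommended above can be verified against the router's configuration. The following is an added example, not part of the original post: it scans the output of EdgeOS's ``show configuration commands`` for an interface address or masquerade rule that still reaches the ONU's ``10.10.1.0/24`` management network. The sample configuration and the rule number 5010 are constructed for illustration.

```python
import ipaddress
import re

ONU_MGMT_NET = ipaddress.ip_network("10.10.1.0/24")  # ONU management subnet from this guide

# Constructed sample of `show configuration commands` output (not from a real router).
SAMPLE_CONFIG = """\
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth5 address 10.10.1.2/24
set service nat rule 5000 outbound-interface pppoe0
set service nat rule 5000 type masquerade
set service nat rule 5010 destination address 10.10.1.0/24
set service nat rule 5010 outbound-interface eth5
set service nat rule 5010 protocol tcp
set service nat rule 5010 type masquerade
"""

ADDR_RE = re.compile(r"^set interfaces ethernet (\S+) address '?([0-9./]+)'?$")
NAT_RE = re.compile(r"^set service nat rule (\d+) (.+)$")


def _in_onu_net(value):
    """True if an address or prefix lies inside the ONU management subnet."""
    try:
        net = ipaddress.ip_network(value.strip("'"), strict=False)
    except ValueError:
        return False  # address ranges or groups are not handled in this example
    return net.subnet_of(ONU_MGMT_NET)


def audit(config_text):
    """Return findings that still give LAN hosts a path to the ONU's login."""
    findings = []
    nat_rules = {}
    for line in map(str.strip, config_text.splitlines()):
        m = ADDR_RE.match(line)
        if m and _in_onu_net(m.group(2)):
            findings.append(f"interface {m.group(1)} has address {m.group(2)}")
        m = NAT_RE.match(line)
        if m:
            nat_rules.setdefault(m.group(1), []).append(m.group(2))
    for rule, settings in sorted(nat_rules.items()):
        dests = [s.split()[-1] for s in settings if s.startswith("destination address ")]
        if "type masquerade" in settings and any(_in_onu_net(d) for d in dests):
            findings.append(f"NAT rule {rule} masquerades to {dests[0]}")
    return findings


if __name__ == "__main__":
    print("\n".join("remove: " + f for f in audit(SAMPLE_CONFIG)))
```

An empty result means neither the temporary address nor the temporary SNAT rule is left in the configuration.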

Configuring PPPoE and NAT
-------------------------

Our ONU now has a low-level connection to Telekom's fiber network. The next step is to configure the EdgeRouter to
authenticate with the ONU through PPPoE. The easiest way to do this is to use the EdgeRouter's "Basic Setup" wizard as
described in the `EdgeOS User Guide`_. In the wizard, select the SFP port (``eth5``) as the internet/WAN port. Select
``Internet Connection Type`` as ``PPPoE``, then enter the PPPoE credentials you got from your Telekom technician. The
password is your "Persönliches Kennwort" that you also use to log in to your customer account on Telekom's website. The
account name is ``[anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] "@t-online.de"``, so something like
``002712345678012345678901#0001@t-online.de``. Enable "Internet connection is on VLAN" and enter VLAN ID ``7``. This is
necessary because of the way Telekom set up their triple play (TV/phone/internet) service. After following through with
the wizard, your internet should be already working on port 2 of the router. Note that despite selecting the SFP port as
the router's WAN port, the wizard will still reserve port 1 (``eth0``) for another WAN interface, so you will only be
able to access the configuration interface through port 2 (``eth1``) after the wizard is done. You can of course change
this later.

That's it, you're done and your internet should be working!

Having Fun with the SFP GPON ONU
================================

If you want to dig deeper into the internals of Telekom's GPON implementation, the SFP ONU's firmware is a great
starting point. Default credentials are all admin/admin or admin/1234 and you can even get a regular BusyBox shell on
the device through SSH. The device's firmware is based on OpenWrt, and the source for large parts of the core control
components can be found under open source licenses as well. While I would strongly advise you not to mess around with
the actual modem settings because due to GPON you share a medium with your neighbors and might very well disrupt their
internet if you mess up, inspecting the ONU's firmware is a great way to learn about the inner workings of a modern GPON
network.

If you are interested in messing around with the SFP ONU, there is a GitHub repository where interesting things are
collected `here <https://github.com/xvzf/zyxel-gpon-sfp/issues>`__.

.. _`EdgeOS User Guide`: https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf