Add Telekom GPON SFP ONU page

content/posts/telekom-gpon-sfp/index.rst

@@ -0,0 +1,216 @@
+---
+title: "Ubiquiti EdgeRouter on Deutsche Telekom GPON Fiber"
+date: 2022-02-21T20:00:00+01:00
+---
+
+Disclaimer
+==========
+
+I provide this guide as a reference for other knowledgeable users without any warranty. Please feel free to use this as
+a resource but do not hold me responsible if this does not work for you. There is a significant chance that due to an
+error on my side or due to Telekom changing their setup this guide will not work for you, and you may end up having to
+pay for an unsuccessful Telekom technician visit. That is your own risk, and I do not assume any liability.
+
+Tl;dr
+=====
+
+The "Telekom Digitalisierungsbox Glasfasermodem" is a GPON ONT in SFP form factor that works with an Ubiquiti EdgeRouter
+6P's SFP port. You can order it from Telekom or other vendors using the Telekom P/N 40823569 or its EAN 4718937619382.
+It costs about the same as the separate plastic box modem, but saves a lot of space and does not require a separate
+power supply.
+
+To configure, first access the SFP ONT's web interface at ``10.10.1.1`` by configuring your SPF port's IP to static
+``10.10.1.2``. User credentials are either admin/admin or admin/1234. In the web interface, set put PLOAM password into the
+"SLID" setting in ASCII mode, then save & reboot the device. Now, configure PPPoE on the router's SFP port using the
+PPPoE UID ``[anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] "@t-online.de"`` and your "Persönliches Kennwort" as
+PPPoE password. Set the VLAN to ``7``, and you are good to go.
+
+Background
+==========
+
+I moved into a new apartment that has a fiber internet connection operated by Deutsche Telekom. Having made some poor
+experiences with AVM's FritzBox brand of routers that is commonly used by German carriers, I decided to use my own
+Router instead of the one provided by Deutsche Telekom. Like other German providers, Telekom charges exorbitant amounts
+in monthly fees for their routers, so even though my choice ended up being a high-end piece of commercial equipment I
+will still be cheaper than going with Telekom's much shittier device when added up over a two-year contract period.
+
+The hardware I chose is the Ubiquiti EdgeRouter 6P. This device is from Ubiquiti's commercial lineup and is intended to
+power something like a small branch office of a company. It comes in a small form factor (as opposed to larger rackmount
+units), it does not consume a lot of power, it has five PoE-capable Ethernet ports which I can directly connect up to
+the Ubiquiti Unifi UAP access point that I already have, and it has a powerful configuration interface. It can even
+act as a VPN endpoint!
+
+Telekom's fiber internet offering for residential customers is GPON-based. GPON stands for "Gigabit Passive Optical
+Network" and means that instead of patching through one fiber or pair of fibers to each customer, several customers in
+one building are connected to a single fiber through optical splitters. These optical splitters are passive, i.e. they
+are just fancy pieces of glass and fibers and do not require electrical power. The advantage of GPON is lower initial
+cost for the operator, the disadvantage is that competing providers can only ever hope to get traffic handed through by
+Telekom and will never be able to use their own equipment on the "network" end of the fiber.
+
+Telekom wants you to connect to its fiber network through a small plastic box that they call "modem", and that the rest
+of the world calls "ONT", or Optical Network Terminator. Telekom's ONT has an upstream optical port with an LC
+connector, and a regular RJ45 ethernet port downstream. The "modem" in fact contains an entire linux system that
+terminates the ITU-standard suite of protocols that is used to manage what happens on the fiber, e.g. scheduling of
+transmission slots and adjustment of transmitter laser power.
+
+Looking at Telekom's plastic box ONT and my nice and shiny EdgeRouter, I was not a fan of this solution. Doing some
+research I found out that you can in fact get GPON ONTs in an SFP module form factor. My EdgeRouter has an SFP slot, so
+if I could get one of these that is compatible with Telekom's GPON flavor I could theoretically just plug it into my
+EdgeRouter's SFP slot with no separate power supply needed, saving a lot of space in the process.
+
+Finding a GPON SFP ONT that is compatible with Telekom's network turned out to be the hard part. While there are lots of
+commercial devices that look like they *should be* compatible, I could not be sure and I did not feel like sinking lots
+of money and weeks of trial and error into figuring out which are and which are not. After about half a dozen calls with
+various Telekom customer service departments I found the solution that ultimately ended up working: For their business
+customer fiber internet offering, Telekom uses the same GPON standard, but different ONT equipment. Their router for
+business customers is called "Digitalisierungsbox" and it in fact comes with an SFP GPON ONT. And, as it turns out, you
+can order that SFP GPON ONT separately for about 50 € (the same as the plastic box one) from either Telekom or a number
+of independent online stores. The Telekom part number of the thing is 40823569, the EAN is 4718937619382.
+
+Below is a list of steps that I had to undertake in order to get my EdgeRouter/SFP ONT setup to work.
+
+Hardware Setup
+==============
+
+The hardware setup is really simple. The SFP ONU is plugged into the EdgeRouter's SFP port. The ONU is connected to
+the Telekom Fiber through the LC/APC to SC/APC adapter cable that is included in its package. Telekom's technician will
+install an LC/APC coupler to join both cables. To configure the EdgeRouter, connect yourself through an ethernet cable
+*on port 2*. Ubiquiti's setup wizards assume the WAN interface is either port 1 or the SFP port (port 5), and default to
+use port 2 as their LAN interface even when port 5 is configured as the only WAN port. The default IP for the EdgeRouter
+is ``192.168.1.1``, and the default UID/PW is ubnt/ubnt.
+
+Configuration
+=============
+
+Getting access to the SFP ONU's config interface
+------------------------------------------------
+
+In this section I am assuming you want to configure the SFP ONU while it is plugged into the EdgeRouter from a laptop
+connected to the EdgeRouter's ethernet port 2. To do this, we have to first configure the right IP/subnet on the
+EdgeRouter's SFP interface, then patch connections between the SFP ONU and the laptop through the EdgeRouter.
+
+1. First, inside the EdgeRouter's config interface we need to configure a static IP with accompanying SNAT rule on the
+   SFP port to allow us to access the SFP module's web interface through the laptop connected to the EdgeRouter. For
+   this, configure the eth5 interface (which is the SFP port) to use the static IP ``10.10.1.2/24``.
+
+.. raw:: html
+    
+    <figure style="width: 20em">
+        <a href="images/edgerouter_sfp_config.png">
+        <img src="images/edgerouter_sfp_config.png" alt="The EdgeRouter's graphical configuration interface showing IP
+           address 10.10.1.2/24 being configured for interface eth5, which is the SFP interface.">
+        </a>
+        <figcaption>SFP interface configuration to access the SFP ONU from a laptop connected to the EdgeRouter's LAN
+            port</figcaption>
+    </figure>
+
+2. With the SFP port assigned an IP address, we need to add a NAT rule to forward connections from the configuration
+   laptop on eth2 to the SFP port. We do this by adding a source NAT rule with masquerading enabled, for the TCP
+   protocol, with destination address ``10.10.1.0/24`` (the SFP config interface's private network).
+
+.. raw:: html
+    
+    <figure style="width: 20em">
+        <a href="images/edgerouter_snat_config.png">
+        <img src="images/edgerouter_snat_config.png" alt="The EdgeRouter's graphical configuration interface showing a
+            source NAT being configured for interface eth5 for TCP protocol connections to destination address 10.10.1.1
+            using masquerading.">
+        </a>
+        <figcaption>Source NAT configuration to access the SFP ONU from LAN. eth5, masquerading on, TCP, destination
+            10.10.1.1 (the SFP ONU's IP).</figcaption>
+    </figure>
+
+3. Finally, make sure that your laptop will actually use the EdgeRouter as its gateway for IPs within ``10.10.1.0/24``.
+   On the laptop, disable any VPNs, disconnect your Wifi and make sure that IP r shows a default route pointing at the
+   EdgeRouter's ``192.168.1.1``. If that isn't the case, on Linux you can manually add the necessary route by using 
+   ``sudo ip r a 10.10.1.0/24 via 192.168.1.1 dev enp5s0``
+
+After setting up this temporary route, you should be able to access the SFP ONU's configuration web interface by
+pointing a browser at ``http://10.10.1.1/`` Just make sure you use plain-text HTTP here, not secure HTTP**S**. The
+default login credentials for the device are admin/1234.
+
+.. raw:: html
+    
+    <figure style="width: 30em">
+        <a href="images/sfp_onu_web_if.png">
+        <img src="images/sfp_onu_web_if.png" alt="The SFP ONU configuration web interface is a basic-looking website with
+            a big Zyxel logo on it. It has menu options named status, setup and management. It shows a system overview
+            page that lists the device's uptime and software version.">
+        </a>
+        <figcaption>The SFP ONU's web interface.</figcaption>
+    </figure>
+
+Configuring the PLOAM password / SLID / ONT-Installationskennung
+----------------------------------------------------------------
+
+On the SFP ONU's web interface, we only have to change one single setting: Under "Setup", we have to set what the SFP
+ONU calls "SLID" to the PLOAM password for the interface. Telekom calls this the "ONT-Installationskennung". You get
+this from your Telekom technician. In the config interface, select ASCII mode and enter the number using the format
+``ABCD000000`` with four capital letters followed by six zeros. If necessary, you can read the SFP ONU's serial number
+on this page.
+
+.. raw:: html
+    
+    <figure style="width: 30em">
+        <a href="images/sfp_onu_ploam_pw_config.png">
+        <img src="images/sfp_onu_ploam_pw_config.png" alt="The SFP ONU configuration web interface shows its SLID
+            configuration page. A text field labelled SLID asks the user to enter a value of at most ten characters. As
+            an example, abcdefg123 is listed.">
+        </a>
+        <figcaption>The SFP ONU's config interface to set SLID/PLOAM PW/ONT-Installationskennung.</figcaption>
+    </figure>
+
+Press "Save Config" on the top right of the web page, then select "Reset ONU" and click "Apply" under the "Reset ONU"
+link on the left. Make sure to not select the factory reset option instead.
+
+.. raw:: html
+    
+    <figure style="width: 30em">
+        <a href="images/sfp_onu_reset.png">
+        <img src="images/sfp_onu_reset.png" alt="The SFP ONU configuration web interface shows its reset ONU page. There
+            are two options labelled Reset ONU and Reset to factory default settings. The reset ONU option is
+            selected.">
+        </a>
+        <figcaption>Rebooting the SFP ONU.</figcaption>
+    </figure>
+
+With the ONU configured, after the reset the "GPON Information" page from the left menu under "Status" from the top menu
+should show ``GPON Line Status: O5``. You can now remove the SNAT rule and IP address from the SFP interface in the
+EdgeRouter's config. I recommend this since there is no way to change the ONU's default credentials, and leaving the
+SNAT rule in place makes it vulnerable to attacks from your LAN. If you use the EdgeRouter's setup wizard in the next
+step, that wizard will reset all of these settings.
+
+Configuring PPPoE and NAT
+-------------------------
+
+Our ONU now has a low-level connection to Telekom's fiber network. The next step is to configure the EdgeRouter to
+authenticate with the ONU through PPPoE. The easiest way to do this is to use the EdgeRouter's "Basic Setup" wizard as
+described in the `EdgeOS User Guide`. In the wizard, select the SFP port (``eth5``) as the internet/WAN port. Select
+``Internet Connection Type`` as ``PPPoE``, then enter the PPPoE credentials you got from your Telekom technician. The
+password is your "Persönliches Kennwort" that you also use to log in to your customer account on Telekom's website. The
+account name is ``[anschlusskennung] [zugangsnummer] "#" [mitbenutzernummer] "@t-online.de"``, so something like
+``002712345678012345678901#0001@t-online.de``. Enable "Internet connection is on VLAN" and enter VLAN ID ``7``. This is
+necessary because of the way Telekom set up their triple play (TV/phone/internet) service. After following through with
+the wizard, your internet should be already working on port 2 of the router. Note that despite selecting the SFP port as
+the router's WAN port, the wizard will still reserve port 1 (``eth0``) for another WAN interface, so you will only be
+able to access the configuration interface through port 2 (``eth1``) after the wizard is done. You can of course change
+this later.
+
+That's it, you're done and your internet should be working!
+
+Having Fun with the SPF GPON ONU
+================================
+
+If you want to dig deeper into the internals of Telekom's GPON implementation, the SFP ONU's firmware is a great
+starting point. Default credentials are all admin/admin or admin/1234 and you can even get a regular busybox shell on
+the device through SSH. The device's firmware is based on OpenWRT, and the source for large parts of the core control
+components can be found under open source licenses as well. While I would strictly advice you to not mess around with
+the actual modem settings because due to GPON you share a medium with your neighbors and might very well disrupt their
+internet if you mess up, inspecting the ONU's firmware is a great way to learn about the inner workings of a modern GPON
+network.
+
+If you are interested in messing around with the SFP ONU, there is a github repository where interesting thins are
+collected `here <https://github.com/xvzf/zyxel-gpon-sfp/issues>`__.
+
+.. _`EdgeOS User Guide`: https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf
+