What ONT options - because Calix routers are garbage

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
FWIW - I learned something new today about the Calix / ONT. MFN and others also provide a Layer2 device (which is typically a 803G) - this would then allow you to place any proper router behind this - full quote below:

Metrofibre use PPPOE for WAN access, however, instead of username & password authentication, we make use of MAC-based authentication. That means that we authenticate your service subscription based on the GPON WAN MAC address of your Calix home router. The WAN MAC is not cloneable since it lives on a GPON interface and NOT an ethernet interface, and also resides behind a router (813G) and not a switch (803G).

In an open access scenario, the WAN configuration would typically depend on the network architecture of the open access provider you subscribed to, for example, depending on whether they use PPPOE or DHCP for WAN access. Whichever way, we simply map the relevant service provider's WAN access VLAN through to your ONT, a layer 2 connection only, provided by us between you and your chosen service provider. It is then up to the relevant open access service provider to put down his CPE device at your premises, or deliver the service in whatever means was agreed and negotiated with you. If that entails you configuring PPPOE or DHCP on your Ubiquiti rather, then that is what you will have to do. It will be totally transparent to us, bearing in mind we provide the VLAN connectivity between you and your service provider only, and nothing else.

As said, the 803G device is a Layer 2 (switch device) only, and not a Layer 3 (router device) like the 813G.

I am still seeking further clarification if it is just as simple as replacing the layer3 device (813G) with a 803G so that I can do a simple PPPoE via my Ubiquiti. Somehow I have the feeling that there might be other gremlins (VLAN tagging etc....). A true pity that the FTTH sales guys are not very clued up on this (perhaps understandably so as most of their customers don't even know what PPPoE or DHCP is - they just want "The fast WiFi")
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
SFP and SPF MAC addresses (the fiber interface), CAN be cloned. Very easily - just FYI. There's a programmable EPROM just like on a network card, and getting EPROM programmers to program those chips is very easy.

Generally, traffic is VLAN tagged (1 for Voice, 1 x Data, 1 x IPTV). Seeing that the FTTx players haven't yet started to deploy IPTV/Voice, you more than likely only have 1 VLAN in question. Technically, you should also be able to have multiple data VLANs, so that you can use multiple ISPs. It's possible technically, whether they do it or not, I don't know.

The ONT also encrypts / decrypts traffic, as any incoming data from the OLT to the ONT is transmitted to ALL ONT devices on the same interface (splitters). That encryption, too, has been known to be decrypted relatively easily in the UK/US previously.

If the ONT allows for PPPoE pass through, then yes, you can put any device BEHIND the ONT and run your own L3, but L2 MUST terminate on the ONT itself. It's the nature of FTTx unfortunately.
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
PS.. What WOULD be very interesting, is to take the SPF out of the calix, put it into a programmer and get a dump of the code (this effectively should tell you what the SPF does in terms of VLANs, MACs, etc.) :p Then take the SPF, dump it into a CCR or some other Tik, and configure the appropriate vlans ;)

The encryption/decryption is done on the SPF itself (i.e. hardware), so technically if the SFP is removable and you have the VLANs that MAY work... The provider won't like you very much though :p
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
PS.. What WOULD be very interesting, is to take the SPF out of the calix, put it into a programmer and get a dump of the code (this effectively should tell you what the SPF does in terms of VLANs, MACs, etc.) :p Then take the SPF, dump it into a CCR or some other Tik, and configure the appropriate vlans ;)

The encryption/decryption is done on the SPF itself (i.e. hardware), so technically if the SFP is removable and you have the VLANs that MAY work... The provider won't like you very much though :p

I read that a guy in Italy used a standard GPON module and then dumped the traffic to figure out the VLAN id as his provider refused to provide it to him. I don't know why FTTH providers are so protective over this - I only learned today that there is possible layer2 device and at no point in time did anyone mention that the PPPoE credentials are actually not even used. For now I will be happy if I can swop out that sh*t layer3 device with a layer2 and then do PPPoE passthrough (somehow this sounds too simple and I am sure something will not work - such as them tagging as VLAN-ID 0 which most devices do not support)
 

Kyoto

Well-Known Member
Joined
Sep 29, 2015
Messages
233
All GPON ONTs that I know about don't have an SFP, only an optical port, so all the encryption etc. happens in the ONT.
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
They are so protective because it is their way to "lock" you in, to protect their investment. Whoever deployed the fiber in an area, owns the area. No one else can play, unless MORE fiber is put into the ground (which is unlikely as municipalities are very unlikely to allow the same area to be trenched multiple times, and those with ducts in the ground don't play fairly and lease ducts like they are supposed to).

That's why I personally find these "open access" terms laughable, at best. Open your network up right up to Layer 1 (yes, lease me, the ISP, the actual dark fiber into your home), and THEN you can start to call your network open access :p Now, FTTH players using GPON can never do that due to the splitters involved, hence, their networks will never, ever be truly open access - the GPON provider will ALWAYS be involved, and they will ALWAYS dictate as to what can, and can not, be done in terms of service delivery. So much for competition, as my competitor now must dictate to me, their competition, what I can and can not do. Partially, the fiber owner is already fixing the prices in that they are dictating minimum costs to other ISPs for resale...

What is happening in terms of GPON deployments, is that they are creating hundreds of small little isolated "islands" of fiber... No interoperability, no interexchangeability. A fixed, isolated, static network.

The Fiber port (to the provider) is generally a trunk, and then there would be one ethernet port (you'll need to find out which one) which is an access port (to the consumer), designated to the data vlan. If you use a separate modem/router plugged into the correct port on the ONT, you shouldn't need to worry about VLANs and what not. It should be just as simple as to connect and fire up the PPPoE session.

From what I've seen in the past overseas, the ONTs have multiple ports, and each port is dedicated to one service (i.e. one for data, one for voip, one for iptv, etc). The providers generally configure the units like that so that you don't need to worry about the vlans and what not. Traffic going in on ether1 is encapsulated by the correct vlan id on the ONT, and passed to the provider through the fiber port.

EDIT: I think what the fiber provider meant to say is that the fiber provider authenticates the ONT via MAC address (i.e. is the ONT permitted to connect to the network - similar to what you do with wireless devices in a WISP network), and once the ONT connects, it sets up encryption, vlans, and all those other nice thingies. The ISP (a la AH, CrystalWeb, etc.), most definitely would use usernames / passwords for PPPoE authentication I believe. But, EDIT 2, I also know that there are a few ISPs that do not use usernames / passwords, so I guess it's up to whatever the ISP decides to do.
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
All GPON ONTs that I know about don't have an SFP, only an optical port, so all the encryption etc. happens in the ONT.

The Fiber port IS the SPF port :p It's perhaps just not removable, but rather soldered into the board and/or integrated.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
<snip>

EDIT: I think what the fiber provider meant to say is that the fiber provider authenticates the ONT via MAC address (i.e. is the ONT permitted to connect to the network - similar to what you do with wireless devices in a WISP network), and once the ONT connects, it sets up encryption, vlans, and all those other nice thingies. The ISP (a la AH, CrystalWeb, etc.), most definitely would use usernames / passwords for PPPoE authentication I believe. But, EDIT 2, I also know that there are a few ISPs that do not use usernames / passwords, so I guess it's up to whatever the ISP decides to do.

Thank you - a really good explanation. If an ISP chooses not to authenticate via PPPoE how will a layer3 device get an IP (static IP / DHCP)? Does this then mean that the ONT's layer2 traffic is just switched onto the ISP without any interference from the layer1 provider? (I should really find some time to read up on how GPON and its switching works).
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,150
The Fiber port IS the SPF port :p It's perhaps just not removable, but rather soldered into the board and/or integrated.

please, SFP?
SPF is sunscreen.

and SFP = small form-factor pluggable, so soldering it on the board would mean it isn't one ;)
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,150
They are so protective because it is their way to "lock" you in, to protect their investment. Whoever deployed the fiber in an area, owns the area. No one else can play, unless MORE fiber is put into the ground (which is unlikely as municipalities are very unlikely to allow the same area to be trenched multiple times, and those with ducts in the ground don't play fairly and lease ducts like they are supposed to).

That's why I personally find these "open access" terms laughable, at best. Open your network up right up to Layer 1 (yes, lease me, the ISP, the actual dark fiber into your home), and THEN you can start to call your network open access :p Now, FTTH players using GPON can never do that due to the splitters involved, hence, their networks will never, ever be truly open access - the GPON provider will ALWAYS be involved, and they will ALWAYS dictate as to what can, and can not, be done in terms of service delivery. So much for competition, as my competitor now must dictate to me, their competition, what I can and can not do. Partially, the fiber owner is already fixing the prices in that they are dictating minimum costs to other ISPs for resale...

What is happening in terms of GPON deployments, is that they are creating hundreds of small little isolated "islands" of fiber... No interoperability, no interexchangeability. A fixed, isolated, static network.

The Fiber port (to the provider) is generally a trunk, and then there would be one ethernet port (you'll need to find out which one) which is an access port (to the consumer), designated to the data vlan. If you use a separate modem/router plugged into the correct port on the ONT, you shouldn't need to worry about VLANs and what not. It should be just as simple as to connect and fire up the PPPoE session.

From what I've seen in the past overseas, the ONTs have multiple ports, and each port is dedicated to one service (i.e. one for data, one for voip, one for iptv, etc). The providers generally configure the units like that so that you don't need to worry about the vlans and what not. Traffic going in on ether1 is encapsulated by the correct vlan id on the ONT, and passed to the provider through the fiber port.

EDIT: I think what the fiber provider meant to say is that the fiber provider authenticates the ONT via MAC address (i.e. is the ONT permitted to connect to the network - similar to what you do with wireless devices in a WISP network), and once the ONT connects, it sets up encryption, vlans, and all those other nice thingies. The ISP (a la AH, CrystalWeb, etc.), most definitely would use usernames / passwords for PPPoE authentication I believe. But, EDIT 2, I also know that there are a few ISPs that do not use usernames / passwords, so I guess it's up to whatever the ISP decides to do.

Vumatel do not use credentials at all. There's no PPPoE. It's basically DHCP over ethernet to get your IP address, and your CPE is in a VLAN that connects to the ISP directly.
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
Does this then mean that the ONT's layer2 traffic is just switched onto the ISP without any interference from the layer1 provider? (I should really find some time to read up on how GPON and its switching works).

I would assume so. I haven't had the opportunity to look at a FTTx installation in great detail in SA yet so I can't say for certain. My assumptions are just based on my understanding of the technology (been at it for many, many years - installed my first outdoor fiber back in '98 / '99 already), and from what I read/pick up from others who have the service. In terms of "without any interference from the layer1," I can't tell you that until I see some packet dumps on the WAN side.

Technically, it should be a clean pass through yes with the only overhead to the packet being the PPPoE header and the VLAN header. In practice however, I think it's safe to expect a bit more (MPLS overhead would be a good assumption). I'd also be keen to see the levels of fragmentation and out of order packets (especially on "smaller" providers that aren't necessarily THAT skilled up).

The ISP can choose to still use PPPoE but authenticate on MAC, and not username/password, or, as you say, DHCP yes. PPPoE and DHCP are really the two most common forms used, but I suspect most ISPs will stick to PPPoE in order to tie into existing back-end systems in place already to handle PPPoE (DSL for example).
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
Vumatel do not use credentials at all. There's no PPPoE. It's basically DHCP over ethernet to get your IP address, and your CPE is in a VLAN that connects to the ISP directly.

Vumatel runs Active Ethernet, not GPON :) I would KILL for a Vuma connection...

Because it's Active Ethernet, you can put any router onto the fiber, no "specific" ONT required.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,150
Vumatel runs Active Ethernet, not FTTx :) I would KILL for a Vuma connection...

Because it's Active Ethernet, you can put any router onto the fiber, no "specific" ONT required.

Well their CPE is managed by them (it's a switch) so I imagine they'd want you to keep that there - but yes, whatever the heck router you want.

And I assume you meant GPON not FTTx? ;) Since it's FTTH...

i<3 my vumatel
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Vumatel runs Active Ethernet, not GPON :) I would KILL for a Vuma connection...

Because it's Active Ethernet, you can put any router onto the fiber, no "specific" ONT required.

Sadly most of us have no choice other than to go with GPON. At least with MetroFibre there is some "open access" in the sense that there is access to some ISPs. Getting technical answers from FTTH providers is like pulling hens' teeth - I am still swaying between "Why can't they explain this, it's their business" and "Wow, they have no clue!" and "I am sure they know but don't want to give out 'secrets'!".

I get that the average household will rework their home-network like I did, but then for heaven's sake allow the minority of us some flexibility and don't drop off some cheap-a$$ fong-kong router which is outperformed by my Raspberry.
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
BTW - what is the max packet size that you can transmit? Just out of curiosity.

http://www.letmecheck.it/mtu-test.php will more than likely be the quickest way to test. Sinbad being on Active Ethernet, should be able to pass 1500 byte packets, whilst I think you will be in the 1480 (or possibly less) region.
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
1472 payload + header = 1500

Yep. Clean ethernet (no PPP, tunnels, etc. involved). So there's your confirmation that you are on ActiveEthernet. Your provisioning is indeed either via DHCP or Statically done as there's no encapsulation involved with your traffic. Viva Vumatel for doing things CORRECTLY. :D
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
BTW - what is the max packet size that you can transmit? Just out of curiosity.

http://www.letmecheck.it/mtu-test.php will more than likely be the quickest way to test. Sinbad being on Active Ethernet, should be able to pass 1500 byte packets, whilst I think you will be in the 1480 (or possibly less) region.

Tested this a few weeks ago - it's 1480.

Good that you raised this - I forgot to follow up with Ubiquiti if there would be any merit to reduce MTU on my UniFi Security Gateway.
 

savage

Expert Member
Joined
Aug 11, 2003
Messages
2,922
Tested this a few weeks ago - it's 1480.

Ah ok. The -20 is due to 20 bytes required for PPPoE. At least you can safely say that nothing else (encapsulation wise) is involved except PPPoE, so you have a clean layer 2 hand off between your CPE and your ISP, and your ISP takes the 20 bytes to encapsulate your traffic inside PPPoE.
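For readers who want to verify their own WAN handoff from a packet dump rather than guess at it, here is an added example (not from anyone in this thread) that walks the Layer 2 headers of a frame: it reports the 802.1Q VLAN ID(s) (including a VID 0 priority tag and stacked tags), whether a PPPoE session carries the IP packet, the IP MTU that leaves inside a standard 1500-byte Ethernet payload, and the matching largest unfragmented ping payload. The frames, MACs and session ID below are constructed sample data, not captured values.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_HDR = 14       # dst MAC + src MAC + EtherType; not counted in the IP MTU
PPPOE_HDR = 6      # ver/type, code, session id, length (RFC 2516)
PPP_PROTO = 2      # PPP protocol field (0x0021 = IPv4)
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_PPPOE_SESSION = 0x8864
ETHERTYPE_IPV4 = 0x0800

@dataclass
class Handoff:
    vlan_ids: List[int]            # outer-to-inner 802.1Q VIDs; VID 0 means priority-tagged only
    pppoe_session: Optional[int]   # PPPoE session id, or None for plain Ethernet (DHCP/static)
    l3_ethertype: int              # protocol that finally carries the IP packet
    ip_mtu: int                    # largest IP packet that fits in a 1500-byte Ethernet payload

def parse_handoff(frame: bytes) -> Handoff:
    """Walk the L2 headers of a WAN-side frame and report how the IP packet is encapsulated."""
    off = 12                                           # skip the two MAC addresses
    (etype,) = struct.unpack_from("!H", frame, off); off += 2
    vlan_ids = []
    while etype == ETHERTYPE_8021Q:                    # one iteration per stacked tag (Q-in-Q)
        tci, etype = struct.unpack_from("!HH", frame, off); off += 4
        vlan_ids.append(tci & 0x0FFF)                  # low 12 bits of the TCI are the VID
    ip_mtu, session = 1500, None                       # VLAN tags live in the L2 header, so no MTU cost
    if etype == ETHERTYPE_PPPOE_SESSION:
        ver_type, code, session, _length = struct.unpack_from("!BBHH", frame, off)
        if ver_type != 0x11 or code != 0x00:
            raise ValueError("not a PPPoE session-stage frame")
        off += PPPOE_HDR
        (ppp_proto,) = struct.unpack_from("!H", frame, off); off += PPP_PROTO
        ip_mtu -= PPPOE_HDR + PPP_PROTO                # the 8 bytes PPPoE/PPP take out of the payload
        etype = ETHERTYPE_IPV4 if ppp_proto == 0x0021 else ppp_proto
    return Handoff(vlan_ids, session, etype, ip_mtu)

def max_ping_payload(ip_mtu: int) -> int:
    """Largest unfragmented ICMP echo payload: IP MTU minus 20-byte IPv4 and 8-byte ICMP headers."""
    return ip_mtu - 20 - 8

# Constructed sample frames: locally administered MACs, a made-up session id, and a zeroed
# 20-byte IPv4 header stub (the parser never reads past the L2 headers).
_MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
_IPV4_STUB = bytes(20)
PLAIN_FRAME = _MACS + struct.pack("!H", ETHERTYPE_IPV4) + _IPV4_STUB            # Active Ethernet style
PPPOE_FRAME = (_MACS
    + struct.pack("!HH", ETHERTYPE_8021Q, 10)                                   # VID 10, PCP 0
    + struct.pack("!HBBHHH", ETHERTYPE_PPPOE_SESSION, 0x11, 0x00, 0x1234, 22, 0x0021)
    + _IPV4_STUB)                                                               # GPON-style PPPoE handoff

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN_FRAME), ("pppoe", PPPOE_FRAME)):
        h = parse_handoff(frame)
        print(name, h, "max ping payload:", max_ping_payload(h.ip_mtu))
```

To use it on real traffic, feed the raw bytes of a WAN-side frame from your own capture (e.g. the `bytes` of a pcap record) into `parse_handoff`; an MTU lower than the value it reports means another layer of encapsulation sits upstream of your handoff.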
 