OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: allebone on March 26, 2021, 04:27:29 pm

Title: How to: Bypass Bell HH3000 fiber with basic unifi US-8-150W switch the easy way.
Post by: allebone on March 26, 2021, 04:27:29 pm
Hi there,

There was no good write up online so I am making one on how to avoid using a media converter and instead only use the home switch from Unifi for the SFP conversion.
I have a physical OPNSense box, and a Unifi switch. The fiber is supplied by Bell via a MAC-address-authorized SFP+ module that can work in the SFP ports of the Unifi US-8-150W switch, allowing you to not use the supplied router from Bell. Location is ON, Canada where VLAN 35 is used.

--------
KNOWN LIMITATIONS:
The 8-150W switch SFP port only syncs at a maximum of 1G so if you have an internet connection from Bell faster than 500/500 you can forget about it. That's about the max you will get (I think you would get about 600/600 on this method). For higher speeds you will need to buy and use a media converter, that should get you to about 800/800 with a 1.25G media converter. I have both the media converter and the switch but wanted to ditch the media converter as it's more power efficient for my UPS. The speeds are the same if you have the 500/500 package so for this reason just using the switch is an option for me. True speeds can be achieved with a 2.5G sync but this is only available on expensive equipment such as Unifi Edgerouters/switches or whatever and MikroTiks etc. which I don't have and don't really want to have to buy.
--------

Setup Layer 1:
Plug appropriate cable from FW WAN to switch and the Fiber to the SFP module on the switch as pictured in example.
(https://i.imgur.com/ZZwvm1r.jpg)
Port 1 is WAN on FW and first SFP port is 'Fiber'.
(https://i.imgur.com/Pdl7YvK.png)

Setup Layer 2:
In ON the Bell network runs on VLAN 35. Additional VLANS are needed for the TV service if you use this but I only get internet from Bell. As such only internet setup is shown below. You can adapt to your use case as required.

In the switch you will need to configure a few things. Start by accessing the networks section in the controller and make a new VLAN as per below:
(https://i.imgur.com/IwsPIgz.png)

Next make 2 switch profiles. BellVlan35SFP is to be used for the SFP port and FWVlan35Native is for the FW WAN port. Please note that the FW port has a native network set. This is important as it means we do NOT have to tag packets with a VLAN ID on the OPNSense box, as we are specifying the default VLAN for untagged traffic is 35 on this port. This means you can bypass the buggy vlanning on PPPoE in OPNsense entirely (i.e. what I found was inconsistent and did not work well). In theory you should be able to VLAN tag on the PPPoE connection but I found it did not always connect and the unreliability meant it was not a solution for me:

(https://i.imgur.com/KVbRlKa.png)

Next assign the relevant profiles to the relevant ports on the switch:
(https://i.imgur.com/gHG7GTu.png)

Layer 3:

Finally we can now authenticate via PPPoE on the OPNsense router:
This is exceedingly basic. If you already have PPPoE working to the homeHub3000 no changes are required. If you previously had VLAN tagging you just need to remove it. So the settings are super simple. Assign your WAN interface to the relevant interface in OPNsense and set up PPPoE as per example like this (replace relevant username/pass with your credentials):
(https://i.imgur.com/9PpFnwd.png)

As you can see, no vlanning is now required on the OPNSense. Here are example speeds on my 500/500 connection:
(https://i.imgur.com/EvrwBod.png)

To conclude, using this method you just need 2 pieces of equipment, your OPNsense FW and your Unifi Switch. No more Bell HH3000. All equipment can be restarted and auto reconnects as one would expect automatically with no user intervention at any point with this setup. Tested multiple times, no issues and get my expected full speeds.

Any questions just let me know :)

Pete
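
The tagging behaviour the post relies on, as an added illustration that is not part of the original post: a byte-level model of how an untagged PPPoE frame from the firewall port is classified into VLAN 35 and leaves the SFP port carrying an 802.1Q tag. The function names, the constructed sample frame, and the assumption that the SFP profile carries only VLAN 35 tagged are hypothetical; the profile screenshots are not reproduced here.

```python
import struct

BELL_VLAN = 35        # VLAN ID the post gives for Bell internet in Ontario
TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the destination and source MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def split_tag(frame: bytes):
    """Return (vid, untagged_frame); vid is None when there is no tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def fw_port_to_sfp(frame: bytes):
    """Firewall port (native VLAN 35) ingress, SFP port (tagged 35) egress."""
    vid, inner = split_tag(frame)
    if vid is None:
        vid = BELL_VLAN          # untagged traffic joins the native VLAN
    if vid != BELL_VLAN:
        return None              # assumed: SFP profile carries VLAN 35 only
    return add_tag(inner, BELL_VLAN)

def sfp_to_fw_port(frame: bytes):
    """SFP port ingress, firewall port egress (native VLAN leaves untagged)."""
    vid, inner = split_tag(frame)
    if vid != BELL_VLAN:
        return None              # assumed: untagged or other VLANs are dropped
    return inner

# Constructed sample: PPPoE discovery (PADI) broadcast from a made-up MAC.
PADI = (b"\xff" * 6 + bytes.fromhex("020000000001")
        + struct.pack("!H", 0x8863) + bytes.fromhex("110900000000"))

if __name__ == "__main__":
    on_fiber = fw_port_to_sfp(PADI)
    print("firewall sends :", PADI.hex())
    print("SFP port sends :", on_fiber.hex())
    print("round trip ok  :", sfp_to_fw_port(on_fiber) == PADI)
```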
Title: Re: How to: Bypass Bell HH3000 fiber with basic unifi US-8-150W switch the easy way.
Post by: allebone on April 14, 2021, 02:04:04 pm
Just an update, this has been working rock solid for me for a while now, no issues at all. Only thing I would say is if you have this same switch from Unifi it runs pretty hot so I ended up adding a fan to it to run it cooler as I didn't like that. I would suggest something similar if you have this exact model.
Title: Re: How to: Bypass Bell HH3000 fiber with basic unifi US-8-150W switch the easy way.
Post by: tessierp on June 07, 2021, 08:16:05 pm
Hi Allebone,

Thanks for this. I was with Videotron before and decided to make the jump to Bell. Videotron made this easy by having a bridge mode option on their Helix box and when I talked to a Bell rep, they told me it would be as easy with their box. Well, after reading around it seems that it is not as easy as I thought.

Your solution seems very simple however, unfortunately for me, I only have a layer 2 switch and I guess that won't work for me. So that leaves me with the media converter option.

I was wondering if I could ask you a few questions since you seem to have experience with all this.

1) If I set Bell's HH3000 box as DMZ, can I avoid all those headaches and continue to have my VPN server work? That is, in the case I want to limit the amount of change I need to do and keep Bell's router?

2) If I use a media converter, I will need to bring the RJ-45 from the media converter over to my OPNSense's WAN assigned interface and then :

    a) I need to create the VLAN ID for the internet on the WAN interface (in my case OPNSense is virtualized on Proxmox but it comes down to selecting the right interface which is vtnet0 for me)
    b) Configure PPPoE handling on the WAN interface

And I should be good correct?
Title: Re: How to: Bypass Bell HH3000 fiber with basic unifi US-8-150W switch the easy way.
Post by: allebone on June 07, 2021, 09:43:25 pm
Hi,

1) If I set Bell's HH3000 box as DMZ, can I avoid all those headaches and continue to have my VPN server work? That is, in the case I want to limit the amount of change I need to do and keep Bell's router?

The HH does not work in DMZ mode correctly. To avoid this you can, instead of using a media converter, leave the Bell HH with all default settings so it provides internet as normal 'out of the box' and then plug from your OPNsense WAN to LAN1 on the HH. Then configure PPPoE on OPNsense. The HH will function as normal and have a live IP and in addition a second live IP will be provided to your OPNsense. You can then turn off wifi on the HH if required or leave it on (although you will not be going via OPNsense if connected to the HH directly). No VLAN config needed in this setup.

This solution means the Bell box acts as a media converter for the firewall and allows PPPoE passthrough.

Another advantage of this is you can connect devices via the HH and they work as intended by Bell or connect devices behind the OPNsense and they work as you want your setup to do so. I used this myself for a while.

If you are in ON, then PPPoE will work. I believe some areas in Canada don't support PPPoE (Atlantic areas?)




2) If I use a media converter, I will need to bring the RJ-45 from the media converter over to my OPNSense's WAN assigned interface and then :

    a) I need to create the VLAN ID for the internet on the WAN interface (in my case OPNSense is virtualized on Proxmox but it comes down to selecting the right interface which is vtnet0 for me)
    b) Configure PPPoE handling on the WAN interface

And I should be good correct?


Yes this is correct. You are setting up VLAN 35 on WAN PPPoE and then the SFP module is also connected to the same media converter so it will get the packets thrown down to the exchange box outside.

I have not used this method to connect extensively. I believe it's less reliable or perhaps more fiddly to get working as the VLAN settings on PPPoE seem to need coaxing to get working but in a perfect world it will just work as you have said. I read some people had to delete the interface and start again as it was the only way to get it to work properly rather than modifying an already set up interface but this method is not the route I went as I mentioned so just going off what I read. I did have some trouble getting it to work at first but seemed okay afterwards. It was not a solution I was happy with however.


Out of the 2 options I would recommend using the Bell HH and PPPoE (option 1 with the HH I suggested) as it is tested and reliable (by myself) and requires no media converter.

I needed to take the HH out of the equation as I have a UPS and did not want to power an unneeded device (I save about 15w without it). If this requirement does not exist or you are using a media converter instead of the Bell equipment (i.e. something else is being powered in its place to accommodate) I don't see the point unless you hate Bell so much you cannot stand to use their equipment as a free media converter they have supplied.


Pete
Title: Re: How to: Bypass Bell HH3000 fiber with basic unifi US-8-150W switch the easy way.
Post by: tessierp on June 08, 2021, 04:19:12 am
Hi Allebone,

Thanks so much for all this information. It will be quite useful. I am in Gatineau btw so I'm hoping it will be using PPPoE but then again I don't know. It will be my first time with Bell Fiber. Like I wrote before, with Videotron it was a simple task, flip the switch to BRIDGE mode.

My only worry comes from my experience with Videotron's HELIX modem/router solution that didn't support static routing, ergo I could never get a connection to my VPN server, and so I assumed I would be facing the same issues with Bell's router if I can't find a way to make it into a bridge.

With the solutions you provided it seems to me option 1 is the less painful and sounds like my VPN server will work that way. And if I may ask one more question, setting PPPoE on OPNSense, that is just a simple matter of configuring a point-to-point device on my VTNET0 interface which is my WAN and I should be good to go, correct? May sound like I'm repeating myself from what I wrote previously but I am headed into uncharted territory with this config.

Thanks again for the help!

BTW, if I could afford a Ubiquiti switch (or any layer 3 capable switch) right this moment, I would probably go that route, not because I hate Bell but because I'm all for efficiency when I can, less power consumption. Granted, 15w is not a lot but still...
Title: Re: How to: Bypass Bell HH3000 fiber with basic unifi US-8-150W switch the easy way.
Post by: allebone on June 08, 2021, 09:27:23 pm
Just select your WAN interface after plugging it into LAN1 on the Bell HH and configure it as PPPoE on "IPv4 Configuration Type"

Under (PPPoE configuration) username/password you must type in the settings from your Bell account.

That's about it :)

I don't recommend the US-8-150W switch as it has no internal fans and gets quite hot. I would buy an active cooled one if I had to do it again. Just don't like hot PC equipment, that's all. I haven't had an issue so far after adding my own cooling but just don't really like that.
Title: Re: How to: Bypass Bell HH3000 fiber with basic unifi US-8-150W switch the easy way.
Post by: tessierp on June 08, 2021, 11:35:40 pm
Found it! I can't set it right now since I didn't move into my new house yet. I also will have to wire the house myself with CAT6 but at least I know exactly what to do now, thanks!

Duly noted for the US-8-150W. I think most POE switches have the same problems, they run hot and have loud fans unless you upgrade the fans. That is why I bought myself an HP ProCurve 1810-24G J9803A, an old and used 1G switch I know but, it is fanless and doesn't run so hot. Of course, I have no POE and as much as I wanted to install two WIFI POE devices like the Ubiquiti ones or cameras, I've decided not to do it. I'll go WIFI for the cameras and just get some good WIFI Access Points that I can connect in an outlet for power. Not the most elegant but I just don't want to have to deal with hot running devices and loud fans.

Thanks again!