IP and Routing: SFP GPON Module WebUI access

Hello!
I am trying to access WebUI on my SFP GPON Module (Zyxel PMG3000-D20B from Telekom, Germany) to set a password for the GPON connection, but I can’t understand what is wrong.
According to this article, the WebUI must be at the SFP module's IP address, 10.10.1.1.
I created the IP address 10.10.1.2/24 on the sfp-sfpplus1 interface and disabled the bridge port for sfp-sfpplus1.
IP Route for 10.10.1.0 on sfp-sfpplus1 was created automatically but is unreachable and invalid.
DIcH 10.10.1.0/24 sfp-sfpplus1 0
SFP Modem in interfaces was recognized and I can see a model number, and temperature, but can’t see anything on the status page.
Maybe the problem is not in the IP configuration but in the SFP module? I assumed that if the SFP module was recognized (it shows the correct name, serial, and temperature), everything is fine…
How to fix it?

Here is my Config.
You can see that I have already set up access to the WebUI of the external modem (192.168.100.1) by creating an IP address on the ether1 port.
And I expected to make the same with SFP.

[admin@MikroTik-PK] > export
# aug/20/2022 18:16:18 by RouterOS 7.4.1
# software id = 4J2H-VK94
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxx
# Bridges: "bridge" is the defconf LAN bridge; bridge-nl and bridge-nl2 are
# separate segments labelled for the two WireGuard tunnels.
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf name=bridge
add comment="Wireguard NL" name=bridge-nl
add comment="Wireguard NL2" name=bridge-nl2
# Both radios run as access points with the same SSID. Neither line names a
# security-profile, so presumably both use the default profile set further
# down -- confirm.
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80/160mhz-XXXXXXXX country=germany disabled=no distance=indoors installation=indoor mode=\
    ap-bridge skip-dfs-channels=all ssid=Dom-Pon wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=2442 installation=indoor mode=\
    ap-bridge ssid=Dom-Pon tx-power=10 tx-power-mode=all-rates-fixed wireless-protocol=802.11
# Two WireGuard interfaces; no private-key value appears in this export.
/interface wireguard
add listen-port=111 mtu=1420 name=wireguard_nl
add listen-port=1111 mtu=1420 name=wireguard_nl2
# The PPPoE client runs on VLAN 7 of ether1 and installs the default route
# (add-default-route=yes). When the session is up, Telekom-pppoe-out -- not
# ether1 itself -- is the interface that carries internet traffic, which
# matters for every rule below that matches on the WAN interface list.
/interface vlan
add interface=ether1 name=Telekom-vlan-7 vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=Telekom-vlan-7 name=Telekom-pppoe-out user=qweqweq@t-online.de
# Virtual APs on wlan2, one per WireGuard bridge (see /interface bridge port).
# No security-profile is given here either; WPS is switched off on both.
/interface wireless
add keepalive-frames=disabled mac-address=zxxz master-interface=wlan2 multicast-buffering=disabled name=wlan-nl ssid=Dom-Pon-N wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add keepalive-frames=disabled mac-address=zxzxz master-interface=wlan2 multicast-buffering=disabled name=wlan-nl2 ssid=Dom-Pon-N2 wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
# The firewall, neighbor discovery and MAC server all key off these two lists;
# membership is assigned under /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# The default profile still accepts wpa-psk next to wpa2-psk.
# NOTE(review): unless a legacy client needs WPA, limiting authentication-types
# to wpa2-psk removes the weaker option. The passphrase is not shown in this
# export.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
# Address pools and DHCP servers: one per bridge. dhcp_pool2 covers
# 192.168.100.2-254, the same subnet that ether1 uses toward the external
# modem (192.168.100.2/24 under /ip address).
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.90.2-192.168.90.254
add name=dhcp_pool2 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge-nl name=dhcp1
add address-pool=dhcp_pool2 interface=bridge-nl2 name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
# Both policy-routing tables are disabled. "wg-rable-nl" looks like a typo for
# "wg-table-nl", but /ip route and /routing rule use the same spelling, so the
# references are consistent.
/routing table
add disabled=yes fib name=wg-rable-nl
add disabled=yes fib name=wg-table-nl2
# sfp-sfpplus1 is kept out of the LAN bridge (disabled=yes) so that it can
# carry its own address toward the GPON module.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-nl comment="Wireguard NL" interface=wlan-nl
add bridge=bridge-nl2 comment="Wireguard NL2" interface=wlan-nl2
# Neighbor discovery is limited to the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): detect-internet is enabled on every interface; nothing else in
# this config depends on it, so it can presumably be set to none -- confirm.
/interface detect-internet
set detect-interface-list=all
# Only "bridge" is LAN and only ether1 is WAN. Telekom-pppoe-out, both
# WireGuard interfaces, bridge-nl, bridge-nl2 and sfp-sfpplus1 belong to
# neither list, so rules that match in-interface-list=WAN or
# out-interface-list=WAN do not apply to them.
# NOTE(review): the PPPoE interface is the internet uplink and is the one that
# should be a WAN member.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# allowed-address=0.0.0.0/0 lets the tunnel send to, and accept traffic from,
# any IPv4 address via the peer. Endpoint addresses and public keys are
# redacted placeholders here.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=1231231 endpoint-port=1111 interface=wireguard_nl persistent-keepalive=23s public-key=\
    "qweqw"
add allowed-address=0.0.0.0/0 endpoint-address=12312312 endpoint-port=1111 interface=wireguard_nl2 persistent-keepalive=23s public-key=\
    "eqweqw"
# Router addresses. Both tunnel interfaces sit in 10.66.66.0/24; the two
# WireGuard bridge gateways (192.168.90.1, 192.168.100.1) are disabled.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.66.60/24 interface=wireguard_nl network=10.66.66.0
add address=192.168.90.1/24 disabled=yes interface=bridge-nl network=192.168.90.0
add address=10.66.66.23/24 interface=wireguard_nl2 network=10.66.66.0
add address=192.168.100.1/24 disabled=yes interface=bridge-nl2 network=192.168.100.0
# No prefix length and network equal to the address: a host (/32) entry,
# currently disabled.
add address=192.168.1.1 disabled=yes interface=ether1 network=192.168.1.1
# Management address toward the external modem's WebUI (192.168.100.1 per the
# post). It shares 192.168.100.0/24 with the disabled bridge-nl2 gateway above
# and with dhcp_pool2; enabling that gateway would put the same subnet on two
# interfaces.
add address=192.168.100.2/24 interface=ether1 network=192.168.100.0
# Management address toward the GPON module (10.10.1.1 per the post). The
# connected route for 10.10.1.0/24 stays inactive until sfp-sfpplus1 is
# running, which is what the thread later identifies as the cause.
add address=10.10.1.2/24 interface=sfp-sfpplus1 network=10.10.1.0
/ip dhcp-server lease
add address=192.168.88.250 client-id=1:0:11:32:7e:fc:5b comment=NAS mac-address=adas server=defconf
add address=192.168.88.247 client-id=1:2c:9e:fc:52:6b:32 comment=Printer mac-address=sfsdfsd server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.90.1
add address=192.168.100.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.100.1
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. Which hosts can reach it is decided only by the input chain, whose
# last rule drops everything not arriving from the LAN list.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter rules are evaluated top to bottom; a packet that matches no rule
# is accepted.
/ip firewall filter
# Input chain (traffic addressed to the router): ends with a drop for
# everything that does not arrive from the LAN list, which contains only
# "bridge".
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain (traffic routed through the router).
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# This is the only rule that blocks new inbound forwarded connections, and it
# matches in-interface-list=WAN, which holds ether1 only. New connections
# arriving on Telekom-pppoe-out, wireguard_nl, wireguard_nl2 or sfp-sfpplus1
# are not matched and fall through to the implicit accept.
# NOTE(review): add the PPPoE interface (and any other untrusted uplink) to the
# WAN list so this rule covers it.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# The defconf masquerade covers ether1 only (the sole WAN member); presumably
# this is what lets LAN hosts reach the modem WebUI on 192.168.100.1. The
# tunnels and the PPPoE uplink each get their own masquerade rule below.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard_nl
add action=masquerade chain=srcnat out-interface=wireguard_nl2
# The dst-nat rules match on protocol and port only: no in-interface,
# in-interface-list or dst-address. Every TCP connection to 5000/5001 that
# reaches dstnat is redirected to the NAS, whichever interface it arrives on,
# including LAN clients connecting to those ports on outside hosts.
# NOTE(review): restrict the rules to the uplink interface, and confirm that
# the NAS services published this way are meant to be reachable from the
# internet.
add action=dst-nat chain=dstnat comment="NAS 5000" dst-port=5000 protocol=tcp to-addresses=192.168.88.250 to-ports=0
add action=dst-nat chain=dstnat comment="NAS 5001" dst-port=5001 protocol=tcp to-addresses=192.168.88.250 to-ports=0
add action=dst-nat chain=dstnat comment="NAS 443" disabled=yes dst-port=443 protocol=tcp to-addresses=192.168.88.250
add action=dst-nat chain=dstnat comment="NAS 1194 UDP" disabled=yes dst-port=1194 protocol=udp to-addresses=192.168.88.250
add action=masquerade chain=srcnat out-interface=Telekom-pppoe-out
# Default routes for the two policy-routing tables; both are disabled, as are
# the tables themselves.
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wireguard_nl pref-src="" routing-table=wg-rable-nl scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wireguard_nl2 pref-src="" routing-table=wg-table-nl2 scope=30 suppress-hw-offload=no target-scope=10
# IPv6 firewall; every entry carries a defconf comment. No IPv6 address or
# DHCPv6 client appears in this export, so presumably these rules see no routed
# traffic yet -- confirm.
# bad_ipv6 lists source/destination prefixes that the forward chain drops.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Input chain: specific accepts (ICMPv6, traceroute, DHCPv6-PD from link-local,
# IKE/IPsec), then a drop for anything not arriving from the LAN list.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Forward chain: the last rule drops everything not coming from LAN. Unlike
# the IPv4 forward chain, this does not depend on which interfaces are WAN
# members.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Policy-routing rules for the WireGuard tables; all four are disabled, so
# every source currently uses the main routing table.
/routing rule
add action=lookup-only-in-table disabled=yes src-address=10.66.66.0/24 table=wg-rable-nl
add action=lookup-only-in-table disabled=yes src-address=10.66.66.0/24 table=wg-table-nl2
add action=lookup-only-in-table disabled=yes src-address=192.168.90.0/24 table=wg-rable-nl
add action=lookup-only-in-table disabled=yes src-address=192.168.100.0/24 table=wg-table-nl2
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-PK
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
# Layer-2 management (MAC telnet and MAC WinBox) is accepted only on
# interfaces in the LAN list, i.e. the main bridge.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

To be able to ping, the interface must be running!

Hmmm… It is not running in my case.
But why?
Do I need to connect an optical cable to run it?
But it is not activated on ISP side and i also need to enter PLOAM on WebUI to activate it…

Thanks a lot for your idea!
My SFP GPON module needs to be connected by optical cable, and its status changes to running after about 1 minute.
Once the status had switched to running, I was able to ping the module and access the SFP WebUI!
Thanks!

Hi,
I need to log in to the web GUI of my GPON SFP module. My bridge is on the 192.168.1.0 network, while the SFP module has the IP address 192.168.2.1.

The gpon module is powered and working and I’m able to link to my ISP network
address.png
route table.png
Please could you help me to understand why I cannot ping the 192.168.2.1 address from my PC with 192.168.1.14 address ?

Because you’re using /32 addresses with wrong network address. Do yourself a favour and use /28 or less. If you don’t know what I’m talking about, then use /24.

Another issue is setup of SFP+ module … it needs a route back to your PC. If that can’t be setup, then you have to perform SRC-NAT …

Add the SFP GPON module's IP and MAC address to the IP > ARP list; then you can log in to the SFP GPON WebUI.

OK, I’ve changed the IP address configuration.

please explain me how to setup the route
thanks

no , it is not useful

That entirely depends on SFP+ module management interface.

If your router’s firewall and NAT config is still more or less default (as in: small MT RB devices’ default), then it should be enough to add sfp-sfpplus1 interface to WAN interface list and the default SRC-NAT (masquerade) will do the job for you.

I cannot change the route on the GPON module. What I mean is: which srcnat configuration do I need on the MikroTik?

Post your current config (output of /export file=anynameyouwish, redact sensitive data such as serial number, public IP address, passwords, etc.). Because proper advice can only be made after we see the rest of config.

# 2024-08-16 18:30:59 by RouterOS 7.15.3
# software id =  
#
# model = RB5009UPr+S+
# serial number =  
# Single LAN bridge; the admin MAC is redacted.
/interface bridge
add admin-mac=  auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
# PoE output is switched off on five ports. The SFP+ cage is pinned to
# 2.5G-baseX with auto-negotiation disabled for the GPON module.
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
set [ find default-name=ether8 ] poe-out=off
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no rx-flow-control=\
    auto speed=2.5G-baseX tx-flow-control=auto
# The internet uplink is PPPoE on VLAN 835 of sfp-sfpplus1. The module's
# management address is configured on sfp-sfpplus1 itself (192.168.2.2/24
# under /ip address), i.e. outside that VLAN.
/interface vlan
add interface=sfp-sfpplus1 name=vlan1 vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=timadsl
# The firewall, neighbor discovery and MAC server all key off these two lists.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# The factory DHCP server (192.168.88.x) is disabled; server1 hands out
# 192.168.1.10-99 on the bridge.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Dhcp ranges=192.168.1.10-192.168.1.99
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m \
    name=defconf
add address-pool=Dhcp interface=bridge name=server1
/queue type
add kind=fq-codel name=Fq_Codel
/queue simple
add disabled=yes dst=ether1 max-limit=800M/2G name=Fq_codel queue=\
    Fq_Codel/Fq_Codel target=ether1,ether1 total-queue=Fq_Codel
# ether1-ether8 are LAN bridge ports; sfp-sfpplus1 is listed but disabled, so
# it stays a routed interface of its own.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge disabled=yes interface=sfp-sfpplus1 unknown-unicast-flood=\
    no
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
# WAN holds the PPPoE uplink and LAN holds the bridge. sfp-sfpplus1 is in
# neither list, so the defconf masquerade (out-interface-list=WAN) does not
# touch traffic leaving toward the GPON module.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
add address=192.168.1.2/24 interface=bridge network=192.168.1.0
# Management address toward the GPON module (192.168.2.1 per the post). LAN
# hosts are routed out of this interface with their 192.168.1.x source address
# unchanged, so the module needs either a route back to 192.168.1.0/24 or
# source NAT on the router in order to answer.
add address=192.168.2.2/24 comment="modulo Gpon" interface=sfp-sfpplus1 \
    network=192.168.2.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment="Configurazione personal" gateway=\
    192.168.1.2
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# The router answers DNS queries from other hosts; the input chain limits who
# can reach it to the LAN list.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter rules are evaluated top to bottom; a packet that matches no rule
# is accepted.
/ip firewall filter
# Input chain: everything not arriving from the LAN list (the bridge) is
# dropped by the last input rule, after the ICMP and loopback accepts.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# The only rule that blocks new inbound forwarded connections. It covers the
# WAN list (pppoe-out1). New connections arriving on sfp-sfpplus1 itself are
# not matched while that interface is outside the list.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT applies only to traffic leaving through a WAN-list interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# telnet, ftp, ssh, api and api-ssl are turned off. www and winbox are not
# listed, so presumably they are still at their defaults -- confirm which
# management services remain enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# IPv6 firewall; every entry carries a defconf comment.
# bad_ipv6 lists source/destination prefixes that the forward chain drops.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Input chain: specific accepts (ICMPv6, traceroute, DHCPv6-PD from link-local,
# IKE/IPsec), then a drop for anything not arriving from the LAN list.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Forward chain: the last rule drops everything not coming from LAN, so
# forwarded IPv6 is denied by default regardless of WAN list membership.
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
# Traffic graphs for six Ethernet ports; four of them are kept in memory only
# (store-on-disk=no).
/tool graphing interface
add interface=ether8
add interface=ether5
add interface=ether3 store-on-disk=no
add interface=ether1 store-on-disk=no
add interface=ether2 store-on-disk=no
add interface=ether4 store-on-disk=no
# Layer-2 management (MAC telnet and MAC WinBox) is accepted only on
# interfaces in the LAN list, i.e. the bridge.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Just add sfp-sfpplus1 interface to WAN interface list:

# Put the GPON module's interface into the WAN list. This has two effects with
# the default firewall shown in the posted config:
#  - the defconf masquerade (out-interface-list=WAN) rewrites LAN sources to
#    the router's own address on sfp-sfpplus1, so the module can reply without
#    a route back to the LAN;
#  - the forward rule "drop all from WAN not DSTNATed" now also covers new
#    connections arriving on sfp-sfpplus1, so the module side is treated as
#    untrusted.
# NOTE(review): the entry is labelled comment=defconf although it is a manual
# addition; a descriptive comment would keep it distinguishable from the
# factory entries.
/interface list member
add comment=defconf interface=sfp-sfpplus1 list=WAN

And you should be fine.

@mkx

thank you