L009UiGS-2HaxD and Zyxel PMG3000-D20B

I have a L009UiGS-2HaxD and a Zyxel PMG3000-D20B ONT.
Previously, I had an external GPON module, and the MikroTik was connected to it via Ethernet to reach the Internet.
Now, I have a Zyxel PMG3000-D20B ONT SFP module and the Mikrotik uses it to connect directly to the internet.
IPv4 and IPv6 were working before, but with the SFP module, I don’t get a v6 address anymore. IPv4 is still working.

Any thoughts, what could be wrong?

[admin@MikroTik] > /export hide-sensitive
# RouterOS configuration export posted with the question. This part covers
# the bridges, the SFP port, WireGuard, VLAN sub-interfaces and switch-chip
# settings.
# 2024-12-16 18:32:07 by RouterOS 7.16.1
# software id = NPTX-3ZRK
#
# model = L009UiGS-2HaxD
# serial number = <redacted>
# NOTE(review): the serial number and the admin-mac below were redacted by the
# poster; the software id above was left in place.
/interface bridge
add admin-mac=xxxx auto-mac=no comment=defconf name=bridge
add disabled=yes name=bridge_guest
# bridge_internet is the WAN-side bridge: vlan50_sfp is attached to it and the
# DHCPv4/DHCPv6 clients run on it (see the later sections of this export).
# NOTE(review): vlan-filtering is not set on any bridge here; with RouterOS
# defaults that means pvid and /interface bridge vlan entries are not enforced.
add name=bridge_internet
add name=bridge_iot
add name=bridge_old
/interface ethernet
# sfp1 holds the ONT SFP module described in the post.
set [ find default-name=sfp1 ] loop-protect=off sfp-rate-select=low
/interface wireguard
# Listen port 13231 is the one opened in the IPv6 input chain further down.
# NOTE(review): no /interface wireguard peers section is visible in this export.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# vlan50_sfp (VLAN 50 on sfp1) is the interface used towards the ISP.
add interface=sfp1 name=vlan50_sfp vlan-id=50
add interface=ether7 name=vlan87_up vlan-id=87
add interface=ether3 name=vlan91 vlan-id=91
add interface=ether7 name=vlan91_up vlan-id=91
/interface ethernet switch port-isolation
set 7 forwarding-override=switch1-cpu
/interface ethernet switch port
# NOTE(review): mirrors ingress traffic of switch port entry 6 to the CPU.
# Together with mirror-egress-target under /interface ethernet switch this
# looks like leftover capture/debug configuration - confirm it is still wanted.
set 6 mirror-ingress-target=switch1-cpu
/interface ethernet switch port-isolation
set 6 forwarding-override=""
# Interface lists, IPv4 pools and DHCP servers, queueing and bridge membership.
/interface list
# WAN and LAN are the lists the IPv6 firewall rules match on.
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.30-192.168.88.254
add name=iot-pool ranges=192.168.91.10-192.168.91.100
add name=old-pool ranges=192.168.87.20-192.168.87.100
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1w10m name=defconf
add address-pool=iot-pool interface=bridge_iot lease-time=1w30m name=iot
add address-pool=old-pool interface=bridge_old lease-time=2w23h30m name=old
/queue simple
# NOTE(review): the target lists vlan50_sfp twice; one entry would be enough.
add max-limit=60M/22M name=wan target=vlan50_sfp,vlan50_sfp
/queue type
add kind=sfq name=default-sfq
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
# NOTE(review): hitzing4 and iot (below) are not defined anywhere in the
# visible export; presumably wireless interfaces whose section was omitted.
add bridge=bridge comment=defconf interface=hitzing4
add bridge=bridge_iot interface=ether8 pvid=91
add bridge=bridge_iot interface=vlan91
add bridge=bridge_iot interface=iot
add bridge=bridge_iot interface=vlan91_up
add bridge=bridge_old interface=vlan87_up
# ether1 is a member of the LAN bridge in this setup.
add bridge=bridge interface=ether1
# The ISP-facing VLAN interface is the only port of bridge_internet.
# NOTE(review): pvid=50 and ingress-filtering=no only take effect when
# vlan-filtering is enabled on the bridge, which this export does not show.
add bridge=bridge_internet ingress-filtering=no interface=vlan50_sfp pvid=50
# Global IP/IPv6 settings, bridge VLAN table, interface-list membership,
# IPv4 addressing and DHCPv4 clients.
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so it is not run on WAN.
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
# Router advertisements are accepted even though the device forwards IPv6.
# NOTE(review): this setting is global, not per-interface - confirm that RAs
# are only expected on the WAN side.
set accept-router-advertisements=yes
/interface bridge vlan
# The first three entries are disabled; only the VLAN 50 entry is active, and
# it names no tagged or untagged ports.
add bridge=bridge_iot disabled=yes tagged=ether3 vlan-ids=91
add bridge=bridge disabled=yes untagged=ether3 vlan-ids=1
add bridge=bridge_iot disabled=yes tagged=ether3 vlan-ids=1
add bridge=bridge_internet vlan-ids=50
/interface ethernet switch
# NOTE(review): egress mirroring to the CPU; looks like debug configuration -
# confirm it is still wanted.
set 0 mirror-egress-target=switch1-cpu
/interface list member
# LAN contains only `bridge`. bridge_iot, bridge_old, bridge_guest, wireguard1
# and sfp1 are in neither list, which matters for the `!LAN` drop rules in the
# IPv6 firewall.
add comment=defconf interface=bridge list=LAN
add interface=vlan50_sfp list=WAN
add interface=bridge_internet list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.91.1/24 interface=bridge_iot network=192.168.91.0
add address=192.168.99.1/24 interface=bridge_guest network=192.168.99.0
add address=192.168.89.1/24 interface=wireguard1 network=192.168.89.0
add address=192.168.87.1/24 interface=bridge_old network=192.168.87.0
# Static address directly on the untagged SFP port.
# NOTE(review): presumably used to reach the ONT module's own management
# interface - confirm, and check that this path is covered by the IPv4 firewall.
add address=10.10.1.2/24 interface=sfp1 network=10.10.1.0
/ip dhcp-client
# Only the client on bridge_internet is enabled.
add disabled=yes interface=bridge
add disabled=yes interface=vlan50_sfp
add interface=bridge_internet
# NOTE(review): no /ip firewall filter, /ip firewall nat, /ip dhcp-server
# network or /ip dns sections appear in this listing; presumably the poster
# trimmed them. The IPv4 filtering posture cannot be assessed from what is shown.
# DHCPv6 client on the WAN bridge and the address list of IPv6 ranges that
# should never appear as source or destination of forwarded traffic.
/ipv6 dhcp-client
# Requests both an address and a delegated prefix on bridge_internet; the
# prefix is stored in the pool "delegation".
# NOTE(review): no /ipv6 address entry using that pool is visible in this
# export, so nothing shown here assigns the delegated prefix to a LAN interface.
add add-default-route=yes interface=bridge_internet pool-name=delegation pool-prefix-length=56 request=address,prefix use-interface-duid=yes
/ipv6 firewall address-list
# bad_ipv6 is referenced by the two "bad src/dst ipv6" drop rules in the
# forward chain.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter rules: the defconf input/forward rule set plus a few local
# additions (two log rules, the WireGuard port, two trailing forward rules).
/ipv6 firewall filter
# NOTE(review): these two rules have no matchers, so every IPv6 packet in the
# output and input chains is logged before the remaining rules are evaluated.
# They look like troubleshooting aids; left enabled they fill the log quickly
# and can crowd out other entries.
add action=log chain=output log=yes
add action=log chain=input log=yes
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Matches the listen-port of wireguard1; accepted from any interface,
# including WAN.
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
# Evaluated before the `!LAN` drop below, so DHCPv6 replies arriving on the
# WAN side from link-local sources are not blocked by this rule set.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# NOTE(review): IKE and IPsec are accepted on input from any interface. No
# IPsec configuration is visible in this export; if IPsec is not used, these
# four rules can be disabled to reduce what the router answers on WAN.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# The LAN list contains only `bridge` in this export, so IPv6 input from
# bridge_iot, bridge_old, bridge_guest and wireguard1 is dropped here too.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Only new connections that entered from LAN reach the next two rules, because
# the rule above drops everything else. LAN-to-WAN is accepted and anything
# routed back out to LAN is dropped.
# NOTE(review): traffic from LAN towards interfaces in neither list matches no
# rule and falls through to the chain's default accept - confirm that is intended.
add action=accept chain=forward out-interface-list=WAN
add action=drop chain=forward out-interface-list=LAN
# IPv6 MSS clamping, router-advertisement settings for the LAN bridge, and
# system-level logging/NTP/boot settings.
/ipv6 firewall mangle
# Clamp TCP MSS to the path MTU on SYN packets leaving via bridge_internet
# (forwarded and router-originated). The third rule, without an interface
# match, is disabled.
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=bridge_internet passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu out-interface=bridge_internet passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 nd
# Router advertisements on `bridge` carry four DNS server addresses and are
# sent every 20s-1m.
set [ find default=yes ] dns=2a02:ca00:dc:102::51,2a02:ca00:dc:101::51,2606:4700:4700::1111,2606:4700:4700::1001 hop-limit=64 interface=\
    bridge ra-interval=20s-1m
/system logging
# Extra log topics for wireless and wireguard; the DHCP debug rule is disabled.
# NOTE(review): enabling it temporarily would show the DHCPv6 exchange while
# troubleshooting the missing IPv6 address.
add topics=wireless
add topics=wireguard
add disabled=yes prefix=dhcp topics=debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set enter-setup-on=delete-key

The problem seems to lie in the SFP module. I ordered a different SFP module from fs.com, which now works with IPv6.

Hallo derOberfranke,

I actually have the same problem! On top of that, my connection to Telekom drops approximately 20 times per day. I have also ordered a GPON ONU module from fs.com. Was your problem solved with this GPON module?

mfg Jonny

@Jonny I never had connection problems other than IPv6 not working. But I am using a different ISP and not Telekom. Anyway, the fs.com module works perfectly with IPv6.

I have now received the stick from FS, but it does not have a hex modem ID of 12-16 characters. It only has a serial number with 11 characters, which cannot be registered with Telekom!

So it seems to be a problem on telecom's side.

Check the documentation from fs.com. You may need to SSH into the SFP module to get/set the ID. Don't mix up the serial number with the ID that you need for Telekom.

So all is fine! The GPON serial number (12 hex digits) can only be seen via SSH.

This GPON serial number is given to Telekom, and they update it in their system. Then it works without issues.

Thank you all for help !