Please confirm that you are at least 18 years old to access the HWZ forum. (Why?)
×

Using Router behind CGNAT, behind ONR (Double NAT), ONR bridging, ONR replacement with ONU or PON Stick

HiHelloBye

HiHelloBye

Senior Member
HWZ Insider
Joined
Oct 8, 2010
Messages
1,312
Reaction score
380
cracker said:
yeah i had already signed some sports and EPL package with them… so i can only opt for the 10GB package which cost $45 first year and $88 the next but it seems this package only give the nokia onr… for now.
Click to expand...
for this package, you can request for ONT, as i did enquire them last Wednesday at their physical outlet...
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
Updated on 17-August-2024

From here, I documented some challenges with unbridged ZTE F8648P XGS-PON ONR with my newly installed Singtel 5Gbps plan.
https://forums.hardwarezone.com.sg/...-simba-and-vq.6930337/page-200#post-153389152

1) No more Singtel native IPv6 (two /56) and no more 2 public IPv4 addresses. Two users have managed to get Singtel native IPv6 to work with the ZTE F8648P ONR but with a lot of efforts.

Update -- I have created a support case with Singtel. Let's see how it goes.

2) I have to live with Double NAT for now with my Asus router / OpenWRT virtual router.

Update -- will have to live with this for now before I get to know a safe bridging method for ZTE F8648P ONR.

3) DDNS on the Asus router and OpenWRT router no longer work. Need to set up DDNS on the Singtel ONR.

Update -- Issue resolved. DDNS on the Asus and OpenWRT are working. Also set up DDNS on the Singtel ONR.

4) VPN servers no longer work (Asus Instant Guard and Wireguard on the Asus and OpenWRT) --> need to try to use port forwarding to get them working again. I will also check whether ZeroTier and Tailscall still work or not.

Update -- Issue resolved. ZeroTier and TailScale work. The Wireguard VPN servers on both Asus and OpenWRT work with port forwarding. I could not get Asus Instant Guard IPsec VPN server to work though.
 
Last edited:
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
xiaofan said:
4) VPN servers no longer work (Asus Instant Guard and Wireguard on the Asus and OpenWRT) --> need to try to use port forwarding to get them working again. I will also check whether ZeroTier and Tailscall still work or not.
Click to expand...

First updates: no issues using Zerotier on my Xiaomi Poco X4 GT phone to access my virtual OpenWRT router. I can even use Termux (Android terminal emulator and with a small Linux systems) to ssh into my virtual OpenWRT router and from there I can ssh into other systems (two N100 mini PCs running Proxmox PVE, and even ssh into my Asus RT-AX86U router).

I have some problems with Tailscale as it seems to me the mobile data connection times out to the OpenWRT virtual router.

So remote access to home network is not an issue with Double NAT.

Zerotier/Tailscale or other oberlay networks can be used for remote access to home network with CGNAT based ISP plan as well (SIMBA, MR and VQ).
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
xiaofan said:
3) DDNS on the Asus router and OpenWRT router no longer work. Need to set up DDNS on the Singtel ONR.
Click to expand...

The DDNS support of the ZTE F8648P has quite some options but most of them have quite some limitations for the free plan. In then end I choose to go with no-ip (need to confirm every 30days).
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
xiaofan said:
4) VPN servers no longer work (Asus Instant Guard and Wireguard on the Asus and OpenWRT) --> need to try to use port forwarding to get them working again. I will also check whether ZeroTier and Tailscall still work or not.
Click to expand...

1) Once I set up DDNS on the ZTE F8648P ONR, and then carry out port forwarding, Wireguard server on the Asus router is now working,

Last time I have two independant home networks so I can easiily test the performance.

Now I use mobie data network on my Xiaomi Poco X4 GT to test the connection.

2) I can not get Asus Instant Guard to work as there is no option in the Asus router app or the Instant Guard app to "Set up VPN with port forwarding". But at least now Asus DDNS is working.
https://www.asus.com/sg/support/faq/1045725/
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
xiaofan said:
3) DDNS on the Asus router and OpenWRT router no longer work. Need to set up DDNS on the Singtel ONR.

4) VPN servers no longer work (Asus Instant Guard and Wireguard on the Asus and OpenWRT) --> need to try to use port forwarding to get them working again. I will also check whether ZeroTier and Tailscall still work or not.
Click to expand...

Update on OpenWRT side.

1) DDNS -- got it working with the tip from OpenWRT forum.
The trick is to go to DDNS Advanced Settings and change "IP address source" from Interface to URL and use some of the following to get the public IP address.
https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip

HgFTIDR.png


2) For Wireguard VPN server on the OpenWRT side, once I sorted out the DDNS thingy, then I just need to carry out port forforwarding on the ZTE F8648P ONR to get it working.
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
xiaofan said:
1) No more Singtel native IPv6 (two /56) and no more 2 public IPv4 addresses. Two users have managed to get Singtel native IPv6 to work with the ZTE F8648P ONR but with a lot of efforts.

2) I have to live with Double NAT for now with my Asus router / OpenWRT virtual router.
Click to expand...

1) IPv6
For IPv6, somehow I can not even get Singtel 6rd to work on the ZTE F8648P ONR with the correct 6rd IPv6 settings. But the desire is to get native Singtel IPv6 to work.

I have created a support case with Singtel. Let's see how it goes.

Interestingly, I can get single instance of Singtel 6rd IPv6 to work under OpenWRT (Double NAT behind ZTE F8648P ONR).

2) Double NAT and Bridging
I have to live with #2 now before I can confirm that a safe bridging method exists for the ZTE F8648P ONR. One user managed to get Singtel to change to Nokia XGS-PON ONR (not deployed by Singtel to the users yet) to get bridging to work again with multiple IPv4 addresses.

I will probably live with the unbridged ONR for a longer while now. The original plan was only to live with ONR for one week...
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
1. Original plan -- that was assuming I can bridge the ZTE ONR.

1) Singtel ONR bridged 10G port -- Miniroute R1 Intel N100 mini PC with dual SFP+ ports and dual 2.5G ports running PVE and virtual OpenWRT/pfSense router (with SFP+ copper module and need a fan to cool down).

2) Miniroute R1 Intel N100 mini PC SFP+ port -- DAC cable -- SFP+ port of Hasivo 2.5G switch with quad 2.5G ports and one SFP+ port and one 10GBase-T port

3) Hasivo 2.5G switch 10GBast-T port -- Windows laptop or Mac Mini M1 with USB4/TB4/TB3 to 10G NIC for SpeedTest

4) Miniroute R1 Intel N100 mini PC 2.5G LAN port 1 -- Asus RT-AX86U as AP

5) Hasivo 2.5G switch 2.5G LAN port 2 -- Asus TUF-6500 or ZTE BE7200 Pro+ as AP

6) Hasivo switch 2.5G LAN port 3 --> CWWK Intel N100 mini PC with quad 2.5G ports running PVE and a few Linux contaniners and Linux/BSD VMs.

7) Hasivo switch 2.5G LAN port 4 --> Another CWWK Intel N100 mini PC with dual 2.5G ports running PVE and a few Linux contaniners and Linux/BSD VMs.

8) Asus RT-AX86U 1G LAN port --> TP-Link TL-SH1008 8-ports 2.5G switch --> 2.5G LAN port of the two CWWK mini PC and the Miniroute R1 mini PC. This is used as PVE admin access port when I connect my laptop to the Asus RT-AX86U router using wireless.

2. Current setup -- living with Double NAT with the unbridged ZTE F8648P ONR

1) Singtel F8648P ONR 10Gbps LAN port --> Hasivo Switch with dual 10G SFP+ ports + SFP+ copper module (hot, using a USB fan here). I will change it to another Hasivo model with one SFP+ port and one 10GBase-T port so that I do not need to use the hot SFP+ copper module.

2) Hasivo Switch 2nd 10G SFP+ port --> DAC Cable --> Miniroute R1 Intel N100 Mini PC 10G SFP+ port, runing Ubuntu 24.04 Linux (now that the ZTE is not bridged, lazy to set it up as PVE host).

3) Hasivo switch 2.5G port 2 --> CWWK Intel N100 mini PC with quad 2.5G ports running PVE and virtual
OpenWRT (Double NAT) along with some Linux containers and Linux/BSD VMs -- ZTE BE7200 Pro+ (or Asus TUF-6500) in AP mode.

4) Hasivo switch 2.5G port 3 --> Asus RT-AX86U in router mode using 2.5G port as WAN (Double NAT).

5) Hasivo switch 2.5G port 4 --> Another CWWK Intel N100 mini PC with dual 2.5G ports running PVE and a few Linux contaniners and Linux/BSD VMs.

6) Hasivo switch 2.5G port 1 -- not used now

7) Asus RT-AX86U 1G LAN port --> TP-Link TL-SH1008 8-ports 2.5G switch --> 2.5G LAN port of the two CWWK mini PC and the Miniroute R1 mini PC. This is used as PVE admin access port for the two CWWK mini PC when I connect my laptop to the Asus RT-AX86U router using wireless. I also use it to SSH into the Ubuntu 24.04 Linux installation of the Miniroute R1 N100 mini PC.
 
S

SNAG

Master Member
Joined
Jan 1, 2000
Messages
4,869
Reaction score
100
xiaofan said:
1. Original plan -- that was assuming I can bridge the ZTE ONR.

1) Singtel ONR bridged 10G port -- Miniroute R1 Intel N100 mini PC with dual SFP+ ports and dual 2.5G ports running PVE and virtual OpenWRT/pfSense router (with SFP+ copper module and need a fan to cool down).

2) Miniroute R1 Intel N100 mini PC SFP+ port -- DAC cable -- SFP+ port of Hasivo 2.5G switch with quad 2.5G ports and one SFP+ port and one 10GBase-T port

3) Hasivo 2.5G switch 10GBast-T port -- Windows laptop or Mac Mini M1 with USB4/TB4/TB3 to 10G NIC for SpeedTest

4) Miniroute R1 Intel N100 mini PC 2.5G LAN port 1 -- Asus RT-AX86U as AP

5) Hasivo 2.5G switch 2.5G LAN port 2 -- Asus TUF-6500 or ZTE BE7200 Pro+ as AP

6) Hasivo switch 2.5G LAN port 3 --> CWWK Intel N100 mini PC with quad 2.5G ports running PVE and a few Linux contaniners and Linux/BSD VMs.

7) Hasivo switch 2.5G LAN port 4 --> Another CWWK Intel N100 mini PC with dual 2.5G ports running PVE and a few Linux contaniners and Linux/BSD VMs.

8) Asus RT-AX86U 1G LAN port --> TP-Link TL-SH1008 8-ports 2.5G switch --> 2.5G LAN port of the two CWWK mini PC and the Miniroute R1 mini PC. This is used as PVE admin access port when I connect my laptop to the Asus RT-AX86U router using wireless.

2. Current setup -- living with Double NAT with the unbridged ZTE F8648P ONR

1) Singtel F8648P ONR 10Gbps LAN port --> Hasivo Switch with dual 10G SFP+ ports + SFP+ copper module (hot, using a USB fan here). I will change it to another Hasivo model with one SFP+ port and one 10GBase-T port so that I do not need to use the hot SFP+ copper module.

2) Hasivo Switch 2nd 10G SFP+ port --> DAC Cable --> Miniroute R1 Intel N100 Mini PC 10G SFP+ port, runing Ubuntu 24.04 Linux (now that the ZTE is not bridged, lazy to set it up as PVE host).

3) Hasivo switch 2.5G port 2 --> CWWK Intel N100 mini PC with quad 2.5G ports running PVE and virtual
OpenWRT (Double NAT) along with some Linux containers and Linux/BSD VMs -- ZTE BE7200 Pro+ (or Asus TUF-6500) in AP mode.

4) Hasivo switch 2.5G port 3 --> Asus RT-AX86U in router mode using 2.5G port as WAN (Double NAT).

5) Hasivo switch 2.5G port 4 --> Another CWWK Intel N100 mini PC with dual 2.5G ports running PVE and a few Linux contaniners and Linux/BSD VMs.

6) Hasivo switch 2.5G port 1 -- not used now

7) Asus RT-AX86U 1G LAN port --> TP-Link TL-SH1008 8-ports 2.5G switch --> 2.5G LAN port of the two CWWK mini PC and the Miniroute R1 mini PC. This is used as PVE admin access port for the two CWWK mini PC when I connect my laptop to the Asus RT-AX86U router using wireless. I also use it to SSH into the Ubuntu 24.04 Linux installation of the Miniroute R1 N100 mini PC.
Click to expand...
Just curious, what is the current issue with the bridging workaround? Selecting ONT option in firmware no longer works?
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
SNAG said:
Just curious, what is the current issue with the bridging workaround? Selecting ONT option in firmware no longer works?
Click to expand...

Dare not to try...

I do not want to be the first one to try and lost internet access.

There is no option to back up the ZTE F8648 ONR configuration to a USB drive. So I am not so sure if one can recover or not if the bridging using the ONT option does not work.

The good thing is that it forces me to learn some new stuff to live with Double NAT.
 
Last edited:
Nefalrin

Nefalrin

Banned
Joined
Dec 4, 2018
Messages
4,465
Reaction score
2,206
Switch to AP mode instead of router mode before connecting your downstream wireless router to your ONR.

And do not plug in the ONR to the Wan port of your wifi router.
Use the lan ports instead.

This will prevent double NAT.
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
Nefalrin said:
Switch to
AP mode
instead of
router mode
before connecting your downstream wireless router to your ONR.
And
do not
plug in the ONR to the Wan port of your wifi router.
Use the lan ports instead.
This will prevent double NAT.
Click to expand...

I like Double NAT better in this case.

When you have a good router, it is better to run it as router mode behind the ONR (Double NAT) than run it in bridge mode which makes the good router lose majority of its firmware functions.

But of course the best is to bridge the ONR.

For power users, it is in general better to avoid an ISP plan which uses ONR. That is why I do not recommend SingTel to new users.
 
Last edited:
Nefalrin

Nefalrin

Banned
Joined
Dec 4, 2018
Messages
4,465
Reaction score
2,206
xiaofan said:
I like Double NAT better in this case.

When you have a good router, it is better to run it as router mode behind the ONR (Double NAT) than run it in bridge mode which makes the good router lose majority of its firmware functions.

But of course the best is to bridge the ONR.

For power users, it is in general better to avoid an ISP plan which uses ONR. That is why I do not recommend SingTel to new users.
Click to expand...
Creating a new network is always bad for networking.

AP mode only loses NAT and dhcp functionality which is ok because all we need is a switch and wifi for downstream.
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
Nefalrin said:
Creating a new network is always bad for networking.
AP mode only loses NAT and dhcp functionality which is ok because all we need is a switch and wifi for downstream.
Click to expand...

Sorry but no need to convince me in this case. I know what is the best for my use cases, which may well be different from your use cases...

All you need is a switch and WiFi for downstream. My requirements are totally different.
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
More info for bridging the Huawei HG8240T5 ONR.

cdjockey said:
Hi, I just signed up to WC and they installed the other day I have a double NAT and was thinking of bridging ports.

They supplied a HG8240T5 which although the label says 192.168.1.254 was actually set at 192.168.10.254.

I think the ONR might be a refurb (stuff written on carboard box) so maybe that explains it. I logged on as 'root' using info on base and also logged on as 'support' (PW backwards). Under neither login view was WAN listed as an option on the 'cog' (advanced configuration) menu at the top where I have seen it in other posts, only LAN was listed. Am I doing something wrong?

I found this in one of the menus:
HWVer:17ED.A;
SWVer:V5R021C10S235;

Does anyone have any more info on HG8240T5 bridging?

Any help much appreciated. Thanks
Click to expand...

cdjockey said:
Thanks xiaofan, I forgot to mention I had looked at your consolidated list before (thanks for putting that together, a great resource(y)). Unfortunately mine seems to be different, maybe because of a newer firmware (SWVer:V5R021C10S235)?

The telecomadmin account didn't work, but the 'support' one did (with backward password) and it does give more options, but not a WAN tab under the cog settings.

What I did find when looking back through the threads is that people got it working doing two steps; enable 'DHCP relay' and then alter under 'mode switching' you should be able to bridge some ports.

Firstly does anyone know if I just enable 'DHCP relay' it will likely cause any issues (at least for testing)?:

1.jpg


secondly I located the 'mode switching' section, but interestingly all the labels are 'undefined'. would enabling 'DHCP relay' somehow enable/label them?:

2.jpg


or does anyone who has this model (HG8240T5) have a screenshot of what their settings are on this page for a successful bridge?

When I try to alter the settings the only one that seems to allow me to individually choose LANs is option 2.

Option 1 - not able to select and deselect individual LANs
Option 2 - can select individual LANS (not tried applying yet)
Option 3 - current default, no ability to select individual LANs

3.jpg


Thanks
Click to expand...

dhnoob said:
I have the same setup.

So I went with my gut and unchecked LAN1 on the second undefined checkbox, then clicked on the first undefined button.

A blank pop up appears with just 'Cancel' and 'OK' .

I hit OK.

After that my router starts to turn on the second WAN for load balancing, now the light is blinking normally.

I don't seem to have a second public IP, in fact according to WC, they only provide private IP now. Nevertheless, on the ONR's Ethernet info, the two ports seem to work. If there is a second IP address provided from WC on the unchecked LAN port, I cannot see it.

Hope this works for you.

I don't hit beyond 1Gbps sadly, so I think it's not a proper bridge. But my ping and jitter are down massively. And I am using a VPN to speedtest and hitting almost full 1Gbps.

Edit: I notice that on my Dual WAN settings, if I set the load balance to anything other than 2:2, the whole thing goes bonkers. Not sure if you will have the same issue. I'm also not quite able to properly access the ONR settings unless I connect directly.

Wondering if anyone knows if I should still enable DHCP server on the ONR, or just enable DHCP relay?
Click to expand...
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
seowbin said:
Even have the xgspon onu, nowadays the password also super complicated. No longer can find online. Unless someone leaks it
Click to expand...

You mean the password of the XGS-PON ONR from ISPs, right?

In the case of Singtel ZTE F8648P XGS-PON ONR, super-admin password is available.

In the case of Starhub Nokia XS-2426X-A ONR, super-admin password is generated during the installation. So you can only hope to get that password. If missing the boat then that is it.
 
X

xiaofan

High Supremacy Member
HWZ Insider
Joined
Sep 16, 2018
Messages
30,170
Reaction score
8,231
You must log in or register to reply here.
Important Forum Advisory Note
This forum is moderated by volunteer moderators who will react only to members' feedback on posts. Moderators are not employees or representatives of HWZ. Forum members and moderators are responsible for their own posts.

Please refer to our Community Guidelines and Standards, Terms of Service and Member T&Cs for more information.
Top