ONT connecting to Cisco router and pfsense doing pppoe

Hello to all,

I would like to ask for your help/knowledge on an issue I am facing and trying to resolve. It seems that I am missing something, and for a few days now I can't find a solution while reading on the web and forums.

Background,
Until very recently I had a VDSL connection to my home which was connecting to my Cisco router 2911 on a VDSL controller which was doing the modulation. From there I was passing the signal through a vlan (32) to a Cisco switch 3750 and then to my hypervisor that had the VM with the pfSense. Then pfSense was doing the PPPoE on vlan32 and all was working well.

New connection,
I just upgraded my connection to an FTTH! :sunglasses:
Because I do not have an ONU module I use my ISP ONT to convert the fiber to ethernet. The goal would be again for my pfSense to do the PPPoE.
Unfortunately I have tried to drop the ONT directly to the 3750 switch on vlan32 and play a little bit with the QinQ vlan on pfSense but no success.
I also tried to follow what I had set up before with the ONT connecting to the 2911 router and setting up a subport (vlan) on that interface and again the pfSense isn't able to establish connectivity.

Maybe a drawing would help,

Here also the configs from the VDSL:

controller VDSL 0/1/0
 operating mode vdsl2
 firmware filename flash:VA_A_39t_B_35j_24m
 description *** VDSL VODAFONE ***
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.32
 description *** VODAFONE Vlan 32 ***
 encapsulation dot1Q 32
 ip address 192.168.32.1 255.255.255.0
 ip virtual-reassembly in
 bridge-group 2
!
interface Ethernet0/1/0
 description *** VODAFONE ***
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no mop enabled
!
interface Ethernet0/1/0.835
 description *** VLAN VDSL VODAFONE ***
 encapsulation dot1Q 835
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 bridge-group 2

Here the configs for the FTTH:

interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.32
 description *** VODAFONE Vlan 32 ***
 encapsulation dot1Q 32
 ip address 192.168.32.1 255.255.255.0
 ip virtual-reassembly in
 bridge-group 2
!
interface GigabitEthernet0/1
 description *** ftth internet VODAFONE ***
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1.835
 description *** VLAN VODAFONE ***
 encapsulation dot1Q 835
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly in
 bridge-group 2

If I add to gi0/1.835 the two following lines

 pppoe enable group global
 pppoe-client dial-pool-number 2

and enable my dialer2 I get my 2911 router to do the PPPoE without issues.
I don't want to have the 2911 do the PPPoE because I have another connection there and it's a long story.

The ISP requires to use the vlan835 for data and vlan836 for voip.
[Image: Basic settings equipment by ISP]
[Image: Basic characteristics equipment by ISP]

Does anyone have any idea what I am missing here?
I tried at the pfSense to directly connect it to the vlan32 for the wan and nothing, create an interface with vlan32 for the wan and nothing, do a QinQ (dual nest of vlan) with the 835 on vlan32 for the wan and nothing.
Not sure what I don't see.

Any help would be greatly appreciated!
Thanks again!

ElessarGR

Why not just use VLAN 835 and 836 all the way from the ONT port (tagged) to PFSense (connect the ONT to the 3750)? Why introduce VLAN 32 and try to use QinQ?

hi brwainer,
good question. The reason is that I have a second ISP connection to the 2911 that is similar to the old connection (VDSL) and utilizes the vlan835.
So I then use secondary vlans with the “bridge-group” option to connect them to my different vlans that I use internally in my network.
ISP2 utilizes internally the vlan32 and ISP1 utilizes internally the vlan31.

ISP1 (VDSL) is connected to

e0/0/0
e0/0/0.835 (data)

ISP2 (FTTH) is connected to

gi0/1
gi0/1.835 (data)

But if ISP1 is properly working through VLAN31, that leaves the VLANs used by ISP2 free within the 3750 and your hypervisor.

I am not sure that I can use vlan835 since it's already in use within the 2911 router.
So you are suggesting to try to make a new subinterface at the gi0/0 (gi0/0.835) and then send this to the pfSense?
Should it be set similar to the gi0/0.32?

No, I’m saying do this config on the 3750:

vlan 835
vlan 836
int g 1/0/x
switchport mode trunk
switchport trunk allowed vlan 835,836

And then plug the ONT into the port you just configured. Allow vlan 835 to/through your hypervisor, and give PFSense an interface in that VLAN.

I don’t see any purpose in the 2911 being in the middle of this communication. It’s nice that your service vlan config works with the VDSL but it’s a bodge and I think you should try the simpler solution.


Okay, so it also needed

 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 835,836
 switchport mode trunk

At the pfSense it also needed the actual creds of the ISP connection and not the generic ones that the ISP had in its documents.

NOW IT WORKS!!
Thank you so much!

Next would be to configure the call center to work with vlan836. That would be fun with the SIP! :slight_smile:
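
A way to check the tagging question from this thread on captured frames, as an added example that is not part of any participant's post: the parser walks the VLAN tag stack of an Ethernet frame and reports whether a PPPoE frame carries only the ISP's data VLAN 835 or arrives untagged, in VLAN 32, or double-tagged (QinQ 32/835). The function names and the PADI frames are constructed for illustration; in practice the bytes would come from a packet capture on the ONT-facing port.

```python
import struct

TPIDS = (0x8100, 0x88A8)                 # 802.1Q and 802.1ad (QinQ outer) tag types
PPPOE_DISCOVERY, PPPOE_SESSION = 0x8863, 0x8864
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

def parse_frame(frame: bytes):
    """Return (vlan_stack, ethertype, pppoe_discovery_code_or_None)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:            # walk every stacked VLAN tag
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)       # low 12 bits of the TCI are the VLAN ID
        offset += 4
    payload, code = frame[offset + 2:], None
    if ethertype == PPPOE_DISCOVERY:
        if len(payload) < 6:
            raise ValueError("truncated PPPoE header")
        code = PPPOE_CODES.get(payload[1], f"unknown(0x{payload[1]:02x})")
    return vlans, ethertype, code

def check_wan_tagging(frame: bytes, expected_vlan: int = 835) -> str:
    """Compare a frame's tag stack with the single data VLAN the ISP requires."""
    vlans, ethertype, code = parse_frame(frame)
    if ethertype not in (PPPOE_DISCOVERY, PPPOE_SESSION):
        return "not PPPoE"
    if vlans == [expected_vlan]:
        return f"ok: {code or 'session'} single-tagged {expected_vlan}"
    return f"mismatch: tag stack {vlans}, ISP expects [{expected_vlan}]"

def build_padi(vlans):
    """Constructed PADI (broadcast, no PPPoE tags) carrying the given VLAN stack."""
    src = bytes.fromhex("020000000001")  # constructed locally administered MAC
    tags = b"".join(struct.pack("!HH", 0x8100, v) for v in vlans)
    pppoe = struct.pack("!BBHH", 0x11, 0x09, 0, 0)  # ver/type, PADI, session 0, len 0
    return b"\xff" * 6 + src + tags + struct.pack("!H", PPPOE_DISCOVERY) + pppoe

if __name__ == "__main__":
    for stack in ([835], [32, 835], [32], []):
        print(stack, "->", check_wan_tagging(build_padi(stack)))
```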