How to configure GPON's sfp-wan?

Hello,

I have a Sinovoip BananaPi BPI-R4 with an XGSPON ONU Stick with MAC SFP+.

I would like to replace my Connect Box 3 Fiber from my Sunrise's CH Fiber ISP.

I followed "New fiber connection - 1G GPON vs 2.5G/10G XGS-PON" to maybe get something working (ONU id 46) with the GPON in sfp-lan (and with an internal IP of 192.168.0.77).

Then, to get a non-private IP and be connected to the internet, I put the GPON into sfp-wan, and it only receives two packets and no more, despite all the different attempts I make.
I tried having the firewall all set to accept, without masquerading, etc.

Also, I didn't find a way to telnet to the GPON when it's in the sfp-wan port.
Is there a way to access the GPON (192.168.0.77) when it's in the wan port (while keeping lan on 192.168.0.1/24)?

I tried lots of different images and also self-compiled ones (because I need "Add tx_power check during eeprom loading #954", otherwise I am limited to 5mW for Wi-Fi).

/etc/config/network:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd99:5184:5276::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'sfp-lan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
	list ports 'sfp-wan'

config device
	option name 'wan'
	option macaddr 'random mac'

config device
	option name 'sfp-wan'
	option macaddr 'Mac from CB 3'
	option promisc '1'
	option acceptlocal '1'
	option arp_accept '1'
	option drop_gratuitous_arp '1'

config interface 'wan'
	option device 'wan'
	#option device 'sfp-wan.12'
	option proto 'dhcp'
	#option vendorid '100008,0001'
	#option broadcast '1'
	#option force_link '1'

config interface 'wan6'
	option device 'wan'
	#option device 'sfp-wan.12'
	option proto 'dhcpv6'
	#option reqaddress 'try'
	#option reqprefix 'auto'
	#option norelease '1'
	#option force_link '1'

config device
	option type '8021q'
	option ifname 'sfp-wan'
	# I am not sure which VLAN I need, so I tried lots of them
	option vid '131'
	option name 'sfp-wan.12'
	option macaddr 'Ont's Mac from CB3'
	option promisc '1'
	option acceptlocal '1'
	option arp_accept '1'

/etc/config/firewall:
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Does anyone have an idea of what to try?

Thank you very much!

Get rid of br-wan and list sfp-wan directly (with or without a VLAN number as needed) as the wan device. It is not going to work the way you have it, since once a port is in a bridge it can't be used directly; you would use the bridge name.

If the wan DHCP ends up 192.168.0.X you need to change lan to something else.
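
The point made in the reply above, that a port which is a bridge member cannot also be used directly as an interface's device, can be checked mechanically. The shell function below is an added example, not part of the original thread; the function names and the trimmed sample config (modelled on the one posted) are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a UCI network config (read on stdin) for interfaces whose
# device, or whose 802.1q parent device, is already a port of a bridge.
bridged_port_misuse() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    /^[ \t]*#/ { next }                      # skip commented-out options
    $1 == "config" { n++; kind[n] = $2; sect[n] = unq($3); next }
    $1 == "option" && $2 == "name"   { name[n] = unq($3) }
    $1 == "option" && $2 == "type"   { type[n] = unq($3) }
    $1 == "option" && $2 == "ifname" { parent[n] = unq($3) }
    $1 == "option" && $2 == "device" { dev[n] = unq($3) }
    $1 == "list"   && $2 == "ports"  { ports[n] = ports[n] " " unq($3) }
    END {
        for (i = 1; i <= n; i++) {           # index bridges and VLAN devices
            if (kind[i] != "device") continue
            if (type[i] == "bridge") {
                m = split(ports[i], p, " ")
                for (j = 1; j <= m; j++) bridge_of[p[j]] = name[i]
            } else if (type[i] == "8021q") vlan_parent[name[i]] = parent[i]
        }
        for (i = 1; i <= n; i++) {           # check every interface binding
            if (kind[i] != "interface" || dev[i] == "") continue
            d = dev[i]
            if (d in vlan_parent) d = vlan_parent[d]
            if (d in bridge_of)
                printf "%s: device %s is a port of bridge %s\n", sect[i], dev[i], bridge_of[d]
        }
    }'
}

# Constructed sample, trimmed from the layout posted in the question.
sample_config() {
    cat <<'EOF'
config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
	list ports 'sfp-wan'
config interface 'wan'
	option device 'wan'
config interface 'wan6'
	option device 'sfp-wan.12'
config device
	option type '8021q'
	option ifname 'sfp-wan'
	option name 'sfp-wan.12'
EOF
}
sample_config | bridged_port_misuse
```

On a router the same check can be run as `bridged_port_misuse < /etc/config/network`; no output means no interface is bound to a bridged port.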

Thank you very much for your answer.
Sorry, I should have written that I also tried without br-wan (with the same result), but I have certainly made some other errors in that attempt (since your suggestion I have retried many times without success).
Is there a complete example somewhere of how it should be done?
Thank you very much again.