Turris Omnia or alternative?

Would you mind sharing a picture or a schema of this "not as elegant" setup?

Also, we all would like to know about these vulnerabilities.

Alright, then now I would have to find an SFP module that (a) works with my provider and (b) has drivers that work. Any suggestions or hints?

Generally speaking, the Qotom devices seem to offer the best hardware for the price, so I guess I would be going for it. Are the remaining parts of RouterPC_Q20331G9S10.html supported by OpenWrt?

Old image with a PoC case, but you get the idea :slight_smile:
rockpro64-pcie-case

Nice but that's not a device but a project.
I believe the OP is looking for a ready-to-buy router, not a DIY one.
Also, the vulnerabilities have mitigations, so not much of an issue.

What is your provider using? GPON?
Here's a list for the Turris Omnia that should work with OpenWrt:
https://wiki.turris.cz/en/public/sfp
I've successfully used AFM0002
As for the qotom device maybe @JonFo can help with details

My provider is Telekom (https://www.telekom.de/netz/glasfaser/ftth)

Never claimed it were

Except that some do not and some come with severe performance penalties

That is relatively convenient, DTAG is pretty open to provisioning third-party ONTs... However, an ONT is essentially its own separate computer (the Intel Falcon platform actually runs a version of OpenWrt internally), which means that it will need some time to boot up; for some SFP ONTs on Turris Omnias there is a report that after a cold boot the Omnia will not recognize the ONT and that it takes a "warm" reboot before the OS sees the ONT...
Have a look at:

I take it this refers to the "known hardware vulnerabilities"?

I note that ARM cores are not free of these either:

(Side note: the Arm A53, by virtue of being a rather uninspired in-order design, actually avoided that issue.)

I am not trying to diss Arm here; they have some pretty nice and competent CPU designs that are at the very least playing in the same league as x86 designs (some are faster, some are slower). I am a bit puzzled by your attitude, however, given that EUR for EUR x86 is giving Arm a pretty tough fight if we are talking about CPU performance to do interesting things in software. (This is not by necessity, but a choice of those building Arm systems.)

Ok, so the MA5671A SFP. Do I get this right, that I have to flash OpenWrt on that module in addition to the router itself?!

I am still on VDSL2, so I have no first-hand experience I can offer. Also, in spite of owning and operating an SFP-capable Turris Omnia, I personally tend to prefer a standalone ONT over an SFP module... (that would likely be different for AON, where SFP modules are considerably simpler, but for GPON I personally see little gain in an SFP ONT).

I fully agree. I ended up ditching the SFP ONT as well on my Omnia in favor of a dedicated ONT, mainly because it wasn't supported officially by my ISP and it was cutting the connection randomly.
But as I understand it, Telekom supports 3rd-party ONTs, so the OP's experience might very well be positive in this regard.

No, and you can't (none of those are supported to run OpenWrt, nor likely will be).

But these SFP modules themselves are running a proprietary firmware, often building upon an ancient OpenWrt environment, a proprietary 2.4.x kernel and proprietary userspace programs. None of that is really visible to you, nor part of your network. A GPON ONT behaves quite similarly to the way cable modems operate, taking time slices for shared resource access (for GPON something like 16 to 64 customers are passively spliced together on one active fibre link).

Wow, well doesn't that then basically mean an SFP module is rather worse than no SFP module?

It depends... SFP modules are really great for what they were designed for, namely being able to change the PHY of a network "port" (NIC or switch port) relatively easily, so the same active device can easily be integrated into networks with different physical properties (e.g. different optics for different distances). They also work for putting more involved things into an SFP slot, like a G- or XGS-PON ONT or even a DSL modem, but then the modules are more than simple PHYs and the whole idea comes with different trade-offs. So for active point-to-point Ethernet over fibre (aka AON), I would happily get an SFP module to directly connect my router, but for any of the PONs I personally am far less enthusiastic, BUT that does not mean everybody needs to follow my preference; e.g. if one prefers fewer devices (and fewer PSUs), then integrating an ONT into a router might be exactly what one desires.
You need to decide for yourself what you prefer; any choice is defensible :wink:

To elaborate: for the download direction the upstream element, called an OLT, encrypts each packet with a key only known to the ONT intended to receive that packet (so customers do not see each other's download packets); for the upload direction, however, GPON employs a request/grant mechanism similar to DOCSIS, where each device needs to ask for transmit slots and is only allowed to actually transmit inside these slots, otherwise two ONTs might send data to the OLT concurrently, at which point the OLT only receives a garbled mess. (ONTs do not really see each other's transmits all that well due to the splitters, and IIRC they do not even have sensors for the upstream frequency band.)
In a perfect world FTTH would be built as a point-to-point network (allowing it to be operated both as PON or AON), but in the world we live in most ISPs opt for the cheaper PON with passive splitters out in the field... still, even >10-year-old GPON is already a big improvement over DSL or DOCSIS and likely fast enough for at least the next decade, but I digress.
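The sharing model described above, as an added example that is not part of the original post: a small simulation of one splitter with an OLT and several ONTs, where every downstream frame reaches every ONT but is encrypted for one destination, and upstream transmissions are only valid inside windows the OLT granted. The HMAC-based keystream stands in for GPON's AES counter mode, and the class and function names are the example's own, not any real stack's API.

```python
import hashlib
import hmac

def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Illustrative counter-mode keystream (HMAC-SHA256 stand-in for GPON's AES-CTR)."""
    out, block = b"", 0
    while len(out) < length:
        msg = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class Olt:
    """Upstream element: broadcasts downstream frames and grants upstream slots."""
    def __init__(self, ont_keys: dict[str, bytes]) -> None:
        self.keys = ont_keys  # one key per ONT, known only to the OLT and that ONT
        self.counter = 0

    def send_downstream(self, dst: str, payload: bytes) -> tuple[str, int, bytes]:
        # The splitter delivers this frame to every ONT; only `dst` holds the key.
        self.counter += 1
        ks = keystream(self.keys[dst], self.counter, len(payload))
        return dst, self.counter, xor(payload, ks)

    def bandwidth_map(self, requests: dict[str, int]) -> dict[str, tuple[int, int]]:
        # Request/grant: each ONT asked for n slots; hand out non-overlapping windows.
        grants, t = {}, 0
        for ont, n in sorted(requests.items()):
            grants[ont] = (t, t + n)
            t += n
        return grants

class Ont:
    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key = name, key

    def receive(self, frame: tuple[str, int, bytes]) -> bytes:
        # Every ONT sees every downstream frame; the wrong key yields only noise.
        _dst, counter, ciphertext = frame
        return xor(ciphertext, keystream(self.key, counter, len(ciphertext)))

def upstream_collisions(windows: dict[str, tuple[int, int]]) -> list[tuple[str, str]]:
    """Pairs of ONTs whose transmit windows overlap (the OLT would receive garbage)."""
    names = sorted(windows)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if windows[a][0] < windows[b][1] and windows[b][0] < windows[a][1]]
```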

Some ISPs fortunately take that advice: two dedicated fibres per customer to one (of two in the whole town) POPs, passive splitters only being deployed there, on their premises. So all steps necessary to upgrade the line, remove the splitters and switch a line from GPON to AON can happen within their garage-sized POPs. That obviously doesn't mean that you, as a customer, have any influence on that (apart from ordering a 10 GBit/s connection with "pricing on request"...), but at least they can upgrade the lines easily, in a central location.

Turris Omnia looked amazing 7 years ago. I'm not so sure now. We need more devices with the ability to route multi gig speeds on all ports. I'd love that to be a low powered arm device, but I'm tired of waiting and there are x86 devices you can buy right now including the SFP ports if you really need such a thing.

[Placeholder for a later post]
Currently a lot of work, so didn't get to reply yet!

I got the Indiegogo Omnia 2GB. Paid a bit more to get it after the end of the campaign, though. More than $200, I think.

To go back to the original questions:

I never used the SFP connector. It seems to be limited to 1G anyway, so the only benefit is to connect directly to fiber.

I think the concern over the port population number is a bit extremely niche. Most routers, especially affordable routers, have only a single Ethernet PHY going to an internal switch, anyway. This becomes an amusing part of the Omnia story later on. Most people will just connect the router to another switch if they need more ports.

I have had multiple problems. For a small household, it was working OK. When I tried running it in a small-business setting 6 years ago with dozens of users, then the threat analysis reporting script (launched periodically from cron) would cause the memory to fill and the oom-killer would sacrifice the DNS resolver. This was not specific to Knot. I tried more conservative DNS resolvers, and oom-killer kept on killing DNS. I eventually figured out it was the Sentinel distributed threat monitoring system, and turned it off, and the router gave no further RAM problems in this setting.

At my home, with a bunch of roommates, Sentinel causes fewer problems, but it still killed DNS a few times, last time about 2 years ago. And then my roommate configuration changed, so I'm not sure how much of the smoother performance is because of improvements in the software, and how much is less activity for Sentinel to report.

The WiFi in the original Omnia is very not good. I don't know how good the WiFi 6 module is, though, which can be slotted into the original Omnia as an upgrade.

One charming element of the Omnia design is that it has 2 gigabit PHYs attached to the internal switch. I don't think it supports LAGG, but in the original version of Turris OS you could allocate different VLANs to each PHY. However, DSA was built for the normal use case, where the router uses a single PHY to connect to the built-in switch. Thus, when OpenWRT 21 changed from swconfig to DSA, and Omnia switched to DSA in Turris OS 4, then it lost the ability to interact through one of the Ethernet interfaces. This is an extremely niche concern, considering the router's other bandwidth limitations, but it did catch my eye.

My dissatisfaction right now with the Omnia is that it's not fast enough. I have a symmetric gigabit Internet connection, but if CAKE is turned on, then it's limited to about 550 Mbps/550 Mbps combined bandwidth, or 900-something Mbps if going only one way. The alternative ISP in my region is looking to build symmetric 10G fiber, and the original Omnia is nowhere near enough to handle that.

I very much like the auto-updating, distributed firewall, security features built around OpenWRT. OpenWRT gave me flexibility in how I set up my router, so I could use wpasupplicant with 802.1x certificates to log into my ISP's ONT. Turris OS also comes with scripts for maintaining customizations across OS updates. I like not having to fiddle with the router for years at a time. I'm just frustrated at how anemic the hardware is.
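The failure described in the post above, a periodic job filling memory until the OOM killer sacrifices the DNS resolver, is worth catching in the kernel log before the LAN loses DNS. This is an added example, not the poster's code nor part of Turris OS: it parses constructed dmesg-style lines, pairs the task that invoked the oom-killer with the process that was killed, and flags killed resolvers. The resolver names in CRITICAL and the sample lines are assumptions; "cron" stands in for the periodic reporting job.

```python
import re

# Constructed kernel log lines in the shape the Linux OOM killer prints
# (both the older "Kill process ... or sacrifice child" and the newer
# single-line form). They are not taken from the poster's router.
SAMPLE_DMESG = """\
[ 8812.101] cron invoked oom-killer: gfp_mask=0x24201ca, order=0, oom_score_adj=0
[ 8812.102] Out of memory: Kill process 1187 (kresd) score 421 or sacrifice child
[ 8812.103] Killed process 1187 (kresd) total-vm:298432kB, anon-rss:231104kB, file-rss:0kB, shmem-rss:0kB
[ 9512.201] python3 invoked oom-killer: gfp_mask=0x24201ca, order=0, oom_score_adj=0
[ 9512.202] Out of memory: Killed process 1402 (unbound) total-vm:120000kB, anon-rss:98304kB, file-rss:0kB, shmem-rss:0kB
[ 9900.301] sshd invoked oom-killer: gfp_mask=0x24201ca, order=0, oom_score_adj=0
[ 9900.302] Killed process 2210 (python3) total-vm:640000kB, anon-rss:601088kB, file-rss:512kB, shmem-rss:0kB
"""

INVOKED = re.compile(r"(?P<invoker>\S+) invoked oom-killer")
KILLED = re.compile(r"Killed process (?P<pid>\d+) \((?P<name>[^)]+)\).*?anon-rss:(?P<rss>\d+)kB")

# Assumption: the resolvers whose loss takes the whole LAN offline.
CRITICAL = {"kresd", "unbound", "dnsmasq"}

def parse_oom_events(log: str) -> list[dict]:
    """Pair each 'invoked oom-killer' line with the 'Killed process' line after it."""
    events, invoker = [], None
    for line in log.splitlines():
        m = INVOKED.search(line)
        if m:
            invoker = m.group("invoker")  # task that hit the allocation failure
            continue
        m = KILLED.search(line)
        if m:
            events.append({"invoker": invoker, "pid": int(m.group("pid")),
                           "victim": m.group("name"), "anon_rss_kb": int(m.group("rss"))})
            invoker = None
    return events

def critical_victims(events: list[dict], critical: set[str] = CRITICAL) -> list[dict]:
    """Events where a service we cannot afford to lose was the one sacrificed."""
    return [e for e in events if e["victim"] in critical]

def invoker_tally(events: list[dict]) -> dict[str, int]:
    """How often each task triggered the OOM killer; a recurring invoker points at
    the periodic job to investigate (the victim is rarely the real memory hog)."""
    tally: dict[str, int] = {}
    for e in events:
        tally[e["invoker"]] = tally.get(e["invoker"], 0) + 1
    return tally
```

A resolver that keeps showing up in critical_victims can be exempted with a -1000 written to /proc/<pid>/oom_score_adj so the kernel picks the actual consumer instead, but the tally is what identifies that consumer.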