This page is for notes that don't belong anywhere else

Telekom FTTH

Configuring an OpenWRT router for Telekom FTTH.

Put your router/modem/shitbox from Telekom into bridge mode. Unfortunately it will expose the connection as PPPoE instead of plain Ethernet with DHCP.

TLDR: You need to tag the packets on your WAN port with VLAN 7.


Using the info from the letter you should have gotten:

  • Username: ${Anschlusskennung}${Zugangsnummer}${Mitbenutzernummer}
  • Password: ${Kennwort}
  • Protocol: PPPoE


If you enable "easy login" in the Telekom Kundenportal, you can use invalid or no credentials for the PAP/CHAP auth.

These examples are using a Turris Omnia router. Your interface names may be different.

Configure with uci:

$ uci set network.wan.proto='pppoe'
$ uci set network.wan.ipv6='auto'
$ uci set network.wan.username='${Anschlusskennung}${Zugangsnummer}${Mitbenutzernummer}'
$ uci set network.wan.password='${Kennwort}'
$ uci set network.wan.device='eth2.7'

Editing config file /etc/config/network:

config interface 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option password '${Kennwort}'
	option device 'eth2.7'
	option username '${Anschlusskennung}${Zugangsnummer}${Mitbenutzernummer}'
	option metric '0'
	option peerdns '0'
	list dns '${dns_server}'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option ports '1t 6t'

EdgeOS / EdgeRouter

These things work like Cisco devices, enter configuration mode to change the config:

root@edge:~$ configure

To show or dump the whole config, enter show:

# show
firewall {
interfaces {
port-forward {
service {
system {

To inspect parts of the config:

# show firewall

# show service dhcp-server hostfile-update
>hostfile-update enable

When you are done, commit and save changes:

root@edge# commit
root@edge# save
Saving configuration to '/config/config.boot'...
root@edge# exit

The running config is written to /config/config.boot, which is just a text file (easy backups).


Act as an authoritative DNS for the zone configured in the DHCP server, recognizing local hostnames:

set service dhcp-server hostfile-update enable


Forward DNS requests for $zone to $resolver:

set service dns forwarding options server=/${zone}/${resolver}

Show DNS forwarding servers and metrics:

show dns forwarding nameservers
show dns forwarding statistics

Enable DNS forwarding on $interface:

set service dns forwarding dhcp $interface

Forward DNS to $ip:

set service dns forwarding name-server $ip

Override $address with $ip:

set service dns forwarding options address=/$address/$ip

Bind DNS to $interface:

set service dns forwarding listen-on $interface

Bind to all interfaces except $interface:

delete service dns forwarding listen-on
set service dns forwarding except-interface $interface


Unifi Access points (and switches)

The access points are running some stripped down Linux. If you set your ssh key in the Network Console, you can ssh to them as the user admin. You'll get dropped into a BusyBox shell in /etc/persistent and can poke around.

They only present an RSA host key. If your OpenSSH doesn't accept it by default, you'll first have to enable it:

Host access-point
    User admin
    HostkeyAlgorithms +ssh-rsa

They ship with vi, with vim deceptively symlinked to it:

# alias vim

Some firmwares have some Unifi-specific tools, though these seem to be mostly gone from the firmware on newer access points. On older firmwares you can sometimes still find them.

  • ubnt-systool
  • ubnt-device-info
  • ubnt-tools

All firmwares ship with useful standard network utilities like tcpdump, scp, arp, ip, ping, etc.

Persist filesystem changes

The /etc/persistent path name is not a lie. But if you write to the filesystem and reboot, your changes will be gone. You need to use cfgmtd to actually persist your changes.

# cfgmtd -h
Usage: cfgmtd [options]
	-t <type>			- Configuration type to use [1(active)|2(backup)]. (Default: 1(active))
	-f <config file>		- Configuration file to use. (Default: /tmp/system.cfg)
	-p <persistent directory>	- Directory to persistent dir. (Default: none)
	-w				- Write to flash action.
	-r				- Read from flash action.
	-c				- Clear flash action.
	-o <mtd|file name>		- Use mtd or file name. (Default: /dev/mmcblk0p9)
	-n				- No check size when specify -o. (Default: Check)
	-h				- This message.

# cfgmtd -w -p /etc/persistent

You don't have a lot of space to play with though. :)

Control the LED

The access points have both a blue and white LED, but only the blue LED is configurable in the controller (models prior to AC Lite supposedly had an RGB LED).

They show up under /sys/class/leds/ubnt:{white,blue}:dome on AC Lite access points. On newer U6 access points they seem to be at /sys/class/leds/ubnt:{white,blue}:personality instead.

Turn on the white LED

The brightness file accepts a value between 0-255. Turning on the white LED is just writing 0 to brightness for the blue LED (turning it off) and writing 255 to brightness for the white LED (turning it on). For a dimmer light, use a lower number.

On U6 access points:

# echo 0 > /sys/class/leds/ubnt\:blue\:personality/brightness
# echo 255 > /sys/class/leds/ubnt\:white\:personality/brightness

On AC Lite:

# echo 0 > /sys/class/leds/ubnt\:blue\:dome/brightness
# echo 255 > /sys/class/leds/ubnt\:white\:dome/brightness

Turn the LEDs off

Just write 0 to the brightness file for both. For U6:

# echo 0 > /sys/class/leds/ubnt\:white\:personality/brightness
# echo 0 > /sys/class/leds/ubnt\:blue\:personality/brightness

Use ubnt:{white,blue}:dome on AC Lites, etc.
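
Added example (not part of the original notes): a small sh helper that picks the right LED directory on either generation and validates the brightness before writing. LED_ROOT and the function names are made up for this example.

```shell
#!/bin/sh
# LED_ROOT can be overridden to try the functions against a constructed
# directory tree instead of the real sysfs path.
LED_ROOT="${LED_ROOT:-/sys/class/leds}"

# led_file COLOR: print the brightness file for COLOR (white|blue).
# Tries the U6 name (personality) first, then the AC Lite name (dome).
led_file() {
    for suffix in personality dome; do
        f="$LED_ROOT/ubnt:$1:$suffix/brightness"
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# set_led COLOR VALUE: write VALUE (0-255) to COLOR's brightness file.
# Returns 2 on a bad value, 1 if no matching LED exists on this model.
set_led() {
    case "$2" in
        ''|*[!0-9]*|????*) echo "brightness must be 0-255" >&2; return 2 ;;
    esac
    [ "$2" -le 255 ] || { echo "brightness must be 0-255" >&2; return 2; }
    f=$(led_file "$1") || { echo "no $1 LED under $LED_ROOT" >&2; return 1; }
    echo "$2" > "$f"
}

# white_on [VALUE]: blue off, white at VALUE (default 255).
white_on() { set_led blue 0 && set_led white "${1:-255}"; }

# leds_off: both LEDs dark.
leds_off() { set_led white 0 && set_led blue 0; }
```

Source the file on the access point and call white_on 64 for a dim white light, or leds_off.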

Adopt an AP over SSH

You can ssh to an AP and initiate the adoption process:

# mca-cli-op set-inform http://${controller_host}:8080/inform

Some firmwares come with a set-inform binary, but mca-cli-op seems to ship with all firmwares (that I have seen).

The current controller URL is saved in a text file /etc/persistent/cfg/mgmt:

# grep "mgmt\.servers" cfg/mgmt

Most other controller-configurable settings seem to be persisted in that file, as well as the authentication key it uses for the Adoption protocol (they use plain HTTP on port 8080 without SSL, but the HTTP traffic itself gets encrypted).
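
Added example (not part of the original notes): since set-inform can point an AP at any controller, this sh check reads the mgmt file and confirms that every inform URL points at the host you expect. The function names, the sample file contents and the key=value layout are assumptions made for the example.

```shell
#!/bin/sh
# Assumption: cfg/mgmt is key=value text and the inform URL is the value of
# a key that starts with "mgmt.servers" (what the grep above matches).

# write_sample FILE: constructed sample input for trying the check offline.
write_sample() {
    cat > "$1" <<'EOF'
mgmt.is_default=false
mgmt.servers.1.url=http://unifi.example.lan:8080/inform
EOF
}

# inform_urls FILE: print the value of every mgmt.servers* key.
inform_urls() {
    sed -n 's/^mgmt\.servers[^=]*=\(.*\)$/\1/p' "$1"
}

# url_host URL: host only, without scheme, userinfo, port or path.
# IPv6 literals in brackets are not handled.
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h"
}

# check_inform FILE HOST: 0 if every inform URL points at HOST,
# 1 if any points elsewhere, 2 if the file has no inform URL at all.
check_inform() {
    urls=$(inform_urls "$1")
    [ -n "$urls" ] || { echo "no mgmt.servers entry in $1" >&2; return 2; }
    rc=0
    for u in $urls; do
        if [ "$(url_host "$u")" != "$2" ]; then
            echo "unexpected controller: $u" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

On the AP, run check_inform /etc/persistent/cfg/mgmt with your controller's hostname; a non-zero exit means the AP reports somewhere else or has no controller set.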

Clear the config

This clears the config on the AP, and has the same effect as pressing the physical reset button:

# set-default

The access point gets rebooted, and comes up with the factory settings.


Study notes