Opening ports on an NTT GE-ONU

Good morning guys, I currently get my internet from NTT West + Asahi Net and I'm desperately trying to make my Raspberry VPN work to no avail. I have opened the ports in my TP-Link router, but a friend mentioned that he had to open his ports on the ONU from Nuro.

Unfortunately, I have absolutely no idea how to access my ONU; it's a bit difficult to come by any info, and there's no IP address on the sticker attached to the ONU. It's a GE-PON model.

Any recommendations? If I contact NTT West, will they open those ports for me?

Thanks in advance!

by old_school_gearhead

8 comments
  1. I have the same setup, but with a different router. I only have a vague memory of setting this up years ago, but I think the ONU is in bridge mode by default, and all the configuration happens in your router.

    How have you configured port forwarding on your router, and how are you trying to connect externally?

  2. If your attempts fail, another option is to use a solution like Tailscale for your needs.

  3. The GE-PON ONU is a dumb device, as in it has no sort of routing/firewall intelligence inside it. It’s merely a media converter, taking in the NTT fiber on one side and outputting ethernet on the other. It passes all traffic between the two ports with no filtering or blocking.

    All the intelligence is in your TP-Link router. You’ve probably opened the ports on the firewall side, but haven’t created the port-forwards on the NAT/routing side. On some devices these are done as one setting but on others they are separate. It’s actually better to have them as separate settings, IMO, but it does make it a two-step process.

    You also need to make sure the raspi that is running your VPN server has a fixed internal IP. If it’s using DHCP without a reservation, the IP could eventually change and your VPN would stop working.

    On the raspi, I hope you are using PiVPN with WireGuard. It’s the best.

    Edit: And of course if you are not using PiVPN and have instead tried to set up your own VPN server on a raspi, perhaps sharing the device with other services, you will need to make sure that (a) your VPN server is set up properly (it probably isn’t…) and (b) that you have the correct ports open on the raspi firewall to allow connections to the VPN service.

  4. They are all open by default and the onus is on you to protect your own system or use their paid services.

    You need to forward the incoming port to the port on your VPN. Should be the NAT Forwarding -> Port Forwarding section in your router. For VPN, use UDP as the protocol and make sure you have it enabled.

    Since it is using UDP, use a site like [this](https://www.ipvoid.com/udp-port-scan/) to make sure the port is open.

    If you’re using something like “home 5G” you might not be able to connect. I had the equivalent Softbank Air and that was all closed, you can’t open any of the ports.

  5. The GE-ONU shouldn’t have any sort of firewall or NAT to do any kind of port forwarding setting.

    Do you know if you are using IPv4 over IPv6? If so there is a CGNAT between your IPv4 connection and the internet which will require some special settings to get around. It is easier if it is MAP-E.

  6. AFAIK NTT is only connecting you to Asahi Net, so if you were to call someone it’d be them.

    However, the most likely outcome is that it’s impossible to host a server on your current plan. Especially on IPv4, which NTT (east, at least) doesn’t even support (all connections are IPv6), your IPv4 connections are likely tunneled and NATed together with a bunch of other customers and there’s actually no way for them to open a port for you.

  7. It’s all done in your router so you have to figure out port forward and firewall/filter settings with your specific model.

    It is easy to accept incoming IPv6 connections; if you rely on IPv4 you need either MAP-E (double check with Asahi-Net) or if you’re on Transix or Xpass, the only option is an additional PPPoE connection, static IPv4 option or you rent a cheap VPS and forward an IPv4 port to your IPv6 (or VPN from your Raspberry to your VPS).

    Basically, you don’t need IPv4 for the incoming VPN if you VPN via mobile and use an IPv6-enabled SIM such as Rakuten Mobile or IIJmio (their data SIM is very cheap and can be used as 2nd SIM on dual-sim phones).
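
Several replies in this thread hinge on whether the IPv4 path is NATed on the carrier side. The sketch below is an added example, not part of the thread: it compares the WAN IPv4 address shown on the router's status page with the address an external "what is my IP" service reports. The function name, result labels and sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Address ranges that are never directly reachable from the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space
DSLITE_B4 = ipaddress.ip_network("192.0.0.0/29")      # RFC 6333 DS-Lite tunnel

ADVICE = {
    "ds-lite": "IPv4 is tunnelled and NATed at the provider; no port can be "
               "forwarded. Use IPv6, PPPoE/static IPv4, or a relay.",
    "cgnat": "Router sits behind carrier-grade NAT; inbound IPv4 will not "
             "arrive. Use IPv6 or an outbound-initiated tunnel.",
    "double-nat": "Another NAT device is upstream of this router; forward the "
                  "port there too, or put that device in bridge mode.",
    "upstream-nat": "WAN address differs from the address seen outside; "
                    "something upstream rewrites it. Ask the ISP.",
    "public-or-map-e": "Router holds the public address. Forwarding works, but "
                       "with MAP-E only ports in the assigned set are usable.",
}


def diagnose(wan_ip: str, public_ip: str) -> str:
    """Classify the inbound IPv4 path from two observed addresses."""
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan.version != 4 or pub.version != 4:
        raise ValueError("both addresses must be IPv4")
    if wan in DSLITE_B4:
        return "ds-lite"
    if wan in CGNAT_SHARED:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan != pub:
        return "upstream-nat"
    return "public-or-map-e"


if __name__ == "__main__":
    # Constructed sample observations: (router WAN IP, externally seen IP).
    samples = [("192.0.0.2", "203.0.113.7"), ("100.72.1.5", "203.0.113.7"),
               ("192.168.1.2", "203.0.113.7"), ("203.0.113.7", "203.0.113.7")]
    for wan, pub in samples:
        kind = diagnose(wan, pub)
        print(f"{wan:>13} / {pub}: {kind}: {ADVICE[kind]}")
```

A result of `public-or-map-e` cannot tell a dedicated address from a MAP-E shared one; the router's status page or the ISP has to confirm which ports are assigned.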
