Static Route for WAN2 for 192.168.11.0

I’ve gone ahead and sent this to you directly via your support ticket, but for visibility I’ll also share it here.

I have an EN-XGSFPP-0MAC-V2 XGS-PON module (WAS-110) which is accessible at 192.168.11.1. We need to modify the configuration via shell (or ultimately a post-cfg.sh script), but there’s no need to use a static route. Instead, we can assign the router interface an IP in that management subnet and add it to the lan zone. This effectively connects the ONT’s network directly to the LAN, allowing any LAN device to access it.

Important: Do not create a VLAN that resides in the same address space, to avoid conflicts.

Below is what you would need to add in the /cfg/post-cfg.sh script file, assuming that your XGS-PON module is connected to W2 (eth4) (updated 01.30.2026):

#!/bin/ash
# /cfg/post-cfg.sh — WAS-110 XGS-PON ONT management (Route10)
#
# Design:
#   - Creates a dedicated ONT management interface using a MACVLAN on the chosen parent port
#   - Assigns a static router-side IP in the ONT management subnet (typically 192.168.11.0/24)
#   - Places ONT management in its own firewall zone (ont_mgmt)
#   - Allows LAN -> ONT management access only
#   - Prevents ONT management from initiating or transiting traffic to LAN or WAN
#
# Rationale:
#   - Avoids shared-parent ambiguity when the ONT port is also used for WAN (DHCP or PPPoE)
#   - Prevents trust-boundary violations and accidental traffic leaks
#   - Ensures deterministic LAN client access to ONT management across all WAN types
#
# Notes:
#   - Avoid using 192.168.11.0/24 internally, as it collides with typical ONT management defaults
#   - Script is idempotent and safe to re-run
#

PATH=/sbin:/usr/sbin:/bin:/usr/bin
set -u

log()  { logger -t post-cfg -p user.notice  "$*"; }
warn() { logger -t post-cfg -p user.warning "$*"; }

# -------------------------
# Settings (edit these)
# -------------------------
ONT_PARENT_DEV="eth4"          # Port where the ONT module is connected (Route10 default SFP+ WAN is eth4)
ONT_IP="192.168.11.2"          # Router-side IP on the ONT mgmt subnet (choose any unused IP in 192.168.11.0/24)
ONT_NETMASK="255.255.255.0"
ONT_PEER="192.168.11.1"        # ONT mgmt IP (typical WAS-110 default)

# MACVLAN device name (kernel netdevice) used for ONT management
MACVLAN_DEV="ont_mgmt0"

# Firewall names
ONT_ZONE_NAME="ont_mgmt"
ONT_FWD_NAME="lan_to_ont_mgmt"
# -------------------------

log "ONT mgmt: mode=macvlan-only parent=$ONT_PARENT_DEV dev=$MACVLAN_DEV ip=$ONT_IP/$ONT_NETMASK peer=$ONT_PEER"

# -------------------------
# Sanity checks
# -------------------------
if ! ip link show "$ONT_PARENT_DEV" >/dev/null 2>&1; then
  warn "Parent device '$ONT_PARENT_DEV' not found (skipping config)"
  exit 0
fi

# -------------------------
# Network config (MACVLAN-only)
# -------------------------
# Device section for macvlan
uci -q delete network.ont_mgmt_dev
uci set network.ont_mgmt_dev='device'
uci set network.ont_mgmt_dev.name="$MACVLAN_DEV"
uci set network.ont_mgmt_dev.type='macvlan'
uci set network.ont_mgmt_dev.ifname="$ONT_PARENT_DEV"
uci set network.ont_mgmt_dev.mode='bridge'

# Interface section bound to macvlan device
uci -q delete network.ont_mgmt
uci set network.ont_mgmt='interface'
uci -q delete network.ont_mgmt.ifname
uci -q delete network.ont_mgmt.device
uci set network.ont_mgmt.device="$MACVLAN_DEV"
uci set network.ont_mgmt.proto='static'
uci set network.ont_mgmt.ipaddr="$ONT_IP"
uci set network.ont_mgmt.netmask="$ONT_NETMASK"
uci set network.ont_mgmt.defaultroute='0'
uci set network.ont_mgmt.peerdns='0'
uci set network.ont_mgmt.auto='1'
uci set network.ont_mgmt.metric='0'
uci set network.ont_mgmt.dns_metric='0'

# -------------------------
# Firewall config (Model A: dedicated zone + one-way forwarding)
# -------------------------
# Remove ont_mgmt from any existing zones (prevents dual-trust leaks)
# (idempotent: ok if not present)
for sec in $(uci show firewall 2>/dev/null | sed -n "s/^firewall\.\([^=]*\)\.name='[^']*'$/\1/p"); do
  uci -q del_list firewall."$sec".network='ont_mgmt'
done

# Create/update dedicated ont_mgmt zone
uci -q delete firewall.ont_mgmt
uci set firewall.ont_mgmt='zone'
uci set firewall.ont_mgmt.name="$ONT_ZONE_NAME"
uci -q delete firewall.ont_mgmt.network
uci add_list firewall.ont_mgmt.network='ont_mgmt'
uci set firewall.ont_mgmt.input='ACCEPT'
uci set firewall.ont_mgmt.output='ACCEPT'
uci set firewall.ont_mgmt.forward='REJECT'

# Create/update lan -> ont_mgmt forwarding only
uci -q delete firewall."$ONT_FWD_NAME"
uci set firewall."$ONT_FWD_NAME"='forwarding'
uci set firewall."$ONT_FWD_NAME".src='lan'
uci set firewall."$ONT_FWD_NAME".dest="$ONT_ZONE_NAME"

# -------------------------
# Apply changes
# -------------------------
uci commit network || warn "uci commit network failed"
uci commit firewall || warn "uci commit firewall failed"

# Bring up the interface
if ifup ont_mgmt >/dev/null 2>&1; then
  log "ifup ont_mgmt OK"
else
  warn "ifup ont_mgmt failed (exit $?)"
fi

# Reload firewall
if /etc/init.d/firewall reload >/dev/null 2>&1; then
  log "firewall reloaded"
else
  warn "firewall reload failed"
fi

# -------------------------
# Verify
# -------------------------
# Report link state of parent + macvlan existence
if ip link show "$ONT_PARENT_DEV" 2>/dev/null | grep -q "LOWER_UP"; then
  log "$ONT_PARENT_DEV carrier: up"
else
  warn "$ONT_PARENT_DEV carrier: down (ONT reachability may fail)"
fi

if ip link show "$MACVLAN_DEV" >/dev/null 2>&1; then
  log "macvlan device present: $MACVLAN_DEV"
else
  warn "macvlan device missing: $MACVLAN_DEV"
fi

# Quick reachability test from the router
if ping -c1 -W1 "$ONT_PEER" >/dev/null 2>&1; then
  log "ONT reachable ($ONT_PEER)"
else
  warn "ONT not reachable ($ONT_PEER)"
fi

log "post-cfg.sh complete"
exit 0

I wrote another guide HERE which touches on pasting the content for post-cfg.sh, but you can also directly transfer the file via scp. If doing the latter, it still needs permissions updated after, etc. Also, if helpful, we have a help centre article HERE on adding SSH keys, which would be needed if going the scp transfer route.

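An added audit helper (not part of the original post or the Route10 firmware) that checks the text of `uci show network; uci show firewall` against the policy the script above sets up: no interface other than ont_mgmt in 192.168.11.0/24, an ont_mgmt zone with forward=REJECT, and lan as the only zone forwarding into it. The sample dumps are constructed inline; names such as `audit_ont_policy`, `count_violations` and `vlan11` are assumptions.

```shell
#!/bin/sh
# Added audit helper for this post (not the original script): checks the text of
# `uci show network; uci show firewall` against the policy post-cfg.sh intends.
set -f   # no pathname expansion: section names such as @forwarding[2] contain glob chars
lines() { printf '%s\n' "$1"; }

# audit_ont_policy DUMP: prints one VIOLATION line per finding, returns 1 if any.
audit_ont_policy() {
  d="$1"; rc=0
  # 1. Any other interface in 192.168.11.0/24 collides with the ONT default subnet
  #    (host addresses in that /24 only; wider netmasks are not parsed here).
  for s in $(lines "$d" | sed -n "s/^network\.\([^.]*\)\.ipaddr='192\.168\.11\.[0-9]*'\$/\1/p"); do
    [ "$s" = ont_mgmt ] || { echo "VIOLATION: interface '$s' overlaps 192.168.11.0/24"; rc=1; }
  done
  # 2. The ont_mgmt zone must exist and must not forward between its own members.
  z=$(lines "$d" | sed -n "s/^firewall\.\([^.]*\)\.name='ont_mgmt'\$/\1/p" | head -n1)
  if [ -z "$z" ]; then
    echo "VIOLATION: no firewall zone named ont_mgmt"; rc=1
  elif ! lines "$d" | grep -qxF "firewall.$z.forward='REJECT'"; then
    echo "VIOLATION: zone ont_mgmt forward policy is not REJECT"; rc=1
  fi
  # 3. ont_mgmt may never be a forwarding source; only lan may forward into it.
  for s in $(lines "$d" | sed -n "s/^firewall\.\([^.]*\)\.src='ont_mgmt'\$/\1/p"); do
    echo "VIOLATION: section '$s' lets ont_mgmt initiate traffic"; rc=1
  done
  for s in $(lines "$d" | sed -n "s/^firewall\.\([^.]*\)\.dest='ont_mgmt'\$/\1/p"); do
    lines "$d" | grep -qxF "firewall.$s.src='lan'" ||
      { echo "VIOLATION: section '$s' reaches ont_mgmt from a zone other than lan"; rc=1; }
  done
  return $rc
}
count_violations() { audit_ont_policy "$1" | grep -c '^VIOLATION' || true; }

# Constructed sample dumps (not captured from a device). GOOD matches the script above;
# BAD adds a VLAN on the ONT subnet, forward=ACCEPT, and an ont_mgmt -> wan forwarding.
GOOD_DUMP="network.lan.ipaddr='192.168.1.1'
network.ont_mgmt.ipaddr='192.168.11.2'
firewall.ont_mgmt=zone
firewall.ont_mgmt.name='ont_mgmt'
firewall.ont_mgmt.forward='REJECT'
firewall.lan_to_ont_mgmt.src='lan'
firewall.lan_to_ont_mgmt.dest='ont_mgmt'"
BAD_DUMP="network.vlan11.ipaddr='192.168.11.3'
$(lines "$GOOD_DUMP" | sed 's/REJECT/ACCEPT/')
firewall.@forwarding[2].src='ont_mgmt'
firewall.@forwarding[2].dest='wan'"

# Stand-alone run: the good dump passes, the bad dump is rejected with 3 findings.
audit_ont_policy "$GOOD_DUMP" && echo "good dump: OK"
audit_ont_policy "$BAD_DUMP" || echo "bad dump rejected ($(count_violations "$BAD_DUMP") findings)"
```

On a router, feed it the live output with `audit_ont_policy "$(uci show network; uci show firewall)"` after post-cfg.sh has run.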