@Jerky_san @jcolp and anyone else using the latest version of that script please replace it with this new version. In undoing some of the things I had on my own I inadvertently opened up the firewall. It won’t affect PPPoE WANs, but it absolutely will affect DHCP and static WANs.
Here’s a fixed version which defaults to the macvlan method. Technically it’s an extra layer to debug, but it seems to be more robust in general, so I think that trade-off is fair.
Please let me know if you have any questions. If your module is connected to the right SFP+ port and at the default address, then you don’t need to do anything but place this script.
For new users, unfamiliar with placing post-cfg.sh, please see the post HERE.
#!/bin/ash
# /cfg/post-cfg.sh — WAS-110 XGS-PON ONT management (Route10)
#
# Design:
# - Creates a dedicated ONT management interface using a MACVLAN on the chosen parent port
# - Assigns a static router-side IP in the ONT management subnet (typically 192.168.11.0/24)
# - Places ONT management in its own firewall zone (ont_mgmt)
# - Allows LAN -> ONT management access only
# - Prevents ONT management from initiating or transiting traffic to LAN or WAN
#
# Rationale:
# - Avoids shared-parent ambiguity when the ONT port is also used for WAN (DHCP or PPPoE)
# - Prevents trust-boundary violations and accidental traffic leaks
# - Ensures deterministic LAN client access to ONT management across all WAN types
#
# Notes:
# - Avoid using 192.168.11.0/24 internally, as it collides with typical ONT management defaults
# - Script is idempotent and safe to re-run
#
# Pin a minimal, root-owned search path for every tool used below, and make any
# reference to an unset variable fatal so a typo in the settings block cannot
# silently expand to an empty string.
PATH='/sbin:/usr/sbin:/bin:/usr/bin'
set -u
# log MESSAGE... — write an informational line to syslog under the post-cfg tag.
log() {
  logger -t post-cfg -p user.notice "$*"
}
# warn MESSAGE... — write a warning line to syslog under the post-cfg tag.
warn() {
  logger -t post-cfg -p user.warning "$*"
}
# -------------------------
# Settings (edit these)
# -------------------------
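# Port the ONT module is plugged into (Route10 default SFP+ WAN port is eth4).
ONT_PARENT_DEV="eth4"
# Router-side address on the ONT management subnet; any unused host in
# 192.168.11.0/24 works.
ONT_IP="192.168.11.2"
ONT_NETMASK="255.255.255.0"
# Management address of the ONT itself (typical WAS-110 default).
ONT_PEER="192.168.11.1"
# Kernel netdevice name of the MACVLAN created on top of ONT_PARENT_DEV.
MACVLAN_DEV="ont_mgmt0"
# Firewall object names: the dedicated zone and the lan -> zone forwarding.
ONT_ZONE_NAME="ont_mgmt"
ONT_FWD_NAME="lan_to_ont_mgmt"
# Freeze the settings: the firewall policy below hangs off these names and
# addresses, so nothing later in the script may redefine them by accident.
readonly ONT_PARENT_DEV ONT_IP ONT_NETMASK ONT_PEER MACVLAN_DEV ONT_ZONE_NAME ONT_FWD_NAME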
# -------------------------
log "ONT mgmt: mode=macvlan-only parent=$ONT_PARENT_DEV dev=$MACVLAN_DEV ip=$ONT_IP/$ONT_NETMASK peer=$ONT_PEER"
# -------------------------
# Sanity checks
# -------------------------
# Without the parent port nothing else can work. Leave quietly with status 0 so
# the rest of the boot-time configuration is not disturbed.
ip link show "$ONT_PARENT_DEV" >/dev/null 2>&1 || {
  warn "Parent device '$ONT_PARENT_DEV' not found (skipping config)"
  exit 0
}
# -------------------------
# Network config (MACVLAN-only)
# -------------------------
# Device section for macvlan
# net_set KEY VALUE — shorthand for `uci set network.KEY=VALUE`.
net_set() { uci set "network.$1=$2"; }
# Device section: MACVLAN child of the parent port, rebuilt from scratch so a
# stale definition from an earlier run cannot survive.
uci -q delete network.ont_mgmt_dev
net_set ont_mgmt_dev        device
net_set ont_mgmt_dev.name   "$MACVLAN_DEV"
net_set ont_mgmt_dev.type   macvlan
net_set ont_mgmt_dev.ifname "$ONT_PARENT_DEV"
net_set ont_mgmt_dev.mode   bridge
# Interface section bound to that device: static address, defaultroute and
# peerdns both off, auto-start on, metric/dns_metric left at 0.
uci -q delete network.ont_mgmt
net_set ont_mgmt interface
uci -q delete network.ont_mgmt.ifname
uci -q delete network.ont_mgmt.device
net_set ont_mgmt.device       "$MACVLAN_DEV"
net_set ont_mgmt.proto        static
net_set ont_mgmt.ipaddr       "$ONT_IP"
net_set ont_mgmt.netmask      "$ONT_NETMASK"
net_set ont_mgmt.defaultroute 0
net_set ont_mgmt.peerdns      0
net_set ont_mgmt.auto         1
net_set ont_mgmt.metric       0
net_set ont_mgmt.dns_metric   0
# -------------------------
# Firewall config (Model A: dedicated zone + one-way forwarding)
# -------------------------
# Remove ont_mgmt from any existing zones (prevents dual-trust leaks)
# (idempotent: ok if not present)
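# fw_zone_sections — print the section id of every firewall *zone*, one per
# line (named ids such as 'ont_mgmt' or anonymous ones such as '@zone[0]').
# Only zones carry a 'network' list, so matching on the section type instead
# of on any '.name=' option keeps rules/redirects out of the loop below.
fw_zone_sections() {
  uci show firewall 2>/dev/null | sed -n "s/^firewall\.\([^.=]*\)=zone$/\1/p"
}
# Anonymous ids contain '[0]', which the shell would treat as a glob pattern
# when the loop list is word-split; switch pathname expansion off around the
# loop so the ids reach uci unchanged.
set -f
for sec in $(fw_zone_sections); do
  uci -q del_list "firewall.$sec.network=ont_mgmt"
done
set +f
# Create/update dedicated ont_mgmt zone
uci -q delete firewall.ont_mgmt
uci set firewall.ont_mgmt='zone'
uci set firewall.ont_mgmt.name="$ONT_ZONE_NAME"
uci -q delete firewall.ont_mgmt.network
uci add_list firewall.ont_mgmt.network='ont_mgmt'
# NOTE(review): input=ACCEPT means the ONT itself may open connections to any
# service the router exposes on this interface (ssh, web UI, ...). If the ONT
# only ever needs to answer the router and LAN clients, REJECT here is the
# tighter choice — confirm on hardware before changing it.
uci set firewall.ont_mgmt.input='ACCEPT'
uci set firewall.ont_mgmt.output='ACCEPT'
# No forwarding out of the zone: traffic from the ONT cannot transit to lan or wan.
uci set firewall.ont_mgmt.forward='REJECT'
# Create/update lan -> ont_mgmt forwarding only
uci -q delete firewall."$ONT_FWD_NAME"
uci set firewall."$ONT_FWD_NAME"='forwarding'
uci set firewall."$ONT_FWD_NAME".src='lan'
uci set firewall."$ONT_FWD_NAME".dest="$ONT_ZONE_NAME"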
# -------------------------
# Apply changes
# -------------------------
# Persist both config files; a failed commit is reported but does not stop the
# remaining best-effort steps.
uci commit network  || warn "uci commit network failed"
uci commit firewall || warn "uci commit firewall failed"
# Bring up the interface, keeping ifup's own exit status for the report.
rc=0
ifup ont_mgmt >/dev/null 2>&1 || rc=$?
if [ "$rc" -eq 0 ]; then
  log "ifup ont_mgmt OK"
else
  warn "ifup ont_mgmt failed (exit $rc)"
fi
# Reload the firewall so the new zone and forwarding take effect.
rc=0
/etc/init.d/firewall reload >/dev/null 2>&1 || rc=$?
if [ "$rc" -eq 0 ]; then
  log "firewall reloaded"
else
  warn "firewall reload failed"
fi
# -------------------------
# Verify
# -------------------------
# Report link state of parent + macvlan existence
# Report link state of parent + macvlan existence. LOWER_UP in the link flags
# is taken as "carrier present"; its absence is a warning, not a failure.
parent_link=$(ip link show "$ONT_PARENT_DEV" 2>/dev/null)
case "$parent_link" in
  *LOWER_UP*) log "$ONT_PARENT_DEV carrier: up" ;;
  *)          warn "$ONT_PARENT_DEV carrier: down (ONT reachability may fail)" ;;
esac
if ! ip link show "$MACVLAN_DEV" >/dev/null 2>&1; then
  warn "macvlan device missing: $MACVLAN_DEV"
else
  log "macvlan device present: $MACVLAN_DEV"
fi
# Quick reachability test from the router (single probe, one-second wait).
if ! ping -c1 -W1 "$ONT_PEER" >/dev/null 2>&1; then
  warn "ONT not reachable ($ONT_PEER)"
else
  log "ONT reachable ($ONT_PEER)"
fi
log "post-cfg.sh complete"
exit 0