This tutorial covers cloning the identity of a Claro Brazil XGS-PON ZTE ZXHN F8748Q ONT into an 8311 X-ONU-SFPP SFP module, so you can run your own router/firewall directly on the fiber without the ISP modem and without double-NAT.
Companion docs: see vivo-8311-clone-tutorial for the Vivo/Askey equivalent. The Vivo line uses PPPoE; Claro uses DHCP/IPoE — the cloning approach is similar but the failure modes and the critical "gotcha" differ.
The ZTE F8748Q runs multiple WAN services, each on its own VLAN with its own MAC, assigned as base, base+1, base+2, base+3:
| Service | VLAN | MAC | Purpose |
|---|---|---|---|
| TR-069 | 10 | base (e.g. …:F8) |
ISP management, IPv6-only |
| Internet | 11 | base+1 (e.g. …:F9) |
IPv4+IPv6, NAT — this is your internet |
| VOIP | 12 | base+2 (…:FA) |
voice |
| IPTV | 13 | base+3 (…:FB) |
IPTV |
The MAC printed on the device label (and shown as "WAN MAC" in most places) is the base MAC — which belongs to the TR-069 management connection, not your internet.
This produces two separate MAC requirements:
- 8311 "IP Host MAC Address" → use the base MAC (
…:F8). This is the OMCI-layer identity (ME 134). It's what gets the OLT to accept the ONU and reach PLOAM state O5.1. - Your router's WAN MAC clone (on the Internet VLAN) → use base+1 (
…:F9). This is the L3/DHCP-layer identity. Claro's BRAS has the Internet service's DHCP lease bound to this MAC. Clone the wrong one and you'll get DHCPOFFERs but never anACK(the server hands "unknown device" pool IPs and silently drops yourREQUEST).
If you clone the base MAC onto your router's WAN, you'll reach O5.1 but never get an IPv4 lease. That single off-by-one is the whole puzzle.
- A Claro Brazil XGS-PON line with a ZTE ZXHN F8748Q ONT
- An 8311 X-ONU-SFPP module with the Community Firmware MOD
- A host with an SFP+ cage (switch/router) to power and bridge the 8311
- A downstream router/firewall that does DHCP on its WAN
- LAN access to the ZTE web UI (default
192.168.0.1, customer login on the device label)
You do not need telnet/root on the ZTE, the webFac exploit, or bridge mode. Everything required is readable from the customer-tier web UI.
Log into the ZTE at http://192.168.0.1 with the customer credentials from the device label.
Go to the device/status info page. Record:
| Field | Example value | Goes to (8311 field) |
|---|---|---|
| Model | F8748Q |
Equipment ID (see note) |
| Manufacturer | ZTE |
— |
| Hardware Version | V2.0 |
Hardware Version |
| Software Version | V2.0.10P6N2 |
(reference) |
| Boot Version | V2.0.10P10N6 |
Software Version A / B |
| Serial Number (hex) | 5A5445471A2B3C4D |
decode → PON Serial |
Decoding the serial: the first 4 bytes are ASCII. 5A 54 45 47 = ZTEG. The remaining 1A2B3C4D is the hex suffix. So the PON Serial Number is ZTEG + 1A2B3C4D = ZTEG1A2B3C4D. (This also matches the XGS-PON SN barcode on the device label.) (Example values — use your own device's actual serial.)
Go to Internet → WAN Connection Status (or the equivalent status page). It lists every WAN service with its Connection Name, VLAN ID, and WAN MAC. You'll see something like:
TR-069 VLAN 10 WAN MAC aa:bb:cc:11:22:f8 (IPv6 only, mgmt)
Internet VLAN 11 WAN MAC aa:bb:cc:11:22:f9 (IPv4/v6, NAT On) ← THIS ONE
VOIP VLAN 12 WAN MAC aa:bb:cc:11:22:fa
IPTV VLAN 13 WAN MAC aa:bb:cc:11:22:fb
(MACs above are illustrative — read the real ones off your own device.)
Record:
- Base MAC = the TR-069 / lowest one (
…:F8) - Internet MAC = the Internet row (
…:F9) — confirm it's literally base+1 - Internet VLAN = the Internet row's VLAN (commonly
11— but read it, don't assume)
8311 web UI → 8311 → PON:
| 8311 UI Field | Value | Notes |
|---|---|---|
| PON Serial Number (ONT ID) | ZTEG1A2B3C4D |
decoded from the hex serial (use yours) |
| Vendor ID | ZTEG |
first 4 chars of the serial (auto-derives if blank) |
| Equipment ID | ZXHN F8748Q |
ONU2-G ME [257]. The full marketing name ZXHN F8748Q, not just F8748Q |
| Hardware Version | V2.0 |
as shown in device info |
| Sync Circuit Pack Version | enabled | propagates HW Version into Circuit Pack ME [6] |
| Software Version A | V2.0.10P10N6 |
the Boot Version string |
| Software Version B | V2.0.10P10N6 |
same |
| Firmware Version Match | (empty) | |
| Override active firmware bank | A |
|
| Override committed firmware bank | (empty) | |
| PON Mode | XGS-PON |
|
| OMCC Version | 0xB0 |
ZTE XGS-PON uses 0xB0 (8311 default 0xA3 does NOT work) |
| OMCI Interoperability Mask | 18 |
default |
| Registration ID (HEX) | (empty) | Claro does not use a PLOAM password |
| Logical ONU ID | (empty) | not used |
| Logical Password | (empty) | not used |
| MIB File | /etc/mibs/prx300_1V_32tcont.ini |
HGU profile with 32 T-CONTs — the F8748Q is a multi-service HGU |
| PON Slot | (empty) | |
| IP Host MAC Address | AA:BB:CC:11:22:F8 |
the BASE MAC (TR-069 connection — use yours). OMCI ME [134]. |
| IP Host Hostname | (empty) | |
| IP Host Domain Name | (empty) |
Key points vs. the Vivo/Askey clone:
- OMCC Version
0xB0— not0xA0, not the0xA3default. ZTE XGS-PON. - MIB File
prx300_1V_32tcont.ini— the 32-T-CONT HGU MIB. The F8748Q exposes many GEMs/T-CONTs (Internet, Voice, IPTV, TR-069, community wifi); the standard1VMIB may not have enough pre-instantiated T-CONTs. - IP Host MAC = base MAC — this is the OMCI identity. Do not put base+1 here.
- No Registration ID / Logical Password — Claro authenticates on the GPON serial alone.
Save, then reboot the 8311 (the PON-tab fields are applied at boot via the poninit script).
SSH to the 8311 and confirm the identity MEs:
omci_pipe.sh meg 256 0 # ONU-G — Vendor ZTEG, Serial ZTEG…
omci_pipe.sh meg 257 0 # ONU2-G — Equipment ID ZXHN F8748Q, OMCC 0xB0
omci_pipe.sh meg 7 0 # Software image A
omci_pipe.sh meg 134 0 # IP host — MAC should be the base …:F8On the router/firewall that sits behind the 8311, configure the Claro WAN interface:
| Setting | Value |
|---|---|
| VLAN ID | 11 (the Internet service VLAN — read from Step 1.2) |
| Connection type | DHCP (IPv4) + DHCPv6/SLAAC |
| MAC Address Clone | AA:BB:CC:11:22:F9 — the base+1 (Internet) MAC (use yours) |
| NAT | On |
That's the second half of the puzzle. The 8311 bridges the OLT's VLAN 11 transparently; your router does the DHCP, and because it presents the Internet service's MAC (base+1), Claro's BRAS recognizes it as the legitimate Internet client and completes the lease.
If your 8311 "ISP Fixes" tab is set to strip/untag, make sure the Internet VLAN handling matches what your router expects. If the router is set to tag VLAN 11 itself, leave the 8311 passing VLAN 11 through; if the router expects untagged, use the 8311 ISP-Fixes "Internet VLAN" to remap. Simplest: have the router tag VLAN 11 and the 8311 pass it through.
- Move the fiber from the ZTE ONT to the 8311.
- On the 8311, watch PLOAM reach operational:
Expect it to walk to
while true; do pon psg | grep -oE 'current=[0-9]+'; sleep 2; done
current=51(O5.1, Associated). - On your router, watch the WAN DHCP. Success looks like:
(IPs shown are RFC 5737 documentation placeholders; yours will be in Claro's real pool.) The offered IP should be the same IP the ZTE's Internet connection held (it's a per-line binding) — not a random pool address.DHCP offer 203.0.113.xx/23 ... accepted dhcp-client: ... DHCP lease 203.0.113.xx:bound ← BOUND, not a loop Adding new dynamic route 0.0.0.0/0 via 203.0.113.1 ← default route installed - Confirm traffic:
ip addr show <wan-iface> # should show the Claro IP ping -c3 -I <wan-iface> 1.1.1.1 curl --interface <wan-iface> -s ifconfig.me
| Symptom | Cause / Fix |
|---|---|
| PLOAM never leaves O1.x | Optic/fiber issue, or PON Mode not set to XGS-PON. Check Rx power. |
| PLOAM stuck cycling O2↔O3 | OLT rejecting the serial — re-check PON Serial / Vendor ID / OMCC Version (0xB0). |
| PLOAM reaches O5.1 but no IPv4 lease | The classic one. Your router is cloning the wrong MAC. It must be the Internet service MAC = base+1 (…:F9), not the label/base MAC (…:F8). |
DHCP OFFER arrives but REQUEST gets no ACK; offered IP keeps changing (.51, .52…) |
Same as above — server sees an "unknown" MAC, hands pool IPs, won't bind. Switch the router WAN MAC clone to base+1. |
| IPv6 works but IPv4 doesn't | Also the MAC-offset bug. IPv6 SLAAC is stateless and needs no per-MAC server binding, so it comes up regardless; IPv4 DHCP is the one that's MAC-bound. |
| O5.1 + correct MAC but still no service | Check the Internet VLAN is correct (read it from WAN Connection Status, commonly 11), and that the 8311 isn't stripping/remapping it inconsistently with the router. |
| Wrong service entirely (e.g. router gets a VOIP-scope address) | You cloned base+2/base+3 by mistake, or tagged the wrong VLAN. Internet = base+1 on VLAN 11. |
Earlier attempts on this device went deep — the Septrum101/zteOnu webFac exploit (which fails on the F8748Q's newer re_rand= v3 protocol), hidden-page enumeration via the web framework's ?_type=menuView/menuData handlers, etc. None of that turned out to be necessary for the clone.
Everything the clone needs — PON serial, equipment/HW/SW versions, the per-service VLAN+MAC map — is visible in the customer-tier WAN Connection Status page. The only real trick was understanding the base / base+1 MAC split between the OMCI identity layer and the DHCP layer.
(The exploration wasn't wasted — the web-framework data-extraction technique is documented in the session notes and could matter for a more locked-down device. But for a straightforward F8748Q clone: just read the status page.)
- PON Serial — decode from the hex serial (
5A544547…→ZTEG…) or read the SN barcode - Vendor ID —
ZTEG - Equipment ID —
ZXHN F8748Q - Hardware Version — e.g.
V2.0 - Software Version A/B — the Boot Version string
- OMCC Version —
0xB0 - MIB File —
/etc/mibs/prx300_1V_32tcont.ini - IP Host MAC — the base WAN MAC (TR-069 connection / device label)
- Router WAN MAC clone — base+1 (the Internet connection MAC)
- Router WAN VLAN — the Internet service VLAN (commonly
11) - No Registration ID, no Logical Password — Claro doesn't use them
Get the base/base+1 split right and the rest falls into place.