Looking for router advice before moving to AT&T fiber

Discussion in 'Networking' started by Loren, Jun 17, 2019.

  1. Loren

    Loren New Member

    Joined:
    Dec 23, 2018
    Messages:
    6
    Likes Received:
    0
    Hello,

    My wife and I have a white box running FreeNAS and a Dell PowerEdge R710 running a few VMs for backups, Plex, and misc other tasks. After we added the R710 I started to realize the limitations of our Verizon FiOS router and began to research alternatives that would enable me to run something with a little more flexibility like OpenWrt and pfSense. In that research it became abundantly clear that had I done a little more looking around I could have saved some money and had a much more reliable and powerful router. Right now I am able to route everything that I need to. However, I do travel quite a bit and having some of the options that pfSense offers with the ease of setup like OpenVPN would be a huge help, especially when I'm out of town and need to "look in" on the server and perform maintenance. We are now in the process of moving and will need to contact AT&T to set up service at our new apartment fairly soon.

    The few posts that I have been able to find on the AT&T system say that there is no good alternative to their routers or the ability to bypass them. Has anyone here on this forum had any experience with AT&T's service or knowledge of better routing options than what they provide?

    Any input would be greatly appreciated.

    Loren
     
    #1
  2. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    There are a couple of methods to bypass the AT&T modem here.
    https://www.dslreports.com/forum/r2...al-Gateway-Bypass-True-bridge-mode~start=1260

    I'm personally running a VyOS box with this, kangtastic/peapod

    It should work with any Linux-based routing distribution. Basically, you connect your box directly to the fiber ONT, spoof the router's MAC, and then proxy through the EAP packets for authentication. The downside is you're stuck with their box connected to your actual router doing nothing but EAPOL.
     
    #2
    Gene and BoredSysadmin like this.
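    To make the "proxy through the EAP packets" part concrete, and to give you a way to check later in the thread whether a hypervisor virtual switch is actually passing EAPOL frames, here is a small 802.1X frame decoder. This is an added example, not code from the thread or from peapod/pfatt. It parses raw Ethernet frames, picks out EtherType 0x888E, and summarises the EAPOL type and (for EAP packets) the EAP code, identifier and method. The sample frames, the MAC addresses and the identity string are constructed for the example; only the EtherType, the PAE group address and the EAPOL/EAP field layouts are from the standard. If you dump frames from the ONT-facing side and none decode here, the 802.1X exchange is not reaching your box.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_EAPOL = 0x888E
# 802.1X PAE group address; many switches (and virtual switches) silently drop
# frames sent to it, which is why EAPOL often does not survive a hypervisor vSwitch.
PAE_GROUP_ADDRESS = "01:80:c2:00:00:03"

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS"}


@dataclass
class EapolSummary:
    src: str
    dst: str
    eapol_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_method: Optional[str] = None


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Optional[EapolSummary]:
    """Return a summary for an EAPOL frame, or None for any other EtherType."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("truncated EAPOL body")
    summary = EapolSummary(mac_str(src), mac_str(dst),
                           EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"))
    if eapol_type == 0 and length >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        summary.eap_code = EAP_CODES.get(code, f"unknown({code})")
        summary.eap_id = ident
        # Only Request/Response carry a method-type byte after the 4-byte EAP header.
        if code in (1, 2) and eap_len >= 5:
            summary.eap_method = EAP_METHODS.get(body[4], f"type {body[4]}")
    return summary


def summarize_capture(frames: List[bytes]) -> List[EapolSummary]:
    """Decode every EAPOL frame in a list of raw frames, skipping everything else."""
    return [s for s in (parse_frame(f) for f in frames) if s is not None]


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, eapol_type, len(body)) + body


# Constructed sample exchange (locally administered MACs, made-up identity).
SUPPLICANT = bytes.fromhex("02005e005301")   # plays the role of the gateway / your box
AUTHENTICATOR = bytes.fromhex("02005e005302")
PAE_GROUP = bytes.fromhex("0180c2000003")
SAMPLE_FRAMES = [
    build_eapol(PAE_GROUP, SUPPLICANT, 1),                                         # EAPOL-Start
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, struct.pack("!BBHB", 1, 1, 5, 1)),   # EAP Request/Identity
    build_eapol(AUTHENTICATOR, SUPPLICANT, 0,
                struct.pack("!BBHB", 2, 1, 5 + 10, 1) + b"supplicant"),            # EAP Response/Identity
    build_eapol(SUPPLICANT, AUTHENTICATOR, 0, struct.pack("!BBHBB", 1, 2, 6, 13, 0x20)),  # EAP-TLS start
    PAE_GROUP + SUPPLICANT + struct.pack("!H", 0x0800) + bytes(46),                # IPv4 frame, ignored
]

if __name__ == "__main__":
    for s in summarize_capture(SAMPLE_FRAMES):
        print(s)
```

In use you would feed `summarize_capture` the frames from a packet capture taken on the ONT-side NIC; an EAPOL-Start followed by nothing from the authenticator, or no EAPOL at all, points at the switch or vSwitch in between rather than at your supplicant configuration.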
  3. BennyT

    BennyT Member

    Joined:
    Dec 1, 2018
    Messages:
    88
    Likes Received:
    24
    @Loren
    Hello, what model is the AT&T gateway box? It's been a few years since I had AT&T Fiber when I lived in Dallas. Mine was the att5268AC (i.e. Pace 5268AC).

    My Asus Wi-Fi router's WAN port connected to one of the ports on the back of the 5268AC.

    In the 5268AC menu I went into SETTINGS -> FIREWALL -> APPLICATION, PINHOLES and DMZ:

    The 5268AC will display a listing of devices connected (often it will only show the MAC address). In that listing I found my Asus MAC address and clicked the option to put the Asus into DMZplus Mode. In other words, the AT&T 5268AC would not filter anything going to or from that device. It's then up to the device (my Asus or other firewalls further down the line) to route, manage traffic, port forwarding, etc.

    The next issue I ran into was trying to enable NAT Loopback, which is not supported on the 5268AC... but it is on my Asus router. But the 5268AC was blocking the NAT Loopback of my Asus. To fix that I disabled ALL firewall options on the 5268AC.

    That was back in 2017 so things might have changed/improved since then.

    I've since moved, but Fiber sure was nice and wish I still had it. Gigabit up and down was great! Especially if transferring large VM disks up to Azure cloud, etc.
     
    #3
    Last edited: Jun 18, 2019
  4. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    I have AT&T fiber at home with a static block of IPs. I'm currently re-working my home network design (see here) but it's probably overkill for you.

    You will probably end up with Arris BGW210 router.
    Strict NAT? Bridge Mode? What is IP Passthrough? Can I enable on my Arris BGW210 or like router?

    You will probably put the router into IP passthrough mode and send all traffic to one IP address like pfSense or whatever FW software you want to use. Then the FW will allow and route your traffic to whatever home service you want to expose. I haven't tested yet but you probably won't be able to use the Wi-Fi access of the router with IP passthrough enabled, still researching that.
     
    #4
  5. ReturnedSword

    ReturnedSword Active Member

    Joined:
    Jun 15, 2018
    Messages:
    126
    Likes Received:
    25
    If you’re planning to stick with pfSense, have a look at this:

    aus/pfatt

    You’d need three NICs, and this method provides a true bypass so your AT&T provided gateway becomes a glorified certificate authentication box. There’s no way to fully remove the gateway AFAIK.
     
    #5
    BoredSysadmin likes this.
  6. pyrodex

    pyrodex New Member

    Joined:
    Jan 2, 2018
    Messages:
    3
    Likes Received:
    3
    I do this at home with the wpa_supplicant version of pfatt, it isn't in the master branch now but it is 100% solid. This setup only requires two NICs (ONT and LAN) using an extracted certificate from the AT&T gateway and then your pfSense box basically authenticates just like the AT&T router using 802.1X. I've had this in place for over a month and my router has been turned off and isn't even connected. I've rebooted multiple times without any issues.
     
    #6
    Gene likes this.
  7. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    I would be interested in a guide/steps you used to get this working.
     
    #7
  8. pyrodex

    pyrodex New Member

    Joined:
    Jan 2, 2018
    Messages:
    3
    Likes Received:
    3
    You can read WIP: Supplicant Mode by aus · Pull Request #19 · aus/pfatt for some more insight, you would need to pull the supplicant branch for the updated file. I didn't go down the route to exploit my BGW-210 and purchased an exported certificate from a user on eBay who posts a lot on the DSLReports forum. He has a few others for sale now under Items for sale by maczrool | eBay if you want to check them out.

    I used the three port method prior to this and just didn't like the issues with the RG sometimes causing problems.
     
    #8
    ejecthawk and Gene like this.
  9. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    Does the bypass method (either way listed in the thread) work with a static IP block as well? Seems like some forum posts on the web mention it didn't?
     
    #9
  10. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    Do you know if your IP address changed when you used this method instead of your original RG? I'd love to try this but definitely don't want a new IP, it's set up in more places than I know by now.

    Also, are there instructions to exploit it somewhere? I haven't seen them anywhere.
    It's in the github, I'm an idiot.
     
    #10
    Last edited: Jun 19, 2019
  11. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    I have a /29 and it works perfectly.
     
    #11
  12. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    So I want to build this out using VMs and ESXi hosts. My idea so far, thoughts?

    Build one VM to perform the authentication using a method below.
    I think I want the first VM to just do the bypass, so I don't need to screw with it when I want to make changes.
    1. VyOS box with this, kangtastic/peapod
    2. pfSense with aus/pfatt (3 NICs)
    3. pfSense with aus/pfatt using supplicant branch (2 NICs with certificate files via pull from modem or buy on eBay)
    Second VM will be either pfSense or Sophos UTM/XG and that will provide my home network FW needs/rules to access.

    Concerns - how do I get the static block passed to the 2nd VM acting as the major FW/router for the home network?
     
    #12
  13. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    Make sure your hypervisor switch passes EAPOL packets. I'm pretty sure most don't so it might have to be a physical box or at least fully pass through the NIC.

    The static block is simply routed to your main IP. Use static routes to pass it on to whatever devices you want.
     
    #13
  14. pyrodex

    pyrodex New Member

    Joined:
    Jan 2, 2018
    Messages:
    3
    Likes Received:
    3
    For me it did not... in my setup I had to use the MAC of the RG that the certificate came from (I've heard others doing their original RG MAC) but the IP didn't change. This leads me to believe the IP is based on either the ONT MAC or the account itself. I've been with AT&T over two years and haven't had a single IP change but I am also on DHCP.

    I do utilize Route 53 with pfSense updating dynamic records for my main domain and all my sub-domains without issues....
     
    #14
  15. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    Okay, I was able to get option 2 set up and tested quickly that it is working.

    Now I need to understand how to assign out my public IP addresses. I have a 4-port NIC card passed through to pfSense with ports 0 and 1 assigned for the pfatt function. That leaves me with ports 3-4 plus any other virtual NIC I want to add to the host VM.

    I need a quick setup guide to do the static IP. In my current setup I have my Sophos UTM VM WAN attached to the LAN side of the AT&T router and set the WAN to a static IP address. I want to keep that for now but connect to the pfSense box.
     
    #15
  16. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    What do you want to do with the static IPs? You can assign them all to the router and do NAT, or you can distribute them out to a subnet. Or even crazy tricks like NATing some ports to one host while another is using the address.

    I have mine distributed out on a separate VLAN where my servers (mostly VMs) live, and have it on a wireless SSID so my laptop can use the extra public addresses (helps for those file sharing sites with timers).

    Nothing connected to the LAN side of the AT&T box will work - it no longer gets internet if the pfatt bypass is set up correctly.
     
    #16
    Last edited: Jun 19, 2019
  17. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    I want to assign the static IPs to two different network segments. The first is the home network where Sophos acts as a UTM and the second is for production services exposed to the internet on various ports.
     
    #17
  18. ReturnedSword

    ReturnedSword Active Member

    Joined:
    Jun 15, 2018
    Messages:
    126
    Likes Received:
    25
    The supplicant method looks interesting. I’ll have to check out dumping my cert if I switch to AT&T. Pretty fed up with Charter’s price hikes by now, but also dreading having to deal with a technician coming over to switch me to fiber.
     
    #18
  19. marcoi

    marcoi Well-Known Member

    Joined:
    Apr 6, 2013
    Messages:
    1,332
    Likes Received:
    205
    Getting slowness after setting up pfSense with aus/pfatt (3 NICs). I removed Sophos for now so it's pure pfSense running all of the home network.
    While testing the first time with pfSense with aus/pfatt (3 NICs) I was able to get over 1GB speeds up and down on fast.com.
    Now that I've implemented it and started redoing the network with this setup my max speed down has been in the 5-600 range.
    Any ideas?

    I'm still trying to work out the static block setup.
     
    #19
  20. mb300sd

    mb300sd Active Member

    Joined:
    Aug 1, 2016
    Messages:
    190
    Likes Received:
    65
    If you want to distribute out the static IPs, add another LAN interface with an IP in your static block, and connect your nodes to that interface. Create a firewall rule allowing traffic to those IPs in from the WAN interface. Haven't used pfSense for a couple years, so I'm not sure on exactly how to do it.

    Have you tried speedtest.net? They have more local servers. I just got 430 on fast.com and 860 on speedtest.net, ton of stuff currently using the network.
     
    #20