Looking for router advice before moving to AT&T fiber

fohdeesha

Kaini Industries
Nov 20, 2016
1,857
1,660
113
29
fohdeesha.com
It does appear that the ICX6610 removes the vlan 0 tag. I just did a simple "arping -i eth0.0 10.1.1.103 -S 10.1.1.153" and I can see the packets in Wireshark on my untagged interfaces.
helllll yaaa. Try the 802.1x auth onboard? (I would do all this but I don't have ATT fiber (yet))
 
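The VLAN 0 behaviour described above (the ONT side sending priority-tagged frames and the ICX6610 stripping the tag) can be checked offline with a small parser. This is an added example, not code from any poster; the frames and MAC addresses are constructed for the demonstration.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header plus at most one 802.1Q tag.

    'kind' is 'untagged', 'priority-tagged' (TPID 0x8100 with VID 0, what
    the thread calls a vlan 0 tag) or 'vlan-tagged' (VID 1..4094).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vid": None, "pcp": None, "dei": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info["pcp"], info["dei"], info["vid"] = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        info["kind"] = "priority-tagged" if info["vid"] == 0 else "vlan-tagged"
        ethertype, offset = inner_type, 18
    else:
        info["kind"] = "untagged"
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info


def strip_vlan0(frame: bytes) -> bytes:
    """Drop a priority tag (VID 0) as the ICX6610 does; other frames pass unchanged."""
    if parse_frame(frame)["kind"] != "priority-tagged":
        return frame
    return frame[:12] + frame[16:]  # remove the 4-byte TPID+TCI, keep inner EtherType


def build_frame(dst: str, src: str, payload: bytes, vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a test frame (untagged when vid is None, tagged otherwise)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF), ETHERTYPE_IPV4)
    else:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload


# Constructed sample frames: one priority-tagged (VID 0) as the ONT side sends,
# one on VLAN 3000 as a tagged WAN uplink, one plain untagged frame.
DST, SRC, BODY = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"\x45\x00" + b"\x00" * 18
PRIO_FRAME = build_frame(DST, SRC, BODY, vid=0, pcp=1)
VLAN3000_FRAME = build_frame(DST, SRC, BODY, vid=3000)
PLAIN_FRAME = build_frame(DST, SRC, BODY)
```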

mb300sd

Active Member
Aug 1, 2016
197
74
28
30
helllll yaaa. Try the 802.1x auth onboard? (I would do all this but I don't have ATT fiber (yet))
You're the expert on these switches haha. I can't find any settings for the switch to do 802.1x as a client, only to authorize devices connected to it. I found a passthrough option, but I'm not sure if it'll work with my setup here (ICX6610 -> SX6018 -> Hypervisor). The other house has its new server connected directly to the ICX, so it might be an option there.

Still need to find my GPON SFP too.
 

pcunite

New Member
Dec 10, 2019
7
2
3
Where do you get the 1.5.12 firmware for BGW210? Never mind, just change the file names to 1.5.12 in the URL.
I'm trying to locate firmware 1.5.12 or 1.6.9 for my BGW210. It currently has 1.7.17. Does anyone have a link?
 

das1996

New Member
Sep 4, 2018
22
2
3
^^It's pointless to update the gateway fw. It will just pull an update sooner than later again.

If you want to do it right, bypass entirely. Look in the uverse subsection on dslreports for how to (or links earlier in this thread).
 

pcunite

New Member
Dec 10, 2019
7
2
3
It's pointless to update the gateway. It will just pull an update sooner than later again. If you want to do it right, bypass entirely.
Understood, I was wanting to downgrade the firmware in order to extract the certs (to have a complete bypass). I found the older firmware.
 

Zombielinux

New Member
Jun 14, 2019
13
5
3
@fohdeesha @mb300sd

Any progress on the icx6610 front?

I've got att gigabit fiber and can offer a test. I've got almost the exact same setup planned.

My current topology looks like

ONT -> ATT Router -> ICX6610 ->Proxmox Cluster (trunk ports) -> PFSense VM

The WAN VLAN is currently tagged as vlan3000, but I can shuffle anything around. I've got a big block of free time to tinker with this too.
 

fohdeesha

Kaini Industries
Nov 20, 2016
1,857
1,660
113
29
fohdeesha.com
@fohdeesha @mb300sd

Any progress on the icx6610 front?

I've got att gigabit fiber and can offer a test. I've got almost the exact same setup planned.

My current topology looks like

ONT -> ATT Router -> ICX6610 ->Proxmox Cluster (trunk ports) -> PFSense VM

The WAN VLAN is currently tagged as vlan3000, but I can shuffle anything around. I've got a big block of free time to tinker with this too.
It turned out the switch (and pretty much every other switch ever made) only does 802.1x auth as a server authenticating other devices (which makes sense); it won't act as an 802.1x auth client to ATT.
 

Zombielinux

New Member
Jun 14, 2019
13
5
3
That's kind of what I figured. I guess the best solution is to just replace the existing ATT modem/router with something dumb and low power.

I've got a DD-WRT box set up for just that purpose. I've just gotta get the certs off this modem first.
 

Navy_BOFH

Active Member
Aug 2, 2013
145
52
28
That's kind of what I figured. I guess the best solution is to just replace the existing ATT modem/router with something dumb and low power.

I've got a DD-WRT box set up for just that purpose. I've just gotta get the certs off this modem first.
I am setting up one of my servers at a friend's house for streaming and "DR" and doing the pfatt pfSense method for his house. I am hoping it is as useful as everyone is claiming because the Pace 5268ac at the house is bad enough he can barely stream YouTube and AT&T is useless for troubleshooting.

A small benefit is there are plenty of those "firewall appliance" Pentium J1900 devices on Amazon to make easy work of a low power and compact device to replace your existing setup.
 

Falcon07

New Member
Mar 9, 2020
1
0
1
About to get AT&T fiber 1000 this week, why do they make using your own Wifi router so damn difficult? For $10 bucks a month, makes no sense, they could just say the $10 fee is for the ONT. What am I missing?
 

ReturnedSword

Active Member
Jun 15, 2018
200
48
28
Santa Monica, CA
It's due to the way AT&T chose to authenticate the customer end. AT&T uses 802.1x certificate-based authentication, which requires a signed certificate on an authenticator (the AT&T RG). In an 802.1x system, AT&T (or the authentication server controlling authority) can provide the signed certificate if they want, but sadly for practical reasons most customers would hardly know what to do with said certificate. With AT&T I'm not as annoyed about needing to extract the certificate manually as I am with the $10/month mandatory charge for the RG. Typically they waive the RG fee for the first year, though thereafter $120/yr for something you won't be using is a bit annoying.

FIOS authentication was initially based on PPPoE (a carry-over from Verizon's DSL auth method, similar to how 802.1x was a carry-over from AT&T's DSL auth method), but later FIOS moved to DHCP authentication, which is why the customer may simply use any third-party network equipment they want.

I would note though, that "modem" fees are commonplace in the industry where effectively there is a regional duopoly between the traditional "telecom" and "cable" companies. For example Frontier also charges a mandatory $10/mo even though it's trivial to use a third-party router since they bought most of Verizon's FIOS network. In some more rural areas it's worse, being controlled by a monopoly, if they can even get decent internet service at all.
 

AiC

New Member
Oct 28, 2018
17
6
3
It's due to the way AT&T chose to authenticate the customer end. AT&T uses 802.1x certificate-based authentication, which requires a signed certificate on an authenticator (the AT&T RG). In an 802.1x system, AT&T (or the authentication server controlling authority) can provide the signed certificate if they want, but sadly for practical reasons most customers would hardly know what to do with said certificate. With AT&T I'm not as annoyed about needing to extract the certificate manually as I am with the $10/month mandatory charge for the RG. Typically they waive the RG fee for the first year, though thereafter $120/yr for something you won't be using is a bit annoying.
I have the 1g ATT service and do not pay $10 for the modem, which I have unplugged on the shelf.
 

ReturnedSword

Active Member
Jun 15, 2018
200
48
28
Santa Monica, CA
Interesting. There was a modem charge for me before I insisted to be put back on the promotional pricing. Another customer I know also has this charge, though he’s not as proactive as I am about getting it waived.

Whatever the case is, if someone is being charged it can be waived if customer service is called.
 

archerious

New Member
Jun 9, 2020
1
0
1
You need an interface on your router configured with one of the static IPs. Configure all your hosts with a different IP and use that at the gateway, just like your regular LAN interfaces using private IPs, but using your public IPs instead.

For example, my setup
Router:
eth0: dhcp public IP
eth1: 10.1.1.1/24
eth2: xx.xx.xx.200/29

Server1:
IP: xx.xx.xx.201
Netmask: 255.255.255.248
Gateway: xx.xx.xx.200

Server2:
IP: xx.xx.xx.202
Netmask: 255.255.255.248
Gateway: xx.xx.xx.200

Don't set up NAT, just firewall rules allowing traffic destined to xx.xx.xx.xx/29 in from eth0 out eth2.
I registered on here just to thank you.

The way the others had said was using srcnat and dstnat, but that broke the ability to use port 80 on one of my static IPs since it was forwarding all to the gateway on the /29.

Your simple method made sense and works perfectly on both pfSense and Mikrotik.

Instead of eth2 though I'm using VLAN300 on my sfp-plus1 interface. WAN = ether1 in my case on my Mikrotik RB4011.

[Attached screenshots: "as simple as that.PNG", "mikrotik static ip.PNG", "mikrotik hextrixtools.PNG"]