Looking for router advice before moving to AT&T fiber

Vesalius

Active Member
Nov 25, 2019
116
80
28
Good afternoon everyone. I have AT&T fiber. I have a UniFi USG, switch (8-60W), Cloud Key (Gen 2) and AP (nano), and I'm looking for some help getting set up. My problem is the AT&T router; I would like to bypass it. I'm just starting out learning about networking and Linux. I have been reading a lot about this, and I'm sure the USG will not handle the connection I have (1000 Mbps), so I'm getting ready to order the EdgeRouter 4. Lastly, I know everyone's time is limited, so I will definitely compensate you up front for your time. Thanks.
I think these might pertain to your hardware.
 

marcoi

Well-Known Member
Apr 6, 2013
1,434
233
63
Gotha Florida
Anyone running the pfatt bypass upgraded pfSense to 2.5 yet? Seems like there are reports of CPU issues per Reddit.
 

Zombielinux

New Member
Jun 14, 2019
28
6
3
Anyone running the pfatt bypass upgraded pfSense to 2.5 yet? Seems like there are reports of CPU issues per Reddit.
I've not had any issues whatsoever. The transition to 2.5 went smoothly, with the exception of having to manually copy all the files over again.
 

Zombielinux

New Member
Jun 14, 2019
28
6
3
Did you end up doing an in-place upgrade?
I actually didn't. My hard drive for the firewall died before I had a chance to address it. So I installed 2.5 directly, then just copied my old config over and prayed.

HAProxy wasn't happy, but the rest came together.
 

Zombielinux

New Member
Jun 14, 2019
28
6
3
Okay, I virtualize my pfSense box, so I will need to play with both a fresh install and an upgrade.
Yeah, that's what I'd do. But it really shouldn't be too bad. Worst case, you could set up CARP or some other highly available setup if it behaves.
 

Vesalius

Active Member
Nov 25, 2019
116
80
28
Okay, I virtualize my pfSense box, so I will need to play with both a fresh install and an upgrade.
Depending on what you use to virtualize, you can pretty easily bypass the AT&T box without pfatt (if you end up having an issue getting pfatt to play nice with pfSense CE 2.5). I no longer use pfatt with Proxmox and a pfSense VM.
 

Zombielinux

New Member
Jun 14, 2019
28
6
3
Depending on what you use to virtualize, you can pretty easily bypass the AT&T box without pfatt (if you end up having an issue getting pfatt to play nice with pfSense CE 2.5). I no longer use pfatt with Proxmox and a pfSense VM.
I went with a physical box because there is no way to connect the ONT to multiple servers (as far as I know) so that the pfSense VM could be HA. I wish that weren't the case.
 

marcoi

Well-Known Member
Apr 6, 2013
1,434
233
63
Gotha Florida
I'm not worried so much about HA with my setup. I have VM backups, a hardware backup and, worst case, the original AT&T box.

I'm using ESXi 6.7, planning to upgrade to 7.x over the next few months. I have some Dell L3 switches that are a few years old now.

What alternative options are there for the AT&T workaround other than pfatt and pfSense?
 

Zombielinux

New Member
Jun 14, 2019
28
6
3
I'm not worried so much about HA with my setup. I have VM backups, a hardware backup and, worst case, the original AT&T box.

I'm using ESXi 6.7, planning to upgrade to 7.x over the next few months. I have some Dell L3 switches that are a few years old now.

What alternative options are there for the AT&T workaround other than pfatt and pfSense?
So pfatt is just a wrapper script around wpa_supplicant. One could easily rewrite the script for use in a standard Linux environment. Maybe even WSL for the masochists among us.
 
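To make the "rewrite it for plain Linux" idea concrete, here is an added example of the same flow as a POSIX shell script. It is my own illustration, not pfatt's code and not from any post in this thread: it renders a wpa_supplicant config for wired EAP-TLS using the certificates extracted from the gateway, starts the supplicant on the ONT-facing NIC with the gateway's MAC, waits for EAP to report success, then requests a lease on the VLAN 0 sub-interface. The interface name, the placeholder MAC, the certificate directory and file names, and the use of dhclient are assumptions you would substitute for your own; the identity field is set to the gateway MAC because that is what the extracted-cert setups commonly use.

```shell
#!/bin/sh
# Added example: a plain-Linux stand-in for the pfatt wrapper. wpa_supplicant's
# wired driver does the 802.1X/EAP-TLS handshake the ONT expects; WAN traffic
# then rides VLAN 0 on the same NIC. Not pfatt's code; paths and MAC are placeholders.

ONT_IF="${ONT_IF:-eth0}"                    # NIC cabled to the ONT
RG_MAC="${RG_MAC:-00:11:22:33:44:55}"       # MAC printed on the AT&T gateway (placeholder)
CERT_DIR="${CERT_DIR:-/etc/att-bypass}"     # where the extracted gateway certs live (assumed)
CONF="${CONF:-/etc/wpa_supplicant/att.conf}"

# Six hex pairs separated by colons; the EAP identity must be the gateway's MAC.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit the supplicant config: EAP-TLS with the extracted certs, 802.1X-2001
# framing (eapol_version=1), no scanning since this is a wired link.
# File names CA.pem/Client.pem/PrivateKey.pem are assumed, not prescribed.
render_supplicant_conf() {
    mac="$1"; dir="$2"
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    cat <<EOF
eapol_version=1
ap_scan=0
fast_reauth=1
network={
    ca_cert="$dir/CA.pem"
    client_cert="$dir/Client.pem"
    private_key="$dir/PrivateKey.pem"
    eap=TLS
    eapol_flags=0
    identity="$mac"
    key_mgmt=IEEE8021X
    phase1="allow_canned_success=1"
}
EOF
}

# Bring the NIC up wearing the gateway's MAC, start the supplicant, and only
# ask for a lease once EAP has succeeded (the ONT drops traffic before that).
start_bypass() {
    ip link set "$ONT_IF" down
    ip link set "$ONT_IF" address "$RG_MAC"
    ip link set "$ONT_IF" up
    render_supplicant_conf "$RG_MAC" "$CERT_DIR" > "$CONF"
    wpa_supplicant -B -Dwired -i "$ONT_IF" -c "$CONF"
    i=0
    while [ "$i" -lt 30 ]; do
        if wpa_cli -i "$ONT_IF" status 2>/dev/null | grep -q '^EAP state=SUCCESS'; then
            break
        fi
        i=$((i + 1)); sleep 1
    done
    [ "$i" -lt 30 ] || { echo "EAP did not complete on $ONT_IF" >&2; return 1; }
    # WAN traffic is priority-tagged (VLAN 0); the lease is handed out there.
    ip link add link "$ONT_IF" name "${ONT_IF}.0" type vlan id 0
    ip link set "${ONT_IF}.0" up
    dhclient "${ONT_IF}.0"   # any DHCP client will do; dhclient is an assumption
}

# Only touch the host when asked; sourcing the file just defines the functions.
if [ "${1-}" = "--apply" ]; then
    start_bypass
fi
```

Run it as root with `--apply` after placing the extracted certificates in the directory you set; if the EAP loop times out, `wpa_cli -i eth0 status` will show which state the supplicant is stuck in, which is usually a certificate or MAC mismatch rather than a network problem.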

Vesalius

Active Member
Nov 25, 2019
116
80
28
So PFatt is just a wrapper script around wpa_supplicant. One could easily rewrite the script for use in a standard Linux environment. Maybe even WSL for the masochists among us.
Even easier than that, at least in Proxmox; it's almost completely doable from the GUI even. It's doable in ESXi too, but I don't have the exact process. I just bridge past the RG as described below, but I'll link below a Reddit post on how to do the same with extracted certs and the RG removed.

Assuming the ONT is connected to eth0 and the RG to eth1, I create 2 Linux bridges in the Proxmox GUI, vmbr1 and vmbr2:
  1. vmbr1: add both eth0 and eth1 as bridge ports. Used for EAP auth only, not passed to any VM.
  2. vmbr2: add eth0.0 as a bridge port (uses eth0 over VLAN 0). Use this for the pfSense WAN; you can spoof the RG MAC here as well.

Proxmox is Debian, so edit /etc/network/interfaces to add post-up echo 8 > /sys/class/net/vmbr1/bridge/group_fwd_mask to vmbr1.

Code:
auto vmbr1
iface vmbr1 inet manual
        bridge-ports eth0 eth1
        bridge-stp off
        bridge-fd 0
        post-up echo 8 > /sys/class/net/vmbr1/bridge/group_fwd_mask
#RG to ONT bridge for EAP Auth
You can also spoof the RG MAC via pfSense by editing the WAN interface.

Link to a similar setup that skips pfatt/netgraph on a pfSense VM, using the supplicant:
https://www.reddit.com/r/PFSENSE/comments/guwm2u/_/fsnh9fx
 
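As an added example (not from the post above and not Proxmox's own tooling), here are the same two bridges built with iproute2 on a plain Debian host, with the group_fwd_mask value derived from the EAPOL group address instead of hard-coded, plus a check you can re-run after an upgrade rewrites /etc/network/interfaces to confirm vmbr1 still passes 802.1X frames. eth0/eth1 and vmbr1/vmbr2 follow the post; the helper names and the `--apply` flag are my own.

```shell
#!/bin/sh
# Added example: the post's vmbr1/vmbr2 layout done with ip(8) instead of the
# Proxmox GUI, and a verification of the EAPOL forwarding bit. Not from the post.

ONT_IF="${ONT_IF:-eth0}"      # cabled to the ONT
RG_IF="${RG_IF:-eth1}"        # cabled to the AT&T gateway's ONT port
AUTH_BR="${AUTH_BR:-vmbr1}"   # EAPOL-only bridge between RG and ONT, no VM ports
WAN_BR="${WAN_BR:-vmbr2}"     # pfSense WAN bridge on eth0.0

# A Linux bridge drops link-local group frames 01:80:C2:00:00:0X unless bit X of
# group_fwd_mask is set. EAPOL (802.1X PAE) uses 01:80:C2:00:00:03, so the RG's
# authentication only reaches the ONT with bit 3 set, i.e. the value 8 in the
# post. Bits 0-2 (STP, pause, LACP) are refused by the kernel, so reject them here.
group_fwd_bit() {
    last="$(printf '%s' "$1" | awk -F: '{print $NF}')"
    x=$((0x$last))
    [ "$x" -ge 3 ] && [ "$x" -le 15 ] || return 1
    echo $((1 << x))
}

EAPOL_MASK="$(group_fwd_bit 01:80:c2:00:00:03)"   # evaluates to 8

setup_bridges() {
    # vmbr1: transparent RG <-> ONT bridge. STP off and no forward delay so the
    # EAP exchange is not held up while the bridge "learns".
    ip link add "$AUTH_BR" type bridge stp_state 0 forward_delay 0
    ip link set "$ONT_IF" master "$AUTH_BR"
    ip link set "$RG_IF" master "$AUTH_BR"
    echo "$EAPOL_MASK" > "/sys/class/net/$AUTH_BR/bridge/group_fwd_mask"
    ip link set "$ONT_IF" up
    ip link set "$RG_IF" up
    ip link set "$AUTH_BR" up
    # vmbr2: the VLAN 0 (priority-tagged) sub-interface of the ONT NIC carries the
    # real WAN traffic; pfSense's WAN vNIC attaches here and may spoof the RG MAC.
    ip link add link "$ONT_IF" name "${ONT_IF}.0" type vlan id 0
    ip link add "$WAN_BR" type bridge stp_state 0 forward_delay 0
    ip link set "${ONT_IF}.0" master "$WAN_BR"
    ip link set "${ONT_IF}.0" up
    ip link set "$WAN_BR" up
}

# Pure check on a mask value as sysfs prints it (hex, e.g. 0x8): is the EAPOL bit set?
mask_is_eapol_capable() {
    [ $(( $1 & EAPOL_MASK )) -ne 0 ]
}

# Read the live mask back; succeeds only if the bridge exists and forwards EAPOL.
# This is the check worth running after a Proxmox upgrade touches the config.
eapol_forwarding_enabled() {
    mask="$(cat "/sys/class/net/$1/bridge/group_fwd_mask" 2>/dev/null)" || return 1
    mask_is_eapol_capable "$mask"
}

if [ "${1-}" = "--apply" ]; then
    setup_bridges
    if eapol_forwarding_enabled "$AUTH_BR"; then
        echo "$AUTH_BR forwards EAPOL (group_fwd_mask has bit 3 set)"
    else
        echo "$AUTH_BR will NOT pass 802.1X frames; the RG cannot authenticate" >&2
        exit 1
    fi
fi
```

The `post-up` line in the post does exactly what `setup_bridges` does by hand; the value must be re-applied every time vmbr1 is recreated, which is why the read-back check rather than "it worked last time" is the thing to script.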

Zombielinux

New Member
Jun 14, 2019
28
6
3
Even easier than that, at least in Proxmox; it's almost completely doable from the GUI even. It's doable in ESXi too, but I don't have the exact process. I just bridge past the RG as described below, but I'll link below a Reddit post on how to do the same with extracted certs and the RG removed.

Assuming the ONT is connected to eth0 and the RG to eth1, I create 2 Linux bridges in the Proxmox GUI, vmbr1 and vmbr2:
  1. vmbr1: add both eth0 and eth1 as bridge ports. Used for EAP auth only, not passed to any VM.
  2. vmbr2: add eth0.0 as a bridge port (uses eth0 over VLAN 0). Use this for the pfSense WAN; you can spoof the RG MAC here as well.

Proxmox is Debian, so edit /etc/network/interfaces to add post-up echo 8 > /sys/class/net/vmbr1/bridge/group_fwd_mask to vmbr1.

Code:
auto vmbr1
iface vmbr1 inet manual
        bridge-ports eth0 eth1
        bridge-stp off
        bridge-fd 0
        post-up echo 8 > /sys/class/net/vmbr1/bridge/group_fwd_mask
#RG to ONT bridge for EAP Auth
You can also spoof the RG MAC via pfSense by editing the WAN interface.

Link to a similar setup that skips pfatt/netgraph on a pfSense VM, using the supplicant:
https://www.reddit.com/r/PFSENSE/comments/guwm2u/_/fsnh9fx

That's a slick solution.

I'm still on the hunt for one that can give me high availability.
 

Snowknight26

New Member
Apr 28, 2017
22
1
3
Wrote a config script for VyOS to enable EAPOL: T1466 Add EAPOL login support. Might work on the EdgeRouters too.
Doing it on the post-config script breaks my VPN tunnels and pre-config is done before the MAC gets changed and if-names assigned.
Long shot here, but since this is the only bit of information I can find about wpa_supplicant and broken VPN routes: how exactly is your setup configured?

I have an ER-4 with wpa_supplicant running and working with EAPOL, but for whatever reason any clients connected to the VPN can't seem to get traffic from the WAN interface.

I have a script in firstboot.d (only run after a firmware update, not after a factory reset or a config restore) that essentially just disables the default wpa_supplicant service and enables/starts the wired one on eth0. Nothing out of the ordinary. Yet still, no go for VPN routing.