Looking for router advice before moving to AT&T fiber


Loren

New Member
Dec 23, 2018
Hello,

My wife and I have a white box running FreeNAS and a Dell PowerEdge R710 running a few VMs for backups, Plex, and misc other tasks. After we added the R710 I started to realize the limitations of our Verizon FiOS router and began to research alternatives that would enable me to run something with a little more flexibility, like OpenWrt and pfSense. In that research it became abundantly clear that had I done a little more looking around I could have saved some money and had a much more reliable and powerful router. Right now I am able to route everything that I need to. However, I do travel quite a bit, and having some of the options that pfSense offers with the ease of setup, like OpenVPN, would be a huge help, especially when I'm out of town and need to "look in" on the server and perform maintenance. We are now in the process of moving and will need to contact AT&T to set up service at our new apartment fairly soon.

The few posts that I have been able to find on the AT&T system say that there is no good alternative to their routers or the ability to bypass them. Has anyone here on this forum had any experience with AT&T's service or knowledge of better routing options than what they provide?

Any input would be greatly appreciated.

Loren

mb300sd

Active Member
Aug 1, 2016
There are a couple of methods to bypass the AT&T modem here.
https://www.dslreports.com/forum/r2...al-Gateway-Bypass-True-bridge-mode~start=1260

I'm personally running a VyOS box with this, kangtastic/peapod

It should work with any Linux-based routing distribution. Basically, you connect your box directly to the fiber ONT, spoof the router's MAC, and then proxy through the EAP packets for authentication. The downside is you're stuck with their box connected to your actual router doing nothing but EAPOL.

BennyT

Active Member
Dec 1, 2018
@Loren
Hello, what model is the AT&T gateway box? It's been a few years since I had AT&T Fiber when I lived in Dallas. Mine was the att5268AC (i.e. Pace 5268AC).

My Asus Wi-Fi router's WAN port connected to one of the ports on the back of the 5268AC.

In the 5268AC menu I went into SETTINGS -> FIREWALL -> APPLICATION, PINHOLES and DMZ:

The 5268AC will display a listing of devices connected (often it will only show the MAC address). In that listing I found my Asus MAC address and clicked the option to put the Asus into DMZplus Mode. In other words, the AT&T 5268AC would not filter anything going to or from that device. It's then up to the device (my Asus or other firewalls further down the line) to route, manage traffic, do port forwarding, etc.

The next issue I ran into was trying to enable NAT loopback, which is not supported on the 5268AC... but it is on my Asus router. However, the 5268AC was blocking the NAT loopback of my Asus. To fix that I disabled ALL firewall options on the 5268AC.

That was back in 2017 so things might have changed/improved since then.

I've since moved, but fiber sure was nice and I wish I still had it. Gigabit up and down was great! Especially if transferring large VM disks up to Azure cloud, etc.

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
I have AT&T fiber at home with a static block of IPs. I'm currently re-working my home network design (see here) but it's probably overkill for you.

You will probably end up with Arris BGW210 router.
Strict NAT? Bridge Mode? What is IP Passthrough? Can I enable on my Arris BGW210 or like router?

You will probably put the router into IP passthrough mode and send all traffic to one IP address, like pfSense or whatever FW software you want to use. Then the FW will allow and route your traffic to whatever home service you want to expose. I haven't tested yet, but you probably won't be able to use the Wi-Fi access of the router with IP passthrough enabled; still researching that.

pyrodex

New Member
Jan 2, 2018
If you’re planning to stick with pfSense, have a look at this:

aus/pfatt

You'd need three NICs, and this method provides a true bypass, so your AT&T-provided gateway becomes a glorified certificate authentication box. There's no way to fully remove the gateway AFAIK.
I do this at home with the wpa_supplicant version of pfatt; it isn't in the master branch now but it is 100% solid. This setup only requires two NICs (ONT and LAN), using an extracted certificate from the AT&T gateway, and then your pfSense box basically authenticates just like the AT&T router using 802.1X. I've had this in place for over a month and my router has been turned off and isn't even connected. I've rebooted multiple times without any issues.

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
I do this at home with the wpa_supplicant version of pfatt; it isn't in the master branch now but it is 100% solid. This setup only requires two NICs (ONT and LAN), using an extracted certificate from the AT&T gateway, and then your pfSense box basically authenticates just like the AT&T router using 802.1X. I've had this in place for over a month and my router has been turned off and isn't even connected. I've rebooted multiple times without any issues.
I would be interested in a guide/steps you used to get this working.

pyrodex

New Member
Jan 2, 2018
I would be interested in a guide/steps you used to get this working.
You can read WIP: Supplicant Mode by aus · Pull Request #19 · aus/pfatt for some more insight; you would need to pull the supplicant branch for the updated file. I didn't go down the route to exploit my BGW-210 and purchased an exported certificate from a user on eBay who posts a lot on the DSLReports forum. He has a few others for sale now under Items for sale by maczrool | eBay if you want to check them out.

I used the three port method prior to this and just didn't like the issues with the RG sometimes causing problems.

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
Does the bypass method (either way listed in the thread) work with a static IP block as well? Seems like some forum posts on the web mention it didn't?

mb300sd

Active Member
Aug 1, 2016
You can read WIP: Supplicant Mode by aus · Pull Request #19 · aus/pfatt for some more insight; you would need to pull the supplicant branch for the updated file. I didn't go down the route to exploit my BGW-210 and purchased an exported certificate from a user on eBay who posts a lot on the DSLReports forum. He has a few others for sale now under Items for sale by maczrool | eBay if you want to check them out.

I used the three port method prior to this and just didn't like the issues with the RG sometimes causing problems.
Do you know if your IP address changed when you used this method instead of your original RG? I'd love to try this but definitely don't want a new IP, it's set up in more places than I know by now.

Also, are there instructions to exploit it somewhere? I haven't seen them anywhere.
It's in the GitHub, I'm an idiot.

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
So I want to build this out using VMs and ESXi hosts. My idea so far, thoughts?

Build one VM to perform the authentication using a method below.
I think I want the first VM to just do the bypass, so I don't need to screw with it when I want to make changes.
  1. VyOS box with this, kangtastic/peapod
  2. pfSense with aus/pfatt (3 NICs)
  3. pfSense with aus/pfatt using the supplicant branch (2 NICs with certificate files pulled from the modem or bought on eBay)
The second VM will be either pfSense or Sophos UTM/XG and will provide my home network FW needs/rules to access.

Concerns: how do I get the static block passed to the 2nd VM acting as the main FW/router for the home network?

mb300sd

Active Member
Aug 1, 2016
Make sure your hypervisor switch passes EAPOL packets. I'm pretty sure most don't, so it might have to be a physical box or at least fully pass through the NIC.

The static block is simply routed to your main IP. Use static routes to pass it on to whatever devices you want.
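As an added illustration of the check mb300sd describes (this is not code from the thread, peapod or pfatt): a small Python decoder for the 802.1X EAPOL frames that the bypass proxies, run over a constructed sample exchange. Capturing on the pass-through NIC (tcpdump filter `ether proto 0x888e`) and feeding the frames to this shows whether the virtual switch forwarded EAPOL in both directions. The MAC addresses and the identity string are made up.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS"}  # 13 is the certificate-based method

def parse_eapol_frame(frame: bytes) -> dict:
    """Decode Ethernet + EAPOL headers and, for an EAP-Packet, the EAP header."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPOL header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body truncated")
    info = {"src": src.hex(":"), "dst": dst.hex(":"),
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0 and body_len >= 4:  # EAP-Packet: code, identifier, length, [method]
        code, info["eap_id"], _ = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        if code in (1, 2) and body_len >= 5:  # only Request/Response carry a method
            info["eap_method"] = EAP_METHODS.get(body[4], f"unknown({body[4]})")
    return info

def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    # EAPOL version 1 header: ethertype, protocol version, packet type, body length
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body

# Constructed sample exchange; the MACs are made up, not real gateway or ONT addresses.
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address for EAPOL-Start
GATEWAY = bytes.fromhex("021122334455")    # supplicant side: the MAC the router spoofs
ONT = bytes.fromhex("026677889900")        # authenticator side
SAMPLE_CAPTURE = [
    build_eapol(PAE_GROUP, GATEWAY, 1),                                     # EAPOL-Start
    build_eapol(GATEWAY, ONT, 0, b"\x01\x01\x00\x05\x01"),                  # Request/Identity
    build_eapol(ONT, GATEWAY, 0, b"\x02\x01\x00\x15\x01example-identity"),  # Response/Identity
    build_eapol(GATEWAY, ONT, 0, b"\x01\x02\x00\x06\x0d\x20"),              # Request/EAP-TLS
    build_eapol(GATEWAY, ONT, 0, b"\x03\x02\x00\x04"),                      # Success
]

def eapol_both_directions(frames) -> bool:
    """True when Requests (from the ONT side) and Responses (from the gateway side)
    both appear, i.e. the virtual switch forwarded EAPOL in both directions."""
    codes = {parse_eapol_frame(f).get("eap_code") for f in frames}
    return {"Request", "Response"} <= codes
```

If a real capture shows only EAPOL-Start and Responses but never a Request, the switch is dropping the authenticator's frames and the bypass will never complete.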

pyrodex

New Member
Jan 2, 2018
Do you know if your IP address changed when you used this method instead of your original RG? I'd love to try this but definitely don't want a new IP, it's set up in more places than I know by now.

Also, are there instructions to exploit it somewhere? I haven't seen them anywhere.
It's in the github, I'm an idiot.
For me it did not... in my setup I had to use the MAC of the RG that the certificate came from (I've heard of others using their original RG MAC) but the IP didn't change. This leads me to believe the IP is based on either the ONT MAC or the account itself. I've been with AT&T over two years and haven't had a single IP change, but I am also on DHCP.

I do utilize Route 53 with pfSense updating dynamic records for my main domain and all my sub-domains without issues....

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
So I want to build this out using VMs and ESXi hosts. My idea so far, thoughts?

Build one VM to perform the authentication using a method below.
I think I want the first VM to just do the bypass, so I don't need to screw with it when I want to make changes.
  1. VyOS box with this, kangtastic/peapod
  2. pfSense with aus/pfatt (3 NICs)
  3. pfSense with aus/pfatt using the supplicant branch (2 NICs with certificate files pulled from the modem or bought on eBay)
The second VM will be either pfSense or Sophos UTM/XG and will provide my home network FW needs/rules to access.

Concerns: how do I get the static block passed to the 2nd VM acting as the main FW/router for the home network?
Okay, I was able to get option 2 set up and tested quickly that it is working.

Now I need to understand how to assign out my public IP addresses. I have a 4-port NIC card passed through to pfSense with ports 0 and 1 assigned for the pfatt function. That leaves me with ports 3-4 plus any other virtual NIC I want to add to the host VM.

I need a quick setup guide to do the static IP. In my current setup I have my Sophos UTM VM WAN attached to the LAN side of the AT&T router with the WAN set to a static IP address. I want to keep that for now but connect to the pfSense box.

mb300sd

Active Member
Aug 1, 2016
What do you want to do with the static IPs? You can assign them all to the router and do NAT, or you can distribute them out to a subnet. Or even crazy tricks like NATing some ports to one host while another is using the address.

I have mine distributed out on a separate VLAN where my servers (mostly VMs) live, and have it on a wireless SSID so my laptop can use the extra public addresses (helps for those file sharing sites with timers).

Nothing connected to the LAN side of the AT&T box will work; it no longer gets internet if the pfatt bypass is set up correctly.

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
I want to assign the static IPs to two different network segments. The first is the home network where Sophos acts as a UTM, and the second is for production services exposed to the internet on various ports.

ReturnedSword

Active Member
Jun 15, 2018
Santa Monica, CA
The supplicant method looks interesting. I’ll have to check out dumping my cert if I switch to AT&T. Pretty fed up with Charter’s price hikes by now, but also dreading having to deal with a technician coming over to switch me to fiber.

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
Getting slowness after setting up pfSense with aus/pfatt (3 NICs). I removed Sophos for now so it's pure pfSense running all of the home network.
While testing the first time with pfSense with aus/pfatt (3 NICs) I was able to get over 1GB speeds up and down on fast.com.
Now that I've implemented it and started redoing the network with this setup, my max download speed has been in the 5-600 range.
Any ideas?

I'm still trying to work out the static block setup.

mb300sd

Active Member
Aug 1, 2016
If you want to distribute out the static IPs, add another LAN interface with an IP in your static block, and connect your nodes to that interface. Create a firewall rule allowing traffic to those IPs in from the WAN interface. Haven't used pfSense for a couple years, so I'm not sure on exactly how to do it.

Have you tried speedtest.net? They have more local servers. I just got 430 on fast.com and 860 on speedtest.net, with a ton of stuff currently using the network.