This repository includes my notes on enabling a true bridge mode setup with AT&T U-Verse and pfSense. This method utilizes netgraph, which is a graph-based kernel networking subsystem of FreeBSD. This low-level solution was required to account for the unique issues surrounding bridging 802.1X traffic and tagging a VLAN with an ID of 0. I've tested and confirmed this setup works with AT&T U-Verse Internet on the ARRIS NVG589, NVG599 and BGW210-700 residential gateways (probably others too). For the Pace 5268AC, see the special details below.

There are a few other methods to accomplish true bridge mode, so be sure to see what is easiest for you. True bridge mode is also possible on Linux via ebtables, or using hardware with a VLAN swap trick. I was not using a Linux-based router, and the VLAN swap did not seem to work for me.

While many AT&T residential gateways offer something called IP Passthrough, it does not provide the same advantages as a true bridge mode. For example, the NAT table is still managed by the gateway, which is limited to a measly 8192 sessions (although it becomes unstable at even 60% capacity). The netgraph method will allow you to fully utilize your own router and fully bypass your residential gateway. It survives reboots, re-authentications, IPv6, and new DHCP leases.

How it Works

Before continuing to the setup, it's important to understand how this method works. This will make configuration and troubleshooting much easier.

Standard Procedure

First, let's talk about what happens in the standard setup (without any bypass). At a high level, the following process happens when the gateway boots up:

1. All traffic on the ONT is protected with 802.1X. So in order to talk to anything, the residential gateway must first perform the authentication procedure. This process uses a unique certificate that is hardcoded on your residential gateway.
2. Once the authentication completes, you'll be able to properly "talk" to the outside. However, all of your traffic will need to be tagged with VLAN ID 0 (a.k.a. VLAN Priority Tagging) before the IP gateway will respond.
3. Once traffic is tagged with VLAN 0, your residential gateway needs to request a public IPv4 address via DHCP. The MAC address in the DHCP request needs to match the MAC address that's assigned to your AT&T account. Other than that, there's nothing special about the DHCPv4 handshake.
4. After the DHCP lease is issued, the WAN setup is complete. Your LAN traffic is then NAT'd and routed to the outside.

To bypass the gateway using pfSense, we can emulate the standard procedure. If we connect our residential gateway and ONT to our pfSense box, we can bridge the 802.1X authentication sequence, tag our WAN traffic as VLAN 0, and request a public IPv4 via DHCP using a spoofed MAC address. Unfortunately, there are some challenges with emulating this process.
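To make the boot sequence concrete at the wire level, here is an added Python example (not code from this repository or from pfSense/netgraph) that builds constructed sample frames for each stage and runs them through a small parser: EAPOL frames for the 802.1X handshake, an 802.1Q priority tag whose VLAN ID is 0, and a DHCPv4 DISCOVER whose client hardware address is checked against the MAC registered to the account. The MAC addresses, DHCP transaction ID and frame contents are all constructed placeholders, not values captured from a real ONT or gateway.

```python
"""Wire-level view of the gateway boot sequence: 802.1X, VLAN 0, DHCPv4.

Sample frames below are constructed for illustration, not real captures.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_EAPOL = 0x888E  # 802.1X (EAPOL)
ETHERTYPE_IPV4 = 0x0800

# Assumed, constructed addresses: not real gateway or account values.
GATEWAY_MAC = bytes.fromhex("0200deadbeef")   # MAC registered to the account
OTHER_MAC = bytes.fromhex("02000badc0de")     # some other MAC
BROADCAST = b"\xff" * 6
PAE_MULTICAST = bytes.fromhex("0180c2000003")  # 802.1X PAE group address


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given.

    vlan_id=0 produces a priority tag: the PCP bits are carried but the frame
    belongs to no VLAN, which is what the IP gateway expects.
    """
    hdr = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def build_dhcp_discover(client_mac):
    """Minimal IPv4/UDP/BOOTP DHCPDISCOVER. Checksums are left zero; the
    parser below does not verify them."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s",
                        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                        0x3903F326, 0, 0x8000,  # constructed xid, secs, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        client_mac.ljust(16, b"\0"))
    bootp += b"\0" * 192                        # sname + file
    bootp += b"\x63\x82\x53\x63\x35\x01\x01\xff"  # magic cookie, option 53=DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       b"\0\0\0\0", b"\xff\xff\xff\xff") + udp


def parse_frame(frame):
    """Split an Ethernet frame into addresses, optional 802.1Q tag and payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, pcp = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "ethertype": ethertype,
            "vlan_id": vlan_id, "pcp": pcp, "payload": frame[offset:]}


def dhcp_client_mac(ip_payload):
    """Return the chaddr of a DHCP message inside an IPv4/UDP payload, else None."""
    ihl = (ip_payload[0] & 0x0F) * 4
    if ip_payload[9] != 17:                     # not UDP
        return None
    udp = ip_payload[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) not in ((68, 67), (67, 68)):
        return None
    bootp = udp[8:]
    hlen = bootp[2]
    return bootp[28:28 + hlen]


def classify(frame, account_mac):
    """Label one frame the way a bridge emulating the gateway must treat it."""
    info = parse_frame(frame)
    if info["ethertype"] == ETHERTYPE_EAPOL:
        return "eapol"            # 802.1X handshake: pass through untouched
    if info["vlan_id"] is None:
        return "untagged"         # the IP gateway will not respond to this
    if info["vlan_id"] != 0:
        return "wrong-vlan"       # must be VLAN ID 0 (priority tag)
    if info["ethertype"] == ETHERTYPE_IPV4:
        mac = dhcp_client_mac(info["payload"])
        if mac is not None:
            return "dhcp-ok" if mac == account_mac else "dhcp-mac-mismatch"
    return "priority-tagged"


SAMPLE_FRAMES = {  # constructed, see module docstring
    "eapol_start": build_frame(PAE_MULTICAST, GATEWAY_MAC, ETHERTYPE_EAPOL, b"\x02\x01\x00\x00"),
    "dhcp_vlan0": build_frame(BROADCAST, GATEWAY_MAC, ETHERTYPE_IPV4,
                              build_dhcp_discover(GATEWAY_MAC), vlan_id=0),
    "dhcp_untagged": build_frame(BROADCAST, GATEWAY_MAC, ETHERTYPE_IPV4,
                                 build_dhcp_discover(GATEWAY_MAC)),
    "dhcp_wrong_mac": build_frame(BROADCAST, OTHER_MAC, ETHERTYPE_IPV4,
                                  build_dhcp_discover(OTHER_MAC), vlan_id=0),
    "dhcp_vlan5": build_frame(BROADCAST, GATEWAY_MAC, ETHERTYPE_IPV4,
                              build_dhcp_discover(GATEWAY_MAC), vlan_id=5),
}


def classify_all(account_mac=GATEWAY_MAC):
    return {name: classify(f, account_mac) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name:16s} {label}")
```

The `wrong-vlan`, `untagged` and `dhcp-mac-mismatch` labels are exactly the three ways a bypass setup fails silently: the ONT side simply never answers, so checking these conditions on captured WAN frames is the quickest way to tell which stage of the sequence is broken.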