
Budget Router with Full Feature List?

byalexandr

Got the second HP ProDesk machine and ended up using TrueNAS Core as the OS. Was able to get everything set up no problem and log into the web GUI:

[image attachment]

 

My final setup looks a little something like this:

[image attachment]

 

I did some more reading and found that MikroTik appliances come with an 802.1X forwarding package out of the box, and apparently it is really easy to bypass the Arris gateway with one of those. I may end up doing that in the future, but so far pfSense has been working excellently and I have had zero issues with dropped connections aside from one of the APs occasionally losing LAN connection (I think it is just a bad CAT5e cable, will do some testing to diagnose that further).

 

Anyways, for now the file server only has the 128GB OS drive (Samsung SSD), but I did order one 6TB WD Red to start with. I'll add a second one later and if it's not able to saturate the gigabit connection without any RAID configuration I may run the two drives in RAID 0 for faster transfer speeds. Nothing on this file server will serve as a backup, it's mainly just to keep Steam games that are too large to fit on my laptop and some raw media that takes up a lot of space (also on my laptop). Will also use it just to transfer files quickly to other people in the house, so no need for a parity drive.

 

Overall though pretty happy with FreeBSD and how everything is working. Definitely a nice solid home network now given the low budget solutions to everything. I may throw in some Noctua fans in both of the systems, as the fans are just a little bit noticeable being close to my workspace. Other than that though, they are great machines, well worth the $70 I paid for each of them.

Hey all,

 

I've been battling AT&T and their lackluster BGW210 gateways. After several months and now 3 or 4 replacement gateways (I've even asked for a different model gateway, to no avail since the ONT is separate), I've done some reading and found that I can completely bypass their stupid gateway by cloning the MAC address to a router of my choice. From what I read, this is done by running the CAT6 from the ONT into an unmanaged switch, plugging the routers in and letting the BGW210 authenticate, then just unplugging the AT&T gateway where the new router (using the same MAC address and also plugged into the same unmanaged switch) takes over. Apparently it only authenticates the connection to the ISP on startup and never checks it again.

 

So, I want to give this a try (or if it doesn't work after new firmware patches have possibly banned this process, at least run the BGW210 in passthrough mode), but I don't know a decent router to use. I personally like the Unifi stuff, but for this purpose I'm not too keen on spending a few hundred bucks on a UDM Pro and then even more on some APs, though it would be really cool to have a nice little network rack at the patch panel in my house. I'd like to keep it under $100 if possible, and at least have some modern features like WiFi 6, good coverage, and most importantly the ability to clone MAC addresses on the new router.

 

One thing that stands out is the eero routers, but I'm not sure how well regarded they are or if they have MAC cloning. There are tons of options from ASUS, TP Link, Netgear, etc. but they all look the same to me and I'm not sure what makes one worth $200 vs $120 vs $80... Ideally I'd like the features I need, and not anything extra. From my experience an all-in-one device will tend to have problems, as seen with the BGW210 that AT&T stubbornly forces 1G Fiber users to have.


Did a lot more reading...

 

I'm going to set up a pfsense box using an HP 705 G1 and NC360T dual GbE NIC ($83 for both on eBay, A10-7800, 8GB and 256GB SSD). With FreeBSD installed I can set up a "true bridge" instead of having the AT&T gateway in passthrough mode, where the router is using an EAP proxy to forward any authentication packets to the BGW210, otherwise keeping the rest of the traffic solely through the new router and being connected directly to the ONT. From there I'll run the LAN to one of the many unmanaged switches I have laying around to provide wired network at the patch panel to my devices around the house and set up a decent AP for wireless connectivity (either a UniFi 6 Lite or TP Link AC1350, since I only have 1gb from the ISP anyways).

 

I looked at a bunch of routers and a pfsense box really seems like the only way to have full control over the network and allow me to bypass the AT&T gateway as much as possible.


12 hours ago, byalexandr said:

I looked at a bunch of routers and a pfsense box really seems like the only way to have full control over the network and allow me to bypass the AT&T gateway as much as possible.

Glad you found your solution. Keep us updated on how you go about setting everything up as it can serve as a reference point for others in a similar situation.

 

I've seen guides on getting a similar thing done with the UDM-Pro, so it can be done if you have one already. As you've figured out, however, you don't need to spend money on a UDM-Pro to get this working. Actually, pfSense should offer you way more features not just for this scenario but for other things in the future.


1 hour ago, Falcon1986 said:

Glad you found your solution. Keep us updated on how you go about setting everything up as it can serve as a reference point for others in a similar situation.

 

I've seen guides on getting a similar thing done with the UDM-Pro, so it can be done if you have one already. As you've figured out, however, you don't need to spend money on a UDM-Pro to get this working. Actually, pfSense should offer you way more features not just for this scenario but for other things in the future.

As much as I'd love to have an actual rack decked out with Ubiquiti gear, it's just too much at this point in time. When I have my own house I'll definitely have a network rack, rack mounted NAS, and more importantly an ISP that allows me to use my own equipment...

 

As far as setting up the pfSense box, I'll be referring to this pretty thorough guide: https://github.com/MonkWho/pfatt

 

My current house does have a patch panel, so I can set up my switch in there and put a couple APs around the house. Otherwise the pfSense router will sit next to the BGW210 where the ONT comes in. The PC has pretty decent specs for only $70 (no OS which is not a problem of course), and the HP NIC uses an Intel chipset as far as I'm aware, so decent start there. I could even buy a single GbE port NIC, and just use a cheap 100mb USB adapter to connect to the BGW210 gateway, but the NICs at my local Micro Center have pretty bad Realtek chipsets and I've heard it's best to just stick to Intel.

 

[image attachment]


Just be aware, if they upgrade you to the BGW3xx series then you're sol with bypassing it since it uses cert based authentication in addition to other checks and actually checks in now and again but that could be incorrect, just what I've heard here and there with people saying you can't easily bypass it like you can with the 210. Right now the 3xx series seem to be limited to new users or those upgrading to the multi-gig plans but they might decide to push that to you in the future at which point it has to stay inline and you'll need to do bypass mode on it.

 

Edit:

Completely forgot the BGW3xx is also the ONT as well, duh, which is why it's such a PITA to bypass compared to the 210 which is separated out.


2 hours ago, Lurick said:

Just be aware, if they upgrade you to the BGW3xx series then you're sol with bypassing it since it uses cert based authentication in addition to other checks and actually checks in now and again but that could be incorrect, just what I've heard here and there with people saying you can't easily bypass it like you can with the 210. Right now the 3xx series seem to be limited to new users or those upgrading to the multi-gig plans but they might decide to push that to you in the future at which point it has to stay inline and you'll need to do bypass mode on it.

 

Edit:

Completely forgot the BGW3xx is also the ONT as well, duh, which is why it's such a PITA to bypass compared to the 210 which is separated out.

Yep, ONT is separate on the 210. After I read that the 'dumb switch' method doesn't tend to work all the time and would have to be reset every time the power is cycled, I found that packet forwarding solution that makes it a "true bridge" at least, much better than the IP passthrough that the gateway has (which still sends all the traffic through the gateway's NAT tables, negating any benefits).

 

I actually asked AT&T if they could at least give me a different model gateway during the several times they replaced the gateway, since the 210 has a reputation of being a POS, but they assured me that's the best they can give me with the 1g Fiber. Had I asked them for the 2g or 5g Fiber when we moved in, they would've had to run the fiber line into the house with a different gateway instead of how it already was where the ONT is outside the house and only copper comes inside.

 

I already switched my cell plan over to Verizon, has been so much better than AT&T. Unfortunately the house we moved into was already wired with AT&T so kind of stuck with it... Definitely staying away from AT&T in the future, they really are the worst.


Quick update:

 

[image attachment]

 

Here is how I plan to wire the network using the new pfSense router. I ended up buying a different HP machine that has an i5 4590, as I figure it will be a little more suited than the AMD A10 I was looking at (it was the same price anyways). Both the NIC and the desktop are on the way, hopefully arriving soon. I also ended up getting two APs, both rated for 1200Mbps (at 5GHz, I think 450Mbps at the standard 2.4GHz) with some high gain antennae, which I think (strategically placed around the house) will provide a lot better coverage than the AT&T gateway ever did.

 

As seen in the above Figma diagram, the ONT no longer connects directly to the BGW-210, and instead pfSense intercepts the connection and does the forwarding magic that the pfATT plugin will handle. The only thing I'm not too sure about at the moment is having an unmanaged switch at the patch panel (just a simple Netgear "business grade" 8-port unmanaged switch), as I've read that it's better to have a managed switch with pfSense. I think it will still work either way, and there is no need for a PoE switch as the APs have DC input.

 

As the equipment comes in, I'll post more updates. Hopefully it will be a breeze to not only set up pfSense but get pfATT working correctly. The instructions are a little unclear as to the setup process prior to setting up the gateway bypass, but hopefully I can figure it out. I am already looking forward to more stability and no dropped connection at the slightest amount of load...


Short update:

 

Though I had an 8-port switch lying around, I went and got a 16-port unmanaged switch and wired it up all nice in the patch panel/cable box. Each face plate has two RJ45 jacks, one blue for Internet and one white for phone, but since we don't have a home phone system I just hooked these to the switch so there are multiple Ethernet ports in each room. The 16-port is mostly to have Ethernet in every available jack, but also so I don't have to move any connections around or really ever have to open the box again unless diagnosing an issue.

 

[image attachment]

 

The house also had cable coax in some of the rooms, so there were a couple splitters in here that I just unplugged, bundled up and then tucked all the coax outside the box, since we don't use cable. I had considered getting a 24-port switch, but luckily when I was actually wiring it I noticed some CAT5e cables I will never use (second service line, alarm, etc.) so I still have a couple spare ports if needed and every RJ45 in the house is connected to the network.

 

Also got the NIC in earlier than expected, just waiting on the actual desktop PC and the two APs I ordered to come in. Peeling off the HP stickers reveals that nice Intel logo. Ended up being a good deal at only $12 shipped for the dual GbE NIC.

 

[image attachment]

 

Slowly coming along, mainly just waiting on the shipping carriers at this point. I also got a 250ft spool of CAT5e and a terminating kit with some passthrough connectors so I can make some custom length patch cables. Also updated the home network diagram, currently the family room TV is on a wired connection, but I'll switch it over to wireless since the kitchen AP is pretty close by. Should be a pretty solid home network once it's all installed and configured.

 

[image attachment]


Another update:

 

[image attachment]

 

Ended up ordering another HP ProDesk 600 G1 to make a small file server, as I've been wanting to offload my raw video files and other media from my laptop, which is absolutely dying anytime I access file explorer lol. I'll probably just grab a couple 8TB SATA drives and throw them in there with no RAID config to make a 16TB file server, which should be enough for the time being. With the file server coming, I also introduced another switch after the pfSense router/before the AT&T gateway, just to add more LAN ports to the pfSense router outside of the bigger 16-port switch. The extra switch will allow me to keep the gateway, router, server, etc. all in one location (in the family room TV console, also allowing the TV to have a wired connection), so I won't have to access the cable box/patch panel as much as possible.

 

I think the AT&T gateway should be okay coming off an unmanaged switch, as it's still behind pfSense so no issue with security or a network loop. Most of the equipment comes in today, so I have pfSense ready on a USB drive. Will post another update after some configuration and setting everything else up.


Well, desktop didn't come in yet, but the APs did (along with my CAT5e spool and RJ45 crimpers) so I set them up in the appropriate areas around the house. WiFi coverage and speed is much improved, averaging about 500Mbps in line of sight of the APs and around 150-300Mbps through walls (depending how many walls); decent enough for wireless even though my wired connections are much faster. Overall the TP Link AC1200 APs are pretty good value for the money, and I like how I can configure the broadcast SSID through a remote login, or even switch between different modes (though they will always serve as APs). The AT&T gateway has the WiFi broadcast turned off now, so one step closer to bypassing it as much as possible and getting a solid home network together.


Next update.

 

Got the desktop in, and also picked up another (cheap) NIC with a single GbE port that the AT&T gateway will use. After reading the pfatt documentation some more it forwards traffic in context of the interface, and not to a specified IP or MAC address, so I needed a separate interface only for the gateway as I obviously don't want to also bridge anything else connected to that interface (hence why the documentation mentions having at least three physical interfaces, and not allowing for the gateway to be on a switch with other devices).

 

Anyways, I popped the NICs in, got pfSense installed, and assigned my interfaces in the console, but everywhere I read is saying that after I assign interfaces, I should be able to log in to the webConfigurator at the default LAN IPv4 address (192.168.1.1). But for some reason the address is unreachable on my laptop with a wired connection to the LAN interface.

 

Here are my assignments:

 

WAN - em2 (Intel I217LM) - built in GbE network port on the motherboard

LAN - re0 (Realtek 8168) - this is what will be connected to the AT&T gateway, no need for a nice Intel chipset as this will only occasionally send/receive a few EAP packets

OPT1 - em0 (Intel 82571EB/GB)

OPT2 - em1 (Intel 82571EB/GB) - OPT1 and 2 are the ports on the nicer Intel NIC that will actually serve traffic to all the clients on the network

 

I connected my laptop to LAN - re0, typed in 192.168.1.1 in the browser and.... address unreachable or takes too long to respond. So not sure what's going on. Troubleshooting included restarting PHP-FPM, restarting webConfigurator, enabling Secure Shell (sshd), etc. It might be something with the browser cache, maybe my interface IP addresses are not set up, etc. I ended up resetting to factory defaults and only set my interface assignments again, so I will do some more testing later to see where the problem is (Internet was needed in the house again so I just hooked up the AT&T gateway for the time being).

 

As for pfatt, I edited the pfatt.sh file from the repository (specified the interfaces and gateway MAC address that netgraph will refer to), ready to copy it over to root/bin/, but not even sure how to do that if I can't access webConfigurator or SSH. There are clear instructions to copy pfatt.sh in the documentation, but I'm not exactly sure how to get it into root/bin lol:

 

Copy `bin/pfatt.sh` to `/root/bin` (or any directory):
 
    ssh root@pfsense mkdir /root/bin
    scp bin/pfatt.sh root@pfsense:/root/bin/
    ssh root@pfsense chmod +x /root/bin/pfatt.sh

 

Luckily I have someone much more experienced with networking than me coming to help, so next update will hopefully be with everything working.


I'm not a fan of pfSense on bare metal, finding out it's not Linux Mint in terms of hardware compatibility. Too many issues with AHCI mode, or NIC drivers, etc. Different animal entirely in a VM where you can present it with a unified hardware set.

 

Ubiquiti EdgeRouters are my go-to for bang per buck. Stupidly capable routers at stupidly cheap prices.

 

The problem is speed. An EdgeRouter X can be had for like $70, and do anything you want, but they can't do gig. The newer Edgerouters with faster processors are unfortunately backordered like crazy. You will find the same problem with other cheap routers. They might not be able to handle gig internet. 

 

 


8 hours ago, wseaton said:

I'm not a fan of pfSense on bare metal, finding out it's not Linux Mint in terms of hardware compatibility. Too many issues with AHCI mode, or NIC drivers, etc. Different animal entirely in a VM where you can present it with a unified hardware set.

 

Ubiquiti EdgeRouters are my go-to for bang per buck. Stupidly capable routers at stupidly cheap prices.

 

The problem is speed. An EdgeRouter X can be had for like $70, and do anything you want, but they can't do gig. The newer Edgerouters with faster processors are unfortunately backordered like crazy. You will find the same problem with other cheap routers. They might not be able to handle gig internet. 

 

 

Well handling 1Gb is really my one main requirement, I mean it is what’s coming from the ISP after all. But if I just wanted speed, the AT&T gateway manages 1Gb; this project is more about reliability and the ability to configure the network much more than what the locked down gateway allows.

 

As far as drivers go, I really didn’t have any issues with pfSense detecting all the NICs, even the super cheap Realtek NIC I picked up last minute showed up without any additional configuration. I did check the FreeBSD version that pfSense 2.6 is running, and then referenced the supported hardware list to make sure that Realtek chipset was supported first, but the list seemed pretty expansive and sure enough it was there.

 

I am liking pfSense so far in that there is SO much you are able to configure, the only problem I have is it’s a little overwhelming for someone like me with little networking experience outside of hardware. Especially since I am also doing more complex things like running a bridging script… But, one step at a time. I’m doing as much documentation reading as I can trying to get a better grasp on it.


9 hours ago, wseaton said:

I'm not a fan of pfSense on bare metal, finding out it's not Linux Mint in terms of hardware compatibility. Too many issues with AHCI mode, or NIC drivers, etc. Different animal entirely in a VM where you can present it with a unified hardware set.

I'm the opposite, I ONLY run it bare-metal as you get the lowest latency that way. If you want the best performance, bare-metal using Intel NICs is the way to go. Realtek NICs historically have a tendency to not reach as high a speed over Gigabit, like only passing 910Mbit rather than Intel doing 940Mbit (an example, can't remember specifically).

 

I also hate the idea of having to reboot it when trying to keep the host OS updated.

 

Even 2.5Gbit capable custom appliances are dirt cheap now, I just don't see the point of adding more points of failure and latency.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


31 minutes ago, Alex Atkin UK said:

I'm the opposite, I ONLY run it bare-metal as you get the lowest latency that way. If you want the best performance, bare-metal using Intel NICs is the way to go. Realtek NICs historically have a tendency to not reach as high a speed over Gigabit, like only passing 910Mbit rather than Intel doing 940Mbit (an example, can't remember specifically).

 

I also hate the idea of having to reboot it when trying to keep the host OS updated.

 

Even 2.5Gbit capable custom appliances are dirt cheap now, I just don't see the point of adding more points of failure and latency.

Like I mentioned, I only have the Realtek NIC to serve as the gateway bridge, as netgraph forwards traffic through an entire interface, not to a particular IP or MAC. It was the only NIC available locally as I just needed another interface to set up pfSense properly with the bridging script. All other traffic (that the clients actually use) goes through the nice Intel NICs. The pfatt script documentation even mentions using a crappy 100Mb USB Ethernet adapter as the speed really doesn't matter for the gateway, since it's only transmitting a few packets every now and then for authentication.

 

I was initially worried about driver compatibility with FreeBSD, which is why I checked the hardware support list before I drove to Micro Center and bought the NIC, but sure enough it was there. Even if it's not the best, the only thing connected to it is the gateway which is not managing the NAT table or firewall anyways.

 

Anyways, I will try to figure out the webConfigurator issue today, hopefully switching to that and SSH instead of having to do everything through the console. Then I can probably figure out how to use SCP to copy over the script to the root directory and force it to run at startup (I think it's as simple as using a USB drive? I'm not too sure).


Another potential thing I think is causing the issue with remoting in to the LAN port is that I don't have any other interfaces connected to the network. I fear that connecting to the ONT or residential gateway without first having the script in place on pfSense to forward the EAP traffic will raise some red flags on the ISP's side, but now I'm wondering if WAN needs to be connected in order for me to remote in using webConfigurator on another machine through LAN.

 

I'll try from a different machine that has a physical RJ45, as the TP Link USB-C dongle I'm using on my XPS 15 could be causing the issue (it's given me trouble before on an otherwise working network). If that does not work it may be the browser I'm using and something to do with certificate validity, but typically I would see an error message for this and not just "host unreachable".


On 1/2/2023 at 4:09 PM, byalexandr said:

Another update:

 

[image attachment]

 

Ended up ordering another HP ProDesk 600 G1 to make a small file server, as I've been wanting to offload my raw video files and other media from my laptop, which is absolutely dying anytime I access file explorer lol. I'll probably just grab a couple 8TB SATA drives and throw them in there with no RAID config to make a 16TB file server, which should be enough for the time being. With the file server coming, I also introduced another switch after the pfSense router/before the AT&T gateway, just to add more LAN ports to the pfSense router outside of the bigger 16-port switch. The extra switch will allow me to keep the gateway, router, server, etc. all in one location (in the family room TV console, also allowing the TV to have a wired connection), so I won't have to access the cable box/patch panel as much as possible.

 

I think the AT&T gateway should be okay coming off an unmanaged switch, as it's still behind pfSense so no issue with security or a network loop. Most of the equipment comes in today, so I have pfSense ready on a USB drive. Will post another update after some configuration and setting everything else up.

What's your reasoning for this layout?  I find it hard to grasp how the TV and File Server are able to function when they are on the BGW like this.  Considering how hacky this whole solution has to be, I wouldn't want anything else on the same network as the BGW even if it DID work.

 

How is the BGW even connected to any sort of LAN when that's surely supposed to be its WAN port connected straight to the ONT?


2 hours ago, Alex Atkin UK said:

What's your reasoning for this layout?  I find it hard to grasp how the TV and File Server are able to function when they are on the BGW like this.  Considering how hacky this whole solution has to be, I wouldn't want anything else on the same network as the BGW even if it DID work.

 

How is the BGW even connected to any sort of LAN when that's surely supposed to be its WAN port connected straight to the ONT?

I changed that diagram you quoted by getting another NIC that only the gateway is connected to. If you see a couple posts down I noticed this issue as well and got a separate interface just for the BGW. I have a total of 4 interfaces on the pfSense box now.

 

The script bridges WAN (ONT) and LAN (BGW), forwarding EAP traffic and then tagging the rest of the traffic with VLAN0 so it passes through the ONT without issue. This allows the LAN interface to only ever see authentication packets, the rest of the traffic goes through my OPT1 and OPT2 interfaces and is completely managed by pfSense.


Another update, I was able to remote in to the LAN interface and access webConfigurator and complete the setup process. It turned out my laptop did not have an IP assigned so I set a static IP to the Ethernet adapter in Windows.

 

Once logged in, I temporarily connected the WAN to the switch on the BGW, so I could install packages (mainly shellcmd). I edited the script file and moved it over using WinSCP to the /root/bin folder with chmod +x permissions.

 

After rebooting, I noticed it did not run the script, so my next step is to use a different text editor as I read that Notepad will interfere with the encoding and make it so FreeBSD doesn’t see the file as executable. Once it starts the script though after I fix this issue, it should prompt me to configure the bridged connection as WAN and start forwarding the traffic as expected.

 

Edit: It actually did run the script, as I now have a bridge interface called ngeth0 in my interfaces. The only thing I need to figure out now is how to log in to the web GUI from a different interface, as the LAN interface will now be connected to the AT&T gateway only, so I can't plug my laptop into that port anymore and actually set my WAN assignment to the bridge and get it working outside of the web GUI.


Next update.

 

 

Getting pretty close to having it working, just need more configuration in the web GUI to have the LAN interface access the public Internet.

 

I ended up reassigning my interfaces:

 

WAN - Now ngeth0 (ngeth0 is a bridged interface between em2 and re0 that netgraph uses to forward the traffic and tag as VLAN0)

LAN - Now em0

OPT1 - Now em1

OPT2 - Now re0 (this is where the AT&T gateway plugs in to, freeing up my LAN port for the actual home network)

 

I may end up editing the script to use em1 (the second port on the Intel NIC) as OPT1/where the gateway is connected and remove re0 (Realtek NIC) altogether, since my entire home network is on LAN and I will not be bridging LAN and OPT1 (even though they are on the same NIC). My two switches are now just daisy chained on the LAN interface, as it should have been originally and all on the same subnet. The home network looks something like this now:

 

[image attachment]

 

Anyways, I verified the script is running correctly and the netgraph, using the output from # ngctl dot (aside from the nodes that don't have any hooks), matches what it is supposed to look like according to the Github repository:

 

[image attachment]

I also checked the # ngctl list and # ngctl show xxX: commands and everything looks good, matching what the visual version of netgraph is showing.

 

I am at the point where the DHCP server is assigning IPs on the LAN interface correctly, pfSense is obtaining the public IP from the ONT, and automatic outgoing NAT rules are in place. But, I still have no connection to the outside Internet yet. The gateway is not happy as the "Broadband" light on the device is still blinking red, so something is not configured correctly as I don't think the gateway is talking to the ONT, even though the ONT is happily responding to the pfSense DHCP lease request and issuing the public IP to my router.

 

Though everything looks good as far as the script and netgraph go, so I will do some more troubleshooting later when the network is not busy (for now I am just running off the AT&T gateway to have Internet access in the meantime). I did notice that the repository mentions the script will also create $ONT_IF and $RG_IF interfaces (even though these are never assigned), but these are still just labeled as my physical interfaces em2 and re0 when I do a tcpdump. But I think the issue lies somewhere with my IP assignments or DNS. Not too sure at the moment but making some progress.

 

I also considered the wpa_supplicant method, but that seems pretty hacky and very involved, even though it would cut out the AT&T gateway from the network entirely. Either exploiting the root access to the device and decoding the certificates, or physically dumping the contents of the flash memory by desoldering the hardware, both of which I'm not planning on doing.

Another update.

 

Spent several hours troubleshooting, and for some reason despite having a functioning netgraph and everything set correctly, it looks like the gateway is not communicating with the ONT properly. I did a tcpdump on both interfaces, and I can see the EAPOL Start request being sent from the gateway, but not seeing much from the ONT. Traffic is being tagged as VLAN 0 correctly, and even though I can ping to the default gateway, I can't get any connection to the outside, meaning the ONT is dropping all the packets as though the initial authentication process was not successful.

 

I have tried power cycling the gateway and monitoring the system log, pfatt log, and both interface tcpdumps and (sorting through all the mess of devices on the network still trying to ping) the only thing I can see is the EAPOL Start from the gateway, which is sent to some MAC address that does not show up in my ARP Table (and is not the ONT MAC address). From there it gets lost and never makes it to the ONT.

 

Anyways, spent enough time on it that I am tired of looking at IPs and interface names and MAC addresses for the night, so I'll pick it up some other time when the network is not busy. The troubleshooting section in the repository has been somewhat helpful in figuring out the process of everything, but I need to look into it more and find what's causing it to not connect to the Internet. Hopefully it is a simple issue I overlooked, but even sitting with a couple of (much more experienced) people, they were not able to find anything out of place.

 

I am starting to think that maybe the firmware was updated on these gateways to where this script does not work anymore (perhaps changing the method of authentication), but I kind of doubt this as it's pretty standard RADIUS protocol for authentication. I really am considering somehow exploiting the root access of the AT&T gateway and grabbing the certificates off of the hardware, as the more I deal with AT&T the more I want to rip apart their equipment lol.

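The EAPOL-Start seen in the tcpdump above is addressed to the 802.1X PAE group address (01:80:C2:00:00:03), a link-local multicast destination that never shows up in an ARP table and is not the ONT's own MAC. Added example, not code from the thread or from the pfatt repository: a small Python decoder that pulls the 802.1Q tag (VLAN 0) and the EAPOL type out of a raw Ethernet frame, run on a constructed sample frame (the supplicant source MAC is made up).

```python
# Decode a raw Ethernet frame and report whether it is 802.1X (EAPOL), what VLAN tag it carries and where it is addressed.
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_EAPOL = 0x888E
# Standard 802.1X PAE group address: a supplicant sends EAPOL-Start here,
# so this destination never appears in an ARP table and is not the ONT's MAC.
PAE_GROUP_MAC = "01:80:c2:00:00:03"
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def decode_eapol(frame: bytes) -> dict:
    """Return a summary dict for an EAPOL frame, or {'eapol': False, ...} otherwise."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # VID 0 = priority-tagged frame, which is what the ONT expects
        offset = 18
    if ethertype != ETHERTYPE_EAPOL:
        return {"eapol": False, "ethertype": ethertype, "vlan": vlan}
    version, eapol_type, length = struct.unpack("!BBH", frame[offset:offset + 4])
    return {
        "eapol": True,
        "dst": _mac(dst),
        "src": _mac(src),
        "vlan": vlan,
        "version": version,
        "type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})"),
        "to_pae_group": _mac(dst) == PAE_GROUP_MAC,
        "body_len": length,
    }

# Constructed sample: an EAPOL-Start as a supplicant would emit it, tagged VLAN 0.
# The source MAC is made up; it is not a real gateway address.
SAMPLE_EAPOL_START = (
    bytes.fromhex("0180c2000003")                  # dst: PAE group address
    + bytes.fromhex("021122334455")                # src: constructed supplicant MAC
    + struct.pack("!HH", ETHERTYPE_8021Q, 0x0000)  # 802.1Q tag, VID 0
    + struct.pack("!H", ETHERTYPE_EAPOL)
    + struct.pack("!BBH", 1, 1, 0)                 # EAPOL v1, type 1 = Start, no body
)
```

Feed it the raw bytes of a frame captured with tcpdump -w on the gateway-facing interface to confirm the VLAN 0 tag and the EAPOL-Start destination without hunting through ARP output.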

15 hours ago, byalexandr said:

I am starting to think that maybe the firmware was updated on these gateways to where this script does not work anymore (perhaps changing the method of authentication), but I kind of doubt this as it's pretty standard RADIUS protocol for authentication. I really am considering somehow exploiting the root access of the AT&T gateway and grabbing the certificates off of the hardware, as the more I deal with AT&T the more I want to rip apart their equipment lol.

Obviously we can't approve of this on the forum (this thread is probably skating the edge of the rules as it is) but I honestly don't blame you in your frustration. I can't see any logical reason why they need such convoluted security.

I'm thankful that in the UK the major network is using the ONT as a replacement for the telephone socket, calling that the end of their network, and as we have competition for ISPs independent of the infrastructure, things are mostly simple. So with any luck, they will continue to do this and we won't be back in the bad old days of every ISP having their own gateway and some not sharing the login credentials, which honestly was a breeze compared to what you are dealing with.

 

A friend of mine is on AT&T in Texas and they completely changed his LAN IP range one day, which broke his access to my LAN connected to my VPN as the IP ranges now clashed. So I had to change my entire LAN range just to deal with some random thing AT&T did, which I can't fathom why the LAN IP range is any of their business.

Router:  Intel N100 (pfSense) WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz)
WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz) Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~800Mbit down, 115Mbit up)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


39 minutes ago, Alex Atkin UK said:

Obviously we can't approve of this on the forum (this thread is probably skating the edge of the rules as it is) but I honestly don't blame you in your frustration. I can't see any logical reason why they need such convoluted security.

I'm thankful that in the UK the major network is using the ONT as a replacement for the telephone socket, calling that the end of their network, and as we have competition for ISPs independent of the infrastructure, things are mostly simple. So with any luck, they will continue to do this and we won't be back in the bad old days of every ISP having their own gateway and some not sharing the login credentials, which honestly was a breeze compared to what you are dealing with.

 

A friend of mine is on AT&T in Texas and they completely changed his LAN IP range one day, which broke his access to my LAN connected to my VPN as the IP ranges now clashed. So I had to change my entire LAN range just to deal with some random thing AT&T did, which I can't fathom why the LAN IP range is any of their business.

It's enough to make me never use AT&T as an ISP (or phone provider) in the future... I already switched to Verizon for my phone plan and it's been 100x better.

 

If I can't get it figured out though, I will probably have no choice but to just put the gateway in passthrough mode and use pfSense as a secondary router. Kind of defeats the point and will likely not fix my dropped connection issues, but maybe with enough tinkering I will figure it out.


5 minutes ago, byalexandr said:

It's enough to make me never use AT&T as an ISP (or phone provider) in the future... I already switched to Verizon for my phone plan and it's been 100x better.

 

If I can't get it figured out though, I will probably have no choice but to just put the gateway in passthrough mode and use pfSense as a secondary router. Kind of defeats the point and will likely not fix my dropped connection issues, but maybe with enough tinkering I will figure it out.

He won't use anyone else as he considers them worse. I can't remember who is available in his area but I think the only other option is cable; his AT&T is only DSL too.

It's very ambitious of you to try to get around this issue, but surely the gateway will always blink red as, if pfSense is handling the connection, the gateway will always technically be disconnected/offline. You may be able to fudge the initial authentication, but if the gateway needs to think it's fully connected that would be a whole different ball game.

 

It's just frustrating as the ONT should be able to do all initial authentication; this extra layer is silly.


2 hours ago, Alex Atkin UK said:

It's just frustrating as the ONT should be able to do all initial authentication; this extra layer is silly.

AT&T is moving to a gateway-only model. I mean newer installs tend to not have stand-alone ONTs from my understanding. The gateway they supply I think works on all services they provide as well, because AT&T still have a lot of DSL subscribers. They are trying to make things simpler for their tech support, I would suppose.

 

 

I just want to sit back and watch the world burn. 
