zeroibis
join:2017-01-25

2 recommendations

zeroibis to dls

Member

to dls

Re: [AT&T Fiber] Bypass Hardware List

said by dls:

pfSense is software bridging using CPU, that's why it may not allow wire speed. Dedicated router or switch hardware that supports wire speed Layer3 switching is using ASICs or accelerated instructions on SoC. For example, Edgerouter Pro, while running Linux, could route at wire speed due to hardware accelerated routing using Cavium SoC.

RGs are using hardware acceleration on Broadcom SoCs, that's why the low power SoCs could get close to a full gig throughput.

So it is only theoretically slower?

What you're saying is that the accelerated solution is able to do less work to complete the task, but that does not make it faster, it just makes it more efficient.

There are plenty of pfSense setups that are able to get full gigabit speed; it is not very hard unless you're going out of your way to find some really crappy hardware to put it on.

I can understand these arguments 10 years ago but not today.

dls
join:2018-12-07
Chicago, IL

3 recommendations

dls

Member

Imagine running modern video games with just a fast CPU, no video card acceleration. Yes, it can be done if you have a fast enough CPU, but proper dedicated hardware does the same task with ease on low-power silicon, while a CPU-only solution has to work hard to match the same speeds.
pyrodex1980
join:2010-03-17
Suwanee, GA

pyrodex1980 to zeroibis

Member

to zeroibis
said by zeroibis:

said by dls:

pfSense is software bridging using CPU, that's why it may not allow wire speed. Dedicated router or switch hardware that supports wire speed Layer3 switching is using ASICs or accelerated instructions on SoC. For example, Edgerouter Pro, while running Linux, could route at wire speed due to hardware accelerated routing using Cavium SoC.

RGs are using hardware acceleration on Broadcom SoCs, that's why the low power SoCs could get close to a full gig throughput.

So it is only theoretically slower?

What you're saying is that the accelerated solution is able to do less work to complete the task, but that does not make it faster, it just makes it more efficient.

There are plenty of pfSense setups that are able to get full gigabit speed; it is not very hard unless you're going out of your way to find some really crappy hardware to put it on.

I can understand these arguments 10 years ago but not today.

It is slower, the only way to get full speed with bridged connections is to have an overkill firewall, and most people don't want or have the means to run a Xeon for full line speeds with bridging.

I can get full line speeds without bridging but I have to bypass the RG.

DarkenMoon
Premium Member
join:2013-11-14
Silver Springs, NV

1 recommendation

DarkenMoon to sd70mac

Premium Member

to sd70mac
I am using a Netgear GS105E to bypass the RG. I have over a year of uptime at this point, with the aid of a UPS (kicks in if the voltage gets too low or high) if something was to happen. I am using a pfSense router with IPv4 and IPv6 connectivity to the internet.
zeroibis
join:2017-01-25

2 recommendations

zeroibis to pyrodex1980

Member

to pyrodex1980
Who in their right mind is going to go grab a Xeon for that? If you do not care about ECC, any CPU i5 class or above is getting great full line speed even running a shit ton of other crap with no problem. If you needed ECC to sleep at night for your router, then you would still not pay for a Xeon when every Ryzen CPU supports ECC memory.

The CPU is either overloaded or it is not. If not, then there is nothing to impact performance. Yea, 10 years ago you needed some monster $1000 CPU for this, but today that is not true. I literally made one using an old i5 system from 5 years ago our company was throwing away (along with a 4-port Intel NIC).

If you really think pfSense is still so limiting, it must have been a long time since you looked at it. I would highly recommend looking at the current capabilities of pfSense today. It has come a very long way.

Honestly, for me it also has been a big turnaround: a few years ago I would never consider pfSense on any sort of decent connection without crazy hardware, at which point it would be better to buy dedicated solutions, whereas today I am looking at 2-5 years down the road at replacing our edge routers with pfSense solutions.
zeroibis

2 recommendations

zeroibis to DarkenMoon

Member

to DarkenMoon
said by DarkenMoon:

I am using a Netgear GS105E to bypass the RG. I have over a year of uptime at this point, with the aid of a UPS (kicks in if the voltage gets too low or high) if something was to happen. I am using a pfSense router with IPv4 and IPv6 connectivity to the internet.

Nice!
pyrodex1980
join:2010-03-17
Suwanee, GA

pyrodex1980 to zeroibis

Member

to zeroibis
said by zeroibis:

Who in their right mind is going to go grab a Xeon for that? If you do not care about ECC, any CPU i5 class or above is getting great full line speed even running a shit ton of other crap with no problem. If you needed ECC to sleep at night for your router, then you would still not pay for a Xeon when every Ryzen CPU supports ECC memory.

The CPU is either overloaded or it is not. If not, then there is nothing to impact performance. Yea, 10 years ago you needed some monster $1000 CPU for this, but today that is not true. I literally made one using an old i5 system from 5 years ago our company was throwing away (along with a 4-port Intel NIC).

If you really think pfSense is still so limiting, it must have been a long time since you looked at it. I would highly recommend looking at the current capabilities of pfSense today. It has come a very long way.

Honestly, for me it also has been a big turnaround: a few years ago I would never consider pfSense on any sort of decent connection without crazy hardware, at which point it would be better to buy dedicated solutions, whereas today I am looking at 2-5 years down the road at replacing our edge routers with pfSense solutions.

I don't want to argue with you because I have tested it REAL world.

I have a C2758 and did the bypass method recently (heck, my pfSense still has it ready to go as needed) and I saw a change in performance. I have a way to saturate my line both in and out thanks to work, and when I bridge I see a drop from 930MBps down to 600-700 both in and out; when I bypass I see the full 930MBps both in and out without a sweat.

I also see a hit in CPU performance and interrupts when bridging because the computer is having to do more work passing data.

Maybe if I had a system with dedicated interfaces with a different ASIC per interface for the bridging traffic it wouldn't be so bad, but this is what I've observed, and I run the LATEST and greatest with pfSense along with other modules on it. Heck, I even helped get IPv6 working on the bridge method and non-bridge.

So next time you want to call someone out put up or shut-up.

dls
join:2018-12-07
Chicago, IL

2 recommendations

dls to zeroibis

Member

to zeroibis
Could you measure bridging performance on your pfSense machine using 64-byte packets? Maximum PPS throughput with large packets may be very different from PPS throughput with 64-byte packets, as smaller packets would require more CPU interrupts per second at a given bandwidth.
pyrodex1980
join:2010-03-17
Suwanee, GA

2 recommendations

pyrodex1980

Member

said by dls:

Could you measure bridging performance on your pfSense machine using 64-byte packets? Maximum PPS throughput with large packets may be very different from PPS throughput with 64-byte packets, as smaller packets would require more CPU interrupts per second at a given bandwidth.

I can do it after the new year, I’m off for the rest of the year and will try once back to work.
zeroibis
join:2017-01-25

2 recommendations

zeroibis to pyrodex1980

Member

to pyrodex1980
said by pyrodex1980:

I have a C2758

Ah, I think this is where the issue is. Ironically we both have CPUs from the same year, 2013, but whereas I am using a midrange i5-4670K, you're using one of the slowest CPUs released 5 years ago. Yea, I would not expect a low-end CPU from back then to be able to handle pfSense at line speeds; that is not surprising to me.

If you check the specs and benchmarks you will find that the i5-4670K is about 2.5 times faster than the C2758, so I think you can imagine how I am able to not see any performance issues on my setup while your box is getting overloaded.
pyrodex1980
join:2010-03-17
Suwanee, GA

2 recommendations

pyrodex1980

Member

said by zeroibis:

said by pyrodex1980:

I have a C2758

Ah, I think this is where the issue is. Ironically we both have CPUs from the same year, 2013, but whereas I am using a midrange i5-4670K, you're using one of the slowest CPUs released 5 years ago. Yea, I would not expect a low-end CPU from back then to be able to handle pfSense at line speeds; that is not surprising to me.

If you check the specs and benchmarks you will find that the i5-4670K is about 2.5 times faster than the C2758, so I think you can imagine how I am able to not see any performance issues on my setup while your box is getting overloaded.

I get line speeds without bridging, this is why not everyone is running a super processor to get bridged line speeds.
Genghis1227
join:2018-11-14
Pflugerville, TX

3 recommendations

Genghis1227 to sd70mac

Member

to sd70mac
Anybody have the Amplifi HD mesh router/network running with a switch bypass?

scots
Are we there yet??
Premium Member
join:1999-12-06
Raleigh, NC

2 recommendations

scots

Premium Member

said by Genghis1227:

Anybody have the Amplifi HD mesh router/network running with a switch bypass?

I have an Amplifi HD that I've tried, but no luck. Says there's no internet after it comes up.

Silly question - I have the 5268AC, and there's a MAC address (along with some other info) printed on the label on the side. Is that the MAC address that I'm supposed to clone, or do I need to connect a computer to the 5268AC and get a MAC address that's somewhere in the interface?
jfgilbert3
join:2005-10-14
Atherton, CA

2 recommendations

jfgilbert3 to sd70mac

Member

to sd70mac
I have an older Netgear GS116 that I had decommissioned some time ago. Anybody know whether this is a dumb enough switch to use for the bypass procedure? I am expecting my fiber connection in the next couple of weeks (well, perhaps), and I will be happy to report on my attempt to bypass whatever gateway they install to my USG Pro.

dls
join:2018-12-07
Chicago, IL

5 recommendations

dls to sd70mac

Member

to sd70mac
If you are technical enough to be comfortable with the Linux CLI and can get your hands on a rooted NVG or BGW device, you could use an ultimate bypass method. You could extract EAP-TLS credentials and install them on your own BSD/Linux/Cisco IOS device.

To extract the credentials you will need root access to an Arris RG and a parser from devicelocksmith blog.

You could extract credentials from a used device from eBay or Craigslist. The extracted credentials should work without any kind of additional provisioning on AT&T side. The same method should also work for Frontier.
SlabBulkhead
join:2001-12-05
Dayton, OH
(Software) pfSense
Ubiquiti U6-Pro
Ubiquiti U6-LR

2 recommendations

SlabBulkhead

Member

said by dls:

If you are technical enough to be comfortable with the Linux CLI and can get your hands on a rooted NVG or BGW device, you could use an ultimate bypass method. You could extract EAP-TLS credentials and install them on your own BSD/Linux/Cisco IOS device.

To extract the credentials you will need root access to an Arris RG and a parser from devicelocksmith blog.

You could extract credentials from a used device from eBay or Craigslist. The extracted credentials should work without any kind of additional provisioning on AT&T side. The same method should also work for Frontier.

If we ever get fiber available at my address, I will definitely attempt this.
Genghis1227
join:2018-11-14
Pflugerville, TX

2 recommendations

Genghis1227 to jfgilbert3

Member

to jfgilbert3
I have the switch and it didn't work. I bought the DLink one from eBay, got further but still would not give my Amplifi HD internet.
Genghis1227

3 recommendations

Genghis1227 to scots

Member

to scots
Yeah same experience here. Yes that MAC is correct. There is one in the web admin but it's the same on the sticker. I'm getting the WAN IP but no internet when I'm switching over from the gateway to the Amplifi router.
startover909
join:2018-07-22

1 edit

4 recommendations

startover909 to sd70mac

Member

to sd70mac
I believe some router/switch combinations do not work well due to the vlan0 implementation of the ONT DHCP.

I tried to bypass with a dumb Netgear GS105, it works with a DD-WRT router (grabs the DHCP public IP in 2 seconds), but not with my Mikrotik CCR (DHCP client stuck on "searching"). The procedures were all correct, including MAC clones etc.

*Edit: I made it work with Mikrotik RouterOS by defining a bridge, enabling bridge VLAN filtering, setting frame type to "admit all", and running the DHCP client on the bridge*

Upon reading many forum posts on this, I think the issue is that the AT&T ONT sends egress DHCP packets tagged with vlan ID 0, which is a reserved vlan ID that cannot be set on many routers/switches. On the other hand, the ONT does not seem to require the vlan ID 0 on ingress traffic.

The end result is that if a switch or router strips off, or simply ignores the vlan0 tagged DHCP packets, they will work just fine. In my case, I believe the "dumb switch" passes along the vlan id 0 frames, but DD-WRT simply ignores it. So it works.

But my Mikrotik is very "strict" (and when it comes to networking that seems to be a bad thing oftentimes), and refuses to accept the vlan0 tagged traffic the ONT sends out, so DHCP does not work. Still trying to find a workaround.

*Edit: I made it work with Mikrotik RouterOS by defining a bridge, enabling bridge VLAN filtering, setting frame type to "admit all", and running the DHCP client on the bridge*
jfgilbert3
join:2005-10-14
Atherton, CA

3 recommendations

jfgilbert3 to Genghis1227

Member

to Genghis1227
Thank you. You are saving me the aggravation of trying, finding that it does not work, and wondering if I did something wrong. Cheers.

dls
join:2018-12-07
Chicago, IL

3 recommendations

dls to sd70mac

Member

to sd70mac
The 802.1q encapsulation (VLAN tag) is used to allow transmission of IEEE 802.1p QoS tags. Without VLANs, Ethernet frames do not have a place to attach a QoS indicator at transport level. The ISP DHCP server sends DHCP responses with 802.1p PCP value 7 (Network control), which is the highest available. VLANs are there for a good reason.

If you cannot get VLAN-encapsulated traffic recognized on your router, have you actually tried creating a VLAN-encapsulated interface, like eth0.0?
Routers that only have GUI may not be capable of this, but if you have access to underlying linux, there should be no problem in configuring an interface in VLAN0.
startover909
join:2018-07-22

2 recommendations

startover909

Member

said by dls:

If you cannot get VLAN-encapsulated traffic recognized on your router, have you actually tried creating a VLAN-encapsulated interface, like eth0.0?
Routers that only have GUI may not be capable of this, but if you have access to underlying linux, there should be no problem in configuring an interface in VLAN0.

For Mikrotik RouterOS, I believe the GUI (Winbox) is capable of doing everything its CLI can. The problem is not defining the vlan interface (which it certainly can), but the vlan ID of 0. My understanding is that vlan 0 is an invalid or reserved ID on these routers meant for untagged traffic. However, the AT&T ONT is literally using the vlan id 0 as if it's a normal vlan id (like vlan 100). This is what's causing the confusion if the router is being "strictly" standard-abiding.

dls
join:2018-12-07
Chicago, IL

1 edit

6 recommendations

dls

Member

It is not really an illegal VLAN, it is just a way to attach 802.1p QoS attributes to ethernet frames without specifying VLAN.

»www.cisco.com/c/en/us/td ··· tag.html

Linux can definitely do this. In fact, Linux-based Ubiquiti routers support this from GUI and CLI.
startover909
join:2018-07-22

2 recommendations

startover909

Member

Thanks for the clarification and the link. Upon digging deeper I was able to make it work with my Mikrotik CCR/RouterOS. So apparently the standard ethernet interface and vlan interface (defined on ethernet) don't like the vlan0. However, if I define a bridge and enable bridge vlan filtering, it gives me the option to set "Frame Types" to "admit all". That did the trick and the DHCP client (set on the bridge) was able to grab an IP instantly. Not very intuitive but it's working perfectly now. I was also able to add my purchased /29 static IP block to the same bridge (thankfully RouterOS easily supports multiple addresses on the same interface, unlike Ubiquiti) and use them right away.
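As an added illustration (not code from this thread, from MikroTik or from any vendor) of the two points discussed above: startover909's observation that the ONT's DHCP replies arrive with an 802.1Q tag whose VID is 0, which dls explains is a priority tag (PCP 7) rather than a real VLAN, and the bridge-port "admit all" workaround. The Python below parses such a frame, classifies it, applies a port admission policy (policy names modelled on the RouterOS bridge-port frame-types setting, an assumption) and shows the tag stripping a lenient router effectively does; the MACs and payload are constructed placeholders, not a real DHCP message.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # an 802.1Q tag (TCI + inner EtherType) follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, pcp=None, vid=None):
    """Build an Ethernet frame; insert an 802.1Q tag when pcp or vid is given."""
    hdr = dst + src
    if pcp is not None or vid is not None:
        tci = ((pcp or 0) << 13) | ((vid or 0) & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, optional tag {pcp, dei, vid}, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6], "src": frame[6:12], "tag": None,
            "ethertype": etype, "payload": frame[14:]}
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info["tag"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        info["ethertype"], info["payload"] = inner, frame[18:]
    return info


def classify(info):
    """VID 0 is not a VLAN: 802.1Q reserves it for 'priority-tagged' frames."""
    if info["tag"] is None:
        return "untagged"
    return "priority-tagged" if info["tag"]["vid"] == 0 else "vlan-tagged"


def admitted(info, frame_types):
    """Bridge-port admission policy (names modelled on RouterOS, assumed).
    A port that admits only real VLAN tags drops the ONT's VID-0 frames,
    which matches the 'DHCP client stuck on searching' symptom in the thread."""
    kind = classify(info)
    if frame_types == "admit-all":
        return True
    if frame_types == "admit-only-vlan-tagged":
        return kind == "vlan-tagged"
    if frame_types == "admit-only-untagged-and-priority-tagged":
        return kind != "vlan-tagged"
    raise ValueError("unknown policy: %s" % frame_types)


def strip_priority_tag(frame):
    """What a lenient router effectively does: drop the VID-0 tag and hand the
    frame up as plain untagged Ethernet. Other frames are returned unchanged."""
    info = parse_frame(frame)
    if classify(info) != "priority-tagged":
        return frame
    return info["dst"] + info["src"] + struct.pack("!H", info["ethertype"]) + info["payload"]


# Constructed sample: ONT-sourced frame with PCP 7 and VID 0, shaped like the
# DHCP replies described above. MACs and payload are placeholders.
ONT_MAC = bytes.fromhex("020000000001")
ROUTER_MAC = bytes.fromhex("020000000002")
SAMPLE_ONT_FRAME = build_frame(ROUTER_MAC, ONT_MAC, ETHERTYPE_IPV4,
                               b"\x45\x00placeholder-dhcp-reply", pcp=7, vid=0)

if __name__ == "__main__":
    info = parse_frame(SAMPLE_ONT_FRAME)
    print(classify(info), info["tag"])
    for policy in ("admit-only-vlan-tagged", "admit-all"):
        print(policy, "->", "accepted" if admitted(info, policy) else "dropped")
    print(classify(parse_frame(strip_priority_tag(SAMPLE_ONT_FRAME))))
```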
pyrodex1980
join:2010-03-17
Suwanee, GA

1 recommendation

pyrodex1980

Member

said by startover909:

Thanks for the clarification and the link. Upon digging deeper I was able to make it work with my Mikrotik CCR/RouterOS. So apparently the standard ethernet interface and vlan interface (defined on ethernet) don't like the vlan0. However, if I define a bridge and enable bridge vlan filtering, it gives me the option to set "Frame Types" to "admit all". That did the trick and the DHCP client (set on the bridge) was able to grab an IP instantly. Not very intuitive but it's working perfectly now. I was also able to add my purchased /29 static IP block to the same bridge (thankfully RouterOS easily supports multiple addresses on the same interface, unlike Ubiquiti) and use them right away.

Since you are bridging what is your internet speed? If it is a GIG are you seeing same speeds in a bridge?

Is your device your NAT gateway for your home or do you have a separate firewall downstream?
startover909
join:2018-07-22

1 edit

2 recommendations

startover909

Member

said by pyrodex1980:

Since you are bridging what is your internet speed? If it is a GIG are you seeing same speeds in a bridge?

Is your device your NAT gateway for your home or do you have a separate firewall downstream?

Yes I have the Gigabit plan and I get full speed (around 950/940).

The Mikrotik CCR1009 I'm using is an entry-level datacenter grade router with 9 x 1GHz cores. So it can easily handle this speed on the bridge even without hardware offloading (when doing the speed test the CPU was below 5%). It may be a different story with lower powered routers like some Ubiquiti models.

In my case I defined a bridge on a single port (eth1), with vlan filtering on and frame types set to admit all.

Life feels good with bypass!


Genghis1227
join:2018-11-14
Pflugerville, TX

2 recommendations

Genghis1227 to startover909

Member

to startover909
I really wish I could figure out how to get this to work with the Amplifi HD router. There is an option to tag the VLAN but 0 is not allowed.

dls
join:2018-12-07
Chicago, IL

2 recommendations

dls

Member

I am not familiar with Amplifi, but is there access to the Linux that runs under the hood? If there is access, there may be a way to configure VLAN0 even though you may not have an option for it in the GUI.
startover909
join:2018-07-22

1 edit

3 recommendations

startover909 to Genghis1227

Member

to Genghis1227
The Amplifi HD is a pure consumer-oriented device, with very limited networking configuration options. I believe it doesn't even grant access to SSH. Ideally, such a consumer device should just ignore the vlan0 tag and accept the packets as they are, as is apparently the case with the common ASUS RT series Wi-Fi routers as well as DD-WRT routers.

If your issue with the Amplifi is that it refuses to discard the vlan0 tag and yet won't recognize it as being valid, I'm afraid you're out of luck unless the vendor releases a firmware update in the future to address this. I doubt there will be much demand given the target market of the device.

Maybe you can consider just getting a router and use the Amplifi in AP mode. This is probably more ideal anyway if you have the Gigabit service, as I believe the Amplifi is not a particularly powerful device in terms of raw processing power. Its strength is on the wlan side.

dls
join:2018-12-07
Chicago, IL

5 recommendations

dls to startover909

Member

to startover909
said by startover909:

Thanks for the clarification and the link. Upon digging deeper I was able to make it work with my Mikrotik CCR/RouterOS. So apparently the standard ethernet interface and vlan interface (defined on ethernet) don't like the vlan0. However, if I define a bridge and enable bridge vlan filtering, it gives me the option to set "Frame Types" to "admit all". That did the trick and the DHCP client (set on the bridge) was able to grab an IP instantly. Not very intuitive but it's working perfectly now. I was also able to add my purchased /29 static IP block to the same bridge (thankfully RouterOS easily supports multiple addresses on the same interface, unlike Ubiquiti) and use them right away.

What makes you think Ubiquiti cannot have multiple IPs on an interface? It is easy to set up even from the GUI, and you could have multiple IPs on an interface, or have static or dynamic routing configured. Also from the GUI.

I've just had to reset one of my UBNT routers to factory defaults and went through the initial setup wizard. Configuring it for VLAN 0 with DHCPv6-PD is just stupid easy, there is no way it could be easier than that.