AT&T U-verse → ATT TrueBridge Mode for for Ubiquity Security Gateway (USG)

So, I have taken the plunge and replaced my PFSense firewall with a Ubiquity USG. This is an affordable device, around $110 on Amazon, and is the perfect companion to Ubiquiti Unifi wireless access points and its controller if you happen to use any. For the same reason as "rockstar" did with his PFSense thread, I decided to open up a separate topic for those searching for information, without having to go through the "True Bypass" monster thread.

During my research before purchasing, I came across this gem:

»blog.taylorsmith.xyz/att ··· ifi-usg/

It explains in clear steps what you have to do. The most difficult portion is the trimming of the .json file somewhere halfway. I spent a good 20 minutes on it, and the examples that were given on the site above were of good help.

Remember: when you start following the guide above, you will eventually disconnect from the internet, so make sure you have all the sites open you want open, and have all the files you need before proceeding. Make sure you read every step, don't skip any.

PROS:

Latency decrease. As if the gigapower itself wasn't good enough, a ping to 8.8.8.8 has changed from 3-4ms to a solid 2ms. If you are further away from bigger datacenters, the latency decrease can actually be noticeable.
Speed: Speedtests are the same, really.... 930/930 to 940/940, the maximum you can push through gigabit. No change.

DPI: This is with deep packet inspection enabled on the USG, so you can really keep check to see where your data is going. This is actually a cool feature, it shows you exactly how much hundreds of applications take in data, ranging from Facebook to P2P/Torrent to Netflix to OneDrive to Speedtest.net to Gmail to online games, you name it, and all displayed in a userfriendly and accessible way.

CONS:

No decent IPv6 support yet. Ubiquiti is working on it, and current firmware has "alpha" support for it, but it will be coming soon. If you need IPv6 NOW, don't use this.... if you can wait a few months till Ubiquiti really has their IPv6 ironed out, we may be able to get it to work in a similar fashion. It may actually work now, I just haven't gotten around to really testing it yet.

NEUTRAL:

I have static IP's. I have them mostly "just because", for the geekness of it, to run servers etc.... but the reality is I managed to consolidate all those back to the one DHCP IP for now (which never changes anyways), so I can take my sweet time figuring out how to get them to work. I'm sure its not that hard, just will take some digging.

Ipv6 works fine from the GUI. Request a /60 and get your firewall rules set up in the GUI.

Mine works perfect.

I think I am still caught in the 14-day thing.... since I only set it up yesterday, I will likely have to wait 14 days.

Nice ping times. Fiber here too but average 20ms to Google and 8ms for Speedtest.net. Still within range and fast but not as fast as what you're seeing.

Also, on the pfSense side for me I have yet to have an issue with the 14 day. If I asked correctly for the allocation it gave it to me as if I were the provided gateway. That is with me updating and flipping back and forth from the GW to bypass doing comparisons for IPv6 testing.

This is fantastic to see. I have a USG myself, but have been staying on Spectrum because of AT&T cramming their crappy RGs down our throats.

Would this work on VDSL2, or is this strictly a fibre affair? Not that it really matters, because AT&T's VDSL2 is still slower than Spectrum [at least at my house, as AT&T refuses to push 100/20 to me because of loop length, even though my lines are capable of 150/70], but would still be nice to have as a backup. I'm hoping we get fibre some day soon...

I would think strictly fiber since you still need a modem for vdsl2

But I presume I have to sacrifice voice & TV to make this work...right?

Correct. This will only work if you have internet-only, the same with the other bypass modes.

I currently have my Pace modem in DMZ mode, do I need to change it back before doing this procedure?

also in this part of the guide

Gateway/Subnet: 192.168.254.1/24 (or whatever you prefer)

did you put in your IP address scheme? for example I use 192.168.0.x for my network.

It shouldn't matter. If you do the bypass correctly, you won't even need the RG plugged in.

ok cool, I was reading through the original thread, and the author of the procedure said he was having issues if he bounced the USG or ONT about the Pace modem locking up, does that still happen?

That is only for the WAN2/LAN2 port, only one device will be connected to it: The RG. I used the subnet above.

My internal network is on 192.168.2.0/24 - which I did when I setup my PFSense and Cascaded routing, I had some issues reaching 192.168.1.254 (the original gateway IP address, and it was explained that the Pace unit had some quirkiness routing back to itself making it respond extremely slow to web requests.... so I used .2 instead of .1 and configured my network on it.

ah ok, so I can use the 192.168.254.1/24 just fine then. thanks for the clarification. I will take a stab at it later tonight and report back. Also curious about the issue the author had/has with the modem locking up if you bounce the USG or UNT and not the modem.

I have only booted the gateway once, on Saturday, when I was told to do so by the guide linked above.... it has been running since. I rebooted my USG several time, and reprovisioned it several times since then, with absolutely no problems.

For the record: It takes about 1m30 seconds for the USG to boot up, and then another 30 seconds or so for internet connectivity to be re-established.

thanks for the details. Hopefully it works well. Am curious what will happen when the USG needs a software update and what happens to the gateway.config file.

The firmware doesn't touch the JSON file, which is the most critical. (It resides on the controller, after all)

If you want to be sure, simply pull a backup of your config before you do the upgrade, and if anything goes awry, you can downgrade the firmware and put your backed up config back in.

The config.gateway.json file is on your controller, not on the USG. When the USG needs a software update at the end it will reprovision and the config.gateway.json will be applied as part of the provisining.

ah ok. Only been on the UBNT platform since october , so still figuring it out.

All good I have had the controller + accesspoints for some time.... but Saturday was the first day I unpacked a USG.

took a bit with the JSOn file but got it working!

Do you need to have the cloud controller to be able to bypass with the USG?

No you don't. The cloud controller is really just for remote management and such.

Regarding static IPs I have investigated this setup on an ERL3 and found out from ubiquiti that they're not supporting a DHCP WAN interface that has static IPs too.

I ended up installing ubuntu and shorewall on a qotom box to get the statics and ipv6 going.

I don't remember if I tried this but perhaps you configure the wan as statics and then manually run dhclient.
Not sure how that would affect eap_proxy.py though.

I have come to the same conclusion. However, a lot of progress is being made on new firmware and controller software that will eventually support WAN's with multiple static IP's.

Will it allow both DHCP and Static IPs on the same interface? That is the key.

Yeah. That will be the question. Although apparently it SHOULD be possible to ONLY use the static IP block. That could be a solution unless you really really need that 6th DHCP IP.

Whatever I will try (and I still have a list of things to go through from the ubnt.com forums), it will involve taking down the internet so I will have to plan it when I can take it down for a while to geek around.

My experience is that you have to keep authenticating and sending dhcp requests or your link will not stay up so you can't just use the statics. I think the path to pursue is to configure the wan as statics and then use eap_proxy.py to fill the dhcp/dhclient role.

I'm not in a position to research it at this point on the ubiquiti ERL/USG myself but I will stay tuned as I love the platform and would love to see this nut cracked.

How did you request a /60? Did you have to call ATT? Does that cost extra. My RG gets a /60 but will only delegate a /64 to my USG.

You have to do the bypass. Then the USG will receive a /60 and can delegate /64s. There is a 14 day lease taht needs to expire if it isn't released so don't be shocked that you can't pull an address right away.