jsolo1 Premium Member join:2001-07-01 2018-Apr-19 5:06 pm
ATT Fiber, Sophos UTM full gateway BYPASS SUCCESS!!

Update 3-29-2019. Full bypass achieved! See details » Re: ATT Fiber, Sophos UTM instead of gateway
Update 4-13-2019 Use scripts in this post » Re: ATT Fiber, Sophos UTM instead of gateway rather than the initial full bypass post.
Update 5-3-2019 Final (?) script update » 5-3-2019 Script update
------------------
First off, this is something I'm trying to achieve. At the moment it's a huge work in progress. The end goal is to be able to use the eap proxy (» github.com/kangtastic/eap_proxy) on the utm box itself to authenticate the ONT to the gateway. The utm should then receive the public IP and manage all traffic between WAN and LAN. This is roughly modeled after this thread - » ATT TrueBridge Mode for Ubiquity Security Gateway (USG)

So far the first limitation is utm does not allow vlan 0 to be defined in the UI. This is not entirely a deal breaker as it's possible to define it in the shell. My wan port is on eth1.

# vconfig add eth1 0

This defines interface eth1.0 on vlan 0. I think the next step would be to configure it for dhcp. Then the interface for the ONT gateway needs to be defined similarly. Let's say that's on eth2.0. The proxy would handle the eap authentication.

Things get more interesting from here. The utm already has wan configured at eth1. Somehow eth1 and eth1.0 need to be bridged so traffic can pass. That's as far as I get with the framework on how to make this work. Thoughts, suggestions, maybe someone has already implemented this in a different way?
Re: ATT Fiber, Sophos UTM instead of gateway
Interesting. I have a UTM, but this is currently moot for me because I can only get VDSL.
|
jsolo1 Premium Member join:2001-07-01 2018-May-1 4:49 pm
After spending much time researching and attempting all sorts of workarounds such as linux bypass scripts, freebsd netgraph, etc., the fix was way easier than expected. It does require an additional piece of hardware. I used a D-Link DGS-1005G 5 port gigabit switch I had in my spare parts.

Connect the ONT and rgw wan ports to two ports of the switch. Wait a minute or so for broadband to authenticate on the rgw. Before connecting anything else, ensure the mac address is spoofed to that of the rgw in your router/utm/pfsense/whatever and wan dhcp is enabled. Connect the router/utm/pfsense's wan port to a third port in the switch. Quickly disconnect the rgw from the switch. Can't have 2 devices with the same mac on the same network. Wait a minute or two. The router should now have your public ip.

DHCP lease renewal times seem to vary and point to about 6 1/2 days. So we'll see what happens after a week. Of course, if the ONT or router loses power then this will have to be repeated. I have all the networking equipment on a UPS so hopefully this will not be an issue. I am using several rt-ac68u/r7000 for AP's (in ap mode). Those are set to reboot nightly. The above will present issues if you're using such a router for NAT purposes.

Can't say I notice much difference in speed as that wasn't really an issue. Raw interface speeds (as indicated in windows task manager) appear ~40mbps higher during speed tests. Ping times and latency appear to be similar. Max nat sessions now limited to 32000 (utm home use license). Still an improvement over 8K. Also, cloudflare 1.1.1.1 works too.
hmw8 Member 2018-May-2 10:24 am
That's awesome. I wonder if this could be automated using something like » www.amazon.com/NETGEAR-G ··· 0HGLVZLY
jsolo1 Premium Member join:2001-07-01 2018-May-2 1:11 pm
Please explain? Really, this method seems nearly identical to what's posted in the big gateway bypass thread's 1st post except no vlans are used. If I understand the original method correctly, he's segregating the first 3 ports of the switch by assigning them to a different vlan (untagged). Then linking the ONT/RGW ports to gain authentication, then unlinking ONT/RGW and relinking ONT/LAN. What I'm doing is the same except it's not in software. I'm still trying to understand where the vlan0 tags come into play.

The comments in this thread (» forum.opnsense.org/index ··· c=7298.0) from 4/22/2018 onward are what prompted me to try it.
to jsolo1
Is this setup still working for you? How long do you stay connected before you have to re-authenticate with the AT&T gateway router?
jsolo1 Premium Member join:2001-07-01 2018-May-8 9:43 pm
As of today it's still good. It hasn't been a week yet. According to the lease detail, it's set to renew on 2018/05/11 01:42:22. So about 3 days from now.
jsolo1
to centeredki69
@centeredki69
Just checked the dhcp client log, looks like it did a renew earlier this evening.
Thanks for the update!
So the lease renews on its own without having to re-authenticate using the AT&T Gateway/ Router? Mine has been up for 2 days using your process. The lease started at 14 days. I will give an update when something changes.
Thanks again.
jsolo1 Premium Member join:2001-07-01 2018-May-11 3:29 pm
Correct. In fact after initially authenticating with the gateway, I've plugged in a few other devices before leaving UTM alone. Each device had the mac cloned of the RGW. Devices include a laptop and a rt-ac68u router. I've yet to have to plug in the RGW.
to centeredki69
said by centeredki69:
Thanks for the update!
So the lease renews on its own without having to re-authenticate using the AT&T Gateway/ Router? Mine has been up for 2 days using your process. The lease started at 14 days. I will give an update when something changes.
Thanks again.

As long as whatever connects to the ONT renews the DHCP requests at minimum 1 time every 14 days, you will keep your connection and auth active.
jsolo1 Premium Member join:2001-07-01 2018-May-12 2:58 pm
@Brianlan,
Any thoughts on getting ipv6 to work with this method? Reviewing the larger thread there's references to modifying the duid presented. Sophos utm has no such options for fine tuning this.
There's one file in /var/sec/chroot-dhcpc/var/db/ with contents:

utm:/var/sec/chroot-dhcpc/var/db # cat eth4_na.leases6
default-duid "\000\001\000\001\"~\3145\300\240\015w\013\261";
to jsolo1
@jsolo1 Have you been able to get this set up to connect with a pfSense router/firewall? My Asus RT AC66U will connect immediately, but I can only get my pfSense to connect using static, not DHCP. It's like the pfSense is taking too long to negotiate before the ONT drops the connection. Even with static it seems to be hit and miss.
Thanks
to jsolo1
said by jsolo1:
@Brianlan,
Any thoughts on getting ipv6 to work with this method? Reviewing the larger thread there's references to modifying the duid presented. Sophos utm has no such options for fine tuning this.
There's one file in /var/sec/chroot-dhcpc/var/db/ with contents:
utm:/var/sec/chroot-dhcpc/var/db # cat eth4_na.leases6
default-duid "\000\001\000\001\"~\3145\300\240\015w\013\261";

Nope, I pretty much gave up on the IPv6 efforts, it's been too flaky to my liking for family usage. So, I'm just IPv4 and it's perfectly A-OK that way. Nothing I will need in the foreseeable future is only IPv6. If that was the case, there is always the tried and true HE.net Tunnel Broker that I can tightly control the routing through with my router.
jsolo1 Premium Member join:2001-07-01
to centeredki69
@centeredki69
I haven't tried pfsense here. I may have some time this afternoon to load it up on a vm (via pci passthrough for the nics) and try it that way.
Maybe there's some advanced setting in pfsense that can be adjusted.
@brianlan
Thanks for that info. I agree, I don't see ipv4 going away any time in the immediate future, but this is something that will be needed eventually.
jsolo1
to centeredki69
said by centeredki69:
@jsolo1 Have you been able to get this set up to connect with a pfSense router/firewall? My Asus RT AC66U will connect immediately, but I can only get my pfSense to connect using static, not DHCP. It's like the pfSense is taking too long to negotiate before the ONT drops the connection. Even with static it seems to be hit and miss.
Thanks

I gave both pfsense and opnsense a try. No go with dhcp. Looking at tcpdumps I do see references to vlan0, but as we've already seen, it works fine for some with dumb switches which lack vlan capability entirely. It was mentioned in the large thread not too long ago that the vlan references vlan priority, so perhaps that's where pfsense/opnsense is getting hung up. One can define a new vlan (1-4094) and adjust vlan priority, but none can be adjusted through the gui directly for an untagged interface (wlan). Maybe manipulating this through shell will fix the issue?
-------------
EDIT: Just wanted to add, during the testing above, I never unplugged the ONT from the dumb switch and thus did not have to reconnect the RGW. When I reconnected the UTM box, it pulled an IP immediately.
Thanks for the update. I tried for 2 hours to get it to work but it would only connect via static and that sometimes would still fail. I wonder if I set my WAN interface to VLAN-1 if it would connect. I have read on other sites where they set vlans, however it was not clear if they used a dumb or smart switch. It's a shame I just spent a few hundred $ on a fanless PC to set up as a pfsense router so I could finally retire my Asus RT66u to AP only mode. Thanks again
centeredki69
to brianlan
@brianlan I read a post by you on another forum that referred to pfsense connected as your router. Were you able to get a pfsense router to connect to the ONT using the GS108Ev2 switch and Vlans? I can get my old ASUS AC RT66u to connect using a dumb switch and just swapping the cables but the pfsense just will not connect. Thanks
jsolo1 Premium Member join:2001-07-01
to centeredki69
said by centeredki69:
Thanks for the update. I tried for 2 hours to get it to work but it would only connect via static and that sometimes would still fail. I wonder if I set my WAN interface to VLAN-1 if it would connect. I have read on other sites where they set vlans, however it was not clear if they used a dumb or smart switch. It's a shame I just spent a few hundred $ on a fanless PC to set up as a pfsense router so I could finally retire my Asus RT66u to AP only mode. Thanks again

That won't work. If the port is defined as vlan1, then packets will be tagged with vlan1. The ont does not appear to use vlan tags, instead just priority tagging; it won't even recognize something is connected to the wan port. FWIW, I've had no issues with utm acquiring an ip. I got the qotom box last august to use with pfsense too, but discovered utm. After playing with both for a few days, went with utm because it is more novice friendly.
Thanks for the insight. I decided to get one of the netgear plus switches, GS105E, and do the VLAN swap. Others seem to have luck with it instead of a dumb switch when they are using pfsense. If it does not work I'll have to decide if I want to stay with the Asus or use the pfsense and go back to using the DMZ-Plus/pinhole feature in the RGW. BTW, is Sophos UTM software like pfsense, or a hardware device?
jsolo1 Premium Member join:2001-07-01 2018-May-15 9:23 am
I have a dgs-1210-10 smart switch here too. I didn't have a chance to try that yesterday. I'll give that a shot in the next day or so since opnsense is still installed in the vm.
Sophos utm is similar to pfsense but is a commercial product. I'd say it's a bit more bloated too because functions that are addon packages to pf/opn are already built in. They do make hardware too, but also offer it as software for your own hardware. Free home license is good for up to 50 IPs.
------------
Edit. I take that back. I won't be trying the smart switch method for a few weeks. Want to see what happens with the current set up as far as ipv6 goes. Need the existing RGW ipv6 lease to expire.
jsolo1
to brianlan
said by brianlan:
Nope, I pretty much gave up on the IPv6 efforts, it's been too flaky to my liking for family usage.

Have you attempted to use static ipv6 by replicating the rgw's address?
Nope, lost interest like I said above.
jsolo1 Premium Member join:2001-07-01 2018-Nov-16 10:11 pm
For those using the dumb switch bypass method, what kind of lease times are you seeing?
Lately I'm seeing times around 1500-1700 sec. Maybe time to reconnect the rgw...
jsolo1 Premium Member 2018-Nov-17 12:11 pm
Update: Plugged the rgw in last night. Was expecting it to pull a new firmware but it didn't. Still on 1.6.7 (bgw210). Did the bypass a few minutes ago. Still pulling similar ~1500s lease times. Looks like it's assigning hour long leases now rather than 14 days.

# cat eth5.leases
lease {
  interface "eth5";
  fixed-address 123.456.789.10;
  option subnet-mask 255.255.252.0;
  option routers 123.456.789.1;
  option dhcp-lease-time 3600;
  option dhcp-message-type 5;
  option domain-name-servers 68.94.156.10,68.94.157.10;
  option dhcp-server-identifier 123.456.789.1;
  option broadcast-address 123.456.789.255;
  renew 6 2018/11/17 17:23:06;
  rebind 6 2018/11/17 17:51:42;
  expire 6 2018/11/17 17:59:12;
}
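The lease listing above is ISC dhclient's .leases format, and the question in the thread (14-day leases turning into 3600-second ones) is easy to answer by parsing that file rather than eyeballing it. The following is an added example, not code from the thread or from Sophos: it parses one or more lease blocks and summarises the current one. SAMPLE_LEASES is constructed for the example: the second block is the lease exactly as posted (the poster had already redacted the public addresses as 123.456.789.x, so the parser keeps addresses as opaque strings and never validates them), and the first block is an invented 14-day lease standing in for the earlier behaviour, to show that dhclient appends one block per bind and only the last block is current. The one-day "short lease" threshold is an assumption, not anything AT&T documents.

```python
"""Parse ISC dhclient .leases text and summarise the current lease.
Added example (not from the thread). SAMPLE_LEASES is constructed: block 2 is
the lease as posted, block 1 is an invented 14-day lease for comparison."""
import re
from datetime import datetime, timedelta

SAMPLE_LEASES = """\
lease {
  interface "eth5";
  fixed-address 123.456.789.10;
  option subnet-mask 255.255.252.0;
  option routers 123.456.789.1;
  option dhcp-lease-time 1209600;
  option dhcp-message-type 5;
  option dhcp-server-identifier 123.456.789.1;
  renew 2 2018/05/15 00:00:00;
  rebind 0 2018/05/20 06:00:00;
  expire 2 2018/05/22 00:00:00;
}
lease {
  interface "eth5";
  fixed-address 123.456.789.10;
  option subnet-mask 255.255.252.0;
  option routers 123.456.789.1;
  option dhcp-lease-time 3600;
  option dhcp-message-type 5;
  option domain-name-servers 68.94.156.10,68.94.157.10;
  option dhcp-server-identifier 123.456.789.1;
  option broadcast-address 123.456.789.255;
  renew 6 2018/11/17 17:23:06;
  rebind 6 2018/11/17 17:51:42;
  expire 6 2018/11/17 17:59:12;
}
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"
_BLOCK_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
_STMT_RE = re.compile(r"^\s*(?:option\s+)?([\w-]+)\s+(.*?);\s*$", re.M)
# dhclient writes timestamps as "<weekday> YYYY/MM/DD HH:MM:SS" (UTC), Sunday = 0.
_TIME_RE = re.compile(r"^(\d)\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})$")
SHORT_LEASE = 86400  # assumption: anything under a day counts as "short"


def _parse_time(value):
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError("unrecognised timestamp: %r" % value)
    wday, stamp = int(m.group(1)), m.group(2)
    dt = datetime.strptime(stamp, TIME_FMT)
    # Python counts Monday = 0, ISC counts Sunday = 0; catches hand-edited files.
    if (dt.weekday() + 1) % 7 != wday:
        raise ValueError("weekday %d does not match %s" % (wday, stamp))
    return dt


def parse_leases(text):
    """One dict per lease block, in file order; the last block is current."""
    leases = []
    for body in _BLOCK_RE.findall(text):
        lease = {}
        for key, value in _STMT_RE.findall(body):
            value = value.strip().strip('"')
            if key in ("renew", "rebind", "expire"):
                lease[key] = _parse_time(value)
            elif key == "dhcp-lease-time":
                lease[key] = int(value)
            else:
                lease[key] = value  # addresses kept opaque (sample is redacted)
        leases.append(lease)
    if not leases:
        raise ValueError("no lease blocks found")
    return leases


def human_duration(seconds):
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    parts = [(days, "d"), (hours, "h"), (minutes, "m"), (secs, "s")]
    return "".join("%d%s" % (n, u) for n, u in parts if n) or "0s"


def lease_summary(text):
    """Length of the current lease, renew/rebind offsets from lease start,
    and whether the server has moved to short leases."""
    lease = parse_leases(text)[-1]
    length = lease["dhcp-lease-time"]
    start = lease["expire"] - timedelta(seconds=length)
    return {
        "interface": lease.get("interface"),
        "address": lease.get("fixed-address"),
        "server": lease.get("dhcp-server-identifier"),
        "lease_seconds": length,
        "lease_human": human_duration(length),
        "short_lease": length < SHORT_LEASE,
        "start": start.strftime(TIME_FMT),
        "renew_after": int((lease["renew"] - start).total_seconds()),
        "rebind_after": int((lease["rebind"] - start).total_seconds()),
        "expire": lease["expire"].strftime(TIME_FMT),
    }


def seconds_until_expiry(text, now):
    """Seconds left on the current lease at `now` (YYYY/MM/DD HH:MM:SS, UTC)."""
    lease = parse_leases(text)[-1]
    return int((lease["expire"] - datetime.strptime(now, TIME_FMT)).total_seconds())


if __name__ == "__main__":
    for k, v in lease_summary(SAMPLE_LEASES).items():
        print("%-14s %s" % (k, v))
```

Run against the posted block the summary reports a 3600 s lease with rebind 3150 s after lease start (7/8 of the lease, which is where dhclient puts T2) and the renew point a little earlier than the usual half-way mark; the 14-day block is only there as the "before" case, so you can diff the two summaries instead of re-reading the file when the lease times change again.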
jsolo1 Premium Member 2019-Mar-29 4:46 am
Good news to report. With the help of dls, amiskell, and brianlan (and others), I now have a working solution that completely eliminates the need for the rgw. Details to follow later today! This appears to survive reboots, ONT cable disconnects, etc. Have not tested with ipv6 yet. » i.imgur.com/HexJhWW.png
dls Member join:2018-12-07 Chicago, IL 2019-Mar-29 10:11 am
For IPv6 you would want to do DHCPv6-PD with /60, while supplying DUID-EN (you could generate the latter yourself, it just needs to be supplied in request).
Don't use DHCPv6-NA - you'll get an IP that's not routable outside of ATT network.
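Two earlier points in the thread come together here: jsolo1's default-duid line from the UTM's leases6 file, and dls's advice to present a DUID-EN you generate yourself. The string in that file is dhclient's own quoting of the raw DUID bytes (three-digit octal escapes for non-printable bytes, a backslash before '"' and '\'), so it can be decoded to see what the box is currently presenting and re-encoded from a DUID you build. The following is an added example, not code from the thread or from Sophos/ISC: POSTED_DUID is the string from the post (its link-layer field is the box's MAC, which the post already exposes in octal); ENTERPRISE_EXAMPLE is the Broadband Forum's IANA enterprise number, 3561, used purely as an example value, and the identifier is a placeholder, because the thread does not say which enterprise number or identifier AT&T expects in a DUID-EN.

```python
"""Decode/build DHCPv6 DUIDs in ISC dhclient's leases6 string form.
Added example (not from the thread). POSTED_DUID is the default-duid value
from the post; ENTERPRISE_EXAMPLE and the identifier below are placeholders."""
import struct
from datetime import datetime, timedelta, timezone

POSTED_DUID = r'\000\001\000\001\"~\3145\300\240\015w\013\261'
ENTERPRISE_EXAMPLE = 3561  # Broadband Forum's IANA PEN, used only as a sample value

# DUID type codes (RFC 8415 section 11).
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
DUID_NAMES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
# DUID-LLT carries seconds since 2000-01-01 00:00:00 UTC, modulo 2**32.
LLT_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def isc_unescape(s):
    """Undo dhclient's quoting: non-printable bytes are written as exactly
    three octal digits (\\ooo); '"' and '\\' carry a single backslash;
    every other byte is literal."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        digits = s[i + 1:i + 4]
        if len(digits) == 3 and all(d in "01234567" for d in digits):
            out.append(int(digits, 8))
            i += 4
        elif i + 1 < len(s):
            out.append(ord(s[i + 1]))  # \" or \\
            i += 2
        else:
            raise ValueError("dangling backslash")
    return bytes(out)


def isc_escape(raw):
    """Inverse of isc_unescape: what dhclient would write for these bytes."""
    out = []
    for b in raw:
        if b in (0x22, 0x5C):          # '"' and '\'
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:          # printable ASCII stays literal
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def fmt_mac(addr):
    return ":".join("%02x" % b for b in addr)


def decode_duid(raw):
    """Split a DUID into its fields according to its type code."""
    if len(raw) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", raw[:2])
    info = {"type": dtype, "name": DUID_NAMES.get(dtype, "unknown"), "length": len(raw)}
    if dtype == DUID_LLT and len(raw) >= 8:
        hwtype, secs = struct.unpack("!HI", raw[2:8])
        info.update(hwtype=hwtype, time=LLT_EPOCH + timedelta(seconds=secs),
                    lladdr=fmt_mac(raw[8:]))
    elif dtype == DUID_EN and len(raw) >= 6:
        (ent,) = struct.unpack("!I", raw[2:6])
        info.update(enterprise=ent, identifier=raw[6:])
    elif dtype == DUID_LL and len(raw) >= 4:
        (hwtype,) = struct.unpack("!H", raw[2:4])
        info.update(hwtype=hwtype, lladdr=fmt_mac(raw[4:]))
    return info


def build_duid_en(enterprise, identifier):
    """DUID-EN: type 2, 32-bit IANA enterprise number, opaque identifier."""
    if not 0 <= enterprise < 2 ** 32:
        raise ValueError("enterprise number out of range")
    return struct.pack("!HI", DUID_EN, enterprise) + bytes(identifier)


def default_duid_line(raw):
    """The leases6 line that makes dhclient present this DUID."""
    return 'default-duid "%s";' % isc_escape(raw)


if __name__ == "__main__":
    print("posted:", decode_duid(isc_unescape(POSTED_DUID)))
    en = build_duid_en(ENTERPRISE_EXAMPLE, b"EXAMPLE-SERIAL")  # placeholder identifier
    print(default_duid_line(en), decode_duid(en))
```

Decoded, the posted value is a DUID-LLT over Ethernet (hardware type 1) whose timestamp falls in early May 2018, in line with when that post was written, followed by the box's MAC; the UTM generated it the first time its DHCPv6 client ran, which is why there is no UI knob for it. Replacing that line with the output of default_duid_line(build_duid_en(...)) is the mechanical part; the values to put in it are the part the thread does not settle, so treat the enterprise number and identifier above as placeholders to be replaced, not as AT&T's format.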
to jsolo1
Did you use the wpa_supplicant version 2.5 package I built or the stock SuSE 11.4 0.7.3 version?
jsolo1 Premium Member join:2001-07-01 2019-Mar-29 11:15 am
Yours. I got nowhere with the older version.
If you run rpm -qa | grep wpa it says wpa_supplicant 2.5?
It's possible the 0.7.3 didn't have any of the code required to handle EAP-TLS. It *was* from 2010 and still in its infancy.
I might be able to take your start script and integrate it into the package since the package already supports being run as a service.