UPDATE
Please read my new article on this subject. This thread is no longer current.
Good news folks, you don’t need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!
The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4GHz CPU. Please test with your 1Gbps plan.
This working sample also has automatic recovery from power loss too!
A complete, working, start-to-finish example. Instructions and step-by-step included.
##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################
##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
# ONT <-> ether1
# ATT RG ONT Port <-> ether2
# Your PCs etc. <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT syncing.
##################################################################################################
# Create two bridges. One for your network and the other for the WAN.
/interface bridge
# LAN
add name=Bridge_LAN protocol-mode=none
# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes
# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes
# Add ports to each bridge
/interface bridge port
# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2
# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10
# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no
# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"
# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"
# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"
# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN
# Example rule table switching for better performance, if your hardware supports it.
# Forwards EAPOL (EtherType 0x888E) frames between the ONT port and the ATT RG port in the switch chip, without involving the CPU.
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1
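An added example, not part of the original post: a small watchdog for the same setup that re-runs the OnRebootATT sync whenever the DHCP client on Bridge_WAN is no longer bound (for example after an ONT reset), instead of only at boot. Bridge_WAN and OnRebootATT are the names from the config above; the script name WanWatchdog, the 10-minute interval and the use of the script job list as an overlap guard are assumptions of this example.

```routeros
# Added example (not from the original post). Paste the lines below as the
# source of a script named WanWatchdog, then add the scheduler at the end.
# Assumes Bridge_WAN and OnRebootATT exist exactly as in the config above.
:local wan "Bridge_WAN"
:local status [/ip dhcp-client get [find interface=$wan] status]
:if ($status != "bound") do={
    :log warning ("WanWatchdog: DHCP on " . $wan . " is '" . $status . "', re-syncing ATT RG with ONT")
    # Do not start a second sync while OnRebootATT (with its 3-minute delay) is still running
    :if ([:len [/system script job find script=OnRebootATT]] = 0) do={
        /system script run OnRebootATT
    }
} else={
    :log debug ("WanWatchdog: DHCP on " . $wan . " is bound, nothing to do")
}

# Scheduler entry (one line): run the check every 10 minutes (interval is an assumption)
/system scheduler add name=WanWatchdog start-time=00:00:00 interval=10m on-event="/system script run WanWatchdog"
```

While OnRebootATT is re-enabling ether2, the RG briefly has the same MAC on the WAN bridge again, so expect a short outage each time the watchdog fires; the job-list check keeps two sync windows from overlapping.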