Anybody use AT&T Gigabit Fiber with Mikrotik RouterOS?

One thing I haven’t seen mentioned in this thread.

Do you still need to set the RG into bypass mode or should I reset that to defaults, too?

I’m going to apply this config today when I get home, so if anything I’ll be able to test and pass on any additional info I find.

Don’t know, I think it does not matter what the RG is doing if you intend to power it off. Disabling the Wifi feature would be at least one suggestion.

Well, I was able to get mine going pretty easily on the RB3011. I am getting 900+ speeds, though it is taxing the CPU pretty hard. Would be awesome if we got VLAN/bonding hw-offload in the future.

My steps were pretty simple.

Kept my current firewall configuration, which has fasttrack on the top and a pretty simple configuration, nothing too far out of stock other than my VPN tunnel stuff and some NAT firewall rules for some services.

Set up a bridge for wlan, placed both ether1 and ether2 on it. ONT into ether1, RB into ether2.

Set up VLAN tagging on the bridge and set the PVID to 1. Frame type is admit-all. STP set to none.

I then setup the switch rules as follows:

/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Works as expected. Survives reboots.

The only thing I am still trying to sort out is disabling VLAN filtering on the bridge and somehow getting it working at the switch-chip level. One can hope.
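The bridge, VLAN and switch-rule steps above, collected into one RouterOS configuration as an added example (this is not the poster's own export). The bridge name `bridge-wan`, the DHCP client on the bridge and the sniffer check at the end are assumptions; the switch rules are the two lines the poster gave.

```routeros
# Added example, not the poster's export. Assumes an RB3011-style switch chip
# named switch1, ONT on ether1 and RG on ether2; bridge name is an assumption.

# WAN bridge carrying both ports, VLAN filtering on, PVID 1, STP off
/interface bridge
add name=bridge-wan vlan-filtering=yes pvid=1 frame-types=admit-all protocol-mode=none
/interface bridge port
add bridge=bridge-wan interface=ether1 pvid=1 frame-types=admit-all
add bridge=bridge-wan interface=ether2 pvid=1 frame-types=admit-all

# Switch-chip rules: forward 802.1X (EtherType 0x888E) frames between the
# ONT port and the RG port in both directions, so the RG can authenticate
/interface ethernet switch rule
add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

# DHCP client on the bridge (assumption: the poster does not show this part)
/ip dhcp-client add interface=bridge-wan disabled=no

# Check: confirm EAPOL frames are actually seen on the ONT port
/tool sniffer quick interface=ether1 mac-protocol=0x888E
```

The sniffer line is a quick way to verify that the 802.1X exchange is passing through the switch chip; if nothing shows up there, the rule set is not matching and the RG will never reach the authenticated state.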

Thank you for this guide; unfortunately I am only getting 111 Mbps on the upload with my CCR-1009 bandwidth tests.

Actual downloads (such as torrents) rarely exceed 100/60 despite being on the 1000/1000 AT&T Fiber plan. Gateway is BGW-210. If I connect everything directly to the BGW-210 I can seed 939 Mbps upload easily on the same busy torrents (Game of Thrones).

EDIT: Somehow fast path was checked off… I’m stupid.

So you didn’t have to use the scripts, etc. from above? Just a simple bridge + VLAN + switch rules? We’re looking at getting AT&T Fiber in a couple of months, and would like to make this work with an RB4011 at full gigabit. I’m assuming the 4011’s CPU will probably be closer to 60% under load compared to the RB3011 maxing out? I’d rather have the extra headroom if that’s the case.

I’m also considering picking up a static IP block, do you think I’ll have any issue with that? I’d like to just throw a couple more ports into the WAN bridge and let the servers use the static IPs. Seems like that should be doable? Is there a specific gateway I should request? I found a post on r/homelab that recommended asking the tech to install a BGW210-700 Gateway.

https://www.reddit.com/r/homelab/comments/8svvtn/howto_att_internet_1000_with_static_ip_block/

Hello,

Thanks for the instructions. I just got an RB4011 today. Just wanted a clarification with this method: is the ether2 connection between the AT&T RG ONT port and the Mikrotik? Asking because another user in the same thread reported success without an RG being involved. I am guessing if there is no TV service then EAPOL isn’t involved?


I tried the method posted by @pcunite and I ran into some issues. ether1,ether2 on bridge with pvid=111. On my router broadband light and service light lit up green but I was not getting DHCP on ether1. Settings seemed ok. vlan_filtering=yes, admit-all set.

So I tried a different approach and for others who are interested in getting this to work on an RB4011 with the AT&T RG this works very well and I haven’t seen a connection drop in 48 hours.

  • if you have a spare switch connect ONT and RG to switch. Let EAPOL authentication go through. (Green on RG on Broadband+Service LEDS)
  • on Mikrotik, create a bridge with only one port on it. PVID can be default. vlan-filtering is yes and admit-all=yes. Run dhcp-client with peer-dns set to no (I prefer not to use AT&T’s)
  • Set MAC to MAC of RG on the interface
  • Ensure firewall rules specify the newly created bridge (I just added the bridge to my WAN interface list as my firewall rules already specify this list)
  • Disconnect ONT cable from switch and connect it to ether1. Check if DHCP is received on the interface (ip->dhcp-client on web interface)
  • Turn RG off.
    My ONT is battery backed. But if I lose the connection then simply connect RG and ONT to the switch, re-authenticate, and re-connect the ONT cable back to the Mikrotik.
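The single-port MAC-clone approach in the list above, written out as one RouterOS configuration. This is an added example, not the poster's config: the bridge and interface-list names, the placeholder MAC, and the minimal input/NAT firewall rules are assumptions; the poster only says that existing rules reference the WAN list.

```routeros
# Added example, not the poster's export. Assumes the RG has already completed
# 802.1X via a spare switch and the ONT cable is then moved to ether1.
# Replace the placeholder MAC with the RG's own MAC; names are assumptions.

# Single-port WAN bridge, VLAN filtering on, default PVID, admit all frames
/interface bridge
add name=bridge-wan vlan-filtering=yes frame-types=admit-all protocol-mode=none
/interface bridge port
add bridge=bridge-wan interface=ether1 frame-types=admit-all

# Clone the RG's MAC onto the bridge so the ONT keeps the authenticated session
/interface bridge set bridge-wan auto-mac=no admin-mac=XX:XX:XX:XX:XX:XX

# Put the bridge in the WAN interface list so existing firewall rules apply
/interface list add name=WAN
/interface list member add list=WAN interface=bridge-wan

# DHCP client on the bridge, ignoring AT&T's DNS servers
/ip dhcp-client add interface=bridge-wan use-peer-dns=no add-default-route=yes disabled=no

# Minimal WAN-facing rules (assumed; the poster keeps their own rule set)
/ip firewall filter
add chain=input in-interface-list=WAN connection-state=established,related action=accept
add chain=input in-interface-list=WAN action=drop
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# Check: a bound lease should appear here once the ONT is on ether1
/ip dhcp-client print
```

The `admin-mac`/`auto-mac=no` pair is what makes the clone persistent across reboots; if the bridge is left on `auto-mac=yes` it will pick up a port MAC again and the ONT will stop passing traffic until the RG is re-authenticated.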

I am getting 940/900 consistently on speedtest.net on my main PC downstairs (connected by approximately 100 ft of Cat5e). I am also seeing similar high Tx/Rx numbers on the bridge interface on the web mgmt page. I also have a CRS326 to connect in front in a router-on-a-stick setup since I have about 15-20 Cat5e connections at home (currently the PC is connected directly to router port 3).

I have successfully implemented the bypass method both to a stand-alone ONT (bypassing a BGW210) as well as using a SFP fiber module to a Ciena eMUX 5150 series (bypassing a NVG595) and it is running very well. Additionally, I have created a script that automates the startup in case of a reboot (e.g. running out of UPS power). Before I release the scripts (based heavily upon work by @pcunite, THANK YOU!) I would like to enhance the solution. I have two questions:

  1. In v6.45.1 there is now support for 802.1X or dot1x. I found a solution for pfSense that allows the RG to stay connected at all times and provide the 802.1X authentication when the ISP e.g. sends a certificate update: https://github.com/aus/pfatt. Any suggestion how to achieve this in ROS?

  2. On my network, I’m running IPv6 to support team members that cannot get static IPv4 addresses any longer. At the latest node, AT&T have implemented dual stack or native IPv6. The IPv6 address is assigned dynamically (appears to be tied to the base IPv4 address or MAC address), but has not changed for the entire time, including replacing the BGW210. The address is not assigned via DHCPv6. I have taken the /60 found on the BGW210 and statically assigned the subnets including the router address (which in the IPv4 world is assigned by DHCP). However, I would like to let the Mikrotik obtain this address. I assume that registering the fe80:: address for the upstream router interface would be good enough (?), but how is the /60 subnet being detected? Any clues what is going on or how to find out?

Wanted to report back that with the 6.45.1 upgrade the DHCPv6 client is working on the dual stack AT&T GPON network. I now have access to the entire /60! What I have learned from getting IPv6 on AT&T and Comcast network is to mix dynamic and static subnets i.e. let the client communicate with the ISP and initiate routing and assign static addresses to the VLANs on my network. Since the subnet assignment does not appear to ever change unless there is a MAC change, it is much more stable than the dynamic assignment of addresses which is the default behavior for the Mikrotik.
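The mixed dynamic/static IPv6 approach the poster describes (let the DHCPv6 client obtain the /60 from AT&T, then hand out stable /64s to the internal VLANs), as an added RouterOS example. This is not the poster's configuration: the pool name, the VLAN interface names and the IPv6 firewall rules are assumptions.

```routeros
# Added example, not the poster's export. Assumes the WAN bridge is bridge-wan
# and the LAN VLAN interfaces are vlan10-lan and vlan20-srv (assumptions).

# DHCPv6 client: request the delegated prefix (the /60) into a pool and
# install the default route learned from the upstream router
/ipv6 dhcp-client
add interface=bridge-wan request=prefix pool-name=att-pd pool-prefix-length=64 \
    add-default-route=yes use-peer-dns=no disabled=no

# Each VLAN gets a fixed ::1 address in its own /64 carved from the pool.
# The /64 comes from the delegation, the host part stays static, so LAN
# addressing survives reboots as long as AT&T keeps handing out the same /60.
/ipv6 address
add address=::1/64 from-pool=att-pd interface=vlan10-lan advertise=yes
add address=::1/64 from-pool=att-pd interface=vlan20-srv advertise=yes

# Basic filtering so the delegated /60 is not globally reachable by default
/ipv6 firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmpv6 action=accept
add chain=input in-interface=bridge-wan action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward protocol=icmpv6 action=accept
add chain=forward in-interface=bridge-wan connection-state=new action=drop

# Checks: delegated prefix, pool contents and the addresses derived from it
/ipv6 dhcp-client print detail
/ipv6 pool print
/ipv6 address print
```

Unlike IPv4, there is no NAT hiding the LAN here: every VLAN address is publicly routable within the /60, so the forward-chain rules are the only thing keeping inbound connections out of the internal hosts.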

I’m still stuck on the 802.1X question. To simplify the issue, I’m looking for a solution to the following sequence:
(the Residential Gateway (RG) is attached to port A, the ONT to port B, and whatever network you have is routed over the bridge)

  1. The RG initiates an 802.1X EAPOL-START from port A.
  2. If the packet matches an 802.1X type (which it does), it is passed to the ONT interface. If it does not, the packet is discarded. This prevents our RG from initiating DHCP.
  3. The packet is then bridged through ROS to the ONT port B.
  4. The ONT should then see and respond to the EAPOL-START, which is passed back through ROS to the RG. At this point, the 802.1X authentication should be complete.
  5. The MAC address of the RG is spoofed on the bridge and the ROS DHCP clients (IPv4 & IPv6) request a DHCP lease from the ONT.

I’m hoping that the 802.1X support in 6.45.1 will allow processing of the EAPOL-START packet, but I understand that there is a challenge since both the RG and the bridge potentially have the same MAC address. Today we achieve this by disabling the RG port and then cloning the MAC address onto the bridge before a DHCP request is issued.

Any pointers would be appreciated.

Hi all! I have AT&T fiber and I’m in need of a new router and was wondering about the Ubiquiti EdgeRouter 4 vs a Mikrotik RB3011 (yes, I realize this is a Mikrotik forum).

I have a rackmount server on my home network I use for development, like a workstation. I don’t want to use it as a router in case I need to shut it down or something.

So I’m looking for something that I can use as a VPN as well. Better than port forwarding.

Would the RB3011 get the full gig up/down? I know the ER-4 and even the ER Lite have good bandwidth, but I can’t find much about the RB3011… especially when it comes to AT&T fiber. You folks look like you have a good handle on it though.

Big bonus if I can eliminate that AT&T router too! Thanks!

We are standardized on the CCR line with UBNT APs, as this gives us the headroom we need at 1 Gb/s. Firewall rules, VPNs, OSPF, etc. quickly add up.

I’m able to authenticate with the ONT using the dot1x 802.1X support on my CCR1009; it just took disabling CRL, setting both the identity and anonymous identity to the MAC on the certs and then importing the entire cert chain. Probably can enable the CRL if the supplemental certs are there, not sure.

However… I cannot get dot1x to work on a bridged interface! This is necessary as that’s how I strip the VLAN 0 tagged frames due to the 802.1p priority being set. It stops after the EAP exchange for identity, before the certs start flying over the wire.

You can see and pile on to my post regarding that specific feature being broken here: http://forum.mikrotik.com/t/802-1x-dot1x-client-not-working-when-interface-is-on-a-bridge/131984/1

Once fixed or a workaround is found, it should be possible to have a complete solution without a switch chip and without having the RG even plugged in.

@wojo - I saw your other post earlier and figured out that you made some progress THANK YOU! Did you also file a ticket with support?

I didn’t, thought it wasn’t provided to the built in license types after 30 days. I’ll give it a shot though.

Hello,

I am completely new to Mikrotik hardware and I have the PACE 5268AC (AT&T Fiber 1 Gig). Can someone please let me know the steps and Mikrotik hardware to get in order to bypass the AT&T gateway without impacting speed (apparently the PACE has a DMZ bug, that impacts the speed)? I have PACE 5268AC firmware 11.1.0.531418.

Thanks,

First thing I would do is call AT&T and tell them to send a new modem and ask for a 210-700. I did this because yes, the Pace one slows down after some use and you gotta keep rebooting it. I think the process would be the same though.

That’s a good tip to get the better router for sure.

I’m still working on the solution for Mikrotik; I just need to get back to it, as a lot of other things have popped up.

Would it be possible for you to release what you have? I wouldn’t need IPv6, but interested to see if your method is better than the original one posted.

Thanks for the recommendation! After obtaining the replacement modem, what hardware do you recommend? What do you have in your setup? Note that I am just using the INTERNET service. No need for TV or telephone from AT&T.

Regards,