Bypassing AT&T Residential Gateways with MikroTik

Update: today I tried again, thinking I might need to delete the DHCP client and re-create it. But today, with the exact same config, the 802.1x status just shows “rejected”. The router’s clock is correct to within a second or two. I’ve triple-checked the MAC address in the WAN port and in the 802.1x identity field. What could be going on? The logs are not helpful.

Not sure what changed, but after a reboot I’m once again getting “authenticated” on the dot1x client. I was back to the “not getting an IP address” issue, but then I changed the ethertype on the bridge to 0x9100, and I instantly got an IPv4 address. Yay.

But I can’t seem to get an IPv6 delegation. Does anyone know if there are any tricks to getting one without the AT&T gateway?

Aaannnnd once more, with all the answers. This gives everything needed to get fully functioning IPv4 and IPv6 on an RB5009 running 7.16.1 and bypass a BGW-210.

This assumes ether8 is your WAN port connected to the AT&T ONT. “xx:xx:xx:xx:xx:xx” and “xxxxxxxxxxxx” are the MAC of your BGW-210.

/interface bridge add ingress-filtering=no name=ATTbridge protocol-mode=none vlan-filtering=yes ether-type=0x9100
/interface ethernet set [ find default-name=ether8 ] mac-address=xx:xx:xx:xx:xx:xx
/interface bridge port add bridge=ATTbridge ingress-filtering=no interface=ether8
/interface dot1x client add certificate=ATT_Client eap-methods=eap-tls identity=xxxxxxxxxxxx anon-identity=xxxxxxxxxxxx interface=ether8
/ip dhcp-client remove [find interface=ether8]
/ip dhcp-client add interface=ATTbridge use-peer-dns=no
/ipv6 dhcp-client add add-default-route=yes interface=ATTbridge pool-name=ipv6-pool request=address,prefix use-peer-dns=no
/ipv6 address add from-pool=ipv6-pool interface=vlan-lan
/ipv6 address add from-pool=ipv6-pool interface=vlan-guest
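
An added example, not part of the original post and not MikroTik code: a small Python check that reads one-line RouterOS commands in the form posted above and reports where they diverge from that post's setup (bridge ether-type 0x9100, WAN MAC matching both dot1x identities, IPv4 DHCP client on the bridge rather than the port). The function names and the sample with its placeholder MAC are constructed for illustration, and it parses only the single-line command form used in the post.

```python
import re

KV = re.compile(r'([\w-]+)=([^\s\]]+)')                     # key=value, also inside [ find ... ]
CMD = re.compile(r'(/[a-z0-9 -]+?) (add|set|remove) (.*)')  # menu path, verb, parameters

def parse(config):
    """Split one-line RouterOS commands into (menu, verb, params) tuples."""
    return [(m[1], m[2], dict(KV.findall(m[3])))
            for m in map(CMD.match, map(str.strip, config.splitlines())) if m]

def norm(mac):
    return mac.replace(":", "").lower()  # identity is the MAC without colons

def check(config, wan="ether8"):
    """Return a list of mismatches against the setup described in the post."""
    cmds = parse(config)
    rows = lambda menu, verb="add": [p for m, v, p in cmds if m == menu and v == verb]
    problems = []
    bridge = next((p["bridge"] for p in rows("/interface bridge port")
                   if p.get("interface") == wan), None)
    if bridge is None:
        return [f"{wan} is not a port of any bridge"]
    etype = next((p.get("ether-type") for p in rows("/interface bridge")
                  if p.get("name") == bridge), None)
    if etype != "0x9100":  # the value the poster set before DHCP answered
        problems.append(f"{bridge}: ether-type is {etype}, post uses 0x9100")
    mac = next((p.get("mac-address") for p in rows("/interface ethernet", "set")
                if p.get("default-name") == wan), None)
    if mac is None:
        problems.append(f"{wan}: no mac-address override")
    for p in rows("/interface dot1x client"):
        for field in ("identity", "anon-identity"):
            if p.get("interface") == wan and mac and norm(p.get(field, "")) != norm(mac):
                problems.append(f"dot1x {field} does not match {wan} mac-address")
    if not any(p.get("interface") == bridge for p in rows("/ip dhcp-client")):
        problems.append(f"no IPv4 dhcp-client on {bridge}")
    return problems

# Constructed sample: placeholder MAC, with three deliberate mistakes.
SAMPLE = """\
/interface bridge add name=ATTbridge vlan-filtering=yes ether-type=0x8100
/interface ethernet set [ find default-name=ether8 ] mac-address=02:00:00:AA:BB:CC
/interface bridge port add bridge=ATTbridge interface=ether8
/interface dot1x client add eap-methods=eap-tls identity=020000aabbcd anon-identity=020000aabbcc interface=ether8
/ip dhcp-client add interface=ether8
"""

if __name__ == "__main__":
    for problem in check(SAMPLE):
        print("MISMATCH:", problem)
```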

Since July 2024, I’ve been bypassing via XGSPON SFP+. It’s been great; there’s been no need for VLAN0 or dot1x certs.

Using a CCR-2116. Not sure if it will work with other MikroTik routers.

Have you seen any issues on newer firmware? I have this working on 7.21.2 without issues, but when I tried to update to the latest stable firmware (7.22.2) I was having an issue getting stuck searching for an IP, but dot1x authenticated without any issues.

Not sure if there was a firmware change that caused the issue or something else was going on causing it to not be able to get an IP.

Yes, I had the same problem upgrading to 7.22. The upgrade deletes the custom MAC address from the WAN bridge. You need to re-set the admin-mac property on the bridge interface.

Just got AT&T fiber today. I read through this thread, but can't find a definitive answer. Is completely bypassing the gateway still possible on RouterOS 7.21.4?