networknoob88
Topic Author

Anybody use AT&T Gigabit Fiber with Mikrotik RouterOS?

Mon Jul 23, 2018 11:43 pm

I'm about to have AT&T Fiber 1000 installed for use with my new CCR1009-7G. The AT&T modem/gateway is a terrible piece of equipment with no bridge mode and a low NAT table limit. Yet the AT&T fiber uses some authentication protocol that requires a certificate installed in their own gateway, so one cannot simply plug the AT&T line into a real router and call it a day.

Ubiquiti EdgeRouter users have come up with ways to enable bridge mode by routing the authentication traffic through the AT&T gateway, while routing the Internet traffic through the router, effectively bypassing the gateway and realizing true bridge mode. A sample guide can be seen here.

Since MT/RouterOS, especially the CCR, is a much more powerful and sophisticated router, I believe it should be capable of achieving the same bypass. Unfortunately I'm fairly new at this whole networking thing and am really just in the "guide following" stage. I wonder if anyone here has experience with RouterOS + AT&T Fiber bypass.

Thanks!
 
pcunite

Tue Jan 15, 2019 9:14 pm

Has anyone found a way around the AT&T supplied router? I have fiber to the home now and the tech installed a BGW210-700. I have it configured for IP Passthrough, however it still maintains a NAT table. Since it's just an Ethernet patch cable, I would like to simply plug into ether1 on the MikroTik.
Last edited by pcunite on Wed Jan 16, 2019 12:15 am, edited 2 times in total.
 
anav

Tue Jan 15, 2019 9:27 pm

You don't need the ATT modem/gateway because it's not really a modem, at least for the internet; all it does is provide a ready-made VLAN setting for you.

I have my MikroTik directly connected to the ONT; ONT to me means fiber-to-Ethernet modem. It's this device that needs to be registered to your account for ethernet etc....
If that is your case you should be able to do the same. For example our internet on Bell uses VLAN35.

The so-called modem/gateway of which you speak has been off gathering dust for years. If I used TV from the provider I would have needed it to negotiate the TV VLAN, multicast and QoS protocols, but one can use the router to do that as well, but 'tis complicated. I was close to doing that on an older Zyxel router as they had recently upgraded software to handle the QoS packets but unfortunately the upgrade included all facets of router use EXCEPT INITIAL CONTACT and handshaking where I needed it the most LOL. I have no doubt it's all doable with MikroTik but I have since cancelled provided TV and gone full digital streaming (only need internet).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pcunite

Tue Jan 15, 2019 11:03 pm

You don't need the ATT modem/gateway because it's not really a modem, at least for the internet; all it does is provide a ready-made VLAN setting for you. I have my MikroTik directly connected to the ONT; ONT to me means fiber-to-Ethernet modem. It's this device that needs to be registered to your account for ethernet etc. If that is your case you should be able to do the same. For example our internet on Bell uses VLAN35.

That is what I thought. Could you translate this for me? I'll do the work, just wondering if it makes sense to you.
 
pcunite

Wed Jan 16, 2019 4:21 pm

This post by rajl explains it in more technical detail.

AT&T's supplied Residential Gateway, aka RG router (a BGW210-700 in my case), uses embedded certificates and the EAPOL protocol to authenticate with their ONT (Alcatel-Lucent G-010G-A) and to their upstream equipment.

Thus, at least initially, the sending of EAPOL packets to the RG and ONT must occur. Then you can do workarounds to send everything else to your MikroTik. Here is an interesting solution.
 
anav

Wed Jan 16, 2019 6:12 pm

pcunite, I haven't read the links but it's highly likely that that authentication is strictly for the TV or perhaps TV, telephone services.
I use VOIP for home phone and digital streaming so I don't care.
I did have TV temporarily and when I did I used the modem gateway for the initial connection and then routed the internet through my router and used the Cable connectors on the modem gateway to carry TV signal to the house (thus I used it but not for internet). The initial connection was for the TV signal and not the internet.

Will go read the links now.

Okay the obvious challenge from the first link is ATT uses vlan0, my Bell fiber is using vlan35.
In my case, the technician, when I refused the all-in-one box, used the available phone jack on the new ONT to program it.
Then he phoned in and authorized the number of the box or vice versa given a number over the phone from central he plugged a number into the ONT.
So the ONT is coded appropriately and no modem/gateway device is required.
I just plug my router in creating vlan35 and magic!!

I would be curious in your setup if you did the same thing.
Set up the MikroTik with the same gateway information (assuming you have a way of sniffing traffic to get your IP and gateway IP etc.), plug it all in and then unplug the cable from the ONT from the ATT device into your ether1 (for example) and see if you get connectivity??

The only thing you may require is to spoof the MAC of your modem gateway onto the MikroTik if there is some reason it checks this periodically etc.......

It's not clear if you require TV or just internet. If just internet, call ATT and just say you want an ONT for internet and they should be able to set it up.
 
trace323

Wed Jan 16, 2019 10:20 pm

My friend has AT&T Giga Fiber. He had to set their device to bridge mode and it worked without issues.
 
pcunite

Sat Jan 19, 2019 12:36 am

Good news folks, you don't need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!

The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4Ghz CPU. Please test with your 1Gbps plan.

This working sample also has automatic recovery from power loss too!

A complete working, start to finish, example. Instructions and step by step included.
##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################

##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT syncing.
##################################################################################################

# Create two bridges. One for your network and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN


Example rule table switching for better performance. If your hardware supports it.
# Example rule table switching for better performance.
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1
Last edited by pcunite on Fri Apr 26, 2019 6:06 am, edited 3 times in total.
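
The two switch rules in the post above match frames by EtherType 0x888E (EAPOL) and pass them between ether1 and ether2. As an added illustration (not part of pcunite's post and not RouterOS code), this Python model parses Ethernet frames and reports which ones those rules would redirect, which is also a quick way to check a packet capture for stray 802.1X traffic. The sample frames, MAC addresses, the `redirect_port` helper and the choice to look through a single 802.1Q tag are assumptions made for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_EAPOL = 0x888E  # 802.1X; the mac-protocol value used in the switch rules

# EAPOL packet types from IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# Model of the two rules: EAPOL arriving on one port is sent out the other.
EAPOL_REDIRECT = {"ether1": "ether2", "ether2": "ether1"}


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header, an optional 802.1Q tag and the EAPOL header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # VLAN ID 0 means "priority tag only"
        offset = 18
    info = {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "vlan_id": vlan_id,
        "ethertype": ethertype,
        "eapol_type": None,
    }
    if ethertype == ETHERTYPE_EAPOL:
        if len(frame) < offset + 4:
            raise ValueError("truncated EAPOL header")
        _version, ptype, body_len = struct.unpack("!BBH", frame[offset:offset + 4])
        if len(frame) < offset + 4 + body_len:
            raise ValueError("EAPOL body shorter than its length field")
        info["eapol_type"] = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    return info


def redirect_port(in_port: str, frame: bytes):
    """Return the port an EAPOL frame is redirected to, or None if no rule matches.

    None means the frame is left to normal bridge forwarding and the firewall.
    Assumption: the match looks through one 802.1Q tag; the page does not say
    how a given switch chip treats tagged EAPOL frames.
    """
    if parse_frame(frame)["ethertype"] != ETHERTYPE_EAPOL:
        return None
    return EAPOL_REDIRECT.get(in_port)


# Constructed sample frames (not captured traffic).
PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
RG_MAC = bytes.fromhex("020000000001")     # made-up locally administered MACs
ONT_MAC = bytes.fromhex("020000000002")

# Untagged EAPOL-Start: version 1, type 1, empty body
EAPOL_START = PAE_GROUP + RG_MAC + bytes.fromhex("888e" "01010000")
# VLAN 0 priority-tagged EAP Request/Identity: version 1, type 0, 5-byte body
EAP_REQUEST_VLAN0 = PAE_GROUP + ONT_MAC + bytes.fromhex(
    "8100" "0000" "888e" "01000005" "0101000501"
)
# Ordinary IPv4 frame with a zeroed 20-byte payload
IPV4_FRAME = RG_MAC + ONT_MAC + bytes.fromhex("0800") + bytes(20)

if __name__ == "__main__":
    samples = [
        ("ether2", EAPOL_START),
        ("ether1", EAP_REQUEST_VLAN0),
        ("ether1", IPV4_FRAME),
        ("ether3", EAPOL_START),
    ]
    for port, frame in samples:
        info = parse_frame(frame)
        print(port, hex(info["ethertype"]), info["vlan_id"],
              info["eapol_type"], "->", redirect_port(port, frame))
```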
 
sebastia

Sat Jan 19, 2019 12:52 am

/interface ethernet switch rule ...
unfortunately 4011 doesn't do that in hardware: https://wiki.mikrotik.com/wiki/Manual:S ... troduction

why not use a cheap Tik with better switch in front? (or instead of 4011 altogether...) ex hAP ac2
 
Medikit

Tue Feb 05, 2019 6:12 pm

I tried this with gigabit internet using my RB3011 including your switch rule. Speed is still reduced (getting about 450/450 max), I'm not sure if it's a hardware limitation. CPU-used maxes at 50% during a speed test and cpu-used-per-cpu at up to 90%, 5%.
 
inmultec

Wed Feb 06, 2019 8:34 am

pcunite, I have att fiber 1gb with tv... how do I keep the tv running and use my rb3011 to do the internet stuff.. any ideas.

Also, there is a mention of a vlan0 but in the set up I don't see it mentioned, is that the pvid 111?

I have taken my uverse boxes to my other location (outside the US) and have them working via eoip and bridging that with a port connected to another lan port from the gateway/modem... I do other heavy lifting with my fiber connection and I do feel there is some latency issues probably because of the limited nat muscle of the 210-700.
 
inmultec

Wed Feb 06, 2019 3:32 pm

Did you have to set up any vlan0? If so, where, how?

Did you turn on fasttrack?

I am willing to go to a CCR1009 or CCR1016-12G if that's what it takes to make it to 1gbps, but I need to also run uverse TV...


I tried this with gigabit internet using my RB3011 including your switch rule. Speed is still reduced (getting about 450/450 max), I'm not sure if it's a hardware limitation. CPU-used maxes at 50% during a speed test and cpu-used-per-cpu at up to 90%, 5%.
 
pcunite

Wed Feb 06, 2019 5:00 pm

@inmultec,

The configuration I've posted is exactly what I'm doing. Give it a try and I'll help you work out any issues. With regards to TV service, I don't have that. This post seems to indicate that IGMP is needed to make that work.
 
inmultec

Wed Feb 06, 2019 5:57 pm

Thanks. I will give it a test run when I am there... That NAT table on the ATT modems slows down, right, with a lot of usage? I have a VPN server running on the mtk and have many friends and fam using it to get geolocation workaround, a lot of netflixing and directvnow.... I want raw power on this connection. I can use a stronger mtk if need be... but I don't want to lose Uverse TV.... anyone? hehe
@inmultec,

The configuration I've posted is exactly what I'm doing. Give it a try and I'll help you work out any issues. With regards to TV service, I don't have that. This post seems to indicate that IGMP is needed to make that work.
 
Medikit

Thu Feb 07, 2019 1:40 am

I forgot I deleted my fasttrack rules when I applied this new script. I just added these rules: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Unfortunately still ~450/450

Edit: I did not change the VLAN to 0. I assume this method bypasses that.

Did you have to set up any vlan0? If so, where, how?

Did you turn on fasttrack?

I am willing to go to a CCR1009 or CCR1016-12G if that's what it takes to make it to 1gbps, but I need to also run uverse TV...
 
nitrag

Sat Feb 09, 2019 7:07 pm

Following. I use the pseudo-bridge on AT&T gateway and max out at around 600. Would enjoy the full Gig....
 
Medikit

Wed Feb 27, 2019 4:41 pm

Just wanted to update: I performed bandwidth test from my router (87.121.0.45, neterra/neterra) and average Tx/Rx was 555/899. Note that CPU usage was up to 100% during this testing. I think the RB3011 isn't cutting it since Hardware offloading does not work with these settings for this router. I'm considering buying a CCR1009.

Edit: I want to add that as above I am only seeing 450/450 max from my connected devices whereas the router itself clearly can hit a gigabit as above though with 100% CPU usage. Seems like a hardware limitation to me.
Last edited by Medikit on Wed Feb 27, 2019 8:21 pm, edited 1 time in total.
 
nescafe2002

Wed Feb 27, 2019 4:55 pm

You are considering buying a new device because it cannot saturate the connection using the built-in bandwidth tester?

Even though RB3011 can handle 1Gbps NAT traffic easily?

Keep in mind that the device has to actually generate the traffic and cannot use any of the hardware offload functions, therefore the bandwidth test should not be used to measure traffic capacity of the device itself.
 
anav

Wed Feb 27, 2019 6:00 pm

No worries Medikit, since that RB3011 seems really underpowered for your Huge network and I have a much smaller network please feel free to send it my way, I will pay postage.
 
Medikit

Wed Feb 27, 2019 8:17 pm

You are considering buying a new device because it cannot saturate the connection using the built-in bandwidth tester?

Even though RB3011 can handle 1Gbps NAT traffic easily?

Keep in mind that the device has to actually generate the traffic and cannot use any of the hardware offload functions, therefore the bandwidth test should not be used to measure traffic capacity of the device itself.

So I'm only getting 450 mbps max on my desktops (see above posts) but 900mbps on the built-in bandwidth tester. If the Router could handle VLAN/switching more efficiently I think it wouldn't be a problem.
No worries Medikit, since that RB3011 seems really underpowered for your Huge network and I have a much smaller network please feel free to send it my way, I will pay postage.

Trying to sell it at the moment. I am being a little ridiculous since my network is not that big and I could just use AT&T's supplied router but damn it, I want to use my own router.

Edit: Using an RB4011 now and speeds are great, 940/940 from my desktop.
 
november

Mon Apr 08, 2019 7:07 pm

One thing I haven't seen mentioned in this thread.

Do you still need to set the RG into bypass mode or should I reset that to defaults, too?

I'm going to apply this config today when I get home, so if anything I'll be able to test and pass on any additional info I find.
 
pcunite

Tue Apr 09, 2019 8:38 pm

Do you still need to set the RG into bypass mode or should I reset that to defaults, too?

Don't know, I think it does not matter what the RG is doing if you intend to power it off. Disabling the Wi-Fi feature would be at least one suggestion.
 
phin
just joined
Posts: 15
Joined: Mon Dec 04, 2017 11:25 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Sat Apr 13, 2019 8:01 pm

Well was able to get mine going pretty easily on the RB3011. I am getting 900+ speeds, though it is taxing the CPU pretty hard. Would be awesome if we got VLAN/BONDING hw-offload in the future.

My steps were pretty simple.

Kept my current Firewall configuration, which has fasttrack on the top and a pretty simple configuration, nothing too far out of stock other than my vpn tunnel stuff and some NAT firewall rules for some services.

Set up a bridge for wlan, placed both ether1 and ether2 on. ONT into ether1, RB into ether2.

Set up vlan tagging on the bridge and placed pvid to 1. Frame type is admit all. STP set to none.

I then set up the switch rules as follows:

/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Works as expected. Survives reboots.

Only thing I am trying to possibly sort out, is to disable using vlan filtering on the bridge and somehow get it working on the switch chip level. One can hope.
 
archerious
just joined
Posts: 11
Joined: Sun Aug 26, 2018 7:50 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Thu May 23, 2019 5:44 pm

Good news folks, you don't need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!

The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4Ghz CPU. Please test with your 1Gbps plan.

This working sample also has automatic recovery from power loss too!

A complete working, start to finish, example. Instructions and step by step included.
##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################

##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT syncing.
##################################################################################################

# Create two bridges. One for your network and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN


Example rule table switching for better performance. If your hardware supports it.
# Example rule table switching for better performance.
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1
Thank you for this guide, unfortunately I am only getting 111mbps on the upload with my CCR-1009 bandwidth tests.

Actual downloads (such as torrents) rarely exceed 100/60 despite being on the 1000/1000 AT&T Fiber plan. Gateway is BGW-210. If I connect everything directly to BGW-210 I can seed 939mbps upload easily on the same busy torrents (Game of Thrones).


EDIT: Somehow fast path was checked off.....:(. I'm stupid.

 
bitstorm
just joined
Posts: 2
Joined: Tue Aug 28, 2018 12:09 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Fri May 31, 2019 8:45 am

Well was able to get mine going pretty easily on the RB3011. I am getting 900+ speeds, though it is taxing the CPU pretty hard. Would be awesome if we got VLAN/BONDING hw-offload in the future.

My steps were pretty simple.

Kept my current Firewall configuration, which has fasttrack on the top and a pretty simple configuration, nothing too far out of stock other than my vpn tunnel stuff and some NAT firewall rules for some services.

Set up a bridge for wlan, placed both ether1 and ether2 on. ONT into ether1, RB into ether2.

Set up vlan tagging on the bridge and placed pvid to 1. Frame type is admit all. STP set to none.

I then set up the switch rules as follows:

/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Works as expected. Survives reboots.

Only thing I am trying to possibly sort out, is to disable using vlan filtering on the bridge and somehow get it working on the switch chip level. One can hope.
So you didn't have to use the scripts, etc from above? Just a simple, bridge + vlan + switch rules? We're looking at getting ATT Fiber in a couple months, and would like to make this work with an rb4011 at full gigabit. I'm assuming the 4011's CPU will probably be closer to 60% under load compared to the rb3011 maxing out? I'd rather have the extra headroom if that's the case.

I'm also considering picking up a static IP block, do you think I'll have any issue with that? I'd like to just throw a couple more ports into the WAN bridge and let the servers use the static IPs. Seems like that should be doable? Is there a specific gateway I should request? I found a post on r/homelab that recommended asking the tech to install a BGW210-700 Gateway.

https://www.reddit.com/r/homelab/commen ... _ip_block/
 
botcoder
just joined
Posts: 2
Joined: Mon Jun 03, 2019 10:12 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Tue Jun 04, 2019 12:27 am

Hello,

Thanks for the instructions. I just got an RB4011 today. Just wanted a clarification with this method. ether2 connection is between the ATT RG ONT port and Mikrotik? Asking because another user in the same thread reported success without an RG being involved. I am guessing if there is no TV service then EAPOL isn't involved?

 
botcoder
just joined
Posts: 2
Joined: Mon Jun 03, 2019 10:12 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Thu Jun 06, 2019 10:23 pm

I tried the method posted by @pcunite and I ran into some issues. ether1,ether2 on bridge with pvid=111. On my router broadband light and service light lit up green but I was not getting DHCP on ether1. Settings seemed ok. vlan_filtering=yes, admit-all set.

So I tried a different approach and for others who are interested in getting this to work on an RB4011 with the AT&T RG this works very well and I haven't seen a connection drop in 48 hours.


- If you have a spare switch, connect ONT and RG to switch. Let EAPOL authentication go through. (Green on RG on Broadband+Service LEDs)
- On Mikrotik, create a bridge with only one port on it <ether1>. PVID can be default. vlan-filtering is yes and admit-all=yes. Run dhcp-client with peer-dns set to no (I prefer not to use ATT's)
- Set MAC to MAC of RG on the interface
- Ensure firewall rules specify the newly created bridge (I just added the bridge to my WAN interface list as my firewall rules already specify this list)
- Disconnect ONT cable from switch and connect it to ether1. Check if DHCP is received on the interface (ip->dhcp-client on web interface)
- Turn RG off.

My ONT is battery backed. But if I lose the connection then simply connect RG and ONT to switch, re-authenticate and re-connect ONT cable back to Mikrotik.

I am getting 940/900 consistently on speedtest.net on my main PC downstairs (connected by approximately a 100ft Cat5e). I am also seeing similar high Tx/Rx numbers on the bridge interface on the web mgmt page. I also have a CRS326 to connect in front in a router on a stick setup since I have about 15-20 cat5e connections at home (currently PC is connected directly to router port 3)
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Sat Jul 06, 2019 1:45 am

I have successfully implemented the bypass method both to a stand-alone ONT (bypassing a BGW210) as well as using a SFP fiber module to a Ciena eMUX 5150 series (bypassing a NVG595) and it is running very well. Additionally, I have created a script that automates the startup in case of a reboot (e.g. running out of UPS power). Before I release the scripts (based heavily upon work by @pcunite, THANK YOU!) I would like to enhance the solution. I have two questions:

1) In v6.45.1 there is now support for 802.1x or dot1x. I found a solution for pfSense that allows the RD to stay connected at all times and provide the 802.1x authentication when the ISP e.g. sends a certificate update. https://github.com/aus/pfatt. Any suggestion how to achieve this in ROS?

2) On my network, I'm running IPv6 to support team members that cannot get static IPv4 addresses any longer. At the latest node, AT&T have implemented dual stack or native IPv6. The IPv6 address is assigned dynamically (appears to be tied to the base IPv4 address or MAC address), but has not changed for the entire time including replacing the BGW210. The address is not assigned via DHCP IPv6. I have taken the /60 found on the BGW210 and statically assigned the subnets including the router address (which in IPv4 world is assigned by DHCP). However, I would like to let the Mikrotik obtain this address. I assume that registering the fe80:: address for the upstream router interface would be good enough(?), but how is the /60 subnet being detected? Any clues what is going on or how to find out?
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Thu Jul 11, 2019 10:24 am

Wanted to report back that with the 6.45.1 upgrade the DHCPv6 client is working on the dual stack AT&T GPON network. I now have access to the entire /60! What I have learned from getting IPv6 on AT&T and Comcast network is to mix dynamic and static subnets i.e. let the client communicate with the ISP and initiate routing and assign static addresses to the VLANs on my network. Since the subnet assignment does not appear to ever change unless there is a MAC change, it is much more stable than the dynamic assignment of addresses which is the default behavior for the Mikrotik.
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Thu Jul 11, 2019 10:55 am

I'm still stuck on the 802.1X question. To simplify the issue, I'm looking for a solution to the following sequence:
(the Residential Gateway (RG) is attached to port A, the ONT to port B, and whatever network you have is routed over the bridge)
  1. The RG initiates a 802.1/X EAPOL-START from port A.
  2. If the packet matches an 802.1/X type (which it does), it is passed to the ONT interface. If it does not, the packet is discarded. This prevents our RG from initiating DHCP.
  3. The packet is then bridged through ROS to the ONT port B
  4. The ONT should then see and respond to the EAPOL-START, which is passed back through ROS to the RG. At this point, the 802.1X authentication should be complete
  5. The MAC address of the RG is spoofed on the bridge and the ROS DHCP clients (IPv4 & IPv6) request a DHCP lease from the ONT

I'm hoping that the 802.1x support in 6.45.1 will allow processing of the EAPOL-START packet, but I understand that there is a challenge since both the RG and the bridge potentially have the same MAC address. Today we achieve this by disabling the RG port and then cloning the MAC address onto the bridge before a DHCP request is issued.

Any pointers would be appreciated.
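
Added example (not part of the original post, and not RouterOS configuration): a Python model of the forwarding decision in steps 1-4 above, extended to frames that carry an 802.1Q tag such as the VLAN 0 priority tag mentioned later in the thread. The port names rg/ont/router, the MAC addresses and the sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETH_EAPOL = 0x888E                 # the mac-protocol=0x888E value used in the thread
VLAN_TPIDS = {0x8100, 0x88A8}      # 802.1Q and 802.1ad tag identifiers
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "TLS"}


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int
    vlan_id: Optional[int]     # None when the frame is untagged
    priority: Optional[int]    # 802.1p PCP bits of the outer tag
    eapol: Optional[str]       # None when the frame is not EAPOL


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def describe_eapol(raw: bytes, offset: int) -> Optional[str]:
    """Name the EAPOL packet starting at offset, or None if it is truncated."""
    if len(raw) < offset + 4:
        return None
    _version, ptype, length = struct.unpack_from("!BBH", raw, offset)
    body = raw[offset + 4:offset + 4 + length]   # slicing ignores Ethernet padding
    if len(body) < length:
        return None
    label = EAPOL_TYPES.get(ptype, f"EAPOL-type-{ptype}")
    if ptype == 0 and length >= 4:               # EAP header: code, id, length
        code = body[0]
        label = "EAP-" + EAP_CODES.get(code, f"code-{code}")
        if code in (1, 2) and length >= 5:       # Request/Response carry a method type
            label += "/" + EAP_METHODS.get(body[4], f"type-{body[4]}")
    return label


def parse_frame(raw: bytes) -> Optional[Frame]:
    """Parse one Ethernet frame; returns None for anything too short to classify."""
    if len(raw) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", raw, 12)
    offset, vlan_id, priority = 14, None, None
    while ethertype in VLAN_TPIDS:               # skip one or more VLAN tags
        if len(raw) < offset + 4:
            return None
        tci, ethertype = struct.unpack_from("!HH", raw, offset)
        if vlan_id is None:                      # remember the outer tag only
            vlan_id, priority = tci & 0x0FFF, tci >> 13
        offset += 4
    eapol = None
    if ethertype == ETH_EAPOL:
        eapol = describe_eapol(raw, offset)
        if eapol is None:
            return None
    return Frame(mac_str(raw[6:12]), mac_str(raw[0:6]), ethertype, vlan_id, priority, eapol)


def decide(in_port: str, raw: bytes) -> str:
    """Return the egress port for a frame: 'rg', 'ont', 'router' or 'drop'."""
    frame = parse_frame(raw)
    if frame is None:
        return "drop"                            # malformed or truncated
    if frame.eapol is not None:                  # steps 1-4: EAPOL crosses RG <-> ONT
        return {"rg": "ont", "ont": "rg"}.get(in_port, "drop")
    if in_port == "ont":
        return "router"                          # normal traffic goes to the router
    return "drop"                                # step 2: nothing else leaves the RG


# Constructed sample frames (locally administered MACs, not real devices).
RG_MAC = bytes.fromhex("020000000001")
ONT_MAC = bytes.fromhex("020000000002")
PAE_GROUP = bytes.fromhex("0180c2000003")        # 802.1X PAE group address
EAPOL_START = PAE_GROUP + RG_MAC + bytes.fromhex("888e") + bytes([1, 1, 0, 0])
EAP_REQUEST_IDENTITY = (PAE_GROUP + ONT_MAC + bytes.fromhex("81002000888e")  # VLAN 0, PCP 1
                        + bytes([1, 0, 0, 5]) + bytes([1, 1, 0, 5, 1]))
IPV4_FROM_RG = bytes.fromhex("ffffffffffff") + RG_MAC + bytes.fromhex("0800") + b"\x45" + bytes(19)
IPV4_FROM_ONT = RG_MAC + ONT_MAC + bytes.fromhex("0800") + b"\x45" + bytes(19)
TRUNCATED = EAP_REQUEST_IDENTITY[:20]            # cut inside the EAPOL header

if __name__ == "__main__":
    for port, name in [("rg", "EAPOL_START"), ("rg", "IPV4_FROM_RG"),
                       ("ont", "EAP_REQUEST_IDENTITY"), ("ont", "IPV4_FROM_ONT"),
                       ("ont", "TRUNCATED")]:
        print(f"{port:>3} {name:<22} -> {decide(port, globals()[name])}")
```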
 
tomm
just joined
Posts: 1
Joined: Tue Jul 30, 2019 5:30 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Tue Jul 30, 2019 5:51 am

Hi all! I have AT&T fiber and I'm in need of a new router and was wondering about Ubiquiti Edgerouter 4 vs a Mikrotik RB3011 (yes I realize this is a Mikrotik forum).

I have a rackmount server on my home network I use for development, like a workstation. I don't want to use it as a router in case I need to shut it down or something.

So I'm looking for something that I can use as a VPN as well. Better than port forwarding.

Would the RB3011 get the full gig up/down? I know the ER-4 and even ER Lite have good bandwidth, but I can't find much about the RB3011... especially when it comes to AT&T fiber. You folks look like you have a good handle on it though 😃

Big bonus if I can eliminate that AT&T router too! Thanks!
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Tue Jul 30, 2019 3:59 pm

We are standardized on the CCR line with UBNT APs, as this gives us the headroom we need on 1Gb/s. Firewall rules, VPNs, OSPF, etc. quickly add up.
 
wojo
just joined
Posts: 13
Joined: Tue Aug 21, 2018 4:37 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Thu Aug 01, 2019 1:57 am

I'm able to authenticate with the ONT using the dot1x 802.11x support on my CCR1009, just took disabling CRL, setting both the identity and anonymous identity to the MAC on the certs and then importing the entire cert chain. Probably can enable the CRL if the supplemental certs are there, not sure.

However... I cannot get dot1x to work on a bridged interface! This is necessary as that's how I strip the VLAN 0 tagged frames due to the 802.1p priority being set. It stops after the EAP exchange for identity, before the certs start flying over the wire.

You can see and pile on to my post regarding that specific feature being broken here: viewtopic.php?f=2&t=150700&p=742476

Once fixed or a workaround is found, it should be possible to have a complete solution without a switch chip and without having the RG even plugged in.
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Thu Aug 01, 2019 4:08 pm

@wojo - I saw your other post earlier and figured out that you made some progress THANK YOU! Did you also file a ticket with support?
 
wojo
just joined
Posts: 13
Joined: Tue Aug 21, 2018 4:37 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Thu Aug 01, 2019 8:29 pm

@wojo - I saw your other post earlier and figured out that you made some progress THANK YOU! Did you also file a ticket with support?
I didn't, thought it wasn't provided to the built in license types after 30 days. I'll give it a shot though.
 
mejiacalle
just joined
Posts: 4
Joined: Thu Aug 15, 2019 8:28 pm
Location: Miami, Florida

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Thu Aug 15, 2019 11:37 pm

Hello,

I am completely new to Mikrotik hardware and I have the PACE 5268AC (AT&T Fiber 1 Gig). Can someone please let me know the steps and Mikrotik hardware to get in order to bypass the AT&T gateway without impacting speed (apparently the PACE has a DMZ bug, that impacts the speed)? I have PACE 5268AC firmware 11.1.0.531418.

Thanks,
 
inmultec
just joined
Posts: 4
Joined: Wed Feb 06, 2019 8:25 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Fri Aug 16, 2019 3:37 pm

First thing I would do is call ATT and tell them to send new modem and ask for a 210-700. I did this because yes the Pace one slows down after some use and you gotta be rebooting it. I think the process would be the same though.
 
wojo
just joined
Posts: 13
Joined: Tue Aug 21, 2018 4:37 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Fri Aug 16, 2019 4:19 pm

That's a good tip to get the better router for sure.

I'm still working on the solution for Mikrotik, just need to get back to it; have a lot of other things that popped up.
 
berzerker
just joined
Posts: 17
Joined: Thu Oct 26, 2017 6:55 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Fri Aug 16, 2019 4:47 pm

I have successfully implemented the bypass method both to a stand-alone ONT (bypassing a BGW210) as well as using a SFP fiber module to a Ciena eMUX 5150 series (bypassing a NVG595) and it is running very well. Additionally, I have created a script that automates the startup in case of a reboot (e.g. running out of UPS power). Before I release the scripts (based heavily upon work by @pcunite, THANK YOU!) I would like to enhance the solution. I have two questions:

1) In v6.45.1 there is now support for 802.1x or dot1x. I found a solution for pfSense that allows the RD to stay connected at all times and provide the 802.1x authentication when the ISP e.g. sends a certificate update. https://github.com/aus/pfatt. Any suggestion how to achieve this in ROS?

2) On my network, I'm running IPv6 to support team members that cannot get static IPv4 addresses any longer. At the latest node, AT&T have implemented dual stack or native IPv6. The IPv6 address is assigned dynamically (appears to be tied to the base IPv4 address or MAC address), but has not changed for the entire time including replacing the BGW210. The address is not assigned via DHCP IPv6. I have taken the /60 found on the BGW210 and statically assigned the subnets including the router address (which in IPv4 world is assigned by DHCP). However, I would like to let the Mikrotik obtain this address. I assume that registering the fe80:: address for the upstream router interface would be good enough(?), but how is the /60 subnet being detected? Any clues what is going on or how to find out?
Would it be possible for you to release what you have? I wouldn't need IPv6, but interested to see if your method is better than the original one posted.
 
mejiacalle
just joined
Posts: 4
Joined: Thu Aug 15, 2019 8:28 pm
Location: Miami, Florida

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Fri Aug 16, 2019 10:06 pm

First thing I would do is call ATT and tell them to send new modem and ask for a 210-700. I did this because yes the Pace one slows down after some use and you gotta be rebooting it. I think the process would be the same though.
Thanks for the recommendation! After obtaining the replacement modem, what hardware do you recommend? What do you have in your setup, note that I am just using INTERNET service. No need for TV or Telephone from AT&T.

Regards,
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Sat Aug 17, 2019 2:19 am

I have successfully implemented the bypass method both to a stand-alone ONT (bypassing a BGW210) as well as using a SFP fiber module to a Ciena eMUX 5150 series (bypassing a NVG595) and it is running very well. Additionally, I have created a script that automates the startup in case of a reboot (e.g. running out of UPS power). Before I release the scripts (based heavily upon work by @pcunite, THANK YOU!) I would like to enhance the solution. I have two questions:

1) In v6.45.1 there is now support for 802.1x or dot1x. I found a solution for pfSense that allows the RD to stay connected at all times and provide the 802.1x authentication when the ISP e.g. sends a certificate update. https://github.com/aus/pfatt. Any suggestion how to achieve this in ROS?

2) On my network, I'm running IPv6 to support team members that cannot get static IPv4 addresses any longer. At the latest node, AT&T have implemented dual stack or native IPv6. The IPv6 address is assigned dynamically (appears to be tied to the base IPv4 address or MAC address), but has not changed for the entire time including replacing the BGW210. The address is not assigned via DHCP IPv6. I have taken the /60 found on the BGW210 and statically assigned the subnets including the router address (which in IPv4 world is assigned by DHCP). However, I would like to let the Mikrotik obtain this address. I assume that registering the fe80:: address for the upstream router interface would be good enough(?), but how is the /60 subnet being detected? Any clues what is going on or how to find out?
Would it be possible for you to release what you have? I wouldn't need IPv6, but interested to see if your method is better than the original one posted.
I'll put together something over the weekend. What config/instruction are you looking for; the one for Ciena or ONT? For the Ciena we feed the traffic via fiber directly to our CCRs via the SFP port. The ONT version is connected on the direct ethernet CPU port (ports 5-8). Both versions now support IPv6 (though we need to use 6to4 for the Ciena due to the config on the MUX)
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Sat Aug 17, 2019 2:25 am

First thing I would do is call ATT and tell them to send new modem and ask for a 210-700. I did this because yes the Pace one slows down after some use and you gotta be rebooting it. I think the process would be the same though.
Thanks for the recommendation! After obtaining the replacement modem, what hardware do you recommend? What do you have in your setup, note that I am just using INTERNET service. No need for TV or Telephone from AT&T.

Regards,
I would stay away from either box (though the BGW210-700 seems to be better). As you can observe from these discussions, bypassing is the way to go. If you are on a 1G plan, CCR is probably what you are looking for to handle VPN, firewall rules, etc. You will also need some good quality APs for your WiFi. Most folks turn off the WiFi on the T supplied equipment as it lacks range and device compatibility.
 
technoredneck
just joined
Posts: 1
Joined: Wed Aug 28, 2019 10:40 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Aug 28, 2019 10:44 pm

Howdy folks. I've got this very bypass setup and working great on my CCR1009, but I can't for the life of me get the IPTV from Uverse to work any longer than around 10-20 seconds before freezing. I've taken a look at several of the links in this thread and I've tried all manners of new firewall rules, but none seem to help. Anybody have any specific suggestions?

***Update***
I've got the IPTV working now, but I think I need to tighten up the firewall rules a bit still. Ultimately, I'd like to get all of the IPTV stuff in my home segregated on its own VLAN, but I've got several of the wireless TV Receivers...so that gets things more complicated than they already are. Thanks anyway guys for all of the info in this thread!
 
robbz
just joined
Posts: 18
Joined: Wed Mar 02, 2016 9:22 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 11, 2019 1:46 am

Hey everyone!

I guess I haven't really said anything in this thread, but I used these instructions (slightly modified) to get my RB4011 up and running without the BGW. It was running just fine for about a month - and I've gotten some serious speeds (1Gbps/1Gbps easy) through the RB4011, with like 10% cpu use. Good stuff, just proves you don't need anything more powerful (I have a CCR1009-8G-1S-1S+ sitting and collecting dust, got it for some testing purposes a couple of years back and didn't realize I had it still until I've already got the 4011 installed and running).

Anywho, to the issue I am having the past day. Connection cut out, and had to restart RB, ONT and BGW, a couple of hours after, same thing happened - and seems to be happening multiple times/day. I don't know if anyone else had any of this happen the last day - but here I am.

So, I was thinking, it might be time to work out a way to forward all auth/cert requests to the BGW, not just during startup, meaning this would - no matter what - always respond and continue working. Has anyone been working on this? If so, I am willing to work together to get this completed/resolved. If not, does anyone have some insight into how this is handled by AT&T/BGW RG? Before I start dumping traffic and looking...
 
robbz
just joined
Posts: 18
Joined: Wed Mar 02, 2016 9:22 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 11, 2019 1:59 am

Ok, so I read through the full thread and man, there are already two people working on this. vikinggeek and wojo. Did you guys ever put anything together? Should we combine forces to get this resolved - once and for all? ;)
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 11, 2019 2:41 am

Apologies for the lateness in posting my scripts (been traveling for the past few weeks). The script I use will automatically reboot the router if it detects loss of connectivity. Will post soon (promise).

@robbz: Regarding the problem you describe, I had something similar happening in July. It turned out to be the fiber connector going into the ONT. The tech concluded that the "crimp on" connector was to blame, (old school guy) replaced the connector with the true and tried epoxy glue method connector. No problem since then. He got the hint due to the very high error rate on the fiber.
 
robbz
just joined
Posts: 18
Joined: Wed Mar 02, 2016 9:22 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 11, 2019 6:45 pm

Vikinggeek, thanks for the update.

I was thinking something like pass through all auth packets no matter when - or - just move the auth to the RB. Anyone with insight into how the auth works?
 
vikinggeek
just joined
Posts: 13
Joined: Sat Aug 02, 2014 4:14 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 11, 2019 7:48 pm

The authentication method is fairly well known by now. There is a nice solution for pfSense. https://github.com/aus/pfatt. For this to work:
  • 802.1x from a bridge has to be working. See @wojo post viewtopic.php?p=742598 (Everybody should +1 that thread)
  • You need to get hold of a certificate. (Google is your friend)
The longer term solution is for T to let us connect directly to the ONT/eMux without the legacy DSL auth mechanism. I'm working on that too :wink:
 
robbz
just joined
Posts: 18
Joined: Wed Mar 02, 2016 9:22 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 11, 2019 11:14 pm

Gotcha, yeah, I spent some time reading all this through last night too.

The certificate is hard coded on the BGW. Seems there's a tool that we can use to extract that: https://www.devicelocksmith.com/2018/12 ... g-and.html

There are a lot of people that have this down and working on Ubiquiti routers. We should be able to do the same. Also another thread related: viewtopic.php?t=147901
 
robbz
just joined
Posts: 18
Joined: Wed Mar 02, 2016 9:22 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 11, 2019 11:39 pm

Another post that has successfully done this without using "pfatt" on pfsense. https://www.dslreports.com/forum/r32474 ... -w-PFSense

I will need to research more to come up with anything. Either way - where did you find a cert for bgw210? I think I'll end up extracting. BTW: are these not specific to the devices/mac?
 
wojo
just joined
Posts: 13
Joined: Tue Aug 21, 2018 4:37 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Sun Sep 15, 2019 1:16 am

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.
 
robbz
just joined
Posts: 18
Joined: Wed Mar 02, 2016 9:22 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Sun Sep 15, 2019 8:12 am

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.
Does that mean you successfully do auth through RB and have the certs installed on the RB?

Seems the dot1x is what we need, just haven't tried it yet. I have certs now that I can use so definitely want to try it but since my internet connection is being used by the whole household - I may need to switch back to my old connection and a different router before I move forward with this.
 
wojo
just joined
Posts: 13
Joined: Tue Aug 21, 2018 4:37 am

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Mon Sep 16, 2019 4:57 am

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.
Does that mean you successfully do auth through RB and have the certs installed on the RB?

Seems the dot1x is what we need, just haven't tried it yet. I have certs now that I can use so definitely want to try it but since my internet connection is being used by the whole household - I may need to switch back to my old connection and a different router before I move forward with this.
Correct, the certs do authenticate but I'm unable to get traffic to also go at the same time unless I change how it is bridged. I'm going to continue to bang on this.
 
robbz
just joined
Posts: 18
Joined: Wed Mar 02, 2016 9:22 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 18, 2019 2:08 am

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.
Does that mean you successfully do auth through RB and have the certs installed on the RB?

Seems the dot1x is what we need, just haven't tried it yet. I have certs now that I can use so definitely want to try it but since my internet connection is being used by the whole household - I may need to switch back to my old connection and a different router before I move forward with this.
Correct, the certs do authenticate but I'm unable to get traffic to also go at the same time unless I change how it is bridged. I'm going to continue to bang on this.
Sounds interesting. Do you have a config you can share?
 
robbz
just joined
Posts: 18
Joined: Wed Mar 02, 2016 9:22 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Wed Sep 18, 2019 2:11 am

btw, saw in this thread: viewtopic.php?f=2&t=150700&p=749673#p749673

That you're able to auth on a bare interface but not if interface is part of a bridge. Just for curiosity's sake - why does it need to be part of a bridge?
 
shiromar
just joined
Posts: 4
Joined: Mon May 07, 2018 11:31 pm

Re: Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

Mon Sep 23, 2019 1:28 am

Just moved from a fios market to a t market. I was using an rb3011 and maxing out the 1g. Reading over this thread is it safe to assume that if I wanted to plug directly to the ont, I should consider a different router?
