pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:27 pm

Title:
Bypassing AT&T Residential Gateways with MikroTik

Welcome:
If you have AT&T FTTH service and would like to use your MikroTik hardware to its fullest potential, this article is for you. Discover how to connect directly to the Fiber ONT device, bypassing other middleware hardware. The AT&T-provided Residential Gateway, aka the ATT RG router, might be one of: BGW210-700, BGW320-505, NVG589, NVG599, 5268AC, or any new models that might come out. These devices do provide value and are required if using IPTV or VoIP service. For pure Internet-only service, however, they are not needed.

Why Bypass?
When it comes to a network rack or data closet, it is very frustrating to be forced into adding unnecessary hardware which will only take up space, use more power, generate heat, and become a point of failure in the network. Also, the best firewall and NAT device is a MikroTik! We want it to be the first thing that a packet must traverse. In this article we show you how to do just that. Note that at all times we respect the AT&T network. This does not enable features you didn't pay for. This article is a benefit to their subscribers. Not everyone is incapable of managing their own on-premises equipment. AT&T has allowed this method to exist for those who are responsible with it.

Hardware and Software requirements:
Faster hardware usually results in a better experience. If you have 1 Gbps Fiber service or higher, consider using the RB4011, CCR1009*, or other higher end models. For slower speeds, the RB3011 and hAP ac² are appropriate. The configurations presented here were tested with the RB4011 on DHCP residential service. The recommended RouterOS firmware for any model should be version 6.46 or higher. Note: at this time, only the RB4011 is recommended.

Bypass Methods:
There are two methods presented here which are known as the Bridge Method and the Supplicant Method. These are explored in detail in the posts below. Choose the method that best meets your needs and application. A lot of individuals have contributed to this effort resulting in what we have today which include: devicelocksmith, aus, brianlan, maczrool, wojo, and others.

Technical Overview:
The nature of how this works is a little more technical than perhaps what you're used to dealing with. I will largely repeat what aus has already written, but making changes to suit this article. Essentially, in a stock setting with the ATT RG as the first and only device connected directly to the Fiber ONT, we have:

  • ATT RG boots up
  • Initializing traffic to the ONT uses the 802.1X standard following the EAP-TLS Authentication Protocol (EAPOL). This is a fancy way of saying that there are unique encryption keys stored on the ATT RG that request authorization to connect and pass standard packets beyond the ONT.
  • After authentication, the Fiber ONT device will send ethernet frames as Cisco priority tagged frames. These follow the typical Dot1q (802.1Q) standard but with 0 set as the VLAN ID and some 802.1P bits set. There is not yet a requirement to reply with 802.1P packets.
  • With traffic tagged correctly, an ethernet port (its MAC address must match values in the encryption key) is given an IP address via DHCP. When the lease is issued, the WAN setup handshaking is complete. LAN traffic can now be routed.

This process takes only a few moments but must be allowed to occur or you can emulate it exactly. Therefore, this article shows you how to bridge the 802.1X EAP-TLS traffic by allowing the ATT RG to do its thing, or you may natively import the encryption keys onto your MikroTik and utilize the Dot1x client interface. The choice is yours.
Last edited by pcunite on Wed Apr 15, 2020 5:51 pm, edited 20 times in total.
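The opening of the 802.1X exchange described in the Technical Overview, as an added Python example (it is not code from this post or from RouterOS): it builds and decodes the EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity and EAP-TLS Start frames that the supplicant (the ATT RG, or later the MikroTik Dot1x client) and the authenticator behind the ONT trade before the TLS handshake itself, using the identity form the article configures (the certificate MAC without colons). The authenticator MAC and supplicant MAC are constructed values; the identity-equals-source-MAC check reflects the article's requirement that the port MAC match the certificate, not a rule taken from the standard.

```python
"""Opening of the 802.1X / EAP-TLS exchange on the ONT link (added example).

Builds and decodes the frames exchanged before the TLS handshake proper:
  1. supplicant    -> authenticator : EAPOL-Start
  2. authenticator -> supplicant    : EAP-Request/Identity
  3. supplicant    -> authenticator : EAP-Response/Identity (certificate MAC, no colons)
  4. authenticator -> supplicant    : EAP-Request/EAP-TLS with the Start flag
The TLS records that follow step 4 are not modelled here.
"""
import struct
from typing import Any, Dict, List, Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_VERSION = 2

EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2                    # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 3748 codes
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13                                                 # RFC 5216
EAP_TLS_FLAG_START = 0x20


def mac_to_identity(mac: str) -> str:
    """'00:11:22:aa:bb:cc' -> '001122aabbcc', the identity form the article configures."""
    return mac.replace(":", "").replace("-", "").lower()


def eap_packet(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP header (code, identifier, length) plus optional type and type-data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src: bytes, dst: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Ethernet frame carrying one EAPOL packet, padded to the 60-byte minimum."""
    eapol = struct.pack("!BBH", EAPOL_VERSION, pkt_type, len(body)) + body
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol).ljust(60, b"\x00")


def parse_eapol(frame: bytes) -> Dict[str, Any]:
    """Decode the Ethernet, EAPOL and (if present) EAP headers of one frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not EAPOL: ethertype 0x%04x" % ethertype)
    version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]                  # EAPOL length excludes Ethernet padding
    out: Dict[str, Any] = {"src": src.hex(":"), "dst": dst.hex(":"),
                           "version": version, "type": pkt_type}
    if pkt_type == EAPOL_EAP and len(body) >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        out.update(code=code, id=ident)
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            out["eap_type"] = body[4]
            out["data"] = body[5:eap_len]
    return out


def identity_matches_source(decoded: Dict[str, Any]) -> bool:
    """The article requires the port MAC to match the certificate, so an
    EAP-Response/Identity is expected to carry its own source MAC."""
    if decoded.get("eap_type") != EAP_TYPE_IDENTITY:
        return False
    return decoded["data"].decode() == decoded["src"].replace(":", "")


def exchange(supplicant_mac: str, cert_mac: str) -> List[Dict[str, Any]]:
    """Replay steps 1-4 and return the decoded frames in order."""
    sup = bytes.fromhex(supplicant_mac.replace(":", ""))
    auth = bytes.fromhex("00005e000101")          # constructed authenticator MAC
    frames = [
        eapol_frame(sup, PAE_GROUP_ADDR, EAPOL_START),
        eapol_frame(auth, sup, EAPOL_EAP, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
        eapol_frame(sup, auth, EAPOL_EAP, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY,
                                                     mac_to_identity(cert_mac).encode())),
        eapol_frame(auth, sup, EAPOL_EAP, eap_packet(EAP_REQUEST, 2, EAP_TYPE_TLS,
                                                     bytes([EAP_TLS_FLAG_START]))),
    ]
    return [parse_eapol(f) for f in frames]


if __name__ == "__main__":
    for msg in exchange("00:11:22:aa:bb:cc", "00:11:22:aa:bb:cc"):
        print(msg)
```

Running the block prints the four decoded frames; feeding a MAC that differs from the certificate MAC to `exchange` makes `identity_matches_source` return False for the identity response, which is the mismatch the article warns about when the WAN port MAC is not set to the certificate's Common Name.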
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:28 pm

Bridge Method

Overview:
If you know anything about this option, then you know it has gone by several names: dumb switch bypass, eap-proxy, VLAN bypass, and true bridge mode. Well, they all share a common configuration in that they allow the ATT RG to handle the EAP-TLS protocol. After that, the RG can be powered down and removed. However, in the event of planned reboots or power failures, the ATT RG must be plugged back in. Naturally, the ATT RG can be allowed to stay powered on and ready as needed. Some have used special power adapters to turn the RG on and off automatically.

BridgeMethod.png

Details:
The diagram shows a yellow WAN bridge and a purple LAN bridge. The yellow bridge has temporary ports that enable the ATT RG to be nearly directly connected to the Fiber ONT. The bridge's MAC address is thus the same as the RG. After EAP-TLS authentication occurs, the ether2 port is set to disabled. Standard routing and firewalling can then occur. The ATT RG can be removed or left on as desired.

Scripting:
MikroTik is powered by RouterOS. So, we can create bridges, add or remove ports, turn things on and off, all automatically with the included scripting ability. We are able to do a lot with a single hardware device. This method therefore uses some special scripts to accomplish our goal. Apply this script to your hardware.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway Bypass using only a single MikroTik. No separate hardware or switch
# needed. Automatic recovery from reboot or power loss.
#
# Tested on the RB4011
#
# Date:   12-20-2019
# Topic:  https://forum.mikrotik.com/viewtopic.php?t=154954
#
##################################################################################################


##################################################################################################
# HOW TO INSTALL:
#
# 1) Reset MikroTik (/system reset-configuration) and reboot.
#
# 2) Edit "admin-mac=00:00:00:00:00:00" below to be your ATT RG MAC address.
#
# 3) With only the MikroTik turned on and nothing plugged in, apply this config file.
#
# 4) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 5) Reboot the MikroTik. The included script takes 3 minutes for automatic RG and ONT syncing.
##################################################################################################

# We will create two bridges. One for the LAN and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client to pull an IP from the ATT ONT
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Add the script that enables automatic recovery from reboot or power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN preferences
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add chain=input action=accept   connection-state=established,related comment="Allow established related"
add chain=input action=accept   in-interface=Bridge_LAN comment="Allow LAN"
add chain=input action=accept   protocol=icmp comment="Allow Ping"
add chain=input action=drop     comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Allow established related"
add chain=forward action=accept connection-state=new in-interface=Bridge_LAN comment="Allow LAN"
add chain=forward action=accept connection-nat-state=dstnat in-interface=Bridge_WAN comment="Allow port forwards"
add chain=forward action=drop   comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

# Example rule table switching for better performance if hardware support (RB3011, CCR1009).
# /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
# /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Last edited by pcunite on Fri Dec 20, 2019 9:44 pm, edited 6 times in total.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:30 pm

Supplicant Method

Overview:
This option is the preferred way because the ATT RG can be stowed away while MikroTik hardware performs all necessary tasks. All that is required are valid certificates extracted from your ATT RG and a native supplicant client. MikroTik includes this client via their Dot1x interface which provides the wpa_supplicant feature.

SupplicantMethod.png

Details:
Our diagram looks like any normal routing configuration. Really, the only thing unique about this option is that we use a Dot1x client on our yellow ether1 WAN port. The purple ports are all bridged using typical RouterOS syntax. The ether1 MAC address is set to that of your ATT RG certs and gets configured as a DHCP client. We must also import certificate files. Beyond that, the Dot1x handles the EAP-TLS authentication. A very straightforward configuration.

1. Manually Set the System Clock:
Set the clock, under System / Clock, to the correct time and date. This is a requirement of the Dot1x client; otherwise you will get stuck in rejected / connecting / authenticated-without-server error loops.

2. Import Certificate Files:
After you have obtained your certificate files, use the Winbox GUI tool and navigate to the Files menu. Drag and drop your files therein. Next, open the System / Certificates menu. Under the Certificates tab, click Import and load your files. If possible, import the certs in the following order: CA, Client, then the PK. After importing, click Settings and uncheck CRL Download and Use CRL. You will now have approximately six new certificate files in your store. If you double click on an entry, you can see key usage information from the Key Usage tab. You will want to identify the one with tls client capability. Also, in the General tab, the correct one has a Common Name value that is a MAC address and has Trusted checked. This is the correct key to use with Dot1x later.

3. Configure your WAN port:
We'll use ether1 in this example. Set it to be a standalone port, not part of a bridge etc. Run the following command, using your Common Name MAC address: /interface ethernet set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00. Next, set up a DHCP client on ether1, example command: /ip dhcp-client add interface=ether1 disabled=no. Some RouterBoard models also require the following command: /interface ethernet switch port set ether1 vlan-mode=fallback so that they will not drop packets coming from the ONT that have a VLAN id of 0.

4. Configure the Dot1x interface:
This is easy enough in the GUI, but I'll show the command line. Note that you specify the file name that had tls client capability. Set the identity fields to be the MAC address (without the colons). Command: /interface dot1x client add interface=ether1 certificate=Client_myfile.pem eap-methods=eap-tls identity=000000000000.

Conclusion:
At this point everything is ready. Configure the rest of your MikroTik as desired, then reboot the unit. Plug ether1 directly into the Fiber ONT. In the Dot1x GUI, you will note the Status field. After about 30 seconds, it will read authenticated then you'll have an IP address on ether1.
Last edited by pcunite on Tue Dec 24, 2019 12:28 am, edited 14 times in total.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:32 pm

Reserved
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 10:45 pm

Reserved
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 4:05 pm

Hi, thanks for this tutorial and the hard work. I tried this new method with my router (I'm waiting for the new one). I think I got authorization, but for some reason I never have an IP address. The message that I received under Dot1x is "authenticated without server". Any idea? Thanks
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 5:13 pm

I think I have authorization but for some reason I never get an ip address. The message that I received under the dot1.x is authenticated without server . Any idea?

I'm very new to this, so I don't know all the edge cases yet. The Dot1x documentation mentions it and states access to the port is granted without communication with server. Not sure what that means. Can you do a packet capture on the traffic? Makes me think that perhaps you need a certain VLAN tag. Do you have business or residential service? Also, turn off everything, the Fiber ONT too for a few minutes. Then boot up again.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 5:18 pm

I have a residential account. I'm going to try with the new MikroTik when it arrives. Right now I'm using my old one for this test. Like you told me before, maybe the router is underpowered, because it is the CRS109-8G model. The new one is the CCR1009. Thanks
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 2:59 am

I'm still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something.

That said, since I was able to get it working in two phases, this time I automated it. The idea is to have a script monitor things and automatically take the interface in and out of the bridge based on the 802.1x status.

On my CCR1009-7G-1C-1S+ (passive cooled, 1200MHz), I barely break 6% overall CPU with quite a few rules (optimized though), fast path, etc at 1Gbps.

The entire setup is as follows:

Replace the following with your values:
  • bridge-ont - the bridge that strips VLAN 0 tags, has one interface on it that connects to the ONT
  • ether3-ont - the interface connected directly to the ONT
  • 00:00:00:00:00:00 - the MAC address that matches the 802.1x cert bundle that you've uploaded
  • name_of_cert - upload your cert bundle and select this in the dot1x settings

Set up the interfaces, bridge and dot1x:
/interface ethernet set [find name=ether3-ont] mac-address=00:00:00:00:00:00

/interface bridge add admin-mac=00:00:00:00:00:00 auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=ether3-ont

/interface dot1x client add anon-identity=00:00:00:00:00:00 certificate=name_of_cert eap-methods=eap-tls identity=00:00:00:00:00:00 interface=ether3-ont
/certificate settings set crl-use=no

This is the script that I run every 5 seconds, which is probably overkill, but it doesn't write any config changes or log anything unless something changes so should be fine in terms of NAND wear, etc. I'll probably tune it down to every minute later.
:local interfaceOnt "ether3-ont"
:local bridgeOnt "bridge-ont"

:local scriptName "CheckDot1x"
:local dot1xStatus [/interface dot1x client get [find interface=$interfaceOnt] status]
:local portDisabled [/interface bridge port get [find bridge=$bridgeOnt interface=$interfaceOnt] disabled]

#:log info "$scriptName: Checking, dot1xStatus=$dot1xStatus, portDisabled=$portDisabled"

:if ($dot1xStatus = "authenticated") do={
  :if ($portDisabled) do={
    :log warn "$scriptName: authenticated, enabling bridge"
    /interface bridge port enable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
} else={
  :if (!$portDisabled) do={
    :log warn "$scriptName: not authenticated ($dot1xStatus), disabling bridge"
    /interface bridge port disable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
}

For easy adding:
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup

Finally place your DHCP on the "bridge-ont" interface. I'm able to pull both IPv4 and a /60 of IPv6, which I've split up into three /64 subnets for my private network, IoT and guest networks.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:25 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status and no luck. Looking for any help. Thanks
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:33 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status and no luck. Looking for any help. Thanks
I think I've hit that when something was wrong with the certs or dot1x setup. Can you show your configuration with MACs scrubbed and such for dot1x and certificate settings?

Also -- I can't remember entirely if it was required but I did import the entire cert chain as well as disable the CRL.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:34 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status and no luck. Looking for any help. Thanks

Yes, I just tested my system again (resetting everything for testing) and get the same error. I'll be tracking this down. For now, set your system clock to the correct time. Also, make sure, under System Certificates, that your Client key is KT.

Interestingly, when I restore my system from backup, everything works. So, there is something stored in the backup file, that simply enables an ether1 interface to just work without putting into bridge, then removing, as wojo is having to.
Last edited by pcunite on Sun Dec 22, 2019 4:39 am, edited 1 time in total.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:39 am

This is part of my config without the Dot1x check. I imported the 3 certificates (CA_00..., Client_00.., PrivateKey_PKCS1_00..) that were created when using the utility that creates the wpa_supplicant.conf

/interface ethernet
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx
set [ find default-name=ether2 ] name=ether2
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7

/interface bridge settings
set use-ip-firewall=yes
/interface dot1x client
add anon-identity=xxxxxxxxxxxx certificate=Client_cert.pem_0 \
eap-methods=eap-tls identity=xxxxxxxxxxxx interface=ether1
Last edited by jack2020 on Sun Dec 22, 2019 5:05 am, edited 1 time in total.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:59 am

I changed the clock to the right date and time, imported the certificates again, and used the one with KT with the Dot1x. Same message. Thanks
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:03 am

I changed the clock to the right date and time, imported the certificates again, and used the one with KT with the Dot1x. Same message. Thanks

Okay, I think what may have happened is that I too had a bridge, then took it out of the bridge. After that, it stays working. Please try wojo's scripts. I will keep looking until I find the answer.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:08 am

I removed the WAN bridge; ether1 is alone, and the only bridge that I have is for the LAN. Do I need to remove the LAN_Bridge and create a new one for the LAN?
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:09 am

I removed the WAN bridge; ether1 is alone, and the only bridge that I have is for the LAN. Do I need to remove the LAN_Bridge and create a new one for the LAN?

No, the LAN side is fine. What we are doing is fairly advanced here. I understand it must be confusing for you. We are only talking about WAN interfaces.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:12 am

OK, eth1 is alone without any WAN_Bridge. And no WAN_Bridge. I'm going to try the Dot1x script. Thanks
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:34 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:35 am

Okay, I think what may have happened is that I too had a bridge, then took it out of the bridge. After that, it stays working. Please try wojo's scripts. I will keep looking until I find the answer.
I got bit by the same thing when first starting as well, until I started throwing reboots and disconnects at the situation.

Well... the scripts aren't ideal, but are fast and seem to be reliable so far. Like you said, the ONT doesn't seem to ask for reauth once up, ever.

If dot1x ever reports it's not auth'd, the script will at least try to let it do it again by taking the interface out of the bridge. I'm just scared that if the ONT decides to unauth without a link drop/status change, nothing would notice.

In order to catch that situation, would need to test the gateway and try bouncing or something I guess.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:46 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.
And with just the interface (no bridge), you can disconnect the ONT ethernet cable or disable that interface, bring it back, and it'll run through the EAPOL process and then grab an IP?
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:08 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.
And with just the interface (no bridge), you can disconnect the ONT ethernet cable or disable that interface, bring it back, and it'll run through the EAPOL process and then grab an IP?

Yes, and it works! I will update the article now. Basically, follow the article, but set the clock, under System / Clock, to be the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew IP, turn off the interface, whatever, and it will re-auth correctly.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:13 am

Yes, and it works! I will update the article now. Basically, follow the article, but set the clock, under System / Clock, to be the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew IP, turn off the interface, whatever, and it will re-auth correctly.
My time is correct and synced via NTP.

Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0 by hooking up wireshark to the mikrotik. It's a known issue of Mikrotik to not handle VLAN 0 like other hardware out there, so I'm thinking your ONT is not setting that VLAN tag of 0.

Also, what is the model of ONT?
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:18 am

Yes, and it works! I will update the article now. Basically, follow the article, but set the clock, under System / Clock, to be the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew IP, turn off the interface, whatever, and it will re-auth correctly.
My time is correct and synced via NTP.

Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0 by hooking up wireshark to the mikrotik. It's a known issue of Mikrotik to not handle VLAN 0 like other hardware out there, so I'm thinking your ONT is not setting that VLAN tag of 0.

Also, what is the model of ONT?

I have the Alcatel-Lucent G-010G-A. I'll try to get a capture later. Won't be today.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:21 am

I have the Alcatel-Lucent G-010G-A. I'll try to get a capture later. Won't be today.
Same model here.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:36 am

My time is correct and synced via NTP. Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0 by hooking up wireshark to the MikroTik.

Replying to this again, going to take a break for now. However, please test the following:

  • Do a System / Reset Configuration unchecking No Default Configuration.
  • Reboot
  • Set the System / Clock manually to ensure the correct time, right now.
  • Import your certs
  • Then apply a setup script that looks something like below. Note the order of things to keep auto mac assignments sane.
  • Reboot

# dec/21/2019 23:11:39 by RouterOS 6.46.1
# model = RB4011iGS+

/system identity
set name=Router

# Create your LAN Bridge first
/interface bridge
add name=BR_LAN protocol-mode=none vlan-filtering=no

# Add their ports
/interface bridge port
add bridge=BR_LAN interface=ether2
# and so on
# yadda yadda

# WAN Port, now set the MAC to your cert MAC on ether1
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00

# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no

# turn on the DHCP client
/ip dhcp-client
add disabled=no interface=ether1

# turn on the Dot1x interface, use your MAC
/interface dot1x client
add certificate=Client_Cert.pem_0 eap-methods=eap-tls anon-identity=000000000000 identity=000000000000 interface=ether1

# setup your firewall
/ip firewall filter
# yadda yadda

# NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 comment="Default masq"

# turn on VLAN if desired
#/interface bridge set BR_LAN vlan-filtering=yes

# reboot

 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 2:22 pm

Hi, I followed the last instructions and keep getting the same message, "Authorized without server". Maybe my area has another kind of configuration, or the MikroTik RB4011iGS+ works differently than my CCR1009-7G-1C (tile). Something curious: if I change my MAC address in the dot1x client using either format, 000000000000 or 00:00:00:00:00:00, or remove it from the anon-identity field, or change eap-methods to None, I always receive "Authorized without server".

Note: I have had an AT&T fiber residential account since 2017; my public IP always stays the same and never changes. Basic Internet only.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:50 pm

Here is my capture. Please make one for your WAN interface, so we can compare. Go to Tools / Packet Sniffer. Under the General tab set the File Name to be something.pcap. Under the Filter tab, set the Interface, then Direction any. Then press Start. When done press Stop then download the file from the Files menu. Next, load the pcap file into Wireshark. To hide things, use a display filter like this at the top !(ip.addr == 1.2.3.4). Then photoshop the rest.

Wireshark Notes:
Right click on a column name at the top, choose Column Preferences, then Columns. Now, you can add a new column. I added 802.1Q VLAN id and set the label for it.

Notes about Starting a capture
My ether1 is my WAN port. It is not part of a bridge. So, I disabled the interface. Then I re-enabled it, and then pressed Start in the packet sniffer to get this capture. I think the packet sniffer tool may have an issue with disabled interfaces. That's why I did it like this.

capture.png
Last edited by pcunite on Sun Dec 22, 2019 10:38 pm, edited 1 time in total.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:29 pm

Here's my capture. This is on my ether3-ont interface with no bridge. As you can see, it goes through EAPOL successfully, and then when I broadcast for DHCP I get an offer back on VLAN 0. The only way I've been able to process those incoming packets (incl. all subsequent IP packets) is to place that interface on a bridge alone and enable VLAN filtering to strip VLAN 0.

Screen Shot 2019-12-22 at 11.49.17.png

One thought -- it looks like you are on a RB4011iGS+ (block diagram) which has two RTL8367 switch chips. The CCR1009-7G-1C-1S+PC (block diagram) does not have any. Perhaps that architecture is what allows processing of those VLAN 0 tagged packets whereas in my situation I have a raw CPU connection and cannot.

I've tried all combos of IP mangle to set DSCP to fix the packets, but it's not early enough in the pipeline. In fact I never even see any packets match my rules when they are VLAN 0.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:51 pm

...
Last edited by jack2020 on Sun Dec 22, 2019 11:16 pm, edited 1 time in total.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:00 pm

One thought -- it looks like you are on a RB4011iGS+ (block diagram) which has two RTL8367 switch chips. The CCR1009-7G-1C-1S+PC (block diagram) does not have any. Perhaps that architecture is what allows for the processing of those VLAN 0 tagged packets, whereas in my situation, I have a raw CPU connection and cannot.

Thank you for the packet capture, very interesting. Your switch chip observation may have some truth to it. Whenever I export settings from an RB4011, the following appears in the results. So, it seems that VLAN 0 is the default. However, why would VLAN-tagged packets not appear in my capture, as they do in yours? One way to know whether AT&T is doing this or it's the MikroTik is for me to test with a CCR1009. I don't have one at this time.

# This always appears when exporting configurations on an RB4011
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:01 pm

Update: see your post about the switch config, yeah that's exactly what I'm thinking. Here's my post I was just about to hit Submit on:

OK, my theory seems like it could be correct. I added DSCP into my Wireshark columns, and it shows CS6 level for all packets coming from the ONT. To test this, I took a managed switch (a TL-SG2216 I had around) that had VLAN capabilities and set it up with the following:

  • ports 1 (ONT), 2 (Mikrotik) on VLAN 2, PVID 2, untagged -- VLAN 2 is an arbitrary choice, just the next free one but doesn't matter
  • all other ports on VLAN 1 (default), PVID 2, untagged

This forces my switch to accept the frames and strip the VLAN tag before sending them to my MikroTik. The result looks like this:

Screen Shot 2019-12-22 at 14.24.23.png

Notice that the DSCP header is unchanged, but the VLAN 0 tag has been removed.

This is a simpler setup without any scripts and running both dot1x and DHCP/everything else on the single port, no bridge. My CPU usage is around 1% now without the bridge, and it seems I may be getting slightly better speeds (was getting ~high 90s before, but who knows with the stuff between me and the test file):

/dev/null 26%[============> ] 268.57M 105MB/s
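What the priority-tagged frame from the ONT looks like on the wire, and what the managed switch above does to it, as an added example in Python. This is not code from the thread or from MikroTik; the frames, the MAC addresses and the 192.0.2.x addresses are constructed here as placeholders, and the decoder only reads the fields the Wireshark columns in this discussion show (802.1Q VID and PCP, DSCP, EAPOL vs DHCP).

```python
import struct

ETHERTYPE_VLAN = 0x8100    # 802.1Q tag; an 802.1p priority tag is the same header with VID 0
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_EAPOL = 0x888E   # 802.1X EAP over LAN
IPPROTO_UDP = 17
DSCP_CS6 = 48              # CS6 = DSCP 48, i.e. TOS byte 0xC0


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Decode the Ethernet header, an optional 802.1Q tag and, for IPv4, the DSCP
    value and whether the payload is DHCP (UDP 67/68). Raises on truncated input."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": fmt_mac(dst), "src": fmt_mac(src), "tagged": False, "kind": "other"}
    offset = 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        # TCI = 3-bit PCP | 1-bit DEI | 12-bit VID. VID 0 means "priority tag only".
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = etype
    if etype == ETHERTYPE_EAPOL:
        info["kind"] = "eapol"
    elif etype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4
        info["dscp"] = frame[offset + 1] >> 2          # upper 6 bits of the TOS byte
        if frame[offset + 9] == IPPROTO_UDP and len(frame) >= offset + ihl + 8:
            sport, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
            if {sport, dport} & {67, 68}:
                info["kind"] = "dhcp"
    return info


def strip_priority_tag(frame):
    """Remove the 802.1Q header only when it carries VID 0 (a priority tag).
    Frames on a real VLAN are returned unchanged, and the DSCP inside is left
    alone, which matches the capture taken after the managed switch."""
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        if vid == 0:
            return frame[:12] + frame[16:]
    return frame


# --- constructed sample frames (placeholders, not captured traffic) ---
CLIENT_MAC = bytes.fromhex("001122334455")    # stands in for the certificate MAC
GATEWAY_MAC = bytes.fromhex("66778899aabb")
PAE_GROUP = bytes.fromhex("0180c2000003")     # 802.1X PAE group address

# EAPOL-Start: protocol version 1, packet type 1 (Start), body length 0, sent untagged.
EAPOL_START = PAE_GROUP + CLIENT_MAC + struct.pack("!H", ETHERTYPE_EAPOL) + bytes([1, 1, 0, 0])


def build_dhcp_offer(tag_tci=None, dscp=DSCP_CS6):
    """Minimal UDP 67->68 datagram in IPv4 (checksums left zero), optionally
    wrapped in an 802.1Q header with the given TCI."""
    payload = b"\x02" + b"\x00" * 11             # BOOTREPLY op byte, rest zeroed
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + udp
    eth = CLIENT_MAC + GATEWAY_MAC
    if tag_tci is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, tag_tci, ETHERTYPE_IPV4) + ip


# What the ONT hands back in the captures above: PCP 6, VID 0, DSCP CS6 inside.
DHCP_OFFER_VLAN0 = build_dhcp_offer(tag_tci=(6 << 13) | 0)

if __name__ == "__main__":
    for name, frame in (("EAPOL-Start", EAPOL_START),
                        ("DHCP offer from ONT", DHCP_OFFER_VLAN0),
                        ("after stripping", strip_priority_tag(DHCP_OFFER_VLAN0))):
        print(name, parse_frame(frame))
```

The point of the VID check in strip_priority_tag is that a switch port configured as untagged strips every tag, whereas a router that only wants to tolerate priority tags should leave real VLANs alone; that is the distinction the vlan-mode=fallback and always-strip options discussed later in the thread are working around.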
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:44 pm

I added DSCP into my Wireshark columns, and it shows CS6 level for all packets coming from the ONT.

I updated my capture post to show DSCP.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 2:07 pm

I tried the bridge_ont option and for some reason my authorization fails; I think something is wrong with this certificate. On lines 14, 18 and 21 the system asks for my real IP address? I include my Wireshark image. Thanks for any idea.
I also tried the configuration without the bridge and I get no request for EAPOL.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 5:05 pm

I tried the bridge_ont option and for some reason my authorization fails; I think something is wrong with this certificate. On lines 14, 18 and 21 the system asks for my real IP address? I include my Wireshark image. Thanks for any idea.
I also tried the configuration without the bridge and I get no request for EAPOL.

Let's work on EAPOL first, then we can work on ARP and DHCP. You'll need to see an EAPOL Start, then finally an EAP Success. It takes about 30 seconds or so for that to happen. So, let's start from the beginning for you. Since you have a CCR1009, wojo has discovered that ultimately you'll need to use the bridge option. However, for testing, I only want to work on EAPOL first, so we're going to use the bare interface method for now. In Wireshark, please turn on the columns for VLAN (802.1Q) and DSCP (IP DSCP Value). Use the display filter: eapol || dhcp.

Do the following:

  • Install firmware 6.46.1. Reboot. Then also the secondary part via the /system routerboard upgrade command. Reboot. Then reset everything via System / Reset Configuration unchecking No Default Configuration. Reboot. Now you have a base configuration.
  • Set the System / Clock manually to ensure the correct time.
  • Import the certs in the following order: CA, Client, then the PK. After importing, click Settings and uncheck CRL Download and Use CRL. Note the KT key with a MAC address for its Common Name.
  • Finally, implement this script (adjust with your values). Keep your overall configuration simple, very few firewall rules, etc. We don't care about that right now, we just want to see the EAP Success value in the capture.

/system identity set name=EAPOLTEST

# Create your LAN Bridge first
/interface bridge add name=BR_LAN protocol-mode=none vlan-filtering=no

# Add ports
/interface bridge port
add bridge=BR_LAN interface=ether2
# and so on yadda yadda

# WAN Port, set the MAC to your cert MAC on ether1
/interface ethernet set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00

# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no

# turn on the DHCP client
/ip dhcp-client add disabled=no interface=ether1

# turn on the Dot1x interface, use your MAC
/interface dot1x client add certificate=Client_Cert.pem_0 eap-methods=eap-tls anon-identity=123 identity=123 interface=ether1

# setup your firewall
/ip firewall filter
# yadda yadda

# NAT
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 comment="Default masq"

# reboot, then turn on the Packet Sniffer tool
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 5:59 pm

Here is my configuration with my modification. This one is without the WAN Bridge, the first screenshot was with the WAN Bridge. I removed the real MAC address for this post.
My first interface is combo1, then I have ether1....ether7
The RouterOS is 6.46.1

/system identity
set name=Mikrotik
# Create your LAN Bridge first
/interface bridge
add name=BR_LAN protocol-mode=none vlan-filtering=no
# Add their ports
/interface bridge port
add bridge=BR_LAN interface=ether1
add bridge=BR_LAN interface=ether2
add bridge=BR_LAN interface=ether3
add bridge=BR_LAN interface=ether4
add bridge=BR_LAN interface=ether5
add bridge=BR_LAN interface=ether6
add bridge=BR_LAN interface=ether7
# WAN Port, now set the MAC to your cert MAC on combo1
/interface ethernet
set [ find default-name=combo1 ] mac-address=00:00:00:00:00:00
# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no
# turn on the DHCP client
/ip dhcp-client
add disabled=no interface=combo1
# turn on the Dot1x interface, use your MAC
/interface dot1x client
add certificate=Client_000000-000000000000.pem_0 eap-methods=eap-tls anon-identity=000000000000 identity=000000000000 interface=combo1
# setup your firewall
/ip firewall filter
# yadda yadda
# NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=combo1 comment="Default masq"
# turn on VLAN if desired
#/interface bridge set BR_LAN vlan-filtering=yes
# reboot

And this is the result: (screenshot)
Last edited by jack2020 on Mon Dec 23, 2019 6:04 pm, edited 1 time in total.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:03 pm

Here is my configuration with my modification. I removed the real MAC address for this post.

For the wireshark output, please put the VLAN and DSCP values to the left of the Info column, so we can see them.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:50 pm

Here it is with the info requested. This one is without the bridge. I see no activity for the authentication, only EAPOL Start and failure.
(screenshot)
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:54 pm

This one is with the bridge.
(screenshot)
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 7:07 pm

Here is my configuration with my modification. This one is without the WAN Bridge, the first screenshot was with the WAN Bridge. I removed the real MAC address for this post.

Hmm, the EAPOL process is failing for sure. You get the identity request, but the tik doesn't even try to respond.

Could you use "export hide-sensitive" and also mask the MACs so we can see the exact config? I haven't tested all these combos of potential errors; they are just from memory, but I believe I saw that status when one of these was wrong. Ensure that:
  • the certificate imported has KT flags (aka has the private key in addition to the public key, and also is trusted)
  • the rest of the cert chain is installed, 5 additional certs for me (Motorola Intermediate, Motorola Root CA, System Infrastructure Root CA, ATT Services Inc Root CA and Frontier-RootCA)
  • on dot1x the identity and anon-identity MACs are set to the cert MAC (your example doesn't have the colons, just from your redaction?)
  • the interface has the MAC address overridden to the cert MAC via the CLI
  • the cert MAC is correct (see commands below)
  • dot1x use-crl must be no
  • the MAC address is not on any other interface (I've done that while testing with many different ports, moving stuff around)
  • system clock is correct
  • that port is connected directly to ONT, and power cycle the ONT just in case

Check certificate CN for the MAC:

# openssl x509 -in Client-xxx.pem -text | grep Subject
        Subject: C=US, O=Motorola, Inc., CN=00:00:00:00:00:00/serialNumber=xxx
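Most of the items in the list above can be checked from text before anything is plugged into the ONT. The following is an added example in Python, not code from the thread or from MikroTik, that reads a RouterOS "export" and the Subject line printed by the openssl command above and reports the mismatches a tired pair of eyes tends to miss: a dot1x client entry without certificate=, identity or anon-identity that differ from the CN, the WAN port still on its factory MAC, the cert MAC set on a second port, and crl-use left on. The two exports, the Subject line and all MAC addresses below are constructed placeholders.

```python
import re

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def norm_mac(value):
    """'00:11:22:33:44:55', '001122334455' and '00-11-22-33-44-55' all become
    '001122334455'; anything that is not 12 hex digits becomes None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value or "").lower()
    return digits if MAC_RE.match(digits) else None


def cert_mac_from_subject(subject_line):
    """Pull the MAC out of the CN in an 'openssl x509 -text' Subject line."""
    m = re.search(r"CN=([0-9A-Fa-f:\-]{12,17})", subject_line)
    return norm_mac(m.group(1)) if m else None


def parse_export(text):
    """Turn RouterOS export text into (section, verb, {key: value}) tuples,
    joining lines that end in a backslash. The default-name= inside
    '[ find default-name=... ]' is picked up as an ordinary key."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    section, items = None, []
    for line in logical:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb = line.split(None, 1)[0]
        items.append((section, verb, {k: v.strip('"') for k, v in KV_RE.findall(line)}))
    return items


def lint_config(export_text, subject_line):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cert_mac = cert_mac_from_subject(subject_line)
    if cert_mac is None:
        return ["could not read a MAC address from the certificate CN"]
    items = parse_export(export_text)
    entries = []   # one ({names}, mac) per '/interface ethernet set' with a mac-address
    for section, verb, kv in items:
        if section == "/interface ethernet" and "mac-address" in kv:
            names = {kv.get("default-name"), kv.get("name")} - {None}
            entries.append((names, norm_mac(kv["mac-address"])))
    clients = [kv for s, v, kv in items if s == "/interface dot1x client" and v == "add"]
    if not clients:
        findings.append("no /interface dot1x client entry")
    for kv in clients:
        iface = kv.get("interface", "?")
        if not kv.get("certificate"):
            findings.append(f"dot1x client on {iface}: certificate= is missing")
        for field in ("identity", "anon-identity"):
            if norm_mac(kv.get(field)) != cert_mac:
                findings.append(f"dot1x client on {iface}: {field} does not match the certificate CN")
        mine = [m for names, m in entries if iface in names]
        if not mine or mine[0] != cert_mac:
            findings.append(f"{iface}: mac-address is not overridden to the certificate MAC")
        others = [", ".join(sorted(n)) for n, m in entries if m == cert_mac and iface not in n]
        if others:
            findings.append(f"certificate MAC is also set on {'; '.join(others)}")
    crl = [kv for s, v, kv in items if s == "/certificate settings"]
    if not any(kv.get("crl-use") == "no" for kv in crl):
        findings.append("/certificate settings crl-use is not 'no'")
    return findings


# Constructed samples. The CN MAC is a placeholder, not a real device.
SUBJECT = "Subject: C=US, O=Motorola, Inc., CN=00:11:22:33:44:55/serialNumber=0000"

GOOD_EXPORT = """\
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:11:22:33:44:55
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:11:22:33:44:55 certificate=\\
    Client_001122-334455.pem_0 eap-methods=eap-tls identity=\\
    00:11:22:33:44:55 interface=ether1
"""

# Modelled on the kind of paste that fails: no certificate= key, port left on a factory MAC.
BAD_EXPORT = """\
/interface ethernet
set [ find default-name=combo1 ] mac-address=02:00:00:00:00:01
/interface dot1x client
add anon-identity=00:11:22:33:44:55 Client_001122-334455.pem_0 eap-methods=eap-tls \\
    identity=001122334455 interface=combo1
/certificate settings
set crl-use=no
"""

if __name__ == "__main__":
    print("good:", lint_config(GOOD_EXPORT, SUBJECT))
    print("bad: ", lint_config(BAD_EXPORT, SUBJECT))
```

Feed it the output of "export hide-sensitive" and the openssl Subject line; it does not touch the router, so it can run on a laptop before the port is moved to the ONT. The clock, the ONT power cycle and the intermediate certificates in the list above still have to be checked by hand.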
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 7:40 pm

- The certificate imported has the KT flags.
- I imported the first 3 certificates and then I finished with 6 certificates under certificates, including the Client with the KT flag.
- on my dot1x I tried both, with colon and without it. Same result.
- When I tried without the bridge I used only one interface and overrode the MAC. When I tried with the bridge I left the interface with the original MAC.
- In the dot1x I uncheck both options for crl.
- The system clock and date are right.
- The port is connected to the ONT, and in some of my tests I power cycled the ONT.
- My config with the bridge "The bridge, interface and dot1x info". Like you posted before.
Nothing different than the suggested ones. I also reset the configuration without "Default config".

/interface ethernet set [find name=combo1] mac-address="DEFAULT MAC ADDRESS"
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=combo1
/interface dot1x client add anon-identity=xx:xx:xx:xx:xx:xx certificate=Client_00000-00000000.pem_0 eap-methods=eap-tls identity=xx:xx:xx:xx:xx:xx interface=combo1
/certificate settings set crl-use=no
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 8:01 pm

Just for info, I have AT&T fiber 300MB with a DirecTV plan. I have no idea if they manage that account differently.
For my certificates I used the mfg_dat_decode utility for Linux and for Windows. Same result.
My first AT&T modem was a Pace and then I changed it for the Motorola NVG589, the one that I have now.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 9:41 pm

Well, I have some more info. It seems that @jack2020 is correct: there can be a configuration where a bare interface, or even a bridge, will not be able to process EAPOL with a good certificate. Acting on wojo's switch chip theory, I am testing with a hEX PoE lite, just to see what would happen. It has the Atheros8227 switch chip, which seems different from the others. With this unit, I'm having the same issues that jack2020 is having. My capture for reference.

Atheros8327.png
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 11:36 pm

Update

When working with the Atheros8227 switch chip, you must set vlan-mode=fallback on the WAN port. This enabled me to get the hEX PoE to work. Therefore, it seems that some MikroTik boards will drop ingress packets that have a VLAN id of 0. Thus, you must account for this. Of note, I only use a bare interface. I didn't put the WAN port on a software bridge.

The question now. How to do this on the CCR1009 boards?

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 11:57 pm

Thanks for the update. Need to find the equivalent of that command, if not I'm going to return this router.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 3:31 am

...
- When I tried without the bridge I used only one interface and overrode the MAC. When I tried with the bridge I left the interface with the original MAC.
...
Nothing different than the suggested ones. I also reset the configuration without "Default config".

/interface ethernet set [find name=combo1] mac-address="DEFAULT MAC ADDRESS"
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=combo1
/interface dot1x client add anon-identity=xx:xx:xx:xx:xx:xx certificate=Client_00000-00000000.pem_0 eap-methods=eap-tls identity=xx:xx:xx:xx:xx:xx interface=combo1
/certificate settings set crl-use=no

Ugh, it should have at least done dot1x successfully when standalone. In bridge mode though, the combo1 interface needs the MAC from the certificate. 802.1X is done at the interface level, not the bridge (in fact, it only works when disabled from the bridge, per my script).

I'm lost :( You have the same router and it doesn't work like it does for me. Right now I'm stripping packets with another switch, but don't understand why it isn't working for you.

Update

When working with the Atheros8227 switch chip, you must set vlan-mode=fallback on the WAN port. This enabled me to get the hEX PoE to work. Therefore, it seems that on some MikroTik boards, they will drop ingress packets that have a VLAN id of 0. Thus, you must account for this. Of note, I only use a bare interface. I didn't put the WAN port on a software bridge.

The question now. How to do this on the CCR1009 boards?

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback

Good find. Other thing that may work is "vlan-header=always-strip" to get rid of the VLAN tag entirely as well.

I have an RB750Gr3 which doesn't have VLAN capabilities on the switch, so I'd have to resort to bridge VLAN filtering and do it in software, or my current method (a VLAN switch to strip it before the CCR1009).

What's interesting with devices that support hardware switch VLAN is these two things:

  • if it supports vlan-mode (and probably vlan-header) then you can fix up the packets marked with VLAN 0 and process them
  • if it supports VLAN rules on the switch, you can do fancy things like hook the ONT to port 1, forward ethertype = 0x888E (EAPOL) to port 2 on the RG, and the rest to the Mikrotik
    /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
    /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Still lost why jack2020 can't get it to work on the same exact model I have, the CCR1009-7G-1C (without switches). Hmm.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 5:12 am

Thanks for the update. Need to find the equivalent of that command, if not I'm going to return this router.

There is probably a way to process VLAN 0 with the CCR1009. I just don't own one to test. In the Winbox GUI (version 3.20), do you even have a Switch menu? Some of the older CCR's did have switch chips. The new ones do not.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 5:24 am

No Switch option; this is my menu:
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 7:10 am

No Switch option, this is my menu.

Okay, well that makes sense, as there is no switch chip. Hmmm, I don't yet know how to accept anything over the WAN interface on the CCR1009. As wojo has explained, a carefully constructed bridge with vlan-filtering=yes should do it. But I don't know why it fails for you. If you can, please try using an RB4011 and see how it responds on your Fiber ONT.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 2:08 pm

After all, I returned it and bought an RB4011. I hope everything works fine when I receive the new model.
 
jweek
just joined
Posts: 4
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 10:51 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 2:17 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John

Well this is interesting, same configuration and service as me.

If you don't mind sending your certs to me via PM, I can try loading them and see if I can ensure they work. Mine are known working so this could be interesting to just verify it's not that.

I'll also do an export of my config for you and strip anything not related so you can load it directly and just change the certs.

Other than that we will have controlled all other internal variables.
 
jweek
just joined
Posts: 4
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 7:35 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John

Well this is interesting, same configuration and service as me.

If you don't mind sending your certs to me via PM, I can try loading them and see if I can ensure they work. Mine are known working so this could be interesting to just verify it's not that.

I'll also do an export of my config for you and strip anything not related so you can load it directly and just change the certs.

Other than that we will have controlled all other internal variables.

Wojo,

Sounds like a great plan! I can't seem to figure out how to pm here, so if you could pm me your config, I'll load it with my certs and give it a try. If that doesn't work, I'll send you my certs for testing.

Thanks,

John
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 9:26 pm

Someone, please test with a CCR1009 (the new one without any switch chips), and see how you fare.
Last edited by pcunite on Tue May 05, 2020 9:39 pm, edited 1 time in total.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 9:33 pm

After all, I returned it and bought an RB4011. I hope everything works fine when I receive the new model.

I will help you!
: - )
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 11:55 pm

Thanks for all the help received. Just waiting for the other router to arrive, I hope that by putting everything as indicated in the instructions, it will work on the first attempt and nothing special in my area.
 
planetcoop
Member Candidate
Posts: 136
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 5:40 pm

Is this configuration specific to the RB4011 with the VLAN 0 AT&T RG bypass or supplicant?

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 6:07 pm

Is this configuration specific to the RB4011 with the vlan0 att RG bypass or supplicant?
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
etc...

I don't follow your question. The default values on an RB4011, for whatever reason as determined by MikroTik, do set default-vlan-id to a 0. It appears to help with our requirements. Is it working for you?
 
planetcoop
Member Candidate
Posts: 136
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 9:22 pm

It's working great. I have been able to DHCP the WAN interface and statically set a second port to my LAN block range. I have also been able to request the IPv6 delegation /60 and statically assign addresses to interfaces and route accordingly.

I am using the supplicant method on a rb4011 to act as the carrier L3 hand-off and then whatever is behind it can be physical or virtual in a static block range.

Great work here, here is my short anonymous configuration (don't forget to secure your device and network):

/interface ethernet
set [ find default-name=ether1 ] mac-address=D0:39:B3:XX:XX:XX
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
/certificate settings
set crl-use=no
/interface dot1x client
add anon-identity=D0:39:B3:XX:XX:XX certificate=\
Client_00XXXXXX6-22XXXXXX.pem_0 eap-methods=eap-tls identity=\
D0:39:B3:XX:XX:XX interface=ether1
/ip address
add address=68.4.19.94/27 interface=ether2 network=68.4.19.64
/ip dhcp-client
add disabled=no interface=ether1
add default-route-distance=1 disabled=no interface=bonding1
/ipv6 address
add address=2600:1700:390:c51::1 advertise=no interface=ether2
/ipv6 dhcp-client
add add-default-route=yes interface=ether10 pool-name=att pool-prefix-length=60 \
request=address,prefix
/ipv6 route
add distance=1 dst-address=2600:1700:390:c50::/60 gateway=\
2600:1700:390:cc51::90
 
planetcoop
Member Candidate
Posts: 136
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 3:19 am

I have just tested the config on the 3011 and don't seem to be able to get VLAN 0 working like the RB4011 does. :(
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 6:04 am

I have just tested a config on the 3011 and don't seem to be able to get VLAN 0 working like the RB4011 does. :(

You'll have to do something like this:

/interface ethernet switch port
set ether1 vlan-mode=fallback
 
planetcoop
Member Candidate
Posts: 136
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 9:15 am

I have tested that with no better results. :(
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 4:14 pm

I have tested that with no better results. :(

Well, sorry to hear that. We need RouterOS to have better support for 802.1p tags is what this is coming down to.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 8:44 pm

Thanks for all your help. Today I received the RB4011 and everything works as expected, at the first try.
 
planetcoop
Member Candidate
Posts: 136
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 30, 2019 12:14 am

I have purchased a second 4011 for the new cert supplicant method. Works like a charm every time. :)
 
jweek
just joined
Posts: 4
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 30, 2019 3:52 am

I have tested that with no better results. :(

Well, sorry to hear that. We need RouterOS to have better support for 802.1p tags is what this is coming down to.

I agree, it seems to be the issue I'm facing as well. I was hoping to get wojo's config and give it a try, but I may have to return my CCR and purchase something else.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 30, 2019 4:03 am

I have tested that with no better results. :(

Well, sorry to hear that. We need RouterOS to have better support for 802.1p tags is what this is coming down to.

I agree, it seems to be the issue I'm facing as well. I was hoping to get wojo's config and give it a try, but I may have to return my CCR and purchase something else.

I also picked up a 4011 with a good deal, so I'm going to be switching (get it?!) as well. The CCR1009 is really overkill for the home anyway, and this lets me do without either those scripts or the external switch I use to strip the tags.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 04, 2020 7:10 am

... I also picked up a 4011 with a good deal, so I'm going to be switching (get it?!) as well.

Set up the RB4011 today and all is going smoothly, no longer need to play tricks with the script or external switch. A much simpler setup, and cheaper than the CCR1009 as well!
 
jweek
just joined
Posts: 4
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 04, 2020 6:29 pm

... Set up the RB4011 today and all is going smoothly, no longer need to play tricks with the script or external switch. A much simpler setup, and cheaper than the CCR1009 as well!

Agreed, RB4011 up and running smoothly here, thanks all for the assist!
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Jan 16, 2020 11:06 am

Bridge Method

Overview:
If you know anything about this option, then you know it has gone by several names: dumb switch bypass, eap-proxy, VLAN bypass, and true bridge mode. Well, they all share a common configuration in that they allow the ATT RG to handle the EAP-TLS protocol. After that, the RG can be powered down and removed. However, in the event of planned reboots or power failures, the ATT RG must be plugged back in. Naturally, the ATT RG can be allowed to stay powered on and ready as needed. Some have used special power adapters to turn the RG on and off automatically.


BridgeMethod.png


Details:
The diagram shows a yellow WAN bridge and a purple LAN bridge. The yellow bridge has temporary ports that enable the ATT RG to be nearly directly connected to the Fiber ONT. The bridge's MAC address is thus the same as the RG. After EAP-TLS authentication occurs, the ether2 port is set to disabled. Standard routing and firewalling can then occur. The ATT RG can be removed or left on as desired.

Scripting:
MikroTik is powered by RouterOS. So, we can create bridges, add or remove ports, turn things on and off, all automatically with the included scripting ability. We are able to do a lot with a single hardware device. This method therefore uses some special scripts to accomplish our goal. Apply this script to your hardware.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway Bypass using only a single MikroTik. No separate hardware or switch
# needed. Automatic recovery from reboot or power loss.
#
# Tested on the RB4011
#
# Date:   12-20-2019
# Topic:  https://forum.mikrotik.com/viewtopic.php?t=154954
#
##################################################################################################


##################################################################################################
# HOW TO INSTALL:
#
# 1) Reset MikroTik (/system reset-configuration) and reboot.
#
# 2) Edit "admin-mac=00:00:00:00:00:00" below to be your ATT RG MAC address.
#
# 3) With only the MikroTik turned on and nothing plugged in, apply this config file.
#
# 4) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 5) Reboot the MikroTik. The included script takes 3 minutes for automatic RG and ONT syncing.
##################################################################################################

# We will create two bridges. One for the LAN and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client to pull an IP from the ATT ONT
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Add the script that enables automatic recovery from reboot or power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN preferences
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add chain=input action=accept   connection-state=established,related comment="Allow established related"
add chain=input action=accept   in-interface=Bridge_LAN comment="Allow LAN"
add chain=input action=accept   protocol=icmp comment="Allow Ping"
add chain=input action=drop     comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Allow established related"
add chain=forward action=accept connection-state=new in-interface=Bridge_LAN comment="Allow LAN"
add chain=forward action=accept connection-nat-state=dstnat in-interface=Bridge_WAN comment="Allow port forwards"
add chain=forward action=drop   comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

# Example rule table switching for better performance if hardware support (RB3011, CCR1009).
# /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
# /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Thank you for your hard work. I want to report a possible bug, or perhaps it's AT&T causing this, but lately I can't even go past seven days of uptime before getting "rebinding" or "searching". I then need to restart the router and AT&T Gateway. Since I work night-shift my wife has been inconvenienced with no internet for hours. We're cord-cutters so no internet is a bit rough, and frankly I don't trust her to try to restart the modem or router.

Any idea why the RB4011 on 6.46.1 has needed a reboot every seven days, consistently since late December?

Screenshots attached to the original post: January 7th, January 15th.

PS: One thing that I noticed is the AT&T gateway has a green light then under it a red light with the AT&T Mikrotik bridge bypass. However with Ubiquiti's EAP Proxy method it would have two green lights on the AT&T gateway. Not sure if perhaps the issue is simply caused by the EAP-Proxy method allowing authentication more times or well tbh it's out of my scope.
UDM-Pro Former: RB4011, CCR2004, hEX, ER4
Aruba 2930F, CSS326, CRS309, CRS112-PoE Former: Ubiquiti XG-16 & ES-10X
Wireless Wire
AT&T Fiber 1000/1000
http://tlopez.cc/images/hex_is_a_beast.PNG
http://tlopez.cc/images/ccr2004_speedtest.png
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 17, 2020 7:09 pm

Thank you for your hard work, I want to report a possible bug or perhaps it's AT&T causing this, but lately I can't even go past seven days of uptime before getting "rebinding" or "searching". I then need to restart the router and AT&T Gateway. Since I work night-shift my wife has been inconvenienced with no internet for hours.

Any idea why the RB4011 on 6.46.1, is consecutively since late December, needing reboots every seven days?

PS: One thing that I noticed is the AT&T gateway has a green light then under it a red light with the AT&T MikroTik bridge bypass. However with Ubiquiti's EAP Proxy method it would have two green lights on the AT&T gateway. Not sure if perhaps the issue is simply caused by the EAP-Proxy method allowing authentication more times or well tbh it's out of my scope.

The EAP-Proxy method can handle any issues that occur on AT&T's end, which is why some people like it. The MikroTik script is not perfect in that regard because it effectively cuts off the RG after EAP. The script also does not check to see if the internet is still up. It would not be hard to improve it by adding a ping check to a DNS server and rebooting if you can't get a reply. That would restart EAP and get you going.

However, I recommend getting certs. Buy used off eBay. They work very well and handle all situations, like when the ONT loses power (maybe AT&T is working in your neighborhood?). If you don't want to go the cert route, you need to improve the script by making it reboot when it can't get an IP.
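One way to build the ping check pcunite describes, as an added example that is not part of the original post or of pcunite's bridge-method script. It assumes the names from the bridge-method config quoted above (the WAN bridge Bridge_WAN, the re-sync script OnRebootATT, and 9.9.9.9, that config's first DNS server, reused here only as an always-reachable probe host); the script and scheduler name WanWatchdog, the global counter wanFails and the thresholds resyncAfter and rebootAfter are my own. Instead of rebooting on the first lost reply it counts consecutive failed checks: after two it re-runs OnRebootATT so that the still-powered ATT RG is bridged back to the ONT and can redo EAP-TLS, and only after four does it reboot. It also reads the DHCP client state directly, because "searching..." and "rebinding..." are exactly what the post above reports.

```routeros
# WanWatchdog (added example, not from the original post). Paste into
# System > Scripts as a script named WanWatchdog with the read, write, test
# and reboot policies, then add the scheduler entry shown at the bottom.
#
# Assumed names (from the bridge-method config quoted above): the WAN bridge
# is Bridge_WAN and the EAP re-sync script is OnRebootATT. 9.9.9.9 is that
# config's first DNS server, used here only as an always-up probe host.

:local probe "9.9.9.9"
:local resyncAfter 2
:local rebootAfter 4

# DHCP client status is "bound" while we hold a lease; "searching..." and
# "rebinding..." are the states reported in the post above when WAN is gone.
:local dhcpStatus [/ip dhcp-client get [find interface="Bridge_WAN"] status]

# In a script, /ping returns the number of replies received (0 = nothing back).
:local replies [/ping $probe count=5 interval=1s]

# Consecutive-failure counter kept in a global so one lost probe never reboots.
:global wanFails
:if ([:typeof $wanFails] = "nothing") do={ :set wanFails 0 }

:if (($dhcpStatus = "bound") && ($replies > 0)) do={
    :set wanFails 0
} else={
    :set wanFails ($wanFails + 1)
    :log warning ("WanWatchdog: dhcp=" . $dhcpStatus . " replies=" . $replies . " consecutive failures=" . $wanFails)

    # Step 1: bridge the (still powered) ATT RG back to the ONT so it redoes
    # EAP-TLS. OnRebootATT blocks for about 3 minutes while it does this.
    :if ($wanFails = $resyncAfter) do={
        :log warning "WanWatchdog: re-running OnRebootATT so the RG can re-authenticate"
        /system script run OnRebootATT
        /ip dhcp-client renew [find interface="Bridge_WAN"]
    }

    # Step 2, pcunite's suggestion: a reboot restarts the whole startup sequence.
    :if ($wanFails >= $rebootAfter) do={
        :log error "WanWatchdog: WAN still down after $wanFails checks, rebooting"
        /system reboot
    }
}

# Scheduler entry (run once from the terminal, not from inside the script):
# /system scheduler add name=WanWatchdog start-time=startup interval=5m on-event="/system script run WanWatchdog"
```

Keep the RG powered and cabled to ether2, otherwise the re-sync step does nothing and only the reboot remains. With a 5-minute interval the reboot comes about 20 minutes into an outage; if the outage is upstream (ONT down, AT&T maintenance) the router will keep rebooting roughly every 20 minutes until service returns, which is the trade-off pcunite describes. /log print where topics~"script" shows what the watchdog did and when. For the supplicant method discussed later in this thread, swap the OnRebootATT step for whatever re-triggers authentication in that setup.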
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 17, 2020 9:45 pm

... However, I recommend getting certs. Buy used off eBay. They work very well and handle all situations ...

Thank you for the reply. Is buying the certs themselves possible, or do I need to specifically buy an NVG510 with specific firmware, or has downgrading become easier?

Thanks again for replying, really appreciate it.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 18, 2020 5:07 am

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

You can purchase certs off eBay.
Last edited by pcunite on Tue May 05, 2020 9:37 pm, edited 3 times in total.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 18, 2020 9:21 am

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

Send me an email at:
I sent the email, thank you
Last edited by archerious on Wed May 13, 2020 7:40 pm, edited 1 time in total.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Jan 21, 2020 7:31 am

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

Send me an email at:
I am an idiot. I only just realized, duh, .der isn't .pem... lol. Sorry, long day at work and I'm dumb.
Last edited by archerious on Thu May 14, 2020 12:33 am, edited 1 time in total.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Jan 21, 2020 7:49 am

This is amazing. The 802.1x method was incredibly easy once the certs were converted to .pem.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Jan 21, 2020 5:03 pm

This is amazing. The 802.1x method was incredibly easy once the certs were converted to .pem.

Enjoy! It is a really nice solution.
 
Oosik411
just joined
Posts: 4
Joined: Fri Jan 24, 2020 6:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 24, 2020 6:23 am

Would either method work with a hex RB750Gr3?

If I went the supplicant route where do I find certificates to use? I searched eBay and google but only found how they are extracted on older boxes. I have a 5268ac.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 24, 2020 8:29 am

Would either method work with a hex RB750Gr3?

If I went the supplicant route where do I find certificates to use? I searched eBay and google but only found how they are extracted on older boxes. I have a 5268ac.
I'm running wpa_supplicant on MikroTik and tested on an ER4. It worked. You can use an NVG589's keys even if AT&T provided a BGW210. EAP-TLS only auths the device.

The AAA server simply whitelists most gateway models, and the actual subscriber-level auth is done by SLID or the ONT's serial number.

TL;DR: The keys can be from an NVG589 and work even if AT&T gave you a BGW210 or 5268AC.
 
Oosik411
just joined
Posts: 4
Joined: Fri Jan 24, 2020 6:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 24, 2020 9:24 pm

... TL;DR: The keys can be from an NVG589 and work even if AT&T gave you a BGW210 or 5268AC.

How do I find these keys? Maybe I'm not searching the right terms, or do I need to buy an old NVG box and extract the keys myself?
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 24, 2020 9:30 pm

... How do I find these keys? Maybe I'm not searching the right terms, or do I need to buy an old NVG box and extract the keys myself?

That's the most common way; NVG589s are about $20-$40 on eBay used. You could buy one and extract the certs. Once you have the .der files, you use a tool to convert them to .pem files. Then you follow pcunite's guide to add the keys to the MikroTik router.
Last edited by archerious on Mon Feb 10, 2020 8:04 am, edited 1 time in total.
 
Aerowinder
just joined
Posts: 16
Joined: Fri Jan 31, 2020 4:09 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 06, 2020 2:08 am

Greetings all,

Supplicant method working here on my RB4011. Using the device as a pass through to my virtualized pfSense firewall. Thanks to everyone who helped me get to this point.

By the way, finding NVG589s on eBay for $5-$15 isn't exactly easy. I placed a couple bids, put in a couple best offers, and lost them all. I think the person selling the pre-extracted certs is buying all the cheap units to turn a profit.

I'm posting my... completed... config here in case it could help someone in the future. Remember that this is only for a PASSTHROUGH connection. The firewall rules are NOT secure if this is your edge device:
#MikroTik RB4011 - Router OS 6.46.2 - Home
#v1, 2020-02-05 - Initial release.




---------- STEP 1 ----------

Factory reset the router. No defaults. Clean slate.

Note that this setup (firewall rules, mostly) will NOT be secure. It allows incoming connections! It is intended to be used as a pass-through device ONLY!

Connect eth1 to trusted port on UniFi switch.
Connect eth9 to WAN port on UniFi switch.
Connect eth10 to the ONT directly.

---------- STEP 1 END ----------




---------- STEP 2 ----------

/interface ethernet
set ether1 name=eth1-MGMT
set ether9 name=eth9-DMZ
set ether10 name=eth10-ONT

/ip address
add interface=eth1-MGMT address=10.10.1.2/16
add interface=eth9-DMZ address=10.1.10.1/29

/interface list
add name=MGMT
add name=DMZ
add name=ONT

/interface list member
add list=MGMT interface=eth1-MGMT
add list=DMZ interface=eth9-DMZ
add list=ONT interface=eth10-ONT

/ip dhcp-client
add interface=eth10-ONT disabled=no

/ip pool
add name=pool_dmz ranges=10.1.10.3-10.1.10.6

/ip dhcp-server
add name=dhcp_dmz interface=eth9-DMZ address-pool=pool_dmz disabled=no

/ip dhcp-server network
add address=10.1.10.0/29 gateway=10.1.10.1 netmask=29

/ip dhcp-server lease
add address=10.1.10.2 mac-address=<PFSENSE WAN MAC> server=dhcp_dmz

/ip firewall filter
#forward
add chain=forward action=fasttrack-connection connection-state=established,related comment="FastTrack all forwarded established/related connections. Reduces CPU usage significantly."
add chain=forward action=drop connection-state=invalid comment="Drop invalid forwarded connections."
#input
add chain=input action=accept in-interface-list=MGMT comment="!!!LOCAL ACCESS DO NOT DELETE OR DISABLE!!! Allow traffic to router itself from MGMT port."
add chain=input action=accept in-interface-list=DMZ comment="!!!LOCAL ACCESS DO NOT DELETE OR DISABLE!!! Allow traffic to router itself from DMZ port."
add chain=input action=drop comment="Drop remaining traffic to router itself."
#output

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=ONT comment="Send all traffic: DMZ -> ONT"
add chain=dstnat action=dst-nat in-interface-list=ONT to-addresses=10.1.10.2 comment="Send all traffic: ONT -> DMZ"

/interface ethernet
set eth10-ONT mac-address=<RG MAC>

---------- STEP 2 END ----------




---------- STEP 3 ----------

You can now reconnect with WinBox to IP address: 10.10.1.2.

At this time, you need to upload your gateway certificates to the router. Do this via WinBox > Files. There should be 3 files. A CA, a PK, and a Client.

---------- STEP 3 END ----------




---------- STEP 4 ----------

/certificate
import name=Client_XXXXXXXXXX.pem passphrase=""

/certificate settings
set crl-download=no
set crl-use=no

/interface dot1x client
add interface=eth10-ONT certificate=Client_XXXXXXXXXX.pem eap-methods=eap-tls identity=<RG MAC>

---------- STEP 4 END ----------
If anyone can be bothered to read through it, and see something I've left out, please let me know.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 06, 2020 2:31 am

... By the way, finding NVG589s on eBay for $5-$15 isn't exactly easy. I placed a couple bids, put in a couple best offers, and lost them all. I think the person selling the pre-extracted certs is buying all the cheap units to turn a profit. ...
Yeah, I bought an NVG589 recently; with shipping it was $26. Not a bad price, but not as inexpensive.
 
Medikit
just joined
Posts: 5
Joined: Tue Feb 05, 2019 6:08 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Feb 10, 2020 3:55 am

I tried this on an RB4011 using certs from an NVG510. Unfortunately I kept getting "rejected" after "authenticating", I did make sure I set the clock properly.

I ran into some challenges, for example I couldn't find mfg.dat and none of the mounting commands would work. I followed a lead here: https://github.com/aus/pfatt/issues/14 and renamed my mtdblock4 to mfg.dat so perhaps I just created a garbage file and converted it using mfg_dat_decode along with the actual .der files. Not sure if anyone knows where to find the mfg.dat on the NVG510 or how to mount /mfg/.

My next step is likely to pick up an NVG589 if I can't try anything else with the NVG510.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Feb 10, 2020 7:58 am

I tried this on an RB4011 using certs from an NVG510. Unfortunately I kept getting "rejected" after "authenticating" ...

I'd highly recommend the NVG589; a buddy of mine reported nothing but problems when trying to use NVG510 certs for his Fiber service.

No proof... just speculation, but I suspect the AAA server is already kicking NVG510 certs in some areas. Heaven forbid that happens to the NVG589 802.1x certs.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Feb 10, 2020 4:23 pm

I tried this on an RB4011 using certs from an NVG510. Unfortunately I kept getting "rejected" after "authenticating", I did make sure I set the clock properly.

The certs from the NVG510 work for VDSL, but not for fiber service.
 
Al4nw31
just joined
Posts: 2
Joined: Fri Feb 14, 2020 6:41 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Feb 14, 2020 7:57 am

Just extracted NVG589 certs and tried to authenticate using a RB750Gr3 but I can't get a lease. Certs are authenticating properly though. Applied fallback VLAN and it still doesn't work. Are there any other workarounds possible? May look to get a RB4011 to be honest.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Feb 14, 2020 1:17 pm

Just extracted NVG589 certs and tried to authenticate using a RB750Gr3 but I can't get a lease. Certs are authenticating properly though. Applied fallback VLAN and it still doesn't work. Are there any other workarounds possible? May look to get a RB4011 to be honest.
Did you use the flash programmer method or the downgrade-to-9.2.2h0d83 method to extract the certs?
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Feb 14, 2020 3:05 pm

I can't get a lease. Applied fallback VLAN and it still doesn't work.

The RB750Gr3 uses an MT7621 switch chip. The Atheros8227 chips need fallback mode set. For the other types, you might try a different setting. Until MikroTik has consistent firmware across the hardware lines, we will have to guess at what to do. Your certs are fine; see if you can get VLAN 0 working, otherwise the RB4011 is preferred.
 
Al4nw31
just joined
Posts: 2
Joined: Fri Feb 14, 2020 6:41 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Feb 14, 2020 6:28 pm

Just extracted NVG589 certs and tried to authenticate using a RB750Gr3 but I can't get a lease. Certs are authenticating properly though. Applied fallback VLAN and it still doesn't work. Are there any other workarounds possible? May look to get a RB4011 to be honest.
Did you use the flash programmer method or downgrade 9.2.2h0d83 method to extract the certs?
I downgraded.
 
Oosik411
just joined
Posts: 4
Joined: Fri Jan 24, 2020 6:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 27, 2020 6:55 am

I tried this on an RB4011 using certs from an NVG510. Unfortunately I kept getting "rejected" after "authenticating", I did make sure I set the clock properly.

The certs from the NVG510 work for VDSL, but not for fiber service.
Really? Dang...back to eBay. I thought other threads and topics said either work?
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 27, 2020 8:33 am

I tried this on an RB4011 using certs from an NVG510. Unfortunately I kept getting "rejected" after "authenticating", I did make sure I set the clock properly.

The certs from the NVG510 work for VDSL, but not for fiber service.
Really? Dang...back to eBay. I thought other threads and topics said either work?
I only managed with NVG589, bought four on eBay, was able to rip certs from two with the github method. The other two I was not able to; I'll probably have to desolder the NAND and then put it on a flash programmer to dump the mfg.dat.
 
Oosik411
just joined
Posts: 4
Joined: Fri Jan 24, 2020 6:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 27, 2020 10:16 pm

I wonder if the NVG510 doesn't work due to how old it is and the certs have expired. eBay looks picked clean lately. It'd be nice if ATT just let us use our own equipment.

Any ideas why the RB750GR3 doesn't handle certificates well? Other options out of my price range, was hoping to utilize this small wired router.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 27, 2020 11:03 pm

I wonder if the NVG510 doesn't work due to how old it is and the certs have expired. eBay looks picked clean lately. It'd be nice if ATT just let us use our own equipment.

Any ideas why the RB750GR3 doesn't handle certificates well? Other options out of my price range, was hoping to utilize this small wired router.
I suspect it's due to how VLAN 0 is handled based on my experience using wpa_supplicant on Ubiquiti's ER4 before switching to RB4011.
 
mikrohero
just joined
Posts: 1
Joined: Sat Feb 29, 2020 2:16 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Feb 29, 2020 2:48 am

perhaps a stupid question but is the only advantage of going with the supplicant method to prevent having the actual ATT Gateway powered on and active at all times? Seems like a lot of expense/hassle for me to return the Hex S router and Ubiquiti WAP I just bought, then buy a Mikrotik RB4011, then scour eBay for an NVG589 to extract certs. If the only advantage I'm gaining is to not have to use the ATT Gateway, I might just stick to the bridge method. However, my concern is that in other posts, I saw that the "bridge" method ATT offers out of the box forces you to use their small NAT tables on the ATT gateway...is that still the case with this "dumb bridge" method?

OP, thanks a LOT for your research and time...seriously wonderful!
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Feb 29, 2020 10:45 pm

is the only advantage of going with the supplicant method to prevent having the actual ATT Gateway powered on and active at all times?

Basically, yes. If you are willing to keep the ATT RG powered up, then it's a very good method.
 
rooted
Member Candidate
Posts: 107
Joined: Tue Feb 04, 2020 5:58 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Feb 29, 2020 11:36 pm


@pcunite What about this?
However, my concern is that in other posts, I saw that the "bridge" method ATT offers out of the box forces you to use their small NAT tables on the ATT gateway...is that still the case with this "dumb bridge" method?
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Mar 01, 2020 3:23 am

@pcunite What about this?
However, my concern is that in other posts, I saw that the "bridge" method ATT offers out of the box forces you to use their small NAT tables on the ATT gateway ... is that still the case with this "dumb bridge" method?

The bridge method, as shown at the beginning of this thread, does not use the NAT tables of the ATT RG. After EAPOL, the ATT RG is disconnected via automatic disabling of the port it is connected to. I can't speak for other bridge methods posted on the internet.
 
Paul9cf22ad1
newbie
Posts: 37
Joined: Sun Mar 12, 2017 11:40 pm
Location: Seattle, WA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Mar 03, 2020 11:21 pm

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback
I think I have a similar issue, in that no IP address is acquired with an RB3011. So, I'm hoping I'm not messing up this thread. I'm not an expert, so I posted in the Beginner Basics section, but saw this thread and tried the above. Unfortunately, it didn't help.

Cable Modem > RB3011 > PC
The RB3011 does not acquire an IP and no errors in the log. If I put in an old Netgear or WRT router in place of the RB3011, they get an IP.

Cable Modem> NetGear > Switch > RB3011 > PC
The RB3011 gets an IP from the NetGear. I think because I didn't clear the RB3011 settings there are conflicts and I can't get to the internet. But the RB3011 doesn't seem totally bricked. Is my problem the same or similar enough to this thread's issue?
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Mar 05, 2020 11:48 pm

Is IPv6 possible? I know the Ubiquiti users have it with wpa_supplicant but it seems to be a little wonky.

My job has me working from home lately and the VPN they use apparently is having some minor issues since it tries to connect me via both ipv4 and ipv6.

Edit: Stupid me had IPv6 disabled under packages, had to enable it and reboot. Then I just added an IPv6 DHCP client and tested. So far it seems to be working fine.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Mar 13, 2020 9:26 am

removed
Last edited by archerious on Wed Apr 15, 2020 9:22 pm, edited 1 time in total.
 
nitrag
just joined
Posts: 10
Joined: Thu Jun 15, 2017 9:22 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Mar 19, 2020 4:22 pm

Thanks for this thread! I got mine working on my RB4011.

@Paul I had issues being authenticated but no IP Address from DHCP as well.

1. Make sure Identity and Anon-Identity in Dot1x are your Gateway's MAC Address, with colons.
2. Set ether1 switch port to fallback AND the vlan-id=0. Although...it seems that it was no longer set to fallback the next morning though. Hmm.
Last edited by nitrag on Mon Apr 27, 2020 8:31 pm, edited 1 time in total.
 
abiv
just joined
Posts: 12
Joined: Sat Nov 23, 2019 4:51 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Apr 07, 2020 3:03 am

Anyone know why sometimes when the connection dies, replugging the AT&T router re-establishes the connection but only at 500mbit speed? I have to reboot the Mikrotik router to get back to 1000mbit.

(I'm using the bridge method, I power down the AT&T router after it authenticates)
 
SupermanSC
just joined
Posts: 6
Joined: Tue Feb 18, 2020 5:15 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Apr 15, 2020 9:20 am

Thanks for this thread! I got mine working on my RB4011.

@Paul I had issues being authenticated but no IP Address from DHCP as well.

1. Make sure Identity and Non-Identity in Dot1x are your Gateway's MAC Address.
2. Set ether1 switch port to fallback AND the vlan-id=0. Although...it seems that it was no longer set to fallback the next morning though. Hmm.
Hi Nitrag, could you possibly export your config with hide-sensitive? There are discrepancies throughout this thread on the Dot1X config. The primary post says to only use Identity, however many seem to also be specifying Non-Identity - some are using colons in the MAC, others aren't. I've tried it all and they all fail. I authenticate with Dot1X fine, however I never receive an IP address. I'm using an RB4011.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Apr 19, 2020 1:24 pm

I'm still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something.

That said, since I was able to get it working in two phases, this time I automated it. The idea is to have a script monitor things and automatically take the interface in and out of the bridge based on the 802.1x status.

On my CCR1009-7G-1C-1S+ (passively cooled, 1200MHz), I barely break 6% overall CPU with quite a few rules (optimized though), fast path, etc. at 1 Gbps.

The entire setup is as follows:

Replace the following with your values:
  • bridge-ont - the bridge that strips VLAN 0 tags, has one interface on it that connects to the ONT
  • ether3-ont - the interface connected directly to the ONT
  • 00:00:00:00:00:00 - the MAC address that matches the 802.1x cert bundle that you've uploaded
  • name_of_cert - upload your cert bundle and select this in the dot1x settings

Set up the interfaces, bridge and dot1x:
/interface ethernet set [find name=ether3-ont] mac-address=44:E1:37:C4:C8:E1

/interface bridge add admin-mac=00:00:00:00:00:00 auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=ether3-ont

/interface dot1x client add anon-identity=00:00:00:00:00:00 certificate=name_of_cert eap-methods=eap-tls identity=00:00:00:00:00:00 interface=ether3-ont
/certificate settings set crl-use=no

This is the script that I run every 5 seconds, which is probably overkill, but it doesn't write any config changes or log anything unless something changes so should be fine in terms of NAND wear, etc. I'll probably tune it down to every minute later.
:local interfaceOnt "ether3-ont"
:local bridgeOnt "bridge-ont"

:local scriptName "CheckDot1x"
:local dot1xStatus [/interface dot1x client get [find interface=$interfaceOnt] status]
:local portDisabled [/interface bridge port get [find bridge=$bridgeOnt interface=$interfaceOnt] disabled]

#:log info "$scriptName: Checking, dot1xStatus=$dot1xStatus, portDisabled=$portDisabled"

:if ($dot1xStatus = "authenticated") do={
  :if ($portDisabled) do={
    :log warn "$scriptName: authenticated, enabling bridge"
    /interface bridge port enable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
} else={
  :if (!$portDisabled) do={
    :log warn "$scriptName: not authenticated ($dot1xStatus), disabling bridge"
    /interface bridge port disable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
}

For easy adding:
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup

Finally place your DHCP on the "bridge-ont" interface. I'm able to pull both IPv4 and a /60 of IPv6, which I've split up into three /64 subnets for my private network, IoT and guest networks.
Can you show me a screenshot of what it looks like under your DHCPv6 client? If I request a /60 it doesn't work; I have to set the pool prefix length to /64 for it to work. Also your IPv6 address list would be helpful; censoring out most of it is fine, I just need to see what I'm doing wrong.
 
trekbike
just joined
Posts: 6
Joined: Fri Nov 01, 2013 10:38 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Apr 25, 2020 4:21 am

Good evening all,

I have had several Mikrotik products over the last seven years and have been an AT&T fiber-to-the-premises customer for about a year now... I currently have the RB4011 so I was very happy to read about this option of complete removal of the AT&T gateway from the mix. I have read this post almost completely (or almost) and still have a few questions. The first question is primarily because I am seeing some conflicting information regarding the extraction of certs... My AT&T gateway is the Pace Plc 5268AC which I have seen referenced many times. I have also seen the suggestion to go and buy a NVG589 off eBay and get the certs (keys) from that...

Question 1: Can I get the certs (or keys) out of the AT&T (Pace) gear that I have provisioned and running?

Question 2 is more procedural. How do you export the certs/keys from the gateway, OR are they compiled from the (hexadecimal) packet captures obtained with Wireshark?

I learned the hard way to unplug my (Mikrotik) access point to silence it from looking for its gateway in the packet capture... Oops. I also saw Dropbox (on my laptop) doing its typical "discover protocol" a lot so that is just more noise to filter out.

Many thanks to you all!

Tom
 
nitrag
just joined
Posts: 10
Joined: Thu Jun 15, 2017 9:22 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Apr 27, 2020 8:30 pm

Thanks for this thread! I got mine working on my RB4011.

@Paul I had issues being authenticated but no IP Address from DHCP as well.

1. Make sure Identity and Non-Identity in Dot1x are your Gateway's MAC Address.
2. Set ether1 switch port to fallback AND the vlan-id=0. Although...it seems that it was no longer set to fallback the next morning though. Hmm.
Hi Nitrag, could you possibly export your config with hide-sensitive? There are discrepancies throughout this thread on the Dot1X config. The primary post says to only use Identity, however many seem to also be specifying Non-Identity - some are using colons in the MAC, others aren't. I've tried it all and they all fail. I authenticate with Dot1X fine, however I never receive an IP address. I'm using an RB4011.
Sorry for the late reply, don't have notifications setup.

Dot1x:
Interface: <your external interface>
EAP Mode: EAP TLS
Identity: <MAC address, all uppercase, with colons>
Password: <empty>
Anon-Identity: <same as Identity>
Certificate: <Client certificate>

DHCP client is nothing special, just default, pointed at the external interface.
 
mrlane2k
just joined
Posts: 2
Joined: Fri Apr 03, 2020 11:19 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat May 02, 2020 3:25 am

I was able to follow through and get everything set up, dot1x is getting to authenticated, however, I never get an IP through the DHCP client.
I've attached my config below (MAC has been changed from the gateway MAC), any insight into what I am doing wrong would be greatly appreciated.

Thanks!
# may/01/2020 12:01:26 by RouterOS 6.46.6
# software id = QMHQ-Y8J6
#
# model = RB750Gr3
# serial number = 8B0009035633
/interface bridge
add admin-mac=B8:69:F4:D1:3E:C6 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.100.150-192.168.100.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/certificate settings
set crl-download=no crl-store=system crl-use=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-96868569509824.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
/ip address
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=America/Indiana/Indianapolis
/system routerboard mode-button
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
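As an added example (not code from any poster in this thread), here is a small Python checker that parses a RouterOS /export and flags the settings nitrag's checklist above and mrlane2k's export turn on: identity and anon-identity as the same upper-case colon-separated MAC, that MAC also set on the dot1x port, a DHCP client on that port, and a switch port in vlan-mode=fallback for VLAN 0. The two sample exports inside it are constructed (placeholder MAC and certificate names), and the checks mirror what this thread reports, not MikroTik documentation.

```python
"""Lint a RouterOS /export for the dot1x and VLAN 0 settings this thread keeps tripping over.

Added example, not code from the forum. The checks encode what posters reported needing.
"""
import re

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")
PARAM_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample modelled on the RB750Gr3 export posted above (placeholder MAC and cert).
SAMPLE_EXPORT = r"""
# constructed sample export
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_example.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
/ip dhcp-client
add disabled=no interface=ether1
"""

# Constructed sample with mistakes reported in the thread (lower-case MAC, anon-identity mismatch).
SAMPLE_BAD_EXPORT = r"""
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:1E:46:AA:BB:CC
/interface ethernet switch port
set ether1 vlan-mode=fallback
/interface dot1x client
add anon-identity=00:1E:46:AA:BB:CC certificate=cert eap-methods=eap-tls \
    identity=001e46aabbcc interface=ether1
"""


def logical_lines(text):
    """Join export continuation lines (trailing backslash) into one logical line each."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]  # continuation: keep collecting
            continue
        out.append(buf + line)
        buf = ""
    return out


def parse_export(text):
    """Return (section, verb, target, params) for each add/set line of an export."""
    entries, section = [], None
    for line in logical_lines(text):
        if line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        # A "[ find default-name=ether1 ]" selector is the target; its default-name=
        # also lands in params, which the port-MAC check relies on.
        if rest.startswith("["):
            target = rest[: rest.index("]") + 1]
        else:
            first = rest.split(" ", 1)[0]
            target = first if first and "=" not in first else None
        params = {k: v.strip('"') for k, v in PARAM_RE.findall(rest)}
        entries.append((section, verb, target, params))
    return entries


def check_export(text):
    """Return (code, message) findings; an empty list means every check passed."""
    entries = parse_export(text)
    def in_section(name):
        return [e[3] for e in entries if e[0] == name]
    clients = in_section("/interface dot1x client")
    if not clients:
        return [("NO_DOT1X", "no /interface dot1x client entry found")]
    findings = []
    for p in clients:
        wan, ident, anon = p.get("interface", "?"), p.get("identity", ""), p.get("anon-identity")
        if not MAC_RE.match(ident):
            findings.append(("IDENTITY_FORMAT", f"identity {ident!r} is not an upper-case colon MAC"))
        if anon != ident:
            findings.append(("ANON_MISMATCH", f"anon-identity {anon!r} differs from identity {ident!r}"))
        port_macs = [q.get("mac-address", "").upper() for q in in_section("/interface ethernet")
                     if wan in (q.get("default-name"), q.get("name"))]
        if ident.upper() not in port_macs:
            findings.append(("PORT_MAC", f"{wan} mac-address {port_macs} does not match identity {ident!r}"))
        if not any(q.get("interface") == wan for q in in_section("/ip dhcp-client")):
            findings.append(("NO_DHCP_CLIENT", f"no /ip dhcp-client on {wan}"))
        if not any(q.get("vlan-mode") == "fallback" for q in in_section("/interface ethernet switch port")):
            findings.append(("NO_FALLBACK", "no switch port has vlan-mode=fallback; VLAN 0 ingress may be dropped"))
    return findings
```

Run check_export() on the text of your own /export; on the first constructed sample the only finding is NO_FALLBACK, which is exactly the gap between mrlane2k's default-vlan-id=0 line and the vlan-mode=fallback line quoted earlier in the thread.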
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 03, 2020 1:14 pm

If anyone is up for sending me a CCR1009 (the new one without any switch chips), I would like to solve this puzzle.
I am, sent PM and email.
 
trekbike
just joined
Posts: 6
Joined: Fri Nov 01, 2013 10:38 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 03, 2020 7:07 pm

Hi,

It has been a week or so since I posted the questions above... I can see my post but now I am wondering if anyone else can. Just hoping for some responses.

Thanks!

Tom
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 04, 2020 1:05 am

I was able to follow through and get everything set up, dot1x is getting to authenticated, however, I never get an IP through the DHCP client.
I've attached my config below (MAC has been changed from the gateway MAC), any insight into what I am doing wrong would be greatly appreciated.

Thanks!
I was looking over your config, can you disable the rules you have now and try pcunite's? It likely doesn't matter but it'll be useful until my hex arrives. Until then I can't test in person.
 
mrlane2k
just joined
Posts: 2
Joined: Fri Apr 03, 2020 11:19 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 05, 2020 1:31 am

I was able to follow through and get everything set up, dot1x is getting to authenticated, however, I never get an IP through the DHCP client.
I've attached my config below (MAC has been changed from the gateway MAC), any insight into what I am doing wrong would be greatly appreciated.

Thanks!
# may/01/2020 12:01:26 by RouterOS 6.46.6
# software id = QMHQ-Y8J6
#
# model = RB750Gr3
# serial number = 8B0009035633
/interface bridge
add admin-mac=B8:69:F4:D1:3E:C6 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.100.150-192.168.100.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/certificate settings
set crl-download=no crl-store=system crl-use=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-96868569509824.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
/ip address
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=America/Indiana/Indianapolis
/system routerboard mode-button
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I was looking over your config, can you disable the rules you have now and try pcunite's? It likely doesn't matter but it'll be useful until my hex arrives. Until then I can't test in person.
I setup the wan bridge on ether1 with vlan_filter on, and it fired right up.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 05, 2020 4:54 am

I was able to follow through and get everything set up; dot1x gets to authenticated, however I never get an IP through the DHCP client.
I've attached my config below (the MAC has been changed from the gateway MAC); any insight into what I am doing wrong would be greatly appreciated.

Thanks!
I was looking over your config, can you disable the rules you have now and try pcunite's? It likely doesn't matter but it'll be useful until my hex arrives. Until then I can't test in person.
I setup the wan bridge on ether1 with vlan_filter on, and it fired right up.
Nice!
 
Zips
just joined
Posts: 4
Joined: Sat Feb 11, 2017 6:09 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 07, 2020 6:18 pm

Greetings,

First time posting :) long time lurking

I'm trying to bypass AT&T as well. I have the BGW210 and I was able to downgrade the modem back to firmware 1.0.29 and extract the keys and certs, then upgraded it back to firmware 2.6.4 and it works fine. My MikroTik router is the CRS125-24G-1S-2HnD and I have tried everything and cannot get the modem to authenticate; I'm always getting "authenticated without server" and a couple of times "auth was rejected". I don't know what else to try. I know you guys mentioned the port has to be set to fallback and the vlan-id=0, but how do I do that with this router?
Any help will be appreciated
Thanks

-Z
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 07, 2020 6:25 pm

I have the BGW210 and I was able to downgrade the modem back to firmware 1.0.29 and extracted the keys and certs, then upgraded it back to firmware 2.6.4 and it works fine. My MikroTik router is the CRS125-24G-1S-2HnD ... how do I do that with this router?

Only the RB4011 is recommended at this time.
 
Zips
just joined
Posts: 4
Joined: Sat Feb 11, 2017 6:09 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 07, 2020 6:52 pm

I have the BGW210 and I was able to downgrade the modem back to firmware 1.0.29 and extracted the keys and certs, then upgraded it back to firmware 2.6.4 and it works fine. My MikroTik router is the CRS125-24G-1S-2HnD ... how do I do that with this router?

Only the RB4011 is recommended at this time.
Both? The Bridge Method and the Supplicant Method?

Thanks

-Z
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 07, 2020 11:42 pm

Both? The Bridge Method and the Supplicant Method?

I was referring to the Supplicant Method, only the RB4011 is recommended.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 3:25 am

Both? The Bridge Method and the Supplicant Method?

I was referring to the Supplicant Method, only the RB4011 is recommended.
I'm surprised the hex/RB750Gr3 isn't recommended especially for people on 300/300 or 100/100. Does it not work well with wpa_supplicant despite having a switch chip?
Last edited by archerious on Fri May 08, 2020 3:28 am, edited 1 time in total.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 3:28 am

...
- When I tried without the Bridge I use only one interface and override the MAC. When I tried with the bridge I left the interface with the original MAC.
...
Nothing different than the suggested ones. I also reset the configuration without "Default config".

/interface ethernet set [find name=combo1] mac-address="DEFAULT MAC ADDRESS"
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=combo1
/interface dot1x client add anon-identity=xx:xx:xx:xx:xx:xx certificate=Client_00000-00000000.pem_0 eap-methods=eap-tls identity=xx:xx:xx:xx:xx:xx interface=combo1
/certificate settings set crl-use=no

Ugh, it should have at least done dot1x successfully when standalone. In bridge mode though, the combo1 interface needs the MAC from the certificate. 802.1x is done on the interface level, not the bridge (in fact only works when disabled from the bridge per my script).

I'm lost :( You have the same router and it doesn't work like it does for me. Right now I'm stripping packets with another switch, but don't understand why it isn't working for you.

Update

When working with the Atheros8227 switch chip, you must set vlan-mode=fallback on the WAN port. This enabled me to get the hEX PoE to work. Therefore, it seems that some MikroTik boards will drop ingress packets that have a VLAN ID of 0, and you must account for this. Of note, I only use a bare interface; I didn't put the WAN port on a software bridge.

The question now. How to do this on the CCR1009 boards?

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback

Good find. Other thing that may work is "vlan-header=always-strip" to get rid of the VLAN tag entirely as well.

I have an RB750Gr3 which doesn't have VLAN capabilities on the switch, so I'd have to resort to bridge VLAN filtering and do it in software, or my current method (a VLAN switch to strip it before the CCR1009).

What's interesting with devices that support hardware switch VLAN is these two things:

  • if it supports vlan-mode (and probably vlan-header) then you can fix up the packets marked with VLAN 0 and process them
  • if it supports VLAN rules on the switch, you can do fancy things like hook the ONT to port 1, forward ethertype = 0x888E (EAPOL) to port 2 on the RG, and the rest to the Mikrotik
    /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
    /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Still lost why jack2020 can't get it to work on the same exact model I have, the CCR1009-7G-1C (without switches). Hmm.
What brand and model switch are you using to strip vlan 0? I'm still thinking of going ccr2004 for fun since I have some sfp28 nics.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 6:47 am

I'm surprised the hEX/RB750Gr3 isn't recommended especially for people on 300/300 or 100/100. Does it not work well with wpa_supplicant despite having a switch chip?

Recommended just means what most have reported success with. Since the RB4011 is known to work, it is therefore, recommended.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 10:57 am

I'm surprised the hEX/RB750Gr3 isn't recommended especially for people on 300/300 or 100/100. Does it not work well with wpa_supplicant despite having a switch chip?

Recommended just means what most have reported success with. Since the RB4011 is known to work, it is therefore, recommended.
I understand. For CCRs, what model switches have people been using in front of it to take care of the VLAN 0 tagging?

I tried on my Edgeswitch 10X laying around but it doesn't allow the use of VLAN 0.

Thanks~!
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 6:37 pm

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?

Ask wojo
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 7:40 pm

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?
Ask wojo

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766394

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Last edited by wojo on Fri May 08, 2020 9:04 pm, edited 1 time in total.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 8:24 pm

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?
Ask wojo

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Thank you so much for the info. What did you have to do on the TP-Link, and which model was it? I tried with a UBNT switch and will soon try with an older HP switch, but most don't seem to allow much playing around with VLAN 0.

Guess I'll try to just strip header with a switch if all else fails.
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 9:05 pm

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?
Ask wojo

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Thank you so much for the info. What did you have to do on the TP-Link, and which model was it? I tried with a UBNT switch and will soon try with an older HP switch, but most don't seem to allow much playing around with VLAN 0.

Guess I'll try to just strip header with a switch if all else fails.
Oops, second link was incorrect. Switch model was TL-SG2216, a pretty basic switch around $90 USD and I'm not using super fancy features.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 9:25 pm

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?
Ask wojo

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Thank you so much for the info. What did you have to do on the TP-Link, and which model was it? I tried with a UBNT switch and will soon try with an older HP switch, but most don't seem to allow much playing around with VLAN 0.

Guess I'll try to just strip header with a switch if all else fails.
Oops, second link was incorrect. Switch model was TL-SG2216, a pretty basic switch around $90 USD and I'm not using super fancy features.
God bless you, thank you. I will order that switch if I can't get it working without any other. Did you also have to spoof the MAC of the switch or anything like that?
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 9:49 pm



Ask wojo

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Thank you so much for the info. What did you have to do on the TP-Link, and which model was it? I tried with a UBNT switch and will soon try with an older HP switch, but most don't seem to allow much playing around with VLAN 0.

Guess I'll try to just strip header with a switch if all else fails.
Oops, second link was incorrect. Switch model was TL-SG2216, a pretty basic switch around $90 USD and I'm not using super fancy features.
God bless you, thank you. I will order that switch if I can't get it working without any other. Did you also have to spoof the MAC of the switch or anything like that?

Good luck. They have an 8 port model here too: https://www.tp-link.com/us/business-net ... rt-switch/ at $50.
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 10:10 pm

I want to clarify with some information provided to me.

The AT&T Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their commercial gateways send all outgoing packets as 802.1Q, PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G fiber service does not, for example, force me to emulate what the BGW210 did. Currently, MikroTik does not allow us to set these tags on a bare interface. If anyone has this figured out, let me know. This issue is why people have problems on non-RB4011 hardware.
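The two tagging styles pcunite describes (an 802.1p priority tag carrying VID 0 on residential service, an 802.1Q tag carrying VID 2 on commercial) and the EAPOL (ethertype 0x888E) switch rules archerious sketched earlier can both be checked on raw frames. The following is an added example written for this thread, not code from the thread, MikroTik or AT&T: it parses the 802.1Q tag, classifies the frame, strips the tag the way a switch with vlan-header=always-strip would, and models the two EAPOL steering rules; all MAC addresses and frames are constructed placeholders, and the ether1/ether2 port names follow the thread's convention.

```python
"""802.1p/802.1Q tagging as discussed in the thread, checked on raw frames.
Added example, not code from the thread, MikroTik or AT&T; MACs and frames
below are constructed placeholders."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100   # an 802.1Q tag follows the addresses
ETHERTYPE_EAPOL = 0x888E  # 802.1X EAPOL, what the dot1x client exchanges
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # standard 802.1X destination
ONT_MAC = bytes.fromhex("020000000001")        # constructed placeholder
RG_MAC = bytes.fromhex("020000000002")         # constructed placeholder


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None = untagged, 0 = priority tag only (802.1p)
    pcp: int            # 802.1p priority code point
    ethertype: int      # ethertype after any tag
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse dst/src, one optional 802.1Q tag and the inner ethertype."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vid, pcp = 14, None, 0
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13     # top 3 bits of the TCI
        vid = tci & 0x0FFF  # low 12 bits; 0 means "priority-tagged only"
        offset = 18
    return Frame(dst, src, vid, pcp, ethertype, raw[offset:])


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Inverse of parse_frame; used here only to construct sample frames."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def classify(frame: Frame) -> str:
    """Name the tagging style: untagged, 802.1p (VID 0) or 802.1Q (VID n)."""
    if frame.vid is None:
        return "untagged"
    if frame.vid == 0:
        return "priority-tagged (802.1p, VID 0)"      # residential RG style
    return f"vlan-tagged (802.1Q, VID {frame.vid})"  # e.g. commercial VID 2


def strip_tag(raw: bytes) -> bytes:
    """Drop a leading 802.1Q tag, as a switch set to always-strip would."""
    f = parse_frame(raw)
    if f.vid is None:
        return raw
    return f.dst + f.src + struct.pack("!H", f.ethertype) + f.payload


def is_eapol(frame: Frame) -> bool:
    return frame.ethertype == ETHERTYPE_EAPOL


def steer(ingress: str, frame: Frame, ont: str = "ether1", rg: str = "ether2") -> str:
    """Model the two switch rules from the thread: EAPOL is swapped between the
    ONT and RG ports; anything else takes the normal forwarding path."""
    if is_eapol(frame):
        if ingress == ont:
            return rg
        if ingress == rg:
            return ont
    return "default"


# Constructed samples: residential (VID 0), commercial (VID 2), EAPOL-Start.
IPV4_STUB = b"\x45" + b"\x00" * 19
RESIDENTIAL = build_frame(RG_MAC, ONT_MAC, ETHERTYPE_IPV4, IPV4_STUB, vid=0)
COMMERCIAL = build_frame(RG_MAC, ONT_MAC, ETHERTYPE_IPV4, IPV4_STUB, vid=2)
EAPOL_START = build_frame(PAE_GROUP_MAC, ONT_MAC, ETHERTYPE_EAPOL, b"\x02\x01\x00\x00", vid=0)


def demo() -> dict:
    """What a troubleshooter wants to know: tag style on the wire, what
    survives stripping, and where EAPOL ends up."""
    res, com, eap = map(parse_frame, (RESIDENTIAL, COMMERCIAL, EAPOL_START))
    return {
        "residential": classify(res),
        "commercial": classify(com),
        "stripped": classify(parse_frame(strip_tag(RESIDENTIAL))),
        "eapol_from_ont": steer("ether1", eap),
        "eapol_from_rg": steer("ether2", eap),
        "data_from_ont": steer("ether1", res),
    }
```

Feeding a capture from the ONT port through parse_frame and classify tells you whether the frames arriving at a board are priority-tagged VID 0, which is exactly the case a switch chip without vlan-mode=fallback may drop.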
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 10:14 pm

I want to clarify with some information provided to me.

The AT&T Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their commercial gateways send all outgoing packets as 802.1Q, PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G fiber service does not, for example, force me to emulate what the BGW210 did. Currently, MikroTik does not allow us to set these tags on a bare interface. If anyone has this figured out, let me know. This issue is why people have problems on non-RB4011 hardware.
That's neat. I know in my area it requires VLAN 0, and they seem to re-auth with EAP weekly; that's why I went for the wpa_supplicant method, as rebooting weekly (sometimes at random times) to re-auth with the bridge method just wasn't ideal.

Is there a reason for them to even tag vlan 0 other than to be annoying?
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 10:32 pm

Is there a reason for them to even tag vlan 0 other than to be annoying?

... I think annoying us may be the reason ;)
 
hapoo
just joined
Posts: 15
Joined: Wed Apr 24, 2019 1:35 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat May 09, 2020 7:13 pm

I want to clarify with some information provided to me.

The AT&T Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their commercial gateways send all outgoing packets as 802.1Q, PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G fiber service does not, for example, force me to emulate what the BGW210 did. Currently, MikroTik does not allow us to set these tags on a bare interface. If anyone has this figured out, let me know. This issue is why people have problems on non-RB4011 hardware.
Not sure what the implication of this is. Would it be possible to do this setup for a Commercial gateway using a RB4011?

I'm interested in setting up a MikroTik as strictly a modem on a commercial account: just authorizing the connection and passing it through, without DHCP or NAT, to another router. Not sure how to go about doing it though.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 10, 2020 2:12 pm

I was able to follow through and get everything set up; dot1x gets to authenticated, however I never get an IP through the DHCP client.
I've attached my config below (the MAC has been changed from the gateway MAC); any insight into what I am doing wrong would be greatly appreciated.

Thanks!
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=America/Indiana/Indianapolis
/system routerboard mode-button
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I was looking over your config, can you disable the rules you have now and try pcunite's? It likely doesn't matter but it'll be useful until my hex arrives. Until then I can't test in person.
I setup the wan bridge on ether1 with vlan_filter on, and it fired right up.
My hex arrived and you're correct. Main issue is 802.1x doesn't work with bridge_wan on, I have to turn that off, give it a minute to authenticate, then turn bridge (and thus vlan filtering) back on.

Since it's all software bridging it does affect performance a bit, but it was better than expected.

Image

Image

I'd assume a script that checks for 802.1x status connecting or authenticating or rejected would then turn off bridge_wan, then when it says authenticated, turn back on bridge_wan. That should get it surviving reboots and working even if ONT loses connection for a few minutes that way we don't have to manually disable bridge_wan until 802.1x authenticates.

Relevant pics:

Vlan 0:
Image

Bridge_wan working:
Image

Bridge_wan settings:
Image

802.1x/EAP auth rejected if Bridge_WAN on before it auths, need to have bridge_wan off first:
Image

802.1x/EAP authentication successful when bridge_wan off first, then after auth turning bridge_wan on gets an IPv4 via dhcp client.
Image

All in all not bad from this little device, if it was able to remove the headers on the switch chip instead of software it would probably be quicker but 600mbps down is the same as my ER4 would usually get on wpa_supplicant lol and it cost significantly more.
UDM-Pro Former: RB4011, CCR2004, hEX, ER4
Aruba 2930F, CSS326, CRS309, CRS112-PoE Former: Ubiquiti XG-16 & ES-10X
Wireless Wire
AT&T Fiber 1000/1000
http://tlopez.cc/images/hex_is_a_beast.PNG
http://tlopez.cc/images/ccr2004_speedtest.png
 
erickasper
Trainer
Trainer
Posts: 2
Joined: Tue May 30, 2017 4:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 10, 2020 9:45 pm

I am still getting "rejected" or "authenticated without server" on my RB750Gr3. I am trying the most basic config (see below) just to authenticate.
1) My certs are from my own BGW210-700 and client has KT.
2) Clock is set.
3) RG MAC assigned to ether1

Can you post your basic config (without macs of course)?
# may/10/2020 14:34:39 by RouterOS 6.46.6
# software id = MHJV-FY15
#
# model = RouterBOARD 750G r3
# serial number = 6F39077E64FE
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
set 5 default-vlan-id=0
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-27179080442272.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 3:26 am

I'd assume a script that checks for 802.1x status connecting or authenticating or rejected would then turn off bridge_wan, then when it says authenticated, turn back on bridge_wan. That should get it surviving reboots and working even if ONT loses connection for a few minutes that way we don't have to manually disable bridge_wan until 802.1x authenticates.

That's what I did before the RB4011 (or dedicated switch), script located at viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 2:51 pm

I am still getting "rejected" or "authenticated without server" on my RB750Gr3. I am trying the most basic config (see below) just to authenticate.
1) My certs are from my own BGW210-700 and client has KT.
2) Clock is set.
3) RG MAC assigned to ether1

Can you post your basic config (without macs of course)?
# may/10/2020 14:34:39 by RouterOS 6.46.6
# software id = MHJV-FY15
#
# model = RouterBOARD 750G r3
# serial number = 6F39077E64FE
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
set 5 default-vlan-id=0
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-27179080442272.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
Will do soon, but did you make sure to make basic Allow Established and Allow LAN rules in firewall? Otherwise that might be affecting things, also make sure you made vlan0 the fallback for ether1.

EDIT: Config was basically the same but had several firewall rules, yours do not. Use PCUnite's, I am using his, but you'll need to create two interface lists for WAN and LAN.

Image
Last edited by archerious on Mon May 11, 2020 6:22 pm, edited 1 time in total.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 2:53 pm

I'd assume a script that checks for 802.1x status connecting or authenticating or rejected would then turn off bridge_wan, then when it says authenticated, turn back on bridge_wan. That should get it surviving reboots and working even if ONT loses connection for a few minutes that way we don't have to manually disable bridge_wan until 802.1x authenticates.

That's what I did before the RB4011 (or dedicated switch), script located at viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284
That's awesome! Thanks, will use that for my nephew's fiber (hex/RB750Gr3 is good enough for him).
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 6:09 pm

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Thank you so much for the info, what did you have to do on the TP-Link and which model was it? I tried with a ubnt switch, and will soon try with an older HP switch, but most don't seem to allow much playing around with VLAN 0.

Guess I'll try to just strip header with a switch if all else fails.
Oops, second link was incorrect. Switch model was TL-SG2216, a pretty basic switch around $90 USD and I'm not using super fancy features.
God bless you, thank you, will order that switch if I can't get it working without any other. Did you also have to spoof the MAC of the switch or anything like that?

Good luck. They have an 8 port model here too: https://www.tp-link.com/us/business-net ... rt-switch/ at $50.
It's fantastic, literally plug and play, didn't have to change any settings on Tp-link switch. Removed all bridges on hex, and the speeds are honestly just 200-250mbps slower on upload than RB4011, the downstream is line rate. Never went past 35% cpu usage either.

Speedtest with bridge_lan but removed bridge_wan:

Image

Now the bottom three are speedtests with no bridges at all, just ether1 for WAN and ether2 for LAN:

Image

Image

Image

Hex is honestly pretty amazing, PCUnite it might be worth recommending this with the tp-link for those on a budget (like my nephew) since it's working perfectly. The script provided by wojo also works perfectly for those that don't want to buy the tp-link switch.

Screenshot while running speedtests:

Image
 
User avatar
mozerd
Member
Member
Posts: 410
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 6:34 pm

........................ ....................
It's fantastic, literally plug and play, didn't have to change any settings on Tp-link switch. Removed all bridges on hex, and the speeds are honestly just 200-250mbps slower on upload than RB4011, the downstream is line rate. Never went past 35% cpu usage either.
................ ..........................
Hex is honestly pretty amazing, PCUnite it might be worth recommending this with the tp-link for those on a budget (like my nephew) since it's working perfectly. The script provided by wojo also works perfectly for those that don't want to buy the tp-link switch.
@archerious
Yes, when properly configured [Just like You did] the hEX is a very nice little Router that delivers great performance !!!
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 6:41 pm

........................ ....................
It's fantastic, literally plug and play, didn't have to change any settings on Tp-link switch. Removed all bridges on hex, and the speeds are honestly just 200-250mbps slower on upload than RB4011, the downstream is line rate. Never went past 35% cpu usage either.
................ ..........................
Hex is honestly pretty amazing, PCUnite it might be worth recommending this with the tp-link for those on a budget (like my nephew) since it's working perfectly. The script provided by wojo also works perfectly for those that don't want to buy the tp-link switch.
@archerious
Yes, when properly configured [Just like You did] the hEX is a very nice little Router that delivers great performance !!!
Thank you :)
 
erickasper
Trainer
Trainer
Posts: 2
Joined: Tue May 30, 2017 4:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 12, 2020 1:17 am

I am still getting "rejected" or "authenticated without server" on my RB750Gr3. I am trying the most basic config (see below) just to authenticate.
1) My certs are from my own BGW210-700 and client has KT.
2) Clock is set.
3) RG MAC assigned to ether1

Can you post your basic config (without macs of course)?
# may/10/2020 14:34:39 by RouterOS 6.46.6
# software id = MHJV-FY15
#
# model = RouterBOARD 750G r3
# serial number = 6F39077E64FE
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
set 5 default-vlan-id=0
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-27179080442272.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
Will do soon, but did you make sure to make basic Allow Established and Allow LAN rules in firewall? Otherwise that might be affecting things, also make sure you made vlan0 the fallback for ether1.

EDIT: Config was basically the same but had several firewall rules, yours do not. Use PCUnite's, I am using his, but you'll need to create two interface lists for WAN and LAN.
Thanks for the info. I am only trying to authenticate at this point, so I really shouldn't need LAN setup and firewall rules. My plan actually is to pass the connection to another router. Do you have a WAN bridge? Are you turning it on/off at any point? Do you have a switch stripping tags, as I am seeing VLAN 0 on all the incoming authentication packets?
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 12, 2020 12:58 pm

I am still getting "rejected" or "authenticated without server" on my RB750Gr3. I am trying the most basic config (see below) just to authenticate.
1) My certs are from my own BGW210-700 and client has KT.
2) Clock is set.
3) RG MAC assigned to ether1

Can you post your basic config (without macs of course)?
# may/10/2020 14:34:39 by RouterOS 6.46.6
# software id = MHJV-FY15
#
# model = RouterBOARD 750G r3
# serial number = 6F39077E64FE
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
set 5 default-vlan-id=0
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-27179080442272.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
Will do soon, but did you make sure to make basic Allow Established and Allow LAN rules in firewall? Otherwise that might be affecting things, also make sure you made vlan0 the fallback for ether1.

EDIT: Config was basically the same but had several firewall rules, yours do not. Use PCUnite's, I am using his, but you'll need to create two interface lists for WAN and LAN.
Thanks for the info. I am only trying to authenticate at this point, so I really shouldn't need LAN setup and firewall rules. My plan actually is to pass the connection to another router. Do you have a WAN bridge? Are you turning it on/off at any point? Do you have a switch stripping tags, as I am seeing VLAN 0 on all the incoming authentication packets?
I tested with using a tp-link that was recommended by wojo, and that was easy as pie. If you want to use a software bridge (no switch to strip tags) use the script wojo made:
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 12, 2020 1:06 pm

I want to clarify with some information provided to me.

The ATT Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their Commercial gateways send all outgoing packets as 802.1q PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G fiber service does not, for example, force me to emulate what the BGW210 did. Currently, MikroTik does not allow us to set these tags on a bare interface. If anyone has this figured out, let me know. This issue is why people have problems on non-RB4011 hardware.
My nephew is loving the hEX/RB750Gr3, but my RB4011 is showing an error under DHCP client.

It's working fine based on speedtests and no packet loss, but yet shows "error" under DHCP Client and doesn't show the usual expires after 60 min, it says 5d etc. I don't have any errors in the logs oddly enough. Have you encountered the same error before? If so, should I worry about it or just ignore it?

Image

EDIT: Did a reboot and that seems to have resolved it.
Image
 
technoredneck
just joined
Posts: 3
Joined: Wed Aug 28, 2019 10:40 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 6:08 pm

Man, I've tried everything that I can think of to get the supplicant method to work on my CCR1009, but it's all been a no-go. I tried to duplicate wojo's switch in front method with a TP-Link TL-SG105E, but I couldn't get authenticated with his settings. I ended up actually getting authenticated once when I enabled MTU Vlans and used the ONT interface as an uplink (go figure), but even that wasn't kosher because then I could never get a DHCP address from the network afterwards. At this point, I've given up since whenever I take the Internet down in this house...it's practically World War III. Specifically, I've got a CCR1009-7G-1C-1S+PC for what it's worth. I'd really like to get the RGW out of the way here, but for now...here it sits.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 7:13 pm

Man, I've tried everything that I can think of to get the supplicant method to work on my CCR1009, but it's all been a no-go. I tried to duplicate wojo's switch in front method with a TP-Link TL-SG105E, but I couldn't get authenticated with his settings. I ended up actually getting authenticated once when I enabled MTU Vlans and used the ONT interface as an uplink (go figure), but even that wasn't kosher because then I could never get a DHCP address from the network afterwards. At this point, I've given up since whenever I take the Internet down in this house...it's practically World War III. Specifically, I've got a CCR1009-7G-1C-1S+PC for what it's worth. I'd really like to get the RGW out of the way here, but for now...here it sits.
That switch might not do VLAN filtering, try this switch from TP-Link if it doesn't work out return it to Amazon. Specifically model T1500G-8T.

To summarize, you are authenticating fine, but you still need a switch or software bridge to remove the vlan headers/strip them, so you can pass traffic through and obtain an IP via dhcp-client.

If you give up it's understandable, but either try the wojo script again or using the switch that wojo and I have it working with. If you sell your CCR1009 you can use the funds to easily cover the cost of a RB4011 if you chose to go that route.

Personally I tried an Aruba 2530 (HPE), Ubiquiti Edgeswitch 10x, and an older tp-link smart switch. None of them worked, except the TP-Link T1500G-8T that wojo recommended.
 
vikinggeek
newbie
Posts: 30
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 7:30 pm

The limitation that the bridge is not handling VLAN 0 has been present for a while. Has anyone filed a bug report to MT support about the shortcoming? Or is the only option to use a device with the appropriate switch chip?
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 7:39 pm

The limitation that the bridge is not handling VLAN 0 has been present for a while. Has anyone filed a bug report to MT support about the shortcoming? Or is the only option to use a device with the appropriate switch chip?
Wojo has a script that can do everything without a switch chip on the router.

That being said using a $49 tp-link in front of an RB750Gr3 works fine. I haven't seen my nephew with issues, personally I might even buy a hEX since the RB4011 I own heats up the small office I work in a little more than I'd like, plus it's overkill for me.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 8:22 pm

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage:

Image

Image
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 9:23 pm

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage:

It's quite good! In fact, I'm selling my CCR1009 and keeping the RB4011 as my primary, and the hEX RB750Gr3 on the shelf (along with a TP-Link switch) as a backup. It's more than capable if you can do FastPath.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 9:31 pm

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage:

It's quite good! In fact, I'm selling my CCR1009 and keeping the RB4011 as my primary, and the hEX RB750Gr3 on the shelf (along with a TP-Link switch) as a backup. It's more than capable if you can do FastPath.
Agreed! I am thinking of doing the same, since my RB4011 cooks me sometimes in my small office it would be nice to use the hEX RB750Gr3 + tp-link on hot busy days.
 
vikinggeek
newbie
Posts: 30
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 9:40 pm

I'm glad you are happy with your equipment, we are running CCRs and need to stay with those. The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix? @Wojo workaround is good, but not the ultimate solution.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 12:02 am

The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix?

It's not so much a fix as it is additional functionality we want.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 12:36 am

I'm glad you are happy with your equipment, we are running CCRs and need to stay with those. The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix? @Wojo workaround is good, but not the ultimate solution.
If you prefer to not use a software bridge the $49 tp-link works well, if you need to use enterprise gear only tell me which switches you like etc. I tried Aruba and Ubnt in front of the hEX and they didn't work, but I suspect a Mikrotik CRS112 would work fine, just not sure if it'd remove the headers with cpu or the switch chip.

I don't mind buying more gear to test, helps out our bypass/community effort.
 
vikinggeek
newbie
Posts: 30
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 12:39 am

It's not so much a fix as it is additional functionality we want.
OK, what is the process for getting that to the right people at MT? Contact support and refer back to this thread?
 
wojo
newbie
Posts: 37
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 1:13 am

It's not so much a fix as it is additional functionality we want.
OK, what is the process for getting that to the right people at MT? Contact support and refer back to this thread?

I think email is probably the best method. If we pool efforts with a clear description of what we need and get requests in via email, so it's known how wide the impact is, we probably have the best chance of getting their attention. Some older posts:

viewtopic.php?t=104169
viewtopic.php?t=63559
viewtopic.php?t=76535
viewtopic.php?t=154834
viewtopic.php?t=150700

Why MikroTik chooses to ignore packets that are priority tagged (but no VLAN, hence VLAN ends up being 0x000) is the root of the cause I believe. There are the following situations that can work:
  • If both the 802.1x and TCP traffic function with the 802.1Q only containing a 802.1P priority tag, everything would be simple and ideal (no bridge). Traffic would be treated as if not tagged by a VLAN with 802.1Q.
  • If attached to a bridge with VLAN filtering, allowing 802.1x to function (which is currently broken)
  • If attached to a bridge without VLAN filtering, it should allow traffic (similar to #1, both situations would allow for VLAN 0 traffic to be treated as non-tagged in terms of 802.1Q VLANs)
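The priority-tag distinction wojo describes above (an 802.1Q header whose VID is 0x000, versus a real VLAN such as the VID 2 of the commercial gateways), as an added Python example that is not from this thread or from MikroTik: it builds constructed sample frames, classifies each as untagged, priority-tagged or VLAN-tagged, and applies the rewrite a tag-stripping switch in front of the router performs so that dot1x and the DHCP client see ordinary untagged frames. MAC addresses and the EAPOL payload are constructed placeholders.

```python
"""Constructed example: 802.1p priority tags (VID 0) vs. real 802.1Q VLAN tags.

Not code from the thread or from RouterOS; MACs and payloads are placeholders.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_EAPOL = 0x888E   # 802.1X / EAPOL, what the dot1x client exchanges
ETHERTYPE_IPV4 = 0x0800
MIN_HEADER = 14            # dst(6) + src(6) + ethertype(2)
TAG_LEN = 4                # TPID(2) + TCI(2)

# Constructed placeholder addresses (locally administered, not real devices)
RG_MAC = bytes.fromhex("020000000001")      # stands in for the spoofed RG MAC
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_START = bytes([0x02, 0x01, 0x00, 0x00])  # version 2, type Start, len 0


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a frame; vid=None -> untagged, vid=0 -> priority-tagged only."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1, clear) VID(12)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return addresses, tag kind, PCP/VID, inner ethertype and payload."""
    if len(frame) < MIN_HEADER:
        raise ValueError("runt frame")
    info = {"dst": frame[:6], "src": frame[6:12], "pcp": None, "vid": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        info.update(kind="untagged", ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < MIN_HEADER + TAG_LEN:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    info.update(
        pcp=tci >> 13,
        vid=vid,
        # VID 0 means "priority only, no VLAN membership" (802.1p); any other
        # VID is a real VLAN, e.g. the PVID 2 the commercial gateways use.
        kind="priority-tagged" if vid == 0 else "vlan-tagged",
        ethertype=inner,
        payload=frame[18:],
    )
    return info


def strip_priority_tag(frame):
    """Rewrite a VID-0 frame as plain untagged; leave all other frames alone.

    This is the job the switch in front of the router does: the 4-byte tag is
    removed and the inner ethertype (EAPOL, IPv4, ...) becomes the outer one.
    """
    if parse_frame(frame)["kind"] != "priority-tagged":
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]


def add_priority_tag(frame, pcp=0):
    """Upstream direction: tag an untagged frame with VID 0, as the RG does."""
    if parse_frame(frame)["kind"] != "untagged":
        return frame
    tci = pcp << 13   # VID stays 0
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def is_eapol(frame):
    """True for 802.1X frames whether or not a priority tag is present."""
    return parse_frame(frame)["ethertype"] == ETHERTYPE_EAPOL


if __name__ == "__main__":
    tagged = build_frame(PAE_GROUP, RG_MAC, ETHERTYPE_EAPOL, EAPOL_START, vid=0)
    print(parse_frame(tagged)["kind"])                        # priority-tagged
    print(parse_frame(strip_priority_tag(tagged))["kind"])    # untagged
```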
 
vikinggeek
newbie
Posts: 30
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 10:31 am

@wojo - your summary is excellent. I have emailed MT support and we'll find out if there is any chance that we can get a full featured 802.1x solution.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 17, 2020 9:50 pm

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage:

It's quite good! In fact, I'm selling my CCR1009 and keeping the RB4011 as my primary, and the hEX RB750Gr3 as my backup on the shelf (along with a TP-Link switch). It's more than capable if you can do FastPath.
While I failed to get my CRS112 to strip vlan headers, surprisingly the CSS326 was able to do so without much effort.

UDM-Pro Former: RB4011, CCR2004, hEX, ER4
Aruba 2930F, CSS326, CRS309, CRS112-PoE Former: Ubiquiti XG-16 & ES-10X
Wireless Wire
AT&T Fiber 1000/1000
http://tlopez.cc/images/hex_is_a_beast.PNG
http://tlopez.cc/images/ccr2004_speedtest.png
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 20, 2020 3:16 am

I'm glad you are happy with your equipment, we are running CCRs and need to stay with those. The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix? @Wojo's workaround is good, but not the ultimate solution.

My CCR2004 just arrived. Working fine with CSS326 removing the 802.1p tags on port 12, then sending it to the CCR2004 on port 14.


Haven't seen CPU Usage go past 5% when speedtesting with fast-tracking on.

Almost zero fan noise as well.
 
vikinggeek
newbie
Posts: 30
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 21, 2020 8:57 pm

Official Response from MT Support:
Currently, RouterOS interfaces do not accept packets with VLAN-ID 0 and there is no option to create a VLAN interface with VLAN-ID 0. However, there is a possible workaround - add the interface into a bridge with enabled vlan-filtering. VLAN filtering will treat these packets as untagged, but currently, there is no option to force the reply packets to respond with a VLAN-ID 0.

How would you expect to treat VLAN-ID 0 packets in RouterOS? Should we allow the users to configure a special-purpose VLAN interface that accepts these packets? How should RouterOS respond - with or without VLAN-ID 0 header?
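The priority-tag handling described in wojo's post above and in the MT support reply, as an added Python example that is not from this thread, from MikroTik or from RouterOS: it parses an Ethernet frame, tells untagged, priority-tagged (802.1Q header with VID 0) and VLAN-tagged frames apart, and strips the 4-byte tag only when the VID is 0, which is what the switch placed in front of the router does on ingress. The MAC addresses and the EAPOL-Start payload are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_EAPOL = 0x888E  # 802.1X EAPOL frames

def build_frame(dst, src, ethertype, payload, pcp=None, vid=0):
    """Build an Ethernet frame; if pcp is given, insert an 802.1Q tag.
    vid=0 with a pcp yields a priority-tagged frame (what the ONT side sends)."""
    hdr = dst + src
    if pcp is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)        # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return dst, src, the 802.1Q tag fields (or None), the real ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        off = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": frame[off:]}

def classify(frame):
    """'untagged', 'priority-tagged' (802.1Q header present but VID 0) or 'vlan-tagged'."""
    tag = parse_frame(frame)["tag"]
    if tag is None:
        return "untagged"
    return "priority-tagged" if tag["vid"] == 0 else "vlan-tagged"

def strip_priority_tag(frame):
    """Remove the 4-byte 802.1Q header only when VID == 0; real VLAN tags are left intact."""
    tag = parse_frame(frame)["tag"]
    if tag is None or tag["vid"] != 0:
        return frame
    return frame[:12] + frame[16:]   # dst + src, then the real ethertype and payload

# Constructed sample data (not captured from a real ONT).
PAE_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ONT_MAC = bytes.fromhex("020000000001")   # constructed, locally administered
EAPOL_START = bytes([0x01, 0x01, 0x00, 0x00])  # EAPOL v1, type 1 = Start, length 0
PRIO_TAGGED = build_frame(PAE_MAC, ONT_MAC, ETHERTYPE_EAPOL, EAPOL_START, pcp=0)
VLAN_TAGGED = build_frame(PAE_MAC, ONT_MAC, ETHERTYPE_EAPOL, EAPOL_START, pcp=0, vid=10)
```

Once the tag is stripped, the frame is an ordinary untagged EAPOL frame that the dot1x client can process; replies then leave untagged, which matches what MT support describes for the bridge workaround.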
 
pcunite
Forum Guru
Topic Author
Posts: 1109
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 21, 2020 10:01 pm

Official Response from MT Support:
How would you expect to treat VLAN-ID 0 packets in RouterOS? Should we allow the users to configure a special-purpose VLAN interface that accepts these packets? How should RouterOS respond - with or without VLAN-ID 0 header?

Glad to see them thinking about it. I don't yet know the right answer, other than allowing us to send and receive 802.1p packets of any ID, not just 0. The reason they mention a bridge is because, to enable this across all of their product line, they would need to do it in software and hit the CPU. I would like a way to avoid that, if possible. But I understand this would be a business decision for them.
 
nofdak
just joined
Posts: 2
Joined: Thu May 28, 2020 3:10 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jun 03, 2020 1:07 am

I just got an RB4011 and got it setup per these instructions perfectly (using the supplicant method). Now I'm attempting to get an IPv6 address and it's just not happening. This is my entire IPv6 config right now:
# jun/02/2020 17:01:27 by RouterOS 6.47
# software id = 168G-AZKL
#
# model = RB4011iGS+
# serial number = DXXXXXXXXXXXXX
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=dhcpv6-pool pool-prefix-length=60 request=address,prefix
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=reject chain=input connection-state=invalid reject-with=icmp-no-route
add action=accept chain=input protocol=icmpv6
add action=reject chain=input in-interface-list=!LAN log=yes reject-with=icmp-no-route
I'm not able to get an address, or a prefix. The IPv6 web UI just shows "Status: searching..." in the DHCPv6 Client settings. The weird thing is that I was able to get an IPv6 address this morning, but in my attempt to get the IPv6 Server working, I somehow broke the client. I'm not sure if this is related to AT&T or not, but considering the work required to get this to work, that's my suspicion. A related question I have, does the DUID matter? I was previously using pfAtt on pfSense and that required a special DUID workaround to get an IPv6 address. Considering it was working for me at one point, and it's apparently working for some others, my guess is that it's not required, but I'd love confirmation of that.

Does anyone have any suggestions on what I might do to get any sort of IPv6 address or prefix?
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jun 03, 2020 2:50 pm

I just got an RB4011 and got it setup per these instructions perfectly (using the supplicant method). Now I'm attempting to get an IPv6 address and it's just not happening. This is my entire IPv6 config right now:
# jun/02/2020 17:01:27 by RouterOS 6.47
# software id = 168G-AZKL
#
# model = RB4011iGS+
# serial number = DXXXXXXXXXXXXX
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=dhcpv6-pool pool-prefix-length=60 request=address,prefix
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=reject chain=input connection-state=invalid reject-with=icmp-no-route
add action=accept chain=input protocol=icmpv6
add action=reject chain=input in-interface-list=!LAN log=yes reject-with=icmp-no-route
I'm not able to get an address, or a prefix. The IPv6 web UI just shows "Status: searching..." in the DHCPv6 Client settings. The weird thing is that I was able to get an IPv6 address this morning, but in my attempt to get the IPv6 Server working, I somehow broke the client. I'm not sure if this is related to AT&T or not, but considering the work required to get this to work, that's my suspicion. A related question I have, does the DUID matter? I was previously using pfAtt on pfSense and that required a special DUID workaround to get an IPv6 address. Considering it was working for me at one point, and it's apparently working for some others, my guess is that it's not required, but I'd love confirmation of that.

Does anyone have any suggestions on what I might do to get any sort of IPv6 address or prefix?
I think we chatted on reddit, but if not then the first thing to do is check ND. In fact, have you watched a video that shows IPv6 setup on RouterOS/MikroTik? I'd recommend starting with that since there are quite a few differences from pfSense.
 
nofdak
just joined
Posts: 2
Joined: Thu May 28, 2020 3:10 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jun 03, 2020 4:44 pm

I think we did chat on reddit; unfortunately changing my ND options doesn't seem to have an effect. I've tried changing multiple different settings, disabling/enabling IPv6, deleting/recreating the DHCP client settings, etc., and for some reason the Tik can't seem to get an IPv6 address. 24 hours later it's still "Searching...".

Edit: I think I figured it out. My firewall settings were out of order and ICMPv6 was being blocked. When I explicitly passed ICMPv6 first, I got my IPv6 address/delegation. Now I just need to figure out how to set up a DHCPv6 server for my L3 switch.
 
technoredneck
just joined
Posts: 3
Joined: Wed Aug 28, 2019 10:40 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Jun 08, 2020 7:43 pm

I just wanted to chime in and say that I did indeed purchase one of those TP Link T1500G-8T switches and put it in front of my CCR1009 and wam-bam-thank-you-ma'am...everything worked first time. Authenticated and grabbed an IP from AT&T super fast too by the way. I'd say if you've got a CCR, then this is most certainly the way to go unless they change the OS to do what we need on the incoming frames.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Jun 09, 2020 2:42 am

I just wanted to chime in and say that I did indeed purchase one of those TP Link T1500G-8T switches and put it in front of my CCR1009 and wam-bam-thank-you-ma'am...everything worked first time. Authenticated and grabbed an IP from AT&T super fast too by the way. I'd say if you've got a CCR, then this is most certainly the way to go unless they change the OS to do what we need on the incoming frames.
Awesome, glad you got it working! :)
 
fmape
just joined
Posts: 2
Joined: Sat Jun 13, 2020 7:20 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jun 13, 2020 7:25 am

I have ATT gigabit fiber at my house, trying to get this working with my HAP AC (for now) and keep running into a "connecting->authenticating->rejected" loop. My ATT router is a BGW210 and I was able to successfully extract the keys from it and import.

I have a few questions:

Does case matter in the identity field for hex digits A-F? Should there be colons or shouldn't there? Should the anon identity field be blank? Same as identity?

Also, how close does the clock have to be? I don't have a local NTP server and if the router turns off the clock doesn't run until it's plugged back in, so when I plug it in in place of my BGW210 it can be off by many seconds.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jun 17, 2020 7:54 pm

I have ATT gigabit fiber at my house, trying to get this working with my HAP AC (for now) and keep running into a "connecting->authenticating->rejected" loop. My ATT router is a BGW210 and I was able to successfully extract the keys from it and import.

I have a few questions:

Does case matter in the identity field for hex digits A-F? Should there be colons or shouldn't there? Should the anon identity field be blank? Same as identity?

Also, how close does the clock have to be? I don't have a local NTP server and if the router turns off the clock doesn't run until it's plugged back in, so when I plug it in in place of my BGW210 it can be off by many seconds.
Did you put a switch in front to remove the 802.1p tags (vlan 0 priority tags)? Is your clock correct? You can set it manually.
 
fmape
just joined
Posts: 2
Joined: Sat Jun 13, 2020 7:20 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Jun 18, 2020 4:29 pm

Did you put a switch in front to remove the 802.1p tags (vlan 0 priority tags)? Is your clock correct? You can set it manually.
The clock is correct to within a few seconds, which is as close as I could get it manually. I didn't use a switch, I did set the vlan mode on the port to the ONT (eth1) to `fallback`.
 
archerious
Member Candidate
Posts: 120
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Jun 18, 2020 8:17 pm

Did you put a switch in front to remove the 802.1p tags (vlan 0 priority tags)? Is your clock correct? You can set it manually.
The clock is correct to within a few seconds, which is as close as I could get it manually. I didn't use a switch, I did set the vlan mode on the port to the ONT (eth1) to `fallback`.
You'll need to use wojo's script then to handle the vlan 0 p tags in software.

The hAP AC and hEX are unable to handle the vlan 0 p tags without either a switch in front or a software bridge via Wojo's script.
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup
