Bypassing AT&T Residential Gateways with MikroTik
If you have AT&T FTTH service and would like to use your MikroTik hardware to its fullest potential, this article is for you. Discover how to connect directly to the Fiber ONT device, bypassing other middleware hardware. The AT&T provided Residential Gateway, aka the ATT RG router, might be one of: BGW210-700, BGW320-505, NVG589, NVG599, 5268AC, or any new models that might come out. These devices do provide value and are required if using IPTV or VoIP service. For pure Internet only service, however, they are not needed.
When it comes to a network rack or data closet, it is very frustrating to be forced into adding unnecessary hardware which will only take up space, use more power, generate heat, and become a point of failure in the network. Also, the best firewall and NAT device is a MikroTik! We want it to be the first thing that a packet must traverse. In this article we show you the how to do just that. Note that at all times we respect the AT&T network. This does not enable features you didn't pay for. This article is a benefit to their subscribers. Not everyone is incapable of managing their own on-premises equipment. AT&T has allowed this method to exist for those who are responsible with it.
Hardware and Software requirements:
Faster hardware usually results in a better experience. If you have 1GB Fiber service or higher, consider using the RB4011, CCR1009*, or other higher end models. For slower speeds, the RB3011 and hAP ac² are appropriate. The configurations presented here were tested with the RB4011 on DHCP residential service. The recommended RouterOS firmware for any model should be version 6.46 or higher. Note: at this time, only the RB4011 is recommended.
There are two methods presented here which are known as the Bridge Method and the Supplicant Method. These are explored in detail in the posts below. Choose the method that best meets your needs and application. A lot of individuals have contributed to this effort resulting in what we have today which include: devicelocksmith, aus, brianlan, maczrool, wojo, and others. Note that some ATT locations are being upgraded to support XGS-PON. This means that the bypass methods shown here will not work.
The nature of how this works is a little more technical than perhaps what you're used to dealing with. I will largely repeat what aus has already written, but making changes to suit this article. Essentially, in a stock setting with the ATT RG as the first and only device connected directly to the Fiber ONT, we have:
- ATT RG boots up
- Initializing traffic to the ONT uses the 802.1X standard following the EAP-TLS Authentication Protocol (EAPOL). This is a fancy way of saying that there are unique encryption keys stored on the ATT RG that request authorization to connect and pass standard packets beyond the ONT.
- After authentication, the Fiber ONT device will send ethernet frames as Cisco priority tagged frames. These follow the typical Dot1q (802.1Q) standard but with 0 set as the VLAN ID and some 802.1P bits set. There is not yet a requirement to reply with 802.1P packets.
- With traffic tagged correctly, an ethernet port (its MAC address must match values in the encryption key) is given an IP address via DHCP. When the lease is issued, the WAN setup handshaking is complete. LAN traffic can now be routed.
This process takes only a few moments but must be allowed to occur or you can emulate it exactly. Therefore, this article shows you how to bridge the 802.1X EAP-TLS traffic by allowing the ATT RG to do its thing, or you may natively import the encryption keys onto your MikroTik and utilize the Dot1x client interface. The choice is yours.