pcunite
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:27 pm

Title:
Bypassing AT&T Residential Gateways with MikroTik

Welcome:
If you have AT&T FTTH service and would like to use your MikroTik hardware to its fullest potential, this article is for you. Discover how to connect directly to the Fiber ONT device, bypassing other middleware hardware. The AT&T provided Residential Gateway, aka the ATT RG router, might be one of: BGW210-700, BGW320-505, NVG589, NVG599, NVG510, 5268AC, or any new models that might come out. These devices do provide value and are required if using IPTV or VoIP service. For pure Internet only service, however, they are not needed.

Why Bypass?
When it comes to a network rack or data closet, it is very frustrating to be forced into adding unnecessary hardware which will only take up space, use more power, generate heat, and become a point of failure in the network. Also, the best firewall and NAT device is a MikroTik! We want it to be the first thing that a packet must traverse. In this article we show you how to do just that. Note that at all times we respect the AT&T network. This does not enable features you didn't pay for. This article is a benefit to their subscribers. Not everyone is incapable of managing their own on-premises equipment. AT&T has allowed this method to exist for those who are responsible with it.

Hardware and Software requirements:
Faster hardware usually results in a better experience. If you have 1 Gbps Fiber service or higher, consider using the RB4011, CCR1009*, or other higher-end models. For slower speeds, the RB3011 and hAP ac² are appropriate. The configurations presented here were tested with the RB4011. The recommended RouterOS firmware for any model should be version 6.46 or higher. Note: at this time, only the RB4011 is recommended.

Bypass Methods:
There are two methods presented here which are known as the Bridge Method and the Supplicant Method. These are explored in detail in the posts below. Choose the method that best meets your needs and application. A lot of individuals have contributed to this effort resulting in what we have today which include: devicelocksmith, aus, brianlan, maczrool, wojo, and others.

Technical Overview:
The nature of how this works is a little more technical than perhaps what you're used to dealing with. I will largely repeat what aus has already written, but making changes to suit this article. Essentially, in a stock setting with the ATT RG as the first and only device connected directly to the Fiber ONT, we have:

  • ATT RG boots up
  • Initializing traffic to the ONT uses the 802.1X standard following the EAP-TLS Authentication Protocol (EAPOL). This is a fancy way of saying that there are unique encryption keys stored on the ATT RG that request authorization to connect and pass standard packets beyond the ONT.
  • After authentication, the Fiber ONT device will send ethernet frames as Cisco priority tagged frames. These follow the typical Dot1q (802.1Q) standard but with 0 set as the VLAN ID and some 802.1P bits set. There is not yet a requirement to reply with 802.1P packets.
  • With traffic tagged correctly, an ethernet port (its MAC address must match values in the encryption key) is given an IP address via DHCP. When the lease is issued, the WAN setup handshaking is complete. LAN traffic can now be routed.

This process takes only a few moments but must be allowed to occur or you can emulate it exactly. Therefore, this article shows you how to bridge the 802.1X EAP-TLS traffic by allowing the ATT RG to do its thing, or you may natively import the encryption keys onto your MikroTik and utilize the Dot1x client interface. The choice is yours.
Last edited by pcunite on Tue Jan 28, 2020 3:23 pm, edited 17 times in total.
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:28 pm

Bridge Method

Overview:
If you know anything about this option, then you know it has gone by several names: dumb switch bypass, eap-proxy, VLAN bypass, and true bridge mode. Well, they all share a common configuration in that they allow the ATT RG to handle the EAP-TLS protocol. After that, the RG can be powered down and removed. However, in the event of planned reboots or power failures, the ATT RG must be plugged back in. Naturally, the ATT RG can be allowed to stay powered on and ready as needed. Some have used special power adapters to turn the RG on and off automatically.

BridgeMethod.png

Details:
The diagram shows a yellow WAN bridge and a purple LAN bridge. The yellow bridge has temporary ports that enable the ATT RG to be nearly directly connected to the Fiber ONT. The bridge's MAC address is thus the same as the RG. After EAP-TLS authentication occurs, the ether2 port is set to disabled. Standard routing and firewalling can then occur. The ATT RG can be removed or left on as desired.

Scripting:
MikroTik is powered by RouterOS. So, we can create bridges, add or remove ports, turn things on and off, all automatically with the included scripting ability. We are able to do a lot with a single hardware device. This method therefore uses some special scripts to accomplish our goal. Apply this script to your hardware.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway Bypass using only a single MikroTik. No separate hardware or switch
# needed. Automatic recovery from reboot or power loss.
#
# Tested on the RB4011
#
# Date:   12-20-2019
# Topic:  https://forum.mikrotik.com/viewtopic.php?t=154954
#
##################################################################################################


##################################################################################################
# HOW TO INSTALL:
#
# 1) Reset MikroTik (/system reset-configuration) and reboot.
#
# 2) Edit "admin-mac=00:00:00:00:00:00" below to be your ATT RG MAC address.
#
# 3) With only the MikroTik turned on and nothing plugged in, apply this config file.
#
# 4) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 5) Reboot the MikroTik. The included script takes 3 minutes for automatic RG and ONT syncing.
##################################################################################################

# We will create two bridges. One for the LAN and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client to pull an IP from the ATT ONT
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Add the script that enables automatic recovery from reboot or power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN preferences
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add chain=input action=accept   connection-state=established,related comment="Allow established related"
add chain=input action=accept   in-interface=Bridge_LAN comment="Allow LAN"
add chain=input action=accept   protocol=icmp comment="Allow Ping"
add chain=input action=drop     comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Allow established related"
add chain=forward action=accept connection-state=new in-interface=Bridge_LAN comment="Allow LAN"
add chain=forward action=accept connection-nat-state=dstnat in-interface=Bridge_WAN comment="Allow port forwards"
add chain=forward action=drop   comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

# Example rule table switching for better performance if hardware support (RB3011, CCR1009).
# /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
# /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Last edited by pcunite on Fri Dec 20, 2019 9:44 pm, edited 6 times in total.
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:30 pm

Supplicant Method

Overview:
This option is the preferred way because the ATT RG can be stowed away while MikroTik hardware performs all necessary tasks. All that is required are valid certificates extracted from your ATT RG and a native supplicant client. MikroTik includes this client via their Dot1x interface which provides the wpa_supplicant feature.

SupplicantMethod.png

Details:
Our diagram looks like any normal routing configuration. Really, the only thing unique about this option is that we use a Dot1x client on our yellow ether1 WAN port. The purple ports are all bridged using typical RouterOS syntax. The ether1 MAC address is set to that of your ATT RG certs and gets configured as a DHCP client. We must also import certificate files. Beyond that, the Dot1x client handles the EAP-TLS authentication. A very straightforward configuration.

1. Manually Set the System Clock:
Set the clock, under System / Clock, to the correct time and date. This is a requirement of the Dot1x client; otherwise you will get "rejected", "connecting", and "authenticated without server" error loops.

2. Import Certificate Files:
After you have obtained your certificate files, use the Winbox GUI tool and navigate to the Files menu. Drag and drop your files therein. Next, open the System / Certificates menu. Under the Certificates tab, click Import and load your files. If possible, import the certs in the following order: CA, Client, then the PK. After importing, click Settings and uncheck CRL Download and Use CRL. You will now have approximately six new certificate entries in your store. If you double-click on an entry, you can see key usage information on the Key Usage tab. You will want to identify the one with tls client capability. Also, in the General tab, it needs a Common Name value that is a MAC address and has Trusted checked. This is the correct key to use with Dot1x later.

3. Configure your WAN port:
We'll use ether1 in this example. Set it to be a standalone port, not part of a bridge etc. Run the following command, using your Common Name MAC address: /interface ethernet set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00. Next, set up a DHCP client on ether1, example command: /ip dhcp-client add interface=ether1 disabled=no. Some RouterBoard models also require the following command: /interface ethernet switch port set ether1 vlan-mode=fallback so that they will not drop packets coming from the ONT that have a VLAN ID of 0.

4. Configure the Dot1x interface:
This is easy enough in the GUI, but I'll show the command line. Note that you specify the file name that had tls client capability. Set the identity fields to be the MAC address (without the colons). Command: /interface dot1x client add interface=ether1 certificate=Client_myfile.pem eap-methods=eap-tls identity=000000000000.

Conclusion:
At this point everything is ready. Configure the rest of your MikroTik as desired, then reboot the unit. Plug ether1 directly into the Fiber ONT. In the Dot1x GUI, you will note the Status field. After about 30 seconds, it will read authenticated then you'll have an IP address on ether1.
Last edited by pcunite on Tue Dec 24, 2019 12:28 am, edited 14 times in total.
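An added pre-flight check for the supplicant method above (example code written for this page, not something from the original post or from MikroTik): it reads the extracted PEM bundle, picks the one certificate carrying the TLS Web Client Authentication extended key usage, confirms its Common Name is a MAC address, and checks that the current clock falls inside the certificate's validity window before emitting the three RouterOS commands from steps 3 and 4. It assumes the `cryptography` Python package is installed and that RouterOS named the imported client certificate `Client_Cert.pem_0` (pass `cert_name=` otherwise); the certificates produced by `make_sample_bundle()` are constructed stand-ins, not real AT&T material.

```python
"""Pre-flight check of an extracted RG certificate bundle before handing it to the RouterOS dot1x client.

Assumes the `cryptography` package (pip install cryptography). The sample bundle is constructed
here for demonstration; it is not real AT&T material.
"""
import datetime as dt
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def load_pem_certs(pem_bytes):
    """All certificates in a PEM bundle (the CA and client files concatenated is fine)."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in PEM_CERT.finditer(pem_bytes)]


def is_tls_client_cert(cert):
    """True if the certificate carries the TLS Web Client Authentication EKU."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.CLIENT_AUTH in eku


def validity(cert):
    """(not_before, not_after) as tz-aware UTC datetimes across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = dt.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def select_client_cert(pem_bytes, now=None, cert_name="Client_Cert.pem_0", wan="ether1"):
    """Pick the dot1x client certificate and derive the MAC, identity and RouterOS commands.

    Raises ValueError when the bundle is ambiguous, the CN is not a MAC, or the clock is outside
    the validity window (the "authenticated without server" loop seen when the clock is wrong).
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    candidates = [c for c in load_pem_certs(pem_bytes) if is_tls_client_cert(c)]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one TLS-client certificate, found {len(candidates)}")
    cert = candidates[0]
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cns[0].value if cns else ""
    if not MAC_RE.match(cn):
        raise ValueError(f"client certificate CN is not a MAC address: {cn!r}")
    not_before, not_after = validity(cert)
    if not not_before <= now <= not_after:
        raise ValueError(
            f"clock {now:%Y-%m-%d} is outside certificate validity "
            f"{not_before:%Y-%m-%d}..{not_after:%Y-%m-%d}; set /system clock first")
    mac = cn.upper()                 # RouterOS prints MACs upper-case with colons
    identity = mac.replace(":", "")  # dot1x identity: the MAC without colons
    return {
        "mac": mac,
        "identity": identity,
        "commands": [
            f"/interface ethernet set [ find default-name={wan} ] mac-address={mac}",
            f"/ip dhcp-client add interface={wan} disabled=no",
            f"/interface dot1x client add interface={wan} eap-methods=eap-tls "
            f"certificate={cert_name} identity={identity} anon-identity={identity}",
        ],
    }


def make_sample_bundle(mac="00:11:22:33:44:55", starts_in_days=-1, days_valid=3650):
    """Constructed CA + client PEM pair (NOT real AT&T material) for exercising the check above."""
    now = dt.datetime.now(dt.timezone.utc)
    not_before = now + dt.timedelta(days=starts_in_days)
    not_after = not_before + dt.timedelta(days=days_valid)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample RG CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(not_before).not_valid_after(not_after)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    client_key = ec.generate_private_key(ec.SECP256R1())
    client = (x509.CertificateBuilder()
              .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, mac)]))
              .issuer_name(ca_name).public_key(client_key.public_key())
              .serial_number(x509.random_serial_number())
              .not_valid_before(not_before).not_valid_after(not_after)
              .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
              .sign(ca_key, hashes.SHA256()))
    return ca.public_bytes(serialization.Encoding.PEM) + client.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    for line in select_client_cert(make_sample_bundle())["commands"]:
        print(line)
```

Run it against the real bundle by concatenating the CA and client PEM files and passing the bytes to select_client_cert(); a ValueError mentioning the clock is the same condition that produces the status loop described in step 1, so fix /system clock before touching the dot1x settings.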
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:32 pm

Reserved
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 10:45 pm

Reserved
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 4:05 pm

Hi, thanks for this tutorial and the hard work. I tried this new method with my router (I'm waiting for the new one). I think I got authorization, but for some reason I never have an IP address. The message that I receive under Dot1x is "authenticated without server". Any idea? Thanks
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 5:13 pm

I think I have authorization but for some reason I never get an IP address. The message that I received under Dot1x is "authenticated without server". Any idea?

I'm very new to this, so I don't know all the edge cases yet. The Dot1x documentation mentions it and states access to the port is granted without communication with server. Not sure what that means. Can you do a packet capture on the traffic? Makes me think that perhaps you need a certain VLAN tag. Do you have business or residential service? Also, turn off everything, the Fiber ONT too for a few minutes. Then boot up again.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 5:18 pm

I have a residential account. I'm going to try with the new MikroTik when it arrives. Right now I'm using my old one for this test. Like you told me before, maybe the router is underpowered because it is the CRS109-8G model. The new one is the CCR1009. Thanks
 
wojo
newbie
Posts: 29
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 2:59 am

I'm still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something.

That said, since I was able to get it working in two phases, this time I automated it. The idea is to have a script monitor things and automatically take the interface in and out of the bridge based on the 802.1x status.

On my CCR1009-7G-1C-1S+ (passive cooled, 1200MHz), I barely break 6% overall CPU with quite a few rules (optimized though), fast path, etc at 1Gbps.

The entire setup is as follows:

Replace the following with your values:
  • bridge-ont - the bridge that strips VLAN 0 tags, has one interface on it that connects to the ONT
  • ether3-ont - the interface connected directly to the ONT
  • 00:00:00:00:00:00 - the MAC address that matches the 802.1x cert bundle that you've uploaded
  • name_of_cert - upload your cert bundle and select this in the dot1x settings

Set up the interfaces, bridge and dot1x:
/interface ethernet set [find name=ether3-ont] mac-address=00:00:00:00:00:00

/interface bridge add admin-mac=00:00:00:00:00:00 auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=ether3-ont

/interface dot1x client add anon-identity=00:00:00:00:00:00 certificate=name_of_cert eap-methods=eap-tls identity=00:00:00:00:00:00 interface=ether3-ont
/certificate settings set crl-use=no

This is the script that I run every 5 seconds, which is probably overkill, but it doesn't write any config changes or log anything unless something changes so should be fine in terms of NAND wear, etc. I'll probably tune it down to every minute later.
:local interfaceOnt "ether3-ont"
:local bridgeOnt "bridge-ont"

:local scriptName "CheckDot1x"
:local dot1xStatus [/interface dot1x client get [find interface=$interfaceOnt] status]
:local portDisabled [/interface bridge port get [find bridge=$bridgeOnt interface=$interfaceOnt] disabled]

#:log info "$scriptName: Checking, dot1xStatus=$dot1xStatus, portDisabled=$portDisabled"

:if ($dot1xStatus = "authenticated") do={
  :if ($portDisabled) do={
    :log warn "$scriptName: authenticated, enabling bridge"
    /interface bridge port enable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
} else={
  :if (!$portDisabled) do={
    :log warn "$scriptName: not authenticated ($dot1xStatus), disabling bridge"
    /interface bridge port disable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
}

For easy adding:
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup

Finally place your DHCP on the "bridge-ont" interface. I'm able to pull both IPv4 and a /60 of IPv6, which I've split up into three /64 subnets for my private network, IoT and guest networks.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:25 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status and no luck. Looking for any help. Thanks
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:33 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status and no luck. Looking for any help. Thanks
I think I've hit that when something was wrong with the certs or dot1x setup. Can you show your configuration with MACs scrubbed and such for dot1x and certificate settings?

Also -- I can't remember entirely if it was required but I did import the entire cert chain as well as disable the CRL.
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:34 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status and no luck. Looking for any help. Thanks

Yes, I just tested my system again (resetting everything for testing) and get the same error. I'll be tracking this down. For now, set your system clock to the correct time. Also, make sure, under System Certificates, that your Client key is KT.

Interestingly, when I restore my system from backup, everything works. So, there is something stored in the backup file, that simply enables an ether1 interface to just work without putting into bridge, then removing, as wojo is having to.
Last edited by pcunite on Sun Dec 22, 2019 4:39 am, edited 1 time in total.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:39 am

This is part of my config without the Dot1x check. I imported the 3 certificates (CA_00..., Client_00.., PrivateKey_PKCS1_00..) that were created when using the utility to create the wpa_supplicant.conf

/interface ethernet
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx
set [ find default-name=ether2 ] name=ether2
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7

/interface bridge settings
set use-ip-firewall=yes
/interface dot1x client
add anon-identity=xxxxxxxxxxxx certificate=Client_cert.pem_0 \
eap-methods=eap-tls identity=xxxxxxxxxxxx interface=ether1
Last edited by jack2020 on Sun Dec 22, 2019 5:05 am, edited 1 time in total.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:59 am

I changed the clock to the right date and time, imported the certificates again, and used the one with KT with Dot1x. Same message. Thanks
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:03 am

I changed the clock to the right date and time, imported the certificates again, and used the one with KT with Dot1x. Same message. Thanks

Okay, I think what may have happened is that I too had a bridge, then took it out of the bridge. After that, it stays working. Please try wojo's scripts. I will keep looking until I find the answer.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:08 am

I removed the WAN bridge; ether1 is alone, and the only bridge that I have is for the LAN. Do I need to remove the LAN_Bridge and create a new one for the LAN?
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:09 am

I removed the WAN bridge; ether1 is alone, and the only bridge that I have is for the LAN. Do I need to remove the LAN_Bridge and create a new one for the LAN?

No, the LAN side is fine. What we are doing is fairly advanced here. I understand it must be confusing for you. We are only talking about WAN interfaces.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:12 am

OK, ether1 is alone without any WAN_Bridge. I'm going to try the Dot1x script. Thanks
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:34 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:35 am

Okay, I think what may have happened is that I too had a bridge, then took it out of the bridge. After that, it stays working. Please try wojo's scripts. I will keep looking until I find the answer.
I got bit by the same thing when first starting as well, until I started throwing reboots and disconnects at the situation.

Well... the scripts aren't ideal, but are fast and seem to be reliable so far. Like you said, the ONT doesn't seem to ask for reauth once up, ever.

If dot1x ever reports it's not auth'd, the script will at least try to let it do it again by taking the interface out of the bridge. I'm just scared that if the ONT decides to unauth without a link drop/status change, nothing would notice.

In order to catch that situation, would need to test the gateway and try bouncing or something I guess.
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:46 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.
And with just the interface (no bridge), you can disconnect the ONT ethernet cable or disable that interface, bring it back, and it'll run through the EAPOL process and then grab an IP?
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:08 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.
And with just the interface (no bridge), you can disconnect the ONT ethernet cable or disable that interface, bring it back, and it'll run through the EAPOL process and then grab an IP?

Yes, and it works! I'll update the article now. Basically, follow the article, but set the clock, under System / Clock, to the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew IP, turn off the interface, whatever, and it will re-auth correctly.
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:13 am

Yes, and it works! I'll update the article now. Basically, follow the article, but set the clock, under System / Clock, to the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew IP, turn off the interface, whatever, and it will re-auth correctly.
My time is correct and synced via NTP.

Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0, by hooking up Wireshark to the MikroTik? It's a known issue of MikroTik to not handle VLAN 0 like other hardware out there, so I'm thinking your ONT is not setting that VLAN tag of 0.

Also, what is the model of ONT?
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:18 am

Yes, and it works! I'll update the article now. Basically, follow the article, but set the clock, under System / Clock, to the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew IP, turn off the interface, whatever, and it will re-auth correctly.
My time is correct and synced via NTP.

Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0, by hooking up Wireshark to the MikroTik? It's a known issue of MikroTik to not handle VLAN 0 like other hardware out there, so I'm thinking your ONT is not setting that VLAN tag of 0.

Also, what is the model of ONT?

I have the Alcatel-Lucent G-010G-A. I'll try to get a capture later. Won't be today.
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:21 am

I have the Alcatel-Lucent G-010G-A. I'll try to get a capture later. Won't be today.
Same model here.
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:36 am

My time is correct and synced via NTP. Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0 by hooking up Wireshark to the MikroTik?

Replying to this again, going to take a break for now. However, please test the following:

  • Do a System / Reset Configuration unchecking No Default Configuration.
  • Reboot
  • Set the System / Clock manually to ensure the correct time, right now.
  • Import your certs
  • Then apply a setup script that looks something like below. Note the order of things to keep auto mac assignments sane.
  • Reboot

# dec/21/2019 23:11:39 by RouterOS 6.46.1
# model = RB4011iGS+

/system identity
set name=Router

# Create your LAN Bridge first
/interface bridge
add name=BR_LAN protocol-mode=none vlan-filtering=no

# Add their ports
/interface bridge port
add bridge=BR_LAN interface=ether2
# and so on
# yadda yadda

# WAN Port, now set the MAC to your cert MAC on ether1
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00

# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no

# turn on the DHCP client
/ip dhcp-client
add disabled=no interface=ether1

# turn on the Dot1x interface, use your MAC
/interface dot1x client
add certificate=Client_Cert.pem_0 eap-methods=eap-tls anon-identity=000000000000 identity=000000000000 interface=ether1

# setup your firewall
/ip firewall filter
# yadda yadda

# NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 comment="Default masq"

# turn on VLAN if desired
#/interface bridge set BR_LAN vlan-filtering=yes

# reboot

 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 2:22 pm

Hi, I followed the last instruction and keep getting the same message, "Authorized without server". Maybe my area has another kind of configuration, or the MikroTik RB4011iGS+ works differently than my CCR1009-7G-1C (tile). Something curious: if I change my MAC address in the Dot1x client using either format, 000000000000 or 00:00:00:00:00:00, or remove it from the anon-identity field, or change eap-methods to None, I always receive "Authorized without server".

Note: I have had an AT&T Fiber residential account since 2017; my public IP always stays the same and never changes (basic Internet).
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:50 pm

Here is my capture. Please make one for your WAN interface, so we can compare. Go to Tools / Packet Sniffer. Under the General tab set the File Name to be something.pcap. Under the Filter tab, set the Interface, then Direction any. Then press Start. When done press Stop then download the file from the Files menu. Next, load the pcap file into Wireshark. To hide things, use a display filter like this at the top !(ip.addr == 1.2.3.4). Then photoshop the rest.

Wireshark Notes:
Right click on a column name at the top, choose Column Preferences, then Columns. Now, you can add a new column. I added 802.1Q VLAN id and set the label for it.

Notes about Starting a capture
My ether1 is my WAN port. It is not part of a bridge. So, I disabled the interface. Then I re-enabled it, and then pressed Start in the packet sniffer to get this capture. I think the packet sniffer tool may have an issue with disabled interfaces. That's why I did it like this.

capture.png
Last edited by pcunite on Sun Dec 22, 2019 10:38 pm, edited 1 time in total.
 
wojo
newbie
Posts: 29
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:29 pm

Here's my capture. This is on my ether3-ont interface with no bridge. As you can see it goes through EAPOL successfully, and then when I broadcast for DHCP I get an offer back on VLAN 0. The only way I've been able to process those incoming packets (incl. all subsequent IP packets) is to place that interface on a bridge alone and enable VLAN Filtering to strip VLAN 0.

Screen Shot 2019-12-22 at 11.49.17.png

One thought -- it looks like you are on a RB4011iGS+ (block diagram) which has two RTL8367 switch chips. The CCR1009-7G-1C-1S+PC (block diagram) does not have any. Perhaps that architecture is what allows processing of those VLAN 0 tagged packets whereas in my situation I have a raw CPU connection and cannot.

I've tried all combos of IP mangle to set DSCP to fix the packets, but it's not early enough in the pipeline. In fact I never even see any packets match my rules when they are VLAN 0.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:51 pm

...
Last edited by jack2020 on Sun Dec 22, 2019 11:16 pm, edited 1 time in total.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:00 pm

One thought -- it looks like you are on a RB4011iGS+ (block diagram) which has two RTL8367 switch chips. The CCR1009-7G-1C-1S+PC (block diagram) does not have any. Perhaps that architecture is what allows for the processing of those VLAN 0 tagged packets, whereas in my situation, I have a raw CPU connection and cannot.

Thank you for the packet capture, very interesting. Your switch chip observation may have some truth to it. Whenever I export settings from an RB4011, the following appear in the results. So, it seems that VLAN 0 is the default. However, why would VLAN type packets not appear in my capture, as they do in yours? One way to know if AT&T is doing this, or if it's the MikroTik, is for me to test with a CCR1009. I don't have one at this time.

# This always appears when exporting configurations on an RB4011
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
 
wojo
newbie
Posts: 29
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:01 pm

Update: see your post about the switch config, yeah that's exactly what I'm thinking. Here's my post I was just about to hit Submit on:

OK, my theory seems like it could be correct. I added DSCP into my Wireshark columns, and it shows CS6 level for all packets coming from the ONT. To test this, I took a managed switch (a TL-SG2216 I had around) that had VLAN capabilities and set it up with the following:

  • ports 1 (ONT), 2 (Mikrotik) on VLAN 2, PVID 2, untagged -- VLAN 2 is an arbitrary choice, just the next free one but doesn't matter
  • all other ports on VLAN 1 (default), PVID 2, untagged

This forces my switch to accept the frames and strip the VLAN tag before sending to my MikroTik. The result looks like this:

Screen Shot 2019-12-22 at 14.24.23.png

Notice that the DSCP header is unchanged, but the VLAN 0 tag has been removed.

This is a simpler setup without any scripts and running both dot1x and DHCP/everything else on the single port, no bridge. My CPU usage is around 1% now without the bridge, and it seems I may be getting slightly better speeds (was getting ~high 90s before, but who knows with the stuff between me and the test file):

/dev/null 26%[============> ] 268.57M 105MB/s
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:44 pm

I added DSCP into my Wireshark columns, and it shows CS6 level for all packets coming from the ONT.

I updated my capture post to show DSCP.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 2:07 pm

I tried the bridge_ont option and for some reason my authorization fails; I think something is wrong with this certificate. On lines 14, 18 and 21, is the system asking for my real IP address? I include my Wireshark image. Thanks for any ideas.
I also tried the configuration without the bridge and I get no EAPOL request.
(screenshot attached)
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 5:05 pm

I tried the bridge_ont option and for some reason my authorization fails; I think something is wrong with this certificate. On lines 14, 18 and 21, is the system asking for my real IP address? I include my Wireshark image. Thanks for any ideas.
I also tried the configuration without the bridge and I get no EAPOL request.

Let's work on EAPOL first, then we can work on ARP and DHCP. You'll need to see an EAPOL Start, then finally an EAP Success. It takes about 30 seconds or so for that to happen. So, let's start from the beginning for you. Since you have a CCR1009, wojo has discovered that ultimately you'll need to use the Bridge option. However, for testing, I only want to work on EAPOL first, so we're going to use the bare interface method for now. In Wireshark, please turn on the columns for VLAN (802.1Q) and DSCP (IP DSCP Value). Use the display filter: eapol || dhcp.

Do the following:

  • Install firmware 6.46.1. Reboot. Then also the secondary part via the /system routerboard upgrade command. Reboot. Then reset everything via System / Reset Configuration unchecking No Default Configuration. Reboot. Now you have a base configuration.
  • Set the System / Clock manually to ensure the correct time.
  • Import the certs in the following order: CA, Client, then the PK. After importing, click Settings and uncheck CRL Download and Use CRL. Note the KT key with a MAC address for its Common Name.
  • Finally, implement this script (adjust with your values). Keep your overall configuration simple, very few firewall rules, etc. We don't care about that right now, we just want to see the EAP Success value in the capture.

/system identity set name=EAPOLTEST

# Create your LAN Bridge first
/interface bridge add name=BR_LAN protocol-mode=none vlan-filtering=no

# Add ports
/interface bridge port
add bridge=BR_LAN interface=ether2
# and so on yadda yadda

# WAN Port, set the MAC to your cert MAC on ether1
/interface ethernet set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00

# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no

# turn on the DHCP client
/ip dhcp-client add disabled=no interface=ether1

# turn on the Dot1x interface, use your MAC
/interface dot1x client add certificate=Client_Cert.pem_0 eap-methods=eap-tls anon-identity=123 identity=123 interface=ether1

# setup your firewall
/ip firewall filter
# yadda yadda

# NAT
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 comment="Default masq"

# reboot, then turn on the Packet Sniffer tool
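The capture triage the posts above describe (an EAPOL Start that must end in an EAP Success, and a DHCP offer arriving with an 802.1Q tag carrying VLAN ID 0 and DSCP CS6) can be reproduced offline on raw frames. The Python below is an added example written for this page; it is not code from the thread, from wojo's setup, or from MikroTik. The MAC addresses, the frames and the capture sequence are constructed for illustration, and the EAPOL/EAP and IPv4 field offsets follow IEEE 802.1X and the IPv4 header layout. It peels a VID 0 priority tag the way a VLAN-aware switch does on an untagged port, reads the DSCP field, and labels EAPOL/EAP and DHCP frames the way the VLAN and DSCP columns in the Wireshark screenshots do.

```python
"""Triage a WAN-side capture: 802.1X outcome, VLAN 0 priority tags and DSCP per frame."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START = 0, 1             # EAPOL packet types (IEEE 802.1X)
EAP_CODES = {1: "EAP Request", 2: "EAP Response", 3: "EAP Success", 4: "EAP Failure"}
DSCP_NAMES = {0: "CS0", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4", 40: "CS5", 48: "CS6", 56: "CS7"}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into fields, peeling one 802.1Q tag if present."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = {"pcp": tci >> 13, "vid": tci & 0x0FFF}
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": frame[:6], "src": frame[6:12], "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_priority_tag(frame: bytes) -> bytes:
    """Drop the 802.1Q header only when it carries VID 0 (a priority tag, not a real VLAN).
    This is what a VLAN-aware switch does for an untagged PVID port; a tag with a
    non-zero VID is left untouched so real VLANs are not silently flattened."""
    info = parse_frame(frame)
    if info["vlan"] and info["vlan"]["vid"] == 0:
        return frame[:12] + frame[16:]
    return frame


def classify(frame: bytes) -> dict:
    """Label a frame the way the thread's Wireshark columns do: VLAN id, DSCP and what it is."""
    info = parse_frame(frame)
    p = info["payload"]
    label, dscp = "other", None
    if info["ethertype"] == ETHERTYPE_EAPOL and len(p) >= 4:
        if p[1] == EAPOL_START:
            label = "EAPOL-Start"
        elif p[1] == EAPOL_EAP_PACKET and len(p) >= 8:
            label = EAP_CODES.get(p[4], f"EAP code {p[4]}")   # EAP code follows the 4-byte EAPOL header
        else:
            label = f"EAPOL type {p[1]}"
    elif info["ethertype"] == ETHERTYPE_IPV4 and len(p) >= 20:
        ihl = (p[0] & 0x0F) * 4
        dscp = p[1] >> 2                                      # top six bits of the ToS byte
        label = "IPv4"
        if p[9] == 17 and len(p) >= ihl + 4:                  # UDP: look at the ports
            sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
            if {sport, dport} <= {67, 68}:
                label = "DHCP"
    return {"vlan_id": info["vlan"]["vid"] if info["vlan"] else None,
            "dscp": DSCP_NAMES.get(dscp, f"DSCP{dscp}") if dscp is not None else None,
            "label": label}


def handshake_succeeded(frames) -> bool:
    """True when an EAPOL-Start is followed, later in the capture, by an EAP Success."""
    labels = [classify(f)["label"] for f in frames]
    if "EAPOL-Start" not in labels:
        return False
    return "EAP Success" in labels[labels.index("EAPOL-Start"):]


# --- constructed sample frames; MACs and contents are made up, not from a real capture ---
SUPPLICANT_MAC = bytes.fromhex("001122334455")   # stands in for the MAC in the certificate CN
ONT_SIDE_MAC = bytes.fromhex("66778899aabb")     # stands in for whatever answers beyond the ONT


def eth(dst, src, ethertype, payload, vid=None, pcp=0):
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4_udp(sport, dport, dscp, body=b"\x00" * 8):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff")
    return ip + udp


FRAME_EAPOL_START = eth(PAE_GROUP_MAC, SUPPLICANT_MAC, ETHERTYPE_EAPOL, bytes([1, 1, 0, 0]))
FRAME_EAP_SUCCESS = eth(SUPPLICANT_MAC, ONT_SIDE_MAC, ETHERTYPE_EAPOL, bytes([1, 0, 0, 4, 3, 1, 0, 4]))
FRAME_DHCP_OFFER = eth(SUPPLICANT_MAC, ONT_SIDE_MAC, ETHERTYPE_IPV4, ipv4_udp(67, 68, 48), vid=0)
SAMPLE_CAPTURE = [FRAME_EAPOL_START, FRAME_EAP_SUCCESS, FRAME_DHCP_OFFER]

if __name__ == "__main__":
    for f in SAMPLE_CAPTURE:
        print(classify(f))
    print("handshake ok:", handshake_succeeded(SAMPLE_CAPTURE))
    print("offer after tag strip:", classify(strip_priority_tag(FRAME_DHCP_OFFER)))
```

To run it against a real capture, replace SAMPLE_CAPTURE with the raw frame bytes read from the pcap the Packet Sniffer tool wrote; the point of strip_priority_tag is that only the VID 0 case is touched, which is the same distinction the thread makes between a priority tag the router must tolerate and a real VLAN it must not confuse with it.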
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 5:59 pm

Here is my configuration with my modification. This one is without the WAN Bridge, the first screenshot was with the WAN Bridge. I removed the real MAC address for this post.
My first interface is combo1, then I have ether1....ether7
The RouterOS is 6.46.1

/system identity
set name=Mikrotik
# Create your LAN Bridge first
/interface bridge
add name=BR_LAN protocol-mode=none vlan-filtering=no
# Add their ports
/interface bridge port
add bridge=BR_LAN interface=ether1
add bridge=BR_LAN interface=ether2
add bridge=BR_LAN interface=ether3
add bridge=BR_LAN interface=ether4
add bridge=BR_LAN interface=ether5
add bridge=BR_LAN interface=ether6
add bridge=BR_LAN interface=ether7
# WAN Port, now set the MAC to your cert MAC on combo1
/interface ethernet
set [ find default-name=combo1 ] mac-address=00:00:00:00:00:00
# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no
# turn on the DHCP client
/ip dhcp-client
add disabled=no interface=combo1
# turn on the Dot1x interface, use your MAC
/interface dot1x client
add certificate=Client_000000-000000000000.pem_0 eap-methods=eap-tls anon-identity=000000000000 identity=000000000000 interface=combo1
# setup your firewall
/ip firewall filter
# yadda yadda
# NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=combo1 comment="Default masq"
# turn on VLAN if desired
#/interface bridge set BR_LAN vlan-filtering=yes
# reboot

And this is the result (screenshot attached).
Last edited by jack2020 on Mon Dec 23, 2019 6:04 pm, edited 1 time in total.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:03 pm

Here is my configuration with my modification. I removed the real MAC address for this post.

For the wireshark output, please put the VLAN and DSCP values to the left of the Info column, so we can see them.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:50 pm

Here is the capture with the info requested. This one is without the bridge. I see no activity for the authentication, only EAPOL Start and failure.
(screenshot attached)
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:54 pm

This one with the Bridge.
(screenshot attached)
 
wojo
newbie
Posts: 29
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 7:07 pm

Here is my configuration with my modification. This one is without the WAN Bridge, the first screenshot was with the WAN Bridge. I removed the real MAC address for this post.

Hmm, the EAPOL process is failing for sure. You get the identity request, but the Tik doesn't even try to respond.

Could you use "export hide-sensitive" and also mask the MACs so we can see the exact config? I haven't tested all these combos of potential errors (they are just from memory), but I believe I saw that status when one of these was wrong. Ensure that:
  • the certificate imported has KT flags (aka has the private key in addition to the public key, and also is trusted)
  • the rest of the cert chain is installed, 5 additional certs for me (Motorola Intermediate, Motorola Root CA, System Infrastructure Root CA, ATT Services Inc Root CA and Frontier-RootCA)
  • on dot1x the identity and anon-identity MACs are set to the cert MAC (your example doesn't have the colons, just from your redaction?)
  • the interface has the MAC address overridden to the cert MAC via the CLI
  • the cert MAC is correct (see commands below)
  • dot1x use-crl must be no
  • the MAC address is not on any other interface (I've done that while testing with many different ports, moving stuff around)
  • system clock is correct
  • that port is connected directly to ONT, and power cycle the ONT just in case

Check certificate CN for the MAC:

# openssl x509 -in Client-xxx.pem -text | grep Subject
        Subject: C=US, O=Motorola, Inc., CN=00:00:00:00:00:00/serialNumber=xxx
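The checklist above is mostly a consistency check between three places that must carry the same MAC: the certificate CN, the overridden interface MAC, and the dot1x identity and anon-identity fields, plus the CRL and EAP method settings. The Python below is an added example for this page, not code from the thread or from MikroTik: it parses the Subject line that the openssl command prints, parses a RouterOS export fragment (including the backslash line continuations an export emits), and reports every item that does not line up. The subject line, MAC, serial and file names in the sample are constructed.

```python
"""Pre-flight a RouterOS dot1x client config against the client certificate's CN.
Checks: CN MAC == WAN interface MAC == identity == anon-identity, MAC not reused on
another interface, eap-tls selected, crl-use off."""
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> str:
    """Canonical form: 12 lowercase hex digits, so colon and colon-less spellings compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def _is_mac(value: str, mac: str) -> bool:
    try:
        return normalize_mac(value) == mac
    except ValueError:          # placeholders such as "DEFAULT MAC ADDRESS" are simply not a match
        return False


def mac_from_subject(subject_line: str) -> str:
    """Pull the MAC out of an 'openssl x509 -text' Subject line whose CN is the MAC."""
    m = re.search(r"CN=([0-9A-Fa-f:.-]{12,17})", subject_line)
    if not m:
        raise ValueError("no MAC-shaped CN in subject line")
    return normalize_mac(m.group(1))


def _unwrap(export_text: str):
    """Yield logical lines, joining the backslash continuations RouterOS export emits."""
    buf = ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_export(export_text: str) -> dict:
    """Reduce an export to the parts the 802.1X checklist cares about."""
    cfg = {"ether_mac": {}, "dot1x": [], "cert_settings": {}}
    section = None
    for line in _unwrap(export_text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        pairs = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if section == "/interface ethernet" and "mac-address" in pairs:
            name = re.search(r"default-name=([\w-]+)", line) or re.search(r"(?<![\w-])name=([\w-]+)", line)
            if name:
                cfg["ether_mac"][name.group(1)] = pairs["mac-address"]
        elif section == "/interface dot1x client":
            cfg["dot1x"].append(pairs)
        elif section == "/certificate settings":
            cfg["cert_settings"].update(pairs)
    return cfg


def preflight(subject_line: str, export_text: str) -> list:
    """Return findings; an empty list means every checklist item is consistent."""
    findings = []
    cert_mac = mac_from_subject(subject_line)
    cfg = parse_export(export_text)
    if cfg["cert_settings"].get("crl-use", "yes") != "no":
        findings.append("certificate settings: crl-use must be no")
    if not cfg["dot1x"]:
        findings.append("no /interface dot1x client entry")
    for client in cfg["dot1x"]:
        wan = client.get("interface", "?")
        if client.get("eap-methods") != "eap-tls":
            findings.append(f"{wan}: eap-methods is not eap-tls")
        for key in ("identity", "anon-identity"):
            if not _is_mac(client.get(key, ""), cert_mac):
                findings.append(f"{wan}: {key} is not the certificate MAC")
        wan_mac = cfg["ether_mac"].get(wan)
        if wan_mac is None or not _is_mac(wan_mac, cert_mac):
            findings.append(f"{wan}: mac-address is not overridden to the certificate MAC")
        others = [i for i, m in cfg["ether_mac"].items() if i != wan and _is_mac(m, cert_mac)]
        if others:
            findings.append(f"certificate MAC also set on {', '.join(others)}")
    return findings


# --- constructed sample input; the MAC, serial and file names are made up ---
SAMPLE_SUBJECT = "        Subject: C=US, O=Motorola, Inc., CN=D0:39:B3:12:34:56/serialNumber=xxx"
GOOD_EXPORT = """\
# constructed export fragment, not from a real router
/interface ethernet
set [ find default-name=ether1 ] mac-address=D0:39:B3:12:34:56
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=D0:39:B3:12:34:56 certificate=\\
    Client_00000000-000000000000.pem_0 eap-methods=eap-tls identity=\\
    D0:39:B3:12:34:56 interface=ether1
"""

if __name__ == "__main__":
    print("findings:", preflight(SAMPLE_SUBJECT, GOOD_EXPORT) or "none")
```

Feed it the Subject line from the openssl command above and the output of "export hide-sensitive"; an empty findings list does not prove the certificate chain is right, but it rules out the MAC and settings mistakes listed in the checklist before you start power-cycling the ONT.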
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 7:40 pm

- The certificate imported has the KT flags.
- I imported the first 3 certificates and then I finished with 6 certificates under certificates, including the Client with the KT flag.
- on my dot1x I tried both, with colon and without it. Same result.
- When I tried without the Bridge I use only one interface and override the MAC. When I tried with the bridge I left the interface with the original MAC.
- In the dot1x I uncheck both options for crl.
- The system clock and date are right.
- The port is connected to the ONT, and some of my test I power cycle the ONT.
- My config with the bridge "The bridge, interface and dot1x info". Like you posted before.
Nothing different than the suggested ones. I also reset the configuration without "Default config".

/interface ethernet set [find name=combo1] mac-address="DEFAULT MAC ADDRESS"
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=combo1
/interface dot1x client add anon-identity=xx:xx:xx:xx:xx:xx certificate=Client_00000-00000000.pem_0 eap-methods=eap-tls identity=xx:xx:xx:xx:xx:xx interface=combo1
/certificate settings set crl-use=no
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 8:01 pm

Just for info, I have AT&T Fiber 300MB with a DirecTV plan. I have no idea if they manage that account differently.
For my certificates I used the mfg_dat_decode utility for Linux and for Windows. Same result.
My first AT&T modem was a Pace, and then I changed it for a Motorola NVG589, the one that I have now.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 9:41 pm

Well, I have some more info. It seems that @jack2020 is correct: there can be a configuration where a bare interface, or even a bridge, will not be able to process EAPOL with a good certificate. Acting on wojo's switch chip theory, I am testing with a hEX PoE Lite, just to see what would happen. It has the Atheros8227 switch chip, which seems different from the others. With this unit, I'm having the same issues that jack2020 is having. My capture for reference.

Atheros8327.png
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 11:36 pm

Update

When working with the Atheros8227 switch chip, you must set vlan-mode=fallback on the WAN port. This enabled me to get the hEX PoE to work. Therefore, it seems that on some MikroTik boards, they will drop ingress packets that have a VLAN id of 0. Thus, you must account for this. Of note, I only use a bare interface. I didn't put the WAN port on a software bridge.

The question now. How to do this on the CCR1009 boards?

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 11:57 pm

Thanks for the update. Need to find the equivalent of that command, if not I'm going to return this router.
 
wojo
newbie
Posts: 29
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 3:31 am

...
- When I tried without the Bridge I use only one interface and override the MAC. When I tried with the bridge I left the interface with the original MAC.
...
Nothing different than the suggested ones. I also reset the configuration without "Default config".

/interface ethernet set [find name=combo1] mac-address="DEFAULT MAC ADDRESS"
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=combo1
/interface dot1x client add anon-identity=xx:xx:xx:xx:xx:xx certificate=Client_00000-00000000.pem_0 eap-methods=eap-tls identity=xx:xx:xx:xx:xx:xx interface=combo1
/certificate settings set crl-use=no

Ugh, it should have at least done dot1x successfully when standalone. In bridge mode though, the combo1 interface needs the MAC from the certificate. 802.1x is done on the interface level, not the bridge (in fact only works when disabled from the bridge per my script).

I'm lost :( You have the same router and it doesn't work like it does for me. Right now I'm stripping packets with another switch, but don't understand why it isn't working for you.

Update

When working with the Atheros8227 switch chip, you must set vlan-mode=fallback on the WAN port. This enabled me to get the hEX PoE to work. Therefore, it seems that on some MikroTik boards, they will drop ingress packets that have a VLAN id of 0. Thus, you must account for this. Of note, I only use a bare interface. I didn't put the WAN port on a software bridge.

The question now. How to do this on the CCR1009 boards?

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback

Good find. Other thing that may work is "vlan-header=always-strip" to get rid of the VLAN tag entirely as well.

I have an RB750Gr3 which doesn't have VLAN capabilities on the switch, so I'd have to resort to bridge VLAN filtering and do it in software, or my current method (a VLAN switch to strip it before the CCR1009).

What's interesting with devices that support hardware switch VLAN is these two things:

  • if it supports vlan-mode (and probably vlan-header) then you can fix up the packets marked with VLAN 0 and process them
  • if it supports VLAN rules on the switch, you can do fancy things like hook the ONT to port 1, forward ethertype = 0x888E (EAPOL) to port 2 on the RG, and the rest to the Mikrotik
    /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
    /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Still lost why jack2020 can't get it to work on the same exact model I have, the CCR1009-7G-1C (without switches). Hmm.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 5:12 am

Thanks for the update. Need to find the equivalent of that command, if not I'm going to return this router.

There is probably a way to process VLAN 0 with the CCR1009. I just don't own one to test. In the Winbox GUI (version 3.20), do you even have a Switch menu? Some of the older CCR's did have switch chips. The new ones do not.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 5:24 am

No Switch option; this is my menu.
(screenshot attached)
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 7:10 am

No Switch option, this is my menu.

Okay, well that makes sense, as there is no switch chip. Hmmm, I don't yet know how to accept anything over the WAN interface on the CCR1009. As wojo has explained, a carefully constructed bridge with vlan-filtering=yes should do it. But I don't know why it fails for you. If you can, please try using an RB4011 and see how it responds on your Fiber ONT.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 2:08 pm

In the end I returned it and bought an RB4011. I hope everything works fine when I receive the new model.
 
jweek
just joined
Posts: 4
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 10:51 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John
 
wojo
newbie
Posts: 29
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 2:17 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John

Well this is interesting, same configuration and service as me.

If you don't mind sending your certs to me via PM, I can try loading them and see if I can ensure they work. Mine are known working so this could be interesting to just verify it's not that.

I'll also do an export of my config for you and strip anything not related so you can load it directly and just change the certs.

Other than that we will have controlled all other internal variables.
 
jweek
just joined
Posts: 4
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 7:35 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John

Well this is interesting, same configuration and service as me.

If you don't mind sending your certs to me via PM, I can try loading them and see if I can ensure they work. Mine are known working so this could be interesting to just verify it's not that.

I'll also do an export of my config for you and strip anything not related so you can load it directly and just change the certs.

Other than that we will have controlled all other internal variables.

Wojo,

Sounds like a great plan! I can't seem to figure out how to pm here, so if you could pm me your config, I'll load it with my certs and give it a try. If that doesn't work, I'll send you my certs for testing.

Thanks,

John
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 9:26 pm

If anyone is up for sending me a CCR1009 (the new one without any switch chips), I would like to solve this puzzle.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 9:33 pm

In the end I returned it and bought an RB4011. I hope everything works fine when I receive the new model.

I will help you!
: - )
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 11:55 pm

Thanks for all the help received. Just waiting for the other router to arrive, I hope that by putting everything as indicated in the instructions, it will work on the first attempt and nothing special in my area.
 
planetcoop
Member Candidate
Member Candidate
Posts: 120
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 5:40 pm

Is this configuration specific to the RB4011 with the VLAN 0 AT&T RG bypass or supplicant?

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 6:07 pm

Is this configuration specific to the RB4011 with the vlan0 att RG bypass or supplicant?
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
etc...

I don't follow your question. The default values on an RB4011, for whatever reason as determined by MikroTik, do set default-vlan-id to a 0. It appears to help with our requirements. Is it working for you?
 
planetcoop
Member Candidate
Member Candidate
Posts: 120
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 9:22 pm

It's working great. I have been able to DHCP the WAN interface and statically set a second port to my LAN block range. I have also been able to request the IPv6 /60 delegation and statically assign addresses to interfaces and route accordingly.

I am using the supplicant method on a rb4011 to act as the carrier L3 hand-off and then whatever is behind it can be physical or virtual in a static block range.

Great work here, here is my short anonymous configuration (don't forget to secure your device and network):

/interface ethernet
set [ find default-name=ether1 ] mac-address=D0:39:B3:XX:XX:XX
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
/certificate settings
set crl-use=no
/interface dot1x client
add anon-identity=D0:39:B3:XX:XX:XX certificate=\
Client_00XXXXXX6-22XXXXXX.pem_0 eap-methods=eap-tls identity=\
D0:39:B3:XX:XX:XX interface=ether1
/ip address
add address=68.4.19.94/27 interface=ether2 network=68.4.19.64
/ip dhcp-client
add disabled=no interface=ether1
add default-route-distance=1 disabled=no interface=bonding1
/ipv6 address
add address=2600:1700:390:c51::1 advertise=no interface=ether2
/ipv6 dhcp-client
add add-default-route=yes interface=ether10 pool-name=att pool-prefix-length=60 \
request=address,prefix
/ipv6 route
add distance=1 dst-address=2600:1700:390:c50::/60 gateway=\
2600:1700:390:cc51::90
 
planetcoop
Member Candidate
Member Candidate
Posts: 120
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 3:19 am

I have just tested the config on the 3011 and don't seem to be able to get VLAN 0 working like the RB4011 does. :(
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 6:04 am

I have just tested the config on the 3011 and don't seem to be able to get VLAN 0 working like the RB4011 does. :(

You'll have to do something like this:

/interface ethernet switch port
set ether1 vlan-mode=fallback
 
planetcoop
Member Candidate
Member Candidate
Posts: 120
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 9:15 am

I have tested that with no better results. :(
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 4:14 pm

I have tested that with no better results. :(

Well, sorry to hear that. What this is coming down to is that we need RouterOS to have better support for 802.1p tags.
 
jack2020
just joined
Posts: 22
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 8:44 pm

Thanks for all your help. Today I received the RB4011 and everything works as expected, at the first try.
 
planetcoop
Member Candidate
Member Candidate
Posts: 120
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 30, 2019 12:14 am

I have purchased a second 4011 for the new cert supplicant method. Works like a charm every time. :)
 
jweek
just joined
Posts: 4
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 30, 2019 3:52 am

I have tested that with no better results. :(

Well, sorry to hear that. What this is coming down to is that we need RouterOS to have better support for 802.1p tags.
I agree, it seems to be the issue I'm facing as well. I was hoping to get wojo's config and give it a try, but I may have to return my ccr and purchase something else.
 
wojo
newbie
Posts: 29
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 30, 2019 4:03 am

I have tested that with no better results. :(

Well, sorry to hear that. What this is coming down to is that we need RouterOS to have better support for 802.1p tags.
I agree, it seems to be the issue I'm facing as well. I was hoping to get wojo's config and give it a try, but I may have to return my ccr and purchase something else.
I also picked up a 4011 with a good deal so I'm going to be switching (get it?!) as well. The CCR1009 is really overkill for the home anyway and this lets me either not have those scripts or the external switch I use not to strip the tags.
 
wojo
newbie
Posts: 29
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 04, 2020 7:10 am

I also picked up a 4011 with a good deal so I'm going to be switching (get it?!) as well. The CCR1009 is really overkill for the home anyway and this lets me either not have those scripts or the external switch I use not to strip the tags.

Set up the RB4011 today and all is going smooth, no longer need to play tricks with the script or external switch. A much simpler setup, and cheaper than the CCR1009 as well!
 
jweek
just joined
Posts: 4
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 04, 2020 6:29 pm

I also picked up a 4011 with a good deal so I'm going to be switching (get it?!) as well. The CCR1009 is really overkill for the home anyway and this lets me either not have those scripts or the external switch I use not to strip the tags.

Set up the RB4011 today and all is going smooth, no longer need to play tricks with the script or external switch. A much simpler setup, and cheaper than the CCR1009 as well!

Agree, RB4011 up and running smooth here, thx all for the assist!
 
archerious
newbie
Posts: 29
Joined: Sun Aug 26, 2018 7:50 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Jan 16, 2020 11:06 am

Bridge Method

Overview:
If you know anything about this option, then you know it has gone by several names: dumb switch bypass, eap-proxy, VLAN bypass, and true bridge mode. Well, they all share a common configuration in that they allow the ATT RG to handle the EAP-TLS protocol. After that, the RG can be powered down and removed. However, in the event of planned reboots or power failures, the ATT RG must be plugged back in. Naturally, the ATT RG can be allowed to stay powered on and ready as needed. Some have used special power adapters to turn the RG on and off automatically.


BridgeMethod.png


Details:
The diagram shows a yellow WAN bridge and a purple LAN bridge. The yellow bridge has temporary ports that enable the ATT RG to be nearly directly connected to the Fiber ONT. The bridge's MAC address is thus the same as the RG. After EAP-TLS authentication occurs, the ether2 port is set to disabled. Standard routing and firewalling can then occur. The ATT RG can be removed or left on as desired.

Scripting:
MikroTik is powered by RouterOS. So, we can create bridges, add or remove ports, turn things on and off, all automatically with the included scripting ability. We are able to do a lot with a single hardware device. This method therefore uses some special scripts to accomplish our goal. Apply this script to your hardware.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway Bypass using only a single MikroTik. No separate hardware or switch
# needed. Automatic recovery from reboot or power loss.
#
# Tested on the RB4011
#
# Date:   12-20-2019
# Topic:  https://forum.mikrotik.com/viewtopic.php?t=154954
#
##################################################################################################


##################################################################################################
# HOW TO INSTALL:
#
# 1) Reset MikroTik (/system reset-configuration) and reboot.
#
# 2) Edit "admin-mac=00:00:00:00:00:00" below to be your ATT RG MAC address.
#
# 3) With only the MikroTik turned on and nothing plugged in, apply this config file.
#
# 4) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 5) Reboot the MikroTik. The included script takes 3 minutes for automatic RG and ONT syncing.
##################################################################################################

# We will create two bridges. One for the LAN and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client to pull an IP from the ATT ONT
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Add the script that enables automatic recovery from reboot or power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN preferences
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add chain=input action=accept   connection-state=established,related comment="Allow established related"
add chain=input action=accept   in-interface=Bridge_LAN comment="Allow LAN"
add chain=input action=accept   protocol=icmp comment="Allow Ping"
add chain=input action=drop     comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Allow established related"
add chain=forward action=accept connection-state=new in-interface=Bridge_LAN comment="Allow LAN"
add chain=forward action=accept connection-nat-state=dstnat in-interface=Bridge_WAN comment="Allow port forwards"
add chain=forward action=drop   comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

# Example rule table switching for better performance if hardware support (RB3011, CCR1009).
# /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
# /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Thank you for your hard work, I want to report a possible bug or perhaps it's AT&T causing this, but lately I can't even go past seven days of uptime before getting "rebinding" or "searching". I then need to restart the router and AT&T Gateway. Since I work night-shift my wife has been inconvenienced with no internet for hours. We're cord-cutters so no internet is a bit rough, and frankly I don't trust her to try to restart the modem or router.

Any idea why RB4011 on 6.46.1 is consecutively since late December needing reboots every seven days?

Some pics below (screenshots of the router status, taken January 7th and January 15th; images not preserved here).

PS: One thing that I noticed is the AT&T gateway has a green light then under it a red light with the AT&T Mikrotik bridge bypass. However with Ubiquiti's EAP Proxy method it would have two green lights on the AT&T gateway. Not sure if perhaps the issue is simply caused by the EAP-Proxy method allowing authentication more times or well tbh it's out of my scope.
RB4011 Former: ER4
CRS309 Former: Ubiquiti XG-16
Edgeswitch 10X
Mikrotik CSS326
AT&T Fiber 1000/1000
https://i.imgur.com/CREztz2.png
 
pcunite
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 17, 2020 7:09 pm

Thank you for your hard work, I want to report a possible bug or perhaps it's AT&T causing this, but lately I can't even go past seven days of uptime before getting "rebinding" or "searching". I then need to restart the router and AT&T Gateway. Since I work night-shift my wife has been inconvenienced with no internet for hours.

Any idea why the RB4011 on 6.46.1, is consecutively since late December, needing reboots every seven days?

PS: One thing that I noticed is the AT&T gateway has a green light then under it a red light with the AT&T MikroTik bridge bypass. However with Ubiquiti's EAP Proxy method it would have two green lights on the AT&T gateway. Not sure if perhaps the issue is simply caused by the EAP-Proxy method allowing authentication more times or well tbh it's out of my scope.

The EAP-Proxy method can handle any issues that occur on AT&T's end which is why some people like it. The MikroTik script is not perfect in that regard because it effectively cuts off the RG Gateway after EAP. The script also does not check to see if the internet is still up. Would not be hard to add a ping check to a DNS server, reboot if you can't get a reply to improve it. That would restart EAP and get you going.

However, I recommended getting certs. Buy used off eBay. They work very well and handle all situations, like when the ONT loses power (maybe AT&T is working in your neighborhood?). If you don't want to go the cert route, you need to improve the script by making it reboot when it can't get an IP.
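The ping-and-reboot watchdog suggested above, written out as an added example (not pcunite's or the thread's own script). It assumes the Bridge_WAN bridge and the OnRebootATT script from the Bridge Method config posted earlier, uses 9.9.9.9 as a constructed reachability target, and goes one step further than a plain reboot: after three consecutive misses it first re-runs OnRebootATT so the RG can redo EAP-TLS, and only reboots if the link is still down after that.

```routeros
# WanWatchdog (added example): paste as the source of /system script add name=WanWatchdog
# and run it every 5 minutes from the scheduler. Counts consecutive failed checks in a
# global so the count survives between runs (it resets on reboot, which is what we want).
:global wanFailCount
:if ([:typeof $wanFailCount] = "nothing") do={ :set wanFailCount 0 }

# Constructed check target; any address that is reliably reachable from the WAN will do.
:local pingTarget 9.9.9.9
:local pingCount 3

# 1) Is the DHCP client on Bridge_WAN actually bound? The symptoms reported in the thread
#    ("rebinding", "searching") show up here as the status string.
:local dhcpStatus [/ip dhcp-client get [find interface=Bridge_WAN] status]

# 2) Do ICMP echoes get through? /ping returns the number of replies received.
:local replies [/ping $pingTarget count=$pingCount]

:if (($dhcpStatus = "bound") && ($replies > 0)) do={
    :set wanFailCount 0
} else={
    :set wanFailCount ($wanFailCount + 1)
    :log warning ("WanWatchdog: WAN check failed (dhcp=" . $dhcpStatus . ", replies=" . \
        $replies . "/" . $pingCount . ", strike " . $wanFailCount . ")")
}

# Three consecutive misses (about 15 minutes): re-enable ether2 via the existing script so
# the RG is visible to the ONT again and can redo EAP-TLS. This call blocks for ~3 minutes.
:if ($wanFailCount = 3) do={
    :log warning "WanWatchdog: re-running OnRebootATT to redo EAP-TLS"
    /system script run OnRebootATT
}

# Still down two checks after the EAP retry: fall back to the full reboot pcunite suggested.
:if ($wanFailCount >= 6) do={
    :log error "WanWatchdog: WAN still down after EAP retry, rebooting"
    /system reboot
}
```

Schedule it with `/system scheduler add name=WanWatchdog interval=5m on-event="/system script run WanWatchdog"`; the 5-minute interval leaves room for the 3-minute delay inside OnRebootATT so runs do not overlap.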
 
archerious
newbie
Posts: 29
Joined: Sun Aug 26, 2018 7:50 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 17, 2020 9:45 pm

Thank you for your hard work, I want to report a possible bug or perhaps it's AT&T causing this, but lately I can't even go past seven days of uptime before getting "rebinding" or "searching". I then need to restart the router and AT&T Gateway. Since I work night-shift my wife has been inconvenienced with no internet for hours.

Any idea why the RB4011 on 6.46.1, is consecutively since late December, needing reboots every seven days?

PS: One thing that I noticed is the AT&T gateway has a green light then under it a red light with the AT&T MikroTik bridge bypass. However with Ubiquiti's EAP Proxy method it would have two green lights on the AT&T gateway. Not sure if perhaps the issue is simply caused by the EAP-Proxy method allowing authentication more times or well tbh it's out of my scope.

The EAP-Proxy method can handle any issues that occur on AT&T's end which is why some people like it. The MikroTik script is not perfect in that regard because it effectively cuts off the RG Gateway after EAP. The script also does not check to see if the internet is still up. Would not be hard to add a ping check to a DNS server, reboot if you can't get a reply to improve it. That would restart EAP and get you going.

However, I recommended getting certs. Buy used off eBay. They work very well and handle all situations, like when the ONT loses power (maybe AT&T is working in your neighborhood?). If you don't want to go the cert route, you need to improve the script by making it reboot when it can't get an IP.

Thank you for the reply, is buying the certs themselves possible or do I need to specifically buy a NVG510 with specific firmware or has downgrading become easier?

Thanks again for replying, really appreciate it.
 
pcunite
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 18, 2020 5:07 am

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

Send me an email at:
pcunite [the email symbol] outlook [the period symbol] com
 
archerious
newbie
Posts: 29
Joined: Sun Aug 26, 2018 7:50 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 18, 2020 9:21 am

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

Send me an email at:
pcunite [the email symbol] outlook [the period symbol] com

I sent the email, thank you
 
archerious
newbie
Posts: 29
Joined: Sun Aug 26, 2018 7:50 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Jan 21, 2020 7:31 am

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

Send me an email at:
pcunite [the email symbol] outlook [the period symbol] com

I am an idiot. I barely realized, duh, .der isn't .pem....lol. Sorry, long day at work and I'm dumb.
 
archerious
newbie
Posts: 29
Joined: Sun Aug 26, 2018 7:50 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Jan 21, 2020 7:49 am

This is amazing. The 802.1x method was incredibly easy once converted to .pem.
 
pcunite
Forum Guru
Topic Author
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Jan 21, 2020 5:03 pm

This is amazing. The 802.1x method was incredibly easy once converted to .pem.

Enjoy! It is a really nice solution.
 
Oosik411
just joined
Posts: 2
Joined: Fri Jan 24, 2020 6:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 24, 2020 6:23 am

Would either method work with a hex RB750Gr3?

If I went the supplicant route where do I find certificates to use? I searched eBay and google but only found how they are extracted on older boxes. I have a 5268ac.
 
archerious
newbie
Posts: 29
Joined: Sun Aug 26, 2018 7:50 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 24, 2020 8:29 am

Would either method work with a hex RB750Gr3?

If I went the supplicant route where do I find certificates to use? I searched eBay and google but only found how they are extracted on older boxes. I have a 5268ac.

I'm running wpa_supplicant on MikroTik and tested on ER4. It worked. You can use a NVG589's keys even if AT&T provided a BGW210. EAP-TLS only auths the device.

The AAA server simply whitelists most gateway models and the actual subscriber level auth is done by SLID or ONT's serial number.

TLDR: The keys can be for a NVG589 and work even if AT&T gave you a BGW210 or 5268AC.
 
Oosik411
just joined
Posts: 2
Joined: Fri Jan 24, 2020 6:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 24, 2020 9:24 pm

Would either method work with a hex RB750Gr3?

If I went the supplicant route where do I find certificates to use? I searched eBay and google but only found how they are extracted on older boxes. I have a 5268ac.
I'm running wpa_supplicant on MikroTik and tested on ER4. It worked. You can use a NVG589's keys even if AT&T provided a BGW210. EAP-TLS only auths the device.

The AAA server simply whitelists most gateway models and the actual subscriber level auth is done by SLID or ONT's serial number.

TLDR: The keys can be for a NVG589 and work even if AT&T gave you a BGW210 or 5268AC.

How do I find these keys? Maybe I'm not searching the right terms or do I need to buy an old NVG box and extract keys myself?
 
archerious
newbie
Posts: 29
Joined: Sun Aug 26, 2018 7:50 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 24, 2020 9:30 pm

Would either method work with a hex RB750Gr3?

If I went the supplicant route where do I find certificates to use? I searched eBay and google but only found how they are extracted on older boxes. I have a 5268ac.
I'm running wpa_supplicant on MikroTik and tested on ER4. It worked. You can use a NVG589's keys even if AT&T provided a BGW210. EAP-TLS only auths the device.

The AAA server simply whitelists most gateway models and the actual subscriber level auth is done by SLID or ONT's serial number.

TLDR: The keys can be for a NVG589 and work even if AT&T gave you a BGW210 or 5268AC.
How do I find these keys? Maybe I'm not searching the right terms or do I need to buy an old NVG box and extract keys myself?

That's the most common way, the NVG589 and NVG510 are like $5-$10 on eBay used. You could buy one and extract the certs. Once you have the .der files you then use a tool to convert them to .pem files. Then you follow pcunite's guide to add the keys to the MikroTik router.