Anybody ues AT&T Gigabit Fiber with Mikrotik RouterOS?

networknoob88 · Mon Jul 23, 2018 11:43 pm

I'm about to have AT&T Fiber 1000 installed for use with my new CCR1009-7G. The AT&T modem/gateway is a terrible piece of equipment with no bridge-mode and has low NAT table limit. Yet, the AT&T fiber uses some authentication protocol that requires a certificate installed in their own gateway so one cannot simply plug the AT&T line into a real router and call it a day.

Ubiquiti EdgeRouter users have come up with ways to enable bridge mode by routing the authentication traffic through the AT&T gateway, while routing the Internet traffic through the router, effectively bypassing the gateway and realizing true bridge mode. A sample guide can be seen here.

Since MT/RouterOS, especially the CCR, is a much more powerful and sophisticated router, I believe it should be capable of achieving the same bypass. Unfortunately I'm fairly new at this whole networking thing and am really just in the "guide following" stage. I wonder if anyone here has experience with RouterOS + AT&T Fiber bypass.

Thanks!

pcunite · Tue Jan 15, 2019 9:14 pm

UPDATE

Please read my new article on this subject. This thread is no longer current.

.

anav · Tue Jan 15, 2019 9:27 pm

You dont need the att modem/gateway because its not really a modem at least for the internet, all it does is provide a ready made vlan setting for you.

I have my mickrotik directly connected to the ONT, ONT to me means fiber to ethernet modem. Its this device that needs to be registered to your account for ethernet etc....
If that is your case you should be able to do the same. For example our internet on bell uses VLAN35.

The so called modem/gateway of which you speak has been off gathering dust for years. If I used TV from the provider I would have needed it to negotiate the TV vlan, multicast and Q0s protocols, but one can use the router to do that as well but tis complicated. I was close to doing that on an older Zyxel Router as they had recently upgraded software to handle the QoS packets but unfortunately the upgrade included all facets of router use EXCEPT INITIAL CONTACT and handshaking where I needed it the most LOL. I have no doubt its all doable with Mikrotik but I have since cancelled provided TV and gone full digital streaming (only need internet).

pcunite · Tue Jan 15, 2019 11:03 pm

You don't need the att modem/gateway because its not really a modem at least for the internet, all it does is provide a ready made vlan setting for you. I have my MikroTik directly connected to the ONT, ONT to me means fiber to ethernet modem. Its this device that needs to be registered to your account for ethernet etc. If that is your case you should be able to do the same. For example our internet on bell uses VLAN35.

That is what I thought. Could you translate this for me? I'll do the work, just wondering if it makes sense to you.

pcunite · Wed Jan 16, 2019 4:21 pm

This post by rajl explains it in more technical detail.

AT&T's supplied Residential Gateway, aka RG router (an BGW210-700 in my case) use embedded certificates and the EAPOL protocol to authenticate with their ONT (Alcatel-Lucent G-010G-A) and to their upstream equipment.

Thus, at least initially, the sending of EAPOL packets to the RG and ONT must occur. Then you can do work arounds to send everything else to your MikroTik. Here is an interesting solution.

anav · Wed Jan 16, 2019 6:12 pm

pcunite, I havent read the links but its highly likely that that authentication is strictly for the TV or perhaps TV, telephone services.
I use VOIP for home phone and digital streaming so I dont care.
I did have TV temporarily and when I did I used the modem gateway for the initial connection and then routed the internet through my router and used the Cable connectors on the modem gateway to carry TV signal to the house (thus I used it but not for internet). The initial connection was for the TV signal and not the internet.

Will go read the links now.

Okay the obvious challenge from the first link is ATT uses vlan0, my Bell fiber is using vlan35.
In my case, the technician, when I refused the all in one box. Used the available phone jack on the new ONT, to program it.
Then he phoned in and authorized the number of the box or vice versa given a number over the phone from central he plugged a number into the ONT.
So the ONT is coded appropriately and no modem/gateway device is required.
I just plug my router in creating vlan35 and magic!!

I would be curious in your setup if you did the same thing.
Setup the mikrotik with the same gateway information (assuming you have a way of sniffing traffic to get your IP and gateway IP etc) plug it all in and the unplug the cable from the ONT from the att device into your ether1 (for example) and see if it you get connectivity??

The only thing you may require is to spoof the mack of your modem gateway onto the mikrotik if there is some reason it checks this periodically etc.......

Its not clear if you require TV or just internet. If just internet call ATT and just say you want an ONT for internet and they should be able to set it up.

trace323 · Wed Jan 16, 2019 10:20 pm

My friend has AT&T Giga Fiber. he had to set their device to bridge mode and it worked without issues.

pcunite · Sat Jan 19, 2019 12:36 am

UPDATE

Please read my new article on this subject. This thread is no longer current.

.
.
.

Good news folks, you don't need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!

The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4Ghz CPU. Please test with your 1Gbps plan.

This working sample also has automatic recovery from power loss too!

A complete working, start to finish, example. Instructions and step by step included.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################

##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT sycing.
##################################################################################################

# Create two bridges. One for your network and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

Example rule table switching for better performance. If your hardware supports it.

# Example rule table switching for better performance.
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

sebastia · Sat Jan 19, 2019 12:52 am

/interface ethernet switch rule ...
unfortunately 4011 doesn't do that in hardware: https://wiki.mikrotik.com/wiki/Manual:S ... troduction

why not use a cheap Tik with better switch in front? (or instead of 4011 altogether...) ex hAP ac2

Medikit · Tue Feb 05, 2019 6:12 pm

I tried this with gigabit internet using my RB3011 including your switch rule. Speed is still reduced (getting about 450/450 max), I'm not sure if it's a hardware limitation. CPU-used maxes at 50% during a speed test and cpu-used-per-cpu at up to 90%, 5%.

Good news folks, you don't need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!

The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4Ghz CPU. Please test with your 1Gbps plan.

This working sample also has automatic recovery from power loss too!

A complete working, start to finish, example. Instructions and step by step included.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################

##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT sycing.
##################################################################################################

# Create two bridges. One for your network and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

# Example rule table switching for better performance. How to make this work on the RB4011?
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

inmultec · Wed Feb 06, 2019 8:34 am

pcunite, I have att fiber 1gb with tv... how do I keep the tv running and use my rb3011 to do the internet stuff.. any ideas.

Also, there is a mention of a vlan0 but in the set up I dont see it mentioned, is that te vpid 111?

I have taken my uverse boxes to my other location (outside the US) and have them working via eoip and bridging that with a port connected to another lan port from the gateway/modem... I do other heavy lifting with my fiber connection and I do feel there is some latency issues probably because of the limited nat muscle of the 210-700.

inmultec · Wed Feb 06, 2019 3:32 pm

Did you have to setup any vlan0 if so where, how?

Did you turn on fasttrak?

I am willing to go to a CCR1009 or CCR1016-12G if that's what it takes to make it to 1gbps, but I need to also run uverse TV...

I tried this with gigabit internet using my RB3011 including your switch rule. Speed is still reduced (getting about 450/450 max), I'm not sure if it's a hardware limitation. CPU-used maxes at 50% during a speed test and cpu-used-per-cpu at up to 90%, 5%.

Good news folks, you don't need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!

The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4Ghz CPU. Please test with your 1Gbps plan.

This working sample also has automatic recovery from power loss too!

A complete working, start to finish, example. Instructions and step by step included.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################

##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT sycing.
##################################################################################################

# Create two bridges. One for your network and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

# Example rule table switching for better performance. How to make this work on the RB4011?
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

pcunite · Wed Feb 06, 2019 5:00 pm

@inmultec,

The configuration I've posted is exactly what I'm doing. Give it a try and I'll help you work out any issues. With regards to TV service, I don't have that. This posts seem to indicate that IGMP is needed to make that work.

inmultec · Wed Feb 06, 2019 5:57 pm

Thanks. I will give it a test run when I am there... That nat table on the att modems slows down right with alot of usage? I have a vpn server running on the mtk and have many friends and fam using it to get geolocation workaround, alot of netflixing and directvnow.... I want raw power on this connection. I can use a stronger mtk if need be... but I don't want to lose Uverse TV.... anyone? hehe

@inmultec,

The configuration I've posted is exactly what I'm doing. Give it a try and I'll help you work out any issues. With regards to TV service, I don't have that. This posts seem to indicate that IGMP is needed to make that work.

Medikit · Thu Feb 07, 2019 1:40 am

I forgot I deleted my fasttrak rules when I applied this new script. I just added these rules: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

Unfortunately still ~450/450

Edit: I did not change the VLAN to 0. I assume this method bypasses that.

Did you have to setup any vlan0 if so where, how?

Did you turn on fasttrak?

I am willing to go to a CCR1009 or CCR1016-12G if that's what it takes to make it to 1gbps, but I need to also run uverse TV...

nitrag · Sat Feb 09, 2019 7:07 pm

Following. I use the pseudo-bridge on AT&T gateway and max out at around 600. Would enjoy the full Gig....

Medikit · Wed Feb 27, 2019 4:41 pm

Just wanted to update: I performed bandwidth test from my router (87.121.0.45, neterra/neterra) and average Tx/Rx was 555/899. Note that CPU usage was up to 100% during this testing. I think the RB3011 isn't cutting it since Hardware offloading does not work with these settings for this router. I'm considering buying a CCR1009.

Edit: I want to add that as above I am only seeing 450/450 max from my connected devices whereas the router itself clearly can hit a gigabit as above though with 100% CPU usage. Seems like a hardware limitation to me.

nescafe2002 · Wed Feb 27, 2019 4:55 pm

You are considering buying a new device because it cannot saturate the connection using the built-in bandwith tester?

Even though RB3011 can handle 1Gpbs NAT traffic easily?

Keep in mind that the device has to actually generate the traffic and cannot use any of the hardware offload functions, therefore the bandwith test should not be used to measure traffic capacity of the device itself.

anav · Wed Feb 27, 2019 6:00 pm

No worries medkit, since that RB3011 seems really underpowered for your Huge network and I have a much smaller network please feel free to send it my way, I will pay postage.

Medikit · Wed Feb 27, 2019 8:17 pm

You are considering buying a new device because it cannot saturate the connection using the built-in bandwith tester?

Even though RB3011 can handle 1Gpbs NAT traffic easily?

Keep in mind that the device has to actually generate the traffic and cannot use any of the hardware offload functions, therefore the bandwith test should not be used to measure traffic capacity of the device itself.

So I'm only getting 450 mbps max on my desktops (see above posts) but 900mbps on the built-in bandwidth tester. If the Router could handle VLAN/switching more efficiently I think it wouldn't be a problem.

No worries medkit, since that RB3011 seems really underpowered for your Huge network and I have a much smaller network please feel free to send it my way, I will pay postage.

Trying to sell it at the moment. I am being a little ridiculous since my network is not that big and I could just use AT&T's supplied router but damn it, I want to use my own router.

Edit: Using an RB4011 now and speeds are great, 940/940 from my desktop.

november · Mon Apr 08, 2019 7:07 pm

One thing I haven't seen mentioned in this thread.

Do you still need to set the RG into bypass mode or should I reset that to defaults, too?

I'm going to apply this config today when I get home, so if anything I'll be able to test and pass on any additional info I find.

pcunite · Tue Apr 09, 2019 8:38 pm

Do you still need to set the RG into bypass mode or should I reset that to defaults, too?

Don't know, I think it does not matter what the RG is doing if you intend to power it off. Disable the Wifi feature would be at least one suggestion.

phin · Sat Apr 13, 2019 8:01 pm

Well was able to get mine going pretty easily on the RB3011. I am getting 900+ speeds, though it is taxing the CPU pretty hard. Would be awesome if we got VLAN/BONDING hw-offload in the furture.

My steps were pretty simple.

Kept my current Firewall configuration, which has fasttrak on the top and a pretty simple configuration, nothing to far out of stock other then my vpn tunnel stuff and some NAT firewall rules for some services.

Setup a bridge for wlan, placed both ether1 and ether 2 on. ONT into ether1, RB into ether2.

Setup vlan tagging on the bridge and placed pvid to 1. Frame type is admit all. STP set to none.

I then setup the switch rules as follows:

/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Works as expected. Survives reboots.

Only thing i am trying to possibly sort out, is to disable using vlan filtering on the bridge and somehow get it working on the switch chip level. One can hope.

archerious · Thu May 23, 2019 5:44 pm

Good news folks, you don't need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!

The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4Ghz CPU. Please test with your 1Gbps plan.

This working sample also has automatic recovery from power loss too!

A complete working, start to finish, example. Instructions and step by step included.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################

##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT sycing.
##################################################################################################

# Create two bridges. One for your network and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

Example rule table switching for better performance. If your hardware supports it.

# Example rule table switching for better performance.
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Thank you for this guide, unfortunately I am only getting 111mbps on the upload with my CCR-1009 bandwidth tests.

Actual downloads (such as torrents) rarely exceed 100/60 despite being on the 1000/1000 AT&T Fiber plan. Gateway is BGW-210. If I connect everything directly to BGW-210 I can seed 939mbps upload easily on the same busy torrents (Game of Thrones).

EDIT: Somehow fast path was checked off.....

. I'm stupid.

bitstorm · Fri May 31, 2019 8:45 am

Well was able to get mine going pretty easily on the RB3011. I am getting 900+ speeds, though it is taxing the CPU pretty hard. Would be awesome if we got VLAN/BONDING hw-offload in the furture.

My steps were pretty simple.

Kept my current Firewall configuration, which has fasttrak on the top and a pretty simple configuration, nothing to far out of stock other then my vpn tunnel stuff and some NAT firewall rules for some services.

Setup a bridge for wlan, placed both ether1 and ether 2 on. ONT into ether1, RB into ether2.

Setup vlan tagging on the bridge and placed pvid to 1. Frame type is admit all. STP set to none.

I then setup the switch rules as follows:

/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Works as expected. Survives reboots.

Only thing i am trying to possibly sort out, is to disable using vlan filtering on the bridge and somehow get it working on the switch chip level. One can hope.

So you didn't have to use the scripts, etc from above? Just a simple, bridge + vlan + switch rules? We're looking at getting ATT Fiber in a couple months, and would like to make this work with an rb4011 at full gigabit. I'm assuming with the 4011's CPU will probably be closer to 60% under load compared to the rb3011 maxing out? I'd rather have the extra headroom if that's the case.

I'm also considering picking up a static IP block, do you think I'll have any issue with that? I'd like to just throw a couple more ports into the WAN bridge and let the servers use the static IPs. Seems like that should be doable? Is there a specific gateway I should request? I found a post on r/homelab that recommended asking the tech to install a BGW210-700 Gateway.

https://www.reddit.com/r/homelab/commen ... _ip_block/

botcoder · Tue Jun 04, 2019 12:27 am

Hello,

Thanks for the instructions. I just got an RB4011 today. Just wanted a clarification with this method. ether2 connection is between the ATT RG ONT port and Mikrotik ? Asking because another user in the same thread reported success without an RG being involved. I am guessing if there is no TV service then EAPOL isn't involved ?

Good news folks, you don't need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!

The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4Ghz CPU. Please test with your 1Gbps plan.

This working sample also has automatic recovery from power loss too!

A complete working, start to finish, example. Instructions and step by step included.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################

##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT sycing.
##################################################################################################

# Create two bridges. One for your network and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

Example rule table switching for better performance. If your hardware supports it.

# Example rule table switching for better performance.
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

botcoder · Thu Jun 06, 2019 10:23 pm

I tried the method posted by @pcunite and I ran into some issues. ether1,ether2 on bridge with pvid=111. On my router broadband light and service light lit up green but I was not getting DHCP on ether1. Settings seemed ok. vlan_filtering=yes, admit-all set.

So I tried a different approach and for others who are interested in getting this to work on an RB4011 with the AT&T RG this works very well and I haven't seen a connection drop in 48 hours.

- if you have a spare switch connect ONT and RG to switch. Let EAPOL authentication go through. (Green on RG on Broadband+Service LEDS)
- on Mikrotik, create a bridge with only one port on it <ether1>. PVID can be default. vlan-filtering is yes and admit-all=yes. Run dhcp-client with peer-dns set to no (I prefer not to use ATTs)
- Set MAC to MAC of RG on the interface
- Ensure firewall rules specify the newly created bridge (I just added the bridge to my WAN interface list as my firewall rules already specify this list)
- Disconnect ONT cable from switch and connect it to ether1. Check if DHCP is received on the interface (ip->dhcp-client on web interface)
- Turn RG off.
My ONT is battery backed. But if I lose the connection then simply connect RG and ONT to switch-re-authenticate and re-connect ONT cable back to Mikrotik.

I am getting 940/900 consistently on speedtest.net on my main PC downstairs (connected by approximately a 100ft Cat5e). I am also seeing similar high Tx/Rx numbers on the bridge interface on the web mgmt page. I also have a CRS326 to connect in front in a router on a stick setup since I have about 15-20 cat5e connections at home (currently PC is connected directly to router port 3)

vikinggeek · Sat Jul 06, 2019 1:45 am

I have successfully implemented the bypass method both to a stand-alone ONT (bypassing a BGW210) as well as using a SFP fiber module to a Ciena eMUX 5150 series (bypassing a NVG595) and it is running very well. Additionally, I have created a script that automates the startup in case of a reboot (e.g. running out of UPS power). Before I release the scripts (based heavily upon work by @pcunite, THANK YOU!) I would like to enhance the solution. I have two questions:

1) In v6.45.1 there is now support for 802.1x or dot1x. I found a solution for pfSense that allows the RD to stay connected at all times and provide the 802.1x authentication when the ISP e.g. sends a certificate update. https://github.com/aus/pfatt. Any suggestion how to achieve this in ROS?

2) On my network, I'm running IPv6 to support team members that cannot get static IPv4 addresses any longer. At the latest node, AT&T have implemented dual stack or native IPv6. The IPv6 address is assigned dynamically (appears to be tied to the base IPv4 address or MAC address), but has not changed for the entire time including replacing the BGW210. The address is not assigned via DHCP IPv6. I have taken the /60 found on the BGW210 and statically assigned the subnets including the router address (which in IPv4 world is assign by DHCP). However, I would like to let the Mikrotik obtain this address. I assume that registering the fe80:: address for the upstream router interface would be good enough(?), but how is the /60 subnet being detected? Any clues what is going on or how to find out?

vikinggeek · Thu Jul 11, 2019 10:24 am

Wanted to report back that with the 6.45.1 upgrade the DHCPv6 client is working on the dual stack AT&T GPON network. I now have access to the entire /60! What I have learned from getting IPv6 on AT&T and Comcast network is to mix dynamic and static subnets i.e. let the client communicate with the ISP and initiate routing and assign static addresses to the VLANs on my network. Since the subnet assignment does not appear to ever change unless there is a MAC change, it is much more stable than the dynamic assignment of addresses which is the default behavior for the Mikrotik.

vikinggeek · Thu Jul 11, 2019 10:55 am

I'm still stuck on the 802.1X question. To simply the issue, I'm looking for a solution to the following sequence:
(the Residential Gateway (RG) is attached to port A, the ONT to port B, and whatever network you have is routed over the bridge)

The RG initiates a 802.1/X EAPOL-START from port A.
If the packet matches an 802.1/X type (which is does), it is passed to the ONT interface. If it does not, the packet is discarded. This prevents our RG from initiating DHCP.
The packet is then bridged through ROS to the ONT port B
The ONT should then see and respond to the EAPOL-START, which is passed back through ROS to the RG. At this point, the 802.1X authentication should be complete
The MAC address of the RG is spoofed on the bridge and the ROS DHCP clients (IPv4 & IPv6) request a DHCP lease from the ONT

I'm hoping that the 802.1x support in 6.45.1 will allow processing of the EAPOL-START packet, but I understand that there is a challenge since both the RG and the bridge potentially have the same Mac address. Today we achieve this by disabling the RG port and then clone the MAC address onto the bridge before a DHCP request is issued.

Any pointers would be appreciated.

tomm · Tue Jul 30, 2019 5:51 am

Hi all! I have AT&T fiber and I'm in need a new router and was wondering about Ubiquiti Edgerouter 4 vs a Mikrotik RB3011 (yes I realize this is a Mikrotik forum).

I have a rackmount server on my home network I use for development, like a workstation. I don't want to use it as a router in case I need to shut it down or something.

So I'm looking for something that I can use as a VPN as well. Better than port forwarding.

Would the RB3011 get the full gig up/down? I know the ER-4 and even ER Lite have good bandwidth, but I can't find much about the RB3011... especially when it comes to AT&T fiber. You folks look like you have a good handle on it though

Big bonus if I can eliminate that AT&T router too! Thanks!

vikinggeek · Tue Jul 30, 2019 3:59 pm

We are standardized on the CCR line with UBNT APs, as this gives us the headroom we need on 1Gb/s. Firewall rules, VPNs, OSPF, etc. quickly adds up.

wojo · Thu Aug 01, 2019 1:57 am

I'm able to authenticate with the ONT using the dot1x 802.11x support on my CCR1009, just took disabling CRL, setting both the identity and anonymous identity to the MAC on the certs and then importing the entire cert chain. Probably can enable the CRL if the supplemental certs are there, not sure.

However... I cannot get dot1x to work on a bridged interface! This is necessary as that's how I strip the VLAN 0 tagged frames due to the 802.1p priority being set. It stops after the EAP exchange for identity, before the certs start flying over the wire.

You can see and pile on to my post regarding that specific feature being broken here: viewtopic.php?f=2&t=150700&p=742476

Once fixed or a workaround is found, it should be possible to have a complete solution without a switch chip and without having the RG even plugged in.

vikinggeek · Thu Aug 01, 2019 4:08 pm

@wojo - I saw your other post earlier and figured out that you made some progress THANK YOU! Did you also file a ticket with support?

wojo · Thu Aug 01, 2019 8:29 pm

@wojo - I saw your other post earlier and figured out that you made some progress THANK YOU! Did you also file a ticket with support?

I didn't, thought it wasn't provided to the built in license types after 30 days. I'll give it a shot though.

mejiacalle · Thu Aug 15, 2019 11:37 pm

Hello,

I am completely new to Mikrotik hardware and I have the PACE 5268AC (AT&T Fiber 1 Gig). Can someone please let me know the steps and Mikrotik hardware to get in order to bypass the AT&T gateway without impacting speed (apparently the PACE has a DMZ bug, that impacts the speed)? I have PACE 5268AC firmware 11.1.0.531418.

Thanks,

inmultec · Fri Aug 16, 2019 3:37 pm

First thing Iwould do is call ATT and tell them to send new modem an ask for a 210-700.. I did this because yes the Pace one slows down after some use and you gotta be rebooting it. I think the process would be the same though.

wojo · Fri Aug 16, 2019 4:19 pm

That's a good tip to get a the better router for sure.

I'm still working on the solution for Mikrotik, just need to get back to it have a lot of other things that popped up.

berzerker · Fri Aug 16, 2019 4:47 pm

I have successfully implemented the bypass method both to a stand-alone ONT (bypassing a BGW210) as well as using a SFP fiber module to a Ciena eMUX 5150 series (bypassing a NVG595) and it is running very well. Additionally, I have created a script that automates the startup in case of a reboot (e.g. running out of UPS power). Before I release the scripts (based heavily upon work by @pcunite, THANK YOU!) I would like to enhance the solution. I have two questions:

1) In v6.45.1 there is now support for 802.1x or dot1x. I found a solution for pfSense that allows the RD to stay connected at all times and provide the 802.1x authentication when the ISP e.g. sends a certificate update. https://github.com/aus/pfatt. Any suggestion how to achieve this in ROS?

2) On my network, I'm running IPv6 to support team members that cannot get static IPv4 addresses any longer. At the latest node, AT&T have implemented dual stack or native IPv6. The IPv6 address is assigned dynamically (appears to be tied to the base IPv4 address or MAC address), but has not changed for the entire time including replacing the BGW210. The address is not assigned via DHCP IPv6. I have taken the /60 found on the BGW210 and statically assigned the subnets including the router address (which in IPv4 world is assign by DHCP). However, I would like to let the Mikrotik obtain this address. I assume that registering the fe80:: address for the upstream router interface would be good enough(?), but how is the /60 subnet being detected? Any clues what is going on or how to find out?

Would it be possible for you to release what you have? I wouldn't need IPv6, but interested to see if your method is better than the original one posted.

mejiacalle · Fri Aug 16, 2019 10:06 pm

First thing Iwould do is call ATT and tell them to send new modem an ask for a 210-700.. I did this because yes the Pace one slows down after some use and you gotta be rebooting it. I think the process would be the same though.

Thanks for the recommendation! After obtaining the replacement modem, what hardware do you recommend? What do you have in your setup, note that I am just using INTERNET service. No need for TV or Telephone from AT&T.

Regards,

vikinggeek · Sat Aug 17, 2019 2:19 am

I have successfully implemented the bypass method both to a stand-alone ONT (bypassing a BGW210) as well as using a SFP fiber module to a Ciena eMUX 5150 series (bypassing a NVG595) and it is running very well. Additionally, I have created a script that automates the startup in case of a reboot (e.g. running out of UPS power). Before I release the scripts (based heavily upon work by @pcunite, THANK YOU!) I would like to enhance the solution. I have two questions:

1) In v6.45.1 there is now support for 802.1x or dot1x. I found a solution for pfSense that allows the RD to stay connected at all times and provide the 802.1x authentication when the ISP e.g. sends a certificate update. https://github.com/aus/pfatt. Any suggestion how to achieve this in ROS?

2) On my network, I'm running IPv6 to support team members that cannot get static IPv4 addresses any longer. At the latest node, AT&T have implemented dual stack or native IPv6. The IPv6 address is assigned dynamically (appears to be tied to the base IPv4 address or MAC address), but has not changed for the entire time including replacing the BGW210. The address is not assigned via DHCP IPv6. I have taken the /60 found on the BGW210 and statically assigned the subnets including the router address (which in IPv4 world is assign by DHCP). However, I would like to let the Mikrotik obtain this address. I assume that registering the fe80:: address for the upstream router interface would be good enough(?), but how is the /60 subnet being detected? Any clues what is going on or how to find out?
Would it be possible for you to release what you have? I wouldn't need IPv6, but interested to see if your method is better than the original one posted.

I'll put together something over the weekend. What config/instruction are you looking for; the one for Cienna or ONT? For the Cienna we feed the traffic via fiber directly to our CCRs via the SFP port. The ONT version is connected on the direct ethernet CPU port (ports 5-8). Both versions now support IPv6 (though we need to use 6to4 for the Cienna due to the config on the MUX)

vikinggeek · Sat Aug 17, 2019 2:25 am

First thing Iwould do is call ATT and tell them to send new modem an ask for a 210-700.. I did this because yes the Pace one slows down after some use and you gotta be rebooting it. I think the process would be the same though.
Thanks for the recommendation! After obtaining the replacement modem, what hardware do you recommend? What do you have in your setup, note that I am just using INTERNET service. No need for TV or Telephone from AT&T.

Regards,

I would stay away from either boxes (though the BGW210-700 seems to be better). As you can observe from these discussions, bypassing is the way to go. If you are on a 1G plan, CCR is probably what you are looking for to handle VPN, firewall rules, etc. You will also need to need some good quality APs for your WiFi. Most folks turn off the WiFi on the T supplied equipment as it lacks range and device compatibility.

technoredneck · Wed Aug 28, 2019 10:44 pm

Howdy folks. I've got this very bypass setup and working great on my CCR1009, but I can't for the life of me get the IPTV from Uverse to work any longer than around 10-20 seconds before freezing. I've taken a look at several of the links in this thread and I've tried all manners of new firewall rules, but none seem to help. Anybody have any specific suggestions?

***Update***
I've got the IPTV working now, but I think I need to tighten up the firewall rules a bit still. Ultimately, I'd like to get all of the IPTV stuff in my home segregated on it's own VLAN, but I've got several of the wireless TV Receivers...so that gets things more complicated than they already are. Thanks anyway guys for all of the info in this thread!

robbz · Wed Sep 11, 2019 1:46 am

Hey everyone!

I guess I haven't really said anything in this thread, but I used these instructions (slightly modified) to get my RB4011 up and running without the BGW. It was running just fine for about a month - and I've gotten some serious speeds (1Gbps/1Gpbs easy) through the RB4011, with like 10% cpu use. Good stuff, just proves you don't need anything more powerful (I have a CCR1009-8G-1S-1S+ sitting and collecting dust, got it for some testing purposes a couple of years back and didn't realize I had it still until I've already got the 4011 installed and running.

Anywho, to the issue I am having the past day. Connection cut out, and had to restart RB, ONT and BGW, a couple of hours after, same thing happen - and seems to be happening multiple time/day. I don't know if anyone else had any of this happen the last day - but here I am.

So, I was thinking, it might be time to work out a way to forward all auth/cert requests to the BGW, not just during startup, meaning this would - no matter what - always respond and continue working. Has anyone been working on this? If so, I am willing to work together to get this completed/resolved. If not, anyone has some insight to how this is handled by AT&T/BGW RG? Before I start dumping traffic and looking...

robbz · Wed Sep 11, 2019 1:59 am

Ok, so I read through the full thread and man, there's already two people working in this. vikinggeek and wojo. Did you guys ever put anything togethers? Should we combine forces to get this resolved - one and for all?

vikinggeek · Wed Sep 11, 2019 2:41 am

Apologize for the lateness posting my scripts (been traveling for the past few weeks). The script I use will automatically reboot the router if it detect loss of connectivity. Will post soon (promise)

@robbz: Regarding the problem you describe, I had something similar happening in July. It turned out to be the fiber connector going into the ONT. The tech concluded that the "crimp on" connector was to blame, (old school guy) replaced the connector with the true and tried epoxy glue method connector. No problem since then. He got the hint due to the very high error rate on the fiber.

robbz · Wed Sep 11, 2019 6:45 pm

Vikinggeek, thanks for the update.

I was thinking something like pass through all auth packets no matter when - or - just move the auth to the RB. Anyone with insight into how the auth works?

vikinggeek · Wed Sep 11, 2019 7:48 pm

The authentication method is fairly well known by now. There is a nice solution for pfSense. https://github.com/aus/pfatt. For this to work:

802.1x from a bridge has to be working. See @wojo post viewtopic.php?p=742598 (Everybody should +1 that thread)
You need to get hold of a certificate. (Google is your friend)

The longer term solution is for T to let us connect directly to the ONT/eMux without the legacy DSL auth mechanism. I'm working on that to

robbz · Wed Sep 11, 2019 11:14 pm

Gotcha, yeah, I spent some time reading all this through last night too.

The certificate is hard coded on the BGW. Seems there's a tool that we can use to extract that: https://www.devicelocksmith.com/2018/12 ... g-and.html

There are a lot of people that has this down and working on Ubiquiti routers.. We should be able to do the same. Also another thread related: viewtopic.php?t=147901

robbz · Wed Sep 11, 2019 11:39 pm

Another post that sucessfully done this without using "pfatt" on pfsense. https://www.dslreports.com/forum/r32474 ... -w-PFSense

I will need to research more to come up with anything. Either way - where did you find a cert for bgw210? I think I'll end up extracting. BTW: are these not specific to the devices/mac?

wojo · Sun Sep 15, 2019 1:16 am

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.

robbz · Sun Sep 15, 2019 8:12 am

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.

Does that mean you successfully do auth through RB and have the certs installed on the RB?

Seems the dot1x is what we need, just haven't tried it yet. I have certs now that I can use so definitely want to try it but since my internet connection is being used by the whole household - I may need to switch back to my old connection and a different router before I move forward with this.

wojo · Mon Sep 16, 2019 4:57 am

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.
Does that mean you successfully do auth through RB and have the certs installed on the RB?

Seems the dot1x is what we need, just haven't tried it yet. I have certs now that I can use so definitely want to try it but since my internet connection is being used by the whole household - I may need to switch back to my old connection and a different router before I move forward with this.

Correct, the certs do authenticate but I'm unable to get traffic to also go at the same time unless I change how it is bridged. I'm going to continue to bang on this.

robbz · Wed Sep 18, 2019 2:08 am

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.
Does that mean you successfully do auth through RB and have the certs installed on the RB?

Seems the dot1x is what we need, just haven't tried it yet. I have certs now that I can use so definitely want to try it but since my internet connection is being used by the whole household - I may need to switch back to my old connection and a different router before I move forward with this.
Correct, the certs do authenticate but I'm unable to get traffic to also go at the same time unless I change how it is bridged. I'm going to continue to bang on this.

Sounds interesting. Do you have a config you can share?

robbz · Wed Sep 18, 2019 2:11 am

btw, saw in this thread: viewtopic.php?f=2&t=150700&p=749673#p749673

That you're able to auth on a bare interface but not if interface is part of a bridge. Just for curiosity sake - why does it need to be part of a bridge?

shiromar · Mon Sep 23, 2019 1:28 am

Just moved from a fios market to a t market. I was using an rb3011 and maxing out the 1g. Reading over this thread is it safe to assume that if I wanted to plug directly to the ont, I should consider a different router?

vsixnetworks · Sat Sep 28, 2019 2:27 am

I have got authentication working (green light until 180sec is up) but cannot, for the life of me, get DHCP-Client to pull an address. I thought it may have been the RG (BGW210-700) stealing my ACK before the MikroTik was finished booting, so I set it in IP Passthrough (manual/static allocation) and each time see “Broadband UP, No IP address) on the modem during the 180 seconds.

Running a CCR1009. Only changes I made to config were eth1 = combo1 and eth2 = eth1 since I’m running a CCR rather than a RB.

Any ideas?? I have a static allocation but I can’t find a next-hop. AT&T documentation says the last address in the /29 should be RG and the remaining usable addresses are assignable. No room for a Default-Gateway?

vikinggeek · Sat Sep 28, 2019 2:38 am

You need to make sure that the BGW first has DHCPv4 working. The address obtained from the OLT (CO equipment) is a "dynamic" address that is actually bound to your profile and acts more like a static address.

I've assigned the static addresses given by AT&T (/29) to a VLAN and connect my fixed address gear to this. Since the OLT routes all the static traffic via the "dynamic" address you get full control and in fact gain an IP address since the router does not need to take up one of the static addresses.

However, all this is dependent upon that the RG is getting the "dynamic" IP address via DHCP. The MAC swap will not work unless this is possible. The DHCPv6 call typically takes a little longer, but you will get the link local address (fe80) eventually. The exception to this is when you are behind an eMUX (not ONT) where you have to do a 6-to-4 configuration.

Hope this helps.

vsixnetworks · Sat Sep 28, 2019 2:49 am

You need to make sure that the BGW first has DHCPv4 working. The address obtained from the OLT (CO equipment) is a "dynamic" address that is actually bound to your profile and acts more like a static address.

I've assigned the static addresses given by AT&T (/29) to a VLAN and connect my fixed address gear to this. Since the OLT routes all the static traffic via the "dynamic" address you get full control and in fact gain an IP address since the router does not need to take up one of the static addresses.

However, all this is dependent upon that the RG is getting the "dynamic" IP address via DHCP. The MAC swap will not work unless this is possible. The DHCPv6 call typically takes a little longer, but you will get the link local address (fe80) eventually. The exception to this is when you are behind an eMUX (not ONT) where you have to do a 6-to-4 configuration.

Hope this helps.

I did verify that the RG is obtaining a DHCPv4 and v6 (native) address. The CCR is not, unfortunately. Would you mind sharing with me (privately) your configuration for your static block? I understand the theory but am brand new at Tik. Got my first device, CCR, today.

vsixnetworks · Sat Sep 28, 2019 3:06 am

You need to make sure that the BGW first has DHCPv4 working. The address obtained from the OLT (CO equipment) is a "dynamic" address that is actually bound to your profile and acts more like a static address.

I've assigned the static addresses given by AT&T (/29) to a VLAN and connect my fixed address gear to this. Since the OLT routes all the static traffic via the "dynamic" address you get full control and in fact gain an IP address since the router does not need to take up one of the static addresses.

However, all this is dependent upon that the RG is getting the "dynamic" IP address via DHCP. The MAC swap will not work unless this is possible. The DHCPv6 call typically takes a little longer, but you will get the link local address (fe80) eventually. The exception to this is when you are behind an eMUX (not ONT) where you have to do a 6-to-4 configuration.

Hope this helps.
I did verify that the RG is obtaining a DHCPv4 and v6 (native) address. The CCR is not, unfortunately. Would you mind sharing with me (privately) your configuration for your static block? I understand the theory but am brand new at Tik. Got my first device, CCR, today.

Just now understood what you were saying. Your static block is a separate VLAN off to the side which is routed via the dynamic address learned via DHCP. Great. Will bang my head against this for a while longer tonight.

vikinggeek · Sat Sep 28, 2019 3:10 am

There is not much to it regarding configuration of the static block:
1) Create the bridge for the internal networks
2) Create a VLAN and name it whatever you want
3) Assign the AT&T provided subnet addresses to the VLAN
4) Create firewall rules to let whatever traffic you want to go to the static IP devices e.g. http/s
5) Create a srcnat rule that accepts the static traffic and not send it through your masquerade/nat table.

I'm still working on a pdf with the full explanation of all this. However, if you are behind an ONT, the original write up indicates using a VLAN on the WAN side. This is not correct for a residential ONT configuration (applies only in the eMUX case).

Here's the part that runs when the router boots ( I've also have scripts that verify every 5 minutes that it is working) (This script needs cleanup using variables for easier maintenance)

# OnRebootATT_WAN

:log info "Script: Starting OnRebootATT_WAN";
:delay 1

:log info "Script: Enable Virtual switch for ONT port and ATT GW";
/interface bridge set bridge-att-wan auto-mac=yes pvid=1

:log info "Script: Ensure ATT GW port (ether7) is visible to ONT";
/interface ethernet enable e7-ATT-Modem

:log info "Script: Sleep for 2 minutes to allow fiber and ATT GW time to sync";
:delay 120

:log info "Script: Ensure ATT GW is NOT visible to ONT";
/interface ethernet disable e7-ATT-Modem

:log info "Script: Bridge interfaces fiber";
/interface bridge set bridge-att-wan admin-mac=<your BGW MAC> auto-mac=no
:log info "Script: Authentication and sync complete";

vsixnetworks · Sat Sep 28, 2019 6:22 pm

There is not much to it regarding configuration of the static block:
1) Create the bridge for the internal networks
2) Create a VLAN and name it whatever you want
3) Assign the AT&T provided subnet addresses to the VLAN
4) Create firewall rules to let whatever traffic you want to go to the static IP devices e.g. http/s
5) Create a srcnat rule that accepts the static traffic and not send it through your masquerade/nat table.

I'm still working on a pdf with the full explanation of all this. However, if you are behind an ONT, the original write up indicates using a VLAN on the WAN side. This is not correct for a residential ONT configuration (applies only in the eMUX case).

Here's the part that runs when the router boots ( I've also have scripts that verify every 5 minutes that it is working) (This script needs cleanup using variables for easier maintenance)
Code: Select all
# OnRebootATT_WAN

:log info "Script: Starting OnRebootATT_WAN";
:delay 1

:log info "Script: Enable Virtual switch for ONT port and ATT GW";
/interface bridge set bridge-att-wan auto-mac=yes pvid=1

:log info "Script: Ensure ATT GW port (ether7) is visible to ONT";
/interface ethernet enable e7-ATT-Modem

:log info "Script: Sleep for 2 minutes to allow fiber and ATT GW time to sync";
:delay 120

:log info "Script: Ensure ATT GW is NOT visible to ONT";
/interface ethernet disable e7-ATT-Modem

:log info "Script: Bridge interfaces fiber";
/interface bridge set bridge-att-wan admin-mac=<your BGW MAC> auto-mac=no
:log info "Script: Authentication and sync complete";

I ended up getting it to work last night. Your script gave me some insight as to what the issue was. For some reason PCUnite's script didn't work off the bat for me, I had to manually remove the "admin-mac" from the BRIDGE_WAN during authentication phase. Once the 180 seconds is up, and the port is disabled, manually add the "admin-mac" to the BRIDGE_WAN and it picks up a v4 address instantly. However, I am unable to get it to pull a v6 address. It did once, but without prefix. I added the with prefix /60 arguments and can't get it to pull anymore - even if I revert back.

I have a feeling this may be a DUID issue? It cannot be manually set on Tik, apparently, and mine has decided to use the burned-in mac address of the combo1 port.

vikinggeek · Sat Sep 28, 2019 10:57 pm

No issues with the DHCPv6 on my end. Been running IPv6 for almost two years. Have you checked the "Rapid Commit" in the DHCPv6? I have it enabled, and I only ask for prefix (and I don't provide a hint). I've seen some instances where the OLT provides a 2001 address to the WAN interface. You should only have a link local address fe80 that your CCR use to route back to the CO.

Pls check in your routing table that you see ::/0 (default route) associated with the link local address.

vikinggeek · Sat Sep 28, 2019 11:02 pm

You should also check your BGW status page to make sure that you are in an area where you have dual stack IP. In my area you will find both dual stack and 6RD. If you are in a 6RD, you need to configure the 6-to-4 interface on the Mikrotik.

vsixnetworks · Sun Sep 29, 2019 4:40 am

No issues with the DHCPv6 on my end. Been running IPv6 for almost two years. Have you checked the "Rapid Commit" in the DHCPv6? I have it enabled, and I only ask for prefix (and I don't provide a hint). I've seen some instances where the OLT provides a 2001 address to the WAN interface. You should only have a link local address fe80 that your CCR use to route back to the CO.

Pls check in your routing table that you see ::/0 (default route) associated with the link local address.

I'm not able to take the internet down tonight, but I will check first thing tomorrow morning what the BGW (RG) is receiving. I do have a link-local address but it's just an EUI-64 - no route in the routing table. I know the one time my CCR pulled an address, it was a 2001 address on the BRIDGE_WAN. No prefix included. That's when I modified the request and have been broke since.

Here's an export of my IPv6 config and status of a few things. Thanks for all your help, by the way.

[admin@MikroTik] /ipv6> export
# sep/28/2019 21:32:52 by RouterOS 6.45.6
# model = CCR1009-7G-1C
/ipv6 dhcp-client
add add-default-route=yes interface=BRIDGE_WAN pool-name=pool_LANv6 \
    pool-prefix-length=60 request=prefix
/ipv6 firewall filter
add action=accept chain=input comment="Allow established related" \
    connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=BRIDGE_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmpv6
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new \
    in-interface=BRIDGE_LAN
add action=drop chain=forward comment="Drop all other forward"
add action=accept chain=input comment="Allow established related" \
    connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=BRIDGE_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmpv6
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new \
    in-interface=BRIDGE_LAN
[admin@MikroTik] /ipv6 address> print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
 #    ADDRESS                                     FROM-POOL INTERFACE   ADVERTISE
 0 DL fe80::ca52:61ff:fe60:cc51/64                          BRIDGE_WAN  no       
 1 DL fe80::764d:28ff:fec7:6b5f/64                          BRIDGE_LAN  no       
[admin@MikroTik] /ipv6 dhcp-client> print
Flags: D - dynamic, X - disabled, I - invalid 
 #    INTERFACE                    STATUS             REQUEST                    
 0    BRIDGE_WAN                   searching...       prefix                     
[admin@MikroTik] /ipv6 route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable 
 #      DST-ADDRESS              GATEWAY                  DISTANCE

vsixnetworks · Sun Sep 29, 2019 5:37 am

You should also check your BGW status page to make sure that you are in an area where you have dual stack IP. In my area you will find both dual stack and 6RD. If you are in a 6RD, you need to configure the 6-to-4 interface on the Mikrotik.

Nevermind, I got it. Must have been a firewall rule blocking DHCPv6, because I removed them all and instantly pulled an address. I specified address + prefix (/60) [no hint] for those looking at this in the future. The address that I got assigned on the BRIDGE_WAN was a 2001:: address that only made it about two hops out, for whatever reason. I disabled the address request and just assigned a /64 out of the /60 to my BRIDGE_LAN and enabled advertisement for the LAN clients.

Everything is running smoothly now from what I can tell. No issues besides the fact I only get about 300Mbps down, while ~900Mbps up - for some reason. Any suggestions? I wasn't able to get the "/interface ethernet switch" commands to work on my CCR1009. Says something about "input does not match any value of port".

vikinggeek · Tue Oct 01, 2019 2:49 am

The address that I got assigned on the BRIDGE_WAN was a 2001:: address that only made it about two hops out, for whatever reason.

My understanding is that AT&T uses the 2001:: address for some of the set top box communication. Your observation is correct, it does not go outside AT&T's network and is useless as a global address.

No issues besides the fact I only get about 300Mbps down, while ~900Mbps up - for some reason.

I would not have been happy if I only got 300Mbps on a 1Gbps plan

I've had the same problem and it has often come down to two issues. You will need to get a site tech to come out:

Bad fiber connector - most techs are using the clamp on connector. After a couple of ONT changes, it does not hold up. Make sure that the tech uses the glue kit. If this is the problem, the tech should be able to see a high error rate when diagnosing from the PFP
Problems in the CO, particularly with the OLT. Not common, but when it happens, prepare to spend a lot of time diagnosing the issue. You need to have the tech onsite communicating with the NOC, talking to the #800 is pointless in this situation. If you stay calm, the AT&T people in the NOC in TX are first rate and really nice working with.

For the speed issue, you will need to connect your BGW and have a modern laptop/PC with a CAT6 cable connected. You also need to demonstrate the problem using AT&T's speed test http://speedtest.att.com/speedtest/

I wasn't able to get the "/interface ethernet switch" commands to work on my CCR1009.

Not sure why you would mess with the switch chip on the CCR1009. If you look at the block diagram, the switch is constrained by a 1Gbps path i.e. the 4 ports must share 1Gbps! Try instead one of the excellent 10G SFP+ cables to link up with a good switch and let the CCR1009 be the excellent router it can be.

rockum · Wed Oct 02, 2019 3:17 am

I would love to try pcunite's method, but I had a few noob questions regarding customizing his config file.

Could I use 10.10.10.1 as the MikroTik LAN address? The AT&T modem/gateway did not allow it. (I don't have TV or phone).

I have a server that gets quite a good bit of traffic from a small IP range and that throws up DOS attack triggers that are causing problems with the AT&T device. Is that something that I can whitelist on the MikroTik? I would like that address to be 10.10.10.3 and have most if not all incoming traffic routed to it (route indicated in blue in diagram). I generally use DMZ with the internet service provider routers I have used in the past. I am in the process of upgrading and migrating the content to a newer server, so it also needs to have some incoming traffic allowed for testing.

The Ethernet runs drawn with orange lines are long runs to other parts of the house. I could not easily run more lines to those spots. is using multiple switches in the path ok?

I also read about fast track and wondered what it was and if I needed to modify the config file pcunite posted to use it.

Thanks for any advice in advance.\

vikinggeek · Thu Oct 03, 2019 9:53 am

This thread is mainly for discussions about how to bypass the AT&T residential gateways (RGs). General configuration questions are probably better handled in other treads.

Could I use 10.10.10.1 as the MikroTik LAN address? The AT&T modem/gateway did not allow it. (I don't have TV or phone).

All the suggested bypass solutions relies on using a bridge. The addressing scheme for the LAN or VLANs is chosen by the user, so yes.

I have a server that gets quite a good bit of traffic from a small IP range and that throws up DOS attack triggers that are causing problems with the AT&T device. Is that something that I can whitelist on the MikroTik? I would like that address to be 10.10.10.3 and have most if not all incoming traffic routed to it (route indicated in blue in diagram). I generally use DMZ with the internet service provider routers I have used in the past.

The whole point of bypassing the RG is to avoid the situation you are describing, and more.

My recommendation for hosting servers is to buy one or more static IP addresses and configure a separate VLAN with this IP range. Since your account profile in the OLT and routing is using a separate "dynamic" address, you will gain one IP address and have complete control over the traffic to this external network segment via the firewall rules in ROS.

The Ethernet runs drawn with orange lines are long runs to other parts of the house. I could not easily run more lines to those spots. is using multiple switches in the path ok?

LAN side question, not relevant for this thread, but yes.

I also read about fast track and wondered what it was and if I needed to modify the config file pcunite posted to use it.

Again, not specific to this thread, but yes, your router will perform better.

rockum · Mon Oct 07, 2019 7:08 pm

Thanks @vikinggeek. My whole reason for working on this is to bypass the RGW. Sorry if I had a few side questions and misunderstandings. I'm not there yet, but understand Router OS a bit better after a few hours of watching youtube videos and reading more posts.

rockum · Mon Oct 07, 2019 7:10 pm

@vsixnetworks,

Last night I had things working for about an hour, but after a reboot, I coudln't get the RB2011 to pull an IP. It seems like a similar situation to what you described.

I am trying to understand the interaction between your configuration and script. If I understood correctly you posted a scheduled script that runs at boot. Do you use pcunite's configuration unaltered? Is the boot script alone fixing the problem or did you also need to edit the configuration? If you did need to alter the configuration, could you post that as well?

I also wondered what order you powered on your devices. Thanks.

anav · Mon Oct 07, 2019 7:55 pm

My Bell gig fibre does not automatically connect either, when it gets a new Gateway/IP address.
It connects from a DHCP client perpsective but NOT from the routing perpspective.
I have to go into DHPC Clienty Status, pull the new gateway IP and then put that gateway IP into my IP route rules.

vikinggeek · Mon Oct 07, 2019 9:09 pm

Seems like there are a few things going on here....

1) The problem previously discussed in the thread regarding DHCP pertains only to IPv6 (it seems to sometimes be slow). In Northern California, your IPv4 address is assigned through the OLT (there are some older equipment that uses Radius) and it will stay "fixed" unless your profile is forcibly rebuilt. I know other regions uses different topologies. Regarding the router not picking up the DHCP client assigned address, my guess is that the "Add default route" flag is set to "no". If I have multiple ISPs, it is set to "no" and I manage the routing via policy. In single ISP scenarios, it is always set to yes.

2) The main script runs at boot, but I've learned (the hard way) that this is not sufficient since the fiber connection can temporarily be interrupted for all sorts of reasons. I therefore run a separate script kicked off every 6 minutes by the scheduler. It tries to contact a public DNS server, if not successful after 5 minutes, it reboots the router. I've seen improvements on this script to use multiple IP addresses, but this has so far worked for me:

# Begin Setup
local emailAddress "youremail@email.com"
local pingServer 9.9.9.9
# End Setup

:if ([/ping $pingServer interval=5 count=60]=0) do={
    /tool e-mail send to="$emailAddress" subject=" Rebooted $[/system identity get name] $[/system clock get time] $[/system clock get date]" body="Ping server could not be contacted for 5 minutes";
    log info "my ping watchdog is down";
    /system reboot
} else={
    log info "my ping watchdog is up"
}

vsixnetworks · Wed Oct 09, 2019 7:36 am

Anyone have any experience with this sort of configuration, but with a CRS upstream? I'd like to put a CRS in my demarc closet, terminate the ONT to the switch, and pass that connection through another port that's uplinked to my CCR.

Any suggestions due to the vlan filtering?

Thanks,
Chris

nitrag · Tue Oct 15, 2019 4:54 am

Similar to vsixnetworks, I'd like to know if using a RB260GS would be possible. My fiber run is too short to reach my rack. So the RB260GS would just act the dumb switch and 4011 would do all the work? Or would you need a CRS106?

Untitled Diagram (1).jpg

vikinggeek · Tue Oct 15, 2019 8:26 am

If you are on a residential fiber network, it is most likely GPON architecture. To interface any MT equipment, the only solution afaik is to get a GPON SFP module. I have not come across such a module, but in parts of Europe and Canada it is obtainable from third parties. The discussion about configuring the module you can find hereviewtopic.php?t=116364.

One option is to connect the fiber to the ONT and go with an ethernet cable from there. The normal limitations for length applies as it is normal ethernet. Alternatively, you can install your own fiber extension (I belive the connectors are LX type). If you are in a commercial building behind an eMux (e.g. Cienna), you can use a standard SFP fiber module like a 1.25G 1310nm (we use S-31DLC20D) and be directly on the fiber.

My suggestion is to put the router and the RG (e.g. BGW210-700) as the first hop. Hopefully, we soon are able to figure out how to permanently disabling the RG, but the ONT is probably going to be with us for awhile.

vsixnetworks · Tue Oct 15, 2019 4:41 pm

I can see how my post could have been misinterpreted, so for clarity: I'm not trying to bypass the ONT, or buy a GPON SFP module.

All of the CAT5 runs for my apartment lead to the same small utility closet that the ONT is mounted in. There is only room for one device; for now it is my CCR1009. I'm looking at putting a switch in this spot instead so that I may: a) gain a few more ethernet ports and b) do some proper VLAN'ing. A third potential gain would be PoE out, but I don't think any of the CRS fit the bill in that department.

vikinggeek · Tue Oct 15, 2019 9:56 pm

@vsixnetworks - VLAN is your friend since it's layer 2 and you can send anything over it including other VLANS. Create a port on the switch with ingress of a VLAN number of your choice (in the 100's is probably best) where you connect the ONT. Then create a trunk port that you send all the traffic and connect your CCR. The bridge in the CCR will take care of the rest. More detailed instructions about how to configure VLAN can be found here: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN and here: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

For PoE, have you looked at CRS328-24P-4S+RM? Unfortunately, ROS does not support LLDP-Med and until it does we are forced to use a different switch manufacturer.

archerious · Tue Nov 26, 2019 12:52 pm

I really wish their was a script or some detailed way to do this method. One advantage the Ubiquiti crowd has is their medium article on the bypass is so detailed. I'd kill for such a guide with a CCR1009 or RB4011.

With my ER4 I am getting roughly 780/710mbps.

archerious · Fri Nov 29, 2019 9:02 am

Good news folks, you don't need anything else but a MikroTik to bypass the AT&T supplied Residential Gateway (ATT RG). No separate hardware needed!

The one downside (not really) is that the CPU is involved. Because the RB4011 uses the RTL8367 switch chip, it does not have a Rule table. I have a 100Mbps fiber plan which is no trouble for the 1.4Ghz CPU. Please test with your 1Gbps plan.

This working sample also has automatic recovery from power loss too!

A complete working, start to finish, example. Instructions and step by step included.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway (BGW210-700 and friends) Bypass using only a single MikroTik. No
# separate hardware or switch needed. Automatic recovery from power loss feature too.
#
# Tested with: RouterOS 6.43.8 on the RB4011
#
# Date: 1-25-2018
##################################################################################################

##################################################################################################
# HOW TO:
#
# 1) Reset MikroTik (/system reset-configuration)
#
# 2) Boot MikroTik first and then apply this config file.
#
# 3) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 4) Reboot the MikroTik to start automatic ATT RG and ONT sycing.
##################################################################################################

# Create two bridges. One for your network and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
# Recall that we don't have a separate switch, the MikroTik is the switch!
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Will want a firewall, naturally
/interface bridge settings set use-ip-firewall=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client for the ATT ONT to provide your IP address to
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Setup automatic recovery from power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add action=accept chain=input comment="Allow established related" connection-state=established,related
add action=accept chain=input comment="Allow LAN" in-interface=Bridge_LAN
add action=accept chain=input comment="Allow Ping" protocol=icmp
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Allow established related" connection-state=established,related
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface=Bridge_LAN
add action=accept chain=forward comment="Allow port forwards" connection-nat-state=dstnat in-interface=Bridge_WAN
add action=drop chain=forward comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

Example rule table switching for better performance. If your hardware supports it.

# Example rule table switching for better performance.
/interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
/interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Thank you so much for this guide, I did it with my RB4011. It works great, only difference is I replaced Bridge_LAN with sfp-sfpplus1.

I have some questions though, with Ubiquiti the BGW210 would have a solid green power and no other lights on, however mine has a solid red light on broadband and a green power. Is their a chance it could still cause issues? I ask because when I used this on a CCR1009 in the past the connection would go out once or twice a day, while with the Edgerouter 4 the internet went over a month with no downtime. I used Observium and UNMS to check every five seconds for WAN downtime and for UNMS to ping 8.8.8.8 every ten seconds on the Edgerouter 4.

So far the RB4011 is doing really well though.

Thank you again for your work, you should provide a donation link for those of us that benefited and want to give back.

Cheers,
Tom.

Speedtest with RB4011 bypassing AT&T BGW210 Gateway:

jack2020 · Mon Dec 16, 2019 12:34 am

Hi, to all in the forum. I have the Mikrotik CRS109-8G-1S-2hNd, with at&t fiber. The script works perfectly with at&t fiber and I received the IP address from the provider the IPV4 and IPV6. But I have one problem with my connection, my Internet is 300MB, but when I make a speed test I only received 120MB, and the CPU is 100%. When I place the at&t modem in bypass mode and the Mikrotik with default configuration I received 364MB. My question is, do I need to replace my Mikrotik with another model better than the one that I actually have? Any special configuration or script for this Mikrotik model? Thanks with any idea.

pcunite · Mon Dec 16, 2019 5:27 pm

I have the Mikrotik CRS109-8G-1S-2hNd, with AT&T fiber. The script works perfectly ... I have a problem with my connection. My Internet service is 300MB, when I do a speed test I only received 120MB, and the CPU is 100%.

The CRS109 is very under-powered and you will need to consider something like the RB4011.

jack2020 · Tue Dec 17, 2019 5:34 am

Thanks for the info, I need to buy a new one. Any progress with the wpa_supplicant to remove completely the use of the at&t modem?

pcunite · Thu Dec 19, 2019 8:31 pm

Thanks for the info, I need to buy a new one. Any progress with using wpa_supplicant (Dot1x) to completely remove the use of the AT&T RG gateway?

Yes, I have it working now. I will make a new thread showing how to do this.

pcunite · Fri Dec 20, 2019 7:37 pm

Please read my new article on this subject. This thread is no longer current.

Amm0 · Fri Dec 20, 2019 10:37 pm

@pcunite,
Great article. I've followed this thread for a while...writing down the cleaverness here isn't easy.

I'd suggest adding a third option of getting a /29 public IP block (5 IPs) from AT&T to the article. This solution has worked well for me - with the key being to use "Public Subnet Mode" with "Allow Inbound Traffic" enabled on the RG that's singularly connected to a Mikrotik. I can't say for it's not doing any connection tracking but there isn't any firewall or NAT for sure - but my Mikrotik with public IP seems to get full speeds and not have any ports blocked. To be clear, "Public Subnet Mode" is NOT same as "IP passthrough" or "Cascaded Router" features - those must use the RG's firewall.

Anyway the option may be worth mentioning. I'd rather use the ONT directly myself, but the contortions needed, and added complexity, may not be for everyone. $5/month solved it well enough for me.

p.s.
On my RG under "Home Network", "Subnets/DHCP" there the help describes the options as (both enabled in my case):

Public Subnet Mode: Using a public subnet means that IP addresses assigned to LAN clients will be public addresses.

Allow Inbound Traffic: When enabled, connections to LAN-side devices are allowed to be initiated from the WAN side. This opens the LAN devices on the Public Subnet to potentially malicious traffic, so care should be taken to ensure the LAN-side devices are properly protected. (Firewall-enabled)

To be clear, you need to have a /29 block of static IPs on the AT&T fiber account the use this mode however.

pcunite · Fri Dec 20, 2019 10:53 pm

@pcunite,
Great article. I've followed this thread for a while ... writing down the cleverness here isn't easy.

I'd suggest adding a third option, that of getting a /29 public IP block (5 IPs) from AT&T and adding that to the article. This solution has worked well for me - with the key being to use "Public Subnet Mode" with "Allow Inbound Traffic" enabled on the RG that's singularly connected to a MikroTik ... Anyway the option may be worth mentioning. I'd rather use the ONT directly myself, but the contortions needed, and added complexity, may not be for everyone. $5/month solved it well enough for me. To be clear, you need to have ordered a /29 block of static IPs on the AT&T fiber account the use this mode.

Interesting, I did not know that was an option (or if I did, in all the research, forgot about it). This still requires the ATT RG to be powered on, correct? Yes, because it is ONT <-> ATT RG <-> MikroTik? The spirit of the article is about being able to power down the ATT RG, however, you're idea has merit. After all, the whole point in the beginning was to find a true bride mode! Haha.

If you would like to have only a MikroTik on your network, I'll help you get there.

wojo · Sun Dec 22, 2019 3:03 am

With the momentum from pcunite, I did post my setup to his new cleaner thread: viewtopic.php?f=23&t=154954&p=766284#p766284

tl;dr is that I still have the VLAN 0 problem, but it is mitigated by a script I wrote to manage the bridge interface based on dot1x status.

rockum · Tue Dec 24, 2019 8:04 am

Think the RB2011 could handle gigabit fiber?

mkx · Tue Dec 24, 2019 8:46 am

Think the RB2011 could handle gigabit fiber?

In short: not really.

There are reports that RB2011 can route almost Gbps if WAN is "straight" IP as well and if firewall filter rules are next to none. However, if one runs realistic firewall filter rules, then routing speed drops down to less than half a gig and if WAN is not "straight" IP (e.g. if it's PPPoE or tagged VLAN or ...) the throughput drops even further.

Who is online