pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:27 pm

Title:
Bypassing AT&T Residential Gateways with MikroTik

Welcome:
If you have AT&T FTTH service and would like to use your MikroTik hardware to its fullest potential, this article is for you. Discover how to connect directly to the Fiber ONT device, bypassing other middleware hardware. The AT&T provided Residential Gateway, aka the ATT RG router, might be one of: BGW210-700, BGW320-505, NVG589, NVG599, 5268AC, or any new models that might come out. These devices do provide value and are required if using VoIP service (IPTV requires IGMP-Proxy). For pure Internet only service, however, the gateways are not needed.

Why Bypass?
When it comes to a network rack or data closet, it is very frustrating to be forced into adding unnecessary hardware which will only take up space, use more power, generate heat, and become a point of failure in the network. Also, the best firewall and NAT device is a MikroTik! We want it to be the first thing that a packet must traverse. In this article we show you how to do just that. Note that at all times we respect the AT&T network. This does not enable features you didn't pay for. This article is a benefit to their subscribers. Not everyone is incapable of managing their own on-premises equipment. AT&T has allowed this method to exist for those who are responsible with it.

Hardware and Software requirements:
Faster hardware usually results in a better experience. If you have 1GB Fiber service or higher, consider using the RB4011, RB5009, CCR2004*, or other higher end models. The configurations presented here were tested with the RB4011 on DHCP residential service. The recommended RouterOS firmware for any model should be version 6.48.6+ or 7.6+.

Bypass Methods:
There are two methods presented here, known as the Bridge Method and the Supplicant Method. These are explored in detail in the posts below. Choose the method that best meets your needs and application. A lot of individuals have contributed to this effort, resulting in what we have today, including: devicelocksmith, aus, brianlan, maczrool, wojo, and others. Note that some ATT locations are being upgraded to XGS-PON; the bypass methods shown here will not work there.

Technical Overview:
The nature of how this works is a little more technical than perhaps what you're used to dealing with. I will largely repeat what aus has already written, but making changes to suit this article. Essentially, in a stock setting with the ATT RG as the first and only device connected directly to the Fiber ONT, we have:

  • ATT RG boots up
  • Initial traffic to the ONT uses the 802.1X standard: EAP over LAN (EAPOL) frames carrying the EAP-TLS authentication method. This is a fancy way of saying that a unique client certificate and private key stored on the ATT RG are used to request authorization to connect and pass standard packets beyond the ONT.
  • After authentication, the Fiber ONT device sends Ethernet frames as priority-tagged frames (sometimes called Cisco priority tagged frames). These carry a normal 802.1Q header, but with the VLAN ID set to 0 and some 802.1p priority bits set. There is not yet a requirement to reply with priority-tagged frames.
  • With traffic tagged correctly, an Ethernet port whose MAC address matches the one in the certificate is given an IP address via DHCP. When the lease is issued, the WAN setup handshake is complete and LAN traffic can be routed.

This process takes only a few moments, but it must be allowed to occur, or you must emulate it exactly. Therefore, this article shows you how to bridge the 802.1X EAP-TLS traffic so the ATT RG can do its part, or how to import the encryption keys (certificates) natively onto your MikroTik and use the Dot1x client interface. The choice is yours.
Last edited by pcunite on Wed Feb 15, 2023 4:23 pm, edited 28 times in total.
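As an added example (not code from the original post or from MikroTik), here is a small Python classifier for the frame types the handshake above produces: it parses 802.1X/EAPOL frames, recognises EAP-TLS request/response packets inside them, and flags 802.1Q priority-tagged frames (VLAN ID 0), which is the VLAN 0 check the capture discussion later in this thread turns on. The sample frames and their MAC addresses are constructed; `read_pcap` assumes a classic libpcap-format file with Ethernet link type.

```python
"""Frame classifier for the ONT-side handshake: EAPOL (802.1X) frames, EAP-TLS
packets inside them, and 802.1Q priority-tagged frames (VLAN ID 0) carrying IP.
Sample frames below are constructed; read_pcap() reads a classic libpcap file."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_EAPOL = 0x888E
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_IPV6 = 0x86DD
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13  # EAP-TLS method type (RFC 5216)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Describe one Ethernet frame: addresses, optional 802.1Q tag, EAPOL/EAP details."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "vlan": None, "pcp": None}
    offset = 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"], info["vlan"], offset = tci >> 13, tci & 0x0FFF, 18
    info["ethertype"] = ethertype
    # VLAN ID 0 means "priority-tagged": only the 802.1p bits carry meaning.
    info["priority_tagged"] = info["vlan"] == 0
    payload = frame[offset:]
    if ethertype == ETH_P_EAPOL and len(payload) >= 4:
        _ver, ptype, plen = struct.unpack("!BBH", payload[:4])
        info["eapol"] = EAPOL_TYPES.get(ptype, f"type {ptype}")
        body = payload[4:4 + plen]
        if ptype == 0 and len(body) >= 4:           # EAP packet inside EAPOL
            code = body[0]
            info["eap_code"] = EAP_CODES.get(code, f"code {code}")
            if code in (1, 2) and len(body) >= 5:   # Request/Response carry a method type
                info["eap_type"] = body[4]
                info["eap_tls"] = body[4] == EAP_TYPE_TLS
    return info


def summarize(frames):
    """Count what a capture of the ONT link contains."""
    s = {"eapol": 0, "eap_tls": 0, "prio_tagged_ip": 0, "untagged_ip": 0, "other_vlan": 0}
    for frame in frames:
        i = parse_frame(frame)
        if i["ethertype"] == ETH_P_EAPOL:
            s["eapol"] += 1
            s["eap_tls"] += 1 if i.get("eap_tls") else 0
        elif i["ethertype"] in (ETH_P_IP, ETH_P_ARP, ETH_P_IPV6):
            key = "untagged_ip" if i["vlan"] is None else "prio_tagged_ip" if i["vlan"] == 0 else "other_vlan"
            s[key] += 1
    return s


def read_pcap(path):
    """Yield raw frames from a classic libpcap file (Ethernet link type)."""
    with open(path, "rb") as fh:
        magic = fh.read(4)
        endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        fh.read(20)  # remainder of the 24-byte global header
        while True:
            rec = fh.read(16)
            if len(rec) < 16:
                break
            caplen = struct.unpack(endian + "IIII", rec)[2]
            yield fh.read(caplen)


def _eth(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build a constructed test frame, optionally with an 802.1Q tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HHH", ETH_P_8021Q, (pcp << 13) | vlan, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample: placeholder MACs, not real AT&T equipment addresses.
RG, ONT, PAE_GROUP = "02:00:00:00:00:01", "02:00:00:00:00:02", "01:80:c2:00:00:03"
SAMPLE_FRAMES = [
    _eth(PAE_GROUP, RG, ETH_P_EAPOL, bytes([1, 1, 0, 0])),                    # EAPOL-Start from the RG
    _eth(RG, ONT, ETH_P_EAPOL, bytes([1, 0, 0, 6, 1, 1, 0, 6, 13, 0x20])),  # EAP-Request, EAP-TLS start
    _eth(RG, ONT, ETH_P_IP, bytes(20), vlan=0, pcp=1),                       # priority-tagged IPv4 (dummy)
    _eth("ff:ff:ff:ff:ff:ff", RG, ETH_P_ARP, bytes(28)),                      # untagged ARP
]

if __name__ == "__main__":
    import sys
    frames = list(read_pcap(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for f in frames[:10]:
        print(parse_frame(f))
    print(summarize(frames))
```

Run it with a capture file as the only argument; a healthy post-authentication capture should show EAPOL frames followed by IP traffic counted under prio_tagged_ip rather than untagged_ip.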
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:28 pm

Bridge Method

Overview:
If you know anything about this option, then you know it has gone by several names: dumb switch bypass, eap-proxy, VLAN bypass, and true bridge mode. Well, they all share a common configuration in that they allow the ATT RG to handle the EAP-TLS protocol. After that, the RG can be powered down and removed. However, in the event of planned reboots or power failures, the ATT RG must be plugged back in. Naturally, the ATT RG can be allowed to stay powered on and ready as needed. Some have used special power adapters to turn the RG on and off automatically.

BridgeMethod.png

Details:
The diagram shows a yellow WAN bridge and a purple LAN bridge. The yellow bridge has temporary ports that enable the ATT RG to be nearly directly connected to the Fiber ONT. The bridge's MAC address is thus the same as the RG. After EAP-TLS authentication occurs, the ether2 port is set to disabled. Standard routing and firewalling can then occur. The ATT RG can be removed or left on as desired.

Scripting:
MikroTik is powered by RouterOS. So, we can create bridges, add or remove ports, turn things on and off, all automatically with the included scripting ability. We are able to do a lot with a single hardware device. This method therefore uses some special scripts to accomplish our goal. Apply this script to your hardware.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway Bypass using only a single MikroTik. No separate hardware or switch
# needed. Automatic recovery from reboot or power loss.
#
# Tested on the RB4011
#
# Date:   12-20-2019
# Topic:  https://forum.mikrotik.com/viewtopic.php?t=154954
#
##################################################################################################


##################################################################################################
# HOW TO INSTALL:
#
# 1) Reset MikroTik (/system reset-configuration) and reboot.
#
# 2) Edit "admin-mac=00:00:00:00:00:00" below to be your ATT RG MAC address.
#
# 3) With only the MikroTik turned on and nothing plugged in, apply this config file.
#
# 4) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 5) Reboot the MikroTik. The included script takes 3 minutes for automatic RG and ONT syncing.
##################################################################################################

# We will create two bridges. One for the LAN and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client to pull an IP from the ATT ONT
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Add the script that enables automatic recovery from reboot or power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN preferences
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add chain=input action=accept   connection-state=established,related comment="Allow established related"
add chain=input action=accept   in-interface=Bridge_LAN comment="Allow LAN"
add chain=input action=accept   protocol=icmp comment="Allow Ping"
add chain=input action=drop     comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Allow established related"
add chain=forward action=accept connection-state=new in-interface=Bridge_LAN comment="Allow LAN"
add chain=forward action=accept connection-nat-state=dstnat in-interface=Bridge_WAN comment="Allow port forwards"
add chain=forward action=drop   comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

# Example switch-chip rules for better performance if the hardware supports them (RB3011, CCR1009):
# redirect 802.1X (EAPOL, mac-protocol 0x888E) frames between ether1 and ether2 in hardware.
# /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
# /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Last edited by pcunite on Fri Dec 20, 2019 9:44 pm, edited 6 times in total.
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:30 pm

Supplicant Method

Overview:
This option is the preferred way because the ATT RG can be stowed away while MikroTik hardware performs all necessary tasks. All that is required are valid certificates extracted from your ATT RG and a native supplicant client. MikroTik includes this client via their Dot1x interface which provides the wpa_supplicant feature.

SupplicantMethod.png

Details:
Our diagram looks like any normal routing configuration. Really, the only thing unique about this option is that we use a Dot1x client on our yellow ether1 WAN port. The purple ports are all bridged using typical RouterOS syntax. The ether1 MAC address is set to that of your ATT RG certs, and ether1 is configured as a DHCP client. We must also import the certificate files. Beyond that, the Dot1x client handles the EAP-TLS authentication. A very straightforward configuration.

1. Manually Set the System Clock:
Set the clock, under System / Clock, to the correct time and date. The Dot1x client requires this (certificate validity periods are checked against the system clock); otherwise the status will loop through rejected, connecting, and authenticated without server.

2. Import Certificate Files:
After you have obtained your certificate files, use the Winbox GUI tool and navigate to the Files menu. Drag and drop your files there. Next, open the System / Certificates menu. Under the Certificates tab, click Import and load your files. If possible, import the certs in the following order: CA, Client, then the PK (private key). After importing, click Settings and uncheck CRL Download and Use CRL. You will now have approximately six new certificate entries in your store. If you double-click an entry, you can see key usage information on the Key Usage tab. Identify the one with tls client capability. On the General tab, the correct entry has a Common Name that is a MAC address and has Trusted checked. This is the certificate to use with Dot1x later.

3. Configure your WAN port:
For ROS v6 we'll use ether1 in this example. Set it to be a standalone port, not part of a bridge. Run the following command, using your Common Name MAC address value: /interface ethernet set [ find default-name=ether1 ] mac-address=AA:BB:CC:DD:EE:FF. Next, set up a DHCP client on ether1, for example: /ip dhcp-client add interface=ether1 disabled=no. Some RouterBoard models also require the following command: /interface ethernet switch port set ether1 vlan-mode=fallback so that they will not drop packets coming from the ONT that carry a VLAN ID of 0.

For ROS v7 series firmware, we change the above slightly: a bridge is needed to manage the ether1 interface. So, create a bridge BR_ATT with protocol mode none, VLAN filtering enabled, and ingress filtering unchecked, then add ether1 to this bridge. Example commands: /interface bridge add name=BR_ATT ingress-filtering=no protocol-mode=none vlan-filtering=yes and /interface bridge port add bridge=BR_ATT ingress-filtering=no interface=ether1. Next, enable a DHCP client on BR_ATT instead of on ether1 as ROS v6 does. The bridge's MAC address will be taken from the underlying ether1 port.

4. Configure the Dot1x interface:
This is easy enough in the GUI, but I'll show the command line. Note that you specify the certificate entry that had tls client capability. Set the identity field to the correct MAC address (without the colons). Command: /interface dot1x client add interface=ether1 certificate=Client_myfile.pem eap-methods=eap-tls identity=AABBCCDDEEFF.

Conclusion:
At this point everything is ready. Configure the rest of your MikroTik as desired, then reboot the unit. Plug ether1 directly into the Fiber ONT. In the Dot1x GUI, note the Status field. After about 30 seconds it will read authenticated, and then you'll have an IP address on ether1 or BR_ATT.
Last edited by pcunite on Thu Dec 29, 2022 3:03 pm, edited 16 times in total.
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 4:32 pm

Reserved
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 20, 2019 10:45 pm

Reserved
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 4:05 pm

Hi, thanks for this tutorial and the hard work. I tried this new method with my router (I'm waiting for the new one). I think I got authorization, but for some reason I never have an IP address. The message that I received under Dot1x is authenticated without server. Any idea? Thanks
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 5:13 pm

I think I have authorization, but for some reason I never get an IP address. The message that I received under Dot1x is authenticated without server. Any idea?

I'm very new to this, so I don't know all the edge cases yet. The Dot1x documentation mentions it and states that access to the port is granted without communication with the server. Not sure what that means. Can you do a packet capture on the traffic? It makes me think that perhaps you need a certain VLAN tag. Do you have business or residential service? Also, turn off everything, the Fiber ONT too, for a few minutes. Then boot up again.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 21, 2019 5:18 pm

I have a residential account. I'm going to try with the new MikroTik when it arrives. Right now I'm using my old one for this test. Like you told me before, maybe the router is underpowered because it is the model CRS109-8G. The new one is the CCR1009. Thanks
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 2:59 am

I'm still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something.

That said, since I was able to get it working in two phases, this time I automated it. The idea is to have a script monitor things and automatically take the interface in and out of the bridge based on the 802.1x status.

On my CCR1009-7G-1C-1S+ (passive cooled, 1200MHz), I barely break 6% overall CPU with quite a few rules (optimized though), fast path, etc at 1Gbps.

The entire setup is as follows:

Replace the following with your values:
  • bridge-ont - the bridge that strips VLAN 0 tags, has one interface on it that connects to the ONT
  • ether3-ont - the interface connected directly to the ONT
  • 00:00:00:00:00:00 - the MAC address that matches the 802.1x cert bundle that you've uploaded
  • name_of_cert - upload your cert bundle and select this in the dot1x settings

Set up the interfaces, bridge and dot1x:
/interface ethernet set [find name=ether3-ont] mac-address=00:00:00:00:00:00

/interface bridge add admin-mac=00:00:00:00:00:00 auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=ether3-ont

/interface dot1x client add anon-identity=00:00:00:00:00:00 certificate=name_of_cert eap-methods=eap-tls identity=00:00:00:00:00:00 interface=ether3-ont
/certificate settings set crl-use=no

This is the script that I run every 5 seconds, which is probably overkill, but it doesn't write any config changes or log anything unless something changes so should be fine in terms of NAND wear, etc. I'll probably tune it down to every minute later.
:local interfaceOnt "ether3-ont"
:local bridgeOnt "bridge-ont"

:local scriptName "CheckDot1x"
:local dot1xStatus [/interface dot1x client get [find interface=$interfaceOnt] status]
:local portDisabled [/interface bridge port get [find bridge=$bridgeOnt interface=$interfaceOnt] disabled]

#:log info "$scriptName: Checking, dot1xStatus=$dot1xStatus, portDisabled=$portDisabled"

:if ($dot1xStatus = "authenticated") do={
  :if ($portDisabled) do={
    :log warn "$scriptName: authenticated, enabling bridge"
    /interface bridge port enable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
} else={
  :if (!$portDisabled) do={
    :log warn "$scriptName: not authenticated ($dot1xStatus), disabling bridge"
    /interface bridge port disable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
}

For easy adding:
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup

Finally place your DHCP on the "bridge-ont" interface. I'm able to pull both IPv4 and a /60 of IPv6, which I've split up into three /64 subnets for my private network, IoT and guest networks.
Last edited by wojo on Thu Dec 24, 2020 7:48 pm, edited 1 time in total.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:25 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status, and no luck. Looking for any help. Thanks
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:33 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status, and no luck. Looking for any help. Thanks

I think I've hit that when something was wrong with the certs or dot1x setup. Can you show your configuration, with MACs scrubbed and such, for dot1x and certificate settings?

Also -- I can't remember entirely if it was required but I did import the entire cert chain as well as disable the CRL.
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:34 am

Sadly, with the new MikroTik CCR1009 I still have the same message "Authenticated without server" and no IP address. I also tried the script to verify the Dot1x status, and no luck. Looking for any help. Thanks

Yes, I just tested my system again (resetting everything for testing) and get the same error. I'll be tracking this down. For now, set your system clock to the correct time. Also, make sure, under System Certificates, that your Client key is KT.

Interestingly, when I restore my system from backup, everything works. So, there is something stored in the backup file that simply enables an ether1 interface to just work, without putting it into a bridge and then removing it, as wojo is having to.
Last edited by pcunite on Sun Dec 22, 2019 4:39 am, edited 1 time in total.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:39 am

This is part of my config without the Dot1x check. I imported the 3 certificates (CA_00..., Client_00.., PrivateKey_PKCS1_00..) that were created when using the utility to create the wpa_supplicant.conf

/interface ethernet
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx
set [ find default-name=ether2 ] name=ether2
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7

/interface bridge settings
set use-ip-firewall=yes
/interface dot1x client
add anon-identity=xxxxxxxxxxxx certificate=Client_cert.pem_0 \
eap-methods=eap-tls identity=xxxxxxxxxxxx interface=ether1
Last edited by jack2020 on Sun Dec 22, 2019 5:05 am, edited 1 time in total.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:59 am

I changed the clock to the right date and time, imported the certificates again, and used the one with KT with the Dot1x. And the same message. Thanks
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:03 am

I changed the clock to the right date and time, imported the certificates again, and used the one with KT with the Dot1x. And the same message. Thanks

Okay, I think what may have happened is that I too had a bridge, then took it out of the bridge. After that, it stays working. Please try wojo's scripts. I will keep looking until I find the answer.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:08 am

I removed the WAN bridge; ether1 is alone, and the only bridge that I have is for the LAN. Do I need to remove the LAN_Bridge and create a new one for the LAN?
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:09 am

I removed the WAN bridge; ether1 is alone, and the only bridge that I have is for the LAN. Do I need to remove the LAN_Bridge and create a new one for the LAN?

No, the LAN side is fine. What we are doing is fairly advanced here. I understand it must be confusing for you. We are only talking about WAN interfaces.
 
jack2020

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 5:12 am

OK, ether1 is alone, without any WAN_Bridge, and there is no WAN_Bridge. I'm going to try the Dot1x script. Thanks
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:34 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:35 am

Okay, I think what may have happened is that I too had a bridge, then took it out of the bridge. After that, it stays working. Please try wojo's scripts. I will keep looking until I find the answer.

I got bit by the same thing when first starting as well, until I started throwing reboots and disconnects at the situation.

Well... the scripts aren't ideal, but are fast and seem to be reliable so far. Like you said, the ONT doesn't seem to ask for reauth once up, ever.

If dot1x ever reports it's not auth'd, the script will at least try to let it do it again by taking the interface out of the bridge. I'm just scared that if the ONT decides to unauth without a link drop/status change, nothing would notice.

In order to catch that situation, I would need to test the gateway and try bouncing it or something, I guess.
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:46 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.

And with just the interface (no bridge), you can disconnect the ONT ethernet cable or disable that interface, bring it back, and it'll run through the EAPOL process and then grab an IP?
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:08 am

Well, after going around and around with this, I was finally able to get it to work with only using ether1. The system time must be correct. Set that, then reboot.
And with just the interface (no bridge), you can disconnect the ONT ethernet cable or disable that interface, bring it back, and it'll run through the EAPOL process and then grab an IP?

Yes, and it works! I'll update the article now. Basically, follow the article, but set the clock, under System / Clock, to the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew the IP, turn off the interface, whatever, and it will re-auth correctly.
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:13 am

Yes, and it works! I'll update the article now. Basically, follow the article, but set the clock, under System / Clock, to the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew the IP, turn off the interface, whatever, and it will re-auth correctly.

My time is correct and synced via NTP.

Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0, by hooking up Wireshark to the MikroTik? It's a known issue that MikroTik does not handle VLAN 0 like other hardware out there, so I'm thinking your ONT is not setting that VLAN tag of 0.

Also, what is the model of ONT?
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:18 am

Yes, and it works! I'll update the article now. Basically, follow the article, but set the clock, under System / Clock, to the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew the IP, turn off the interface, whatever, and it will re-auth correctly.

My time is correct and synced via NTP.

Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0, by hooking up Wireshark to the MikroTik? It's a known issue that MikroTik does not handle VLAN 0 like other hardware out there, so I'm thinking your ONT is not setting that VLAN tag of 0.

Also, what is the model of ONT?

I have the Alcatel-Lucent G-010G-A. I'll try to get a capture later. Won't be today.
 
wojo

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:21 am

I have the Alcatel-Lucent G-010G-A. I'll try to get a capture later. Won't be today.

Same model here.
 
pcunite

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 8:36 am

My time is correct and synced via NTP. Can you get some captures on the wire to see if your IP traffic is encapsulated with VLAN 0 by hooking up wireshark to the MikroTik.

Replying to this again, going to take a break for now. However, please test the following:

  • Do a System / Reset Configuration unchecking No Default Configuration.
  • Reboot
  • Set the System / Clock manually to ensure the correct time, right now.
  • Import your certs
  • Then apply a setup script that looks something like below. Note the order of things to keep auto mac assignments sane.
  • Reboot

# dec/21/2019 23:11:39 by RouterOS 6.46.1
# model = RB4011iGS+

/system identity
set name=Router

# Create your LAN Bridge first
/interface bridge
add name=BR_LAN protocol-mode=none vlan-filtering=no

# Add their ports
/interface bridge port
add bridge=BR_LAN interface=ether2
# and so on
# yadda yadda

# WAN Port, now set the MAC to your cert MAC on ether1
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00

# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no

# turn on the DHCP client
/ip dhcp-client
add disabled=no interface=ether1

# turn on the Dot1x interface, use your MAC
/interface dot1x client
add certificate=Client_Cert.pem_0 eap-methods=eap-tls anon-identity=000000000000 identity=000000000000 interface=ether1

# setup your firewall
/ip firewall filter
# yadda yadda

# NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 comment="Default masq"

# turn on VLAN if desired
#/interface bridge set BR_LAN vlan-filtering=yes

# reboot

 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 2:22 pm

Hi, I followed the last instructions and keep getting the same message, "Authorized without server". Maybe my area has another kind of configuration, or the MikroTik RB4011iGS+ works differently than my CCR1009-7G-1C(tile). Something curious: if I change my MAC address in the dot1x client using either format, 000000000000 or 00:00:00:00:00:00, or remove it from the anon-identity field, or change eap-methods to none, I always receive "Authorized without server".

Note: I have had an AT&T fiber residential account since 2017; my public IP always stays the same and never changes. Basic Internet only.
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 4:50 pm

Here is my capture. Please make one for your WAN interface, so we can compare. Go to Tools / Packet Sniffer. Under the General tab set the File Name to be something.pcap. Under the Filter tab, set the Interface, then Direction any. Then press Start. When done press Stop then download the file from the Files menu. Next, load the pcap file into Wireshark. To hide things, use a display filter like this at the top !(ip.addr == 1.2.3.4). Then photoshop the rest.

Wireshark Notes:
Right click on a column name at the top, choose Column Preferences, then Columns. Now, you can add a new column. I added 802.1Q VLAN id and set the label for it.

Notes about Starting a capture
My ether1 is my WAN port. It is not part of a bridge. So, I disabled the interface. Then I re-enabled it, and then pressed Start in the packet sniffer to get this capture. I think the packet sniffer tool may have an issue with disabled interfaces. That's why I did it like this.

capture.png
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:29 pm

Here's my capture. This is on my ether3-ont interface with no bridge. As you can see, it goes through EAPOL successfully, and then when I broadcast for DHCP I get an offer back on VLAN 0. The only way I've been able to process those incoming packets (incl. all subsequent IP packets) is to place that interface on a bridge alone and enable VLAN Filtering to strip VLAN 0.

Screen Shot 2019-12-22 at 11.49.17.png

One thought -- it looks like you are on a RB4011iGS+ (block diagram) which has two RTL8367 switch chips. The CCR1009-7G-1C-1S+PC (block diagram) does not have any. Perhaps that architecture is what allows processing of those VLAN 0 tagged packets whereas in my situation I have a raw CPU connection and cannot.

I've tried all combos of IP mangle to set DSCP to fix the packets, but it's not early enough in the pipeline. In fact I never even see any packets match my rules when they are VLAN 0.
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 7:51 pm

...
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:00 pm

One thought -- it looks like you are on a RB4011iGS+ (block diagram) which has two RTL8367 switch chips. The CCR1009-7G-1C-1S+PC (block diagram) does not have any. Perhaps that architecture is what allows for the processing of those VLAN 0 tagged packets, whereas in my situation, I have a raw CPU connection and cannot.

Thank you for the packet capture, very interesting. Your switch chip observation may have some truth to it. Whenever I export settings from an RB4011, the following appears in the results. So, it seems that VLAN 0 is the default. However, why would VLAN-tagged packets not appear in my capture, as they do in yours? One way to know whether ATT is doing this or it's the MikroTik is for me to test with a CCR1009. I don't have one at this time.

# This always appears when exporting configurations on an RB4011
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:01 pm

Update: see your post about the switch config, yeah that's exactly what I'm thinking. Here's my post I was just about to hit Submit on:

OK, my theory seems like it could be correct. I added DSCP into my Wireshark columns, and it shows CS6 level for all packets coming from the ONT. To test this, I took a managed switch (a TL-SG2216 I had around) that had VLAN capabilities and set it up with the following:

  • ports 1 (ONT), 2 (Mikrotik) on VLAN 2, PVID 2, untagged -- VLAN 2 is an arbitrary choice, just the next free one but doesn't matter
  • all other ports on VLAN 1 (default), PVID 2, untagged

This forces my switch to accept the frames and strip the VLAN tag before sending them to my Mikrotik. The result looks like this:

Screen Shot 2019-12-22 at 14.24.23.png

Notice that the DSCP header is unchanged, but the VLAN 0 tag has been removed.

This is a simpler setup without any scripts and running both dot1x and DHCP/everything else on the single port, no bridge. My CPU usage is around 1% now without the bridge, and it seems I may be getting slightly better speeds (was getting ~high 90s before, but who knows with the stuff between me and the test file):

/dev/null 26%[============> ] 268.57M 105MB/s
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Dec 22, 2019 10:44 pm

I added DSCP into my Wireshark columns, and it shows CS6 level for all packets coming from the ONT.

I updated my capture post to show DSCP.
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 2:07 pm

I tried the bridge_ont option and for some reason my authorization fails; I think something is wrong with this certificate. On lines 14, 18, 21 the system asks for my real IP address? I include my Wireshark image. Thanks for any ideas.
I also tried the configuration without the bridge and I get no request for EAPOL.
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 5:05 pm

I tried the bridge_ont option and for some reason my authorization fails, I think something is wrong with this certificate. On lines 14,18,21 the system ask for my real ip address? I include my wireshark image. Thanks with any idea.
I also tried the configuration without the bridge and I have no request for EAPOL.

Let's work on EAPOL first, then we can work on ARP and DHCP. You'll need to see an EAPOL Start, then finally an EAP Success. It takes about 30 seconds or so for that to happen. So, let's start from the beginning for you. Since you have a CCR1009, wojo has discovered that ultimately you'll need to use the Bridge option. However, for testing, I only want to work on EAPOL first, so we're going to use the bare interface method for now. In Wireshark, please turn on the columns for VLAN (802.1Q) and DSCP (IP DSCP Value). Use the display filter: eapol || dhcp.

Do the following:

  • Install firmware 6.46.1. Reboot. Then also the secondary part via the /system routerboard upgrade command. Reboot. Then reset everything via System / Reset Configuration unchecking No Default Configuration. Reboot. Now you have a base configuration.
  • Set the System / Clock manually to ensure the correct time.
  • Import the certs in the following order: CA, Client, then the PK. After importing, click Settings and uncheck CRL Download and Use CRL. Note the KT key with a MAC address for its Common Name.
  • Finally, implement this script (adjust with your values). Keep your overall configuration simple, very few firewall rules, etc. We don't care about that right now, we just want to see the EAP Success value in the capture.

/system identity set name=EAPOLTEST

# Create your LAN Bridge first
/interface bridge add name=BR_LAN protocol-mode=none vlan-filtering=no

# Add ports
/interface bridge port
add bridge=BR_LAN interface=ether2
# and so on yadda yadda

# WAN Port, set the MAC to your cert MAC on ether1
/interface ethernet set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00

# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no

# turn on the DHCP client
/ip dhcp-client add disabled=no interface=ether1

# turn on the Dot1x interface, use your MAC
/interface dot1x client add certificate=Client_Cert.pem_0 eap-methods=eap-tls anon-identity=123 identity=123 interface=ether1

# setup your firewall
/ip firewall filter
# yadda yadda

# NAT
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 comment="Default masq"

# reboot, then turn on the Packet Sniffer tool
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 5:59 pm

Here is my configuration with my modification. This one is without the WAN Bridge, the first screenshot was with the WAN Bridge. I removed the real MAC address for this post.
My first interface is combo1, then I have ether1....ether7
The RouterOS is 6.46.1

/system identity
set name=Mikrotik
# Create your LAN Bridge first
/interface bridge
add name=BR_LAN protocol-mode=none vlan-filtering=no
# Add their ports
/interface bridge port
add bridge=BR_LAN interface=ether1
add bridge=BR_LAN interface=ether2
add bridge=BR_LAN interface=ether3
add bridge=BR_LAN interface=ether4
add bridge=BR_LAN interface=ether5
add bridge=BR_LAN interface=ether6
add bridge=BR_LAN interface=ether7
# WAN Port, now set the MAC to your cert MAC on combo1
/interface ethernet
set [ find default-name=combo1 ] mac-address=00:00:00:00:00:00
# IMPORT YOUR CERTS, then turn these off
/certificate settings set crl-download=no crl-use=no
# turn on the DHCP client
/ip dhcp-client
add disabled=no interface=combo1
# turn on the Dot1x interface, use your MAC
/interface dot1x client
add certificate=Client_000000-000000000000.pem_0 eap-methods=eap-tls anon-identity=000000000000 identity=000000000000 interface=combo1
# setup your firewall
/ip firewall filter
# yadda yadda
# NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=combo1 comment="Default masq"
# turn on VLAN if desired
#/interface bridge set BR_LAN vlan-filtering=yes
# reboot

And this is the result (screenshot attached).
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:03 pm

Here is my configuration with my modification. I removed the real MAC address for this post.

For the wireshark output, please put the VLAN and DSCP values to the left of the Info column, so we can see them.
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:50 pm

Here it is with the info requested. This one is without the Bridge. I see no activity for the authentication, only EAPOL Start and failure.
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 6:54 pm

This one with the Bridge.
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 7:07 pm

Here is my configuration with my modification. This one is without the WAN Bridge, the first screenshot was with the WAN Bridge. I removed the real MAC address for this post.

Hmm, the EAPOL process is failing for sure. You get the identity request, but the tik doesn't even try to respond.

Could you use "export hide-sensitive" and also mask the MACs so we can see the exact config? I haven't tested all these combos of potential errors, they are just from memory but I believe I saw that status when one of these was wrong. Ensure that:
  • the certificate imported has KT flags (aka has the private key in addition to the public key, and also is trusted)
  • the rest of the cert chain is installed, 5 additional certs for me (Motorola Intermediate, Motorola Root CA, System Infrastructure Root CA, ATT Services Inc Root CA and Frontier-RootCA)
  • on dot1x the identity and anon-identity MACs are set to the cert MAC (your example doesn't have the colons, just from your redaction?)
  • the interface has the MAC address overridden to the cert MAC via the CLI
  • the cert MAC is correct (see commands below)
  • dot1x use-crl must be no
  • the MAC address is not on any other interface (I've done that while testing with many different ports, moving stuff around)
  • system clock is correct
  • that port is connected directly to ONT, and power cycle the ONT just in case

Check certificate CN for the MAC:

# openssl x509 -in Client-xxx.pem -text | grep Subject
        Subject: C=US, O=Motorola, Inc., CN=00:00:00:00:00:00/serialNumber=xxx
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 7:40 pm

- The certificate imported has the KT flags.
- I imported the first 3 certificates and then I finished with 6 certificates under certificates, including the Client with the KT flag.
- on my dot1x I tried both, with colon and without it. Same result.
- When I tried without the Bridge I use only one interface and override the MAC. When I tried with the bridge I left the interface with the original MAC.
- In the dot1x I uncheck both options for crl.
- The system clock and date are right.
- The port is connected to the ONT, and in some of my tests I power cycled the ONT.
- My config with the bridge "The bridge, interface and dot1x info". Like you posted before.
Nothing different than the suggested ones. I also reset the configuration without "Default config".

/interface ethernet set [find name=combo1] mac-address="DEFAULT MAC ADDRESS"
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=combo1
/interface dot1x client add anon-identity=xx:xx:xx:xx:xx:xx certificate=Client_00000-00000000.pem_0 eap-methods=eap-tls identity=xx:xx:xx:xx:xx:xx interface=combo1
/certificate settings set crl-use=no
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 8:01 pm

Just for info, I have AT&T fiber 300MB with a DirecTV plan. I have no idea if they manage that account differently.
For my certificates I used the mfg_dat_decode utility for Linux and for Windows. Same result.
My first AT&T modem was a Pace and then I changed it for a Motorola NVG589, the one that I have now.
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 9:41 pm

Well, I have some more info. It seems that @jack2020 is correct: there can be a configuration where a bare interface, or even a bridge, will not be able to process EAPOL with a good certificate. Acting on wojo's switch chip theory, I am testing with a hEX PoE lite, just to see what would happen. It has the Atheros8227 switch chip, which seems different from the others. With this unit, I'm having the same issues that jack2020 is having. My capture for reference.

Atheros8327.png
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 11:36 pm

Update

When working with the Atheros8227 switch chip, you must set vlan-mode=fallback on the WAN port. This enabled me to get the hEX PoE to work. Therefore, it seems that on some MikroTik boards, they will drop ingress packets that have a VLAN id of 0. Thus, you must account for this. Of note, I only use a bare interface. I didn't put the WAN port on a software bridge.

The question now. How to do this on the CCR1009 boards?

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 23, 2019 11:57 pm

Thanks for the update. I need to find the equivalent of that command; if not, I'm going to return this router.
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 3:31 am

...
- When I tried without the Bridge I use only one interface and override the MAC. When I tried with the bridge I left the interface with the original MAC.
...
Nothing different than the suggested ones. I also reset the configuration without "Default config".

/interface ethernet set [find name=combo1] mac-address="DEFAULT MAC ADDRESS"
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=combo1
/interface dot1x client add anon-identity=xx:xx:xx:xx:xx:xx certificate=Client_00000-00000000.pem_0 eap-methods=eap-tls identity=xx:xx:xx:xx:xx:xx interface=combo1
/certificate settings set crl-use=no

Ugh, it should have at least done dot1x successfully when standalone. In bridge mode though, the combo1 interface needs the MAC from the certificate. 802.1x is done on the interface level, not the bridge (in fact only works when disabled from the bridge per my script).

I'm lost :( You have the same router and it doesn't work like it does for me. Right now I'm stripping packets with another switch, but don't understand why it isn't working for you.

Update

When working with the Atheros8227 switch chip, you must set vlan-mode=fallback on the WAN port. This enabled me to get the hEX PoE to work. Therefore, it seems that on some MikroTik boards, they will drop ingress packets that have a VLAN id of 0. Thus, you must account for this. Of note, I only use a bare interface. I didn't put the WAN port on a software bridge.

The question now. How to do this on the CCR1009 boards?

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback

Good find. Another thing that may work is "vlan-header=always-strip" to get rid of the VLAN tag entirely as well.

I have a RB750Gr3 which doesn't have VLAN capabilities on the switch, so I'd have to resort to bridge VLAN filtering and do it in software or my current method (a VLAN switch to strip it before the CCR1009).

What's interesting with devices that support hardware switch VLAN is these two things:

  • if it supports vlan-mode (and probably vlan-header) then you can fix up the packets marked with VLAN 0 and process them
  • if it supports VLAN rules on the switch, you can do fancy things like hook the ONT to port 1, forward ethertype = 0x888E (EAPOL) to port 2 on the RG, and the rest to the Mikrotik
    /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
    /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Still lost why jack2020 can't get it to work on the same exact model I have, the CCR1009-7G-1C (without switches). Hmm.
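To make the VLAN 0 behaviour discussed above concrete, here is an added example (not code from this thread or from MikroTik) that parses Ethernet frames the way the Wireshark columns in the thread do: it reports the 802.1Q tag, flags VID 0 as a priority tag, reads the IPv4 DSCP (CS6 in wojo's capture), and strips the tag only when the VID is 0, which is what the managed switch's untagged port or vlan-header=always-strip does to the frames before the router sees them. MAC addresses and the sample frames are constructed placeholders; the example also handles the generalization to a real, non-zero VLAN ID, which is left untouched.

```python
"""Parse Ethernet frames for 802.1Q priority tags (VLAN ID 0), EAPOL and DSCP."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_EAPOL = 0x888E          # the ethertype the switch rule above matches on
DSCP_NAMES = {0: "CS0", 48: "CS6"}  # CS6 = 0b110000, what the ONT marks its packets with


@dataclass
class Frame:
    dst: str
    src: str
    pcp: Optional[int]      # 802.1p priority bits (None when untagged)
    vid: Optional[int]      # 802.1Q VLAN ID (0 means "priority tag only")
    ethertype: int          # inner ethertype once the tag is accounted for
    dscp: Optional[int]     # IPv4 DSCP, None for non-IP payloads
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header, an optional single 802.1Q tag, and the IPv4 ToS byte."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    pcp = vid = None
    off = 14
    if etype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF   # TCI = PCP(3) | DEI(1) | VID(12)
        off = 18
    dscp = None
    if etype == ETHERTYPE_IPV4 and len(raw) >= off + 2:
        dscp = raw[off + 1] >> 2             # upper 6 bits of the ToS byte
    return Frame(_mac(dst), _mac(src), pcp, vid, etype, dscp, raw[off:])


def is_priority_tagged(raw: bytes) -> bool:
    """True for frames carrying an 802.1Q tag whose VLAN ID is 0."""
    return parse_frame(raw).vid == 0


def strip_priority_tag(raw: bytes) -> bytes:
    """Remove a VID 0 tag (as an untagged switch port or vlan-header=always-strip does).
    Untagged frames and frames with a real VLAN ID are returned unchanged."""
    if parse_frame(raw).vid != 0:
        return raw
    return raw[:12] + raw[16:]   # drop TPID+TCI, keep the inner ethertype and payload


def describe(raw: bytes) -> str:
    """One line in the style of the Wireshark columns used in the thread."""
    f = parse_frame(raw)
    vlan = "-" if f.vid is None else f"{f.vid} (pcp {f.pcp})"
    kind = {ETHERTYPE_EAPOL: "EAPOL", ETHERTYPE_IPV4: "IPv4"}.get(f.ethertype, hex(f.ethertype))
    dscp = "-" if f.dscp is None else DSCP_NAMES.get(f.dscp, str(f.dscp))
    return f"{f.src} -> {f.dst}  vlan={vlan}  dscp={dscp}  {kind}"


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble a frame, optionally inserting an 802.1Q tag (test helper)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames with placeholder MACs (not captured from an AT&T ONT).
PAE_GROUP = "01:80:c2:00:00:03"       # 802.1X port-access-entity group address
ROUTER_MAC = "00:00:00:00:00:01"
ONT_MAC = "00:00:00:00:00:02"
EAPOL_START = build_frame(PAE_GROUP, ROUTER_MAC, ETHERTYPE_EAPOL,
                          bytes([0x01, 0x01, 0x00, 0x00]))   # version 1, type Start, len 0
IPV4_CS6 = bytes([0x45, 48 << 2]) + bytes(18)                 # minimal IPv4 header, ToS=CS6
DHCP_OFFER_VLAN0 = build_frame("ff:ff:ff:ff:ff:ff", ONT_MAC, ETHERTYPE_IPV4, IPV4_CS6, vid=0)

if __name__ == "__main__":
    for frame in (EAPOL_START, DHCP_OFFER_VLAN0, strip_priority_tag(DHCP_OFFER_VLAN0)):
        print(describe(frame))
```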
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 5:12 am

Thanks for the update. Need to find the equivalent of that command, if not I'm going to return this router.

There is probably a way to process VLAN 0 with the CCR1009. I just don't own one to test. In the Winbox GUI (version 3.20), do you even have a Switch menu? Some of the older CCR's did have switch chips. The new ones do not.
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 5:24 am

No Switch option, this is my menu.
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 7:10 am

No Switch option, this is my menu.

Okay, well that makes sense as there is no switch chip. Hmmm, I don't yet know how to accept anything over the WAN interface on the CCR1009. As wojo has explained, a carefully constructed bridge with vlan-filtering=yes should do it. But I don't know why it fails for you. If you can, please try using an RB4011 and see how it responds on your Fiber ONT.
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 2:08 pm

After all, I returned it and bought an RB4011. I hope everything works fine when I receive the new model.
 
jweek
just joined
Posts: 6
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 24, 2019 10:51 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 2:17 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John

Well this is interesting, same configuration and service as me.

If you don't mind sending your certs to me via PM, I can try loading them and see if I can ensure they work. Mine are known working so this could be interesting to just verify it's not that.

I'll also do an export of my config for you and strip anything not related so you can load it directly and just change the certs.

Other than that we will have controlled all other internal variables.
 
jweek
just joined
Posts: 6
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 7:35 pm

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me know. Using certs extracted from a nvg589 and EAP-TLS credentials decoder from devicelocksmith. My service is att residential fiber 1gig with a BGW210-700 and Alcatel-Lucent G-240G-A ONT.

John

Well this is interesting, same configuration and service as me.

If you don't mind sending your certs to me via PM, I can try loading them and see if I can ensure they work. Mine are known working so this could be interesting to just verify it's not that.

I'll also do an export of my config for you and strip anything not related so you can load it directly and just change the certs.

Other than that we will have controlled all other internal variables.

Wojo,

Sounds like a great plan! I can't seem to figure out how to pm here, so if you could pm me your config, I'll load it with my certs and give it a try. If that doesn't work, I'll send you my certs for testing.

Thanks,

John
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 9:26 pm

Someone, please test with a CCR1009 (the new one without any switch chips), and see how you fare.
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 9:33 pm

After all I returned it and bought an RB4011. Wish everything works fine when I receive the new model.

I will help you!
: - )
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 25, 2019 11:55 pm

Thanks for all the help received. Just waiting for the other router to arrive, I hope that by putting everything as indicated in the instructions, it will work on the first attempt and nothing special in my area.
 
planetcoop
Member Candidate
Posts: 140
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 5:40 pm

Is this configuration specific to the RB4011 with the vlan0 att RG bypass or supplicant?

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 6:07 pm

Is this configuration specific to the RB4011 with the vlan0 att RG bypass or supplicant?
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
etc...

I don't follow your question. The default values on an RB4011, for whatever reason as determined by MikroTik, do set default-vlan-id to a 0. It appears to help with our requirements. Is it working for you?
 
planetcoop
Member Candidate
Posts: 140
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 27, 2019 9:22 pm

It's working great. I have been able to DHCP the WAN interface and statically set a second port to my LAN block range. I have also been able to request the IPv6 delegation /60 and statically assign addresses to interfaces and route accordingly.

I am using the supplicant method on a rb4011 to act as the carrier L3 hand-off and then whatever is behind it can be physical or virtual in a static block range.

Great work here, here is my short anonymous configuration (don't forget to secure your device and network):

/interface ethernet
set [ find default-name=ether1 ] mac-address=D0:39:B3:XX:XX:XX
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
/certificate settings
set crl-use=no
/interface dot1x client
add anon-identity=D0:39:B3:XX:XX:XX certificate=\
Client_00XXXXXX6-22XXXXXX.pem_0 eap-methods=eap-tls identity=\
D0:39:B3:XX:XX:XX interface=ether1
/ip address
add address=68.4.19.94/27 interface=ether2 network=68.4.19.64
/ip dhcp-client
add disabled=no interface=ether1
add default-route-distance=1 disabled=no interface=bonding1
/ipv6 address
add address=2600:1700:390:c51::1 advertise=no interface=ether2
/ipv6 dhcp-client
add add-default-route=yes interface=ether10 pool-name=att pool-prefix-length=60 \
request=address,prefix
/ipv6 route
add distance=1 dst-address=2600:1700:390:c50::/60 gateway=\
2600:1700:390:cc51::90
 
planetcoop
Member Candidate
Posts: 140
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 3:19 am

I have just tested the config on the 3011 and don't seem to be able to get the vlan0 working like the rb4011 does. :(
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 6:04 am

I have just tested a config on the 3011 and I don't seem to be able to get the vlan0 working like the rb4011 does. :(

You'll have to do something like this:

/interface ethernet switch port
set ether1 vlan-mode=fallback
 
planetcoop
Member Candidate
Posts: 140
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 9:15 am

I have tested that with no better results. :(
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 4:14 pm

I have tested that with no better results. :(

Well, sorry to hear that. We need RouterOS to have better support for 802.1p tags is what this is coming down to.
 
jack2020
newbie
Posts: 43
Joined: Sat Aug 17, 2019 4:47 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Dec 28, 2019 8:44 pm

Thanks for all your help. Today I received the RB4011 and everything works as expected, at the first try.
 
planetcoop
Member Candidate
Posts: 140
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 30, 2019 12:14 am

I have purchased a second 4011 for the new cert supplicant method. Works like a charm every time. :)
 
jweek
just joined
Posts: 6
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 30, 2019 3:52 am

I have tested that with no better results. :(

Well, sorry to hear that. We need RouterOS to have better support for 802.1p tags is what this is coming down to.
I agree, it seems to be the issue I'm facing as well. I was hoping to get wojo's config and give it a try, but I may have to return my ccr and purchase something else.
 
wojo (Frequent Visitor)

Mon Dec 30, 2019 4:03 am

I also picked up a 4011 with a good deal so I'm going to be switching (get it?!) as well. The CCR1009 is really overkill for the home anyway and this lets me either not have those scripts or the external switch I use not to strip the tags.
 
wojo (Frequent Visitor)

Sat Jan 04, 2020 7:10 am

Set up the RB4011 today and all is going smooth, no longer need to play tricks with the script or external switch. A much simpler setup, and cheaper than the CCR1009 as well!
 
jweek (just joined)

Sat Jan 04, 2020 6:29 pm

agree, RB4011 up and running smooth here, thx all for the assist!
 
archerious (Member Candidate)

Thu Jan 16, 2020 11:06 am

Bridge Method

Overview:
If you know anything about this option, then you know it has gone by several names: dumb switch bypass, eap-proxy, VLAN bypass, and true bridge mode. Well, they all share a common configuration in that they allow the ATT RG to handle the EAP-TLS protocol. After that, the RG can be powered down and removed. However, in the event of planned reboots or power failures, the ATT RG must be plugged back in. Naturally, the ATT RG can be allowed to stay powered on and ready as needed. Some have used special power adapters to turn the RG on and off automatically.


[Diagram: BridgeMethod.png]


Details:
The diagram shows a yellow WAN bridge and a purple LAN bridge. The yellow bridge has temporary ports that enable the ATT RG to be nearly directly connected to the Fiber ONT. The bridge's MAC address is thus the same as the RG. After EAP-TLS authentication occurs, the ether2 port is set to disabled. Standard routing and firewalling can then occur. The ATT RG can be removed or left on as desired.

Scripting:
MikroTik is powered by RouterOS. So, we can create bridges, add or remove ports, turn things on and off, all automatically with the included scripting ability. We are able to do a lot with a single hardware device. This method therefore uses some special scripts to accomplish our goal. Apply this script to your hardware.

##################################################################################################
# ABOUT:
#
# AT&T Residential Gateway Bypass using only a single MikroTik. No separate hardware or switch
# needed. Automatic recovery from reboot or power loss.
#
# Tested on the RB4011
#
# Date:   12-20-2019
# Topic:  https://forum.mikrotik.com/viewtopic.php?t=154954
#
##################################################################################################


##################################################################################################
# HOW TO INSTALL:
#
# 1) Reset MikroTik (/system reset-configuration) and reboot.
#
# 2) Edit "admin-mac=00:00:00:00:00:00" below to be your ATT RG MAC address.
#
# 3) With only the MikroTik turned on and nothing plugged in, apply this config file.
#
# 4) Next, turn everything else on and plug everything in.
#    ONT               <-> ether1
#    ATT RG ONT Port   <-> ether2
#    Your PCs etc.     <-> ether3~ether10
#
# 5) Reboot the MikroTik. The included script takes 3 minutes for automatic RG and ONT syncing.
##################################################################################################

# We will create two bridges. One for the LAN and the other for the WAN.
/interface bridge

# LAN
add name=Bridge_LAN protocol-mode=none

# WAN
# Set the WAN MAC (admin-mac) to be your ATT's RG MAC.
# We set the pvid parameter to a unique VLAN tag. A cheap way to keep incoming ONT and outgoing ether1 packets from seeing duplicate MACs.
# This way, only the ONT and ATT RG will see each other, not the momma Bridge with the duplicate MAC.
add name=Bridge_WAN admin-mac=00:00:00:00:00:00 pvid=111 auto-mac=no igmp-snooping=yes protocol-mode=none vlan-filtering=yes

# Add ports to each bridge
/interface bridge port

# WAN
add bridge=Bridge_WAN interface=ether1
add bridge=Bridge_WAN interface=ether2

# LAN
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10

# Ready a DHCP client to pull an IP from the ATT ONT
/ip dhcp-client add dhcp-options=clientid disabled=no interface=Bridge_WAN use-peer-dns=no use-peer-ntp=no

# Add the script that enables automatic recovery from reboot or power loss
/system scheduler add name=OnRebootATT start-time=startup on-event=":delay 30\r\n/system script run OnRebootATT"
/system script add name=OnRebootATT source="#\_OnRebootATT\r\n\r\n:log info \"Script: Starting OnRebootStartATTRG\";\r\n:delay 5\r\n\r\n:log info \"Script: Enable Virtual switch for ONT and ATT RG\";\r\n/interface bridge set Bridge_WAN pvid=111\r\n\r\n:log info \"Script: Ensure ATT RG ether2 is visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=1\r\n/interface ethernet enable ether2\r\n\r\n:log info \"Script: Sleep for 3 minutes to allow ONT and ATT RG time to sync\";\r\n:delay 180\r\n\r\n:log info \"Script: Ensure ATT RG is NOT visible to ONT\";\r\n/interface bridge port set bridge=Bridge_WAN [find interface=ether2] pvid=222\r\n/interface ethernet disable ether2\r\n\r\n:log info \"Script: ONT and ATT RG should be in sync. Virtual Switch shutting down. Enjoy your router.\";\r\n/interface bridge set Bridge_WAN pvid=1\r\n"

# Standard MikroTik LAN configuration stuff. Modify to suit your LAN preferences
/ip pool add name=pool_LAN ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip address add address=192.168.88.1/24 interface=Bridge_LAN
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes servers="9.9.9.9,8.8.8.8"

# Sample Firewall
/ip firewall filter
add chain=input action=accept   connection-state=established,related comment="Allow established related"
add chain=input action=accept   in-interface=Bridge_LAN comment="Allow LAN"
add chain=input action=accept   protocol=icmp comment="Allow Ping"
add chain=input action=drop     comment="Drop all other input"
add chain=forward action=accept connection-state=established,related comment="Allow established related"
add chain=forward action=accept connection-state=new in-interface=Bridge_LAN comment="Allow LAN"
add chain=forward action=accept connection-nat-state=dstnat in-interface=Bridge_WAN comment="Allow port forwards"
add chain=forward action=drop   comment="Drop all other forward"

# Sample masquerade
/ip firewall nat add action=masquerade chain=srcnat comment="Default masq" out-interface=Bridge_WAN

# Example rule-table switching for better performance if the hardware supports it (RB3011, CCR1009).
# /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
# /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Thank you for your hard work, I want to report a possible bug or perhaps it's AT&T causing this, but lately I can't even go past seven days of uptime before getting "rebinding" or "searching". I then need to restart the router and AT&T Gateway. Since I work night-shift my wife has been inconvenienced with no internet for hours. We're cord-cutters so no internet is a bit rough, and frankly I don't trust her to try to restart the modem or router.

Any idea why RB4011 on 6.46.1 is consecutively since late December needing reboots every seven days?

Some pics below:

[Screenshots attached to the original post, dated January 7th and January 15th, not reproduced here]

PS: One thing that I noticed is the AT&T gateway has a green light then under it a red light with the AT&T Mikrotik bridge bypass. However with Ubiquiti's EAP Proxy method it would have two green lights on the AT&T gateway. Not sure if perhaps the issue is simply caused by the EAP-Proxy method allowing authentication more times or well tbh it's out of my scope.
 
pcunite (Forum Guru, Topic Author)

Fri Jan 17, 2020 7:09 pm

The EAP-Proxy method can handle any issues that occur on AT&T's end which is why some people like it. The MikroTik script is not perfect in that regard because it effectively cuts off the RG Gateway after EAP. The script also does not check to see if the internet is still up. Would not be hard to add a ping check to a DNS server, reboot if you can't get a reply to improve it. That would restart EAP and get you going.

However, I recommended getting certs. Buy used off eBay. They work very well and handle all situations, like when the ONT loses power (maybe AT&T is working in your neighborhood?). If you don't want to go the cert route, you need to improve the script by making it reboot when it can't get an IP.
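A watchdog along the lines pcunite describes, as an added example that is not part of the original post or of the script quoted above. It assumes the Bridge Method config from the quoted post (a bridge named Bridge_WAN carrying the DHCP client, and a script named OnRebootATT) and that the ATT RG stays powered and cabled to ether2; the resolver address, failure threshold and interval are choices made here, not anything from the thread. Rather than rebooting the whole router, it re-runs OnRebootATT, which re-enables ether2 so the RG can redo EAP-TLS. Paste the body in as the Source of a new script named ATTWatchdog (WinBox: System > Scripts) and attach it to a scheduler with the command in the last comment:

```routeros
# Added example, not part of pcunite's script: WAN watchdog for the Bridge Method.
# Assumes the quoted config above (bridge Bridge_WAN with the DHCP client on it,
# script OnRebootATT, ATT RG still powered and cabled to ether2).
#
# Every run: check that the WAN lease is "bound" and that a ping to a public
# resolver answers. After failLimit consecutive failures, re-run OnRebootATT
# instead of rebooting the whole router.

:local target 9.9.9.9
:local failLimit 3
:global attFails
:if ([:typeof $attFails] = "nothing") do={ :set attFails 0 }

# Lease state of the DHCP client on the WAN bridge: "bound" is healthy,
# "searching..." or "rebinding..." is what the post above reports seeing
:local leaseOk false
:foreach c in=[/ip dhcp-client find interface=Bridge_WAN] do={
    :if ([/ip dhcp-client get $c status] = "bound") do={ :set leaseOk true }
}

# /ping in a script returns the number of replies received
:local pingOk ([/ping $target count=3 interval=1s] > 0)

:if ($leaseOk && $pingOk) do={
    :set attFails 0
} else={
    :set attFails ($attFails + 1)
    :log warning ("Watchdog: WAN check failed " . $attFails . "/" . $failLimit)
    :if ($attFails >= $failLimit) do={
        :set attFails 0
        :log warning "Watchdog: re-running OnRebootATT so the RG can re-authenticate"
        /system script run OnRebootATT
    }
}

# Then schedule it from the terminal. Keep the interval longer than the
# 3-minute sync delay inside OnRebootATT so two runs never overlap:
# /system scheduler add name=ATTWatchdog interval=5m on-event="/system script run ATTWatchdog"
```

The counter lives in a global so it survives between scheduler runs; three misses at a five-minute interval means roughly fifteen minutes of outage before the RG is brought back in, which avoids re-triggering EAP on a single dropped ping.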
 
archerious (Member Candidate)

Fri Jan 17, 2020 9:45 pm

Thank you for the reply, is buying the certs themselves possible or do I need to specifically buy a NVG510 with specific firmware or has downgrading become easier?

Thanks again for replying, really appreciate it.
 
pcunite (Forum Guru, Topic Author)

Sat Jan 18, 2020 5:07 am

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

You can purchase certs off eBay.
Last edited by pcunite on Tue May 05, 2020 9:37 pm, edited 3 times in total.
 
archerious (Member Candidate)

Sat Jan 18, 2020 9:21 am

... is buying the certs themselves possible or do I need to specifically buy a NVG510 ... ?

Send me an email at:
I sent the email, thank you
Last edited by archerious on Wed May 13, 2020 7:40 pm, edited 1 time in total.
 
archerious (Member Candidate)

Tue Jan 21, 2020 7:31 am

I am an idiot. I barely realized, duh, .der isn't .pem....lol. Sorry, long day at work and I'm dumb.
Last edited by archerious on Thu May 14, 2020 12:33 am, edited 1 time in total.
 
archerious (Member Candidate)

Tue Jan 21, 2020 7:49 am

This is amazing. The 802.1x method was incredibly easy once converted to .pem.
 
pcunite (Forum Guru, Topic Author)

Tue Jan 21, 2020 5:03 pm

Enjoy! It is a really nice solution.
 
Oosik411 (just joined)

Fri Jan 24, 2020 6:23 am

Would either method work with a hex RB750Gr3?

If I went the supplicant route where do I find certificates to use? I searched eBay and google but only found how they are extracted on older boxes. I have a 5268ac.
 
archerious (Member Candidate)

Fri Jan 24, 2020 8:29 am

I'm running wpa_supplicant on MikroTik and tested on ER4. It worked. You can use a NVG589's keys even if AT&T provided a BGW210. EAP-TLS only auths the device.

The AAA server simply whitelists most gateway models and the actual subscriber-level auth is done by SLID or the ONT's serial number.

TLDR: The keys can be for a NVG589 and work even if AT&T gave you a BGW210 or 5268AC.
 
Oosik411 (just joined)

Fri Jan 24, 2020 9:24 pm

How do I find these keys? Maybe I’m not searching the right terms or do I need to buy an old NVG box and extract keys myself?
 
archerious (Member Candidate)

Fri Jan 24, 2020 9:30 pm

That's the most common way; the NVG589s are like $20-$40 on eBay used. You could buy one and extract the certs. Once you have the .der files you then use a tool to convert them to .pem files. Then you follow pcunite's guide to add the keys to the MikroTik router.
Last edited by archerious on Mon Feb 10, 2020 8:04 am, edited 1 time in total.
 
Aerowinder (newbie)

Thu Feb 06, 2020 2:08 am

Greetings all,

Supplicant method working here on my RB4011. Using the device as a pass through to my virtualized pfSense firewall. Thanks to everyone who helped me get to this point.

By the way, finding NVG589s on eBay for $5-$15 isn't exactly easy. I placed a couple bids, put in a couple best offers, and lost them all. I think the person selling the pre-extracted certs is buying all the cheap units to turn a profit.

I'm posting my..... completed..... config here in case it could help someone in the future. Remember, that this is only for a PASSTHROUGH connection. The firewall rules are NOT secure if this is your edge device:
#MikroTik RB4011 - Router OS 6.46.2 - Home
#v1, 2020-02-05 - Initial release.




---------- STEP 1 ----------

Factory reset the router. No defaults. Clean slate.

Note that this setup (firewall rules, mostly) will NOT be secure. It allows incoming connections! It is intended to be used as a pass-through device ONLY!

Connect eth1 to trusted port on UniFi switch.
Connect eth9 to WAN port on UniFi switch.
Connect eth10 to ONT directly.

---------- STEP 1 END ----------




---------- STEP 2 ----------

/interface ethernet
set ether1 name=eth1-MGMT
set ether9 name=eth9-DMZ
set ether10 name=eth10-ONT

/ip address
add interface=eth1-MGMT address=10.10.1.2/16
add interface=eth9-DMZ address=10.1.10.1/29

/interface list
add name=MGMT
add name=DMZ
add name=ONT

/interface list member
add list=MGMT interface=eth1-MGMT
add list=DMZ interface=eth9-DMZ
add list=ONT interface=eth10-ONT

/ip dhcp-client
add interface=eth10-ONT disabled=no

/ip pool
add name=pool_dmz ranges=10.1.10.3-10.1.10.6

/ip dhcp-server
add name=dhcp_dmz interface=eth9-DMZ address-pool=pool_dmz disabled=no

/ip dhcp-server network
add address=10.1.10.0/29 gateway=10.1.10.1 netmask=29

/ip dhcp-server lease
add address=10.1.10.2 mac-address=<PFSENSE WAN MAC> server=dhcp_dmz

/ip firewall filter
#forward
add chain=forward action=fasttrack-connection connection-state=established,related comment="FastTrack all forwarded established/related connections. Reduces CPU usage significantly."
add chain=forward action=drop connection-state=invalid comment="Drop invalid forwarded connections."
#input
add chain=input action=accept in-interface-list=MGMT comment="!!!LOCAL ACCESS DO NOT DELETE OR DISABLE!!! Allow traffic to router itself from MGMT port."
add chain=input action=accept in-interface-list=DMZ comment="!!!LOCAL ACCESS DO NOT DELETE OR DISABLE!!! Allow traffic to router itself from DMZ port."
add chain=input action=drop comment="Drop remaining traffic to router itself."
#output

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=ONT comment="Send all traffic: DMZ -> ONT"
add chain=dstnat action=dst-nat in-interface-list=ONT to-addresses=10.1.10.2 comment="Send all traffic: ONT -> DMZ"

/interface ethernet
set eth10-ONT mac-address=<RG MAC>

---------- STEP 2 END ----------




---------- STEP 3 ----------

You can now reconnect with WinBox to IP address: 10.10.1.2.

At this time, you need to upload your gateway certificates to the router. Do this via WinBox > Files. There should be 3 files. A CA, a PK, and a Client.

---------- STEP 3 END ----------




---------- STEP 4 ----------

/certificate
import name=Client_XXXXXXXXXX.pem passphrase=""

/certificate settings
set crl-download=no
set crl-use=no

/interface dot1x client
add interface=eth10-ONT certificate=Client_XXXXXXXXXX.pem eap-methods=eap-tls identity=<RG MAC>

---------- STEP 4 END ----------
If anyone can be bothered to read through it, and see something I've left out, please let me know.
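For anyone who wants the RB4011 running the supplicant to be the edge device rather than a pass-through, here is a default-deny variant of the STEP 2 firewall and NAT sections, as an added example that is not Aerowinder's config and not anything posted in the thread. It keeps his interface names and lists (eth10-ONT in ONT, eth1-MGMT in MGMT, eth9-DMZ in DMZ), treats MGMT and DMZ as the trusted side, and uses a placeholder host and port for the single port forward. Apply it in place of his /ip firewall filter and nat sections; the DHCP client from STEP 2 and the certificate and dot1x client from STEP 4 stay as they are:

```routeros
# Added example (not Aerowinder's config): default-deny rules for using the
# MikroTik itself as the edge instead of a pass-through to pfSense.
# Assumes the interface lists ONT, MGMT and DMZ from STEP 2 above.
# The EAPOL frames handled by /interface dot1x client are not IP traffic,
# so nothing below has to be opened for the supplicant to authenticate.

/ip firewall filter
# --- input: only what the router itself should answer ---
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=accept in-interface-list=MGMT comment="management (WinBox/SSH) from MGMT only"
add chain=input action=accept in-interface-list=DMZ comment="DHCP and DNS for the DMZ side"
add chain=input action=accept in-interface-list=ONT protocol=udp src-port=67 dst-port=68 comment="DHCP lease traffic on the ONT side"
add chain=input action=drop comment="drop everything else, including management from the ONT side"

# --- forward: trusted side out, nothing in unless explicitly forwarded ---
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-state=new in-interface-list=MGMT comment="new connections from MGMT"
add chain=forward action=accept connection-state=new in-interface-list=DMZ comment="new connections from DMZ"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=ONT comment="only explicit port forwards from the ONT"
add chain=forward action=drop comment="default deny"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=ONT comment="masquerade behind the lease on eth10-ONT"
# Instead of the catch-all dst-nat in STEP 2, forward only specific services.
# 10.1.10.2 and tcp/443 are placeholders for a host and service of your choice:
add chain=dstnat action=dst-nat in-interface-list=ONT protocol=tcp dst-port=443 to-addresses=10.1.10.2 to-ports=443 comment="example port forward (placeholder)"
```

The difference from the pass-through rules is the final drop in the forward chain and the removal of the unconditional dst-nat: with those two changes nothing arriving on eth10-ONT reaches the inside unless a dstnat rule put it there, and the router's own services are never reachable from the ONT side.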
 
archerious (Member Candidate)

Thu Feb 06, 2020 2:31 am

Yeah I bought a NVG589 recently, with shipping it was $26. Not a bad price but not as inexpensive.
 
Medikit (just joined)

Mon Feb 10, 2020 3:55 am

I tried this on an RB4011 using certs from an NVG510. Unfortunately I kept getting "rejected" after "authenticating", I did make sure I set the clock properly.

I ran into some challenges, for example I couldn't find mfg.dat and none of the mounting commands would work. I followed a lead here: https://github.com/aus/pfatt/issues/14 and renamed my mtdblock4 to mfg.dat so perhaps I just created a garbage file and converted it using mfg_dat_decode along with the actual .der files. Not sure if anyone knows where to find the mfg.dat on the NVG510 or how to mount /mfg/.

My next step is likely to pick up an NVG589 if I can't try anything else with the NVG510.
 
archerious (Member Candidate)

Mon Feb 10, 2020 7:58 am

I'd highly recommend the NVG589; a buddy of mine reported nothing but problems when trying to use NVG510 certs for his Fiber service.

No proof......just speculation, but I suspect the AAA server is kicking NVG510 certs in some areas already. Heaven forbid if that happens to the NVG589 802.1x certs.
 
pcunite (Forum Guru, Topic Author)

Mon Feb 10, 2020 4:23 pm

The certs from the NVG510 work for VDSL, but not for fiber service.
 
Al4nw31 (just joined)

Fri Feb 14, 2020 7:57 am

Just extracted NVG589 certs and tried to authenticate using a RB750Gr3 but I can't get a lease. Certs are authenticating properly though. Applied fallback VLAN and it still doesn't work. Are there any other workarounds possible? May look to get a RB4011 to be honest.
 
archerious (Member Candidate)

Fri Feb 14, 2020 1:17 pm

Did you use the flash programmer method or downgrade 9.2.2h0d83 method to extract the certs?
 
pcunite (Forum Guru, Topic Author)

Fri Feb 14, 2020 3:05 pm

I can't get a lease. Applied fallback VLAN and it still doesn't work.

The RB750Gr3 uses a MT7621 switch chip. The Atheros8227 chips need fallback mode set. For the other types, you might try a different setting. Until MikroTik has a consistent firmware across the hardware lines, we will have to guess at what to do. Your certs are fine, see if you can get the vlan 0 working, otherwise, the RB4011 is preferred.
 
Al4nw31 (just joined)

Fri Feb 14, 2020 6:28 pm

I downgraded.
 
Oosik411 (just joined)

Thu Feb 27, 2020 6:55 am

Really? Dang...back to eBay. I thought other threads and topics said either work?
 
archerious (Member Candidate)

Thu Feb 27, 2020 8:33 am

I only managed with the NVG589; I bought four on eBay and was able to rip certs from two with the github method. The other two I was not able to; I'd probably have to desolder the NAND and put it on a flash programmer to dump the mfg.dat.
 
Oosik411
just joined
Posts: 4
Joined: Fri Jan 24, 2020 6:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 27, 2020 10:16 pm

I wonder if the NVG510 doesn't work due to how old it is and the certs have expired. eBay looks picked clean recently. It would be nice if ATT just let us use our own equipment.

Any ideas why the RB750GR3 doesn't handle certificates well? Other options are out of my price range; I was hoping to utilize this small wired router.
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 27, 2020 11:03 pm

I wonder if the NVG510 doesn't work due to how old it is and the certs have expired. eBay looks picked clean recently. It would be nice if ATT just let us use our own equipment.

Any ideas why the RB750GR3 doesn't handle certificates well? Other options are out of my price range; I was hoping to utilize this small wired router.
I suspect it's due to how VLAN 0 is handled based on my experience using wpa_supplicant on Ubiquiti's ER4 before switching to RB4011.
 
mikrohero
just joined
Posts: 1
Joined: Sat Feb 29, 2020 2:16 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Feb 29, 2020 2:48 am

Perhaps a stupid question, but is the only advantage of going with the supplicant method to prevent having the actual ATT Gateway powered on and active at all times? It seems like a lot of expense/hassle for me to return the hEX S router and Ubiquiti WAP I just bought, then buy a MikroTik RB4011, then scour eBay for an NVG589 to extract certs. If the only advantage I'm gaining is not having to use the ATT Gateway, I might just stick to the bridge method. However, my concern is that in other posts I saw that the "bridge" method ATT offers out of the box forces you to use their small NAT tables on the ATT gateway... is that still the case with this "dumb bridge" method?

OP, thanks a LOT for your research and time...seriously wonderful!
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Feb 29, 2020 10:45 pm

is the only advantage of going with the supplicant method to prevent having the actual ATT Gateway powered on and active at all times?

Basically, yes. If you are willing to keep the ATT RG powered up, then it's a very good method.
 
rooted
Member Candidate
Posts: 129
Joined: Tue Feb 04, 2020 5:58 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Feb 29, 2020 11:36 pm


@pcunite What about this?
However, my concern is that in other posts, I saw that the "bridge" method ATT offers out of the box forces you to use their small NAT tables on the ATT gateway...is that still the case with this "dumb bridge" method?
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Mar 01, 2020 3:23 am

@pcunite What about this?
However, my concern is that in other posts, I saw that the "bridge" method ATT offers out of the box forces you to use their small NAT tables on the ATT gateway ... is that still the case with this "dumb bridge" method?

The bridge method, as shown at the beginning of this thread, does not use the NAT tables of the ATT RG. After EAPOL, the ATT RG is disconnected via automatic disabling of the port it is connected to. I can't speak for other bridge methods posted on the internet.
 
Paul9cf22ad1
newbie
Posts: 37
Joined: Sun Mar 12, 2017 11:40 pm
Location: Seattle, WA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Mar 03, 2020 11:21 pm

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback
I think I have a similar issue, in that no IP address is acquired with an RB3011. So, I'm hoping I'm not messing up this thread. I'm not an expert, so I posted in the Beginner Basics section, but I saw this thread and tried the above. Unfortunately, it didn't help.

Cable Modem > RB3011 > PC
The RB3011 does not acquire an IP and there are no errors in the log. If I put an old Netgear or WRT router in place of the RB3011, they get an IP.

Cable Modem> NetGear > Switch > RB3011 > PC
The RB3011 gets an IP from the NetGear. I think because I didn't clear the RB3011 settings there are conflicts and I can't get to the internet. But the RB3011 doesn't seem totally bricked. Is my problem the same or similar enough to this thread's issue?
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Mar 05, 2020 11:48 pm

Is IPv6 possible? I know the Ubiquiti users have it with wpa_supplicant but it seems to be a little wonky.

My job has me working from home lately and the VPN they use apparently is having some minor issues since it tries to connect me via both ipv4 and ipv6.

EDIT: Stupid me, I had IPv6 disabled under packages; I had to enable it and reboot. Then I just added the ipv6 dhcp-client and tested. So far it seems to be working fine.
 
nitrag
just joined
Posts: 21
Joined: Thu Jun 15, 2017 9:22 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Mar 19, 2020 4:22 pm

Thanks for this thread! I got mine working on my RB4011.

@Paul I had issues being authenticated but no IP Address from DHCP as well.

1. Make sure Identity and Anon-Identity in Dot1x are your Gateway's MAC address, with colons.
2. Set the ether1 switch port to fallback AND vlan-id=0. Although... it seems that it was no longer set to fallback the next morning. Hmm.
Last edited by nitrag on Mon Apr 27, 2020 8:31 pm, edited 1 time in total.
 
abiv
just joined
Posts: 24
Joined: Sat Nov 23, 2019 4:51 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Apr 07, 2020 3:03 am

Anyone know why, sometimes when the connection dies, replugging the AT&T router re-establishes the connection but only at 500 Mbit speed? I have to reboot the MikroTik router to get back to 1000 Mbit.

(I'm using the bridge method, I power down the AT&T router after it authenticates)
 
SupermanSC
just joined
Posts: 7
Joined: Tue Feb 18, 2020 5:15 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Apr 15, 2020 9:20 am

Thanks for this thread! I got mine working on my RB4011.

@Paul I had issues being authenticated but no IP Address from DHCP as well.

1. Make sure Identity and Non-Identity in Dot1x are your Gateway's MAC address.
2. Set the ether1 switch port to fallback AND vlan-id=0. Although... it seems that it was no longer set to fallback the next morning. Hmm.
Hi Nitrag, could you possibly export your config with hide-sensitive? There are discrepancies throughout this thread on the Dot1X config. The primary post says to only use Identity, however many seem to also be specifying Non-Identity; some are using colons in the MAC, others aren't. I've tried it all and they all fail. I authenticate with Dot1X fine, however I never receive an IP address. I'm using an RB4011.
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Apr 19, 2020 1:24 pm

I'm still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something.

That said, since I was able to get it working in two phases, this time I automated it. The idea is to have a script monitor things and automatically take the interface in and out of the bridge based on the 802.1x status.

On my CCR1009-7G-1C-1S+ (passively cooled, 1200 MHz), I barely break 6% overall CPU with quite a few rules (optimized though), fast path, etc. at 1 Gbps.

The entire setup is as follows:

Replace the following with your values:
  • bridge-ont - the bridge that strips VLAN 0 tags, has one interface on it that connects to the ONT
  • ether3-ont - the interface connected directly to the ONT
  • 00:00:00:00:00:00 - the MAC address that matches the 802.1x cert bundle that you've uploaded
  • name_of_cert - upload your cert bundle and select this in the dot1x settings

Set up the interfaces, bridge and dot1x:
# the interface MAC must be the same MAC as the 802.1x cert bundle (placeholder, replace as above)
/interface ethernet set [find name=ether3-ont] mac-address=00:00:00:00:00:00

/interface bridge add admin-mac=00:00:00:00:00:00 auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=ether3-ont

/interface dot1x client add anon-identity=00:00:00:00:00:00 certificate=name_of_cert eap-methods=eap-tls identity=00:00:00:00:00:00 interface=ether3-ont
/certificate settings set crl-use=no

This is the script that I run every 5 seconds, which is probably overkill, but it doesn't write any config changes or log anything unless something changes so should be fine in terms of NAND wear, etc. I'll probably tune it down to every minute later.
:local interfaceOnt "ether3-ont"
:local bridgeOnt "bridge-ont"

:local scriptName "CheckDot1x"
:local dot1xStatus [/interface dot1x client get [find interface=$interfaceOnt] status]
:local portDisabled [/interface bridge port get [find bridge=$bridgeOnt interface=$interfaceOnt] disabled]

#:log info "$scriptName: Checking, dot1xStatus=$dot1xStatus, portDisabled=$portDisabled"

:if ($dot1xStatus = "authenticated") do={
  :if ($portDisabled) do={
    :log warn "$scriptName: authenticated, enabling bridge"
    /interface bridge port enable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
} else={
  :if (!$portDisabled) do={
    :log warn "$scriptName: not authenticated ($dot1xStatus), disabling bridge"
    /interface bridge port disable [find bridge=$bridgeOnt interface=$interfaceOnt]
  }
}

For easy adding:
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup

Finally place your DHCP on the "bridge-ont" interface. I'm able to pull both IPv4 and a /60 of IPv6, which I've split up into three /64 subnets for my private network, IoT and guest networks.
Can you show me a screenshot of what it looks like under your DHCPv6 client? If I request a /60 it doesn't work, I have to set pool prefix length to /64 for it to work. Also your IPv6 address list would be helpful, censoring out most of it all is fine I just need to see what I'm doing wrong.
 
trekbike
just joined
Posts: 6
Joined: Fri Nov 01, 2013 10:38 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Apr 25, 2020 4:21 am

Good evening all,

I have had several MikroTik products over the last seven years and have been an AT&T fiber-to-the-premises customer for about a year now... I currently have the RB4011, so I was very happy to read about this option of completely removing the AT&T gateway from the mix. I have read this post almost completely and still have a few questions. The first question is primarily because I am seeing some conflicting information regarding the extraction of certs... My AT&T gateway is the Pace Plc 5268AC, which I have seen referenced many times. I have also seen the suggestion to go and buy an NVG589 off eBay and get the certs (keys) from that...

Question 1: Can I get the certs (or keys) out of the AT&T (Pace) gear that I have provisioned and running?

Question 2 is more procedural. How do you export the certs/keys from the gateway, OR are they compiled from the (hexadecimal) packet captures obtained with Wireshark?

I learned the hard way to unplug my (Mikrotik) access point to silence it from looking for its gateway in the packet capture... Oops. I also saw Dropbox (on my laptop) doing its typical "discover protocol" a lot so that is just more noise to filter out.

Many thanks to you all!

Tom
 
nitrag
just joined
Posts: 21
Joined: Thu Jun 15, 2017 9:22 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Apr 27, 2020 8:30 pm

Thanks for this thread! I got mine working on my RB4011.

@Paul I had issues being authenticated but no IP Address from DHCP as well.

1. Make sure Identity and Non-Identity in Dot1x are your Gateway's MAC address.
2. Set the ether1 switch port to fallback AND vlan-id=0. Although... it seems that it was no longer set to fallback the next morning. Hmm.
Hi Nitrag, could you possibly export your config with hide-sensitive? There are discrepancies throughout this thread on the Dot1X config. The primary post says to only use Identity, however many seem to also be specifying Non-Identity; some are using colons in the MAC, others aren't. I've tried it all and they all fail. I authenticate with Dot1X fine, however I never receive an IP address. I'm using an RB4011.
Sorry for the late reply, I don't have notifications set up.

Dot1x:
Interface: <your external interface>
EAP Mode: EAP TLS
Identity: <MAC address, all uppercase, with colons>
Password: <empty>
Anon-Identity: <same as Identity>
Certificate: <Client certificate>

The DHCP Client is nothing special, just the default pointed at the external interface.
 
mrlane2k
just joined
Posts: 2
Joined: Fri Apr 03, 2020 11:19 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat May 02, 2020 3:25 am

I was able to follow through and get everything set up; dot1x is getting to authenticated, however, I never get an IP through the DHCP client.
I've attached my config below (the MAC has been changed from the gateway MAC); any insight into what I am doing wrong would be greatly appreciated.

Thanks!
# may/01/2020 12:01:26 by RouterOS 6.46.6
# software id = QMHQ-Y8J6
#
# model = RB750Gr3
# serial number = 8B0009035633
/interface bridge
add admin-mac=B8:69:F4:D1:3E:C6 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.100.150-192.168.100.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/certificate settings
set crl-download=no crl-store=system crl-use=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-96868569509824.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
/ip address
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=America/Indiana/Indianapolis
/system routerboard mode-button
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
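Because the thread disagrees on the Dot1x fields, here is an added consistency check (my own example, not any poster's configuration) that parses a RouterOS export like the one above and verifies the settings nitrag listed: identity is an uppercase, colon-separated MAC, anon-identity equals it, EAP-TLS is used, the ethernet interface MAC matches the identity, crl-use=no is set, and an enabled DHCP client sits on the dot1x interface or on a bridge containing it. It assumes interfaces keep their default names (default-name equals name); the sample exports are constructed with placeholder MACs.

```python
"""Check a RouterOS export against the Dot1x settings discussed in the thread (added example,
not any poster's configuration). Assumes interfaces keep their default names."""
import re
import shlex

# nitrag's settings: identity is the gateway MAC, uppercase, with colons
MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")
FIND_RE = re.compile(r"^\[\s*find\s+(.*?)\s*\]\s*")


def join_continuations(text):
    """Join export lines ending in a backslash; drop comment and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()  # continuation lines are indented in exports
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            lines.append(buf.strip())
        buf = ""
    return lines


def parse_export(text):
    """Return (section, verb, selector, attrs) tuples; selector is a dict for '[ find ... ]',
    a string for 'set <item> ...' and None for 'add'."""
    entries, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        selector, m = None, FIND_RE.match(rest)
        if m:
            selector = dict(t.split("=", 1) for t in shlex.split(m.group(1)) if "=" in t)
            rest = rest[m.end():]
        elif verb == "set" and rest and "=" not in rest.split(" ", 1)[0]:
            selector, _, rest = rest.partition(" ")
        attrs = dict(t.partition("=")[::2] for t in shlex.split(rest))
        entries.append((section, verb, selector, attrs))
    return entries


def check_dot1x(text):
    """Return a list of findings; an empty list means the export passes every check."""
    entries = parse_export(text)
    findings = []
    clients = [a for s, v, _, a in entries if s == "/interface dot1x client" and v == "add"]
    if not clients:
        return ["no /interface dot1x client configured"]
    if not any(s == "/certificate settings" and a.get("crl-use") == "no" for s, _, _, a in entries):
        findings.append("/certificate settings crl-use=no is not set")
    ether_macs, bridge_ports, dhcp_ifaces = {}, {}, set()
    for s, v, sel, a in entries:
        if s == "/interface ethernet" and isinstance(sel, dict) and "mac-address" in a:
            ether_macs[sel.get("name") or sel.get("default-name")] = a["mac-address"]
        elif s == "/interface bridge port" and v == "add":
            bridge_ports.setdefault(a.get("bridge"), set()).add(a.get("interface"))
        elif s == "/ip dhcp-client" and v == "add" and a.get("disabled", "no") == "no":
            dhcp_ifaces.add(a.get("interface"))
    for c in clients:
        iface, ident = c.get("interface"), c.get("identity", "")
        if not MAC_RE.match(ident):
            findings.append(f"{iface}: identity {ident!r} is not an uppercase colon-separated MAC")
        if c.get("anon-identity") != ident:
            findings.append(f"{iface}: anon-identity differs from identity")
        if c.get("eap-methods") != "eap-tls":
            findings.append(f"{iface}: eap-methods is not eap-tls")
        if ether_macs.get(iface) != ident:
            findings.append(f"{iface}: interface mac-address does not match identity")
        bridges = {b for b, ports in bridge_ports.items() if iface in ports}
        if iface not in dhcp_ifaces and not bridges & dhcp_ifaces:
            findings.append(f"{iface}: no enabled dhcp-client on the interface or a bridge containing it")
    return findings


SAMPLE_OK = """\
# constructed sample modelled on the export above; MACs are placeholders
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:11:22:AA:BB:CC
/certificate settings
set crl-use=no
/interface dot1x client
add anon-identity=00:11:22:AA:BB:CC certificate=\\
    Client_placeholder.pem_0 eap-methods=eap-tls identity=\\
    00:11:22:AA:BB:CC interface=ether1
/ip dhcp-client
add disabled=no interface=ether1
"""

SAMPLE_BAD = """\
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:11:22:AA:BB:CC
/interface dot1x client
add certificate=Client_placeholder.pem_0 eap-methods=eap-tls identity=001122aabbcc interface=ether1
/ip dhcp-client
add disabled=no interface=bridge-wan
"""
```

Run check_dot1x over the text of `/export` and act on the findings; the constructed SAMPLE_BAD reports five (missing crl-use=no, lowercase identity without colons, missing anon-identity, MAC mismatch, DHCP client on an unrelated interface).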
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 03, 2020 1:14 pm

If anyone is up for sending me a CCR1009 (the new one without any switch chips), I would like to solve this puzzle.
I am, sent PM and email.
 
trekbike
just joined
Posts: 6
Joined: Fri Nov 01, 2013 10:38 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 03, 2020 7:07 pm

Hi,

It has been a week or so since I posted the questions above... I can see my post but now I am wondering if anyone else can. Just hoping for some responses.

Thanks!

Tom
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 04, 2020 1:05 am

I was able to follow through and get everything set up; dot1x is getting to authenticated, however, I never get an IP through the DHCP client.
I've attached my config below (the MAC has been changed from the gateway MAC); any insight into what I am doing wrong would be greatly appreciated.

Thanks!
I was looking over your config, can you disable the rules you have now and try pcunite's? It likely doesn't matter but it'll be useful until my hex arrives. Until then I can't test in person.
 
mrlane2k
just joined
Posts: 2
Joined: Fri Apr 03, 2020 11:19 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 05, 2020 1:31 am

I was able to follow through and get everything set up; dot1x is getting to authenticated, however, I never get an IP through the DHCP client.
I've attached my config below (the MAC has been changed from the gateway MAC); any insight into what I am doing wrong would be greatly appreciated.

Thanks!
I was looking over your config, can you disable the rules you have now and try pcunite's? It likely doesn't matter but it'll be useful until my hex arrives. Until then I can't test in person.
I setup the wan bridge on ether1 with vlan_filter on, and it fired right up.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 05, 2020 4:54 am

I was able to follow through and get everything setup, dot1x is getting to authenticated, however, I never get an ip through the DHCP client.
I've attached my config below (MAC has been changed from the gateway MAC), any insight into what I am doing wrong would be greatly appreciated.

Thanks!
# may/01/2020 12:01:26 by RouterOS 6.46.6
# software id = QMHQ-Y8J6
#
# model = RB750Gr3
# serial number = 8B0009035633
/interface bridge
add admin-mac=B8:69:F4:D1:3E:C6 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.100.150-192.168.100.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/certificate settings
set crl-download=no crl-store=system crl-use=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-96868569509824.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
/ip address
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.100.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/system clock
set time-zone-name=America/Indiana/Indianapolis
/system routerboard mode-button
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I was looking over your config, can you disable the rules you have now and try pcunite's? It likely doesn't matter but it'll be useful until my hex arrives. Until then I can't test in person.
I setup the wan bridge on ether1 with vlan_filter on, and it fired right up.
Nice!
 
Zips
just joined
Posts: 6
Joined: Sat Feb 11, 2017 6:09 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 07, 2020 6:18 pm

Greetings,

First time posting :) long time lurking

I'm trying to bypass AT&T as well. I have the BGW210 and I was able to downgrade the modem back to firmware 1.0.29 and extract the keys and certs, then upgrade it back to firmware 2.6.4, and it works fine. My MikroTik router is the CRS125-24G-1S-2HnD, and I have tried everything and cannot get the modem to authenticate; I'm always getting "authenticated without server" and a couple of times "Auth was rejected". I don't know what else to try. I know you guys mentioned the port has to be set to fallback and vlan-id=0, but how do I do that with this router?
Any help will be appreciated
Thanks

-Z
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 07, 2020 6:25 pm

I have the BGW210 and I was able to downgrade the modem back to firmware 1.0.29 and extracted the keys and certs, then upgraded it back to firmware 2.6.4 and it works fine. My MikroTik router is the CRS125-24G-1S-2HnD ... how do I do that with this router?

Only the RB4011 is recommended at this time.
 
Zips
just joined
Posts: 6
Joined: Sat Feb 11, 2017 6:09 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 07, 2020 6:52 pm

I have the BGW210 and I was able to downgrade the modem back to firmware 1.0.29 and extracted the keys and certs, then upgraded it back to firmware 2.6.4 and it works fine. My MikroTik router is the CRS125-24G-1S-2HnD ... how do I do that with this router?

Only the RB4011 is recommended at this time.
Both, Bridge Method and the Supplicant Method??

Thanks

-Z
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 07, 2020 11:42 pm

Both? The Bridge Method and the Supplicant Method?

I was referring to the Supplicant Method, only the RB4011 is recommended.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 3:25 am

Both? The Bridge Method and the Supplicant Method?

I was referring to the Supplicant Method, only the RB4011 is recommended.
I'm surprised the hEX/RB750Gr3 isn't recommended, especially for people on 300/300 or 100/100. Does it not work well with wpa_supplicant despite having a switch chip?
Last edited by archerious on Fri May 08, 2020 3:28 am, edited 1 time in total.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 3:28 am

...
- When I tried without the Bridge I use only one interface and override the MAC. When I tried with the bridge I left the interface with the original MAC.
...
Nothing different than the suggested ones. I also reset the configuration without "Default config".

# The ONT-facing port carries the MAC that matches the extracted RG certificate
/interface ethernet set [find name=combo1] mac-address="DEFAULT MAC ADDRESS"
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=combo1
# EAP-TLS supplicant bound to the bare interface, using the extracted client certificate
/interface dot1x client add anon-identity=xx:xx:xx:xx:xx:xx certificate=Client_00000-00000000.pem_0 eap-methods=eap-tls identity=xx:xx:xx:xx:xx:xx interface=combo1
/certificate settings set crl-use=no

Ugh, it should have at least done dot1x successfully when standalone. In bridge mode though, the combo1 interface needs the MAC from the certificate. 802.1x is done on the interface level, not the bridge (in fact only works when disabled from the bridge per my script).

I'm lost :( You have the same router and it doesn't work like it does for me. Right now I'm stripping packets with another switch, but don't understand why it isn't working for you.

Update

When working with the Atheros8227 switch chip, you must set vlan-mode=fallback on the WAN port. This enabled me to get the hEX PoE to work. Therefore, it seems that on some MikroTik boards, they will drop ingress packets that have a VLAN id of 0. Thus, you must account for this. Of note, I only use a bare interface. I didn't put the WAN port on a software bridge.

The question now. How to do this on the CCR1009 boards?

# allow ingress packets with VLAN ID 0, to not get dropped
/interface ethernet switch port
set ether1 vlan-mode=fallback

Good find. Other thing that may work is "vlan-header=always-strip" to get rid of the VLAN tag entirely as well.

I have a RB750Gr3 which doesn't have VLAN capabilities on the switch, so I'd have to resort to bridge VLAN filtering and do it in software or my current method (a VLAN switch to strip it before the CCR1009).

What's interesting with devices that support hardware switch VLAN is these two things:

  • if it supports vlan-mode (and probably vlan-header) then you can fix up the packets marked with VLAN 0 and process them
  • if it supports VLAN rules on the switch, you can do fancy things like hook the ONT to port 1, forward ethertype = 0x888E (EAPOL) to port 2 on the RG, and the rest to the Mikrotik
    /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
    /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

Still lost why jack2020 can't get it to work on the same exact model I have, the CCR1009-7G-1C (without switches). Hmm.
What brand and model switch are you using to strip VLAN 0? I'm still thinking of going CCR2004 for fun since I have some SFP28 NICs.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 6:47 am

I'm surprised the hEX/RB750Gr3 isn't recommended especially for people on 300/300 or 100/100. Does it not work well with wpa_supplicant despite having a switch chip?

Recommended just means what most have reported success with. Since the RB4011 is known to work, it is therefore, recommended.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 10:57 am

I'm surprised the hEX/RB750Gr3 isn't recommended especially for people on 300/300 or 100/100. Does it not work well with wpa_supplicant despite having a switch chip?

Recommended just means what most have reported success with. Since the RB4011 is known to work, it is therefore, recommended.
I understand. For CCRs, what model switches have people been using in front of it to take care of the VLAN 0 tagging?

I tried on my Edgeswitch 10X laying around but it doesn't allow the use of VLAN 0.

Thanks~!
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 6:37 pm

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?

Ask wojo
 
wojo
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 7:40 pm

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?
Ask wojo

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766394

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Last edited by wojo on Fri May 08, 2020 9:04 pm, edited 1 time in total.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 8:24 pm

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging?
Ask wojo

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Thank you so much for the info. What did you have to do on the TP-Link, and which model was it? I tried with a UBNT switch, and I'll soon try with an older HP switch, but most don't seem to allow much playing around with VLAN 0.

Guess I'll try to just strip header with a switch if all else fails.
 
wojo
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 9:05 pm

Thank you so much for the info, what did you have to do on the tp link and which model was it? I tried with a ubnt switch and soon with an older hp switch will try but most don't seem to allow much playing around with vlan 0.

Guess I'll try to just strip header with a switch if all else fails.
Oops, second link was incorrect. Switch model was TL-SG2216, a pretty basic switch around $90 USD and I'm not using super fancy features.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 9:25 pm

Oops, second link was incorrect. Switch model was TL-SG2216, a pretty basic switch around $90 USD and I'm not using super fancy features.
God bless you, thank you. I will order that switch if I can't get it working with any other. Did you also have to spoof the MAC of the switch or anything like that?
 
wojo
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 9:49 pm



God bless you, thank you will order that switch if I can't get it working without any other. Did you also have to spoof the Mac of the switch or anything like that?

Good luck. They have an 8 port model here too: https://www.tp-link.com/us/business-net ... rt-switch/ at $50.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 10:10 pm

I want to clarify with some information provided to me.

The ATT Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their Commercial gateways send all outgoing packets as 802.1q PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G fiber service does not, for example, force me to emulate what the BGW210 did. Currently, MikroTik does not allow us to set these tags on a bare interface. If anyone has this figured out, let me know. This issue is why people have problems on non-RB4011 hardware.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 10:14 pm

I want to clarify with some information provided to me.

The ATT Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their Commercial gateways send all outgoing packets as 802.1q PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G fiber service does not, for example, force me to emulate what the BGW210 did. Currently, MikroTik does not allow us to set these tags on a bare interface. If anyone has this figured out, let me know. This issue is why people have problems on non-RB4011 hardware.
That's neat. I know in my area it requires VLAN 0, and they seem to re-auth with EAP weekly; that's why I went for the wpa_supplicant method, as rebooting weekly (sometimes at random times) to re-auth with the bridge method just wasn't ideal.

Is there a reason for them to even tag vlan 0 other than to be annoying?
 
wojo
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri May 08, 2020 10:32 pm

Is there a reason for them to even tag vlan 0 other than to be annoying?

... I think annoying us may be the reason ;)
 
hapoo
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Wed Apr 24, 2019 1:35 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat May 09, 2020 7:13 pm

I want to clarify with some information provided to me.

The ATT Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their Commercial gateways send all outgoing packets as 802.1q PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G fiber service does not, for example, force me to emulate what the BGW210 did. Currently, MikroTik does not allow us to set these tags on a bare interface. If anyone has this figured out, let me know. This issue is why people have problems on non-RB4011 hardware.
Not sure what the implication of this is. Would it be possible to do this setup for a Commercial gateway using an RB4011?

I'm interested in setting up a MikroTik as strictly a modem on a commercial account: just authorizing the connection and passing it through, without DHCP or NAT, to another router. Not sure how to go about doing it though.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 10, 2020 2:12 pm

I was able to follow through and get everything setup, dot1x is getting to authenticated, however, I never get an ip through the DHCP client.
I've attached my config below (MAC has been changed from the gateway MAC), any insight into what I am doing wrong would be greatly appreciated.

Thanks!
I was looking over your config, can you disable the rules you have now and try pcunite's? It likely doesn't matter but it'll be useful until my hex arrives. Until then I can't test in person.
I setup the wan bridge on ether1 with vlan_filter on, and it fired right up.
My hex arrived and you're correct. Main issue is 802.1x doesn't work with bridge_wan on, I have to turn that off, give it a minute to authenticate, then turn bridge (and thus vlan filtering) back on.

Since it's all software bridging it does affect performance a bit, but it was better than expected.

Image

Image

I'd assume a script that checks for 802.1x status connecting or authenticating or rejected would then turn off bridge_wan, then when it says authenticated, turn back on bridge_wan. That should get it surviving reboots and working even if ONT loses connection for a few minutes that way we don't have to manually disable bridge_wan until 802.1x authenticates.

Relevant pics:

Vlan 0:
Image

Bridge_wan working:
Image

Bridge_wan settings:
Image

802.1x/EAP auth rejected if Bridge_WAN on before it auths, need to have bridge_wan off first:
Image

802.1x/EAP authentication successful when bridge_wan off first, then after auth turning bridge_wan on gets an IPv4 via dhcp client.
Image

All in all not bad from this little device, if it was able to remove the headers on the switch chip instead of software it would probably be quicker but 600mbps down is the same as my ER4 would usually get on wpa_supplicant lol and it cost significantly more.
 
erickasper
Trainer
Trainer
Posts: 6
Joined: Tue May 30, 2017 4:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 10, 2020 9:45 pm

I am still getting "rejected" or "authenticated without server" on my RB750Gr3. I am trying the most basic config (see below) just to authenticate.
1) My certs are from my own BGW210-700 and client has KT.
2) Clock is set.
3) RG MAC assigned to ether1

Can you post your basic config (without macs of course)?
# may/10/2020 14:34:39 by RouterOS 6.46.6
# software id = MHJV-FY15
#
# model = RouterBOARD 750G r3
# serial number = 6F39077E64FE
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
set 5 default-vlan-id=0
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-27179080442272.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
 
wojo
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 3:26 am

I'd assume a script that checks for 802.1x status connecting or authenticating or rejected would then turn off bridge_wan, then when it says authenticated, turn back on bridge_wan. That should get it surviving reboots and working even if ONT loses connection for a few minutes that way we don't have to manually disable bridge_wan until 802.1x authenticates.

That's what I did before the RB4011 (or dedicated switch), script located at viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 2:51 pm

I am still getting "rejected" or "authenticated without server" on my RB750Gr3. I am trying the most basic config (see below) just to authenticate.
1) My certs are from my own BGW210-700 and client has KT.
2) Clock is set.
3) RG MAC assigned to ether1

Can you post your basic config (without macs of course)?
# may/10/2020 14:34:39 by RouterOS 6.46.6
# software id = MHJV-FY15
#
# model = RouterBOARD 750G r3
# serial number = 6F39077E64FE
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
set 5 default-vlan-id=0
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-27179080442272.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
Will do soon, but did you make sure to make basic Allow Established and Allow LAN rules in firewall? Otherwise that might be affecting things, also make sure you made vlan0 the fallback for ether1.

EDIT: Config was basically the same but had several firewall rules, yours do not. Use PCUnite's, I am using his, but you'll need to create two interface lists for WAN and LAN.

Image
Last edited by archerious on Mon May 11, 2020 6:22 pm, edited 1 time in total.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 2:53 pm

I'd assume a script that checks for 802.1x status connecting or authenticating or rejected would then turn off bridge_wan, then when it says authenticated, turn back on bridge_wan. That should get it surviving reboots and working even if ONT loses connection for a few minutes that way we don't have to manually disable bridge_wan until 802.1x authenticates.

That's what I did before the RB4011 (or dedicated switch), script located at viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284
That's awesome! Thanks, will use that for my nephew's fiber (hex/RB750Gr3 is good enough for him).
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 6:09 pm

Phew, this is digging back. I did two things with my CCR:

1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass traffic: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

2) using a managed switch, in my case from TP-Link, to strip VLAN tags: viewtopic.php?f=23&t=154954&sid=35ff16c ... 2f#p766284

I decided on the RB4011 as it was less of an overkill than the CCR1009, and also a single device solution. If I went back I still favor #2 as it is simpler. I didn't like scripts or even worse those solutions that require power cycling of switches to get things to work (scary when power goes out, etc).
Thank you so much for the info, what did you have to do on the tp link and which model was it? I tried with a ubnt switch and soon with an older hp switch will try but most don't seem to allow much playing around with vlan 0.

Guess I'll try to just strip header with a switch if all else fails.
Oops, second link was incorrect. Switch model was TL-SG2216, a pretty basic switch around $90 USD and I'm not using super fancy features.
God bless you, thank you will order that switch if I can't get it working without any other. Did you also have to spoof the Mac of the switch or anything like that?

Good luck. They have an 8 port model here too: https://www.tp-link.com/us/business-net ... rt-switch/ at $50.
It's fantastic, literally plug and play, didn't have to change any settings on Tp-link switch. Removed all bridges on hex, and the speeds are honestly just 200-250mbps slower on upload than RB4011, the downstream is line rate. Never went past 35% cpu usage either.

Speedtest with bridge_lan but removed bridge_wan:

Image

Now the bottom three are speedtests with no bridges at all, just ether1 for WAN and ether2 for LAN:

Image

Image

Image

Hex is honestly pretty amazing, PCUnite it might be worth recommending this with the tp-link for those on a budget (like my nephew) since it's working perfectly. The script provided by wojo also works perfectly for those that don't want to buy the tp-link switch.

Screenshot while running speedtests:

Image
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 941
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 6:34 pm

........................ ....................
It's fantastic, literally plug and play, didn't have to change any settings on Tp-link switch. Removed all bridges on hex, and the speeds are honestly just 200-250mbps slower on upload than RB4011, the downstream is line rate. Never went past 35% cpu usage either.
................ ..........................
Hex is honestly pretty amazing, PCUnite it might be worth recommending this with the tp-link for those on a budget (like my nephew) since it's working perfectly. The script provided by wojo also works perfectly for those that don't want to buy the tp-link switch.
@archerious
Yes, when properly configured [Just like You did] the hEX is a very nice little Router that delivers great performance !!!
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon May 11, 2020 6:41 pm

........................ ....................
It's fantastic, literally plug and play, didn't have to change any settings on Tp-link switch. Removed all bridges on hex, and the speeds are honestly just 200-250mbps slower on upload than RB4011, the downstream is line rate. Never went past 35% cpu usage either.
................ ..........................
Hex is honestly pretty amazing, PCUnite it might be worth recommending this with the tp-link for those on a budget (like my nephew) since it's working perfectly. The script provided by wojo also works perfectly for those that don't want to buy the tp-link switch.
@archerious
Yes, when properly configured [Just like You did] the hEX is a very nice little Router that delivers great performance !!!
Thank you :)
 
erickasper
Trainer
Trainer
Posts: 6
Joined: Tue May 30, 2017 4:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 12, 2020 1:17 am

I am still getting "rejected" or "authenticated without server" on my RB750Gr3. I am trying the most basic config (see below) just to authenticate.
1) My certs are from my own BGW210-700 and client has KT.
2) Clock is set.
3) RG MAC assigned to ether1

Can you post your basic config (without macs of course)?
# may/10/2020 14:34:39 by RouterOS 6.46.6
# software id = MHJV-FY15
#
# model = RouterBOARD 750G r3
# serial number = 6F39077E64FE
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
set 5 default-vlan-id=0
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-27179080442272.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
Will do soon, but did you make sure to make basic Allow Established and Allow LAN rules in firewall? Otherwise that might be affecting things, also make sure you made vlan0 the fallback for ether1.

EDIT: Config was basically the same but had several firewall rules, yours do not. Use PCUnite's, I am using his, but you'll need to create two interface lists for WAN and LAN.
Thanks for the info. I am only trying to authenticate at this point, so I really shouldn't need LAN setup and firewall rules. My plan actually is to pass the connection to another router. Do you have a WAN bridge? Are you turning it on/off at any point? Do you have a switch stripping tags, as I am seeing vlan 0 on all the incoming authentication packets?
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 12, 2020 12:58 pm

I am still getting "rejected" or "authenticated without server" on my RB750Gr3. I am trying the most basic config (see below) just to authenticate.
1) My certs are from my own BGW210-700 and client has KT.
2) Clock is set.
3) RG MAC assigned to ether1

Can you post your basic config (without macs of course)?
# may/10/2020 14:34:39 by RouterOS 6.46.6
# software id = MHJV-FY15
#
# model = RouterBOARD 750G r3
# serial number = 6F39077E64FE
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:00:00:00:00:00
/interface ethernet switch port
set 0 default-vlan-id=0
set 5 default-vlan-id=0
/certificate settings
set crl-download=no crl-use=no
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=\
    Client_001E46-27179080442272.pem_0 eap-methods=eap-tls identity=\
    00:00:00:00:00:00 interface=ether1
Will do soon, but did you make sure to make basic Allow Established and Allow LAN rules in firewall? Otherwise that might be affecting things, also make sure you made vlan0 the fallback for ether1.

EDIT: Config was basically the same but had several firewall rules, yours do not. Use PCUnite's, I am using his, but you'll need to create two interface lists for WAN and LAN.
Thanks for the info. I am only trying to authenticate at this point, so I really shouldn't need LAN setup and firewall rules. My plan actually is to pass the connection to another router. Do you have a WAN bridge? Are you turning it on/off at any point? Do you have a switch stripping tags, as I am seeing vlan 0 on all the incoming authentication packets?
I tested with using a tp-link that was recommended by wojo, and that was easy as pie. If you want to use a software bridge (no switch to strip tags) use the script wojo made:
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue May 12, 2020 1:06 pm

I want to clarify with some information provided to me.

The ATT Residential RG sends all outgoing packets as 802.1p (tagged with VLAN 0). Their Commercial gateways sends all outgoing packets as 802.1q PVID 2 (tagged with VLAN 2). These are not always enforced, as I understand it. My residential 1G fiber service does not, for example, force me to emulate what the BGW210 did. Currently, MikroTik does not allow us to set these tags, on a bare interface. If anyone has this figured out, let me know. This issue is why people have problems on non-RB4011 hardware.
My nephew is loving the hEX/RB750Gr3, but my RB4011 showing error under dhcp client.

It's working fine based on speedtests and no packet loss, but yet shows "error" under DHCP Client and doesn't show the usual expires after 60 min, it says 5d etc. I don't have any errors in the logs oddly enough. Have you encountered the same error before? If so, should I worry about it or just ignore it?

Image

EDIT: Did a reboot and that seems to have resolved it.
Image
 
technoredneck
just joined
Posts: 3
Joined: Wed Aug 28, 2019 10:40 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 6:08 pm

Man, I've tried everything that I can think of to get the supplicant method to work on my CCR1009, but it's all been a no-go. I tried to duplicate wojo's switch in front method with a TP-Link TL-SG105E, but I couldn't get authenticated with his settings. I ended up actually getting authenticated once when I enabled MTU Vlans and used the ONT interface as an uplink (go figure), but even that wasn't kosher because then I could never get a DHCP address from the network afterwards. At this point, I've given up since whenever I take the Internet down in this house...it's practically World War III. Specifically, I've got a CCR1009-7G-1C-1S+PC for what it's worth. I'd really like to get the RGW out of the way here, but for now...here it sits.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 7:13 pm

Man, I've tried everything that I can think of to get the supplicant method to work on my CCR1009, but it's all been a no-go. I tried to duplicate wojo's switch in front method with a TP-Link TL-SG105E, but I couldn't get authenticated with his settings. I ended up actually getting authenticated once when I enabled MTU Vlans and used the ONT interface as an uplink (go figure), but even that wasn't kosher because then I could never get a DHCP address from the network afterwards. At this point, I've given up since whenever I take the Internet down in this house...it's practically World War III. Specifically, I've got a CCR1009-7G-1C-1S+PC for what it's worth. I'd really like to get the RGW out of the way here, but for now...here it sits.
That switch might not do VLAN filtering; try this switch from TP-Link, and if it doesn't work out, return it to Amazon. Specifically model T1500G-8T.

To summarize, you are authenticating fine, but you still need a switch or software bridge to remove the vlan headers/strip them, so you can pass traffic through and obtain an IP via dhcp-client.

If you give up it's understandable, but either try the wojo script again or using the switch that wojo and I have it working with. If you sell your CCR1009 you can use the funds to easily cover the cost of a RB4011 if you chose to go that route.

Personally I tried an Aruba 2530 (HPE), Ubiquiti Edgeswitch 10x, and an older tp-link smart switch. None of them worked, except the TP-Link T1500G-8T that wojo recommended.
 
vikinggeek
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 7:30 pm

The limitation that the bridge is not handling VLAN 0 has been present for a while. Has anyone filed a bug report to MT support about the shortcoming? Or is the only option to use a device with the appropriate switch chip?
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 7:39 pm

The limitation that the bridge is not handling VLAN 0 has been present for a while. Has anyone filed a bug report to MT support about the shortcoming? Or is the only option to use a device with the appropriate switch chip?
Wojo has a script that can do everything without a switch chip on the router.

That being said using a $49 tp-link in front of an RB750Gr3 works fine. I haven't seen my nephew with issues, personally I might even buy a hEX since the RB4011 I own heats up the small office I work in a little more than I'd like, plus it's overkill for me.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 8:22 pm

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage:

Image

Image
 
wojo
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 9:23 pm

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage:

It's quite good! In fact, selling my CCR1009 and keeping the RB4011 as my primary, and the hEX RB750Gr3 as my backup on the shelf (along with a TP-Link switch) as a backup. It's more than capable if you can do FastPath.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 9:31 pm

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage:

It's quite good! In fact, selling my CCR1009 and keeping the RB4011 as my primary, and the hEX RB750Gr3 as my backup on the shelf (along with a TP-Link switch) as a backup. It's more than capable if you can do FastPath.
Agreed! I am thinking of doing the same, since my RB4011 cooks me sometimes in my small office it would be nice to use the hEX RB750Gr3 + tp-link on hot busy days.
 
vikinggeek
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 13, 2020 9:40 pm

I'm glad you are happy with your equipment, we are running CCRs and need to stay with those. The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix? @Wojo workaround is good, but not the ultimate solution.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 12:02 am

The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix?

It's not so much a fix, as it is additional functionality we want.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 12:36 am

I'm glad you are happy with your equipment, we are running CCRs and need to stay with those. The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix? @Wojo workaround is good, but not the ultimate solution.
If you prefer to not use a software bridge the $49 tp-link works well, if you need to use enterprise gear only tell me which switches you like etc. I tried Aruba and Ubnt in front of the hEX and they didn't work, but I suspect a Mikrotik CRS112 would work fine, just not sure if it'd remove the headers with cpu or the switch chip.

I don't mind buying more gear to test, helps out our bypass/community effort.
 
vikinggeek
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 12:39 am

It's not so much a fix, as it is additional functionality we want.
OK, what is the process for getting that to the right people at MT? Contact support and refer back to this thread?
 
wojo
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 1:13 am

It's not so much a fix, as it is additional functionality we want.
OK, what is the process for getting that to the right people at MT? Contact support and refer back to this thread?

I think email is probably the best method. If we pool efforts with a clear description of what we need and get requests in via email so it's known how wide the impact is, we have the best chance probably of getting their attention. Some older posts:

viewtopic.php?t=104169
viewtopic.php?t=63559
viewtopic.php?t=76535
viewtopic.php?t=154834
viewtopic.php?t=150700

Why MikroTik chooses to ignore packets that are priority tagged (but no VLAN, hence VLAN ends up being 0x000) is the root of the cause I believe. There are the following situations that can work:
  • If both the 802.1x and TCP traffic function with the 802.1Q only containing a 802.1P priority tag, everything would be simple and ideal (no bridge). Traffic would be treated as if not tagged by a VLAN with 802.1Q.
  • If attached to a bridge with VLAN filtering, allowing 802.1x to function (which is currently broken)
  • If attached to a bridge without VLAN filtering, it should allow traffic (similar to #1, both situations would allow for VLAN 0 traffic to be treated as non-tagged in terms of 802.1Q VLANs)
 
vikinggeek
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 14, 2020 10:31 am

@wojo - your summary is excellent. I have emailed MT support and we'll find out if there is any chance that we can get a full featured 802.1x solution.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun May 17, 2020 9:50 pm

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage:

It's quite good! In fact, selling my CCR1009 and keeping the RB4011 as my primary, and the hEX RB750Gr3 as my backup on the shelf (along with a TP-Link switch) as a backup. It's more than capable if you can do FastPath.
While I failed to get my CRS112 to strip vlan headers, surprisingly the CSS326 was able to do so without much effort.

Image

Image
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed May 20, 2020 3:16 am

I'm glad you are happy with your equipment, we are running CCRs and need to stay with those. The best option would be for the bridge to be able to strip VLAN 0, but isn't that something MT needs to fix? @Wojo workaround is good, but not the ultimate solution.
Image

My CCR2004 just arrived. Working fine with CSS326 removing the 802.1p tags on port 12, then sending it to the CCR2004 on port 14.

Image

Haven't seen CPU Usage go past 5% when speedtesting with fast-tracking on.

Almost zero fan noise as well.
 
vikinggeek
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 21, 2020 8:57 pm

Official Response from MT Support:
Currently, RouterOS interfaces do not accept packets with VLAN-ID 0 and there is no option to create a VLAN interface with VLAN-ID 0. However, there is a possible workaround - add the interface into a bridge with enabled vlan-filtering. VLAN filtering will treat these packets as untagged, but currently, there is no option to force the reply packets to respond with a VLAN-ID 0.

How would you expect to treat VLAN-ID 0 packets in RouterOS? Should we allow the users to configure a special-purpose VLAN interface that accepts these packets? How should RouterOS respond - with or without VLAN-ID 0 header?
 
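Both wojo's summary of the VLAN 0 situation and the MikroTik support reply above hinge on the same detail: a frame carrying an 802.1Q tag whose VID is 0 is a priority tag (802.1p only), not VLAN membership, yet RouterOS at the time treated it as neither untagged nor a usable VLAN. The following Python is an added example, not code from this thread, RouterOS or any switch vendor; it decodes one 802.1Q tag, strips only VID 0 tags the way the switch placed in front of the router does, keeps real VLAN tags (such as the commercial gateway's VID 2) intact, and shows the reverse insertion on egress that support said RouterOS could not do. MAC addresses and frames are constructed placeholders.

```python
"""802.1Q priority-tag (VID 0) handling as seen in the AT&T ONT bypass.

Added example; not code from the forum thread, RouterOS, or a switch vendor.
All frames and MAC addresses below are constructed placeholders.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_EAPOL = 0x888E   # 802.1X / EAPOL, carries the EAP-TLS exchange
ETHERTYPE_IPV4 = 0x0800
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X destination address


@dataclass
class Frame:
    dst: bytes
    src: bytes
    pcp: Optional[int]   # 802.1p priority; None when no tag is present
    dei: Optional[int]
    vid: Optional[int]   # 802.1Q VLAN ID; None when no tag is present
    ethertype: int       # EtherType following the tag (or the plain EtherType)
    payload: bytes

    def tag_kind(self) -> str:
        """How a standards-following switch classifies this frame."""
        if self.vid is None:
            return "untagged"
        if self.vid == 0:
            return "priority-tagged"   # VLAN membership comes from the port PVID
        if self.vid == 0xFFF:
            return "reserved"
        return "vlan-tagged"


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, a single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, None, None, None, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("802.1Q tag truncated")
    tci, inner = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, inner, raw[18:])


def strip_priority_tag(raw: bytes) -> bytes:
    """Remove the 4-byte tag only when it is a priority tag (VID 0).

    This is the ingress behaviour the thread obtains from a switch in front
    of the router: VID 0 frames become plain untagged frames, while real
    VLAN tags (for example VID 2) are left untouched.
    """
    if parse_frame(raw).vid != 0:
        return raw
    return raw[:12] + raw[16:]


def add_priority_tag(raw: bytes, pcp: int = 0) -> bytes:
    """Insert a VID 0 tag carrying only an 802.1p priority into an untagged frame.

    This is the egress direction MikroTik support described as unsupported at
    the time (replying with a VLAN-ID 0 header). Already-tagged frames are
    returned unchanged.
    """
    if parse_frame(raw).vid is not None:
        return raw
    tci = (pcp & 0x7) << 13            # DEI 0, VID 0
    return raw[:12] + struct.pack("!HH", TPID_8021Q, tci) + raw[12:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble a frame, optionally with one 802.1Q tag (used for sample input)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, ((pcp & 0x7) << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames; the MACs are locally administered placeholders.
RG_MAC = bytes.fromhex("020000000001")
ONT_MAC = bytes.fromhex("020000000002")
EAPOL_START = bytes([0x01, 0x01, 0x00, 0x00])  # EAPOL v1, type Start, length 0

# Residential gateway style: EAPOL-Start with a priority tag (VID 0).
PRIORITY_TAGGED_EAPOL = build_frame(PAE_GROUP_MAC, RG_MAC, ETHERTYPE_EAPOL,
                                    EAPOL_START, vid=0, pcp=0)
# Commercial gateway style: real VLAN 2 tag, which must not be stripped.
VLAN2_IPV4 = build_frame(ONT_MAC, RG_MAC, ETHERTYPE_IPV4,
                         b"\x45" + b"\x00" * 19, vid=2, pcp=0)


def classify(frames: List[bytes]) -> List[Tuple[str, str]]:
    """Tag kind of each frame before and after the switch's strip step."""
    return [(parse_frame(f).tag_kind(),
             parse_frame(strip_priority_tag(f)).tag_kind()) for f in frames]


if __name__ == "__main__":
    for before, after in classify([PRIORITY_TAGGED_EAPOL, VLAN2_IPV4]):
        print(f"{before:16} -> {after}")
```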
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu May 21, 2020 10:01 pm

Official Response from MT Support:
How would you expect to treat VLAN-ID 0 packets in RouterOS? Should we allow the users to configure a special-purpose VLAN interface that accepts these packets? How should RouterOS respond - with or without VLAN-ID 0 header?

Glad to see them thinking about it. I don't yet know the right answer, other than allow for us to send and receive 802.1p packets, of any ID, not just 0. The reason they mention a bridge, is because to enable this across all of their product line, they would need to do it in software, hit the CPU. I would like a way to avoid that, if possible. But I understand this would be a business decision for them.
 
nofdak
just joined
Posts: 12
Joined: Thu May 28, 2020 3:10 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jun 03, 2020 1:07 am

I just got an RB4011 and got it setup per these instructions perfectly (using the supplicant method). Now I'm attempting to get an IPv6 address and it's just not happening. This is my entire IPv6 config right now:
# jun/02/2020 17:01:27 by RouterOS 6.47
# software id = 168G-AZKL
#
# model = RB4011iGS+
# serial number = DXXXXXXXXXXXXX
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=dhcpv6-pool pool-prefix-length=60 request=address,prefix
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=reject chain=input connection-state=invalid reject-with=icmp-no-route
add action=accept chain=input protocol=icmpv6
add action=reject chain=input in-interface-list=!LAN log=yes reject-with=icmp-no-route
I'm not able to get an address, or a prefix. The IPv6 web UI just shows "Status: searching..." in the DHCPv6 Client settings. The weird thing is that I was able to get an IPv6 address this morning, but in my attempt to get the IPv6 Server working, I somehow broke the client. I'm not sure if this is related to AT&T or not, but considering the work required to get this to work, that's my suspicion. A related question I have, does the DUID matter? I was previously using pfAtt on pfSense and that required a special DUID workaround to get an IPv6 address. Considering it was working for me at one point, and it's apparently working for some others, my guess is that it's not required, but I'd love confirmation of that.

Does anyone have any suggestions on what I might do to get any sort of IPv6 address or prefix?
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jun 03, 2020 2:50 pm

I just got an RB4011 and got it setup per these instructions perfectly (using the supplicant method). Now I'm attempting to get an IPv6 address and it's just not happening. This is my entire IPv6 config right now:
# jun/02/2020 17:01:27 by RouterOS 6.47
# software id = 168G-AZKL
#
# model = RB4011iGS+
# serial number = DXXXXXXXXXXXXX
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 pool-name=dhcpv6-pool pool-prefix-length=60 request=address,prefix
/ipv6 firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=reject chain=input connection-state=invalid reject-with=icmp-no-route
add action=accept chain=input protocol=icmpv6
add action=reject chain=input in-interface-list=!LAN log=yes reject-with=icmp-no-route
I'm not able to get an address, or a prefix. The IPv6 web UI just shows "Status: searching..." in the DHCPv6 Client settings. The weird thing is that I was able to get an IPv6 address this morning, but in my attempt to get the IPv6 Server working, I somehow broke the client. I'm not sure if this is related to AT&T or not, but considering the work required to get this to work, that's my suspicion. A related question I have, does the DUID matter? I was previously using pfAtt on pfSense and that required a special DUID workaround to get an IPv6 address. Considering it was working for me at one point, and it's apparently working for some others, my guess is that it's not required, but I'd love confirmation of that.

Does anyone have any suggestions on what I might do to get any sort of IPv6 address or prefix?
I think we chatted on reddit, but if not then first thing to do is check ND, in fact have you watched a video that shows ipv6 setup on RouterOS/mikrotik? I'd recommend starting with that since there are quite some differences from pfSense.
 
nofdak
just joined
Posts: 12
Joined: Thu May 28, 2020 3:10 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jun 03, 2020 4:44 pm

I think we did chat on reddit; unfortunately changing my ND options doesn't seem to have an effect. I've tried changing multiple different settings, disabling/enabling IPv6, deleting/recreating the DHCP client settings, etc., and for some reason the Tik can't seem to get an IPv6 address. 24 hours later it's still "Searching...".

Edit: I think I figured it out. My firewall settings were out of order and ICMPv6 was being blocked. When I explicitly passed ICMPv6 first, I got my IPv6 address/delegation. Now I just need to figure out how to setup a DHCPv6 server for my L3 switch.
 
technoredneck
just joined
Posts: 3
Joined: Wed Aug 28, 2019 10:40 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Jun 08, 2020 7:43 pm

I just wanted to chime in and say that I did indeed purchase one of those TP Link T1500G-8T switches and put it in front of my CCR1009 and wam-bam-thank-you-ma'am...everything worked first time. Authenticated and grabbed an IP from AT&T super fast too by the way. I'd say if you've got a CCR, then this is most certainly the way to go unless they change the OS to do what we need on the incoming frames.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Jun 09, 2020 2:42 am

I just wanted to chime in and say that I did indeed purchase one of those TP Link T1500G-8T switches and put it in front of my CCR1009 and wam-bam-thank-you-ma'am...everything worked first time. Authenticated and grabbed an IP from AT&T super fast too by the way. I'd say if you've got a CCR, then this is most certainly the way to go unless they change the OS to do what we need on the incoming frames.
Awesome glad you got it working! :)
 
fmape
just joined
Posts: 2
Joined: Sat Jun 13, 2020 7:20 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jun 13, 2020 7:25 am

I have ATT gigabit fiber at my house, trying to get this working with my hAP ac (for now), and keep running into a "connecting->authenticating->rejected" loop. My ATT router is a BGW210 and I was able to successfully extract the keys from it and import them.

I have a few questions:

Does case matter in the identity field for hex digits A-F? Should there be colons or shouldn't there? Should the anon identity field be blank? Same as identity?

Also, how close does the clock have to be? I don't have a local NTP server, and if the router turns off the clock doesn't run until it's plugged back in, so when I plug it in in place of my BGW210 it can be off by many seconds.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jun 17, 2020 7:54 pm

I have ATT gigabit fiber at my house, trying to get this working with my hAP ac (for now), and keep running into a "connecting->authenticating->rejected" loop. My ATT router is a BGW210 and I was able to successfully extract the keys from it and import them.

I have a few questions:

Does case matter in the identity field for hex digits A-F? Should there be colons or shouldn't there? Should the anon identity field be blank? Same as identity?

Also, how close does the clock have to be? I don't have a local NTP server, and if the router turns off the clock doesn't run until it's plugged back in, so when I plug it in in place of my BGW210 it can be off by many seconds.
Did you put a switch in front to remove the 802.1p tags (vlan 0 priority tags)? Is your clock correct? You can set it manually.
 
fmape
just joined
Posts: 2
Joined: Sat Jun 13, 2020 7:20 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Jun 18, 2020 4:29 pm

Did you put a switch in front to remove the 802.1p tags (vlan 0 priority tags)? Is your clock correct? You can set it manually.
The clock is correct to within a few seconds, which is as close as I could get it manually. I didn't use a switch, I did set the vlan mode on the port to the ONT (eth1) to `fallback`.
 
User avatar
archerious
Member Candidate
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA
Contact:

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Jun 18, 2020 8:17 pm

Did you put a switch in front to remove the 802.1p tags (vlan 0 priority tags)? Is your clock correct? You can set it manually.
The clock is correct to within a few seconds, which is as close as I could get it manually. I didn't use a switch, I did set the vlan mode on the port to the ONT (eth1) to `fallback`.
You'll need to use wojo's script then to handle the VLAN 0 priority tags in software.

The hAP ac and hEX are unable to handle the VLAN 0 priority tags without either a switch in front or a software bridge via wojo's script.
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
    \"ether3-ont\"\
    \n:local bridgeOnt \"bridge-ont\"\
    \n\
    \n:local scriptName \"CheckDot1x\"\
    \n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
    \n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
    \n\
    \n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
    \n\
    \n:if (\$dot1xStatus = \"authenticated\") do={\
    \n  :if (\$portDisabled) do={\
    \n    :log warn \"\$scriptName: authenticated, enabling bridge\"\
    \n    /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n} else={\
    \n  :if (!\$portDisabled) do={\
    \n    :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
    \n    /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
    \n  }\
    \n}"
    
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup
 
wojo
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Aug 01, 2020 6:08 am

I can no longer recommend the RB4011 as I've been getting the issue described here with it hitting 100% CPU, freezing up, etc. I'm at very low load (residential), but it still happens what seems like once a month now. Going back to the CCR1009 that I didn't sell, yet, along with the switch.

More at viewtopic.php?f=2&t=149062
 
pgbe
just joined
Posts: 1
Joined: Wed Aug 05, 2020 5:18 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Aug 10, 2020 4:42 am

Dears,
First, thanks for all the instructions on how to bypass the AT&T gateway.

I was able to use a Mikrotik HAP AC2 to bypass the BGW210 without having to use a switch to strip the VLAN header.

All that I had to do was to set up the switch1 CPU port under "SWITCH" to "always strip" the VLAN and use the fallback method. It has been working flawlessly since last Friday.

Thanks all and good luck!
Working-Mikrotik.jpg
 
orl
just joined
Posts: 1
Joined: Mon Aug 17, 2020 10:55 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Aug 17, 2020 11:22 pm

Can someone point me in the right direction as to how to extract the certificates from the gateway? I have a BGW320-505.
 
MugenChikara
just joined
Posts: 3
Joined: Tue Aug 18, 2020 5:51 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Aug 19, 2020 1:48 pm

Hello. I am very novice, please bear with me. So I have ATT fiber 1Gb as a service; however, I am sick and tired because the router they have is very slow and I can't even port forward with it as it's supposed to. Also, I'm not even getting near the speed I am paying for. I do not understand why you can not use your own router. I want to make something clear: I am not trying to steal anything; as a matter of fact I pay a lot to ATT for the service. All I want is to be able to use my own router and get the speed that I am paying for. Hopefully I get some help because God knows I need it. Like I said, very novice.

So I bought the RB4011iGS+RM. I love the router, it is fast and it has lots of features. As for the ATT equipment I was given, I have an Alcatel G-010G-A, which I think is like a modem since this is the one connected to the fiber cable, and the router I have is the Pace 5268AC. I am now following pcunite's guide to make the RB4011GS+RM router work as a supplicant, and I am confused in a few steps that I hope someone can clarify for me.

So step 1 is clear: I manually set the clock time and then restarted the router so that the Dot1x client can work correctly. Now in step 2 I am confused, so I used the following commands to create the certificates:

/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client

after that I signed them with the following commands:

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

and then I exported with the following commands:

/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=j2sw123co

I do get one of the certificates with the letters KT and trusted; however, the other 2 certificates do not have the KT letters (I think it is KI) and they are not trusted. However, I used the following command to make them trusted:
set certificate-name trusted=yes

After all the certificates are trusted I also clicked Settings and unchecked CRL Download and Use CRL.

Here is my first question: I did this certificate creation both for the Alcatel G-010G-A when it was connected directly to port 1 of the RB4011GS+RM, and also for the Pace 5268AC connected to port 1 of the RB4011GS+RM as it is normally connected to the internet with the ATT equipment. I even had internet, I believe as a bridge, that way.

So my questions are: which device should I create the certificate for, and which device's MAC address should I use in the subsequent steps? Or, I even read that you need to buy the certificates, is that true? Will the commands I am using not create certificates that will work?

Skipping some steps to not make this longer than it already is, I tried with both certificates, and when I tried with the Pace 5268AC it kind of worked, meaning it gave me the message "authenticated without server", but when I remove the router I do not have internet...

If you do need other certificates, though, I wonder if someone can share them with me. Because from what I read they are so expensive, and I am afraid I will get fake certificates and lose my money, and I have spent so much money already; I am very short right now. Just in case there is a kind soul that would share the certificates, this is my email: nyxastarte010@gmail.com. Also, for anyone helping me clarify my doubts, thanks a lot beforehand.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Aug 28, 2020 11:28 pm

I can no longer recommend the RB4011 as I've been getting the issue described here with it hitting 100% CPU, freezing up, etc. I'm at very low load (residential), but still happens what seems like once a month now. Going back to the CCR1009 that I didn't sell, yet, along with the switch.

Sorry to hear that. There must be a hardware issue with some product runs of the RB4011. I've not seen this personally, so I can attest to the fact that some work correctly.
 
User avatar
maxslug
newbie
Posts: 29
Joined: Sun Aug 30, 2020 7:07 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Sep 01, 2020 3:15 am

Supplicant Mode
Any known working options for the 3011? I'm getting "authenticated without server".

I've tried:
  • wojo's trick to create a bridge and disable it during authentication.
  • switch ether1 vlan mode fallback and strip, and combos thereof
  • switch1 cpu vlan strip
How would I go about root-causing this to the "vlan 0 priority tags" issue and not user error?

Bridge Mode
Good news, I got Bridge Mode to work on a 3011! I'm able to get an external IP address and see traffic using the above.

I am however having some basic config problems where the Upload test on Speedtest.net causes all connections to be dropped (browser, WinBox, etc). I'm guessing I have something wrong w/ my NAT or Firewall, but it's not obvious. I already locked myself out a few times and had to dig up a cisco serial cable and windows XP laptop from the distant past. There were some stale `defcon` firewall rules pointed at LAN that messed me up. Back to debugging the connection issue...

Thanks!!!!
-m
 
erickasper
Trainer
Trainer
Posts: 6
Joined: Tue May 30, 2017 4:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Sep 03, 2020 11:50 pm

Dears,
First, thanks for all the instructions on how to bypass the AT&T gateway.

I was able to use a Mikrotik HAP AC2 to bypass the BGW210 without having to use a switch to strip the VLAN header.

All that I had to do was to set up the switch1 CPU port under "SWITCH" to "always strip" the VLAN and use the fallback method. It has been working flawlessly since last Friday.

Thanks all and good luck!

Working-Mikrotik.jpg
Are you using a bridge with vlan filtering? Are you scripting it on/off for authentication?
FYI, the hAP ac2 uses the Atheros 8327 chipset. I had an RB2011 lying around that has the Atheros 8327 on ports 1-5 and an Atheros 8227 on ports 6-10. I was previously able to get it to authenticate by putting fallback on the switch port on the 8227 side as others have done (and did the same on an RB951, also with the 8227 chipset), but those are 100Mb ports. The 8327 needs the switch1 CPU port set to fallback AND always strip for those ports to authenticate.
Something else I have learned wasting tons of my time on this :) is that you do not have to set the interface to the MAC address of the device your certs come from, but any traffic (including DHCP) has to come from whatever MAC it is set to. I discovered this because I am only trying to use the router as a pass-through device and I was trying to get DHCP on the device connected to a bridge port. Then I tinkered around with getting a bridge that included the dot1x port to get DHCP, and the only way it did was if the bridge had the same MAC. I was thinking that once I authenticate I could change the MAC on the dot1x interface, but that bounces the interface, so I am stumped on using this as a pass-through device.
 
gnommon
just joined
Posts: 7
Joined: Fri Aug 28, 2020 9:21 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Sep 11, 2020 8:31 pm

...
Last edited by gnommon on Mon Sep 14, 2020 12:38 am, edited 1 time in total.
 
gnommon
just joined
Posts: 7
Joined: Fri Aug 28, 2020 9:21 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Sep 14, 2020 12:17 am

Got it to work using Aerowinder's config on RB4011 v7.1beta2. When you get "No AAA root server certificates found" in mfg_dat_decode, your certs export didn't work; the certs are corrupted.
My certs contained HTML for some reason.
If you import into the Tik, you'll end up with 6 certs in /certificates.
I have the gigabit fiber. Using the Speedtest desktop app delivers proper speeds. When I used the browser version I only got 200 Mbps, so it seems the browser is slowing things down.

I plugged in an Asus rt-ax88u using the WAN port into the DMZ port on the rb4011.

Would anyone have some advice on how to secure the RB4011 firewall?
How would I enable a (temp) connection of the router to the internet to allow NTP / SW updates?
#MikroTik RB4011 - Router OS 6.46.2 - Home
#v1, 2020-02-05 - Initial release.




---------- STEP 1 ----------

Factory reset the router. No defaults. Clean slate.

Note that this setup (firewall rules, mostly) will NOT be secure. It allows incoming connections! It is intended to be used as a pass-through device ONLY!

Connect eth1 to trusted port on UniFi switch.
Connect eth9 to WAN port on UniFi switch.
Connect eth10 to ONT directly.

---------- STEP 1 END ----------




---------- STEP 2 ----------

/interface ethernet
set ether1 name=eth1-MGMT
set ether9 name=eth9-DMZ
set ether10 name=eth10-ONT

/ip address
add interface=eth1-MGMT address=10.10.1.2/16
add interface=eth9-DMZ address=10.1.10.1/29

/interface list
add name=MGMT
add name=DMZ
add name=ONT

/interface list member
add list=MGMT interface=eth1-MGMT
add list=DMZ interface=eth9-DMZ
add list=ONT interface=eth10-ONT

/ip dhcp-client
add interface=eth10-ONT disabled=no

/ip pool
add name=pool_dmz ranges=10.1.10.3-10.1.10.6

/ip dhcp-server
add name=dhcp_dmz interface=eth9-DMZ address-pool=pool_dmz disabled=no

/ip dhcp-server network
add address=10.1.10.0/29 gateway=10.1.10.1 netmask=29

/ip dhcp-server lease
add address=10.1.10.2 mac-address=<PFSENSE WAN MAC> server=dhcp_dmz

/ip firewall filter
#forward
add chain=forward action=fasttrack-connection connection-state=established,related comment="FastTrack all forwarded established/related connections. Reduces CPU usage significantly."
add chain=forward action=drop connection-state=invalid comment="Drop invalid forwarded connections."
#input
add chain=input action=accept in-interface-list=MGMT comment="!!!LOCAL ACCESS DO NOT DELETE OR DISABLE!!! Allow traffic to router itself from MGMT port."
add chain=input action=accept in-interface-list=DMZ comment="!!!LOCAL ACCESS DO NOT DELETE OR DISABLE!!! Allow traffic to router itself from DMZ port."
add chain=input action=drop comment="Drop remaining traffic to router itself."
#output

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=ONT comment="Send all traffic: DMZ -> ONT"
add chain=dstnat action=dst-nat in-interface-list=ONT to-addresses=10.1.10.2 comment="Send all traffic: ONT -> DMZ"

/interface ethernet
set eth10-ONT mac-address=<RG MAC>

---------- STEP 2 END ----------




---------- STEP 3 ----------

You can now reconnect with WinBox to IP address: 10.10.1.2.

At this time, you need to upload your gateway certificates to the router. Do this via WinBox > Files. There should be 3 files. A CA, a PK, and a Client.

---------- STEP 3 END ----------




---------- STEP 4 ----------

/certificate
import file-name=Client_XXXXXXXXXX.pem passphrase=""

/certificate settings
set crl-download=no
set crl-use=no

/interface dot1x client
add interface=eth10-ONT certificate=Client_XXXXXXXXXX.pem eap-methods=eap-tls identity=<RG MAC>

---------- STEP 4 END ----------
 
zcqian
just joined
Posts: 5
Joined: Thu Jul 30, 2020 9:00 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Sep 15, 2020 7:00 am

Do you guys run into a situation where dot1x is always either connecting or authenticating? I think mine sometimes runs into a timing problem. On my packet capture the EAPOL shows up like Start (10s wait) Request, Response (20s wait), Start, (10s wait), Failure, Request, Response, ...

I'm using the script to move the port in/out of the bridge, on a switch. Then I connect another port on the switch (CRS328) to my actual router (CCR2004). The other parts of my setup shouldn't matter, but I'm just leaving it here in case it does matter.
 
gnommon
just joined
Posts: 7
Joined: Fri Aug 28, 2020 9:21 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Sep 16, 2020 3:56 am

That sounds like an issue with the certificates. I had the same until I re-exported them. Dupuis.xyz has them posted for download as well.
https://www.dupuis.xyz/bgw210-700-root-and-certs/
 
zcqian
just joined
Posts: 5
Joined: Thu Jul 30, 2020 9:00 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Sep 18, 2020 2:21 am

That sounds like an issue with the certificates. I had the same until I re-exported them. Dupuis.xyz has them posted for download as well.
https://www.dupuis.xyz/bgw210-700-root-and-certs/
Mine eventually got back online. From my packet dump I see that EAPOL doesn't even go to TLS handshake. I do have up to date certificates.
 
erickasper
Trainer
Trainer
Posts: 6
Joined: Tue May 30, 2017 4:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Sep 21, 2020 4:01 pm

Mikrotik has actually listened to all of our emails. v6.48beta40 now accepts vlan 0 on EAP packets only, according to support. I just tried it with a hAP ac2 with no switch vlan mods and it authenticated! It did not authenticate with a bridge, however, though I have to admit, I did not spend much time on that.
 
zcqian
just joined
Posts: 5
Joined: Thu Jul 30, 2020 9:00 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Sep 23, 2020 1:58 am

Mikrotik has actually listened to all of our emails. v6.48beta40 now accepts vlan 0 on EAP packets only, according to support. I just tried it with a hAP ac2 with no switch vlan mods and it authenticated! It did not authenticate with a bridge, however, though I have to admit, I did not spend much time on that.
Interesting... For my AT&T setup, EAP/EAPOL doesn't have the VLAN priority tag, but the packets after authentication do.
 
sqrexpress
just joined
Posts: 1
Joined: Wed Sep 30, 2020 6:56 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Sep 30, 2020 7:25 pm

Hello,

I am trying to use a CRS226 switch/router to authenticate the connection using dot1x. The actual firewall is a Sophos XG 210. Got the certificates.

All the guides I see in this thread have the dot1x and NAT functions on the MikroTik itself. What I want to do is a bit simpler, where the MikroTik is just doing dot1x auth and operates like a dumb switch to the actual firewall.

What I would like to do:
Eth0 - ONT port
Eth1 - Sophos XG WAN

The goal is to have the MikroTik do EAPOL auth on eth0 and then bridge the traffic to eth1.

Questions/Problems:
For Sophos XG to DHCP, it needs to use the same MAC that CRS226 uses for EAPOL. This essentially causes duplicate MAC entries.

Ideas/Solutions:
To solve the duplicate MAC issues, we can theoretically use separate VLANs.
- Tag EAPOL packets to VLAN 99, and put a MikroTik interface into VLAN 99. How to do this on MikroTik?
- Take priority-tagged packets (VLAN 0) and put them in VLAN 100 for bridging to Sophos XG

Can someone help me figure out how to perform this?
 
erickasper
Trainer
Trainer
Posts: 6
Joined: Tue May 30, 2017 4:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Oct 02, 2020 10:17 pm

Hello,

I am trying to use a CRS226 switch/router to authenticate the connection using dot1x. The actual firewall is a Sophos XG 210. Got the certificates.

All the guides I see in this thread have the dot1x and NAT functions on the MikroTik itself. What I want to do is a bit simpler, where the MikroTik is just doing dot1x auth and operates like a dumb switch to the actual firewall.

What I would like to do:
Eth0 - ONT port
Eth1 - Sophos XG WAN

The goal is to have the MikroTik do EAPOL auth on eth0 and then bridge the traffic to eth1.

Questions/Problems:
For Sophos XG to DHCP, it needs to use the same MAC that CRS226 uses for EAPOL. This essentially causes duplicate MAC entries.

Ideas/Solutions:
To solve the duplicate MAC issues, we can theoretically use separate VLANs.
- Tag EAPOL packets to VLAN 99, and put a MikroTik interface into VLAN 99. How to do this on MikroTik?
- Take priority-tagged packets (VLAN 0) and put them in VLAN 100 for bridging to Sophos XG

Can someone help me figure out how to perform this?
Believe it or not, I have been trying to do the exact same thing. There have been 2 issues that others have been dealing with in this thread and one other to deal with to do what we want to do (which doesn't just apply to Sophos XG, but applies if you want to use another device as your firewall/gateway and just want to use the Mikrotik as a dot1x client/bridge):
1) Priority VLAN 0 tags - AT&T sends priority-tagged VLAN 0 packets (some users get them on EAPOL packets while others get them for everything after authentication). Some MikroTik devices have been able to strip the priority VLAN tags either by default (RB4011) or with switch port VLAN mode settings (Atheros 8327 devices need switch1 vlan mode set to fallback and vlan header set to always strip, while QCA8337 devices need ether1 (assuming that is your WAN port) vlan mode set to fallback with no other mods there). For others, switches that strip the VLAN in front of the MikroTik have allowed dot1x authentication. All that said, MikroTik released v6.48beta40, which will allow EAPOL packets WITH the priority VLAN tag to pass, which allows dot1x authentication without all of the aforementioned VLAN workarounds.
2) Bridge - if your configuration requires a bridge, dot1x will not authenticate with the bridge enabled. Others in the thread have used a script to enable the bridge after dot1x authentication. I don't see a discussion in the thread as to why authentication fails with the bridge enabled. Quoting Mikrotik, "It seems to be related to what destination MAC address is used for the EAP packets. By the IEEE 802.1x standard, it is possible to use the multicast group address (01:80:C2:00:00:03) or individual destination MAC. In your setup, the individual destination MAC address is used and when the Ethernet interface is added to the bridge, these packets seem to be processed only by the bridge interface instead of Ethernet (where the dot1x client is configured)." They state that they will accommodate for this in an upcoming release and if they did it as fast as they did for the dot1x allowing the vlan 0 packets, it should be fairly soon.
3) MAC address - as you pointed out, the Sophos XG (or whatever device you have connected to the other interface on the bridge) needs to have the same MAC address as the dot1x client. When MikroTik makes the fix mentioned in item #2, in theory, the NAT rules on the bridge (below) should fix things up. You would implement these rules leaving the dot1x interface MAC address as default, using the original ATT gateway/certs MAC address where the 00:00:00:00:00:00 are shown AND on the XG WAN interface. This way the DHCP request packet will have the matching MAC address, all traffic that is not EAPOL will go to the Sophos XG (or whatever device you have connected to the other interface on the bridge), all traffic going out of ether1 will have the MAC address of the original ATT gateway, AND, most importantly, you will not have any MAC address conflicts. Of course, this item is a theory until MikroTik releases firmware we can try this with.

/interface bridge nat
# Send non-eapol packets to device with ATT gateway mac address
add action=dst-nat chain=dstnat in-interface=ether1 mac-protocol=!0x888E to-dst-mac-address=00:00:00:00:00:00
# Change mac address of all outgoing packets to ATT gateway mac address
add action=src-nat chain=srcnat out-interface=ether1 to-src-mac-address=00:00:00:00:00:00

In the end my COMPLETE config will be 10 lines:
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge nat
add action=dst-nat chain=dstnat in-interface=ether1 mac-protocol=!0x888E to-dst-mac-address=00:00:00:00:00:00
add action=src-nat chain=srcnat out-interface=ether1 to-src-mac-address=00:00:00:00:00:00
/interface bridge port
add bridge=bridge1 edge=yes interface=ether1
add bridge=bridge1 interface=ether2
/interface dot1x client
add anon-identity=00:00:00:00:00:00 certificate=YourGatewayCert.pem_0 eap-methods=eap-tls identity=00:00:00:00:00:00 interface=ether1

FYI, you can do this using Sophos UTM without a dot1x authentication device because you have more access to the kernel. XG is more restrictive at the kernel level, not allowing installation of 3rd party software.
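The two link-layer details this post and the earlier ones keep coming back to (VID-0 priority tags in front of the real EtherType, and EAPOL 0x888E addressed to the 01:80:C2:00:00:03 group MAC versus an individual MAC) can be checked against a capture with a small frame decoder. The following is an added example, not code from the forum or from MikroTik; the MAC addresses and frames in it are constructed to mimic the exchange described in the thread.

```python
"""Decode the frames this thread argues about: 802.1Q priority tags (VID 0) in front
of the real EtherType, and EAPOL (0x888E) sent to the group or an individual MAC.
Example code, not from the forum or MikroTik; all MACs and frames are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_8021Q = 0x8100             # TPID; a tag with VID 0 is a "priority tag"
ETHERTYPE_EAPOL = 0x888E             # what the bridge-nat rules above match as mac-protocol
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # multicast destination allowed by IEEE 802.1X
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]   # None when no 802.1Q tag is present, 0 for a priority tag
    pcp: Optional[int]
    priority_tagged: bool    # True only for an 802.1Q tag carrying VID 0
    ethertype: int           # inner EtherType once any tag is skipped
    payload: bytes


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s: str) -> bytes:
    return bytes(int(part, 16) for part in s.split(":"))


def parse_frame(raw: bytes) -> Frame:
    """Split an Ethernet frame into header fields, skipping one 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vlan_id, pcp = 14, None, None
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    return Frame(mac_to_str(raw[0:6]), mac_to_str(raw[6:12]), vlan_id, pcp,
                 vlan_id == 0, ethertype, raw[offset:])


def strip_priority_tag(raw: bytes) -> bytes:
    """Remove a VID-0 priority tag, as the switch-chip 'always strip' setting or a switch
    in front of the router does; frames without one are returned unchanged."""
    if not parse_frame(raw).priority_tagged:
        return raw
    return raw[:12] + raw[16:]   # drop the 4-byte TPID+TCI; the inner EtherType moves up


def classify_eapol(payload: bytes) -> str:
    """Name an EAPOL/EAP message so a capture reads like 'Start, Request, Response, Failure'."""
    if len(payload) < 4:
        return "EAPOL (truncated)"
    _version, ptype, _length = struct.unpack("!BBH", payload[:4])
    if ptype == 0 and len(payload) >= 8:   # EAP-Packet: the EAP code is the first body byte
        return "EAP-" + str(EAP_CODES.get(payload[4], payload[4]))
    return EAPOL_TYPES.get(ptype, f"EAPOL type {ptype}")


def diagnose(frames: List[bytes]) -> dict:
    """Count where the priority tag appears and how EAPOL is addressed; the thread reports
    both variants (tags on EAPOL itself, or only on traffic after authentication)."""
    report = {"eapol_tagged": 0, "eapol_untagged": 0, "data_tagged": 0, "data_untagged": 0,
              "eapol_to_group_mac": 0, "eapol_to_individual_mac": 0, "eapol_sequence": []}
    for raw in frames:
        f = parse_frame(raw)
        is_eapol = f.ethertype == ETHERTYPE_EAPOL
        report[("eapol" if is_eapol else "data") + ("_tagged" if f.priority_tagged else "_untagged")] += 1
        if is_eapol:
            report["eapol_to_group_mac" if f.dst == PAE_GROUP_MAC else "eapol_to_individual_mac"] += 1
            report["eapol_sequence"].append(classify_eapol(f.payload))
    return report


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, tag: bool = False) -> bytes:
    """Assemble a frame; tag=True prepends a priority tag (PCP 0, DEI 0, VID 0)."""
    hdr = mac_to_bytes(dst) + mac_to_bytes(src)
    if tag:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, 0)
    return hdr + struct.pack("!H", ethertype) + payload


def eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, ptype, len(body)) + body   # EAPOL v1 header + body


# Constructed sample exchange with made-up MACs: the supplicant uses the RG MAC as identity,
# the AT&T-side authenticator priority-tags its frames, as several posts in the thread report.
RG_MAC, AUTH_MAC = "02:00:00:aa:bb:cc", "02:00:00:11:22:33"
IDENTITY = RG_MAC.encode()
SAMPLE_FRAMES = [
    build_frame(PAE_GROUP_MAC, RG_MAC, ETHERTYPE_EAPOL, eapol(1)),                                 # EAPOL-Start
    build_frame(RG_MAC, AUTH_MAC, ETHERTYPE_EAPOL, eapol(0, struct.pack("!BBHB", 1, 1, 5, 1)), True),  # EAP-Request/Identity, tagged
    build_frame(PAE_GROUP_MAC, RG_MAC, ETHERTYPE_EAPOL,
                eapol(0, struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY)),           # EAP-Response/Identity
    build_frame(RG_MAC, AUTH_MAC, ETHERTYPE_EAPOL, eapol(0, struct.pack("!BBH", 4, 2, 4)), True),  # EAP-Failure, tagged
    build_frame(RG_MAC, AUTH_MAC, 0x0800, bytes(20), True),                                        # IPv4 after auth, tagged
    build_frame(AUTH_MAC, RG_MAC, 0x0800, bytes(20)),                                              # IPv4, untagged
]
```

Running `diagnose(SAMPLE_FRAMES)` on real frames read from a pcap tells you which of the two tagging patterns your link shows and whether EAPOL goes to the group or the individual MAC, which is the information MikroTik support asked about above.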
 
MugenChikara
just joined
Posts: 3
Joined: Tue Aug 18, 2020 5:51 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Oct 07, 2020 9:48 pm

*Sorry I posted this in the wrong microtik forum before here viewtopic.php?f=13&t=143620&p=821127#p821127 this should be here)

OMG guys, I posted several days before.I am very novice in this, however, I tried so much that somehow I have make the supplicant method work using the RB4011GS+RM . I know there is an issue about the VLAN not been able to handle VLAN 0 tags or something like this. However, I want to share exactly what I did so that it might help people struggling as much as I did. I will try to explain even the most simple staff that people take for granted that others people know, but like in my case we have no idea, when we start...

The router I used was the RB4011GS+RM. Please help me polish this instructions as simple and as much as possible so that anyone that uses it even a noob like myself would have been able to accomplish the task. Thanks to anyone that helps.

Before anything for the supplicant method you need to extract the certificates of your ATT RG (this is the big box usually black and that has 4 Ethernet ports, and not the one that is small that only have one Ethernet port(how exactly this is done with the BG210-700 is explained in this following link https://www.dupuis.xyz/bgw210-700-root-and-certs/ . If they take down the website try to look for a copy of the instruction on Reddit or somewhere else (you can also buy them in eBay but I do not know how reliable this is so I do not recommend it).

A summary you need to extract 6 public certificates from your modem(or these public ones can be even found on the internet and it would work if they are the authentic ones of course) and then you need to extract a file called mfg.dat. This is a encrypted file that contains your private certificate key for your ATT RG. After you have extracted those files from your ATT RG you need to use a program made by devicelocksmith that can be found in this following website https://www.devicelocksmith.com/2018/12 ... g-and.html
to convert those files into 3 .pem certificate files that you will then use to import to the Microtik router (make sure you put all the 6 public certificates and the mfg.dat in the same folder of the devicelocksmith program to covert this certificate correctly)

After you have the certificates and from a fresh configuration ( go to system reset configuration dont check anything and apply):

1. Manually Set the System Clock: A note about setting the clock time using the winbox there is two tabs time and manual time zone. In the tab time, first make sure that the time and date are correct with your zone. I have clicked time zone auto-detect and DTS active,however, make sure that the time and date of your computer are also correctly adjusted to your zone. Now in the manual time zone also adjust the time as you just did with the last tab where its says time zone it should be exactly the same as what is in the GMT offset of your time tab.

2. Import Certificate Files: A note about importing the certificates. First upload them with the winbox to the Microtik router. Then, import them by going to system then certificates then import. Follow the order that this step says. First import the ca.xxxxx.pem certificate when you import this certificate alone you will see that 4 other certificate show up in the certificates. You should have a T initial letter at the beginning of all this certificates meaning they are trusted. if you dont get the T which means trusted something is off and you should see if may be you did not extracted the certificates correctly or anything else. Then, import the clientcertificate.pem when you import this you only get one certificate however instead of a T you should have a KT as an initial so you know you are going in the right direction(between the way this is the certificate that you will later use in the DOTx1 for authentication. Last, import the Privatekey.pem certificate and you will get one more certificate this one also should have a initial T at the beginning. In summary you should end up with 6 certificates when you import the 3 .pem certificates keys and 5 of them should have a T initial at the beginning and one of them a KT initial at the beginning. After, importing them click on setting in the same certificates section ad make sure that both CRL Donwload and USE CRL are uncheked hit apply and then ok and move to the next step.

3. Configure your WAN port: A note here: first I made a Notepad file and I copied the most basic settings. I do not set up a firewall or anything, so that it is as short and clean as possible. After you successfully connect to the internet, then you can set up other things like the firewall etc. You can name the file whatever you want. In the file I have the following (simply replace the MAC address xx:xx:xx:xx:xx:xx with the MAC address of your ATT RG in the 3 fields below, and use the exact name that is in your MikroTik Certificates section for the client .pem file). Save this file. Now go to System > Scripts and hit the blue + tab; in Name put anything you want, leave the other fields as they are, and in the white box at the end where it says Source copy and paste the settings just below, changing what I already noted. Now hit Apply, then OK, then you can close it. You do not need to hit Run Script.
# ether1 faces the ONT; clone the MAC address of the ATT RG onto it
/interface ethernet
set [ find default-name=ether1 ] mac-address=xx:xx:xx:xx:xx:xx

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0

# do not attempt CRL checks for the imported certificates
/certificate settings
set crl-use=no
set crl-download=no

# 802.1X supplicant: identity and anonymous identity are the RG MAC,
# certificate is the client certificate imported in step 2 (use its exact name)
/interface dot1x client
add anon-identity=xx:xx:xx:xx:xx:xx certificate=\
    Client_xxxxxx-xxxxxxxxxxxxxx.pem_0 eap-methods=eap-tls identity=\
    xx:xx:xx:xx:xx:xx interface=ether1

/ip dhcp-client
add disabled=no interface=ether1

# switch-chip VLAN mode for the ONT port
/interface ethernet switch port set ether1 vlan-mode=fallback

4. Configure the Dot1x interface: Notes about this. Although you can see I added the dot1x client in the script in the last step, I also used the GUI. So go to WinBox, then Dot1X, hit the blue + sign and select interface ether1, then in Identity and Anon. Identity again put the same MAC address of the ATT RG as you used in the last step (yes, the same in both). Now in Certificate select the certificate that says client.xxxx.xxxxx.pem_0, and lastly in EAP Methods select EAP TLS. Lastly hit Apply, then OK. Now connect the ONT cable that goes directly from the small box that only has one Ethernet port to port ether1 of the MikroTik, and connect your PC to any of the other ports. You should get authenticated fairly quickly; you don't even have to reboot. If the authentication is trapped in an authenticating-then-connecting loop, something is wrong; if the authentication says authenticated without a server, something is wrong.

About the speed issue I posted in the last post: I have already resolved it. I am getting an average of 750 Mbps and the adapter correctly displays that it is capable of 1 Gb. The issue was that the laptop I was using has a very old NIC that is only capable of 100 Mbps, and it had nothing to do with the setup or the router. Now the issue that remains is that I am pretty sure I am getting only up to 750 Mbps because my ISP is limiting my configuration file to that. If I pay for 1 Gb, should I call and argue with the ISP to be able to at least get to 900 Mbps, or is this the throughput people with 1 Gb usually receive? 250 Mbps to me is a lot. Anyhow, I would like to know if this is something that most people get... I think I should call. Advice will be welcome.

Issue posted in the last post, already solved (Now the only problem I have right now is that although I have 1 Gb of internet speed I am only getting 100; however, I know it is something in the configuration that I did, because when I plug it into the PC the maximum speed it says is 100 Mbps, unlike 1 Gb when it is connected the other way. Now I know the RB4011iGS+RM is capable of 1 Gb speed, or so I read in the description when I bought the product. Can someone be so kind as to help me adjust this setting so I can get the full speed I am paying for?)

I would greatly appreciate any help with this. Also, how do I set up a good secure firewall? I do not plan on using IPv6. However, how to set up IPv6 is something that some people are asking about, and I also do not know how to do it.

Hope this guide helps someone, and also that people help to improve it, and I hope someone can help me adjust the settings so I can get the full speed of 1 Gb.
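Step 4 above says the Dot1X client should reach authenticated quickly, and that a connecting/authenticating loop or an "authenticated without server" state means something is wrong. The following is an added example, not code from the post and not MikroTik's own tooling, that reads the dot1x client log and names the outcome. The line shapes are those RouterOS prints with the dot1x,packet and dot1x,debug topics logged; the successful sequence is abridged from a RouterOS 7.6 log posted later in this thread, the looping sequence is constructed, and the EAP-Failure line shape is an assumption.

```python
"""Classify a RouterOS dot1x client attempt from its log lines.

Added example for this thread, not code from the post or from MikroTik.
Line shapes follow what RouterOS logs for the dot1x client with the
dot1x,packet and dot1x,debug topics enabled.
"""
import re
from dataclasses import dataclass, field

# tx/rx packet lines, e.g.
#   11:32:59 dot1x,packet c ether1 tx EAPOL-Start
#   11:33:29 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:1 method:IDENTITY
#   11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Success id:8
PACKET_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) dot1x,packet c (?P<iface>\S+) "
    r"(?P<dir>tx|rx) (?P<kind>EAPOL-\S+)"
    r"(?: (?P<eap>EAP-\S+) id:(?P<id>\d+))?(?: method:(?P<method>\S+))?"
)
# state lines, e.g.  11:33:30 dot1x,debug c ether1 authorized
DEBUG_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) dot1x,debug c (?P<iface>\S+) (?P<msg>.+)$")


@dataclass
class Attempt:
    starts_sent: int = 0             # EAPOL-Start frames the client transmitted
    requests_seen: int = 0           # EAP-Request frames received from the authenticator
    methods: set = field(default_factory=set)  # EAP methods the server asked for
    success: bool = False            # EAP-Success received
    failure: bool = False            # EAP-Failure received (line shape is an assumption)
    authorized: bool = False         # client reported the port authorized


def parse_log(lines):
    a = Attempt()
    for raw in lines:
        line = raw.strip()
        m = PACKET_RE.match(line)
        if m:
            if m["dir"] == "tx" and m["kind"] == "EAPOL-Start":
                a.starts_sent += 1
            elif m["dir"] == "rx" and m["eap"] == "EAP-Request":
                a.requests_seen += 1
                if m["method"]:
                    a.methods.add(m["method"])
            elif m["dir"] == "rx" and m["eap"] == "EAP-Success":
                a.success = True
            elif m["dir"] == "rx" and m["eap"] == "EAP-Failure":
                a.failure = True
            continue
        m = DEBUG_RE.match(line)
        if m and m["msg"] == "authorized":
            a.authorized = True
    return a


def classify(lines, loop_threshold=3):
    """Return one of: authorized, rejected, no-authenticator, incomplete, unknown."""
    a = parse_log(lines)
    if a.authorized and a.success:
        return "authorized"
    if a.failure:
        return "rejected"          # the server answered and refused the credentials
    if a.requests_seen == 0 and a.starts_sent >= loop_threshold:
        return "no-authenticator"  # nothing ever answers EAPOL-Start: link, tag or port problem
    if a.requests_seen and not a.success:
        return "incomplete"        # EAP-TLS started but never reached EAP-Success
    return "unknown"


# Successful sequence, abridged from a RouterOS 7.6 log posted later in this thread.
GOOD_LOG = """\
11:32:59 interface,info ether1 link up (speed 1G, full duplex)
11:32:59 dot1x,packet c ether1 tx EAPOL-Start
11:33:29 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:1 method:IDENTITY
11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:2 method:TLS
11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:8 method:TLS
11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Success id:8
11:33:30 dot1x,debug c ether1 authorized
""".splitlines()

# Constructed: the client keeps sending EAPOL-Start and nothing comes back,
# which is what a connecting/authenticating loop looks like in the log.
LOOP_LOG = [
    "12:00:00 dot1x,packet c ether1 tx EAPOL-Start",
    "12:00:30 dot1x,packet c ether1 tx EAPOL-Start",
    "12:01:00 dot1x,packet c ether1 tx EAPOL-Start",
]

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("loop", LOOP_LOG)):
        a = parse_log(log)
        print(f"{name}: {classify(log)} (starts={a.starts_sent}, "
              f"requests={a.requests_seen}, methods={sorted(a.methods)})")
```

Paste the output of `/log print where topics~"dot1x"` into a file and feed its lines to `classify()`; "no-authenticator" points at the link, the port, or the VLAN 0 tag handling rather than at the certificates, while "incomplete" means the authenticator did start EAP-TLS and the certificate chain or the clock is the first thing to check.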
 
Zorb
just joined
Posts: 20
Joined: Fri Oct 09, 2020 1:41 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Oct 09, 2020 4:11 am

Clearly I am missing something..

I went into Scripts and hit Add
Typed the code into the "source" box
When I reboot it doesn't run
I tried to do this through the terminal but you can't type spaces or anything, and as soon as you get to the line with an = sign it says invalid syntax...
Everything I looked up on scripts makes no mention of this being invalid, and I see it used everywhere..
 
Zorb
just joined
Posts: 20
Joined: Fri Oct 09, 2020 1:41 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Oct 09, 2020 7:55 pm

I got the script to work, but now about half my sites don't load and several are very slow.
I can ping 8.8.8.8
I can ping facebook.com
but if I go to facebook.com it won't open..
 
gnro
newbie
Posts: 36
Joined: Sun Aug 05, 2018 9:52 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Oct 09, 2020 9:00 pm

I got the script to work, but now about half my sites don't load and several are very slow.
I can ping 8.8.8.8
I can ping facebook.com
but if I go to facebook.com it won't open..
Check your MTU settings.
See https://wiki.mikrotik.com/wiki/Manual:T ... ting_tools
and https://wiki.mikrotik.com/wiki/Manual:L ... figuration
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Oct 19, 2020 8:01 pm

UPDATE -- oops, my connection did a failover to LTE and I thought it was working. Something isn't right because it does authenticate with 802.1x but data packets are still not being processed, unless I filter them with a bridge... which then breaks 802.1x. Was hoping one of the two last bullets on my post viewtopic.php?f=23&t=154954&p=823576#p793236 would have worked, neither do. Won't have time to play with this until later...

Can confirm I'm able to authenticate now with VLAN 0 EAPOL packets with 6.48beta48 on my CCR1009 without an external switch to strip them.

*) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
 
Zips
just joined
Posts: 6
Joined: Sat Feb 11, 2017 6:09 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Nov 26, 2020 3:57 am

I've been using this method for a long time, but as of tonight my RB1100x4 won't authenticate anymore. I get "authenticated without server" and nothing has changed. I tried rebooting my router, and nothing; tried rebooting the ONT, and nothing. I did try using my AT&T modem and it works fine; I downgraded the modem and tried like that as well and it did work running an old firmware. Extracted the certs again and copied them over and nada..... I'm running out of ideas, or coffee :)

-Zips
 
erickasper
Trainer
Posts: 6
Joined: Tue May 30, 2017 4:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 08, 2020 3:23 pm

You can now eliminate your scripts enabling/disabling the bridge because with 6.48beta58 you can now authenticate with the bridge enabled!
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 08, 2020 8:55 pm

You can now eliminate your scripts enabling/disabling the bridge because with 6.48beta58 you can now authenticate with the bridge enabled!
I tried this but it failed, and I haven't revisited to investigate. Can you elaborate on your setup?
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Dec 24, 2020 4:13 am

Now with 6.48 released, has anyone tried the following item? Also going to give it another shot when I won't take down the network for the family right before Christmas and get yelled at ;)

*) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
 
jweek
just joined
Posts: 6
Joined: Tue Dec 24, 2019 2:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Dec 24, 2020 7:30 pm

Now with 6.48 released, has anyone tried the following item? Also going to give it another shot when I won't take down the network for the family right before Christmas and get yelled at ;)

*) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
Wojo, upgraded my RB4011iGS+ to 6.48, everything is working fine.
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Dec 24, 2020 7:51 pm

Now with 6.48 released, has anyone tried the following item? Also going to give it another shot when I won't take down the network for the family right before Christmas and get yelled at ;)

*) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;
Wojo, upgraded my RB4011iGS+ to 6.48, everything is working fine.
Okay, also able to now authenticate with dot1x on the interface and pass traffic with the bridge to strip VLAN 0 tags. Woo!

One less piece of hardware and complexity now (was running a TL-SG2216 to strip VLAN 0 as I didn't like the scheduler solution).
 
nitrag
just joined
Posts: 21
Joined: Thu Jun 15, 2017 9:22 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 16, 2021 10:33 pm

Just a heads up, I rebooted my ONT yesterday after 300 days of using this method and I could not authenticate. I then plugged my AT&T Gateway back in and it would not authenticate either, after much power-cycling troubleshooting. AT&T Advanced Support had to re-push the provisioning profile (with only the AT&T gateway connected) for it to begin working again. Once back working stable with the AT&T Gateway, for safety's sake I also downgraded to 6.47.8 in case 6.48 was causing issues with the VLAN change I saw you guys talking about. My theory is that after so many days of not being able to communicate with my AT&T gateway, the AT&T network invalidates something? Moving forward I have a reminder to reboot ONT+Gateway together every 6 months.

I have not upgraded back to 6.48 and rebooted yet. I won't do this on a weekend where support may be limited in case this was the issue causing authentication to fail.
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 16, 2021 10:44 pm

My theory is that after so many days of not being able to communicate with my AT&T gateway, the AT&T network invalidates something?
Really hope that's not the case. I've been running way longer, but this could be regional. Scary.
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Jan 17, 2021 12:20 am

Just a heads up, I rebooted my ONT yesterday after 300 days of using this method and I could not authenticate. I then plugged my AT&T Gateway back in and it would not authenticate either, after much power-cycling troubleshooting. AT&T Advanced Support had to re-push the provisioning profile (with only the AT&T gateway connected) for it to begin working again. Once back working stable with the AT&T Gateway, for safety's sake I also downgraded to 6.47.8 in case 6.48 was causing issues with the VLAN change I saw you guys talking about. My theory is that after so many days of not being able to communicate with my AT&T gateway, the AT&T network invalidates something? Moving forward I have a reminder to reboot ONT+Gateway together every 6 months.

I have not upgraded back to 6.48 and rebooted yet. I won't do this on a weekend where support may be limited in case this was the issue causing authentication to fail.
When I have some free time I'll do this, but to be honest I've gone 7+ months without hooking up my BGW-210 and no issues so far. Before, I was only hooking them up to test them, then ripping the certs from them.
 
vikinggeek
Frequent Visitor
Posts: 54
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Jan 17, 2021 5:53 am

It appears that if your area is updated to XG-PON or XGS-PON (10G), the bypass and supplicant methods will stop working. The following dslreports.com thread has additional details:
https://www.dslreports.com/forum/r32839 ... 2-days-ago
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Feb 02, 2021 8:42 am

Sadly my bypass stopped working suddenly. I expected the PON light to be red, but nope, it was normal.

Restarting did nothing; out of curiosity I connected the BGW210 back after nothing seemed to resolve it, and it's working.

Would seem AT&T introduced the new XGS-PON authentication right at 12am CDT 2/2/2021 in my area.

Screw AT&T.

EDIT: Anyone else in the 77546 or 77598 area lose bypass? South Houston, Friendswood, Webster area-ish?
EDIT2: After letting the BGW210 connect, I ripped out the patch cable and plugged it into the MikroTik. I have working IPv4 and the Dot1X client shows authenticated. However, if the ONT is rebooted I am required to use the BGW-210 first; also IPv6 is dead. Hmm...... may just use a UPS with the ONT and then continue letting it auth, then move it to the RB4011, since I know my Dot1x certs are good (ripped from the same exact BGW210 lol).
EDIT3: Got everything working again; had to switch certs. Bizarre. Strange that the BGW210 works fine, but the certs ripped from it no longer work. Instead I'm using a backup NVG589's certs.
Last edited by archerious on Tue Feb 02, 2021 10:12 am, edited 1 time in total.
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Feb 02, 2021 10:14 am

Anyone know how to do something similar to this Ubiquiti guy's post for MikroTik?
https://www.dslreports.com/forum/r32512123-
set interfaces ethernet eth0 vif 0 dhcpv6-pd prefix-only
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 0 interface lo host-address '::1'
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 0 interface lo prefix-id ':F'
set interfaces ethernet eth0 vif 0 dhcpv6-pd pd 0 interface lo service slaac
The first disables DHCPv6-NA, the rest assigns :F to loopback
I want to avoid my RB4011 getting a 2001 address.

EDIT: Lol, I just had to uncheck "address" and "allow peer DNS", thus only allowing my RB4011 to pull a prefix. Jesus Christ, why am I so incapable of reading basic CLI. Now it's working.

 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Feb 03, 2021 11:05 pm

EDIT3: Got everything working again, had to switch certs. Bizarre. Strange that the BGW210 works fine, but the certs ripped from it no longer work. Instead using backup NVG589's certs.
Well that's weird, you would figure if it was on it would be on for all devices. Maybe XGS-PON only applies to certain generation devices (not sure if that makes sense, haven't read into what the key differences are).
 
douglife
just joined
Posts: 1
Joined: Sun Apr 11, 2021 10:28 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Apr 11, 2021 11:26 pm

Is the hEX S suitable for the bridge method without a switch in front to strip VLAN using the latest firmware?
 
vikinggeek
Frequent Visitor
Posts: 54
Joined: Sat Aug 02, 2014 4:14 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Apr 12, 2021 9:55 am

@douglife: My experience is that the subscribed speed is a more significant factor. If you are on the 1G service, only the RB4011 and the CCR series seem to be able to push enough bits even with a vanilla configuration. Add some firewall rules, VLANs, VPNs, etc. and you need more power than the hEX S can handle.
 
wojo
Frequent Visitor
Posts: 85
Joined: Tue Aug 21, 2018 4:37 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Apr 12, 2021 3:51 pm

Not sure what happened yesterday but my bypass on a CCR1009 stopped working. I have two sets of certificates, neither would authenticate. Perhaps like @archerious the certs were blacklisted, and it requires different/newer certs now?

I plugged my BGW210 back in and it also never completed 802.1x auth, was on the phone with AT&T to reset the ONT and also push a provisioning profile back down to the modem since it's been over a year since it was plugged in, then they finally gave up and shipped me a new modem that will be here tomorrow. They told me since the modem was unplugged for so long it probably wouldn't work anymore.

That said, left the BGW210 plugged in and it finally authorized after a few hours.

I'm tempted to give up on the bypass because of the issues with having to plug the modem back in once in a while.
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Aug 15, 2021 9:18 am

Anyone ever compile a guide for setting up IPv6 on AT&T Fiber bypass?
 
planetcoop
Member Candidate
Posts: 140
Joined: Thu May 15, 2014 2:32 pm
Location: Sacramento, CA

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Aug 22, 2021 3:15 am

Look above at my post #59; I have had great luck with IPv4 and IPv6 on ATT.
 
Zorb
just joined
Posts: 20
Joined: Fri Oct 09, 2020 1:41 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Aug 22, 2021 9:01 am

Been quite some time, but I finally got around to rooting and extracting my own cert from the BGW-210.
But I am concerned because after the process I only have one file called cert.tar,
and the instructions here say to try uploading the three certs in order.. Any tips?
 
BartoszP
Forum Guru
Posts: 3068
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Aug 22, 2021 9:18 am

A tar file is an uncompressed archive, whereas a zip file is a compressed one. Try to "untar" it with e.g. the 7-Zip tool.
 
Zorb
just joined
Posts: 20
Joined: Fri Oct 09, 2020 1:41 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Aug 22, 2021 9:32 am

A tar file is an uncompressed archive, whereas a zip file is a compressed one. Try to "untar" it with e.g. the 7-Zip tool.
derp.. that should have been painfully obvious but going through this process made me forget that was a possibility..
Now if I could figure out why the = sign is invalid syntax in the terminal I might be good!
 
Zorb
just joined
Posts: 20
Joined: Fri Oct 09, 2020 1:41 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Aug 22, 2021 10:54 am

Can't get past DHCP searching..
No traffic on ether1.
Am I missing something blatantly obvious in the setup for this, since I started with an empty config and only did the guide?
The Dot1x GUI just cycles between connecting and authenticating.
Do I need to set the system clock to a specific time zone?

I have a hunch this is the VLAN 0 packet issue mentioned above.. I'm on a hAP ac2.
 
Zorb
just joined
Posts: 20
Joined: Fri Oct 09, 2020 1:41 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sun Aug 22, 2021 5:41 pm

Now I'm "authenticated without server"... Bizarre.

Updated the firmware to the newest beta.
Enabled VLAN stripping on switch1; not sure which fixed it, but I am now authenticated.

Seeing traffic on ether1, but I still have no internet access, so I rebooted the router and now I can't find it in WinBox. Lovely.

Okay.. it's randomly working now after redoing this process about 5 times. No clue what's different, unless the default config from the new firmware is different from the default config I carried over when updating the first time. Now I just have to figure out a firewall and QoS again.
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Aug 25, 2021 12:45 am

Look above at my post #59; I have had great luck with IPv4 and IPv6 on ATT.
I followed it as much as I could understand, but I still have an issue where it's assigning IPv6 addresses meant for other VLANs and then IPv6 is dying.

1875 is supposed to be for VLAN50, 1874 for VLAN45, 1873 for VLAN20, and 1872 for VLAN100.

My PC is on VLAN100, assigned 10.1.1.44, but it is getting IPv6 addresses meant for other VLANs too.

Any assistance is appreciated. Another issue is that randomly the IPv6 will go unbound on the DHCPv6 client, causing IPv6 to die and many devices to not have internet until I restart them or turn off IPv6.

I don't have that issue with my Ubiquiti UDM, but I prefer using MikroTik, as the Ubiquiti has its own issues.
 
ggayan
just joined
Posts: 4
Joined: Fri Jun 27, 2014 5:48 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Dec 06, 2021 12:11 am

Anyone having luck running the supplicant method with the RB4011 and the recent RouterOS 7.1 release?

I am getting IPv6 but can't get an IPv4 address.

Update: I was able to get IPv4 by adding the ONT ethernet interface to a bridge with VLAN filtering on, but IPv6 stopped working. I ended up:

- disabling the bridge with VLAN filtering
- setting my public IPv4 and a default route manually

Now I get both IPv4 and IPv6 connectivity. I tried searching for the vlan-mode=fallback setting in the switch settings, but it seems to be non-existent for the RB4011 in ROS 7.1.

Update 2:

- Lost IPv4 connectivity with the manual IP
- Re-created a bridge with VLAN filtering for the ONT interface; now both IPv4 and IPv6 work fine.

I am not sure what changed in ROS 7.1, but it seems that what used to work, without the ONT interface bridge, no longer works.
 
thefrog1394
just joined
Posts: 1
Joined: Wed Dec 08, 2021 2:18 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 08, 2021 2:23 am

Anyone having luck running the supplicant method with the RB4011 and the recent RouterOS 7.1 release?

I am getting IPv6 but can't get an IPv4 address.

Update: I was able to get IPv4 by adding the ONT ethernet interface to a bridge with VLAN filtering on, but IPv6 stopped working. I ended up:

- disabling the bridge with VLAN filtering
- setting my public IPv4 and a default route manually

Now I get both IPv4 and IPv6 connectivity. I tried searching for the vlan-mode=fallback setting in the switch settings, but it seems to be non-existent for the RB4011 in ROS 7.1.

Update 2:

- Lost IPv4 connectivity with the manual IP
- Re-created a bridge with VLAN filtering for the ONT interface; now both IPv4 and IPv6 work fine.

I am not sure what changed in ROS 7.1, but it seems that what used to work, without the ONT interface bridge, no longer works.
I had the same issue on my RB4011 with packets not making it through ether1 after the update. Ran through similar steps looking for vlan-mode=fallback to no avail. Resolved by adding a bridge with VLAN filtering enabled, admit-all. A bit of a pain switching references from ether1 over to the new bridge, but not a huge deal. I have IPv6 disabled (the default config for ROS 7.1, it appears, at least based on my configuration).

One other note on the 7.1 upgrade - my system date got reset to 1970 which caused an issue with dot1x client connecting initially. Easy fix (just set the date correctly), but something to watch out for.
 
anav
Forum Guru
Posts: 22183
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 08, 2021 3:59 pm

I wonder if the 2.5Gig Port on the RB5009 will play nicer with such setups (bypasses)?
 
ggayan
just joined
Posts: 4
Joined: Fri Jun 27, 2014 5:48 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Dec 10, 2021 9:07 am

Anyone having luck running the supplicant method with the RB4011 and the recent RouterOS 7.1 release?

I am getting IPv6 but can't get an IPv4 address.

Update: I was able to get IPv4 by adding the ONT ethernet interface to a bridge with VLAN filtering on, but IPv6 stopped working. I ended up:

- disabling the bridge with VLAN filtering
- setting my public IPv4 and a default route manually

Now I get both IPv4 and IPv6 connectivity. I tried searching for the vlan-mode=fallback setting in the switch settings, but it seems to be non-existent for the RB4011 in ROS 7.1.

Update 2:

- Lost IPv4 connectivity with the manual IP
- Re-created a bridge with VLAN filtering for the ONT interface; now both IPv4 and IPv6 work fine.

I am not sure what changed in ROS 7.1, but it seems that what used to work, without the ONT interface bridge, no longer works.
I had the same issue on my RB4011 with packets not making it through ether1 after the update. Ran through similar steps looking for vlan-mode=fallback to no avail. Resolved by adding a bridge with VLAN filtering enabled, admit-all. A bit of a pain switching references from ether1 over to the new bridge, but not a huge deal. I have IPv6 disabled (the default config for ROS 7.1, it appears, at least based on my configuration).

One other note on the 7.1 upgrade - my system date got reset to 1970 which caused an issue with dot1x client connecting initially. Easy fix (just set the date correctly), but something to watch out for.
I also had this very same issue with the system date/time and Dot1x not authenticating. If you are reading this, make sure you reconfigure the system date/time manually before resetting your whole config 😁
 
Torsten
just joined
Posts: 6
Joined: Sun Jan 31, 2021 11:59 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 08, 2022 4:36 am

Would you mind posting a quick guide or command line to add the bridge for the ROS 7.1 update? Thanks
 
jprz98
just joined
Posts: 1
Joined: Sat Jan 08, 2022 11:24 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jan 08, 2022 11:26 am

Hello all,

I tried obtaining the cert of the BGW210 but was unable to. After some digging I read that after version 2.13 downgrading has become incredibly difficult, I'm currently on 2.15.4. Any help will be appreciated. Thanks
 
Torsten
just joined
Posts: 6
Joined: Sun Jan 31, 2021 11:59 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Jan 13, 2022 1:26 am

Hello all,

I tried obtaining the cert of the BGW210 but was unable to. After some digging I read that after version 2.13 downgrading has become incredibly difficult, I'm currently on 2.15.4. Any help will be appreciated. Thanks
Ebay? $29
 
ggayan
just joined
Posts: 4
Joined: Fri Jun 27, 2014 5:48 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Jan 21, 2022 7:13 pm

Would you mind posting a quick guide or command line to add the bridge for the ROS 7.1 update? Thanks
/interface bridge
add name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge-ont interface=ether1-ont
 
plz001
just joined
Posts: 1
Joined: Wed Jan 26, 2022 3:08 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jan 26, 2022 3:11 pm

So 2.15.4 is not possible to downgrade, right? The only way is to get the supplicant file; anyone please share, cinegraphyd @ gmail com, please.

I am using a BGW210-700.

Anyone got it to work this year? I didn't have a choice; in my location it's only ATT.
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Feb 18, 2022 11:28 pm

Would you mind posting a quick guide or command line to add the bridge for the ROS 7.1 update? Thanks
/interface bridge
add name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge-ont interface=ether1-ont
Thinking of going to ROS 7, still on 6.49.2.

Is the bypass stable? IPv4 and IPv6? Or is it so-so?
 
archerious
Member Candidate
Posts: 155
Joined: Sun Aug 26, 2018 7:50 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Feb 18, 2022 11:29 pm

So 2.15.4 is not possible to downgrade, right? The only way is to get the supplicant file; anyone please share, cinegraphyd @ gmail com, please.

I am using a BGW210-700.

Anyone got it to work this year? I didn't have a choice; in my location it's only ATT.
You can just buy a used BGW210 or an older model like the NVG589/NVG599 off eBay, then root it to get the certs from it.
 
JJT211
Frequent Visitor
Posts: 62
Joined: Sun Apr 28, 2019 9:01 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Apr 12, 2022 4:51 pm

Is anyone having issues using the Bridge method on 7.2? When I upgraded from 7.1.5, it no longer worked and the DHCP client never received an address. When I downgraded back to 7.1.5, all is fine.
 
jhasty3453
just joined
Posts: 1
Joined: Tue Apr 19, 2022 10:43 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Apr 19, 2022 11:27 pm

I'm trying to get the bridge method set up on my RB750Gr3 running RouterOS v7.2.1 and I'm also having issues with the DHCP client getting stuck on "Searching...".

Does anybody know if the guide needs to be updated to get bridge method working with RouterOS v7.2?

Edit: Its working now for me on v7.2.1 after I reset and reapplied the config. I don’t think I made any meaningful changes, but I’ll double check my config to see if I can pinpoint what fixed it.
 
das1996
just joined
Posts: 1
Joined: Mon Apr 25, 2022 2:36 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Mon Apr 25, 2022 2:38 am

Been quite some time, but I finally got around to rooting and extracting my own cert from the BGW-210.
But I am concerned because after the process I only have one file called cert.tar,
and the instructions here say to try uploading the three certs in order.. Any tips?
How did you root? My BGW210 updated itself at some point to 2.16.4. None of the downgrades are working.
 
pcunite
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Jul 20, 2022 9:34 pm

It appears there is a much better bypass now using your own GPON generic stick like this FS branded GPON-ONU-34-20BI module. The generic module will not use OMCI extensions that enable 802.1x authentication. Per the link, you do need to match the OMCI version (0xA0), ONT Hardware version, ONT Software version, Vendor string with Serial Number, and the password ("DEFAULT").

I've not tried it yet; report your success. But this should open up compatibility with any MikroTik hardware (with SFP support) and greatly reduce power and equipment needs.
 
abiv
just joined
Posts: 24
Joined: Sat Nov 23, 2019 4:51 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Aug 26, 2022 5:09 am

For the bridge method, if the router supports
# /interface ethernet switch rule add switch=switch1 ports=ether1 mac-protocol=0x888E new-dst-ports=ether2
# /interface ethernet switch rule add switch=switch1 ports=ether2 mac-protocol=0x888E new-dst-ports=ether1

can any of the lines above it be simplified?
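wojo's earlier post quotes the 6.48 changelog item about accepting priority-tagged (VLAN 0) EAP packets on the dot1x client, and the two switch rules above match mac-protocol=0x888E to relay EAPOL between ports for the bridge method. The following added example (not MikroTik code and not from any post in this thread) shows the frame-level reason both matter: the EAPOL frames arrive inside an 802.1Q header carrying VID 0, so the EtherType at offset 12 reads 0x8100, and a check for 0x888E at that offset misses them until the tag is stripped. All frames here are constructed and the MAC addresses are placeholders.

```python
"""Recognise and un-tag priority-tagged (VLAN 0) EAPOL frames.

Added example for this thread, not MikroTik code. Frames below are
constructed; MAC addresses are placeholders.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag (TPID)
ETHERTYPE_EAPOL = 0x888E  # 802.1X / EAPOL
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """802.1Q tag: TPID 0x8100 + TCI (PCP:3 bits, DEI:1 bit, VID:12 bits)."""
    return struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | (vid & 0x0FFF))


def build_eapol(dst: bytes, src: bytes, eapol_type: int, body: bytes = b"", tag: bytes = b"") -> bytes:
    """Ethernet frame carrying an EAPOL PDU (version 1), optionally 802.1Q tagged."""
    return dst + src + tag + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body


def outer_ethertype(frame: bytes) -> int:
    """EtherType at offset 12, i.e. what a naive 0x888E check looks at."""
    return struct.unpack("!H", frame[12:14])[0]


def strip_priority_tag(frame: bytes):
    """Return (frame_without_tag, vid, pcp); vid and pcp are None if untagged."""
    if len(frame) < 18 or outer_ethertype(frame) != ETHERTYPE_VLAN:
        return frame, None, None
    tci = struct.unpack("!H", frame[14:16])[0]
    pcp, vid = tci >> 13, tci & 0x0FFF
    return frame[:12] + frame[16:], vid, pcp   # drop the 4 tag bytes


def parse_eapol(frame: bytes):
    """Parse an untagged or priority-tagged EAPOL frame; None if it is not one."""
    untagged, vid, pcp = strip_priority_tag(frame)
    if vid not in (None, 0):
        return None   # a real VLAN id: belongs to a VLAN interface, not to the port's supplicant
    if len(untagged) < 18 or outer_ethertype(untagged) != ETHERTYPE_EAPOL:
        return None
    version, ptype, body_len = struct.unpack("!BBH", untagged[14:18])
    body = untagged[18:18 + body_len]
    info = {
        "dst": untagged[0:6].hex(":"),
        "src": untagged[6:12].hex(":"),
        "priority_tagged": vid == 0,
        "pcp": pcp,
        "eapol_version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
    }
    if ptype == 0 and len(body) >= 4:   # EAP-Packet: code, id, length, [type, data]
        code, ident, length = struct.unpack("!BBH", body[:4])
        info["eap"] = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
        if code in (1, 2) and length >= 5:
            info["eap"]["type"] = body[4]   # 1 = Identity, 13 = EAP-TLS
    return info


# Constructed sample frames (placeholder MACs, not real RG or authenticator addresses).
SUPPLICANT_MAC = bytes.fromhex("0a1b2c3d4e5f")
AUTHENTICATOR_MAC = bytes.fromhex("0a5f4e3d2c1b")

# EAPOL-Start from the supplicant, untagged and priority-tagged (VID 0, PCP 7).
START_UNTAGGED = build_eapol(PAE_GROUP_MAC, SUPPLICANT_MAC, 1)
START_PRIO = build_eapol(PAE_GROUP_MAC, SUPPLICANT_MAC, 1, tag=vlan_tag(0, 7))
# EAP-Request/Identity (code 1, id 1, length 5, type 1) from the authenticator, priority-tagged.
REQ_IDENTITY = build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0,
                           body=struct.pack("!BBHB", 1, 1, 5, 1), tag=vlan_tag(0, 7))
# The same PDU on a real VLAN (id 10): not link-local EAPOL for the physical port.
REQ_ON_VLAN10 = build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0,
                            body=struct.pack("!BBHB", 1, 1, 5, 1), tag=vlan_tag(10))

if __name__ == "__main__":
    samples = (("start untagged", START_UNTAGGED), ("start prio-tagged", START_PRIO),
               ("request/identity prio-tagged", REQ_IDENTITY), ("request on vlan 10", REQ_ON_VLAN10))
    for name, f in samples:
        print(f"{name}: outer ethertype 0x{outer_ethertype(f):04x} -> {parse_eapol(f)}")
```

The switch rule's mac-protocol=0x888E match and the supplicant's own classification both have to look past the VID 0 tag, which is what `strip_priority_tag()` does before `parse_eapol()` checks the EtherType; frames on a non-zero VLAN are deliberately left alone, since they belong to a VLAN interface rather than to the port's 802.1X state machine.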
 
grahamfairbank
just joined
Posts: 1
Joined: Sun Dec 26, 2021 7:34 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Dec 06, 2022 12:43 am

I've been running ATT -> ONT -> 4011 successfully with the supplicant configuration for about 2 years...
but, have not successfully upgraded to ROS7.

I see notes re: putting ONT side on a bridge - this doesn't work since it can't use the bridge as a dot1x destination, I've tried changing the formatting of the identity field ... no luck.

Any other recommendations, or, does the supplicant config just not work on ROS7?

Only meaningful config...

/interface ethernet
set [ find default-name=ether1 ] mac-address=50:95:51:91:xx:xx
/interface dot1x client
add anon-identity=50:95:51:91:xx:xx certificate=Client_001E46-8860224884xxxx.pem eap-methods=eap-tls identity=50:95:51:91:xx:xx interface=ether1

Thank you!
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Dec 28, 2022 10:59 pm

I tested with both an RB4011 and an RB5009 running ROS v7.6. I can confirm that the supplicant method does work with the following. Create a bridge (aka BR_ATT) with VLAN filtering enabled, admit all, and uncheck ingress filtering. Add the ether1 interface to your new bridge. Set up everything else like normal. This means the DHCP client using BR_ATT, and the Dot1X interface using ether1.

The issue with ROS v7.6 is that while Dot1X will work, there is never a DHCP received ack. Example output follows. When you change to a VLAN enabled bridge, you'll see the ack in the logs. Does anyone know a way to not need the bridge? It seems like it might introduce some overhead. But otherwise, it seems to work well.

# dec/28/2022 11:50:14 by RouterOS 7.6
#

 11:32:59 interface,info ether1 link up (speed 1G, full duplex)
 11:32:59 dot1x,packet c ether1 tx EAPOL-Start
 11:33:29 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:1 method:IDENTITY
 11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:2 method:TLS
 11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:3 method:TLS
 11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:4 method:TLS
 11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:5 method:TLS
 11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:6 method:TLS
 11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:7 method:TLS
 11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:8 method:TLS
 11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Success id:8
 11:33:30 dot1x,debug c ether1 authorized

 11:48:02 dhcp,debug,packet dhcp-client on ether1 sending discover with id 1234567890 to 255.255.255.255
 11:48:02 dhcp,debug,packet     secs = 13
 11:48:02 dhcp,debug,packet     flags = broadcast
 11:48:02 dhcp,debug,packet     ciaddr = 0.0.0.0
 11:48:02 dhcp,debug,packet     chaddr = AA:BB:CC:DD:EE:FF
 11:48:02 dhcp,debug,packet     Host-Name = "RB5009_TEST"
 11:48:02 dhcp,debug,packet     Msg-Type = discover
 11:48:02 dhcp,debug,packet     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server,Vendor-Specific
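A small log triage helper, added here as an example and not part of pcunite's post or of RouterOS: it walks the dot1x and DHCP client log lines in the order the bypass must progress (link, EAPOL-Start, EAP-Success, authorized, discover, ack) and reports the first stage that is missing, so the "authorized but no DHCP ack" case above is distinguished from a certificate or link problem. The dot1x and discover patterns follow the log shown above; the "received ack" and "EAP-Failure" wording and the sample log are assumptions.

```python
import re

# Constructed sample modelled on the RouterOS 7.6 log quoted in the post above:
# dot1x completes, the DHCP client sends discover, but no ack ever arrives.
SAMPLE_LOG = """\
11:32:59 interface,info ether1 link up (speed 1G, full duplex)
11:32:59 dot1x,packet c ether1 tx EAPOL-Start
11:33:29 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:1 method:IDENTITY
11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Request id:2 method:TLS
11:33:30 dot1x,packet c ether1 rx EAPOL-Packet EAP-Success id:8
11:33:30 dot1x,debug c ether1 authorized
11:48:02 dhcp,debug,packet dhcp-client on ether1 sending discover with id 1234567890 to 255.255.255.255
"""

# Stages in the order they must occur: (name, regex over the log, hint if absent).
# The dot1x and discover patterns match the quoted log; the ack wording is assumed.
STAGES = [
    ("link_up", r"interface,info \S+ link up",
     "WAN port has no link to the ONT"),
    ("eapol_start", r"dot1x,packet c \S+ tx EAPOL-Start",
     "dot1x client is not running on the WAN port"),
    ("eap_success", r"dot1x,packet c \S+ rx EAPOL-Packet EAP-Success",
     "EAP-TLS did not complete: check certificate, identity and MAC"),
    ("authorized", r"dot1x,debug c \S+ authorized",
     "port not authorized after EAP-Success"),
    ("dhcp_discover", r"dhcp-client on \S+ sending discover",
     "DHCP client never sent discover: is it enabled on the right interface?"),
    ("dhcp_ack", r"dhcp-client on \S+ received ack",
     "authorized but no DHCP ack: run the DHCP client on a VLAN-filtering bridge holding the WAN port"),
]

# Assumed wording for an explicit authentication failure (the "rejected" status).
EAP_FAILURE = re.compile(r"dot1x,packet c \S+ rx EAPOL-Packet EAP-Failure")


def diagnose(log_text: str) -> dict:
    """Return the stages found, the first missing stage and a hint for it."""
    if EAP_FAILURE.search(log_text):
        return {"reached": ["link_up", "eapol_start"], "missing": "eap_success",
                "hint": "EAP-Failure received: identity/MAC or certificate rejected"}
    reached = []
    for name, pattern, hint in STAGES:
        if not re.search(pattern, log_text):
            return {"reached": reached, "missing": name, "hint": hint}
        reached.append(name)
    return {"reached": reached, "missing": None, "hint": "bypass fully up"}
```

Paste the output of `/log print` (with dot1x and dhcp debug topics enabled) into `diagnose()` to get the same verdict on your own router.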
 
 
imlostok
just joined
Posts: 3
Joined: Mon May 22, 2017 3:58 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 02, 2023 2:43 am

Is this working on 7.7? I followed the instructions. I get Auth and I can pull the IP just no internet. I am using the x86 version. Thanks if someone can point me in the right direction.
 
phin
just joined
Posts: 21
Joined: Mon Dec 04, 2017 11:25 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Feb 22, 2023 4:52 pm

It appears there is a much better bypass now using your own GPON generic stick like this FS branded GPON-ONU-34-20BI module. The generic module will not use OMCI extensions that enable 802.1x authentication. Per the link, you do need to match the OMCI version (0xA0), ONT Hardware version, ONT Software version, Vendor string with Serial Number, and the password ("DEFAULT").

I've not tried it yet, report your success. But this should open up any MikroTik hardware compatibility (with SFP support) and greatly reduce power and equipment needs.

Do go on...
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Feb 23, 2023 6:16 am

Do go on ...

I plan to do it soon. In a few weeks or so.
 
pubudeux
just joined
Posts: 10
Joined: Sun Oct 25, 2020 7:54 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Fri Oct 06, 2023 6:44 am

Do go on ...

I plan to do it soon. In a few weeks or so.
Hey - did you ever make any progress on that? I was looking through the thread; the SFP module bypass looks very interesting.
 
User avatar
pcunite
Forum Guru
Forum Guru
Topic Author
Posts: 1347
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Oct 11, 2023 11:03 pm

Hey - did you ever make any progress on that? I was looking through the thread; the SFP module bypass looks very interesting.

Sorry, I've not gotten around to this. I note that the internet says the LEOX LXT-010S-H is the best SFP module for this sort of thing.
 
kevinhorner
just joined
Posts: 1
Joined: Wed Nov 01, 2023 1:04 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Nov 01, 2023 1:11 pm

I have bypass going on my 2216 using the bridge and the ssl certs to make VLAN 0 and dot1x work.

If I enable HW Offload on the switch port, traffic will no longer forward properly. I can ping outside addresses from the router terminal, but I cannot ping from any other device.

Slightly redacted config attached. Why would HW Offload break my configuration?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13105
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bypassing AT&T Residential Gateways with MikroTik

Thu Nov 02, 2023 3:04 pm

Why would HW Offload break my configuration?

Most probably the switch chip cannot (or is not properly set up by the bridge to) work with the required 802.1Q headers. And since the WAN port is the only port of that bridge, offloading doesn't make much of a difference: apart from handling 802.1Q headers (which seems to be off anyway), everything else has to be done by the CPU.
 
neelc
just joined
Posts: 6
Joined: Fri Apr 12, 2024 12:21 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Jun 01, 2024 2:03 am

The bridge bypass also works for Frontier FiberOptic GPON in Connecticut, which is former AT&T Fiber, but the condo was constructed after the sale. I didn't expect it to work but it did. Years of reading about AT&T Fiber did pay off in the end.

Frontier XGS-PON doesn't have 802.1X, but because of the supply chain issues, lower tiers are stuck on GPON for now unless you get a truck roll on "congestion issues".
 
neelc
just joined
Posts: 6
Joined: Fri Apr 12, 2024 12:21 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Sat Sep 07, 2024 1:13 am

As an update to my previous post, while this works great on a CCR2004 on Frontier, it doesn't work on a L009UiGS-RM or a RB4011iGS+RM. The Frontier router never got 802.1X auth. Frontier told me to pound sand when I wanted XGS-PON because they said our area is GPON-only.

Is there a way to get it to work on lower-end RB models?

My CCR2004 is moving to NYC where it's Verizon. Verizon is also buying Frontier. But as my family is keeping the Stamford home I'm hoping Verizon kills the ex-AT&T U-verse platform for good.
 
gfunkdave
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Tue Jan 09, 2018 12:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Tue Oct 15, 2024 10:10 pm

Trying to get this to work on a RB5009. The dot1X client says "authenticated" almost instantly, but the DHCP client just hangs on "searching".

/interface ethernet set [ find default-name=ether8 ] mac-address=AA:BB:CC:DD:EE:FF #my BGW-210 MAC
/interface bridge add ingress-filtering=no name=ATTbridge protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=ATTbridge ingress-filtering=no interface=ether8
/ip dhcp-client add interface=ATTbridge use-peer-dns=no

I've tried changing the DHCP client to the ether8 port instead of the bridge (and removing ether8 from the bridge first), but that didn't help. Can anyone help me troubleshoot? I'm really not sure what might be the issue.
 
gfunkdave
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Tue Jan 09, 2018 12:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Oct 16, 2024 6:16 pm

Update: today I tried again, thinking I might need to delete the DHCP client and re-create it. But today, with the exact same config, the 802.1x status just shows "rejected". The router's clock is correct to within a second or two. I've triple checked the MAC address in the WAN port and in the 802.1x identity field. What could be going on? The logs are not helpful.
 
gfunkdave
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Tue Jan 09, 2018 12:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Oct 16, 2024 10:41 pm

Not sure what changed, but after a reboot I'm once again getting "authenticated" on the dot1x client. I was back to the "not getting an IP address" issue, but then I changed the ethertype on the bridge to 0x9100, and I instantly got an IPv4 address. Yay.

But I can't seem to get an IPv6 delegation. Does anyone know if there are any tricks to getting one without the AT&T gateway?
 
gfunkdave
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Tue Jan 09, 2018 12:05 am

Re: Bypassing AT&T Residential Gateways with MikroTik

Wed Oct 16, 2024 11:11 pm

Aaannnnd once more, with all the answers. This gives everything needed to get fully functioning IPv4 and IPv6 on a RB5009 running 7.16.1 and bypass a BGW-210.

This assumes ether8 is your WAN port connected to the AT&T ONT. "xx:xx:xx:xx:xx:xx" and "xxxxxxxxxxxx" are the MAC of your BGW-210.

/interface bridge add ingress-filtering=no name=ATTbridge protocol-mode=none vlan-filtering=yes ether-type=0x9100
/interface ethernet set [ find default-name=ether8 ] mac-address=xx:xx:xx:xx:xx:xx
/interface bridge port add bridge=ATTbridge ingress-filtering=no interface=ether8
/interface dot1x client add certificate=ATT_Client eap-methods=eap-tls identity=xxxxxxxxxxxx anon-identity=xxxxxxxxxxxx interface=ether8
/ip dhcp-client remove [find interface=ether8]
/ip dhcp-client add interface=ATTbridge use-peer-dns=no
/ipv6 dhcp-client add add-default-route=yes interface=ATTbridge pool-name=ipv6-pool request=address,prefix use-peer-dns=no
/ipv6 address add from-pool=ipv6-pool interface=vlan-lan
/ipv6 address add from-pool=ipv6-pool interface=vlan-guest