Netgate Discussion Forum

    Minimum hardware to do symmetric gigabit wan + pass 802.1x traffic to AT&T?

    Hardware
      ericseastrand

      @EmptyWallet:

      So you’re basically saying all you did is to put your new box in the Gateway’s DMZ, and you were good to go? No extra setup?

      Basically, yeah. I actually have static IPs, so I just went into the AT&T router setup and told it to give my pfSense box a static IP, and selected Firewall: Disabled, which automatically puts it in "DMZ+" mode.
      The only weird thing I had to do was to set up the LAN on 192.168.2.x (instead of the default 192.168.1.x). For some reason (I think because AT&T's device uses the 192.168.1.x range by default) I couldn't ping the pfSense box on the LAN (even though I got an IP from DHCP). Another valid solution could have been to put AT&T's device on 192.168.0.x, but I foresaw this eventually confusing their support techs, and/or giving them a reason not to assist me.

      @EmptyWallet:

      What version of pfSense are you running?

      2.4.0-RELEASE (amd64)

      @kejianshi:

      I get 1gb/1gb from wan to lan on ATT network which is bridged not routed.  CPU barely breaks a sweat.

      Are you on fiber-to-the-home by chance? If so, did you use the "pass the authentication over a bridge" hack described here: https://strscrm.io/bypassing-gigapowers-provided-modem.html?

      @kejianshi:

      A dual core machine with a very high single thread rating will likely outperform a 4 core or 8 core machine with a higher over all benchmark but lower per thread ratings in most cases.
      …
      passmark on the E7500 I'm running in Florida is only 1876 and handles gigabit traffic with ease. 
      Single Thread Rating: 1204

      Now I'm wondering why that Celeron box I built didn't perform despite having a single-thread rating of 1659. Maybe I was just testing it at a bad time, or against a slow/distant speedtest server. Who knows…

      In the end it all works out though: My parents will get a new Windows PC, and I'll probably end up virtualizing this Xeon box and consolidating several other power sucking devices into one.

        EmptyWallet

        @ericseastrand:


        You mentioned having static IPs, did you purchase those from ATT?

          belt9

          You can purchase static IPs from att, but you don't have to.

          I have my att ftth gateway set in IP passthrough with all firewalling "features" turned off and did not purchase any static IPs. pfSense gets the WAN address and functions just as it did with a cable modem. The only difference is one extra hop because of the gateway, and latency and throughput are far better and more consistent than I've ever seen across multiple cable providers in multiple states.

          So far even though I have a dynamic IP, it hasn't changed. If it's anything like my previous cable providers it won't change for a very long time (> 1 year).  But we will see.

            EmptyWallet

            @belt9:


            Gotcha. I’m about to have my choice of Gigabit Ethernet via Suddenlink (cable) or ATT (fiber). I’m unsure which to go with. If I pick Suddenlink, I can use my own modem and I feel I can use my pfSense box to its fullest potential.

            If I pick ATT, I have to use their Gateway, and stick my pfSense box behind it. I am unsure if that’s the best way to get the fastest speeds or use my pfSense box to its fullest potential.

            Any thoughts? I’ve heard nothing but horror stories from folks using the ATT Gateways along with their own router behind it. I’ve heard it limits what you can do with pfSense as well.

            Dunno if that’s true.

              behemyth

              I have the Pace modem with Gigapower, and I haven't had any issues using routers or anything else behind it. You just have to make sure you have a set of static IPs, and then assign one to the WAN interface. Unless you're a large company or have hundreds of users, there is zero chance you max out the 8-9k NAT table on the gateway they give you.

              The one thing I did change is run all of my consoles and even my PC through a router that I don't have doing IPv6, because they tunnel their 6 and it adds significant latency, which I don't like.

                belt9

                Again, you do not need to purchase static IPs with att ftth.

                None of the gateways have true bridge mode, all of the gateways have some form of half measure that provides pfSense with a public IP. This will be called something along the lines of DMZ+ or ip-passthrough. It doesn't matter to you which mode you get.

                What does matter as far as which gateway you get is the NAT table size. Some of the older gateways had much smaller NAT tables, like 2k. The newer gateways are 8k+. You should get a new gateway if you are a new customer.
                All gateways, regardless of model or method to get pfSense a public IP, will force you to use the gateway's NAT table (even though you aren't double-NATed), so having that larger NAT table matters.

                I would recommend you purchase your plan and schedule your installation, tell them you only want a new model with a large NAT table.
                After the installation is scheduled, log in to your account and start an online chat. Tell them your account number and installation confirmation number. Then ask them what model of gateway will be installed. Google that model, if it has a large NAT table then just save the chat transcript.

                When your installer arrives, BEFORE they do anything ask to see the gateway that will be installed. Google that model number if it's different than what they promised, if it also has a large NAT table then you're good. If it is a smaller NAT table, stop the install before it starts, reference your saved chat transcript and tell them you'll only accept the service with a new model that has a large table.

                Again, I don't think they even distribute the smaller NAT table models to new customers so it should be a non-issue, but better safe than sorry.

                Just to reiterate, you don't need to purchase ANY additional services from ATT to get it to work properly without double NAT on pfSense.
                The NAT table size, as has already been stated is only an issue for medium to large networks. Your home network, even if relatively large and complex will almost certainly not exhaust that table.
                For medium to large networks, or with the older gateways with small NAT tables it is a very real problem. That's why you find all the crazy hacks on how to bypass the gateway.

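Since belt9's point is that every state pfSense opens still occupies an entry in the AT&T gateway's NAT table, here is an added example (not from this thread, and not pfSense's own code) that counts states from `pfctl -ss` output per LAN host and compares the total with the gateway's table size (2k for the older units, 8k+ for the newer ones, as stated above). The line layout is an assumption about pf's state listing, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the assumed layout of `pfctl -ss` on pfSense:
#   <iface> <proto> <src>[:port] [(<pre-NAT src>)] -> <dst>[:port]   <state>
# Outbound states show the LAN address in parentheses; inbound ones use "<-".
SAMPLE_STATES = """\
all tcp 203.0.113.5:50123 (192.168.2.10:50123) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:50124 (192.168.2.10:50124) -> 198.51.100.21:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:40001 (192.168.2.11:40001) -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 203.0.113.5:50200 (192.168.2.12:50200) -> 198.51.100.30:80       FIN_WAIT_2:FIN_WAIT_2
all udp 203.0.113.5:40002 (192.168.2.11:40002) -> 198.51.100.53:53       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:22 <- 198.51.100.99:61000       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+(?P<dir><-|->|<->)\s+(?P<dst>\S+)\s+(?P<state>\S+)"
)


def parse_states(text):
    """Yield one dict per recognised state line; skip anything that does not match."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def host_of(endpoint):
    """Strip the port from 'addr:port' (IPv4 form; IPv6 would need bracket handling)."""
    return endpoint.rsplit(":", 1)[0]


def summarize(text, gateway_capacity):
    """Count states overall and per LAN host, and compare the total with the
    NAT table capacity of the AT&T gateway sitting in front of pfSense."""
    states = list(parse_states(text))
    per_host = Counter()
    for s in states:
        # Outbound states carry the pre-NAT LAN address; inbound states have
        # none, so they are grouped under a single 'inbound' bucket.
        inner = s["orig"] if s["orig"] else "inbound"
        per_host[host_of(inner)] += 1
    total = len(states)
    return {
        "total": total,
        "per_host": dict(per_host),
        "utilization": total / gateway_capacity,
        # Flag at 80% so the table is caught before it actually fills up.
        "warn": total >= 0.8 * gateway_capacity,
    }


if __name__ == "__main__":
    import sys
    # Pipe real output in with `pfctl -ss | python3 nat_load.py 8000`,
    # otherwise the constructed sample is summarised against an 8k table.
    cap = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    print(summarize(data, cap))
```

Run it from cron against a real state listing and alert on `warn` to catch the exhaustion belt9 describes before it shows up as dropped connections.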
                  kejianshi

                  Correct.  When I was setting this up for the single pfSense I have up on an ATT fiber connection I was assured that a good bridged mode where you get a public IP at the pfSense WAN was impossible.

                  It was very easy and straightforward.  The only side effect, which for some may be a deal breaker, is that IPv6 is not convenient to work out because of the way they pass in their tunnels and authenticate it on the modem.  I just pass bridged IPv4 and turned off IPv6 at the WAN.  I have no use for a /64 on my freakin WAN.

                    EmptyWallet

                    Got it. Thanks everyone!!

                      kejianshi

                      For the:

                      Intel(R) Core(TM)2 Duo CPU E7500 @ 2.93GHz
                      2 CPUs: 1 package(s) x 2 core(s)
                      AES-NI CPU Crypto: No

                      Speedtest results vary depending on network conditions.  Speedtest.net is highly variable and the comcast test is very consistent.

                      http://speedtest.xfinity.com/results/J98EWA1V1ACVMR0

                      http://www.speedtest.net/my-result/6738848123

                        whosmatt

                        @belt9:

                        None of the gateways have true bridge mode, all of the gateways have some form of half measure that provides pfSense with a public IP. This will be called something along the lines of DMZ+ or ip-passthrough. It doesn't matter to you which mode you get.

                        What does matter as far as which gateway you get is the NAT table size. Some of the older gateways had much smaller NAT tables, like 2k. The newer gateways are 8k+. You should get a new gateway if you are a new customer.
                        All gateways, regardless of model or method to get pfSense a public IP will force you to use the gateways NAT table (even though you aren't double NAT), so having that larger NAT table matters.

                        This is 100% correct.  Personally, I have the 5268AC passing through the public IP to pfSense with no issues in the 9 months or so I've had it.  But I'm on VDSL. The DMZ+ mode also works fine with fiber, but the OP is looking at a workaround that is only available with fiber.  It's not a true bridge mode, but it allows the AT&T CPE to handle the 802.1x auth without having to worry about the state table in the AT&T hardware.  At least that's how I understand it.

                        That clarification aside, the hardware required on the pfSense end won't be any different than for any other 1Gbps WAN.

                          Guest

                          Wouldn't it be easier to just get the 802.1x details and auth directly?

                            whosmatt

                            @johnkeates:

                            Wouldn't it be easier to just get the 802.1x details and auth directly?

                            I believe it uses a certificate that is locked to the CPE.

                              chpalmer

                              Seriously surprised this DSLReports thread isn't mentioned here..  (or did I miss it?)

                              http://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode

                              Triggering snowflakes one by one..
                              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                Guest

                                @chpalmer:

                                Seriously surprised this DSLReports thread isn't mentioned here..  (or did I miss it?)

                                http://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode

                                It is practically what we have already done here.

                                @whosmatt:

                                @johnkeates:

                                Wouldn't it be easier to just get the 802.1x details and auth directly?

                                I believe it uses a certificate that is locked to the CPE.

                                Unless that CPE stores the super secret sauce in some sort of TPM or Secure Enclave nothing prevents you from dumping all of its storage and reading the keys you need.

                                  PnoT

                                  @chpalmer:

                                  Seriously surprised this DSLReports thread isn't mentioned here..  (or did I miss it?)

                                  http://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode

                                  I've been looking around for a clean way to use 3 NICs in the pfSense to accomplish the auth with the python or other scripts but nothing seems to work.  The hardware switching with VLANs does indeed work but the pfSense will be set up for a remote site and no one is technical enough to redo the process in case of a power outage.  Anyone else find a simple solution?

                                    Finger79

                                    [Edit:  Oops, I didn't read the entire thread first.  You already bought a beefy Poweredge T30 a couple months ago.  Woot.]

                                    @ericseastrand:

                                    If that's overkill, what about using something like ESXi to run pfSense (and other services) in a virtual machine? I know it's possible, but is it a good idea (in the eyes of the pfSense community)?

                                    I'll add my two cents to this one.  One of the lessons learned at a past company (when we lost power to the datacenter because of catastrophic UPS failure during a UPS test on a Monday at noon (go figure…idiots in charge), and recovery took 12-24+ hours... losing millions of $$$) was that critical infrastructure (such as our DNS servers and Domain Controllers) was 100% virtualized.  And the back-end storage arrays for all these virtual servers?  Since the array lost power abruptly it had to go through a lengthy disk check, which took hours.  Meanwhile, since none of the servers that were up and running had any DNS, they were sitting ducks and useless.

                                    Lesson learned:  Virtualization is awesome, but don't virtualize 100% of your critical infrastructure.  Always have at least one physical device per infrastructure type.

                                    This is probably apples and oranges compared to a home environment, but if you want to virtualize pfSense in ESXi or any other hypervisor, just be aware that if the physical host fails or has to be rebooted (etc), your pfSense router, firewall, DNS, DHCP, and any other critical services will be down during that time.  So for highest availability, have at least one physical pfSense device, and feel free to virtualize the others.  Or have two virtual pfSense instances on two separate physical ESXi servers.

                                    Totally overkill answer, especially for home.  But it was a painful lesson learned and one I will always think about when I implement infrastructure, even at home.  :P

                                      merc

                                      I've been using the Pace 5268AC in a different configuration using CARP IP Aliases for years with U-verse, but when I upgraded to AT&T Fiber I discovered that the Add Cascade Router option is now working.  It appears to be a true IP pass-through, so I created the following post to help others out:

                                      https://forum.pfsense.org/index.php?topic=147288.0
