PfSense + AT&T Gigapower (PACE 5268ac) - 802.1x bridge



  • Hi all,

    I recently got AT&T Gigapower 1000/1000 and the modem/gateway that they provide doesn't provide true bridge mode, only DMZ+ mode, which is bound by the gateway's NAT table. This results in sometimes terrible performance from some machines. I was using a Ubiquiti USG but recently switched over to pfSense in an ESXi VM and have been happy with it so far. I'd like to build a physical box and migrate my pfSense configuration to it, but I'd also like to know if it's possible to do something in pfSense like in the following articles:

    https://strscrm.io/bypassing-gigapowers-provided-modem.html
    https://www.dslreports.com/forum/r30708210-

    I know you can do bridging and mac address spoofing in pfSense, but I'm not sure about the packet redirection over the bridges.

    Any ideas?

    Thanks!



  • Did you ever get this working on pfsense?



  • No, unfortunately I gave up and currently just run the PACE modem in DMZ+ mode.



  • I just saw a post yesterday on dslreports.com from a guy who wrote a Python script to proxy the authentication packets between the WAN port of your new router and the PACE WAN port. It's called eap_proxy.py

    so for example:
    eth0 > LAN
    eth1 > Pace WAN port
    eth2 > ATT ONT port (WAN)

    so you run the script:

    ```
    python eap_proxy.py eth1 eth2
    ```

    This solution requires a minimum of 3 ports to work; however, I wasn't able to make it work reliably.
    The script listens on both the WAN port and the Pace router port looking for 802.1x authentication packets and resends them on the other interface. The script seems to work, but I was not able to get an IP via DHCP on the WAN.
    
    So I'm using a 4-nic Qotom celeron based box with ubuntu and iptables and the bridging technique outlined in the threads you linked.
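    As an added illustration of what the post above describes (example code written for this thread, not the eap_proxy.py script itself), the snippet below parses raw Ethernet frames, picks out the 802.1X (EAPOL) ones, and reports which side a relay sitting between the Pace WAN port and the ONT port would hand each frame to, while leaving ordinary IP traffic alone. The interface names and MAC addresses are constructed for the example.

    ```python
    import struct

    ETH_P_EAPOL = 0x888E  # EtherType that marks an 802.1X (EAPOL) frame
    EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
    EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

    # Hypothetical interface roles from the post: eth1 = Pace WAN port, eth2 = ONT port
    PEER = {"eth1": "eth2", "eth2": "eth1"}


    def parse_eapol(frame: bytes):
        """Return a dict describing an EAPOL frame, or None if the frame is not 802.1X."""
        if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
            return None
        dst, src = frame[:6], frame[6:12]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETH_P_EAPOL:
            return None
        version, ptype, length = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + length]
        info = {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
                "type": EAPOL_TYPES.get(ptype, "Unknown")}
        if ptype == 0 and len(body) >= 4:  # EAP-Packet: decode the EAP header too
            code, ident, _eap_len = struct.unpack("!BBH", body[:4])
            info["eap_code"] = EAP_CODES.get(code, "Unknown")
            info["eap_id"] = ident
        return info


    def route(ingress: str, frame: bytes):
        """Return (egress_interface, parsed_info) for a frame a relay should pass on,
        or (None, None) for anything it must not touch."""
        info = parse_eapol(frame)
        if info is None or ingress not in PEER:
            return None, None
        return PEER[ingress], info


    # Constructed sample frames (MACs are made up, not real devices)
    PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
    GATEWAY_MAC = bytes.fromhex("001122334455")
    ONT_MAC = bytes.fromhex("00aabbccddee")
    # EAPOL-Start from the gateway: version 1, type 1, length 0
    SAMPLE_START = PAE_GROUP + GATEWAY_MAC + b"\x88\x8e" + b"\x01\x01\x00\x00"
    # EAP-Request/Identity (code 1, id 5, len 5, type 1) coming from the ONT side
    EAP_REQ = b"\x01\x05\x00\x05\x01"
    SAMPLE_REQ = (GATEWAY_MAC + ONT_MAC + b"\x88\x8e" + b"\x01\x00"
                  + struct.pack("!H", len(EAP_REQ)) + EAP_REQ)
    # Plain IPv4 frame: not EAPOL, so the relay leaves it to the bridge
    SAMPLE_IP = GATEWAY_MAC + ONT_MAC + b"\x08\x00" + b"\x45" + b"\x00" * 19

    if __name__ == "__main__":
        for iface, frame in [("eth1", SAMPLE_START), ("eth2", SAMPLE_REQ), ("eth2", SAMPLE_IP)]:
            print(iface, "->", route(iface, frame))
    ```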


  • Why go through all the trouble when DMZ+ works quite well?



  • @Davewolfs:

    Why go through all the trouble when DMZ+ works like crap with the 8000 connection limit in the NAT table on the AT&T router?

    There, fixed that for you.



  • @Davewolfs:

    Why go through all the trouble when DMZ+ works quite well?

    Some network services don't like double NAT.

    It happens a lot in online games that have anti-tampering protection on them; it just fails for some reason. You may also have problems running some sort of VoIP service.



  • @RobF:

    So I'm using a 4-nic Qotom celeron based box with ubuntu and iptables and the bridging technique outlined in the threads you linked.

    Can you elaborate on this? So you are now using a dedicated box only for bypassing and then to pfsense?



  • I know you can do bridging and mac address spoofing in pfSense, but I'm not sure about the packet redirection over the bridges.

    Please call AT&T support and ask for their devices that can be used together with AT&T GIGAPOWER.
    It could be only the Pace 5268AC you are using, but with some luck you could also go with the Arris NVG599
    from AT&T. If so, do it; this device still offers a so-called "IP passthrough mode" and then you will be able to place
    all of your own devices/firewall behind that "mode" or router. Link to that conversation: DSL-reports

    Question:
    But does ATT Gigapower allow authentication from a third party user owned router or does it have to go secondary to their own?
    Answer:
    You must use their router.  There is a kludged "IP Passthrough" mode to allow you to put your own router behind it though.