Dual LAN, bridging and filtering (plus fiber modem / router bypass)



  • I currently have an AT&T gigabit connection via fiber. The router that AT&T provides isn't great, and I would like to bypass their router and have the traffic from the ONT go directly to pfSense. I also have a Comcast connection which I would like to use as a secondary / backup WAN, with some of my traffic going to Comcast as primary (split my network into 2).

    It seems like AT&T requires the modem in order to authenticate with the ONT and get an IP (using 802.11x and EAP).

    Some folks have managed to bypass the AT&T router by bridging and filtering (using a Ubiquiti or a Linux box with 3 network ports), i.e. bridging the ONT port to the AT&T router port and only sending 802.11x and EAP traffic, and bridging the ONT port to the LAN / pfSense port and allowing all other traffic (except 802.11x and EAP). In this way, the AT&T router is used for authenticating to the ONT and keeping the connection alive, and pfSense is used for all other routing and network management.

    My pfSense box is a Supermicro board with 4 ports. I would like to have the following:

    port 0: WAN0 (AT&T - connected to ONT)
    port 1: WAN1 (Comcast - connected to modem)
    port 2: LAN (connected to switch)
    port 3: Bypass (AT&T - connected to router)

    Is there a way I can do this bridging and filtering in pfSense?

    I am thinking I would bridge port 0 (ONT) and port 3 (AT&T router) and only allow 802.11x and EAP traffic to port 3 (and drop everything else). I would also bridge port 0 (ONT) with port 2 (LAN) and allow all traffic except 802.11x and EAP traffic (do I even need to filter here, or can I just allow everything)?

    Questions are:

    1. Is this even possible? I can't seem to find a way to filter 802.11x and EAP traffic. The firewall allows filtering of traffic, but I am only seeing IP filtering and nothing related to 802.11x or EAP.
    2. Would I still need to spoof the MAC address of the AT&T router onto the LAN port so traffic going to the ONT appears to be from the AT&T router? I don't think that's necessary since the ONT will only see traffic coming from the port 3 MAC, and that won't change.
    3. I haven't even gotten to the part of enabling the second WAN and routing half the network traffic to that... it depends on whether all of this is even possible.

    Any pointers or suggestions on whether all of this can happen?

    Note, my pfSense knowledge is extremely limited and basic... I just have a default setup right now without many tweaks or changes. All of the above is mostly due to just reading various threads and forums, and I haven't started testing anything of this out yet.

    Thanks!
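
The split the post above describes, written out as an added example. This is my code, not the poster's, not pfSense's and not the code from the Ubiquiti or Linux write-ups the post refers to. What it makes concrete, and why it bears on question 1: the authentication the ONT expects is IEEE 802.1X, which is carried in EAPOL frames with EtherType 0x888E. That is a layer-2 protocol, not IP, so a firewall rule that matches on IP addresses, protocols or ports can never see it; the split has to be made by something that classifies frames by EtherType. The program below is that classifier on the three legs of the bridge (ONT, AT&T gateway, and the leg the firewall routes on), looking through 802.1Q tags so a priority-tagged EAPOL frame is still recognised, and, run as root on a Linux box with three NICs (the set-up the post mentions), it forwards real frames with raw sockets. Everything else is this example's own choice or assumption: the leg names and the MAC addresses are made up; the non-EAPOL traffic is handed to a leg the firewall uses as its WAN interface rather than put onto the LAN switch port, so that pfSense's firewall and NAT sit between the ONT and the LAN; and the rewriting of the source MAC on upstream data frames to the gateway's MAC is taken from the bypass approach the post mentions, not something the post itself establishes.

```python
#!/usr/bin/env python3
"""Three-leg EAPOL-aware bridge: the split the post describes, as one program.
Legs (this example's names, not the poster's port numbers): ONT = fibre ONT side;
RG = AT&T residential gateway, only 802.1X (EAPOL, EtherType 0x888E) crosses here;
WAN = the leg the firewall routes on, everything except EAPOL crosses here.
steer() is the pure decision, run on constructed frames by demo(); run() forwards
real frames on Linux with AF_PACKET raw sockets (needs root and three NICs)."""
from __future__ import annotations
import select
import socket
import struct
import sys

ETHERTYPE_EAPOL, ETHERTYPE_VLAN, ETHERTYPE_QINQ = 0x888E, 0x8100, 0x88A8  # 802.1X, 802.1Q, 802.1ad
ETH_P_ALL = 0x0003
ONT, RG, WAN = "ONT", "RG", "WAN"

def payload_ethertype(frame: bytes) -> int:
    """EtherType of the payload, looking through any 802.1Q/802.1ad tags."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        off += 4  # skip the TCI and read the next TPID/EtherType
        if len(frame) < off + 2:
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return ethertype

def steer(ingress: str, frame: bytes, rg_mac: bytes) -> tuple[str, bytes] | None:
    """Pick the egress leg for a frame, or None to drop it."""
    eapol = payload_ethertype(frame) == ETHERTYPE_EAPOL
    if ingress == ONT:
        return (RG, frame) if eapol else (WAN, frame)
    if ingress == RG:  # the gateway's own DHCP/IP traffic never reaches the ONT
        return (ONT, frame) if eapol else None
    if ingress == WAN:
        if eapol:  # nothing behind the firewall may speak 802.1X upstream
            return None
        # Assumption: upstream data frames carry the gateway's MAC, as the bypass write-ups do.
        return (ONT, frame[:6] + rg_mac + frame[12:])
    raise ValueError(f"unknown leg {ingress!r}")

# Constructed sample frames (made up for this example, not captures).
RG_MAC, FW_MAC, ONT_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), bytes.fromhex("aabbccddeeff")
PAE_GROUP, BCAST = bytes.fromhex("0180c2000003"), b"\xff" * 6  # 802.1X PAE group address, broadcast

def build(dst: bytes, src: bytes, ethertype: int, payload: bytes, tci: int | None = None) -> bytes:
    tag = struct.pack("!HH", ETHERTYPE_VLAN, tci) if tci is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

EAPOL_START = struct.pack("!BBH", 2, 1, 0)  # EAPOL v2, type 1 = Start, empty body
EAP_REQ_IDENTITY = struct.pack("!BBH", 2, 0, 5) + struct.pack("!BBHB", 1, 1, 5, 1)  # EAP-Packet: Request/Identity
SAMPLES = {
    "eapol_from_rg": (RG, build(PAE_GROUP, RG_MAC, ETHERTYPE_EAPOL, EAPOL_START)),
    "eapol_tagged_from_ont": (ONT, build(RG_MAC, ONT_MAC, ETHERTYPE_EAPOL, EAP_REQ_IDENTITY, tci=0)),
    "arp_from_fw": (WAN, build(BCAST, FW_MAC, 0x0806, bytes(28))),
    "ipv4_from_ont": (ONT, build(RG_MAC, ONT_MAC, 0x0800, b"\x45" + bytes(19))),
    "ipv4_from_rg": (RG, build(BCAST, RG_MAC, 0x0800, b"\x45" + bytes(19))),
    "eapol_from_fw": (WAN, build(PAE_GROUP, FW_MAC, ETHERTYPE_EAPOL, EAPOL_START)),
}

def demo() -> dict[str, str | None]:
    """Egress leg for each sample frame (None = dropped)."""
    result = {}
    for name, (leg, frame) in SAMPLES.items():
        decision = steer(leg, frame, RG_MAC)
        result[name] = decision[0] if decision else None
    return result

def run(ifaces: dict[str, str], rg_mac: bytes) -> None:
    """Forward real frames between three Linux interfaces until interrupted (root only)."""
    socks = {}
    for leg, name in ifaces.items():
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
        s.bind((name, 0))
        # Promiscuous mode: the ONT and WAN legs must accept frames addressed to the gateway's MAC.
        mreq = struct.pack("@iHH8s", socket.if_nametoindex(name), socket.PACKET_MR_PROMISC, 0, bytes(8))
        s.setsockopt(socket.SOL_PACKET, socket.PACKET_ADD_MEMBERSHIP, mreq)
        socks[leg] = s
    leg_of = {s.fileno(): leg for leg, s in socks.items()}
    while True:
        for s in select.select(list(socks.values()), [], [])[0]:
            data, addr = s.recvfrom(65535)
            if addr[2] == socket.PACKET_OUTGOING:  # ignore echoes of frames we sent ourselves
                continue
            decision = steer(leg_of[s.fileno()], data, rg_mac)
            if decision:
                socks[decision[0]].send(decision[1])

if __name__ == "__main__":
    if len(sys.argv) == 1:
        for name, egress in demo().items():
            print(f"{name:24s} -> {egress or 'DROP'}")
    elif len(sys.argv) == 5:
        run({ONT: sys.argv[1], RG: sys.argv[2], WAN: sys.argv[3]}, bytes.fromhex(sys.argv[4].replace(":", "")))
    else:
        sys.exit(f"usage: {sys.argv[0]} [ONT_IF RG_IF WAN_IF RG_MAC]")
```

Run with no arguments to see the decision for each constructed frame; run as root with the three interface names and the gateway's MAC to forward for real. Two caveats for whoever tries this: whatever sits on the WAN leg (pfSense's WAN interface, in the poster's layout) has to carry the gateway's MAC to accept the frames the ONT sends to it, which is what the MAC address field on pfSense's interface configuration page is for; and the same EtherType classification, done on pfSense's own FreeBSD base, is what the ng_etf(4) netgraph node (an EtherType filter) provides, so that is the direction to look for doing it on the firewall itself rather than on a separate box.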



  • Anyone have any ideas / suggestions?

    I am primarily trying to find a solution for the fiber modem bypass / bridging.

    Should I post this question in a different area?

    Thanks.



  • @ytn:

    Anyone have any ideas / suggestions?

    I am primarily trying to find a solution for the fiber modem bypass / bridging.

    Should I post this question in a different area?

    Thanks.

    I'm looking for the same solution but no one seems to have this worked out perfectly yet on pfSense that I can find.