Using pfSense with ATT BGW210-700 Fiber Gateway and an Orbi Wifi 6 AC4200 Router
Good Afternoon All,
I have some questions surrounding the integration of a pfSense router/firewall appliance into my current setup. I currently have AT&T fiber and am utilizing one of their fiber gateways (BGW210-700); I also wanted to clarify that I have NEVER used pfSense before. The fiber from outside is plugged into an ONT module in my computer room, and from there, the ONT feeds into the ATT gateway. From the internet port on my gateway, I am plugged into my Orbi Wifi 6 AC4200 router.
I have been doing some research on how to take the BGW210-700 completely out of the picture using MAC spoofing to spoof the WAN port MAC address of the WAN port of the fiber gateway. I have read other posts where it is not possible to take the fiber GW out of the picture, because it still has to do EAPOL certificate authentication with the ONT in order to process internet traffic. The biggest reason most people want to TRULY bypass the gateway is because of double NATing, invalid packets/packets being dropped, etc. I have also read that IP passthrough is NOT a true method of bypass.
I guess my overarching question is: how do I integrate my Orbi Wifi 6 AC4200 router into this setup? Would I be able to integrate a pfSense router into the mix and still be able to utilize my Orbi Wifi 6 router? Would I need to purchase a small switch (NetGear GS108, for example) and do VLAN 802.1Q tagging? My current setup is IP passthrough from the GW to the Orbi router, and I have the Orbi WiFi 6 router set up in AP mode, allowing the fiber GW to do the heavy lifting of processing and routing traffic to the Internet.
Any help that any one of you could provide would be greatly appreciated, thanks!
You're kind of hitting a few things here and, unfortunately, all of these won't have much to do with pfSense.
I've personally used ATT gigapower fiber in the past and bypassed it, and used pfSense as a primary router on the ATT service. There are many guides on how to bypass the ATT equipment on dslreports forums, I would suggest starting there and getting a better understanding of what you'll need.
In my case, I had two switches. A "smart" switch with a VLAN configured on 3 ports that allowed the ATT gateway to authenticate the fiber port, and then I unplugged the ATT gateway and plugged in the WAN port of the pfSense router. This was simple but required manual intervention if the fiber jack was ever power cycled (I keep all this stuff on a battery backup, so not an issue there). The second switch is just what you'll use for the stuff on your internal LAN, including any WiFi access points that you want to add in.
Some people have gone to great lengths to extract the ATT certificate and have scripted the authentication process natively to happen if the firewall reboots or if the fiber jack reboots. This is a much slicker and automated setup but requires a bit more effort, and frankly the switch bypass method worked so well I never pursued the certificate extraction method.
I haven't had ATT fiber for a few years now so I'm not sure if they've changed anything on their more recent installs. Given the activity on the forums, it seems quite a few people are still able to get the bypass working via a number of methods. This thread should get you going: https://www.dslreports.com/forum/r32295765-AT-T-Fiber-Any-way-to-bypass-att-modem-using-ASUS-GT-AC5300~start=240
If you do decide to use the wpa_supplicant method, then you may have some more pfSense-specific questions that some people here may help with. But personally, I would try the switch bypass method first, as it's much simpler and easier to troubleshoot if you don't have a detailed background in this stuff.