Hardware for AT&T fiber
-
I have been using the older Netgates for firewalls over the years. I'm moving to a location with AT&T fiber. I have read many posts about the PIA to get it working without their equipment in the middle. I understand the process and it sounds solid.
My question relates to the hardware solution. The 6100 series is out of my price range. Best I can tell, I need a switch that supports SFP+ and will deal with the VLAN0 issue to connect AT&T's fiber and then go 1G to my existing Netgate. If I'm correct, I'm looking for suggestions. Does the MikroTik CRS305-1G-4S+IN running SwitchOS or RouterOS work? I can't find any info about it passing VLAN0.
-
Will it work with a 1G SFP? If so, I could use my current setup that works with Google fiber
-
@CyberTiVo Not an answer to your question. Just my thoughts on the by-pass.
I have ATT fiber and a 7100. I get about 980 up and down using DMZ mode. The only downside I have found is the state table on the ATT POS is small and I crashed it a few times. My solution was to set the pfSense state table a little lower. It has not crashed since.
My speed testing has not shown a relevant speed difference, so for me it is not worth the trouble to do the by-pass. -
@AndyRH Do you happen to know what that limit is? I know there is one, and long, long ago we decided it was too small for us.
However we moved a client with a 3100 to AT&T fiber using pass through and they have been fine.
Side note: all our client PCs connect in, and at the time those were new connections potentially every few seconds in "fast" mode. Those overran our original router, hence our switch to m0n0wall and then pfSense.
-
Thanks for the input; so, DMZ mode works fine? Not too concerned about speed; I was worried about having double NATing issues; also, I don't trust AT&T to not get in the way; I run many IPsec tunnels; did I mention I don't trust AT&T, lol
-
@CyberTiVo said in Hardware for AT&T fiber:
did I mention I don't trust AT&T
I suspect our trust is equal.
I run a WG tunnel to a friend's house with no issues and several PIA tunnels for other stuff.
DMZ mode removes double NAT. It is like it is not there; pfSense has the outside address as its WAN address.
The only oddity is twice ATT has decided I needed WiFi and turned it back on. They do seem to not like it when asked why my WiFi is off and I answer, "Because I want good WiFi." -
Sounds like I can start with DMZ mode and see how things go; thanks for the comments
-
Have some connectivity; it's working but slowly; AT&T wireless is good, but internal (wireless/wired), not so much; pfSense thinks my Gateway is down 100% (gateway monitor); not sure what magic is going on with bridge/DMZ mode; I assume I have to turn their wireless off to avoid having 2 devices with the same Public IP?
-
@CyberTiVo I turned off the ATT WiFi in favor of my APs.
I do currently connect the ATT router to my switch and from there to the WAN side of pfSense. The "ATT Network" that I built is a 2 port VLAN on the switch, there are other benefits to this arrangement.
If you set up pfSense as the device for the DMZ, it will be the only one to get the public address; any other devices on the ATT router will be NATed and get 192.168.1.0/24 addresses.
What address range did you use for LAN? It cannot be the same range as the ATT router uses, which is default 192.168.1.0/24. I always choose even subnets, such as 192.168.42.0/24. -
Yes, but if the ATT WiFi is still on, devices get an IP in 192.168.1.0/24 and then they get NATed to something; I know it sounds crazy, but I haven't had a chance yet to turn off their WiFi (family is killing me)
WAN of pfSense is in a LAN port on the router; IP Passthrough to the MAC of pfSense WAN, DHCP on WAN gets the correct IP and as I mentioned I can get out; my internal net is 172.19.0.0/16
I can web to the ATT device on 192.168.1.254 from LAN
Should be able to turn off WiFi in an hour or so and see what happens -
Speed good now, but the gateway still shows down; traceroute shows 1st hop is ATT (192.168.1.254) then *****
probably not playing nice -
Try setting the monitoring IP to something external, it will give you better data anyway.
Edit the gateway in System > Routing > Gateways. Try using 8.8.8.8 or 1.1.1.1 etc.
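The checks that the thread converges on (pfSense's WAN must hold the public address rather than a 192.168.1.x lease, the pfSense LAN must not overlap the AT&T gateway's 192.168.1.0/24, and the gateway monitor target should be something beyond the AT&T box) can be scripted before cutover. The following is an added example written for this page, not code from the thread or from Netgate; the WAN address 203.0.113.10 is a constructed placeholder from documentation address space, and the function names are my own.

```python
"""Pre-flight checks for pfSense behind an AT&T gateway in IP Passthrough / DMZ mode.

Added example for this page (not from the thread or from pfSense). The sample
values at the bottom are constructed: 203.0.113.10 is documentation space standing
in for a real public WAN lease.
"""
import ipaddress

# AT&T residential gateway default LAN; the gateway itself answers on 192.168.1.254.
ATT_LAN = ipaddress.ip_network("192.168.1.0/24")

# Address space that can never be a real public WAN address. We list these
# explicitly instead of using ip.is_private, because Python also classifies the
# documentation ranges (192.0.2.0/24, 203.0.113.0/24, ...) as private.
NON_PUBLIC = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "100.64.0.0/10",   # CGNAT, seen on some ISPs
              "169.254.0.0/16", "127.0.0.0/8")
]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def check_wan_address(wan_ip: str) -> str:
    """Passthrough only works if the DHCP lease on pfSense WAN is the public address."""
    ip = ipaddress.ip_address(wan_ip)
    if ip in ATT_LAN:
        return "double NAT: WAN leased an AT&T LAN address, passthrough is not active"
    if _in_any(ip, NON_PUBLIC):
        return f"WAN address {ip} is not public"
    return "ok"


def check_lan_subnet(lan_cidr: str) -> str:
    """The pfSense LAN must not overlap the AT&T gateway's LAN or return traffic
    for 192.168.1.254 (and NATed AT&T WiFi clients) is routed the wrong way."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    if lan.overlaps(ATT_LAN):
        return f"LAN {lan} overlaps AT&T LAN {ATT_LAN}; pick a different range"
    return "ok"


def check_monitor_ip(monitor_ip: str) -> str:
    """dpinger should probe something past the AT&T box; probing 192.168.1.254
    (or any private address) says nothing about the path to the Internet."""
    ip = ipaddress.ip_address(monitor_ip)
    if ip in ATT_LAN:
        return "monitor target is the AT&T gateway itself; use an external address"
    if _in_any(ip, NON_PUBLIC):
        return f"monitor target {ip} is not an external address"
    return "ok"


def run_checks(wan_ip: str, lan_cidr: str, monitor_ip: str) -> dict:
    """Run all three checks and return a name -> result mapping."""
    return {
        "wan": check_wan_address(wan_ip),
        "lan": check_lan_subnet(lan_cidr),
        "monitor": check_monitor_ip(monitor_ip),
    }


if __name__ == "__main__":
    # Constructed values mirroring the thread: public lease on WAN, 172.19.0.0/16
    # internal, and first the bad monitor target, then a corrected one.
    for monitor in ("192.168.1.254", "1.1.1.1"):
        for name, result in run_checks("203.0.113.10", "172.19.0.0/16", monitor).items():
            print(f"{name:8} {result}")
        print()
```

A gateway marked down while traffic still flows (the symptom in the thread) is exactly the case the monitor check catches: the AT&T gateway may drop or rate-limit ICMP to itself even though it forwards traffic, so an external monitor address reflects the real path.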