[ale] isp questions

Arie Van Willigen arie.vanwilligen at vynecorp.com
Tue Jun 16 09:54:34 EDT 2020


This is what I used to pass the 802.1x authentication to the ATT router and then have my PFSense Box take over.

https://github.com/uchagani/pfatt

Works like a charm.

Arie van Willigen | Junior Linux Systems Administrator
Vyne(tm)
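As an added illustration of what the proxying approach above actually relies on (this is example code, not taken from pfatt or from anyone on this thread): the box between the ONT and the ISP gateway only needs to recognise EAPOL frames (EtherType 0x888E, possibly behind an 802.1Q tag, since some ONTs carry traffic VLAN-0 tagged) and shuttle them between the ONT and the gateway, while every other frame is shuttled between the ONT and the firewall. The port labels, the drop rules, the MAC addresses and the sample frames are this example's own assumptions.

```python
import struct

# EtherType values (real IEEE assignments).
ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag
ETH_P_EAPOL = 0x888E   # 802.1X EAP over LAN
ETH_P_IPV4 = 0x0800

# Port names are this example's own labels for the three legs of the box.
ONT, GATEWAY, FIREWALL = "ont", "gateway", "firewall"

# 802.1X PAE group address (real); the other two MACs are made-up sample values.
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
GATEWAY_MAC = bytes.fromhex("02aabbccddee")
ONT_MAC = bytes.fromhex("021122334455")


def parse_ethertype(frame: bytes) -> int:
    """Return the payload EtherType of an Ethernet frame, looking through a
    single 802.1Q tag if one is present."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        etype = struct.unpack_from("!H", frame, 16)[0]
    return etype


def egress_port(ingress: str, frame: bytes):
    """Steering policy of the box: EAPOL moves between ONT and gateway, all other
    traffic moves between ONT and firewall. Returns the output port, or None
    when the frame is dropped."""
    is_eapol = parse_ethertype(frame) == ETH_P_EAPOL
    if ingress == ONT:
        return GATEWAY if is_eapol else FIREWALL
    if ingress == GATEWAY:
        # The gateway only gets to authenticate; its data traffic never reaches the ONT.
        return ONT if is_eapol else None
    if ingress == FIREWALL:
        # The firewall must never inject EAPOL (e.g. an EAPOL-Logoff) toward the ONT.
        return None if is_eapol else ONT
    raise ValueError(f"unknown ingress port {ingress!r}")


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes, vlan_tci=None) -> bytes:
    """Assemble a raw Ethernet frame; vlan_tci adds an 802.1Q tag (TCI 0 = VLAN 0, priority 0)."""
    hdr = dst + src
    if vlan_tci is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan_tci)
    return hdr + struct.pack("!H", etype) + payload


# Constructed sample frames.
EAPOL_START = b"\x01\x01\x00\x00"                          # EAPOL v1, type 1 (Start), body length 0
EAP_REQUEST_ID = b"\x01\x00\x00\x05" + b"\x01\x01\x00\x05\x01"  # EAPOL v1, type 0, EAP Request/Identity
DUMMY_IPV4 = bytes(20)                                      # zeroed IPv4 header is enough for steering

gateway_start = build_frame(PAE_GROUP_MAC, GATEWAY_MAC, ETH_P_EAPOL, EAPOL_START)
ont_request_vlan0 = build_frame(GATEWAY_MAC, ONT_MAC, ETH_P_EAPOL, EAP_REQUEST_ID, vlan_tci=0)
ont_data = build_frame(GATEWAY_MAC, ONT_MAC, ETH_P_IPV4, DUMMY_IPV4, vlan_tci=0)
# The firewall's WAN is assumed to use the gateway's MAC, as these setups do.
firewall_data = build_frame(ONT_MAC, GATEWAY_MAC, ETH_P_IPV4, DUMMY_IPV4)
gateway_data = build_frame(ONT_MAC, GATEWAY_MAC, ETH_P_IPV4, DUMMY_IPV4)


def demo() -> dict:
    """Run each sample frame through the policy; returns {name: egress port}."""
    samples = {
        "gateway EAPOL-Start": (GATEWAY, gateway_start),
        "ONT EAP-Request (VLAN 0)": (ONT, ont_request_vlan0),
        "ONT IPv4 data (VLAN 0)": (ONT, ont_data),
        "firewall IPv4 data": (FIREWALL, firewall_data),
        "gateway IPv4 data": (GATEWAY, gateway_data),
    }
    return {name: egress_port(port, frame) for name, (port, frame) in samples.items()}


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:28s} -> {out}")
```

The point of the policy is that the gateway keeps doing the 802.1x handshake on the real link, but nothing it sends other than EAPOL ever reaches the ONT, and the firewall can never speak EAPOL, so neither side can disturb the other's role.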

From: Ale <ale-bounces at ale.org> On Behalf Of Derek Atkins via Ale
Sent: Tuesday, June 16, 2020 9:48 AM
To: Alex Carver via Ale <ale at ale.org>
Subject: Re: [ale] isp questions


Hi,

Alex Carver via Ale <ale at ale.org> writes:

> On 2020-06-15 15:18, Sam Rakowski via Ale wrote:
[snip]
>> Things aren't quite as easy as just plugging your pfSense box into
>> the ONT. The box provided does some 802.1x authentication with a
>> cert in the router before the port is enabled, but from what I've
>> read, once it does that, the port is enabled. I've read online, but
>> haven't had the time yet to do this, but if you have an extra port
>> on your pfSense box, you can proxy the 802.1x packets from the box
>> through to the ONT, then use that as your WAN connection.
>>
>> If you have any luck doing that, please send me/the list a quick
>> write-up and that might spur me into action :) It is possible
>> though, from what I've heard.
>
> Yes their modem firmware disables pure bridging. You can run a firewall
> behind it with a static IP (I do) but all your packets go through the
> internal connection tracking table first as if it was being NATted. I
> had one of their older modems and the connection tracking table was
> super small and would fill up quickly because it's shared with all the
> other connections going through including the random network probes.
> The newer modem has a larger table but it still behaves the same way,
> acting like it's trying to NAT your static but passing the traffic on
> anyway.
>
> The one thing I've done is modify the table expiration time so that it
> doesn't completely fill up. It seems to have helped for the most part.
> It's not ideal and kind of infuriating when the stock modem firmware
> understands how to bridge but AT&T completely hosed it.

So... I've got AT&T 1G fiber with a /29 static IP network, and I also
tunnel a class-C network that I own. I was hitting this NAT-table limit
often. Even worse, it's an attack vector -- someone from the outside
can flood your network and fill up the NAT table which then drops you
off the network.

LUCKILY, there *IS* a solution to this if you're willing to add a little
bit of hardware:

http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits

Basically, you add a "magic box" that sits between the ONT and AT&T
modem but shunts all your real traffic to your firewall. So it
basically looks like:

                         +------- AT&T Modem
[ONT] --- [ Magic Box ] <
                         +------- Firewall ---- Your Network

This allows the modem to properly authenticate your network to AT&T, but
it is no longer in the critical path of your data.

I use a Unifi ER-X as the magic box. I'm actually using this
configuration now and it works great! I still get 900+mbps from
speedtest, so the ER-X definitely can keep up!

Good luck and enjoy!

-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
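As an added example, not code from Derek or from anyone else on this thread: a toy model of the modem's connection tracking table, showing why unsolicited probes from the Internet fill a fixed-size table and why shortening the entry expiration time (what Alex did) keeps it from filling. The table size, probe rate, flow tuples and timeouts are constructed values, not the modem's real ones.

```python
class ConntrackTable:
    """Toy model of a fixed-size NAT/connection tracking table with idle expiry."""

    def __init__(self, max_entries: int, timeout: float):
        self.max_entries = max_entries
        self.timeout = timeout
        self.entries = {}        # flow 5-tuple -> last time a packet was seen
        self.dropped_new = 0     # new flows refused because the table was full
        self.peak_entries = 0

    def _expire(self, now: float) -> None:
        """Evict every entry idle for at least `timeout` seconds."""
        cutoff = now - self.timeout
        for key in [k for k, seen in self.entries.items() if seen <= cutoff]:
            del self.entries[key]

    def observe(self, flow: tuple, now: float) -> bool:
        """Account one packet of `flow` at time `now`; False means the packet
        belonged to a new flow that could not be tracked (and is dropped)."""
        if flow in self.entries:
            self.entries[flow] = now
            return True
        self._expire(now)
        if len(self.entries) >= self.max_entries:
            self.dropped_new += 1
            return False
        self.entries[flow] = now
        self.peak_entries = max(self.peak_entries, len(self.entries))
        return True


def simulate(timeout: float, max_entries: int = 1024, probe_rate: int = 20,
             duration: int = 120) -> dict:
    """Constructed workload: one long-lived session refreshed every second, a
    new legitimate connection at t=60 and t=110, and `probe_rate` unsolicited
    scans per second, each a distinct 5-tuple that never sends a second packet."""
    table = ConntrackTable(max_entries, timeout)
    session = ("192.0.2.10", 52000, "198.51.100.5", 22, "tcp")   # sample addresses
    results = {}
    probe_n = 0
    for t in range(duration):
        table.observe(session, t)
        if t in (60, 110):
            new_conn = ("192.0.2.10", 52000 + t, "198.51.100.6", 443, "tcp")
            results[f"new_conn_at_{t}_accepted"] = table.observe(new_conn, t)
        for _ in range(probe_rate):
            probe = (f"203.0.113.{probe_n % 254 + 1}", 40000 + probe_n, "192.0.2.1", 445, "tcp")
            table.observe(probe, t)
            probe_n += 1
    results.update(peak_entries=table.peak_entries,
                   dropped_new=table.dropped_new,
                   steady_state_estimate=probe_rate * timeout)
    return results


if __name__ == "__main__":
    for timeout in (120, 10):
        print(f"timeout={timeout:>3}s:", simulate(timeout))
```

With idle entries lingering for 120 seconds the table holds every probe seen in that window, hits its cap within the first minute, and then refuses the legitimate new connections; with a 10 second timeout the same probe stream settles at roughly probe rate times timeout entries (200 here) and nothing legitimate is refused. That product is the quantity Alex's expiration tweak reduces, while Derek's arrangement takes the table out of the data path altogether.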