[ale] isp questions
Alex Carver
agcarver+ale at acarver.net
Tue Jun 16 16:09:08 EDT 2020
On 2020-06-16 06:47, Derek Atkins wrote:
> Hi,
>
> Alex Carver via Ale <ale at ale.org> writes:
>
>> On 2020-06-15 15:18, Sam Rakowski via Ale wrote:
> [snip]
>>> Things aren't quite as easy as just plugging your pfSense box into
>>> the ONT. The box provided does some 802.1x authentication with a
>>> cert in the router before the port is enabled, but from what I've
>>> read, once it does that, the port is enabled. I've read about it
>>> online but haven't had the time yet to do this; if you have an extra
>>> port on your pfSense box, you can proxy the 802.1x packets from the
>>> box through to the ONT, then use that as your WAN connection.
>>>
>>> If you have any luck doing that, please send me/the list a quick
>>> write-up and that might spur me into action :) It is possible
>>> though, from what I've heard.
>>
>> Yes their modem firmware disables pure bridging. You can run a firewall
>> behind it with a static IP (I do) but all your packets go through the
>> internal connection tracking table first as if it was being NATted. I
>> had one of their older modems and the connection tracking table was
>> super small and would fill up quickly because it's shared with all the
>> other connections going through including the random network probes.
>> The newer modem has a larger table but it still behaves the same way,
>> acting like it's trying to NAT your static but passing the traffic on
>> anyway.
>>
>> The one thing I've done is modify the table expiration time so that it
>> doesn't completely fill up. It seems to have helped for the most part.
>> It's not ideal and kind of infuriating when the stock modem firmware
>> understands how to bridge but AT&T completely hosed it.
>
> So... I've got AT&T 1G fiber with a /29 static IP network, and I also
> tunnel a class-C network that I own. I was hitting this NAT-table limit
> often. Even worse, it's an attack vector -- someone from the outside
> can flood your network and fill up the NAT table which then drops you
> off the network.
>
> LUCKILY, there *IS* a solution to this if you're willing to add a little
> bit of hardware:
>
> http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits
>
> Basically, you add a "magic box" that sits between the ONT and AT&T
> modem but shunts all your real traffic to your firewall. So it
> basically looks like:
>
>                          +------- AT&T Modem
> [ONT] --- [ Magic Box ] <
>                          +------- Firewall ---- Your Network
>
> This allows the modem to properly authenticate your network to AT&T, but
> it is no longer in the critical path of your data.
>
> I use a Unifi ER-X as the magic box. I'm actually using this
> configuration now and it works great! I still get 900+mbps from
> speedtest, so the ER-X definitely can keep up!
>
> Good luck and enjoy!
>
I had seen that some time ago but it only works for the fiber service
where you have the ONT converting to Ethernet. In my case I only have
copper service over the POTS lines, so I can't do that with my service;
that's why I resorted to the low expiration time on the connection
tracking table. I get hammered constantly by probes and was getting
knocked offline fairly regularly with the old modem.
I can't get fiber unless I'm willing to shell out some cash >$10k to run
the fibers.
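The two mechanics the thread turns on, a fixed-size connection-tracking table that unsolicited probes can fill until real connections are refused, and the shorter entry expiration time Alex uses to keep it from filling, can be modelled directly. The following is an added illustration, not code from this thread, from the 0xpebbles blog post, or from any AT&T modem firmware. The table capacity (1024 entries), the timeouts (300 s versus 30 s), and the traffic mix (20 new probe flows and 2 new legitimate flows per second) are assumed values chosen to make the effect visible; the steady-state occupancy of such a table is roughly new-flows-per-second times timeout, which is why cutting the timeout helps.

```python
"""Toy model of a modem's connection-tracking (NAT) table under a probe flood.

Added example for the ale thread, not code from the thread or from any modem
firmware. Capacity, timeouts and traffic rates below are assumed values.
"""

from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Flow:
    """One packet arrival: time in seconds, its 5-tuple stand-in, and whether it
    is traffic the user wants (as opposed to an unsolicited inbound probe)."""
    t: float
    key: tuple
    legit: bool


class ConntrackTable:
    """Fixed-capacity table whose entries expire 'timeout' seconds after the
    last packet of that flow. A new flow is refused when the table is full,
    which is what knocks the user's real connections off the network."""

    def __init__(self, capacity: int, timeout: float) -> None:
        self.capacity = capacity
        self.timeout = timeout
        self.entries: OrderedDict = OrderedDict()  # key -> last_seen time
        self.dropped_legit = 0
        self.dropped_probe = 0

    def _expire(self, now: float) -> None:
        # Entries are kept in last-seen order, so expired ones sit at the front.
        while self.entries:
            _key, last_seen = next(iter(self.entries.items()))
            if now - last_seen < self.timeout:
                break
            self.entries.popitem(last=False)

    def see(self, flow: Flow) -> bool:
        """Process one packet; return True if tracked, False if refused."""
        self._expire(flow.t)
        if flow.key in self.entries:
            self.entries.move_to_end(flow.key)  # refresh an existing flow
            self.entries[flow.key] = flow.t
            return True
        if len(self.entries) >= self.capacity:
            if flow.legit:
                self.dropped_legit += 1
            else:
                self.dropped_probe += 1
            return False
        self.entries[flow.key] = flow.t
        return True


def constructed_traffic(duration: int, probes_per_sec: int, legit_per_sec: int) -> list:
    """Constructed event stream (assumed, not captured): every second a burst of
    probes, each from a distinct source, plus a few legitimate new flows."""
    flows = []
    for sec in range(duration):
        for i in range(probes_per_sec):
            # Each probe is a new 5-tuple, so each one costs a table slot.
            flows.append(Flow(sec, ("probe", sec, i), legit=False))
        for i in range(legit_per_sec):
            flows.append(Flow(sec + 0.5, ("legit", sec, i), legit=True))
    return flows


def run(capacity: int, timeout: float, duration: int = 600,
        probes_per_sec: int = 20, legit_per_sec: int = 2) -> dict:
    """Replay the constructed traffic through a table and report the damage."""
    table = ConntrackTable(capacity, timeout)
    for flow in constructed_traffic(duration, probes_per_sec, legit_per_sec):
        table.see(flow)
    return {"dropped_legit": table.dropped_legit,
            "dropped_probe": table.dropped_probe,
            "occupancy": len(table.entries)}


if __name__ == "__main__":
    # Long timeout: 22 new flows/s * 300 s would need 6600 slots; the
    # 1024-entry table fills within the first minute and real flows get refused.
    print("timeout=300s:", run(capacity=1024, timeout=300))
    # Short timeout: 22 * 30 = 660 slots in steady state, so nothing is refused.
    print("timeout=30s: ", run(capacity=1024, timeout=30))
```

Run it as a script to see both cases side by side. The model is deliberately simple (every probe is a distinct flow, no refresh traffic), and it leaves out what Derek's "magic box" does, which is to take the modem's table out of the data path entirely rather than tune it.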