[ale] AT&T fiber and IPv6?

Derek Atkins derek at ihtfp.com
Sun Feb 13 11:21:21 EST 2022


Hi,

Yes, the ONT is the Optical Network Terminal.  It's a small box that
converts the fiber to ethernet, which then plugs into your network.  AT&T
requires their box to authenticate over the ON to bring your network
online.  And yes, an ER-4 is the Edgerouter 4.  I had an ER-X in place,
but it can't switch fast enough to keep up with a fully-loaded 1Gbps
symmetric service (but the ER-4 can).

The biggest issue I have had with the AT&T devices (and note that I also
have a /29 of static IPv4 with them) is that even when using my static
IPs, if I go through their gateway then I am subject to their NAT Table
size limitations (and the added latency of their box).  This was the
primary reason I went with an architecture to remove their box from my
data path:  to remove their NAT table limits.  The fact that it also
removed about 10ms of latency is just an added bonus.

I've never used a UDM Pro.  It's certainly possible that you could set up
the EAP Proxy service there.  The fact that it uses SFP shouldn't make a
difference, but you will need 1000BaseT ethernet for the ONT input.

Beyond that, I cannot really talk about the stability or reliability of
their IPv6.  Like I said in my first post, I found that IPv6 performance
wasn't as good as IPv4, but that was "by eye".  I can't really find a good
way to measure that because speedtest is a false test (it only tests from
your device to the other end of the fiber, effectively), and fast.com
(which is a more realistic measurement) doesn't do IPv6.  And I turned it
off because FaceTime stopped working (but again, I suspect that's due to
firewall issues).  (FYI, I still do the DHCPv6-PD; I just turned off the
announcement of the delegation onto my LAN network).

I elided the fact that I have two Edgerouter products on my network; I've
got an ER-Pro8 behind the ER-4, so that is likely part of my FaceTime
firewall issue.  I just didn't spend a lot of time on it.

-derek

On Sun, February 13, 2022 10:47 am, James Sumners (ALE) wrote:
> Let’s assume I’ve only ever picked up fiber cable and never actually
> installed or managed a network with it. From your diagram, I am picking up
> that the ONT is the device where the fiber terminates in my house, and the
> ER-4 is an Ubiquiti Edge Router.
>
> I am likely to be getting an Ubiquiti UDM Pro to replace my pfSense box
> (given that I no longer need to care about tracking total bytes across the
> WAN interface). This gateway device has SFP+ ports. Would those factor
> into your diagram in any way?
>
> How does using the AT&T gateway device as an authenticator only device
> change the IPv6 reliability?
>
> On February 13, 2022 at 09:43:29, Derek Atkins (derek at ihtfp.com) wrote:
>
>> Just a small correction -- while AT&T does require their box to be online
>> for 802.1x authentication, you can absolutely design a network where the
>> AT&T box is not in the data path! Indeed, I've done that here. Basically
>> my network looks like:
>>
>> --fiber-- [ONT] ---- [ ER-4 ] --- LAN
>>                         |
>>                     [AT&T Box]
>>
>> Using EAP Proxy and some firewall rules allows this to work and -- voilà
>> -- AT&T box is no longer involved in your day-to-day data usage.
>>
>> -derek
>>
>> On Sun, February 13, 2022 9:23 am, James Sumners (ALE) via Ale wrote:
>> > Sounding a lot like I’ll be hoping Comcast actually tries to compete now
>> > that AT&T has brought actual broadband to my area. 😔
>> >
>> >
>> > On February 12, 2022 at 19:17:58, Bryan L. Gay (ale at bryangay.com) wrote:
>> >
>> > I had both Comcast and AT&T Fiber for years in Kennesaw. I was never able
>> > to get IPv6 delegation working reliably on AT&T, even after they stopped
>> > doing 6rd. I have Comcast now at the new place, 1.2Gbps downlink, and have
>> > never had an issue with Comcast's IPv6. AT&T just never seemed to get
>> > their act together. While having 1Gbps symmetric over IPv4 was great, and
>> > it was less expensive, I'm happily on Comcast, now. AT&T requires you use
>> > their gateway, which introduces other recurring problems. On Comcast, I
>> > own my own DOCSIS dumb modem.
>> >
>> > On Fri, Feb 11, 2022, 17:06 James Sumners (ALE) via Ale <ale at ale.org>
>> > wrote:
>> >
>> >
>> > Earlier today AT&T attached some fiber to the pole directly across the
>> > street from my driveway. I’m sure it will take them another month or two
>> > to activate the line, but I want to go ahead and solicit some knowledge
>> > from you folks.
>> >
>> > Currently, I’m on Comcast (plain residential). I despise the business, but
>> > their network people are top notch and have rolled out a nice stable IPv6
>> > network. They assign my WAN interface a `/128` and allow network
>> > assignments via a `/64` or `/60` prefix delegation over DHCPv6. The `/60`
>> > allows me to create multiple VLANs in my house for things like IoT devices
>> > separate from my primary devices.
>> >
>> > Does anyone have experience with AT&T’s IPv6 implementation? Would
>> > switching to them be mostly transparent in this regard? Are there any
>> > “gotchas” that I should be aware of?
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > https://mail.ale.org/mailman/listinfo/ale
>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > http://mail.ale.org/mailman/listinfo
>> >
>>
>>
>> --
>> Derek Atkins 617-623-3745
>> derek at ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>>
>
>


-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


