[ale] AT&T fiber and IPv6?

James Sumners (ALE) james+ale at sumners.email
Mon Feb 14 16:44:45 EST 2022


Regarding EAP Proxy on the UDM Pro, this looks promising — https://github.com/pbrah/eap_proxy-udmpro  

Thanks everyone for the information. I definitely have some things to consider and research.  

On February 13, 2022 at 11:21:21, Derek Atkins (derek at ihtfp.com) wrote:

> Hi,
>  
> Yes, the ONT is the Optical Network Terminal. It's a small box that
> converts the fiber to ethernet, which then plugs into your network. AT&T
> requires their box to authenticate over the ON to bring your network
> online. And yes, an ER-4 is the Edgerouter 4. I had an ER-X in place,
> but it can't switch fast enough to keep up with a fully-loaded 1Gbps
> symmetric service (but the ER-4 can).
>  
> The biggest issue I have had with the AT&T devices (and note that I also
> have a /29 of static IPv4 with them) is that even when using my static
> IPs, if I go through their gateway then I am subject to their NAT Table
> size limitations (and the added latency of their box). This was the
> primary reason I went with an architecture to remove their box from my
> data path: to remove their NAT table limits. The fact that it also
> removed about 10ms of latency is just an added bonus.
>  
> I've never used a UDM Pro. It's certainly possible that you could set up
> the EAP Proxy service there. The fact that it uses SFP shouldn't make a
> difference, but you will need 1000BaseT ethernet for the ONT input.
>  
> Beyond that, I cannot really talk about the stability or reliability of
> their IPv6. Like I said in my first post, I found that IPv6 performance
> wasn't as good as IPv4, but that was "by eye". I can't really find a good
> way to measure that because speedtest is a false test (it only tests from
> your device to the other end of the fiber, effectively), and fast.com
> (which is a more realistic measurement) doesn't do IPv6. And I turned it
> off because facetime stopped working (but again, I suspect that's due to
> firewall issues). (FYI, I still do the DHCPv6-PD; I just turned off the
> announcement of the delegation onto my LAN network).
>  
> I elided the fact that I have two Edgerouter products on my network; I've
> got an ER-Pro8 behind the ER-4, so that is likely part of my facetime
> firewall issue. I just didn't spend a lot of time on it.
>  
> -derek
>  
> On Sun, February 13, 2022 10:47 am, James Sumners (ALE) wrote:
> > Let’s assume I’ve only ever picked up fiber cable and never actually
> > installed or managed a network with it. From your diagram, I am picking up
> > that the ONT is the device where the fiber terminates in my house, and the
> > ER-4 is an Ubiquiti Edge Router.
> >  
> > I am likely to be getting an Ubiquiti UDM Pro to replace my pfSense box
> > (given that I no longer need to care about tracking total bytes across the
> > WAN interface). This gateway device has SFP+ ports. Would those factor
> > into your diagram in any way?
> >  
> > How does using the AT&T gateway device as an authenticator only device
> > change the IPv6 reliability?
> >  
> > On February 13, 2022 at 09:43:29, Derek Atkins
> > (derek at ihtfp.com) wrote:
> >  
> > > Just a small correction -- while AT&T does require their box to be
> > > online for 802.1x authentication, you can absolutely design a network
> > > where the AT&T box is not in the data path! Indeed, I've done that here.
> > > Basically my network looks like:
> > >  
> > > --fiber-- [ONT] ---- [ ER-4 ] --- LAN
> > >                          |
> > >                     [AT&T Box]
> > >  
> > > Using EAP Proxy and some firewall rules allows this to work and -- voilà
> > > -- AT&T box is no longer involved in your day-to-day data usage.
> > >  
> > > -derek
> > >  
> > > On Sun, February 13, 2022 9:23 am, James Sumners (ALE) via Ale wrote:
> > > > Sounding a lot like I’ll be hoping Comcast actually tries to compete
> > > > now that AT&T has brought actual broadband to my area. 😔
> > > >  
> > > >  
> > > > On February 12, 2022 at 19:17:58, Bryan L. Gay (ale at bryangay.com)
> > > > wrote:
> > > >  
> > > > I had both Comcast and AT&T Fiber for years in Kennesaw. I was never
> > > > able to get IPv6 delegation working reliably on AT&T, even after they
> > > > stopped doing 6rd. I have Comcast now at the new place, 1.2Gbps
> > > > downlink, and have never had an issue with Comcast's IPv6. AT&T just
> > > > never seemed to get their act together. While having 1Gbps symmetric
> > > > over IPv4 was great, and it was less expensive, I'm happily on Comcast,
> > > > now. AT&T requires you use their gateway, which introduces other
> > > > recurring problems. On Comcast, I own my own DOCSIS dumb modem.
> > > >  
> > > > On Fri, Feb 11, 2022, 17:06 James Sumners (ALE) via Ale <ale at ale.org>
> > > > wrote:
> > > >  
> > > >  
> > > > Earlier today AT&T attached some fiber to the pole directly across the
> > > > street from my driveway. I’m sure it will take them another month or
> > > > two to activate the line, but I want to go ahead and solicit some
> > > > knowledge from you folks.
> > > >  
> > > > Currently, I’m on Comcast (plain residential). I despise the business,
> > > > but their network people are top notch and have rolled out a nice
> > > > stable IPv6 network. They assign my WAN interface a `/128` and allow
> > > > network assignments via a `/64` or `/60` prefix delegation over DHCPv6.
> > > > The `/60` allows me to create multiple VLANs in my house for things
> > > > like IoT devices separate from my primary devices.
> > > >  
> > > > Does anyone have experience with AT&T’s IPv6 implementation? Would
> > > > switching to them be mostly transparent in this regard? Are there any
> > > > “gotchas” that I should be aware of?
> > > > _______________________________________________
> > > > Ale mailing list
> > > > Ale at ale.org
> > > > https://mail.ale.org/mailman/listinfo/ale
> > > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > > http://mail.ale.org/mailman/listinfo
> > > >  
> > >  
> > >  
> > > --
> > > Derek Atkins 617-623-3745
> > > derek at ihtfp.com www.ihtfp.com
> > > Computer and Internet Security Consultant
> > >  
> >  
> >  
>  
>  
> --
> Derek Atkins 617-623-3745
> derek at ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>  
