[ale] isp questions
Derek Atkins
derek at ihtfp.com
Tue Jun 16 09:47:31 EDT 2020
Hi,
Alex Carver via Ale <ale at ale.org> writes:
> On 2020-06-15 15:18, Sam Rakowski via Ale wrote:
[snip]
>> Things aren't quite as easy as just plugging your pfSense box into
>> the ONT. The box provided does some 802.1x authentication with a
>> cert in the router before the port is enabled, but from what I've
>> read, once it does that, the port is enabled. I've read online, but
>> haven't had the time yet to do this, but if you have an extra port
>> on your pfSense box, you can proxy the 802.1x packets from the box
>> through to the ONT, then use that as your WAN connection.
>>
>> If you have any luck doing that, please send me/the list a quick
>> write-up and that might spur me into action :) It is possible
>> though, from what I've heard.
>
> Yes, their modem firmware disables pure bridging. You can run a firewall
> behind it with a static IP (I do) but all your packets go through the
> internal connection tracking table first as if it was being NATted. I
> had one of their older modems and the connection tracking table was
> super small and would fill up quickly because it's shared with all the
> other connections going through including the random network probes.
> The newer modem has a larger table but it still behaves the same way,
> acting like it's trying to NAT your static but passing the traffic on
> anyway.
>
> The one thing I've done is modify the table expiration time so that it
> doesn't completely fill up. It seems to have helped for the most part.
> It's not ideal and kind of infuriating when the stock modem firmware
> understands how to bridge but AT&T completely hosed it.
So... I've got AT&T 1G fiber with a /29 static IP network, and I also
tunnel a class-C network that I own. I was hitting this NAT-table limit
often. Even worse, it's an attack vector -- someone from the outside
can flood your network and fill up the NAT table which then drops you
off the network.
LUCKILY, there *IS* a solution to this if you're willing to add a little
bit of hardware:
http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits
Basically, you add a "magic box" that sits between the ONT and AT&T
modem but shunts all your real traffic to your firewall. So it
basically looks like:
                          +------- AT&T Modem
    [ONT] --- [ Magic Box ] <
                          +------- Firewall ---- Your Network
This allows the modem to properly authenticate your network to AT&T, but
it is no longer in the critical path of your data.
I use a Unifi ER-X as the magic box. I'm actually using this
configuration now and it works great! I still get 900+ Mbps from
speedtest, so the ER-X definitely can keep up!
Good luck and enjoy!
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
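As an added illustration (not code from this post, the linked blog, or the ER-X itself): a small Python model of the frame split the "magic box" performs, relaying 802.1X/EAPOL frames (EtherType 0x888E) toward the AT&T modem so it can authenticate, and sending every other frame toward the firewall. The port names and the sample frames are constructed for the example; it also validates the EAPOL length field so a malformed frame is rejected rather than relayed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_VLAN = 0x8100
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
PORT_MODEM = "modem"        # hypothetical port names on the "magic box"
PORT_FIREWALL = "firewall"

def parse_frame(frame: bytes) -> dict:
    """Parse dst/src MAC, an optional 802.1Q tag, the EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}

def parse_eapol(payload: bytes) -> dict:
    """Decode the 4-byte EAPOL header (IEEE 802.1X) and check its length field."""
    if len(payload) < 4:
        raise ValueError("EAPOL payload shorter than its header")
    version, ptype, length = struct.unpack("!BBH", payload[:4])
    if length > len(payload) - 4:
        raise ValueError("EAPOL length field exceeds available bytes")
    return {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
            "body": payload[4:4 + length]}

def route_frame(frame: bytes) -> tuple:
    """Return (port, description): EAPOL goes to the modem, all else to the firewall."""
    hdr = parse_frame(frame)
    if hdr["ethertype"] == ETHERTYPE_EAPOL:
        eapol = parse_eapol(hdr["payload"])
        return PORT_MODEM, f"EAPOL {eapol['type']} v{eapol['version']}"
    return PORT_FIREWALL, f"ethertype 0x{hdr['ethertype']:04x}"

# Constructed sample frames (not captured traffic): an EAPOL-Start to the
# 802.1X PAE group address, and a minimal IPv4 frame bound for the firewall.
SAMPLE_EAPOL_START = (bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
                      + struct.pack("!H", ETHERTYPE_EAPOL) + struct.pack("!BBH", 1, 1, 0))
SAMPLE_IPV4 = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
               + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for f in (SAMPLE_EAPOL_START, SAMPLE_IPV4):
        print(route_frame(f))
```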