[ale] isp questions

Derek Atkins derek at ihtfp.com
Tue Jun 16 14:35:10 EDT 2020


I don't use pfSense, so personally this doesn't apply to me.
My firewall is a Unifi ER-Pro8.

-derek

On Tue, June 16, 2020 9:54 am, Arie Van Willigen wrote:
> This is what I used to pass the 802.1x authentication to the ATT router
> and then have my PFSense Box take over.
>
> https://github.com/uchagani/pfatt
>
> Works like a charm.
>
> Arie van Willigen | Junior Linux Systems Administrator
> Vyne(tm)
>
> From: Ale <ale-bounces at ale.org> On Behalf Of Derek Atkins via Ale
> Sent: Tuesday, June 16, 2020 9:48 AM
> To: Alex Carver via Ale <ale at ale.org>
> Subject: Re: [ale] isp questions
>
> Hi,
>
> Alex Carver via Ale <ale at ale.org> writes:
>
>> On 2020-06-15 15:18, Sam Rakowski via Ale wrote:
> [snip]
>>> Things aren't quite as easy as just plugging your pfSense box into
>>> the ONT. The box provided does some 802.1x authentication with a
>>> cert in the router before the port is enabled, but from what I've
>>> read, once it does that, the port is enabled. I've read online, but
>>> haven't had the time yet to do this, but if you have an extra port
>>> on your pfSense box, you can proxy the 802.1x packets from the box
>>> through to the ONT, then use that as your WAN connection.
>>>
>>> If you have any luck doing that, please send me/the list a quick
>>> write-up and that might spur me into action :) It is possible
>>> though, from what I've heard.
>>
>> Yes their modem firmware disables pure bridging. You can run a firewall
>> behind it with a static IP (I do) but all your packets go through the
>> internal connection tracking table first as if it was being NATted. I
>> had one of their older modems and the connection tracking table was
>> super small and would fill up quickly because it's shared with all the
>> other connections going through including the random network probes.
>> The newer modem has a larger table but it still behaves the same way,
>> acting like it's trying to NAT your static but passing the traffic on
>> anyway.
>>
>> The one thing I've done is modify the table expiration time so that it
>> doesn't completely fill up. It seems to have helped for the most part.
>> It's not ideal and kind of infuriating when the stock modem firmware
>> understands how to bridge but AT&T completely hosed it.
>
> So... I've got AT&T 1G fiber with a /29 static IP network, and I also
> tunnel a class-C network that I own. I was hitting this NAT-table limit
> often. Even worse, it's an attack vector -- someone from the outside
> can flood your network and fill up the NAT table which then drops you
> off the network.
>
> LUCKILY, there *IS* a solution to this if you're willing to add a little
> bit of hardware:
>
> http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits
>
> Basically, you add a "magic box" that sits between the ONT and AT&T
> modem but shunts all your real traffic to your firewall. So it
> basically looks like:
>
>                          +------- AT&T Modem
> [ONT] --- [ Magic Box ] <
>                          +------- Firewall ---- Your Network
>
> This allows the modem to properly authenticate your network to AT&T, but
> it is no longer in the critical path of your data.
>
> I use a Unifi ER-X as the magic box. I'm actually using this
> configuration now and it works great! I still get 900+mbps from
> speedtest, so the ER-X definitely can keep up!
>
> Good luck and enjoy!
>
> -derek
> --
> Derek Atkins 617-623-3745
> derek at ihtfp.com
> www.ihtfp.com
> Computer and Internet Security Consultant


-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
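
The "magic box" arrangement quoted above, modelled as a per-frame forwarding decision. This is an added example, not part of the original message and not the configuration from the linked blog post or from pfatt. It assumes the authentication traffic is 802.1X EAPOL (EtherType 0x888E); the port names, helper functions and sample frames are constructed for illustration.

```python
import struct

ETH_P_EAPOL = 0x888E   # 802.1X (EAP over LAN)
ETH_P_8021Q = 0x8100   # VLAN tag; the real EtherType follows the 4-byte tag

def ethertype(frame: bytes) -> int:
    """Return the payload EtherType, skipping one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (etype,) = struct.unpack_from("!H", frame, 16)
    return etype

def egress_port(ingress: str, frame: bytes):
    """Decide where the 'magic box' sends a frame; None means drop."""
    eapol = ethertype(frame) == ETH_P_EAPOL
    if ingress == "ont":
        return "modem" if eapol else "firewall"
    if ingress == "modem":
        return "ont" if eapol else None   # modem carries no user data
    if ingress == "firewall":
        return None if eapol else "ont"   # firewall never authenticates
    raise ValueError(f"unknown port {ingress!r}")

def build_frame(etype: int, vlan=None) -> bytes:
    """Constructed sample frame: dummy MACs, optional VLAN tag, padding."""
    hdr = bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    return hdr + struct.pack("!H", etype) + b"\x00" * 46

def demo():
    eapol, ipv4 = build_frame(ETH_P_EAPOL), build_frame(0x0800)
    tagged = build_frame(0x0800, vlan=0)
    return [egress_port("modem", eapol), egress_port("ont", eapol),
            egress_port("ont", ipv4), egress_port("ont", tagged),
            egress_port("firewall", ipv4), egress_port("modem", ipv4)]

if __name__ == "__main__":
    print(demo())
```

Only the EAPOL exchange ever crosses the modem port in this model, so the modem's connection-tracking table never sees user or probe traffic.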


