<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">This is what I used to pass the 802.1x authentication to the ATT router and then have my pfSense box take over.<br>
<br>
<a href="https://github.com/uchagani/pfatt">https://github.com/uchagani/pfatt</a><br>
<br>
Works like a charm.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:8.0pt"><b><span style="font-family:"Arial",sans-serif;color:#B28ABF">Arie van Willigen</span></b><span style="font-family:"Arial",sans-serif;color:#003399">
</span><span style="font-family:"Arial",sans-serif;color:#7A7B3E">| Junior Linux Systems Administrator</span><b><span style="font-family:"Arial",sans-serif;color:#003399">
</span></b><span style="font-size:3.0pt;font-family:"Arial",sans-serif;color:#003399"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:2.0pt"><b><span style="font-family:"Arial",sans-serif;color:#4D4D4F">Vyne™<o:p></o:p></span></b></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Ale &lt;ale-bounces@ale.org&gt; <b>On Behalf Of </b>Derek Atkins via Ale<br>
<b>Sent:</b> Tuesday, June 16, 2020 9:48 AM<br>
<b>To:</b> Alex Carver via Ale &lt;ale@ale.org&gt;<br>
<b>Subject:</b> Re: [ale] isp questions<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi,<br>
<br>
Alex Carver via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> writes:<br>
<br>
> On 2020-06-15 15:18, Sam Rakowski via Ale wrote:<br>
[snip]<br>
>> Things aren't quite as easy as just plugging your pfSense box into<br>
>> the ONT. The box provided does some 802.1x authentication with a<br>
>> cert in the router before the port is enabled, but from what I've<br>
>> read, once it does that, the port is enabled. I've read online, but<br>
>> haven't had the time yet to do this, but if you have an extra port<br>
>> on your pfSense box, you can proxy the 802.1x packets from the box<br>
>> through to the ONT, then use that as your WAN connection.<br>
>> <br>
>> If you have any luck doing that, please send me/the list a quick<br>
>> write-up and that might spur me into action :) It is possible<br>
>> though, from what I've heard.<br>
><br>
> Yes their modem firmware disables pure bridging. You can run a firewall<br>
> behind it with a static IP (I do) but all your packets go through the<br>
> internal connection tracking table first as if it was being NATted. I<br>
> had one of their older modems and the connection tracking table was<br>
> super small and would fill up quickly because it's shared with all the<br>
> other connections going through including the random network probes.<br>
> The newer modem has a larger table but it still behaves the same way,<br>
> acting like it's trying to NAT your static but passing the traffic on<br>
> anyway.<br>
><br>
> The one thing I've done is modify the table expiration time so that it<br>
> doesn't completely fill up. It seems to have helped for the most part.<br>
> It's not ideal and kind of infuriating when the stock modem firmware<br>
> understands how to bridge but AT&T completely hosed it.<br>
<br>
So... I've got AT&T 1G fiber with a /29 static IP network, and I also<br>
tunnel a class-C network that I own. I was hitting this NAT-table limit<br>
often. Even worse, it's an attack vector -- someone from the outside<br>
can flood your network and fill up the NAT table which then drops you<br>
off the network.<br>
<br>
LUCKILY, there *IS* a solution to this if you're willing to add a little<br>
bit of hardware:<br>
<br>
<a href="http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits">http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits</a><br>
<br>
Basically, you add a "magic box" that sits between the ONT and AT&T<br>
modem but shunts all your real traffic to your firewall. So it<br>
basically looks like:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;+------- AT&T Modem<br>
[ONT] --- [ Magic Box ] &lt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;+------- Firewall ---- Your Network<br>
<br>
This allows the modem to properly authenticate your network to AT&T, but<br>
it is no longer in the critical path of your data.<br>
<br>
I use a Unifi ER-X as the magic box. I'm actually using this<br>
configuration now and it works great! I still get 900+mbps from<br>
speedtest, so the ER-X definitely can keep up!<br>
<br>
Good luck and enjoy!<br>
<br>
-derek<br>
-- <br>
Derek Atkins 617-623-3745<br>
<a href="mailto:derek@ihtfp.com">derek@ihtfp.com</a> <a href="http://www.ihtfp.com">
www.ihtfp.com</a><br>
Computer and Internet Security Consultant<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="https://mail.ale.org/mailman/listinfo/ale">https://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a><o:p></o:p></p>
</div>
</div>
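<p class="MsoNormal">The "magic box" forwarding policy Derek describes above, as an added Python simulation that is not code from pfatt or the linked blog post: frames are classified by Ethernet type, EAPOL (0x888E) is relayed only between the ONT and the gateway ports, and every other frame is switched between the ONT and the firewall. The port names, MAC addresses and sample frames are constructed here for illustration.</p>

```python
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_EAPOL = 0x888E             # IEEE 802.1X EAP over LAN
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # 802.1X port-access-entity multicast address
ONT, GATEWAY, FIREWALL = "eth0", "eth1", "eth2"  # assumed port names on the box

@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int

def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Build a raw Ethernet II frame from constructed sample values."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

def parse_frame(raw: bytes) -> Frame:
    """Parse the 14-byte Ethernet II header; reject truncated input."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    return Frame(raw[0:6], raw[6:12], int.from_bytes(raw[12:14], "big"))

def egress_port(ingress: str, frame: Frame) -> Optional[str]:
    """Return the port a frame leaves on, or None to drop it.

    EAPOL is relayed only between the ONT and the gateway, so the gateway
    can authenticate the link.  Everything else is switched between the ONT
    and the firewall; non-EAPOL frames from the gateway are dropped, which
    keeps the gateway (and its NAT table) out of the data path.
    """
    if frame.ethertype == ETHERTYPE_EAPOL:
        return {ONT: GATEWAY, GATEWAY: ONT}.get(ingress)  # EAPOL from firewall: drop
    return {ONT: FIREWALL, FIREWALL: ONT}.get(ingress)    # gateway data: drop

def demo() -> list:
    """Run constructed sample frames through the policy (MACs are made up)."""
    gateway_mac, peer_mac = "02:00:00:00:00:01", "02:00:00:00:00:02"
    eapol_start = build_frame(PAE_GROUP_MAC, gateway_mac, ETHERTYPE_EAPOL, b"\x01\x01\x00\x00")
    ipv4 = build_frame(peer_mac, gateway_mac, 0x0800, b"\x45")
    return [
        egress_port(GATEWAY, parse_frame(eapol_start)),  # eth0: EAPOL-Start reaches the ONT
        egress_port(ONT, parse_frame(ipv4)),             # eth2: real traffic goes to the firewall
        egress_port(FIREWALL, parse_frame(ipv4)),        # eth0: firewall traffic goes out
        egress_port(GATEWAY, parse_frame(ipv4)),         # None: gateway stays out of the data path
    ]
```

<p class="MsoNormal">A real deployment also needs the firewall's WAN interface to present the gateway's MAC address toward the ONT, which this simulation does not model.</p>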
<p class="MsoNormal"><o:p> </o:p></p>
<div></div>
</body>
</html>