I’d been dreaming of getting fiber to my home for over a decade. It was that long ago that I spent my days hooking up ten-gigabit fiber connections to massive file servers at NetApp. I led a successful grassroots effort to lure Google Fiber to Raleigh, because competition can be a great way to spur innovation and investment. You can imagine in 2018 how excited I was to learn that fiber was coming to my neighborhood. While it wasn’t Google, it was AT&T. I swallowed my pride, quietly rescinded my ban of ever doing business with AT&T again, and signed up for their fastest package: symmetrical gigabit fiber. Cost was $80/month initially and thereafter $90/month. I’m sure I’m one of the few in my area who max it out. Hey, geeks gotta geek.
While I’m happy to use up as many AT&T bits as possible, I still don’t entirely trust the company (though I do trust them more than Time Warner Cable (TWC), a.k.a. Spectrum, and this as you know is not saying much). While providing direct access to my home network to a major telco may be a bit on the paranoid side, a number of security vulnerabilities have been discovered with other AT&T devices. Though AT&T might not be snooping around my network, I could not be entirely comfortable that hackers wouldn’t. AT&T’s RGs were discovered to have the built-in ability to do deep packet inspections (DPI) themselves, being able to snoop on the network traffic of its customers. For this and many other reasons, I just don’t trust any devices on my home network that I do not control.
I kept a firewall between TWC and my network for this reason. AT&T wants you to use their device, which they call a “Residential Gateway” or RG, as the firewall. It also acts as a WiFi point, DHCP server, and the like. This may be fine for most people, but I am an uber power user. As an engineer, I want to squeeze the maximum performance out of my networking. I will happily void the warranties on my networking gear. I didn’t spend time tuning my home firewalls for maximum throughput just to discard them when some corporate box comes along. This just won’t do, you see.
The Power User’s approach
My first approach was to switch things over to my TP-Link AC1750 access points, running OpenWRT. While my AC1750s could keep up with the slow (300 Mbps) speeds of cable Internet, they were balking at gigabit speeds. The hardware acceleration the AC1750s utilize requires proprietary drivers which OpenWRT does not provide. It was time to list them on Craigslist and try something new.
After much research, I purchased an Ubiquiti EdgeRouter Lite 3 (ERL3). It is a fantastic unit that can easily run at gigabit wire speeds (with a small caveat of forgoing deep packet inspection). I can put the ERL behind my Internet connection and, because it is Debian Linux-based, customize it practically any way I want to. Pure heaven! Yet there is still the issue of having to front the ERL by AT&T’s RG box, the Pace 5268AC in my case.
Could I make AT&T’s RG live in harmony with my gear? Yes, if safely firewalled, but performance would take a hit. The RG would be doing network address translation (NAT) and then my firewall would be doing it again. This introduces latency and the chance for errors. I use Voice over IP (VoIP) at home, which can be very sensitive to NAT issues. The RG’s wireless signal would also interfere with my home’s existing wireless signals, causing network congestion. I turned off the RG’s WiFi right away. With the RG in bridge mode you could still use your own firewall, passing packets through the RG, but the RG would still be duplicating everything I was already doing. I couldn’t wait to make it completely redundant.
The RG performs one crucial function that can be challenging to duplicate, and this is 802.1x network authentication. AT&T usually delivers a residential customer’s fiber into a little box called an optical network termination (ONT). The size of a pack of cigarettes, it takes the fiber signal and converts it to Ethernet, plugging into the RG. The RG is loaded with AT&T’s cryptographic certificates and presents these to AT&T’s switches whenever the ONT link comes up, validating that the device (in this case, the RG) is authorized to connect.
802.1x authentication is usually a one-time thing. Should the ONT never lose its fiber link to the remote switch and also never lose its connection to the RG, the authentication process will not be needed again. This has provided some clever ways to bypass the RG:
- Connecting the RG side by side with the real firewall and using a switch to filter all but 802.1x traffic to it,
- Connecting the ONT to a switch and swapping out the RG for the firewall after the 802.1x authentication is done, or
- Putting AT&T’s certs on your own firewall and making the RG redundant.
Let’s look at each of these approaches.
Filtering all but 802.1x
This has been done by many. By using a VLAN-aware switch, the VLAN2-based 802.1x packets get sent to the RG, which does the auth and then basically gets ignored. I decided this wasn’t an approach I wanted to take since I wanted to unplug the RG completely. For those who want to take this route, there are plenty of Internet resources that step you through it.
Swapping out the RG for your firewall
This is the approach I have been using for years and it’s such a simple method that anyone could do it. Here’s how you do it:
- Check the label on your RG for the RG’s MAC address. A MAC address is a six-byte hexadecimal string that is a unique address for every network device.
- Configure your firewall or router box’s Internet port to “spoof” this MAC address. This will all depend on the type of network gear you are using, so consult your product manual or consult the search engines.
- Place a gigabit switch between your ONT and your RG. This “outside switch” does not have to be a fancy switch or a smart switch. A “dumb” one will do. It could simply be a typical, cheap, 5-port gigabit switch like a Netgear, etc. The important thing is that the switch be at least as fast as your Internet connection.
- Now, with the RG and the firewall presenting the same MAC address, plug in the RG to the outside switch and let it go through the authentication process. You’ll know it’s done when you see the green “Service 2” light go solid.
- Plug your firewall into an open port on the outside switch and remove the RG from the switch.
If you’ve done everything properly, your Internet connection should now be flowing through your firewall and you can set the RG aside.
NOTE: The secret here is to maintain the Ethernet link between the ONT and your outside switch. If for some reason the ONT or your outside switch loses power, the 802.1x authentication process will need to be completed again before you get your connection back. You will need to complete steps 4 & 5 again to restore your connection. For this reason, I place both my ONT and my outside switch on an uninterruptible power supply (UPS). This has proven highly reliable, with usually only physical damage to AT&T’s cables causing a need to resync.
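As an added example (not from the original post, AT&T or Ubiquiti), here is a small Python decoder for the 802.1x exchange described above: it parses EAPOL frames (EtherType 0x888E), pulls out the EAP code, and reports whether a capture shows the port reaching EAP Success, which is the wire-level event behind “the authentication process is done”, or an EAPOL-Logoff, which means the process has to happen again. The MAC addresses and frames are constructed sample data, not a real RG capture.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes) -> dict:
    """Decode Ethernet + EAPOL (+ EAP) headers; ValueError/struct.error if not EAPOL or truncated."""
    dst, src, (ethertype,) = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL body truncated")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "eap_code": None, "eap_id": None,
            "eapol_type": EAPOL_TYPES.get(eapol_type, f"unknown({eapol_type})")}
    if eapol_type == 0 and length >= 4:  # only EAP-Packet carries an EAP header
        code, info["eap_id"], _eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
    return info

def auth_outcome(frames) -> str:
    """Port state after a capture: 'pending', 'authenticated', 'failed' or 'logged_off'."""
    state = "pending"
    for frame in frames:
        try:
            info = parse_eapol(frame)
        except (ValueError, struct.error):
            continue  # ordinary traffic, not part of the 802.1x exchange
        if info["eap_code"] == "Success":
            state = "authenticated"
        elif info["eap_code"] == "Failure":
            state = "failed"
        elif info["eapol_type"] == "EAPOL-Logoff":
            state = "logged_off"  # supplicant ended the session; re-auth needed
    return state

def _eapol_frame(dst, src, eapol_type, body=b""):  # builds constructed EAPOL v1 frames
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, eapol_type, len(body)) + body

PAE_GROUP = bytes.fromhex("0180c2000003")  # 802.1x PAE group address
RG_MAC, SWITCH_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
SAMPLE_EXCHANGE = [  # constructed capture of one successful authentication
    _eapol_frame(PAE_GROUP, RG_MAC, 1),                                     # EAPOL-Start
    _eapol_frame(RG_MAC, SWITCH_MAC, 0, struct.pack("!BBHB", 1, 1, 5, 1)),  # EAP Request/Identity
    _eapol_frame(SWITCH_MAC, RG_MAC, 0, struct.pack("!BBHB", 2, 1, 5, 1)),  # EAP Response/Identity
    bytes(12) + struct.pack("!H", 0x0800) + bytes(20),                      # unrelated IPv4 frame
    _eapol_frame(RG_MAC, SWITCH_MAC, 0, struct.pack("!BBH", 3, 2, 4)),      # EAP Success
]
```

Feeding real frames from a mirror port on the outside switch into `auth_outcome` tells you whether the link needs to go through steps 4 & 5 again after a power blip.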
In part two, I’ll be covering the third way I mentioned, using AT&T’s certs on your own devices.