I was really excited when I found out that AT&T was running fiber to our neighborhood. For the last 5 years we’ve been limping along with 5mbps DSL. After the install I started poking around in the provided AT&T gateway, the Arris 5268AC. I was immediately disappointed with the lack of control it provided for my network; specifically absent was the ability to add any additional routes to the route table. I would need this functionality for my site-to-site vpn tunnel. This among other deficiencies led me to research options to add more control. Surprisingly this particular gateway does not provide a true IP pass-through or bridged mode. The closest you can get is the DMZ+ functionality which still sits behind the devices stateful firewall.

After some research I found a few great posts how others have overcome the limitations of the AT&T provided solution. The posts below were great resources when building my configuration.

With this solution, like the others, we utilize the AT&T provided gateway to authenticate our service but nothing more. To accomplish this we will bridge two interfaces allowing 802.1X/EAP traffic to the Arris gateway for authentication while utilizing an additional interface for LAN traffic.

First, we need to pull our connection specific information. You’ll need the following, all available from the AT&T provided gateway. I currently have a static IP provided by AT&T but I believe with a little extra work DHCP should be possible.

IP address

Gateway IP

Gateway MAC address

Once everything is connected as shown above run the following commands:

Create the bridge interface:

set interfaces bridge br0

Add eth1 and eth2 to br0

set interfaces ethernet eth1 bridge-group bridge br0 set interfaces ethernet eth2 bridge-group bridge br0

create a sub-interface on br0 with your static IP.

set interfaces bridge br0 vif 0 address X.X.X.X/X

set your routing

set protocols static route 0.0.0.0/0 next-hop X.X.X.X

define a source NAT masquerade rule for the br0.0 interface

set service nat rule 5000 outbound-interface br0.0 set service nat rule 5000 type masquerade

Next we need to allow the gateway to pass auth traffic through the bridge

echo 8 > /sys/class/net/br0/bridge/group_fwd_mask

Because of the nature of an interface bridge all traffic is copied to both interfaces. Running a tcpdump on the Arris interface shows all ingress and egress traffic. To only allow 802.1X/EAP traffic to the gateway we need to use ebtables.

ebtables -t filter -A FORWARD -i eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT ebtables -t filter -A FORWARD -i eth2 -p 802_1Q -j DROP ebtables -t filter -A FORWARD -o eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT ebtables -t filter -A FORWARD -o eth2 -p 802_1Q -j DROP

Finally, we need to spoof our br0.0 MAC address so that it presents itself as the AT&T gateway. Run these commands as root.

ip link set br0.0 down ip link set br0.0 address XX:XX:XX:XX:XX:XX ip link set br0.0 up

Remember every time that br0.0 is created it needs to have its MAC spoofed, this means on every reboot. To accomplish this we will create a simple script in /config/scripts/post-config.d/

#!/bin/bash echo 8 > /sys/class/net/br0/bridge/group_fwd_mask ip link set br0.0 down ip link set br0.0 address XX:XX:XX:XX:XX:XX ip link set br0.0 up ebtables -t filter -A FORWARD -i eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT ebtables -t filter -A FORWARD -i eth2 -p 802_1Q -j DROP ebtables -t filter -A FORWARD -o eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT ebtables -t filter -A FORWARD -o eth2 -p 802_1Q -j DROP

interfaces

routing table

I hope others find this useful, let me know if you have any questions. Remember tcpdump is your friend when troubleshooting interfaces.