NAT Table of BGW210-700 Modem/Router

If you have recently upgraded to OpnSense 20.1, or are thinking about doing that, please be aware that some of the netgraph kernel modules are no longer loaded by default. This will break your config upon reboot. There is a workaround. See the bottom of this post.

This method works on the ARRIS NVG589, NVG599 and BGW210-700 residential gateways.

Why

Let me start this post with the reason one might want to bypass the Arris BGW210-700 provided by AT&T for U-Verse customers. AT&T offers the U-Verse service for customers who want to subscribe to their television, phone, and Internet offerings. This device is capable of providing and managing all of those services in one box. Customers like myself, who only subscribe to their fiber Internet, also receive this modem/router or a similar device. This modem seems to be popular for those on a business plan as well. So, this appears to be a fairly capable device. Why would anyone want to bypass it?

The reason many users would consider bypassing this device is two-fold, in my opinion. First, the router capability of this system is limited. This is true for all routers provided by ISPs and for many consumer grade devices on the market, which typically only provide protection from the “outside” world through the use of NAT. NAT, or network address translation, is a way of masking your internal network addresses from the Internet. It was created as a response to the concern that there would eventually be a lack of available IPv4 addresses with which to connect devices to the Internet. It allows the router, connected to the Internet with an IPv4 address, to route traffic to and from devices behind it without the need for additional IPv4 addresses.

[Image: bgw210-700]

Over time, this became a method of protecting the internal network from external threats. What many users really want is a packet filtering firewall with full control of the packets entering and leaving their networks. Packet filtering firewalls also make use of NAT, so no functionality is lost. This creates a much more robust and customizable posture in relation to the Internet connection. However, packet filtering is just one aspect of customization that users desire.

A second feature that users are looking for when considering a bypass of provided ISP hardware is the ability to get past the hardware limitations of the product. As seen in the image above, the BGW210 is limited to 8,192 sessions. That might sound like a large number, but we live in a time where some applications create and maintain many sessions. Consider a service like BitTorrent, which will create connections to many peers and maintain those connections over the lifetime of a download. This can quickly fill up a session table, and the device will stop accepting connections, inbound or outbound. There is no firmware fix or workaround that will increase this session limit.

It is important to note that the process described in this post is not the same as “IP Passthrough”, a mode provided by AT&T to put your own firewall or router behind the “residential gateway” provided by AT&T. In IP Passthrough mode, you are still limited by the hardware NAT session table and you are also in-line behind the firewall which exists on the residential gateway. The workaround described here uses the residential gateway only to initiate the authentication with AT&T’s ONT fiber interface. This means that as a fiber Internet customer, you will end up with your firewall directly connected to AT&T’s fiber network without going through the residential gateway at all. This workaround will also survive power outages and manual restarts of the residential gateway or of your own router/firewall.

How

Many smart people have looked for ways to go around the residential gateway. In every case, it has been determined that one must use the provided gateway. Due to the way AT&T handles authentication with their ONT device, the residential gateway is required to do the authentication. This is simply because the certificates used are only located on the gateway. I have read of a couple of users who successfully pulled the certificates off the residential gateways, but this is an extremely advanced process and could break if AT&T changes certificates in the future.

Considering all the points above, let's explain how this process works. Since I was not the smart person that figured all of this out, I am going to link to the original work that I used to get my system going. I do not take credit for any of this, but I am extremely thankful for those who did the work to make this possible. Please review the following link: https://github.com/aus/pfatt

Basically, what this process does is hang the residential gateway off an interface of the pfSense firewall so that it can talk to the ONT device. However, the residential gateway is only allowed to do authentication over 802.1X, nothing else. Netgraph is utilized to create a virtual interface for the authentication traffic and to tag traffic with VLAN0. This VLAN tagging is evidently due to a restriction on the AT&T side requiring all traffic routed to the Internet to be tagged this way.

Per the developer’s description, this is why we must use netgraph:

First, it's against RFC to bridge 802.1/X traffic and it is not supported. Second, tagging traffic as VLAN0 is not supported through the standard interfaces.

When (Conclusion)

The obvious question is, “Why haven’t you tried this yet?” This process works and I can tell you that I am very happy with this solution. While this is not for the novice, the process is well-documented. For those who have been running their own open source firewalls for some time, this really should not be a difficult modification. In my opinion, the most difficult aspect of this process was installing the kernel module for BSD. Once again, this is well documented.

You should keep in mind that you are installing a kernel module for BSD, but you are doing it on a pfSense build. Therefore, future firewall updates could break the netgraph configuration causing you to have to redo the steps provided. This is something that has to be considered, but one must also consider how often updates come out from pfSense. If you are a user who is concerned with limitations of the session count through the gateway, this is a good idea. I have run with and without this configuration without trouble and I host services and download a lot. So, it may not be required for you.

As a geek, I like to play around with my network and try out new options. Using this bypass in no way impacted my speeds. With or without this configuration, I consistently sit around 930Mbps up and down. Before you decide to take these steps, I would advise you to do as I did and find some posts about the positives and negatives and make your own decision. I also want to note that this process works even if you purchased a block of static IPs from AT&T. I have 5 usable static IPs that I use for web services and VPN and this process works perfectly. I look forward to your comments and thoughts and I appreciate you taking time to read this post.

If you have upgraded to, or are considering upgrading to version 20.1 of OpnSense, you will need to create a file and add the modules you need loaded for netgraph to work properly as some of the required kernel modules are no longer added by default. Create a file /boot/loader.conf.local and in it, put the following:

netgraph_load="YES"
ng_UI_load="YES"
ng_async_load="YES"
ng_bpf_load="YES"
ng_bridge_load="YES"
ng_car_load="YES"
ng_cisco_load="YES"
ng_deflate_load="YES"
ng_echo_load="YES"
ng_eiface_load="YES"
ng_ether_load="YES"
ng_frame_relay_load="YES"
ng_hole_load="YES"
ng_iface_load="YES"
ng_ksocket_load="YES"
ng_l2tp_load="YES"
ng_lmi_load="YES"
ng_mppc_load="YES"
ng_one2many_load="YES"
ng_pipe_load="YES"
ng_ppp_load="YES"
ng_pppoe_load="YES"
ng_pptpgre_load="YES"
ng_pred1_load="YES"
ng_rfc1490_load="YES"
ng_socket_load="YES"
ng_tcpmss_load="YES"
ng_tee_load="YES"
ng_tty_load="YES"
ng_vjc_load="YES"
ng_vlan_load="YES"
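As an added check (not code from the original post or from the pfatt project), here is a small POSIX sh script that compares the modules requested in a loader.conf.local with what kldstat reports as loaded, and also flags lines written with typographic quotes (”) instead of ASCII quotes ("), which commonly happens when a list is copied from a web page and which the loader will not parse as a valid setting. The config text and the kldstat output below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post or of the pfatt project.
# Checks that the netgraph modules requested in loader.conf.local are loaded
# and flags config lines whose quotes are not plain ASCII.

# Constructed sample of /boot/loader.conf.local: one line uses curly quotes,
# and ng_vlan is requested but absent from the sample kldstat output below.
SAMPLE_CONF='netgraph_load="YES"
ng_ether_load="YES"
ng_eiface_load="YES"
ng_vlan_load="YES"
ng_bridge_load=”YES”
'

# Constructed sample of `kldstat` output (only the Name column matters here).
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   60 0xffffffff80200000  1f3a2c8 kernel
 2    1 0xffffffff82619000     f0f0 netgraph.ko
 3    1 0xffffffff82629000     4260 ng_ether.ko
 4    1 0xffffffff8262e000     3a10 ng_eiface.ko
'

# Print the line numbers of a config that contain non-ASCII bytes (e.g. ” quotes).
bad_quote_lines() {
    printf '%s' "$1" | LC_ALL=C grep -n '[^ -~]' | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# List module names (foo for a line foo_load="YES") requested by the config.
requested_modules() {
    printf '%s' "$1" | sed -n 's/^\([A-Za-z0-9_]*\)_load="YES"$/\1/p'
}

# List loaded module names from kldstat output, without the .ko suffix.
loaded_modules() {
    printf '%s' "$1" | awk 'NR > 1 { sub(/\.ko$/, "", $NF); print $NF }'
}

# Modules requested in the config but not present in the kldstat output.
missing_modules() {
    conf="$1"; kld="$2"
    for m in $(requested_modules "$conf"); do
        if ! loaded_modules "$kld" | grep -qx "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# On a live box: missing_modules "$(cat /boot/loader.conf.local)" "$(kldstat)"
```

Note that the curly-quoted ng_bridge line is not counted as requested at all, which is exactly why the quote check matters: a module that looks configured is silently never loaded.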

I saw a discussion on the OPNsense forums about this recent change. We will follow it and update our readers if there are new developments in the conversation.
