OPNsense Forum

English Forums => General Discussion => Topic started by: bbpbb on August 11, 2019, 05:43:10 pm

Title: wan vlan questions -att fiber bypass -noob questions
Post by: bbpbb on August 11, 2019, 05:43:10 pm
so i just got 1gbs ATT fiber (still have cable line too atm).

I'm quite comfortable with engineering and hardware level firmware stuff, but am a total noob at setting up firewalls and sysadmin stuff and am taking this fiber upgrade as an opportunity to learn and set up a legit firewall that will allow me to self host things and smarten up my home network with iot segmentation and things like that as well as vpn in and out, etc.

So right now i'm trying out opnsense first (quite frankly appalled by pfsense behavior from drama, from my research).  I have it set up on a T620+ HP thin client with an intel 4port nic.

so I've been keen on bypassing the att rwg, and at some point I will probably get the credentials out of the rwg by rooting it and doing those steps (https://github.com/aus/pfatt/pull/19#issuecomment-490766858, for anyone interested).

so the methods of bypass are a few:
the dumbswitch method: (https://www.dslreports.com/forum/r32192051-) I tried this method with my netgear r7000 with ddwrt and it worked fine, (except for a limitation to 300mbs up/down due to ddwrt not using some hardware acceleration on the router)

netgraph method: (https://github.com/aus/pfatt) this is not my preferred method as it still requires the rgw to be plugged in all the time.

extracted credentials: have your router authenticate with extracted credentials via wpa supplicant from the firmware of ATT rgw (different models have different extraction methods) this is probably my preferred endgame when i get a chance to either buy a used gateway to extract, or extract from the provided rgw.

smart switch method:  This is basically the same as the dumb switch method, but it's using a managed switch and making sure the ports used are on the same vlan on the managed switch.  (here is a thread where opnfwb describes using this method https://forum.opnsense.org/index.php?topic=7298.0) i guess the issue this gets around is how whatever router you end up using,  this does vlan tagging on wan to make the ont happy?  I don't have a smart switch I can use for this right now, and this is where I get out of my depth and where my questions are:

so when I do the dumbswitch method with my r7000, it works as expected.  I assume this must be that however this router does vlan tagging on wan is what the ONT wants which I think I read around in my research, but i can't find exactly where I read it, that the ONT wants a non 0 vlan ? but i'm not sure what i'm even talking about here lol, I think I was reading deep in some thread about someone trying something similar and talking about how pfsense does the default vlan tagging on wan

so when I do this same dumb switch method using opnsense on the hp t620 I can't get out to the internet.  I suspect it's something to do with the difference in vlan tagging on wan port between opnsense and how my r7000 works.  I'm in here hacking around, but am a noob to advanced firewall stuff in general, opnsense, and this fiber bypass stuff.

with all this explanation of what i've been trying and wanting to do, is there something i'm missing or can configure about how opnsense does vlan tagging on the wan port that i can change and make the vlan happy?  I think i was reading on a pfsense thing somewhere (that i can't find the link to right now) that it had to do with making the vlan non 0 to make the ont happy, but that pfsense (and opnsense) i think default to this and can't change it within the admin panel (had to shell into it and do something on the command line).

any tips, ideas, would be much appreciated


Title: Re: wan vlan questions -att fiber bypass -noob questions
Post by: bbpbb on August 14, 2019, 03:12:52 am
alright, well went and got a smart switch and got it working with a smart switch with a vlan like @opnfwb mentioned in his posts.

will work on a more permanent solution soon.

Is the "practical opnsense" book by stubbig available to purchase as an ebook?

Title: Re: wan vlan questions -att fiber bypass -noob questions
Post by: opnfwb on August 16, 2019, 10:08:32 pm
I can't answer your question regarding the ebook but, I'm glad you got the bypass working with the smart switch method.

I have moved back to ATT service and am still using the same bypass method that you linked to from about a year ago. It still works very well and is completely reliable; I keep it all on a UPS battery backup so the power is stable. I did notice that ATT has reduced their WAN DHCP lease times down to 1 hour. However, the bypass has been stable for months.