How to bypass the AT&T Fiber residential gateway

Deacon

TXCTG
AT&T Fiber is awful. Or rather, their hardware is awful. Their routing and peering choices are highly questionable, too. But if you can at least get past their stupid “residential gateway” junk, you might at least stand a chance of having a less painful experience. I have an Arris BGW210 (specifically Arris BGW210-700) and the AT&T Internet 1000 along with AT&T U-verse TV, also junk hardware.

Anyway, you’ll see stuff about bridge mode and IP pass through and cascade router settings. And it’s all crap. At no point do you get to take control of your own internet connection.

I finally found the way around it and thought I’d share here in case it helps anyone else. For reference, the whole residential gateway thing is a sham. Everything is just IP based, as it should be. They just retain control and the option to charge you continuously for junk equipment forever.

First, you’ll need a powered switch of some sort, your own router, and a couple of CAT5E or greater network cables. The ONT (Optical Network Terminal) is that thing on the wall where the fiber terminates and has a network cable to feed into the ONT port on the RG. Instead, plug that network cable from the ONT into the powered switch. Then take the other network cable and connect the switch to the RG.

When the RG is up and running, connect to the RG admin pages (generally just type 192.168.1.254 in your browser), and make note of the MAC address. In your own router, set the internet connection to clone that MAC. Then unplug the cable from the back of the RG, and plug it into the WAN port of your router.

Et voilà! If you did it right, the ONT shouldn’t drop the connection because the switch makes it think it’s still running. And your router then takes over in place of the residential gateway junk.

Just remember you have to do it all over again if the power ever goes out. So make sure you have a battery backup UPS set up.
 

GoWFO

If you have to go... GoWFO!
Very Cool, you found a way to do that.
 

jdong

I use this method: https://www.reddit.com/r/PFSENSE/comments/bfxp3j
It uses PFSense and NetGraph to only connect their gateway for EAP authentication and then unplugs it from the network.

Unfortunately the project just got DMCA’ed off Github because they recently pivoted to either de-soldering or leveraging a root exploit on the firmware to extract the EAP certificates off the device :(
 

Deacon

TXCTG
My method is simpler, quicker, and easier, and it requires no special knowledge, action, or equipment :)

PS No joke, it’s made a massive difference in my internet satisfaction in general and browsing experience in particular. Browsing RDF was so painful that I would switch my phone’s WiFi off and use LTE. Now I don’t have to. My ASUS RT-AC88U with the latest Merlin firmware is doing a great job, and my VPN access is working properly again like it used to.

I used to have rural electric co-op provided fiber at 150Mbps up/down. And I miss it compared to this gigabit fiber. It was far simpler and cleaner and didn’t route my packets all over creation before finally meandering to their destination. But eliminating the poorly performing residential gateway crap helped a ton. It’s still not as good, but it’s way better, livable at least.
 

STS-134

> AT&T Fiber is awful.
> I use this method:
:yousuck:
**Shakes fist at people who can actually get fiber in the first place** :mad:
:)

I'm still stuck on crappy Comcast, and AT&T only offers their even crappier U-Verse product here, which is even worse than Comcast. AT&T is a damned joke, check this out (yes, this is literally their ONLY offer):

[attached image: AT&T Internet Offers.jpg]
 

Deacon

TXCTG
@STS-134 it still amazes me when the Bay Area isn’t already blanketed in google fiber or whatever. That looks like the same copper DSL U-verse offering I had in San Antonio like 8 years ago that I ditched pretty quickly not because of “speed” (I could only otherwise get 20Mbps RoadRunner cable) but because even then their residential gateway was junk and larger downloads would randomly stall forever. Similar problems with this gigabit fiber until I bypassed their hardware.
 

STS-134

> @STS-134 it still amazes me when the Bay Area isn’t already blanketed in google fiber or whatever. That looks like the same copper DSL U-verse offering I had in San Antonio like 8 years ago that I ditched pretty quickly not because of “speed” (I could only otherwise get 20Mbps RoadRunner cable) but because even then their residential gateway was junk and larger downloads would randomly stall forever. Similar problems with this gigabit fiber until I bypassed their hardware.
AT&T has rolled out fiber to parts of Mountain View, Sunnyvale, Santa Clara, Cupertino, and San Jose. But Saratoga/Monte Sereno/Los Gatos? Nope. Google Fiber apparently does provide service to parts of San Jose, but expansion was permanently suspended in 2016. They apparently switched to wireless service which is extremely lame and not a substitute for real fiber. Having services provided via underground conduits is nice because it doesn't clutter up the sky, but they really have to do something about the ridiculous costs they pass on to end customers for upgrades. I once asked PG&E about 3 phase service and they said that the transformer isn't even on my street and they'd have to stop traffic and dig up the whole street all the way back to the transformer, and estimated costs "in the 6 figures". :rolleyes: Now see, if they had just put wiring for 3 phase service to all buildings in the first place (or conduits big enough for it, through which they could run extra wiring), they wouldn't have this problem. And if AT&T had run conduits through which they could pull fiber or whatever else in the future, they wouldn't have this problem either. And now their solution is to punish end users for their lack of planning.

What does AT&T fiber charge for static IPs? I wonder if this little device swap trick would work for static IP addresses too. Comcast requires a special gateway for static IPv4 addresses and still does IPv6 addresses by DHCP-PD, which is kind of annoying. So my pfSense box is configured to do static IPv4 and DHCP-PD IPv6 simultaneously.
 

jdong

BTW, the AT&T Fiber "Residential Gateway" is a joke. It's definitely the thing that's holding back an otherwise excellent connection. The RG has an 8000 connection NAT table limit, purely software enforced by sysctl. The device has plenty of resources to support more simultaneous connections (it only takes about 16MB of RAM to track 1 million connections). Unfortunately in Linux, when you reach about half of that NAT table limit, Linux starts adaptively lowering the NAT table expiration time especially for UDP connections, which can result in UDP VPNs dropping out after just a few seconds of inactivity, and SSH connections terminating after 20-30s of inactivity.

Furthermore, the "bridge" mode isn't a true bypass of the box. The box 1:1 NATs the public IP to a port on the LAN side, but that still consumes NAT Table entries.

This is ultimately what drove me to bypass their box. Comcast's modems also play similar tricks, but they actually manage to do it well enough that it's transparent, so I had no desire to hack their cable modems.
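An added example, not from this thread or from any AT&T or pfSense tooling: a small Python parser for the Linux /proc/net/nf_conntrack table that counts live entries by protocol and by LAN source and checks utilization against nf_conntrack_max, so the table pressure described above can be watched on any Linux router. The sample entries are constructed, and the "half the table" threshold is taken from jdong's description rather than measured.

```python
import os
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (not captured from a real gateway).
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.20 sport=51234 dport=443 src=203.0.113.20 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 22 TIME_WAIT src=192.168.1.10 dst=203.0.113.21 sport=51240 dport=80 src=203.0.113.21 dst=198.51.100.7 sport=80 dport=51240 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=192.168.1.11 dst=203.0.113.30 sport=4500 dport=4500 src=203.0.113.30 dst=198.51.100.7 sport=4500 dport=4500 mark=0 use=2
ipv4     2 udp      17 170 src=192.168.1.11 dst=203.0.113.30 sport=500 dport=500 src=203.0.113.30 dst=198.51.100.7 sport=500 dport=500 [ASSURED] mark=0 use=2
ipv4     2 icmp     1 29 src=192.168.1.12 dst=203.0.113.40 type=8 code=0 id=3 src=203.0.113.40 dst=198.51.100.7 type=0 code=0 id=3 mark=0 use=2
"""

# TCP entries carry a state column after the timeout; UDP and ICMP entries do not.
TCP_STATES = {"NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT",
              "CLOSE_WAIT", "LAST_ACK", "TIME_WAIT", "CLOSE"}

def parse_conntrack(text):
    """Parse lines of the form: l3proto l3num l4proto l4num timeout [state] key=value ..."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        l3, _, l4, _, timeout = fields[:5]
        rest = fields[5:]
        state = rest.pop(0) if rest and rest[0] in TCP_STATES else None
        # First src=/dst= pair is the original direction (LAN host -> remote);
        # the second pair is the NATed reply direction, not needed here.
        src = next(f[4:] for f in rest if f.startswith("src="))
        dst = next(f[4:] for f in rest if f.startswith("dst="))
        entries.append({"l3": l3, "proto": l4, "timeout": int(timeout), "state": state,
                        "src": src, "dst": dst, "assured": "[ASSURED]" in rest})
    return entries

def summarize(entries, table_max):
    """Utilization against nf_conntrack_max, per-protocol counts and the LAN hosts holding
    the most entries. 'above_half' is the point past which, per the thread's description of
    the gateway, Linux begins expiring entries early (taken from the thread, not measured)."""
    used = len(entries)
    return {"used": used, "max": table_max, "pct": round(100.0 * used / table_max, 2),
            "above_half": used * 2 >= table_max,
            "by_proto": dict(Counter(e["proto"] for e in entries)),
            "top_src": Counter(e["src"] for e in entries).most_common(3),
            "unassured": sum(1 for e in entries if not e["assured"])}

if __name__ == "__main__":
    # On a Linux router read the live table; elsewhere fall back to the constructed sample.
    path, max_path = "/proc/net/nf_conntrack", "/proc/sys/net/netfilter/nf_conntrack_max"
    if os.path.exists(path) and os.path.exists(max_path):
        with open(path) as f, open(max_path) as m:
            text, table_max = f.read(), int(m.read())
    else:
        text, table_max = SAMPLE, 8000  # 8000 is the limit quoted in the thread
    print(summarize(parse_conntrack(text), table_max))
```

Run it periodically on the router (reading /proc/net/nf_conntrack needs root or CAP_NET_ADMIN) and alert on "above_half" or on one LAN host dominating "top_src", which is what a fleet of always-on VPN clients looks like in this table.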
 

RaggedEdge

RDForum owner and Rdtalk.org Founder
> AT&T has rolled out fiber to parts of Mountain View, Sunnyvale, Santa Clara, Cupertino, and San Jose. But Saratoga/Monte Sereno/Los Gatos? Nope. Google Fiber apparently does provide service to parts of San Jose, but expansion was permanently suspended in 2016. They apparently switched to wireless service which is extremely lame and not a substitute for real fiber. Having services provided via underground conduits is nice because it doesn't clutter up the sky, but they really have to do something about the ridiculous costs they pass on to end customers for upgrades. I once asked PG&E about 3 phase service and they said that the transformer isn't even on my street and they'd have to stop traffic and dig up the whole street all the way back to the transformer, and estimated costs "in the 6 figures". :rolleyes: Now see, if they had just put wiring for 3 phase service to all buildings in the first place (or conduits big enough for it, through which they could run extra wiring), they wouldn't have this problem. And if AT&T had run conduits through which they could pull fiber or whatever else in the future, they wouldn't have this problem either. And now their solution is to punish end users for their lack of planning.
>
> What does AT&T fiber charge for static IPs? I wonder if this little device swap trick would work for static IP addresses too. Comcast requires a special gateway for static IPv4 addresses and still does IPv6 addresses by DHCP-PD, which is kind of annoying. So my pfSense box is configured to do static IPv4 and DHCP-PD IPv6 simultaneously.
What about Sonic? My brother in law has it and loves it. Supposedly it's a solid small business too.
 

STS-134

> What about Sonic? My brother in law has it and loves it. Supposedly it's a solid small business too.
I heard about them, back when they were only a DSL provider. The problem is that no provider will run fiber to every house on my street, unless I pay for nearly all of the costs of digging up the street. Instead of charging the entire neighborhood to do this once and splitting the costs, they want me to foot the entire bill.
 

Deacon

TXCTG
> What does AT&T fiber charge for static IPs?
No clue. I use DynDNS set up in the router itself, so if the IP ever changes, so does the DNS. I’m used to static IPs being either not offered at all (at least without considerable fighting) or else being an annoying and sometimes considerable extra charge, so I’ve been with DynDNS for many years now.

> I wonder if this little device swap trick would work for static IP addresses too.
It would, I’m sure. You’d just explicitly specify the WAN IP and subnet on your router rather than leaving it DHCP.

> I once asked PG&E about 3 phase service and they said that the transformer isn't even on my street and they'd have to stop traffic and dig up the whole street all the way back to the transformer, and estimated costs "in the 6 figures". :rolleyes:
To be fair to them, 3-phase availability is very unusual in residential neighborhoods, and demand for 3-phase is even rarer. It’s more commercial/industrial in its use, in the US at least. What were you hoping to use it for, out of curiosity?


> This is ultimately what drove me to bypass their box.
Same here. Totally unacceptable junk. That I am forced to do this simple “hack” move induces much eye rolling and facepalming. It would be nice if I had an inside connection at AT&T, some level 4 tech or something, who could instead allow my own router and not have to worry about it. At least it works, now, though.
 

surprisinguy

Government can only give what it takes...

jdong

> What about Sonic? My brother in law has it and loves it. Supposedly it's a solid small business too.
Sonic is awesome. FWIW Sonic is basically one of the ISPs that took advantage of the breakup of the AT&T monopoly back a few decades ago. Sonic is operating on AT&T's DSL and gigabit fiber lines, they give you their own gateway box and run their own billing / customer service, but the actual network infrastructure is 100% identical to AT&T Fiber.

So in effect, I can get AT&T Fiber service from either Sonic or AT&T. Right now I'm going with AT&T because it's about $20/mo cheaper.

Sonic is absolutely a solid small business and I've had great experiences with their tech support when I used their DSL service. However, at this point, I find internet to be a commodity service, and I don't see the value in paying Sonic 10-20% more to get the exact same identical service.
 

R4D4RUS3R

PSL +5
I use the BGW210 in IP Passthrough to a Netgate firewall with no issues. I used the switch bypass for about 18 months with no issue as well, then we had a few power outages and I was out of town once so I just put it back. With the bypass there were no benefits to me versus just using the gateway in passthrough. The NAT table is rarely over 300 since I am just a home user and that is with 4 people at the house actively using the connection. The bypass's biggest help when I did it was encrypted DNS but backtracked on that since I prefer to talk to roots. Anyhow, good that you found the bypass, it's been around several years at this point but does still work. DSLReports will give you other options as well like the one mentioned earlier in this thread.
 

jdong

FWIW given how AT&T has been about this, unless the RDF administration feels otherwise we should probably stick with discussing the less sketchy ways of achieving the RG bypass.

The other methods for either physically extracting or using an exploit to pull private keys out of the box are arguably protected both by DMCA and considered an unauthorized access of a computer system... AT&T seems to be pretty aggressive about going after sites hosting such bypass instructions.
 

STS-134

> Sonic is absolutely a solid small business and I've had great experiences with their tech support when I used their DSL service. However, at this point, I find internet to be a commodity service, and I don't see the value in paying Sonic 10-20% more to get the exact same identical service.
Why is Sonic more expensive than AT&T? Are their costs higher from leasing the lines? I'd generally feel comfortable supporting the company with the better policies, even if it means paying a bit more, since if everyone did that, AT&T would be forced to change its ways and get rid of those RGs.
 

jdong

> Why is Sonic more expensive than AT&T? Are their costs higher from leasing the lines? I'd generally feel comfortable supporting the company with the better policies, even if it means paying a bit more, since if everyone did that, AT&T would be forced to change its ways and get rid of those RGs.
I have no idea. I assume because they don't have the volume and they're just rebranding the exact same service so they don't get any cost breaks.

FWIW the policies are no different really -- the Sonic RG is exactly the same box as AT&T's, just with a different sticker on the box. It really just feels like they are re-selling AT&T's Fiber.
 

Deacon

TXCTG
> FWIW the policies are no different really -- the Sonic RG is exactly the same box as AT&T's, just with a different sticker on the box. It really just feels like they are re-selling AT&T's Fiber.
Probably a lot easier to deal with, too. But if they’re forced to force you to use that RG, then there isn’t much point.

PS The whole idea of needing private keys and such is exactly the kind of bloat with no benefit to the end user (or power user at least) that I’m glad to be leaving behind. In the ~24 hours since I bypassed the gateway, my satisfaction levels with my AT&T derive have improved dramatically. If I didn’t have to jump through stupid hoops to get there, it would be far better.
 

jdong

> Probably a lot easier to deal with, too. But if they’re forced to force you to use that RG, then there isn’t much point.
>
> PS The whole idea of needing private keys and such is exactly the kind of bloat with no benefit to the end user (or power user at least) that I’m glad to be leaving behind. In the ~24 hours since I bypassed the gateway, my satisfaction levels with my AT&T derive have improved dramatically. If I didn’t have to jump through stupid hoops to get there, it would be far better.
Right, with Sonic, if I still have to use the same style RG box I have no reason to switch to them. I don't like AT&T but when you get gigabit fiber they don't impose caps.

But yeah, from what I can tell, they are using 802.1X to authenticate you onto their network, otherwise their fiber network is just arbitrary access. For lower tier customers they also implement speed caps via the RG box.

But yeah if they either made the gateway less stupid like Comcast's, or offered a way for me to use my own wpa supplicant to authenticate on the network, I'd be a lot happier.


Unfortunately with COVID and working at home, I have 3 computers and 5 mobile devices just for work, and when they turn on their IKEv2 VPN, that's about 2000 "connections" per device thanks to AT&T's RG not compiling in a conntrack helper for L2TP.

Sure this isn't the normal "home" user, but it is something a $20 router from China can handle without breaking a sweat. I don't understand why they decided to just plop down a sysctl.conf that artificially cripples the connection.
 
