A lot of people seem to have put a lot of effort into bypassing the residential gateway that AT&T forces you to use with their fiber service, from MAC spoofing to copying authentication certs onto their own equipment. This guy recommends simply purchasing a block of static IPs from AT&T and connecting your router to one of those IPs via the residential gateway, effectively bypassing it altogether and causing it to function as a “multi-port modem”.
Is this really as simple as he says it is?
I’m still learning a lot about networking, but what I do know is that I would really like to keep AT&T out of my home’s network.
Network engineer here (worked in the ISP field for 9 years). This guy’s advice is terrible. DSL/Fiber networks do not rely on terminating equipment to police traffic, or monitor traffic, or to do anything other than the bare minimum necessary to get you connected.
The reason they require you to connect via the residential gateway is because it’s got built-in diagnostics and administrative controls which enable their support agents to access your device and interrogate it for configuration problems. BY FAR the most expensive resource an internet customer consumes is that guy you talk to when your service isn’t working, so they invest extra money to ensure that the device they provide gives support the tools to identify problems quickly.
Think about it like this: Putting traffic controls into every DSL/Fiber subscriber’s home portal would be like posting a traffic cop to every house’s driveway in order to route around an accident on the freeway thirty miles away. If you don’t want your ISP to know where your traffic is going, use a VPN, but the only thing that changes is that instead of the FBI tracing you via AT&T, they’ll send the court order to NordVPN, or whatever other bunch of hustlers you’re paying for “privacy”.
I would really like to keep AT&T out of my home’s network.
AT&T isn’t snooping on your internal network; if the home portal had that capability, they’d have to worry about the support guys trawling home drives looking for porn, and I assure you that John Stankey doesn’t want a piece of that press conference.
Let me guess, they won’t allow you to put it into bridge mode?
Well basically if you have multiple IP addresses, you can give your own router a dedicated IP but the AT&T modem will still be the next hop router. I’m not sure what they’re doing since I’m no American but they could still do some stuff to the traffic.
I believe all AT&T gateways can be reduced to just a gateway (or darn close). And I think most people aren’t trying to escape AT&T wholly, but more just trying to bleed the highest performance and closest to raw internet they can, then use their own equipment that they either trust more or have already configured (my case), and don’t want to end up with double NAT.
In my case, the gateway had to use IP Passthrough, so the first device plugged in would be given the public IP in almost a DMZ mode. I say almost because if I plug something else into a LAN port it gets a LAN IP from the gateway/router that isn’t from my LAN but still works to the internet and the management screen of the gateway/router. So the box is still a router, but has been told not to route/mask anything that comes to it unsolicited, just pass it along to device 1 to be handled. Note, almost all of your internet traffic is solicited: you’ve performed some outbound action causing a response back to you (you solicited it).
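As an added illustration (not code from this thread, from AT&T, or from any gateway firmware), a toy model of the passthrough behaviour described in the comment above: the NAT table is the "solicited" bookkeeping, device 1 speaks with the public address untouched, and anything unsolicited is passed along to it. The public address, LAN hosts and traffic are constructed sample values.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"      # constructed sample public address (documentation range)
PASSTHRU_HOST = "device1"       # label for "device 1", the box that holds PUBLIC_IP itself
NAT_PORT_BASE = 40000           # first source port handed to NATed LAN hosts

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

class PassthroughGateway:
    """Toy model of IP Passthrough: device 1 owns the public IP and gets all unsolicited
    inbound traffic; any other LAN host is ordinary NAT behind the same public IP."""
    def __init__(self):
        # (proto, remote_ip, remote_port, wan_port) -> (lan_ip, lan_port); one entry per
        # flow a NATed LAN host opened, i.e. the traffic it "solicited"
        self.nat = {}
        self.next_port = NAT_PORT_BASE

    def from_lan(self, pkt):
        if pkt.src == PUBLIC_IP:
            return pkt  # device 1 already speaks with the public address: no rewriting
        wan_port = self.next_port
        self.next_port += 1
        self.nat[(pkt.proto, pkt.dst, pkt.dport, wan_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=wan_port)

    def from_wan(self, pkt):
        """Return (where it goes, packet as delivered)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.nat:  # solicited: a reply to a flow a NATed host opened
            lan_ip, lan_port = self.nat[key]
            return lan_ip, replace(pkt, dst=lan_ip, dport=lan_port)
        return PASSTHRU_HOST, pkt  # unsolicited: passed along untouched to device 1

def demo():
    """Constructed traffic: a NATed host browses, its reply comes back, then an
    unsolicited SSH attempt arrives, then device 1 sends a DNS query directly."""
    gw = PassthroughGateway()
    out = gw.from_lan(Packet("192.168.1.77", "198.51.100.5", "tcp", 51000, 443))
    reply = gw.from_wan(Packet("198.51.100.5", PUBLIC_IP, "tcp", 443, out.sport))
    unsolicited = gw.from_wan(Packet("198.51.100.9", PUBLIC_IP, "tcp", 4444, 22))
    direct = gw.from_lan(Packet(PUBLIC_IP, "198.51.100.5", "udp", 5000, 53))
    return out, reply, unsolicited, direct
```

The unsolicited SSH packet shows why device 1 (your own router) must run its own firewall: the gateway's default firewall mentioned elsewhere in the thread is what otherwise stands in front of it.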
AT&T isn’t snooping on your internal network; if the home portal had that capability, they’d have to worry about the support guys trawling home drives looking for porn, and I assure you that John Stankey doesn’t want a piece of that press conference.
This used to be a problem in the early 2000s (CEO Ed Whitacre), when we still had real 5E switches and support frames with Plain Old Telephone networks. We had to take training on how to perform routine audits of what diagnostics were used and how records were accessed and by whom. Every year some jealous dumb ass tech in the wireline NOCs would start stalking his ex-wife or girlfriend, looking up her call records, or even tapping calls. We would have meetings with the Union Rep and the dude would get fired. No one wants that kind of press.
You always need a next hop so that’s not unusual or a hardship. My U-verse gateway has what is effectively bridge mode at least for the “supplemental” addresses (a static block) perhaps like the (I don’t go there) video shows, but indeed the device remains the gateway. Alas mine is an older model (Pace 5268AC) so it might not represent what can currently be accomplished though it seems likely. Also a firewall is on by default but that can be changed.
AT&T fiber lets you put the gateway in “IP Passthrough” mode, which is close enough to bridge mode that I’ve never noticed a difference. People get all up in arms about the requirement to use AT&T’s gateway and I’ve never understood why. You have to pay the $10/month anyway.
I just have my ONT in IP Passthrough and my EdgeRouter gets the public IP.
Thanks. I’ve seen this method but don’t understand why the switch is necessary. Why not just spoof the MAC of the router and connect it directly to the ONT?
I was a voice tech at AT&T many years ago. I creeped out my wife by listening to her at work once. But…
She also worked at AT&T in another office (I think as a TG5 handling account codes and stuff with reps).
Anyway, their office phones went down several times a day. I kept telling her that her bosses needed to open a trouble ticket with internal support. But they never would. So it was kind of like the dentist’s kids who have a mouthful of cavities. Big ol’ Ma Bell couldn’t even look at their own phone issues.
I was a little tired of hearing it every evening and a little curious. So when I had a chance, I looked up their circuit ID and started my usual testing. I knew she was regularly on the phone so I checked a few channels. Found her right away.
Got home that evening and asked if she was always so syrupy sweet talking to the reps. She looked at me odd. I said she sure was nice talking to the rep in TX about his account code requests. She was NOT happy! But we still laugh about it to this day.
Turned out the PBX timing was off and slipping. Stupid PBX admin - which was internally supported! Idiots.
If the equipment doesn’t have the features you want.
You then do take on the responsibility to admin it well for years: make sure it’s patched against security vulnerabilities, and you don’t make mistakes in setting it up. Basically, you’re taking over the job that your ISP used to do for you.
Yeah, normally with most providers, all you need to do is spoof the MAC of their equipment. But AT&T still uses 802.1X authentication, with the cert loaded on their Gateways. So the ONT needs the Gateway to authenticate. But it only needs to do this once.
So you still need to spoof their MAC on your router and follow the below steps:
Have both the ONT and Gateway (both powered off) connected to the switch
Power On the ONT and wait a few secs, you’ll see the lights cycle on the ONT.
Power On the Gateway and wait until the internet light is solid green. When the light is solid green that means that connection has authenticated.
Disconnect the Gateway from the Switch, and now you can plug in your router with the spoofed MAC and IPs will be handed off to your router.
The only con is if your switch and/or ONT loses power, you’ll have to redo the above steps all over again.
My connection has been up and running for like a year.
This sounds easy enough, thanks. I’m just confused why you need the switch instead of just unplugging the cable from the gateway after the authentication and plugging it into the router. Do you know if it’s possible?
The only downside to this method for me is I can’t spoof my MAC with my Eero system, so I will need to either transition or use something in front of the Eero.
I’m just confused why you need the switch instead of just unplugging the cable from the gateway after the authentication and plugging it into the router. Do you know if it’s possible?
OK, that’s the other con. I guess I forgot to mention it.
So I already mentioned that if you lose power you have to redo those steps again.
The other con is, if the ONT loses network connectivity, like unplugging the network cable, then it has to re-auth again.
So the whole point of having the switch is to keep that network port up to the ONT. So you run through the process of authenticating with both the ONT and Gateway connected to the switch. When you remove the Gateway from the switch, the port to the ONT is still up, and then you add your router to a port on that switch.
I’m not familiar with the Eero. So they don’t have an option where you can use a different MAC address?