July 23rd, 2024

OpenBSD IPv6 Home Internet Gateway with AT&T Fibre

Setting up an OpenBSD IPv6 home internet gateway with AT&T Fiber offers improved performance, security, and flexibility compared to ISP-provided gateways. The guide covers hardware, installation, and configuration steps, including firewall rules, packet forwarding, network interfaces, DHCP, and AT&T BGW320 setup for passthrough mode, along with managing external IPv6 addresses effectively.

This article discusses setting up an OpenBSD IPv6 home internet gateway using AT&T Fiber. It highlights the limitations of ISP-provided home gateways and the benefits of creating a custom setup for better performance, security, and flexibility. The guide covers hardware recommendations, installation steps, configuration details including setting up pf.conf for firewall rules, enabling packet forwarding, configuring network interfaces, setting up DHCP for IPv4 addressing, and configuring the AT&T BGW320 gateway for passthrough mode. It also explains how to handle external IPv6 addresses using dhcpcd and slaacd. The article provides detailed instructions and commands for each step, ensuring a secure and functional home internet gateway setup.

6 comments
By @apearson - 3 months
There is a way to bypass the AT&T Gateway using the following method (with hardware):

https://pon.wiki/guides/masquerade-as-the-att-inc-bgw320-500...

By @fakebizprez - 3 months
Many have gone down the agonizing process of searching for the best way to coexist with this abomination of networking gear that AT&T has given us.

Let me save you all some heartache, and you'll be able to throw the BGW320 in the trash - literally.

Read this documentation:

https://pon.wiki/guides/masquerade-as-the-att-inc-bgw320-500...

https://docs.google.com/document/d/1gcT0sJKLmV816LK0lROCoywk...

Here is the modified SFP (there are cheaper ones out there, but I couldn't wait any longer): https://ecin.ca/custom-xgs-pon-sfp-stick-module-xgspon-ont-w...

Join this Discord for support: https://discord.gg/8311-886329492438671420

By @johnklos - 3 months
The BGW320 units are absolutely horrible. They're riddled with bugs, and there's no way to communicate with humans at AT&T who either understand the bugs or who know how to communicate with other people at AT&T to address them.

One incredibly annoying problem is that even if you're paying for static IPs and expect static IPv6, you can't route IPv6 without DHCPv6 being turned on (the settings are on or off for IPv6, for DHCPv6, and for DHCPv6 Prefix Delegation). You can turn on DHCPv6 on the BGW320, then you can statically configure IPv6 without ever running or using DHCPv6 and it'll work, but you can't turn off DHCPv6 and use static configurations, even though the setting for IPv6 is "On".

While this isn't a big issue because I control the public segment of my network, it's both annoying and unprofessional that this issue exists. It also makes it impossible to use devices you have less control over with IPv6 without using their DNS hijacking servers and without using their search domain, since you can't configure the BGW320 to provide custom DNS servers, nor set a custom search domain.

A more egregious problem is that all traffic, both IPv4 and IPv6, goes through the state table of the BGW320, even when you're not doing NAT, and even when you turn off all of the "firewall" things (although "Reflexive ACL" has to be on, else IPv6 won't work). This can be seen when you go to "Diagnostics", then "NAT Table" in the BGW320's web interface. That's right - you can see NAT entries for every connection made.

This caused all sorts of problems until I figured out this was why connections were constantly getting dropped on a busy network. 8192 state table entries might be fine for an individual, but for a small business, with lots of clients, and with machines on the static IPs that the BGW320 routes, it was constantly overflowing.

I'd love to see a straightforward way to turn the BGW320 into a bridge so we don't have all these ridiculous issues. In the meanwhile, anyone who has one of these should definitely take the advice of OP to "put your LAN behind a secure and trustworthy firewall" :)

By @silotis - 3 months
If you're fortunate enough to have the older BGW210 you can bypass it without specialized hardware by having your router proxy the authentication requests.

https://pyther.net/2020/05/03/bypass-att-gateway-openwrt.htm...

By @mwpmaybe - 3 months
pfSense and OPNsense are great FreeBSD-based options if you want to use pf without needing to craft your own pf.conf.

Also it's possible to extract the certs from some BGW models to use with wpa_supplicant and bypass the BGW completely.