July 23rd, 2024

OpenBSD IPv6 Home Internet Gateway with AT&T Fibre

Setting up an OpenBSD IPv6 home internet gateway with AT&T Fiber offers improved performance, security, and flexibility compared to ISP-provided gateways. The guide covers hardware, installation, configuration steps, including firewall rules, packet forwarding, network interfaces, DHCP, and AT&T BGW320 setup for passthrough mode, along with managing external IPv6 addresses effectively.

Read original articleLink Icon
OpenBSD IPv6 Home Internet Gateway with AT&T Fibre

This article discusses setting up an OpenBSD IPv6 home internet gateway using AT&T Fiber. It highlights the limitations of ISP-provided home gateways and the benefits of creating a custom setup for better performance, security, and flexibility. The guide covers hardware recommendations, installation steps, configuration details including setting up pf.conf for firewall rules, enabling packet forwarding, configuring network interfaces, setting up DHCP for IPv4 addressing, and configuring the AT&T BGW320 gateway for passthrough mode. It also explains how to handle external IPv6 addresses using dhcpcd and slaacd. The article provides detailed instructions and commands for each step, ensuring a secure and functional home internet gateway setup.

Link Icon 6 comments
By @apearson - 5 months
There is a way to bypass the AT&T Gateway using the following method (with hardware)

https://pon.wiki/guides/masquerade-as-the-att-inc-bgw320-500...

By @fakebizprez - 5 months
Many have gone down the agonizing process of searching for the best way to coexist with this abomination of networking gear that AT&T has given us.

Let me save you all some heartache, and you'll be able to throw the BGW320 in the trash - literally.

Read this documentation:

https://pon.wiki/guides/masquerade-as-the-att-inc-bgw320-500...

https://docs.google.com/document/d/1gcT0sJKLmV816LK0lROCoywk...

Here is the modified SFP (there are cheaper ones out there, but I couldn't wait any longer): https://ecin.ca/custom-xgs-pon-sfp-stick-module-xgspon-ont-w...

Join this Discord for support: https://discord.gg/8311-886329492438671420

By @johnklos - 5 months
The BGW320 units are absolutely horrible. They're riddled with bugs, and there's no way to communicate with humans at AT&T who either understand the bugs or who know how to communicate with other people at AT&T to address them.

One incredibly annoying problem is that even if you're paying for static IPs and expect static IPv6, you can't route IPv6 without DHCPv6 being turned on (the settings are on or off for IPv6, for DHCPv6, and for DHCPv6 Prefix Delegation). You can turn on DHCPv6 on the BGW320, then you can statically configure IPv6 without ever running or using DHCPv6 and it'll work, but you can't turn off DHCPv6 and use static configurations, even though the setting for IPv6 is "On".

While this isn't a big issue because I control the public segment of my network, it's both annoying and unprofessional that this issue exists. It also makes it impossible to use a devices you have less control over with IPv6 without using their DNS hijacking servers and without using their search domain, since you can't configure the BGW320 to provide custom DNS servers, nor set a custom search domain.

A more egregious problem is that all traffic, both IPv4 and IPv6, goes through the state table of the BGW320, even when you're not doing NAT, and even when you turn off all of the "firewall" things (although "Reflexive ACL" has to be on, else IPv6 won't work). This can be seen when you go to "Diagnostics", then "NAT Table" in the BGW320's web interface. That's right - you can see NAT entries for every connection made.

This caused all sorts of problems until I figured out this was why connections were constantly getting dropped on a busy network. 8192 state table entries might be fine for an individual, but for a small business, with lots of clients, and with machines on the static IPs that the BGW320 routes, it was constantly overflowing.

I'd love to see a straightforward way to turn the BGW320 in to a bridge so we don't have all these ridiculous issues. In the meanwhile, anyone who has one of these should definitely take the advice of OP to "put your LAN behind a secure and trustworthy firewall" :)

By @silotis - 5 months
If you're fortunate enough to have the older BGW210 you can bypass it without specialized hardware by having your router proxy the authentication requests.

https://pyther.net/2020/05/03/bypass-att-gateway-openwrt.htm...

By @mwpmaybe - 5 months
pfSense and OPNsense are great FreeBSD-based options if you want to use pf without needing to craft your own pf.conf.

Also it's possible to extract the certs from some BGW models to use with wpa_supplicant and bypass the BGW completely.