AT&T Uverse service is a triple-play service (internet, phone, and TV) provided by AT&T - depending on what service is available in your area you may be getting FTTH (Fiber to the Home), FTTN (Fiber to the Node), or VDSL (either bonded or unbonded).
FTTN and VDSL both use VDSL2 connectivity from your house to the network. The advantage with FTTN over FTTH is reduced deployment costs for MDUs (Multiple Dwelling Units, such as duplexes or apartment complexes) - AT&T only has to run fiber to a local node that then serves VDSL2 to the customers.
The problem isn't the service; the problem is the Residential Gateway (RG) that AT&T provides. It's a decently powerful unit that allows for triple play services. However, the RG has a lot of limitations, namely a cap of ~8000 NAT sessions, a poor interface with very limited options, and no true passthrough.
But wait! IP Passthrough? Why not just use that? The problem is if you're using IP Passthrough, the RG still tracks all connections going through the RG. Once you hit the connection limit of 8000 connections, which admittedly is more than most people need, the RG will refuse new connections.
I've also had some instances where the RG will spontaneously reboot, or crash and hang, under heavy usage. I needed to explore options for bypassing the RG and using my own (hopefully more sane) DSL modem that doesn't do any connection tracking and is just a pure layer 2 bridge between AT&T's VDSL network and my router.
After some research: my particular VDSL service is unbonded, so it only uses one pair of copper lines. This is important because the only DSL modem supported by OpenWRT is the Netgear DM200, which only supports unbonded VDSL.
If you have bonded VDSL service, this will probably not work for you.
Why do we have to use OpenWRT, and not just use the DM200 in bridge mode with the stock firmware? The reason is that AT&T uses EAPOL (802.1X) authentication, whereas every other sane DSL provider uses PPPoE. There are a few benefits to this: authentication is done with certificates rather than usernames and passwords, and there is no need for MTU shifting.
The downside is that in my testing, the DM200 in bridge mode does not forward EAPOL / 802.1x packets to the DSL link. This is by design in bridged interfaces, but there is a workaround for it. However, testing the workaround did not solve the problem.
The solution was to run wpa_supplicant on the DM200 itself so the DM200 can authenticate using EAPOL, then bridge the DSL line to the Ethernet line so raw layer 2 traffic is sent to my router.
In this configuration, the DM200 does no connection tracking and runs no firewall. The only purpose of the DM200 is to run wpa_supplicant for authentication and to bridge the DSL and Ethernet links.
The Netgear DM200 VDSL modem needs to be flashed to use OpenWRT, and some prep work needs to be done before we can take down the AT&T UVerse modem. The reason we have to use OpenWRT on the DM200 is that AT&T uses EAPOL for authentication, whereas every other DSL provider uses PPPoE. The stock firmware on the Netgear DM200 has PPPoE support, but no EAPOL. Additionally, I have tried putting the modem into bridge mode and running wpa_supplicant on my router, but no EAP packets are forwarded to AT&T's authenticator through the Netgear DM200 modem's bridge. From my tinkering, the Netgear DM200 uses a standard brctl Linux bridge. However, the standard Linux bridge does not forward EAPOL packets by design (EAPOL frames are sent to a reserved 802.1D group address that bridges are required not to forward). It's possible to force the bridge to forward EAPOL packets, but in testing this did not work, either with the stock DM200 firmware or with OpenWRT.
In this configuration, we are going to run wpa_supplicant on the DM200 itself and bridge the DSL connection to the Ethernet connection. This gives a pure layer 2 bridge to the AT&T DSL network with no MTU shifting, and the DM200 does not spend any resources managing or tracking connections beyond the layer 2 bridge and running wpa_supplicant.
Set the eth0 interface to be a DHCP client. Packages needed on the DM200: wpa-supplicant, ca-certificates, openssh-sftp-server.
spTurquoise210-700_1.0.29.bin
The curl commands below authenticate as the user tech; when prompted for a password, just hit ENTER. After the last command is executed, the UVerse RG will reboot.
curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| echo 28telnet stream tcp nowait root /usr/sbin/telnetd -i -l /bin/nsh > /var/etc/inetd.d/telnet28|" -v --http1.1 https://192.168.1.254:49955/caserver
curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| pfs -a /var/etc/inetd.d/telnet28|" -v --http1.1 https://192.168.1.254:49955/caserver
curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| pfs -s|" -v --http1.1 https://192.168.1.254:49955/caserver
curl -k -u tech -H "User-Agent: blah" -H "Connection:Keep-Alive" -d "appid=001&set_data=| reboot|" -v --http1.1 https://192.168.1.254:49955/caserver
Remount the root file system as writeable:
mount -o remount,rw /dev/ubi0 /
Mount the mfg partition, which contains the certificates:
mount mtd:mfg -t jffs2 /mfg
Copy mfg.dat and the root certificates somewhere they can be downloaded from:
cp /mfg/mfg.dat /www/att/mfg.dat
tar -zcvf /www/att/certs.tar.gz /etc/rootcert/
Take the mfg_dat_decode utility that was downloaded earlier and the certs.tar.gz archive that was downloaded earlier. Put the mfg.dat file into the folder with the mfg_dat_decode binary, put certs.tar.gz into the folder with the mfg_dat_decode binary, then run the mfg_dat_decode binary, which will extract and create a tar.gz containing certificates and a wpa_supplicant.conf configuration file. That archive contains pem formatted certificates, a sample wpa_supplicant.conf file, and a readme.txt
file. Create the hotplug script 99_dsl_eapol.sh - you can also just click on the link below and download it. It starts wpa_supplicant when the DSL line trains up and kills it when the line drops:
#!/bin/sh
# Runs from /etc/hotplug.d/dsl on every DSL line state change.
logger -t DSL "$DSL_NOTIFICATION_TYPE $DSL_INTERFACE_STATUS"
if [ "$DSL_NOTIFICATION_TYPE" = "DSL_INTERFACE_STATUS" ] && [ "$DSL_INTERFACE_STATUS" = "UP" ]; then
    logger -t DSL "DSL interface UP, starting wpa_supplicant..."
    # -s: log to syslog, -B: daemonize, -D wired: plain 802.1X on dsl0,
    # -b br-br0: the bridge dsl0 is enslaved to, -P: pid file used below to stop it
    /usr/sbin/wpa_supplicant -s -B -P /var/run/wpa_supplicant.pid -D wired -i dsl0 -b br-br0 -c /etc/wpa_supplicant/wpa_supplicant.conf
    # Bounce the LAN port so the router behind it sees a link change
    ip link set eth0 down
    sleep 5
    ip link set eth0 up
fi
if [ "$DSL_NOTIFICATION_TYPE" = "DSL_INTERFACE_STATUS" ] && [ "$DSL_INTERFACE_STATUS" = "DOWN" ]; then
    logger -t DSL "DSL interface DOWN, killing wpa_supplicant..."
    # Same pid file path as the -P above (/var/run and /tmp/run are the same directory on OpenWRT)
    if [ -e /var/run/wpa_supplicant.pid ]; then
        kill "$(cat /var/run/wpa_supplicant.pid)"
    fi
    ip link set eth0 down
fi
Edit the wpa_supplicant.conf file using a text editor. Find ca_cert, client_cert, and private_key and add /etc/wpa_supplicant/ before the filename. For example:
ca_cert="/etc/wpa_supplicant/CA_001E46-27058949910000.pem"
client_cert="/etc/wpa_supplicant/Client_001E46-27058949910000.pem"
eap=TLS
eapol_flags=0
identity="18:9C:27:18:ED:F1" # Internet (ONT) interface MAC address must match this value
key_mgmt=IEEE8021X
phase1="allow_canned_success=1 tls_disable_time_checks=1"
private_key="/etc/wpa_supplicant/PrivateKey_PKCS1_001E46-27058949910000.pem"
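As an added check that is not part of the original post: a small POSIX shell script that validates a wpa_supplicant.conf like the one above before it is copied to the modem, catching the mistakes that otherwise show up only as a silent authentication failure (a cert path not rewritten to /etc/wpa_supplicant/, a missing or non-PEM file, an identity that is not a MAC address). It also flags tls_disable_time_checks=1 so you know the certificate validity period is not being verified. The function names, the optional CERTDIR argument, the sample MAC and the placeholder PEM files are all constructed for this example.

```sh
#!/bin/sh
# Pre-flight check for the DM200's wpa_supplicant.conf (added example, not code
# from the original post). POSIX/BusyBox sh, so it can run on the modem itself.
#   check_wpa_conf /etc/wpa_supplicant/wpa_supplicant.conf
# prints one line per problem and exits 1, or exits 0 when everything looks right.

# conf_value FILE KEY: print KEY's value with quotes and any trailing comment removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# is_mac STRING: true when STRING is a colon-separated 48-bit MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$'
}

# check_wpa_conf FILE [CERTDIR]: CERTDIR is where the PEM files must live
# (default /etc/wpa_supplicant, the directory the post copies them into).
check_wpa_conf() {
    conf=$1
    certdir=${2:-/etc/wpa_supplicant}
    errors=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }

    # AT&T's authenticator does EAP-TLS over plain 802.1X, not WPA.
    v=$(conf_value "$conf" eap)
    [ "$v" = "TLS" ] || { echo "ERROR: eap='$v', expected TLS"; errors=$((errors + 1)); }
    v=$(conf_value "$conf" key_mgmt)
    [ "$v" = "IEEE8021X" ] || { echo "ERROR: key_mgmt='$v', expected IEEE8021X"; errors=$((errors + 1)); }

    # identity carries the MAC the certificate was issued for; a typo here
    # fails authentication with no useful error on the DSL side.
    v=$(conf_value "$conf" identity)
    is_mac "$v" || { echo "ERROR: identity='$v' is not a MAC address"; errors=$((errors + 1)); }

    # The three PEM paths must be absolute, under CERTDIR, present and readable.
    for key in ca_cert client_cert private_key; do
        path=$(conf_value "$conf" "$key")
        case "$path" in
            "$certdir"/*) ;;
            *) echo "ERROR: $key='$path' is not under $certdir/"; errors=$((errors + 1)); continue ;;
        esac
        [ -r "$path" ] || { echo "ERROR: $key file $path is missing"; errors=$((errors + 1)); continue; }
        head -n 1 "$path" | grep -q '^-----BEGIN' \
            || { echo "ERROR: $key file $path is not PEM encoded"; errors=$((errors + 1)); }
    done

    # tls_disable_time_checks=1 skips certificate validity dates. It is needed when
    # the clock is not yet set at boot (the modem must authenticate before it can
    # reach NTP), but it is worth knowing the check is off.
    case "$(conf_value "$conf" phase1)" in
        *tls_disable_time_checks=1*) echo "WARN: certificate validity dates are not checked (tls_disable_time_checks=1)" ;;
    esac

    [ "$errors" -eq 0 ]
}

# write_sample_conf DIR: constructed sample (made-up MAC and placeholder PEM
# files, no real certificates) so the checker can be exercised offline.
write_sample_conf() {
    dir=$1
    mkdir -p "$dir"
    for f in CA_example.pem Client_example.pem PrivateKey_example.pem; do
        printf '%s\n' '-----BEGIN PLACEHOLDER-----' 'not a real certificate' '-----END PLACEHOLDER-----' > "$dir/$f"
    done
    cat > "$dir/wpa_supplicant.conf" <<EOF
ca_cert="$dir/CA_example.pem"
client_cert="$dir/Client_example.pem"
eap=TLS
eapol_flags=0
identity="02:00:00:00:00:01" # placeholder MAC, not a real ONT address
key_mgmt=IEEE8021X
phase1="allow_canned_success=1 tls_disable_time_checks=1"
private_key="$dir/PrivateKey_example.pem"
EOF
}

# Stand-alone run: check the constructed sample, then clean up.
demo=${TMPDIR:-/tmp}/wpa_check_demo.$$
write_sample_conf "$demo"
check_wpa_conf "$demo/wpa_supplicant.conf" "$demo" && echo "sample config OK"
rm -rf "$demo"
```

Run it against the real file with the default CERTDIR (check_wpa_conf /etc/wpa_supplicant/wpa_supplicant.conf) after the copy step; the only line it should print is the WARN about time checks.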
On the DM200 as root:
Create /etc/wpa_supplicant.
Copy the wpa_supplicant.conf file and the three pem encoded certificates to /etc/wpa_supplicant.
Copy the 99_dsl_eapol.sh file to /etc/hotplug.d/dsl and apply 0755 / -rwxr-xr-x permissions.
Take the eth0 interface and set it to unmanaged.
Take the dsl0 interface and set it to unmanaged.
Create a br0 bridge interface with eth0 and dsl0 as slave interfaces, and set it to unmanaged.
vlan 0
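The interface layout described in the steps above, written out as an OpenWRT /etc/config/network fragment. This is an added illustration, not the post's own configuration: it assumes the UCI syntax of OpenWRT 18.06/19.07 (option ifname; newer releases use config device with option ports instead), that the DSL driver exposes the trained line as dsl0, and that "unmanaged" in LuCI corresponds to proto 'none'. It covers only the three interfaces the post names; the vlan 0 step is not part of it.

```text
# /etc/config/network on the DM200 (added example; assumes OpenWRT 18.06/19.07 UCI syntax)

# Ethernet port towards the home router: no address, no DHCP, no firewall zone.
config interface 'eth0'
        option ifname 'eth0'
        option proto 'none'

# PTM interface the DSL driver brings up once the line trains.
config interface 'dsl0'
        option ifname 'dsl0'
        option proto 'none'

# Pure layer 2 bridge between the two. netifd names the bridge device br-br0,
# which is the name 99_dsl_eapol.sh passes to wpa_supplicant with -b.
config interface 'br0'
        option type 'bridge'
        option ifname 'eth0 dsl0'
        option proto 'none'
```

Because every interface is proto 'none', the DM200 itself has no IP address on either side of the bridge and no firewall rules apply to it; that is what keeps it out of the data path, and it is also why a management address on the modem is not reachable from the LAN without further configuration.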
With wpa_supplicant running, you should be able to get an IP address and access the internet!
One thing I have not been able to do is reach the DM200 at 192.168.100.1 or 192.168.5.1 even after it has connected to the ISP network. I tried assigning an IP address to the bridge interface on the DM200, but I still can't access it.
Hitting ENTER after connecting will drop you into a root shell.