Wednesday, February 15, 2023

pfSense AT&T Fiber bypass dual gateway


TLDR

Two functional gateways are both connected to the ONT and share the same LAN: pfSense handles NAT and DHCP while the 5268AC handles the 802.1x authentication.


Setup

Device

  • pfSense Netgate 1100 version 22.05
  • AT&T U-verse Pace 5268AC

Connection

[AT&T ONT]
   |        {Netgate 1100}     {RG 5268AC}
   |-----------[WAN]           [5268AC LAN]-----[LAN Devices/WIFI]
               [LAN]-----------[5268AC LAN]
               [OPT]-----------[5268AC ONT]

Configuration

As in the previous post, the Netgate 1100 must already be able to obtain a WAN IP and reach the internet:
  • Spoof the AT&T RG MAC
  • Link the Netgate 1100 WAN and OPT ports on the internal switch with the same Virtual Port ID (VPID)
[AT&T ONT]
   |        {Netgate 1100}
   |-----------[WAN]
               [LAN]-----------[Switch]
               [OPT]-----------[5268AC ONT]

What is New

  • Connect a Netgate 1100 LAN port to a 5268AC LAN port
  • Use the 5268AC LAN ports as the switch
  • Disable the 5268AC DHCP server by shrinking its DHCP pool to a single IP

How it works

Phase 1: 802.1x

  1. The 5268AC sends its 802.1x EAPOL authentication frames to the Netgate 1100 OPT port
  2. The Netgate 1100 OPT port sees the EAPOL frames; it is on the same VPID as the Netgate 1100 WAN port
  3. The Netgate 1100 internal switch forwards the frames to the AT&T ONT via WAN
  4. The AT&T ONT receives the authenticated EAPOL frames and replies back to the 5268AC the same way
  5. The AT&T ONT link is now authenticated

Phase 2: pfSense DHCP via WAN

  1. The Netgate 1100 sends its DHCP request out the WAN with priority tag 7 through the internal switch
  2. Both the Netgate 1100 WAN and OPT ports carry the DHCP request
  3. The 5268AC drops the DHCP request/response it does not recognize
  4. The AT&T ONT returns a valid DHCP response with a public IP
  5. The Netgate 1100 obtains the public IP from the DHCP response

Phase 3: Life of LAN DHCP

  1. A LAN device sends a DHCP request
  2. The 5268AC DHCP pool is exhausted, so it has no IP to offer and does not respond
  3. The Netgate 1100 replies with a LAN IP and itself as the gateway

Phase 4: Life of Web Request

  1. A LAN device wants to send a packet to an external destination IP
  2. The LAN device looks up its local route and sends the packet to its gateway IP, which is the Netgate 1100
  3. The 5268AC switch forwards the packet to the Netgate 1100 LAN port
  4. The Netgate 1100 creates a NAT mapping and firewall state for the internal/external IP pair
  5. The packet exits the Netgate 1100 WAN and reaches AT&T
  6. AT&T sends the reply packet back toward the Netgate 1100 WAN
  7. The 5268AC also receives the reply, but drops it because it has no matching NAT session
  8. The Netgate 1100 receives the reply, matches its NAT state, and routes it back to the LAN device

What is the Catch

While the 5268AC is still handing out DHCP leases to local devices, some traffic still goes through the 5268AC, causing random packet loss:
  • The 5268AC and the Netgate 1100 each create NAT sessions with randomly chosen source ports
  • The chosen source ports can be the same, since there is no coordination between the two gateways
  • A reply matching that source port may be picked up by either gateway, so the packet is lost
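The collision described above, modelled as an added example (not code from the original post): two independent NAT tables on the shared segment, each picking ephemeral ports without consulting the other, and the fraction of pfSense flows whose return packets become ambiguous. The gateway names, LAN addresses and port range are assumptions for the model.

```python
import random
from dataclasses import dataclass, field


@dataclass
class NatGateway:
    """Minimal model of one NAT gateway: external source port -> internal (ip, port)."""
    name: str
    port_lo: int = 49152  # assumed ephemeral range, not taken from the post
    port_hi: int = 65535
    table: dict = field(default_factory=dict)

    def open_flow(self, rng, internal):
        # Pick a port unused by *this* gateway only; the other gateway is never
        # consulted, which is exactly the lack of coordination the post describes.
        if len(self.table) > self.port_hi - self.port_lo:
            raise ValueError(f"{self.name}: NAT port range exhausted")
        while True:
            port = rng.randint(self.port_lo, self.port_hi)
            if port not in self.table:
                self.table[port] = internal
                return port


def colliding_ports(gw_a, gw_b):
    """External ports for which both gateways hold a NAT state."""
    return set(gw_a.table) & set(gw_b.table)


def estimate_loss(pf_flows, rg_flows, seed=0, port_lo=49152, port_hi=65535):
    """Simulated fraction of pfSense flows whose replies collide with a 5268AC state."""
    rng = random.Random(seed)
    pf = NatGateway("Netgate 1100", port_lo, port_hi)
    rg = NatGateway("5268AC", port_lo, port_hi)
    for i in range(pf_flows):  # constructed LAN hosts behind each gateway
        pf.open_flow(rng, ("192.168.1.10", 40000 + i))
    for i in range(rg_flows):
        rg.open_flow(rng, ("192.168.1.20", 40000 + i))
    if pf_flows == 0:
        return 0.0
    return len(colliding_ports(pf, rg)) / pf_flows


def expected_loss(rg_flows, port_lo=49152, port_hi=65535):
    """Analytic probability that one pfSense port is also in use on the 5268AC."""
    n_ports = port_hi - port_lo + 1
    return 1.0 - (1.0 - 1.0 / n_ports) ** rg_flows
```

Once the 5268AC holds no NAT states (rg_flows = 0) both functions return 0, which is the condition the post reaches after the old leases expire.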

How to Address Packet Loss

The fix is simply to disable DHCP on the 5268AC: with no LAN device using it as gateway there is no outgoing traffic through it and no NAT at all. Packet loss dropped from 5% to 0% once all old DHCP leases had expired:

With no NAT session active on the 5268AC except a few internal NAT sessions:

Thoughts

  • No need to wait for 23.01 and its FreeBSD VLAN 0 support
  • Reusing the 5268AC as switch and AP saves the energy and space of separate devices
  • 5-30% packet loss is actually not that noticeable, since TCP and UDP applications already handle it
  • Not being able to disable DHCP on the 5268AC is a real pain; a dummy device is needed to exhaust the IP pool

Monday, February 6, 2023

pfSense AT&T Fiber bypass with VLAN 0

TLDR

With pfSense 23.01, VLAN 0 is supported in FreeBSD 14. The ISP Residential Router (RG) can be bypassed by connecting the ONT and RG to the pfSense switch, with the WAN dhcpclient using VLAN priority tagging.
