ATT Fixed Wireless Gateway Bypass
ATT Fixed Wireless Internet service consists of an Outdoor Antenna with a built-in modem and an ATT Residential Gateway. A Power-over-Ethernet injector is used to power the Antenna/Modem.
A handful of ATT Fiber customers figured out how to bypass the residential gateway. Since the same gateways are used for Fixed Wireless Internet, I wondered if it was possible to do the same.
After some packet captures and testing, I determined the following:
- Nearly all traffic was tagged for vlan 4001 or vlan 4002
- The MAC Address of the Linux router needs to be the same as the Residential Gateway (or the modem won’t respond)
- DHCP on VLAN 4001 gave a 192.168.11.x address
- DHCP on VLAN 4002 gave an “Internet” address of 10.x.x.x (Carrier Grade NAT)
Note: For ATT Fiber, 802.1x Authentication is required between the residential gateway and the modem (ONT). 802.1x Authentication is not used for Fixed Wireless Internet. Be aware of this, if reading other guides.
Optional: I only have a sample size of one device, however I imagine all Fixed Wireless Modems/Antennas are configured the same. If the mac address is printed on your residential gateway, you can probably skip this step.
We need to analyze the traffic between the residential gateway and the modem/antenna to determine which vlans are being used. We can do this by creating a bridge and using tcpdump to look at the traffic flowing between the gateway and modem/antenna.
Make the following connections:
- Residential Gateway Modem port -> Linux Router (enp1s0)
- Modem/Antenna -> Linux Router (enp2s0)
Bring up interfaces:
Create the bridge:
Analyze the traffic:
From the dump, you should be able to identify the vlans being used and the mac address of the residential gateway. You may find the mac address printed on the side of the residential gateway.
Tear down the bridge:
Disconnect the residential gateway from the Linux router.
The following configuration uses the ip command. Although this example is Linux specific, the concepts should work on any platform.
The modem/antenna should be directly connected to your Linux router. The residential gateway should be disconnected and powered off.
Bring up the WAN interface:
Create a tagged interface:
Spoof the mac address on the tagged interface:
Replace XX:XX:XX:XX:XX:XX with the mac address of the residential gateway as identified above.
At this point, the connection should be usable and we can attempt to obtain an IPv4 address.
If you get a lease for 192.168.11.x, tear down the tagged interface, and repeat the steps for any other identified vlans.
If you fail to get a lease, verify the mac address on the tagged interface (enp2s0.4002). The modem/antenna will not respond to traffic from any other mac address.
In my testing, the antenna/modem won’t respond to DHCPv6 requests. The same was true of the residential gateway. This means requesting prefix delegations is out of the question and we are left using the Router Advertisement (RA) for IPv6 configuration.
If you configure your Linux router to accept router advertisements, you’ll notice that an IPv6 address won’t get configured, but a default route will.
As you can see in the prefix section,
AdvAutonomous is set to
means the address can not be used for autonomous address configuration.
When the modem/antenna is power cycled, a new IPv6 prefix is issued. As I want my internal networks to have a consistent IPv6 address, I’ve decided to assign Unique Link-Local Addresses (ULA) to my internal networks. Using the NETMAP extension, I can map my ULAs to the IPv6 prefix assigned by ATT.
Note: The prerouting rule is only included for completeness. It never gets hit, because ATT NATs all outgoing connections and does not allow new incoming connections.
I wrote a small bash script that will request and wait for a Router Advertisement using the ndp binary (mdlayher/ndp) and update ip6tables accordingly. I run the script every 5 minutes via cron. Not the best solution, but it works reasonably well. Ideally it’d be nice to have a daemon that listens for RAs and takes action when there is a change. Here’s the script:
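One way to do the rule-update step of such a script, as an added example (it is not the author's script and not code from the original post): it takes the prefix learned from the RA as an argument and replaces the NETMAP rules only when that prefix has changed. The ULA prefix, the state file path and the function names are assumptions; extracting the prefix from the ndp output is left to the caller.

```shell
#!/bin/sh
# Added example: swap NETMAP rules only when the advertised prefix changes.
# Assumed values (not from the post): ULA prefix and state file path.
ULA_PREFIX="${ULA_PREFIX:-fd12:3456:789a:1::/64}"  # constructed ULA
WAN_IF="${WAN_IF:-enp2s0.4002}"                    # tagged WAN interface
STATE_FILE="${STATE_FILE:-/run/ra-prefix.last}"    # tmpfs: cleared on reboot, like the rules
IP6T="${IP6T:-ip6tables}"                          # IP6T=echo gives a dry run

# Accept only a global-unicast prefix (2000::/3) of the same length as the
# ULA prefix, so the 1:1 NETMAP translation is well defined.
valid_prefix() {
    case "$1" in ''|*[!0-9a-fA-F:/]*) return 1 ;; esac
    [ "${1##*/}" = "${ULA_PREFIX##*/}" ] || return 1
    case "$1" in [23]*::/*) return 0 ;; esac
    return 1
}

# netmap_rules ACTION PREFIX: ACTION is -A (append) or -D (delete).
netmap_rules() {
    _rc=0
    $IP6T -t nat "$1" POSTROUTING -o "$WAN_IF" -s "$ULA_PREFIX" \
        -j NETMAP --to "$2" || _rc=1
    $IP6T -t nat "$1" PREROUTING -i "$WAN_IF" -d "$2" \
        -j NETMAP --to "$ULA_PREFIX" || _rc=1
    return "$_rc"
}

# update_prefix PREFIX
# returns 0 = rules replaced, 1 = unchanged, 2 = rejected, 3 = ip6tables failed
update_prefix() {
    _new="$1"; _old=""
    valid_prefix "$_new" || return 2
    [ -r "$STATE_FILE" ] && _old="$(cat "$STATE_FILE")"
    [ "$_new" = "$_old" ] && return 1
    # Remove the previous mapping first so stale rules never accumulate.
    [ -n "$_old" ] && { netmap_rules -D "$_old" || true; }
    netmap_rules -A "$_new" || return 3
    printf '%s\n' "$_new" > "$STATE_FILE"
}

# Stand-alone use: pass the prefix taken from the latest RA as $1.
if [ "$#" -gt 0 ]; then update_prefix "$1"; fi
```

Running it with `IP6T=echo` and a temporary `STATE_FILE` prints the ip6tables arguments instead of changing the firewall, which is a convenient way to check the rules before putting it in cron.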