Firewalla Gold Plus – ATT Fiber Bypass Guide

This is an intermediate-difficulty guide to setting up a Firewalla Gold Plus router to bypass the ATT modem and connect directly to the ONT. There’s a great blog post on how the bypass actually works; this post is focused on how to do it on the Firewalla device.

Setup SSH

Firewalla has instructions on how to find your SSH password. It appears to change every time you reboot, which matters here because you’ll likely have to reboot the router several times while configuring and testing.

Get a gateway’s certificate

You’ll need a gateway’s certificates. You can either extract them from your own device (https://www.dupuis.xyz/bgw210-700-root-and-certs/) or purchase them from folks who have already done this.

Get the wpa_supplicant files

The certs I had were in “.der” format, alongside various related files, and I needed to convert them into “.pem” files for wpa_supplicant. There is a conversion tool available to download from devicelocksmith. When I attempted to download it on Windows, it reported a virus/trojan warning, so I downloaded and ran it in a Linux VM instead. The tool did what it advertised, but I still urge people to be careful about what they run and where. The conversion itself was as simple as copying the binary into the folder with the “.der” files and the “mfg.dat” file and running it. The output also includes a version of wpa_supplicant.conf that is mostly configured, but note the additional steps described below.

Setup Scripts

As of January 2023, Firewalla already ships the wpa_supplicant binary, so you don’t need to download it. Use your favorite editor to create and modify the following files:

/home/pi/wpa/wpa_supplicant.conf

Add the `openssl_ciphers` line: the wpa_supplicant binary is built against a newer OpenSSL, which refuses the old, weak gateway certs at its default security level. Without that line wpa_supplicant will silently not work. The bracketed [YOUR_ID] placeholders and the identity MAC address below must be replaced to match your specific files and your gateway’s MAC address.

eapol_version=1
ap_scan=0
fast_reauth=1
# Required: allow the old, weak gateway certs under the newer OpenSSL
openssl_ciphers=DEFAULT@SECLEVEL=0
network={
        ca_cert="/home/pi/wpa/CA_[YOUR_ID].pem"
        client_cert="/home/pi/wpa/Client_[YOUR_ID].pem"
        eap=TLS
        eapol_flags=0
        # The gateway's MAC address, colon separated
        identity="YO:UR:MA:CC:AD:DY"
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/home/pi/wpa/PrivateKey_PKCS1_[YOUR_ID].pem"
}

/home/pi/wpa/dhcp_enter_hook

This script goes into a directory whose contents dhclient runs just before the WAN interface requests a DHCP address. It starts the wpa_supplicant binary to authenticate the port so the interface is allowed to acquire an address.

This script attempts to be idempotent by checking whether a wpa_supplicant process is already running. If you are already using the device as a wireless router, that check will not work for you, and you may want to use something more flexible, such as a marker file in /tmp. I have other access point devices that handle my WIFI, so I can reliably trust that wpa_supplicant won’t be running for any other reason. Additionally, this file is a script, so don’t forget to `chmod +x` it.

Finally, my WAN device to the ONT was on `eth0`, so change the device as needed.

#!/bin/bash
# Runs from dhclient's enter hooks just before the WAN interface asks for a lease.
# Logs each invocation, then starts wpa_supplicant if it is not already running.
mkdir -p /home/pi/logs
printf '%s %s\n' "$(date +%T)" "Executing dhcp_enter_hook script." >> /home/pi/logs/att_bypass.log
if pgrep -x wpa_supplicant > /dev/null
then
  printf '%s %s\n' "$(date +%T)" "wpa_supplicant is already running." >> /home/pi/logs/att_bypass.log
else
  printf '%s %s\n' "$(date +%T)" "Running wpa_supplicant binary." >> /home/pi/logs/att_bypass.log
  # -Dwired: 802.1X over Ethernet, -ieth0: the WAN interface facing the ONT, -B: daemonize
  /sbin/wpa_supplicant -d -s -B -Dwired -ieth0 -c/home/pi/wpa/wpa_supplicant.conf
fi
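A pre-flight check worth running before the first reboot, added here as an example and not part of the original post: it confirms the conf carries the `openssl_ciphers` line, that the three PEM files it references exist and are readable, and that the identity is MAC-shaped, and it replaces the bare pgrep with an interface-scoped check so a Wi-Fi supplicant does not mask a missing WAN one. The CONF and WAN_IF variables and the default paths are assumptions matching the layout above.

```shell
#!/bin/bash
# Pre-flight checks for the ATT bypass setup (example code, not Firewalla's).
CONF="${CONF:-/home/pi/wpa/wpa_supplicant.conf}"
WAN_IF="${WAN_IF:-eth0}"

# Extract a quoted value such as ca_cert="/path" from the conf (first match).
conf_value() {
  sed -n "s/^[[:space:]]*$1=\"\(.*\)\"[[:space:]]*$/\1/p" "$CONF" | head -n1
}

# Return 0 only when every prerequisite for a non-silent start is present.
check_conf() {
  local rc=0 key path
  grep -q '^openssl_ciphers=DEFAULT@SECLEVEL=0' "$CONF" || {
    echo "missing openssl_ciphers line: EAP-TLS will fail silently"; rc=1; }
  for key in ca_cert client_cert private_key; do
    path="$(conf_value "$key")"
    if [ -z "$path" ]; then echo "$key not set"; rc=1
    elif [ ! -r "$path" ]; then echo "$key unreadable: $path"; rc=1
    elif ! grep -q -e '-----BEGIN' "$path"; then echo "$key is not PEM: $path"; rc=1
    fi
  done
  # identity must be the gateway MAC: six colon-separated hex pairs
  conf_value identity | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
    || { echo "identity is not a MAC address"; rc=1; }
  return $rc
}

# Interface-scoped idempotency check: only a wpa_supplicant started with
# -i<WAN_IF> counts, so a supplicant serving Wi-Fi does not hide its absence.
wan_auth_running() {
  pgrep -f -- "wpa_supplicant .*-i${1:-$WAN_IF}( |$)" > /dev/null
}
```

Run `check_conf` once after editing the conf, and use `wan_auth_running eth0` in place of `pgrep -x wpa_supplicant` in the hook if the Firewalla also runs a Wi-Fi supplicant.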

/home/pi/wpa/att_bypass.sh

This is the script that installs the DHCP hook and restarts the DHCP client. It’s a good place to test and verify that things are working before the next step.

It has the same idempotency check, so again, if you’re using the Firewalla as a WIFI router, change the logic as needed. The same goes for the WAN device name; change it as necessary.

#!/bin/bash
# Install the dhclient enter hook and restart the WAN DHCP client so the hook fires.
# Skipped when wpa_supplicant is already running, so cron can call this every minute.
if ! pgrep -x wpa_supplicant > /dev/null
then
  sudo cp /home/pi/wpa/dhcp_enter_hook /etc/dhcp/dhclient-enter-hooks.d/att_bypass
  sudo systemctl restart firerouter_dhclient@eth0
fi

/home/pi/.firewalla/config/user_crontab

Home stretch! This is the last file you’ll need, and it makes sure the script runs at boot. It’s a simple cron job that runs every minute, and since the script is idempotent, running it every minute is fine.

* * * * * /home/pi/wpa/att_bypass.sh

Why did I do it?

  • No more NAT table limits, which matter in homes/offices with tons of VMs, IoT devices and home automation.
  • No ISP device fidgeting with my packets.
  • A single place to open and forward ports.
  • IPv6
  • UPnP
    • XBOX
    • Minecraft
  • I’m into pain.

Final notes

I realize I could have probably written some more sophisticated stuff to specify the ATT device and re-use across all my scripts. I could have written more robust idempotency checks, but I got it working and now I’m off to my next hobby project. I hope this helps some others!

