Bypassing Gigapower’s Provided “Modem”

AT&T Gigapower

I recently managed to get AT&T Gigapower. Google Fiber is coming to my city which suddenly means the fiber that’s been buried 200 feet from my house since 2002 became worthwhile to activate. The AT&T techs (yes two) were both great guys and had everything installed in a few hours. They set me up with a Pace 5268AC Gateway. Normally that wouldn’t be terrible but there’s a few problems with this thing:

  • No bridge mode
  • DMZ-Plus still has a firewall in front of it with a rather small nat table
  • Couldn’t use my public ip block with my own router to avoid #1 and #2

I like my bits raw off the wire. Don’t touch them please. I’ll bang them myself.

After googling I ran across this forum posting and this blog posting describing a few methods to get around having to use a U-Verse modem. Those postings are for the DSL U-Verse offering but the same theory applies. I also found a post on reddit which I can’t google again where a user there had also bypassed his modem. I got a bit more information from him. Anyways enough rambling.

Bypassing the modem

For this you’ll need:

  • Your favorite linux distro
  • A machine with 3 NICs in it. One for the ONT, one for the modem, one for your LAN
  • The mac address of your modem. You can find this in the web interface for it.

Install arch linux on the machine. Wire up your ONT, modem, and LAN interfaces. If you have a machine with a dual port intel nic and an onboard realtek or otherwise (like I have) I suggest using the realtek nic as the interface for the modem. It won’t be passing anything near gigabit speed through it.

I used netctl to do the configuration of the networks. Here are my configs:


Description='Private Interface'


Description='ATT Modem Interface'


Description='ONT Interface'

You’ll also need to bridge the ONT-modem networks:


Description="Bridge ONT to Modem"
BindsToInterfaces=(ont modem)

Since the modem uses 802.1x to authenticate with AT&T’s network the bridge needs to be tweaked to allow 802.1x traffic to pass:

echo 8 > /sys/class/net/br-att/bridge/group_fwd_mask

Once that’s done, reboot the modem. I’d suggest doing

tcpdump -vvv -ei br-att

This will allow you to see what VLAN the modem negotiates which we need in the next part. Though I’m pretty sure it’s always 0 for Gigapower customers.

Once that’s done we need to set up a VLAN on the ONT interface, copy the ip address from the modem and copy the modem’s mac address:

ip link add link ont name ont.0 type vlan id 0
macchanger -m xx:xx:xx:xx:xx:xx ont.0
ifconfig ont.0 x.x.x.x netmask x.x.x.0
ip route add default via xx.xx.x.1

With that you should have internet access. I’ve been told to drop ipv4 and ipv6 traffic from crossing the bridge:

ebtables -t broute -A BROUTING -i br-att -p ipv4 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i br-att -p ipv6 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i br-att -p arp -j redirect --redirect-target DROP

I don’t have this automated. If someone else can come up with a way to do that. That’d be great.