Self-hosting with AT&T Fiber Internet

Today I got AT&T Fiber Internet installed at my house, and I thought I'd document a few things I observed during and after the install.

They trenched fiber boxes between pairs of houses in my neighborhood. It seems like they have little fiber hubs for 8 houses in a set, and those little hubs connect back to the main neighborhood box with an 8 or 10-strand cable, directly buried in the ground.

Apparently my street's main run was kinked somewhere, and only one of the strands had full signal, so I'm the lucky winner who signed up first, and I get that fiber until they run a new cable underground :)

BGW320 AT&T Internet Gateway - Fiber

The AT&T tech (who was great!) installed an NBS AT&T BGW-320 500 Fiber Gateway, and on the back I spied an SFP port... which unfortunately is used for the fiber connection, so I couldn't just use a DAC between my router and this box.

Instead, I plugged the blue 5 Gbps port into my router's WAN port, and logged into the BGW320-500's admin UI (which is available at http://192.168.1.254).

I wanted the IP address AT&T assigns (which is dynamic unless you add on Static IP addresses starting at $15/month) to be passed through to my own router, so I went to Firewall > IP Passthrough, then I set 'Allocation Mode' to 'Passthrough', 'Passthrough Mode' to 'DHCPS-fixed', and then pasted in the MAC address of my existing router WAN interface.

I saved those changes, and immediately had Internet through my existing router, and checked icanhazip.com, grabbed the IP, ran it through traceroute to confirm there wasn't any extra NAT layer anymore, and then set that IP for all my self-hosted services, like my self-hosted PiVPN instance and my Raspberry Pi Dramble website.

In the future, I may tweak settings a bit more if I find the AT&T Gateway device interfering with performance much (it seems to have its own layers of packet filtering and firewall that may still be touching the packets...).

A few other quick notes:

  • When they do the install, the tech seems to do the 'cable from the box to your house to your gateway location' install, but if you have buried cable, another crew comes later to bury the actual fiber outside the house
  • The whole install for a house that never had fiber took about 2.5 hours (friends in the neighborhood say it varied between 1-3 hours, depending on the complexity of the install).
  • I'm paying $80/month for 1 Gbps symmetric speed now. I was paying $135/month for 1 Gbps down, 40 Mbps up with Spectrum. Good riddance.
  • Currently I'm only measuring 550 Mbps down and 650 Mbps up, tested via 10 Gbps internal LAN and WiFi 6E network right next to my AP. Will continue monitoring my Internet connection with my Raspberry Pi to see if that changes over time.
  • My Raspberry Pi running Wireguard / PiVPN now gives me about 300 Mbps up and down (was previously limited to 35 Mbps up and down due to the slow upload speed on Spectrum!).

If you have any additional ideas or experience with self-hosting behind AT&T Fiber, let me know! I'm just happy to be paying half as much as I was for Charter/Spectrum coax, but getting more than 20x faster upload speeds :)

Update: After investigating the slow speeds a bit, I found out I had enabled QoS for bandwidth limiting on my guest network at some point—that resulted in my poor ASUS RT-AX86U processing so many packets the CPU would overload full-tilt, leading to lower overall performance (even on the main wired Ethernet network). After disabling that, I am getting a full 936 Mbps up and down—the limit of what you can expect over 1 Gbps networking:

Speedtest.net Gigabit AT&T Fiber on ASUS RT-AX86U

Now I'm sorta hoping I can eke out a little more performance if I upgrade to a dual 2.5G router...

Comments

Always interested in flent.org bufferbloat tests (not just waveform), fq_codel effectiveness, and it sounds like you are most likely out of cpu on your router.

That could very well be—the interesting thing is on Coax, it got up to 930 Mbps down (but upload was only 35-40 Mbps), on fiber I haven't broken 750 Mbps yet, but I did see the CPU on the router was getting up there during the bandwidth tests.

Minor typo?
"another crew comes later to buy the actual fiber" ->
"another crew comes later to bury the actual fiber"

One thing about using RP4 for speed testing. The CPU it uses doesn't have the necessary extension to run TLS at full speed so make sure you're not using https sites for benchmarks.

I've had AT&T Fiber for a number of years (currently 2gbps service). I found that early on the first tech to do the installation mucked something up and I had poor bandwidth similar to what you're seeing. They did a second truck roll and the next tech re-ran the fiber and terminated a new connection after going back and forth to the node up the street. There is no reason to not get the full bandwidth you're allocated as the fan-out isn't nearly like what a cable operator does.

Do you know if Frontier home service blocks incoming port 80? Self hosting using cloudflare and dynamic DNS would be interesting read with a service like DNS-O-MATIC or similar.

Great blog post. Found this on Google discover. I have the 1gig plan that’s all my neighborhood gets for the max speed for now here in Sunnyvale California.

I do self hosting plus use cloudflare to not expose the wan and no need for static ip.

I can’t wait to upgrade to the 2gig plan. My devices are ready to handle it and I’m thinking of self hosting our company website on my NUC that gets 25k page views a month.

Heyo. Great to hear you got the upgrade.

How likely are you to swap out that gateway? It's not easy and officially you can't but it's doable and has been done.

You have the newer setup with a gateway that has an integrated ont. Older setups with the external ont could dump the gateway and connect with their ethernet. It required some 802.1x wired authentication and some "easy" to acquire certificates for said authentication.

But newer setups with the gateway with the internal ont require a different method. You'll need to get a programmable sfp+ fiber thingy and a device with an sfp+ port. But from what I understand there is little or no authentication if you bypass their ont. You'll need to read some info off of their ont and then spoof the sfp+ adapter's mac address along with some other software labels.

dslreports' forums is probably the best place get some basic info while active work and help is best gotten from their discord. It's not my discord so I won't put it on blast here but you can find it on the dslreports' forums threads about att gateway bypass stuff.

On another note if you're looking for a new router to hit that 5 gig speed then servethehome has been reviewing a *ton* of intel based table top routers. And a good number have had four or more 2.5 Gbase-t or 5 Gbase-t copper ethernet ports. I don't recall if any had sfp+ ports. Mikrotik hardware or a used rack mount switch are going to be great and cheap options for getting some sfp+ ports added to your network.

I have yet to see my Ip change on att fiber and I've been a customer for 4 years.

I've had AT&T gig Fiber for about 4 years at my home, and it is astonishing. The price is right, and the reliability is unfathomable -- 99.99% uptime, and speed is always fast, never dipping below 500 Mbps in the times that I've checked. The only downtime was when the when the power went out for 3 hours, because I don't have a UPS lol. Plus, my "dynamic" IP has never changed and I've never paid for a static one. Knock on wood lol. I also use it in passthru with a Unifi setup. It's nice to know that your internet isn't the bottleneck anymore :)

You can bypass their gateway entirely by using wpa_supplicant with the 802.1x certs from an ATT compatible gateway and spoofing your router's MAC to match the gateway's. I extracted my certs from a BGW210 that I purchased off eBay and rooted.

This doesn't work with their newer gateways that are 5 gig ready. Jeff has one of the newer ones so bypass doesn't involve 802.1x auth and instead some sort of ont spoofing on a self programmed sfp+ ont.

The author did not tell the entire truth. I am also moved from spectrum to at&t fiber 1gb.
1. When you setup "IP passthrough" mode from at&t gateway to own router, the performance decreases 66%.
2. At&t blocks most known protocols'inbound ports, such as port 443, 1732, 32 and more ports.
3. Throttling p2p protocols

This isn't true at all.

I have 443 forwarded right now to my Proxmox box and hit it everyday from work or 5g.

Also haven't noticed any problems with the IP Pass-through mode either. I'd like to know where you got that percentage from.

This is 1000% a lie, none of what you said is true of the service. I had their gig service for 3 years no issues and 2 gig service for over a year now running ip passthrough and hosting services on common ports no issues.

Might be time to upgrade the router to a mikrotik or opensense

Make sure you go into your ATT account settings on their website and disable the DNS spying they turn on by default.

It's within your Profile, then Privacy Choices.

Otherwise, I love my ATT Fiber. 55 per month for 300 up and down is fantastic. I set up a IPSEC/Gre tunnel between my parents, my sister and myself to share a TV plan. It makes it seem like we're all on the same "Home Network".

Oh wow... "Allow AT&T to share or sell my personal information" was set to "On". How dumb is that?!

Also turned off the "DNS Error Assist", whatever weird thing that is. Luckily Pi-hole with a passthrough to 1.1.1.1 would also bypass that weird service.

I'd be interested in you doing a video on replacing the ATT fiber gateway with your own hardware and the whole process required to get your hardware auth'd on their network.

I have been a tech with AT&T for 9+ years and have been installing fiber to the prem for 5-6. I can say with absolute certainty that:
1) when your account is created it is assigned a “dynamic” ip address that doesn’t change unless you move, swapping the rg doesn’t even change it. I’m not sure why but believe it has something to do with the RADIUS authorization that AT&T uses to authenticate the rg on the network
2) IP pass through does not throttle your speed at all. If your speed is slower it is something to do with your router

I have exact same BGW320 gateway from AT&T Fiber and the same ASUS RT-AX86U. I never succeed hosting any service. None of my services work outside my local network. Wold you provide how you did to make it work? Been trying for years it seems everything is blocked or somewhere need changing. IP passthrough to router and all day to day tasks work just can't host.