A few months ago I wrote a guide to bypassing the AT&T fiber modem using a UniFi USG, and I’ve since upgraded to the UniFi Dream Machine Pro and wanted to write an updated guide since the process is a bit different.
To recap, the AT&T router/gateway has no true bridge mode, so it’s incompatible with the UDM Pro’s DHCP and my current home network. I’d end up in a double NAT situation unless I let AT&T’s modem handle everything like DHCP, firewall, port forwarding, etc. Not ideal!
Unfortunately the RG (that’s what AT&T calls the modem) authenticates with the AT&T fiber network with a special hard-coded certificate unique to each modem, so you can’t just throw the RG into a bin and plug your USG directly into the fiber ONT. It’ll fail the handshake and never go online. Unless you follow this guide. 🙂
Before you start
First we need a rooted NVG589 modem. AT&T may not have supplied you with this model (I was given a Pace 5268AC), but they can be found on eBay sometimes. Follow this guide that details rooting the device and extracting the needed certificate files.
OR you can do what I did and purchase the rooted files. For about $40 I was able to instantly move to the next step without waiting for a modem to ship and bumbling through rooting the device. A seller called maczrool on eBay sells unique rooted certificates and seems to have a lot of them.
In order to move forward you need the following files from your rooted RG (or eBay):
- The MAC address of the rooted device (printed on the back of the RG, or included with the files from eBay)
- The IP address, username, and password of your UniFi controller. In this guide I’m using
10.0.1.5for the IP and
adminfor the username.
First we need to enable SSH access to the UDMP (UniFi Dream Machine Pro), which is configured differently from other UniFi products.
First navigate to the IP or hostname of your UDMP (ex: 192.168.1.1)
Then go to Advanced and toggle SSH on. You will also need to set a SSH password, so do that next and hit Confirm.
Open a terminal window and copy your 4 certificate files to the UDMP. Replace
192.168.1.1 with your UDMP’s IP address. Your username is
root and the password is the password you set in Step 1.
# switch to the directory where you saved your files $ cd /path/to/*.pem # copy the PEM files to the UDMP using SCP $ scp ./*.pem firstname.lastname@example.org:/tmp/ # copy wpa_supplicant.conf to the UDMP using SCP $ scp ./wpa_supplicant.conf email@example.com:/tmp/
Next SSH into your UDMP, and move the files to their final place.
# ssh into the UDMP $ ssh firstname.lastname@example.org # create the certificate directory mkdir /mnt/data/podman/wpa_supplicant/ # copy files into the new directory $ cp -arfv /tmp/*pem /tmp/wpa_supplicant.conf /mnt/data/podman/wpa_supplicant/
We need to modify the
wpa_supplicant.conf file with the correct file paths of your
.pem certificate files. Run each of these commands only once!
$ sed -i 's,ca_cert=",ca_cert="/etc/wpa_supplicant/conf/,g' /mnt/data/podman/wpa_supplicant/wpa_supplicant.conf $ sed -i 's,client_cert=",client_cert="/etc/wpa_supplicant/conf/,g' /mnt/data/podman/wpa_supplicant/wpa_supplicant.conf $ sed -i 's,private_key=",private_key="/etc/wpa_supplicant/conf/,g' /mnt/data/podman/wpa_supplicant/wpa_supplicant.conf
We need to install the wpa_supplicant-udmpro Docker image by pbrah, which will authenticate requests to the AT&T fiber network. There are instructions in the GitHub repo, and I am reproducing them here with some added detail.
Assuming your UDMP is connected to the internet via the RG and that your RG is attached to Port 8 (the ethernet WAN port, not the SFP+ port), run this command to download the Docker image:
$ podman run --privileged --network=host --name=wpa_supplicant-udmpro -v /mnt/data/podman/wpa_supplicant/:/etc/wpa_supplicant/conf/ --log-driver=k8s-file --restart always -d -ti pbrah/wpa_supplicant-udmpro:v1.0 -Dwired -ieth8 -c/etc/wpa_supplicant/conf/wpa_supplicant.conf
Only if your RG is attached to Port 10 (the SFP+ WAN port) run this command instead:
$ podman run --privileged --network=host --name=wpa_supplicant-udmpro -v /mnt/data/podman/wpa_supplicant/:/etc/wpa_supplicant/conf/ --log-driver=k8s-file --restart always -d -ti pbrah/wpa_supplicant-udmpro:v1.0 -Dwired -ieth10 -c/etc/wpa_supplicant/conf/wpa_supplicant.conf
We’re in the home stretch! We need to make sure the Docker image runs every time the UDMP is rebooted. Fortunately there’s a UDMP Boot Script on GitHub that we can use for exactly this purpose.
SSH into the UDMP and download the script:
# SSH into your UDM $ ssh email@example.com # start UniFi OS shell $ unifi-os shell # download udm-boot_1.0.1-1_all.deb and install it $ curl -L https://raw.githubusercontent.com/boostchicken/udm-utilities/master/on-boot-script/packages/udm-boot_1.0.1-1_all.deb -o udm-boot_1.0.1-1_all.deb $ dpkg -i udm-boot_1.0.1-1_all.deb $ exit
We need to create a small shell script to finish up.
$ nano /mnt/data/on_boot.d/10-wpa_supplicant.sh
Copy and paste this snippet into nano:
#!/bin/sh podman start wpa_supplicant-udmpro
then press Ctrl O then Ctrl X to save and close.
We need to make the script we just created executable, too.
chmod +x /mnt/data/on_boot.d/10-wpa_supplicant.sh
Now reboot your UDMP and plug the ethernet cable from your fiber ONT directly into the WAN port of your UDMP. It’ll take a few minutes to boot up. Once it’s back online, you should have internet connectivity! You can also check it’s working by SSHing back into the UDM and viewing the Docker logs:
$ ssh firstname.lastname@example.org $ podman logs -f wpa_supplicant-udmpro
If you see output like this, then it’s definitely working!
... eth8: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=Michigan/L=Southfield/O=ATT Services Inc/OU=OCATS/CN=aut03pltnca.pltnca.sbcglobal.net' hash=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX eth8: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:aut03pltnca.pltnca.sbcglobal.net eth8: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully ...
Press Ctrl C to close the log viewer.