Upcoming Maintenance Alert:

The UBNT Community will be upgraded at 5pm MDT on April 25th. During this time the community forums will be set to read-only status.

Learn more

Bypassing AT&T Fiber Gateway with Edgerouter Lite (newbie version)

**EDIT** Been meaning to update but just got busy. As everyone stated previously it's not an ideal application for fiber customers. Bridging definitely limits. So if you're bored and want a puzzle.. by all means.


To start I would like to say that this is an expansion/clarification geared to my fellow newbies. The credit goes to: 


bzsparks: https://community.ubnt.com/t5/EdgeMAX/Using-an-Ubiquiti-Edgerouter-with-AT-amp-T-Gigapower-fiber/td-p/1696604

0xpebbles: http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits

jhyda: https://strscrm.io/bypassing-gigapowers-provided-modem.html

ryanc & users: https://www.dslreports.com/forum/r30708210-AT-T-Residential-Gateway-Bypass-True-bridge-mode

Now that everyone has received their standing ovations, let's get to work!




(1) AT&T Modem : I have the NVG599 others have the newer AC model

(1) EdgeMax Router: I will be using the EdgeRouter Lite

(1) terminal application to SSH into, if you don't have one you can either use the one that comes in the webui for the EdgeRouter Lite. I like the actual app so I can see the magic happen. You can download something like putty here: 





Here's my NVG 599



and my fiber jack



Here's how I'll connect the EdgeRouter Lite: 


Console: won't need it so let's skip

eth0: this goes to your LAN switch

eth1: this is where the ONT will plug into

eth2: this is where you'll plug the AT&T modem into its ONT port


Now tthat I know where everything is. Let's start!


1.) Before unplugging anythingI head over to my computer and bring up the browser. We are going to visit the AT&T modem's web page by typing its IP and then hit enter: 


Screen Shot 2017-03-11 at 10.06.51 AM.png


it should bring up a page like: 



There's a lot of options, as you can see but we won't need to make any adjustments. This modem is here just to authenticate with AT&T, nothing more. So now you'll click on Broadband because we need some information: 





Photo: portforward.com **I forgot to get this screenshot and once I bypassed I was no longer able to surf to this page without flipping everything back. I was lazy and opted for a google image.


2.) From this page, you'll want to take a screenshot or write it down as we'll need the broadband IPV4 address and MAC address.


3.) connected my computer to eth0 of the EdgeRouter lite


4.) disconnected ONT from the AT&T modem/Gateway and placed that into eth1 of the EdgeRouter lite.


5.) disconnected anything else from the AT&T modem/Gateway except for power


6.) Grabbed an ethernet cable and plug into eth2 of the Edge Router light to the ONT of the AT&T modem/Gateway


Once done everything looks like: 




 Now that we have everything setup, we can now open up putty or whatever app you like for SSH.


7.)Set my computer's interface to static: 



IP =
Subnet =
Gateway =


8.)Brought up my browser and entered the gateway IP and hit enter



 9.) Logged in using ubnt for user and ubnt for password (we'll change the login to be more secure at the end), and you should get something like


Screen Shot 2017-03-11 at 9.01.01 AM.png**I made it small so because we don't need to do anything here but just watch the pretty colors.


10.) pulled up terminal



ssh ubnt@

11.) entered config mode



12.) created the bridge interface


set interfaces bridge br0

13.) With the interface now created we bridge eth1 & eth2 (AT&T Suff)


set interfaces ethernet eth1 bridge-group bridge br0
set interfaces ethernet eth2 bridge-group bridge br0

14.) Now let's give that newly created interface an IP. This IP is usually obtained by DHCP, but I manually typed it in because from what I've read AT&T doesn't change IP's unless they do a major change. So let head to our screenshot or our piece of paper where you wrote down from step one: 

**We want the Broadband IPV4 and Gateway IPV4 Address


set interfaces bridge br0 vif 0 address (YOUR IPV4 Address goes here)
set protocols static route next-hop (YOUR Gateway IPV4 Address goes here)


15.) Now let's save our new config (not really necessary, but if you don't  you'll get an error stating that there is no interface br0, but it saves it anyway. Didn't want to confuse ya'll.



16.) Next two commands allow us to get to the internet using that new interface


set service nat rule 5000 outbound-interface br0.0
set service nat rule 5000 type masquerade

Alright! now let's get our nerd goggles on and go into the EdgeRouter Lite as root



17.) typed in 


sudo bash


 18.) then we enter the command to push all authentication traffic over to the new interface (bridge)



echo 8 > /sys/class/net/br0/bridge/group_fwd_mask

19.) Now we specify what type of traffic with these 4 commands 


ebtables -t filter -A FORWARD -i eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
ebtables -t filter -A FORWARD -i eth2 -p 802_1Q -j DROP
ebtables -t filter -A FORWARD -o eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
ebtables -t filter -A FORWARD -o eth2 -p 802_1Q -j DROP


20.) Now we'll bring down the newly created interface, spoof the mac address from the AT&T modem/gateway (again from step one) and then bring it back up



ip link set br0.0 down
ip link set br0.0 address a1:b2:c3:d4:e5:f6
ip link set br0.0 up

That's it! But our job is not done. If the Edgerouter lite reboots or loses power and then you'll have to do steps 17 and on over again. Who has time for that? Now let's create a script to do that for us!



For this folks, our nerd goggles aren't enough. Yes. We are reaching for the pocket protector...


Nerd. 2.0


21.) With our terminal or putty session open, let's create our script with this command: 
This creates mask.sh (you can call it whatever you like just make sure to include it)



vi /config/scripts/post-config.d/mask.sh

22.) after you hit enter your terminal or putty screen turns white with colons on the left.  We'll hit 





23.) which allows us then to paste the following




echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
ip link set br0.0 down
ip link set br0.0 address a1:b2:c3:d4:e5:f6
ip link set br0.0 up
ebtables -t filter -A FORWARD -i eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
ebtables -t filter -A FORWARD -i eth2 -p 802_1Q -j DROP
ebtables -t filter -A FORWARD -o eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
ebtables -t filter -A FORWARD -o eth2 -p 802_1Q -j DROP

24.) now let's give it a glance over, make sure it looks exactly like above. To exit edit mode we hit



25.) and then we 


hold down SHIFT and press ZZ

26.) To make sure we did everything right you should get what we typed in step 23. with this command


cat /config/scripts/post-config.d/mask.sh

27.) if everything matches we can now save everything! Exit from root




28.) commit our changes



29.) and save our config



30.) and exit terminal or putty



You should now see : 

Screen Shot 2017-03-11 at 9.01.01 AM (1).png




To test everything pull up any website and make sure you're able to surf.


31.) now head over to the user's tab in EdgeRouter Lite and either change the password to the ubnt account OR as I would create a whole other account. Log out of ubnt and login with the new, THEN delete ubnt.


EAT THAT AT&T! no more limited NAT tables!



‎03-13-2017 03:25 PM - edited ‎03-13-2017 03:29 PM

You know you can just order static IP addresses and then use the "cascaded router" function of the RG.  It does completely bypass the nat table when you do that.  If you don't use the cascaded router function then your traffic still hits the nat table.  The cascaded router function just creates a static route and passes all traffic.  That also gives you 6 usable IP addresses instead of five.  One public IP for your router to use for NAT and 5 for other devices behind the router if you need them.

on ‎03-14-2017 06:53 AM

Cant you just use the edgerouter to connect directly to your ONT and authenticate?


Im from South Africa so not clued up on AT&T config.


I have my USG connected directly to my fiber ONT and let the USG authenticate using my PPPOE details......

on ‎03-18-2017 08:56 AM

I do not have any fiber connection to my house but would love to. I read in a post that for u-verse, on at&t gateway, you can specify YOUR own personal router under the DMZ Zone and sort of bypass the at&t router functionalities. I do not know if there are any limitations as to what you can do after you set that up. But it has been working for me ever since and no need to deal with double nat.

on ‎04-24-2017 09:33 AM

This is quite an odd setup.


You do indeed need the ATT modem to authenticate since they use the MAC address for policies and authentication.

However, you can setup the NVG into bridge mode turning it into a "modem".






on ‎06-04-2017 04:17 PM

Is bridging now accelerated on the ERL?  If not then you only get about 100Mb/s as I recall.

1Gb/s Gigapower users won't find this acceptable.


I have 3 of the ERLs and I love those units but not for this particular application

on ‎06-05-2017 06:22 PM

Thanks for the write-up!  Is there another router that this would work with, without the 100Mb/s cap?  I was thinking the ER 5 port poe router.  how would the 3 switching ports affect throughput?  Any other options?

‎06-16-2017 01:22 AM - edited ‎06-16-2017 01:23 AM



ERL & ERPOE uses the same processor and has the same non-offloaded bridge interface issue. In short, any interface that is not supported for offloading will have a throughput limitation. I think even the higher end ER and ERPRO has same or similar limitation.


Good thing is IPv4 forward, IPv6 forward, IPSec, VLAN are offload supported. Only bridge/team interfaces are not.

‎08-03-2017 09:57 AM - edited ‎08-03-2017 10:19 AM

So from above, if you assign the the erl or erpro as a cascaded router, disable the AT&T firewall for that device and put it in dmz plus mode. Your traffic going to and from the erl/erpro won't hit the nat issues? Is that correct?

on ‎08-29-2017 08:55 AM

Has anyone figured out how to do this without the bridge?  I saw some write-ups on DLSReports that seemed to suggest you can tear down the bridge after the auth happens, but I didn't quite follow how they were doing it.  I am new to this, and I am still trying to figure out why you have to create the bridge in the first place.  Seems like you could simply toss the auth packets over to the other interface maybe, but I am sure I am missing some crutial detail as to why that wont work.

on ‎09-13-2017 07:11 AM

Just out of curiosity, why is everyone doing so much work to bypass the router they give you? I turned the wifi on it off and used a UBNT AP, other than that its been working great for me. The only thing i've done is purchase a block of public ip's from them ( which was very cheap ) and i use those for my consoles so i dont have to worry about NATing, plus I have a few spares to host things behind it.