Netgate Enhances Modem Bridging with pfSense Version 23.05: Direct Connection to Optical Network Terminal Now Possible for AT&T Fiber Customers

Netgate has streamlined the modem bridging process with the introduction of version 23.05 for pfSense. This update will be especially beneficial for AT&T customers with a fiber connection. Now, the spoofed MAC address can be stored directly in the pfSense firewall, and the software will automatically retrieve the relevant certificate from the AT&T modem. As a result, the modem’s actions are constrained, enhancing fail-safety. One key advantage is that the pfSense Firewall can now be directly connected to the Optical Network Terminal. For guidance, here’s a straightforward tutorial:

I personally found the installation process smooth and successful on my first attempt yesterday.

This might work for those who have a separate ONT and GW. ATT Multi-Gig service requires a new GW with a built-in SFP port, thus may be a short-lived solution.

What if your firewall computer has an SFP(+) port available to use the BiDi module?

If choice allows, I’d choose a card that can service 1.25g, 2.5g, 5g, and 10g modules over one that only allows 1g/10g like a lot of older cards. Would be an interesting experiment, one that I cannot try because no one has fiber to home where I live. Our Spectrum cable was unreliable and they would not come to check it. I switched to T Mobile home internet for now, but really wish I could get something that isn’t behind CGNAT and maybe even pay for a static IP.

I just recently switched from Arista/Untangle back to pfSense, and one of the main factors was this new feature. I was very pleasantly surprised at how easy this configuration was. The only issue I had was running the recommended DUID generation script. I am not great at coding so I hit a speed bump and couldn’t figure out the issue. To resolve this issue I used this tool: GW DUID Generator and that got me figured out.
All in all a pretty easy configuration, a great step-by-step guide from Netgate, and for those few of us who have this specific ISP and service a welcome feature.

For anyone who is curious, I have the AT&T Motorola gateway and built my pfSense using a Protectli Vault.
Fiber ONT → Port 0 | AT&T Modem WAN (Red) Port → Port 1 | LAN → Port 5