Can someone with Sonic via AT&T share their setup in terms of equipment

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
15 posts Page 1 of 2
by bubba198 » Sat Aug 01, 2020 9:58 am
Hi everyone,

Can someone with Sonic via AT&T please share their setup in terms of equipment?

I know we always start with the wall-mounted white plastic brick ONT provided by AT&T. That's a given.

Then what? I hear AT&T "requires" that the only device facing their ONT is their BGW210-700, again provided by AT&T.

Then what? The Sonic router or your own router? That would be my guess.

My core question is how does AT&T configure their BGW210-700 in the Sonic scenario? Is it some kind of bridge where the next downstream box gets the DHCP provided public IP or does BGW210-700 do NAT and then NAT again on your own box or Sonic's router?

Thank you
by cfritze64 » Sat Aug 01, 2020 10:25 am
We have a two story house with a semi-finished basement.

The BGW210 router is in the basement.
- Wifi from the BGW210 provides reasonable wifi service to the back half of our main floor.
- Son's gaming computer (basement bedroom) and our AppleTV (main floor) are connected directly via Ethernet cables.
- an Ethernet cable reaches to our top floor, where it connects to an Apple Airport Extreme that is in bridge mode and creates a wifi network with the same name and password credentials as the BGW210 network. This serves the upstairs bedrooms and, because the AAE is towards the front of the house, also provides good wifi coverage to the parts of the main floor not served well by the BGW's wifi signal. (Before I had access to a cable run to the top floor, we used powerline adapters to make the connection between the AAE and the BGW.)
- Another line from the switch goes to an old Airport Express in the kitchen that serves some powered Bluetooth speakers. That device is AirPlay only; it doesn't broadcast a wifi signal.
by bubba198 » Sat Aug 01, 2020 10:35 am
@cfritze64 thank you that's super helpful, thank you!
by Sonic Guest » Sat Aug 01, 2020 11:22 pm
Sonic doesn't give you their own router in addition to AT&T's. You just get AT&T ONT and CPE.

You have some options.
  • Use your BGW210 as your primary router and connect all your devices to it. That's the default.
  • Connect your own router and set the device to IP-Passthrough; the BGW210 will "bridge" your WAN address to your router's WAN port. Connect all your devices downstream to your own router. If you perform a traceroute, you should notice your packets pass to your router and then to the BGW210 before they leave your home. This is the "double-NAT" most people talk about. I don't know what the CPE is doing, but it's sort of a hybrid double-NAT. Port forwards will work correctly, but all your packets will go through the BGW210's anemic 8K sessions table. Create more than the sessions limit and you will no longer be able to use the internet until other sessions are closed.
  • Replace AT&T's CPE with a pfSense- or Ubiquiti-based firewall. There are several ways to do it but the first is to obtain a certificate from an AT&T router. As these certificates are unique to each device, many purchase one from eBay, root it, then import into the firewall. Look through the U-verse forums at
I went with the second option, but instead of the BGW210 which I received, I purchased a Pace 5268ac and use DMZ-Plus. The 5268ac doesn't have the double-NAT behavior and its sessions table is twice as large, although I've found that its sessions table doesn't limit my connection. The 5268ac has a really slow web UI, but since I hardly use it, it's not a problem. I also disable the CPE's WiFi because I have my own.

I'm still hopeful Sonic will eventually build their fiber network here in the East Bay and I don't want to bother with using pfSense/Ubiquiti. Sonic-based CPEs have true bridge mode and hopefully at that time I will also have the option of returning it.
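The post above suggests a traceroute as the way to see whether your own router's traffic is passing through a second NAT hop inside the BGW210. The script below is an added example, not code from the thread or from any of the posters: it parses Linux-style traceroute output and counts the hops that sit in RFC 1918 or CGNAT (RFC 6598, 100.64.0.0/10) space before the first public hop. The two traceroute transcripts embedded in it are constructed for illustration, with 203.0.113.0/24 (a documentation range) standing in for the ISP's public gateway; the hop addresses are not taken from any real AT&T or Sonic deployment.

```python
import ipaddress
import re

# RFC 1918 private space plus the RFC 6598 shared space used by carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# One traceroute hop: "<ttl>  <host or *> ..." ; the banner line has no leading number.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: own router (hop 1) behind a gateway that NATs again (hop 2).
DOUBLE_NAT_SAMPLE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.366 ms
 2  192.168.254.254 (192.168.254.254)  1.102 ms  1.090 ms  1.071 ms
 3  * * *
 4  203.0.113.9 (203.0.113.9)  9.812 ms  9.777 ms  9.740 ms
 5  1.1.1.1 (1.1.1.1)  12.401 ms  12.390 ms  12.377 ms
"""

# Constructed sample: a single NAT, the router's WAN side already on a public address.
SINGLE_NAT_SAMPLE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.401 ms  0.377 ms  0.360 ms
 2  203.0.113.1 (203.0.113.1)  8.914 ms  8.880 ms  8.852 ms
 3  1.1.1.1 (1.1.1.1)  11.870 ms  11.850 ms  11.833 ms
"""


def classify(ip):
    """Return 'private', 'cgnat' or 'public' for an IPv4 address string.

    Deliberately does not use ipaddress.is_private, which also flags the
    documentation ranges and would misclassify the sample's public hop.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private"
    if addr in CGNAT:
        return "cgnat"
    return "public"


def parse_hops(text):
    """Parse traceroute output into (ttl, ip_or_None, kind) tuples."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner line or noise
        ttl = int(m.group(1))
        ipm = IPV4_RE.search(m.group(2))
        if ipm is None:
            hops.append((ttl, None, "no-reply"))  # "* * *": hop did not answer
            continue
        try:
            hops.append((ttl, ipm.group(1), classify(ipm.group(1))))
        except ValueError:
            hops.append((ttl, ipm.group(1), "unparsed"))
    return hops


def private_hops_before_public(text):
    """Count private/CGNAT hops seen before the first public hop.

    One such hop is the normal single home router. Two or more means a second
    NAT device (or an ISP hop using private addressing, so treat it as a hint,
    not proof). Silent hops are skipped rather than counted.
    """
    count = 0
    for _, _, kind in parse_hops(text):
        if kind == "public":
            break
        if kind in ("private", "cgnat"):
            count += 1
    return count


def verdict(text):
    n = private_hops_before_public(text)
    if n == 0:
        return "no private hops: your device already sits on a public address"
    if n == 1:
        return "single NAT: one private hop before the ISP"
    return "likely double NAT: %d private/CGNAT hops before the first public hop" % n


if __name__ == "__main__":
    for name, sample in (("double", DOUBLE_NAT_SAMPLE), ("single", SINGLE_NAT_SAMPLE)):
        print(name, "->", verdict(sample))
```

Run a real `traceroute 1.1.1.1` (or `tracert` on Windows; the hop lines parse the same way) and feed its output to `verdict`. A CGNAT hop (100.64.0.0/10) is reported separately from RFC 1918 space because it points at address translation on the carrier side rather than at a second box in your home.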
by bubba198 » Mon Aug 03, 2020 12:22 pm
@Sonic Guest - that is very interesting, specifically "Replace AT&T's CPE with a pfSense- or Ubiquiti-based firewall."

I say interesting since I know for a fact from an AT&T GigaPower customer that AT&T will NOT allow people to use anything which faces their ONT directly other than the router they provide - BGW210.

That confidential customer has shared that it isn't a simple MAC address filter; there's custom firmware on the BGW210, and nothing one would connect directly to their ONT other than the provided BGW210 would get a public IP.

Your answer directly contradicts that and I am not remotely implying that one is right or wrong, I just would like to get to the bottom of this issue.

Could it be that Sonic re-sold service DOES allow the end user to connect their own box to AT&T's ONT while native service does not?

Do note that AT&T does POTS differently from Sonic. In the Sonic case the POTS interfaces come out of the Adtran ONT. In the AT&T case they come out of the BGW210, and said custom firmware also connects to the AT&T mobile app, to the point where a slight configuration change on the BGW210 triggers a customer alert in the AT&T mobile app, so what one sees from the management UI is just the tip of an iceberg.

Thank you
by larns576 » Mon Aug 03, 2020 5:49 pm
I believe he's talking about copying the auth certificate to another router. Some info here ... 0348dd39a8
by Sonic Guest » Mon Aug 03, 2020 11:12 pm
The people who created this bypass state it works only with FTTH services. The "custom" software uses 802.1X certificate authentication and allows a subscriber to obtain an IP. AT&T's resold services' infrastructure is the same as their regular services'. Only their SLAs are different, and resold services from Sonic are treated as business accounts with no data caps and supposedly no data collection/retention.
by wwwong » Mon Aug 03, 2020 11:42 pm
I use the BGW210 in IP Passthrough mode to my Ubiquiti USG. Then it's routed to HP Switches (regular and PoE) and Ubiquiti APs. I have disabled almost everything in the BGW210.
by bubba198 » Tue Aug 04, 2020 7:34 am
@wwwong thank you, how's performance? One of my goals was to get input from everyone and figure out how AT&T is doing TLS over Ethernet for any ONT-facing device, which right now is their BGW210; I totally get it that it can be bypassed,

It is worth mentioning that native Sonic fiber does no such thing and one can connect anything to Sonic's Adtran ONT and there are no gimmicks, no TLS, no auth -- you get a normal public IP dhcp-assigned to your own device. Good work Sonic!
by gtwrek » Tue Aug 04, 2020 8:05 am
I'm an ATT fiber customer. My ATT-provided gateway is the Pace. A common use case model for some users is to bypass most of the functions in the service-provided router and use their own instead - basically a bridge mode. Unfortunately, this isn't supported by most providers anymore. What's used instead is something called DMZPlus mode. Doubly unfortunate, ATT has completely broken the firmware upgrades on recent Pace versions, and this mode is broken.

I use the methods documented here to completely bypass the Pace.

It's hacky, but works. After the initial authentication, I've had the Pace turned off for 6-8 months, and my router does everything.
