Unifi OS – AT&T XGS-PON Gateway Bypass

Summary

Bypassing your AT&T gateway with a WAS-110 and connecting through your Unifi Console unlocks significant control over your network. However, you’ll likely encounter two persistent issues: losing access to the WAS-110 GUI after reboots, and your Unifi Console lacking functional IPv6 connectivity despite receiving a 2001:506 prefix address (while your LAN devices work fine). Let’s dive into the “why” and how to fix it via the command line.

Prerequisite

  • A working network connection through your bypassed ONT.
  • Your Unifi Console successfully distributing IPv4 and IPv6 to your LAN clients.
  • The on_boot script installed on your Unifi Console.

Persisting WAS-110 Access (SNAT)

Cause

If you initially configured your WAS-110 with the 8311 community firmware using the SNAT method (as described on pon.wiki), you’ll notice that the SNAT rule doesn’t survive reboots, which means you lose access to the WAS-110 GUI. If you used the Static Route method instead, you should already have access to the WAS-110 interface but might not have an IPv6 address; in that case, skip to “Assigning a Routable IPv6 Address to Your Unifi Console”.

Why? The SNAT rule and local IP assignment need to be re-applied after each reboot.

Solutions
  1. Manual Reconfiguration: Log in via SSH and re-apply the SNAT rule and IP address.
  2. Automated Script (Recommended): Use a bash script executed at boot via the on_boot script.

Manual Reconfiguration

If you prefer to run your own script, including this line should be enough:
ip addr add "$wan_local_ip4" dev "$wan_iface"
Note:
"$wan_local_ip4" should be your local IP address (typically 192.168.11.2/24).
"$wan_iface" should be the interface your WAS-110 is plugged into. Port numbering starts at 0, so port 10 on your Unifi Console is eth9.

Using a Script (10-patch-network.sh)
  • The script, located at https://github.com/szhu25/misc/blob/main/10-patch-network.sh, automates this process.
  • Configuration:
    • Line 19: Defines your network interface (e.g., eth9 for port 10).
    • Line 20: Sets the IPv4 address for WAS-110 access (e.g., 192.168.11.2).
    • Lines 48-60: Ensure the IPv4 address is correctly set, preventing duplicates or failures.
  • Policy Based Route: You can move the iptables part of the script into a policy based route in the Unifi GUI for more flexibility. However, the local IP address assignment still requires the command line.
Policy based route example

Assigning a Routable IPv6 Address to Your Unifi Console

Cause

When using the AT&T gateway as your ONT, it receives a 2001:506 prefix (non-routable) and a /60 IPv6 subnet. Before bypassing, you could use a workaround like this to get IPv6 working on the LAN, but you sacrificed some IPv6 features in Unifi. After bypassing, your Unifi Console directly receives the non-routable 2001:506 address, while your LAN correctly receives IPv6 from your /60 subnet. This causes issues such as failing speed tests on the Unifi Console, because it tries to use the non-routable address.

Solutions
  • Manual Reconfiguration: Log in via SSH and apply the IPv6 address.
  • Automated Script (Recommended): Use a bash script executed at boot via the on_boot script.

Manual Reconfiguration

If you prefer to run your own script, including this line should be enough:
ip addr add "$wan_global_ip6" dev "$wan_iface"
Note:
"$wan_global_ip6" should be the IPv6 address you wish to assign to your Unifi Console.
"$wan_iface" should be the interface your WAS-110 is plugged into. Port numbering starts at 0, so port 10 on your Unifi Console is eth9.

Using a Script (10-patch-network.sh)
  • The script, located at https://github.com/szhu25/misc/blob/main/10-patch-network.sh, automates this process.
  • Configuration:
    • Line 19: Defines your network interface (e.g., eth9 for port 10).
    • Line 21: Sets the routable IPv6 address (ensure it’s not within a LAN subnet).
    • Lines 62-74: Ensure the IPv6 address is correctly set, preventing duplicates or failures.
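
The "set the address without duplicates or failures" behaviour described for both the IPv4 and the IPv6 sections of the script can be sketched as follows. This is an added example, not the contents of 10-patch-network.sh; the has_addr and ensure_addr helper names and the IPv6 value are assumptions, while the variable names follow the ones used on this page.

```bash
#!/bin/bash
# Added example: idempotent address assignment for an on_boot script.
# Variable names follow the page; the values are constructed placeholders.
wan_iface="eth9"                      # port 10 on the console
wan_local_ip4="192.168.11.2/24"       # address used to reach the WAS-110 GUI
wan_global_ip6="2001:db8:0:f::2/64"   # constructed (documentation prefix)

# has_addr IFACE CIDR: succeeds if CIDR is already configured on IFACE.
# The match is textual, so write IPv6 addresses the way `ip` prints them
# (lowercase, zero-compressed) and always include the prefix length.
has_addr() {
    ip -o addr show dev "$1" 2>/dev/null |
        awk -v want="$2" '$4 == want { found = 1 } END { exit !found }'
}

# ensure_addr IFACE CIDR: add CIDR only when missing, then verify it is there.
# Returns 0 if the address is present afterwards, 1 otherwise.
ensure_addr() {
    if ! ip link show dev "$1" >/dev/null 2>&1; then
        echo "ensure_addr: interface $1 not found" >&2
        return 1
    fi
    if has_addr "$1" "$2"; then
        echo "ensure_addr: $2 already on $1, nothing to do"
        return 0
    fi
    if ! ip addr add "$2" dev "$1"; then
        echo "ensure_addr: failed to add $2 to $1" >&2
        return 1
    fi
    has_addr "$1" "$2"
}

# Only touch the system when asked to, e.g. `./ensure-addr.sh --apply` as root.
if [ "${1:-}" = "--apply" ]; then
    ensure_addr "$wan_iface" "$wan_local_ip4" || exit 1
    ensure_addr "$wan_iface" "$wan_global_ip6" || exit 1
fi
```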

Important Notes

  • Replace "ipv4_test_target", "ipv6_test_target", "$wan_local_ip4", "$wan_global_ip6", and "$wan_iface" with your specific values.
  • Choosing an IPv6 address outside your LAN subnets is crucial to avoid conflicts.
  • Using the script automates the process, making it persist through reboots.
  • Always proceed with caution when modifying network settings.

Conclusion

By using the 10-patch-network.sh script, you can effectively persist WAS-110 access and assign a routable IPv6 address to your Unifi Console after bypassing the AT&T gateway. This ensures a more stable and functional network.
