How to bypass ISP router. FTTH Altibox SFP connection

[askd]

Writing this down here for future reference, also took me a while to find out what settings I should use, since my ISP would not tell me what they were doing. Took me a while to realize it was in a VLAN.

Context:
ISP: Altibox
ISP router is connected via SFP.

Got tired of the lack of features, especially for setting up VLAN's.
Also want my own VPN service so I dont have to pay anyone for it.

Bought a Mikrotik RB4011iGS+5HacQ2HnD-IN
Mikrotik has some really powerful hardware and its reasonably priced.

The steps described are the same for any router, but the specifics here are for mikrotik.

Steps described here are assuming you are starting with mikrotiks default config.
Default config summary is attached so you can see what the starting config is.


WARNING you are doing this at your own risk, and I do not in any way recommend you do this. 

After you configure the mikrotik, remember to setup a sinkhole for stray LAN PDUs just in case.

With great power comes great responsibility!

I am not familiar with mikrotiks CLI so i just did this in winbox since i needed this ASAP,
don't use mikrotiks web interface its buggy af (at least on firefox).
 

In winbox, from default config:

1. Bridge > ports
Youll see a list of interfaces under your default bridge.
     remove sfp interface
     add back ether1 interface

2. Interfaces > vlan

    create a new vlan, name it wan-vlan (or whatever, just remember it)
    set vlanid 102 or 101 (can be changed later)
    set interface to sfp

This vlan id is key, its what altibox uses to separate its services. Based on that vlan id you get different dhcp ips. Many people reported that its vlan 101 for internet, but for me it was 102 that was the internet vlan.

3. Interfaces> interface-list

    set WAN to wan-vlan

4. Firewall > NAT

    Set Out. Interface: wan (remove Out. Interface List)
    Rest should be already set, but its:
        chain: srcnat
        action: masquerade

In your firewall make sure filter rule drop all from WAN not DSTNATed is enabled otherwise you WILL leak LAN packets, and your ISP will not be happy, you can cause real headaches, they might just bill you for the hours spend troubleshooting. (not cheap)

5. Set mac address on interface.

You need to set the MAC address of your interface to the MAC address of your ISP's router. On mikrotik you can do this in the terminal.
The command is:
    interface ethernet set interfaceName mac-address= IS:PM:AC:AD:DR

6. IP > DHCP Client

    Change the existing entry for ether1 to wan-vlan make sure Use Peer DNS is checked, and Add Default Route is yes

Use DHCP you might otherwise loose connection at some point if your ISP decides to make some changes.

If you still don't have a internet connection check your WAN ip in the IP > DHCP Client page addresses. If it is not the same as you had from before with the ISP's router change the VLAN ID in Interfaces > VLAN: wan-vlan try VLAN ID 101 and see what IP you get, if you get a new ip but no internet connection, keep trying vlan IDs untill you get your old WAN IP back..

For altibox the WAN IP can be found on their website's administration page for your network.

Ping a something and verify connection.

Now don't forget that sinkhole...
 

TLDR:
Setup a vlan interface vlan id is the key here (101 or 102), attach sfp to it, set the vlan as the wan interface.
Setup dhcp-client on vlan interface.
Set NAT rules.
Make sure you firewall LAN packets (as always).
Check dchp-client IP to see if it matches your old ip try vlan id's untill it does.
Verify and enjoy!


Hope it helps.

  
Default config summary

Endret 9. april 2021 av askd
Forgot change mac address

[NoTrace]

Seems like you haven't configured the IPTV part to get the Altibox TV-decoders working?

I have the same type of setup, but using Ubiquiti EdgeRouter. SFP directly plugged into the EdgeRouter.

Anyways; great to share this with others for future reference

Endret 10. april 2021 av NoTrace

[trrunde]

config for both mikrotik rb4011 and ubiquiti with igmp proxy and dualstack

 

https://github.com/trrunde/routerconfig

[askd]

5 hours ago, NoTrace said:

Seems like you haven't configured the IPTV part to get the Altibox TV-decoders working?

I have the same type of setup, but using Ubiquiti EdgeRouter. SFP directly plugged into the EdgeRouter.

Anyways; great to share this with others for future reference

Yeah I forgot to mention that, i think in my case its vlan id 101. I dont have IPTV, it would require another vlan interface. Once you get this far the addition of another vlan and adding interfaces to it should not be to hard.

Endret 10. april 2021 av askd

[NoTrace]

10 minutes ago, askd said:

Yeah I forgot to mention that, i think in my case its vlan id 101. I dont have IPTV, it would require another vlan interface. Once you get this far the addition of another vlan and adding interfaces to it should not be to hard.

You need the multicast and IGMP Proxy stuff as well. But yeah, most important is getting internet of course