Bypassing Google Fiber

Published by Matt Clemons on

Google doesn’t allow you to bridge their network box so you would have to double NAT and double port forward.

Default:

fiber_line --> fiber_to_ethernet_jack --> Google_Network_Box

The Google Fiber network box powers the fiber to Ethernet jack via Power over Ethernet. You need a PoE injector unless you have a PoE switch. I just have a regular old Cisco 3750G.

Injectors are anywhere from 5 to 30 bucks on Amazon for a single line. Traffic from the fiber jack is tagged as VLAN 2 with a 802.1p bit of 3. IGMP has 802.1p of 6 and DHCP traffic has IP 802.1p of 2. I also had to block IPv6 to the network box so it would pass to pfSense.

New:

fiber_line --> fiber_to_ethernet_jack <--> PoE_Injector --> Cisco_3750G 
                                                               |  | |__> Google_Network_Box
                                                               |  |____> pfSense
                                                               |_______> Cisco_ASA

Create VLAN 2 if you don’t have it already, and name it.

vlan 2
  name GOOGLE_FIBER

Create a few ACLs. One to block IPv6 to the Google Network box.

ipv6 access-list DENY_IPV6
  deny ipv6 any any

And two to match DHCP and IGMP traffic.

access-list 100 permit igmp any any
access-list 101 permit udp any eq bootpc any eq bootps

Now we get into some good old fashioned QoS. The order is “Class Map”, “Policy Map”, “Service Policy”.

Create a class map for DHCP and IGMP.

class-map match-all IGMP
  match access-group 100
class-map match-all DHCP
  match access-group 101

Create a policy map for QoS.

policy-map GOOGLE_FIBER
  class DHCP
    set precedence 2
  class IGMP
    set precedence 6
  class class-default
    set precedence 3

Configure the port for the Fiber Jack to be a trunk on VLAN 2 with a CoS of 3.

interface GigabitEthernet1/0/1
  description GOOGLE_FIBER_JACK
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 2
  switchport mode trunk 
  mls qos cos 3

Configure the port for the network box on VLAN 2, deny IPv6, and add the QoS Service Policy.

interface GigabitEthernet1/0/2
  description GOOGLE_FIBER_NETWORK_BOX
  switchport access vlan 2
  ipv6 traffic-filter DENY_IPV6 in
  mls qos cos 2
  mls qos cos override
  service-policy input GOOGLE_FIBER

Configure the pfSense or any additional device’s WAN port on the switch.

interface GigabitEthernet1/0/3
  description PFSENSE_WAN_PORT
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 2
  switchport mode trunk
  mls qos cos 3

Set the pfSense WAN port to be on VLAN 2.

Go to Interfaces / Assignments / VLANs and create VLAN 2 with CoS of 3.

Next go to Interfaces / Assignments and assign VLAN 2 to the WAN.

May need to reboot the Google box and play with DHCP renewals on pf or another firewall/router. And if you don’t have google TV, you don’t even need the network box now.

This config has been working great for me.

Enjoy!

Categories: Networking

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Linux

Cleared SAA-C02

I started with acloud.guru AWS Certified Solutions Architect Associate course. https://acloudguru.com/course/aws-certified-solutions-architect-associate-saa-c02 If you get the pro subscription, you get access to labs without having to create your own AWS accounts. I think it’s 50 bucks Read more…

Networking

Easy IPv6

Threw together a pres on the easiest way to learn IPv6 I could come up with. IPv6_Pres Enjoy, if you’re into this type of stuff.

Networking

Defeating MITM

There are a number of things needed to stop ARP poisoning properly in a Cisco environment. DHCP snooping Trusted ports Dynamic ARP inspection A filter for static IPs DHCP snooping prevents rogue DHCP servers and Read more…