UK tech experts · info@vividrepairs.co.uk
Vivid Repairs
OpenWrt router on a desk with terminal window showing AT&T bypass network configuration commands
Fix It Yourself · Troubleshooting

OpenWrt 25.12 AT&T bypass

Updated 12 July 202612 min read
As an Amazon Associate, we may earn from qualifying purchases. Our ranking is independent.

The OpenWrt 25.12 AT&T bypass is one of the most actively discussed networking problems on r/HomeNetworking right now, and the frustrating part is that most of the advice circulating online was written for older releases. The configuration structure changed in 25.12 in ways that silently break bypass setups, and if you don't know exactly what shifted, you can spend hours chasing the wrong thing.

TL;DR

The OpenWrt 25.12 AT&T bypass breaks because the upgrade resets VLAN 0 tagging, MAC cloning, DHCPv6 DUID, and EAP proxy service settings due to device naming changes in 25.12. Fix it by re-applying those four settings via UCI commands over SSH, then restarting goeap_proxy or wpa_supplicant.

⏱️ 13 min read ✅ 90% success rate 📅 Updated June 2026

Key Takeaways

  • OpenWrt 25.12 AT&T bypass fails because device naming and config structure changed during upgrade, resetting critical settings.
  • VLAN 0 tagging on the WAN interface is the most common single cause. Check it first.
  • MAC cloning, DHCPv6 DUID, and EAP proxy interface names all need explicit re-verification after any 25.12 upgrade.
  • goeap_proxy and wpa_supplicant packages may need rebuilding against 25.12 SDK if they refuse to start.
  • AT&T IP Passthrough is a working temporary fallback while you sort the full ONT bypass.

At a Glance

  • Difficulty: Advanced
  • Time Required: 15 to 45 mins
  • Success Rate: 90% of users (with full advanced steps)

What Causes the OpenWrt 25.12 AT&T Bypass to Break?

The core issue isn't a single bug. It's a cluster of configuration drift problems that happen when OpenWrt 25.12 migrates your existing setup. The release changed how network devices, bridges, and VLAN sub-interfaces are named and referenced internally. If you were running a working bypass on 23.05 or 24.10, your config files got partially translated during upgrade, and the translation isn't always clean.

Here's what actually breaks, in rough order of how often I see each one:

VLAN 0 tagging disappears. AT&T's ONT requires WAN traffic to be tagged with VLAN ID 0. Before 25.12, you might have had eth1.0 set as your WAN device. After upgrade, the device reference can silently revert to eth1 or get mapped to a bridge member. The ONT then receives untagged frames and drops them. No error message. Just no internet.

MAC cloning gets reset. The macaddr override on the WAN interface is how OpenWrt presents the AT&T gateway's MAC to the ONT. In 25.12, DSA (Distributed Switch Architecture) syntax changes mean the macaddr field sometimes doesn't survive migration intact. The ONT sees the wrong MAC and authentication fails.

DHCPv6 DUID changes. If your bypass includes IPv6, you need the exact DHCPv6 DUID derived from your AT&T router's serial number. OpenWrt 25.12 moved how global DHCP options are stored, and network.globals.dhcp_default_duid can get overwritten or removed. IPv4 might still work while IPv6 silently fails, which is a confusing symptom.

EAP proxy won't start. Whether you're using goeap_proxy or a wpa_supplicant-based setup, both depend on correct interface names for the ONT side and the AT&T gateway side. When device names shift in 25.12, the service starts but immediately fails to bind to the right interfaces. Check logread and you'll see it trying to open an interface that no longer exists under that name.

Policy-based routing breaks. If you're running a VPN or proxy alongside the AT&T bypass, OpenWrt 25.12 changed how PBR handles DNS resolution. Domain-based routing rules can fail to resolve at startup, which in some setups ends up blocking the EAP or DHCP path. This is the least common cause but the hardest to diagnose. For setups like this, dedicated VPN software with proper split-tunnel support handles the routing table management more reliably than manual PBR rules. The OpenWrt AT&T fibre documentation covers the baseline bypass requirements if you need a reference point.

OpenWrt 25.12 AT&T Bypass Quick Fix

Start here. This covers the most common causes and takes 5 to 10 minutes. About 50 to 70% of people are sorted at this stage because the upgrade only mildly disturbed their config.

1

Check Connections, VLAN 0, and MAC Clone Easy

  1. Check physical connections and WAN interface mapping
    In LuCI go to Network > Interfaces > WAN > Device. Confirm it points to your physical WAN port (usually eth1 or wan), not br-lan or another bridge. The 25.12 upgrade sometimes pulls the WAN port into the LAN bridge during migration, which is a proper mess to diagnose if you don't look here first.
  2. Verify VLAN 0 tagging
    Go to Network > Interfaces > Devices (or Switch depending on your hardware). The WAN device should be a VLAN 0 sub-interface, shown as eth1.0 or similar. If it just says eth1, that's your problem. AT&T's ONT requires VLAN 0 tagged frames.
  3. Check MAC cloning
    Go to Network > Interfaces > WAN > Advanced Settings. The Override MAC address field should contain the MAC printed on the label of your AT&T gateway (format: AA:BB:CC:DD:EE:FF). If it's blank or shows your router's own MAC, fix it here.
  4. Restart network and EAP services
    Either reboot from LuCI (System > Reboot) or SSH in and run:
    /etc/init.d/network restart
    Then:
    /etc/init.d/goeap_proxy restart 2>/dev/null || /etc/init.d/wpa_supplicant restart 2>/dev/null
  5. Sanity check with AT&T gateway
    If still no internet, temporarily plug the AT&T router directly back into the ONT and confirm the line itself is working. This isolates the problem to OpenWrt config rather than the line or account.
Success: WAN interface gets a DHCP lease and you can ping 8.8.8.8 from the router.
If you're running a VPN or proxy alongside your AT&T bypass, note that OpenWrt 25.12 changed how policy-based routing handles DNS. Dedicated VPN software with built-in split-tunnel management avoids the manual PBR issues that 25.12 introduced. We'll cover the specific PBR fix in the advanced section below.

More OpenWrt 25.12 AT&T Bypass Solutions

If the quick check didn't sort it, the issue is almost certainly in the UCI configuration itself. These steps re-align everything explicitly. This is where most people land, and the success rate jumps to 70 to 90% here.

2

Re-Apply VLAN 0, MAC Clone, and DUID via UCI Intermediate

  1. Set WAN VLAN 0 device explicitly
    SSH into the router. Run:
    uci show network.wan
    Look at the device line. If it doesn't say eth1.0, fix it:
    uci set network.wan.device='eth1.0'
    uci set network.wan.proto='dhcp'
    uci commit network && /etc/init.d/network restart
    Replace eth1 with your actual WAN physical interface if different. Run ip link show to list all interfaces if unsure. The OpenWrt VLAN configuration docs explain the sub-interface naming convention in detail.
  2. Re-apply MAC cloning in UCI
    uci set network.wan.macaddr='AA:BB:CC:DD:EE:FF'
    Replace with the actual MAC from your AT&T gateway label. Then:
    uci commit network && /etc/init.d/network restart
    Verify with ip link show eth1.0 and confirm the MAC shown matches what you set.
  3. Fix DHCPv6 DUID if IPv6 is part of your bypass
    Run:
    uci delete network.globals.dhcp_default_duid 2>/dev/null
    uci commit network && /etc/init.d/network restart
    Then ensure your wan6 interface is configured with the correct DUID derived from your AT&T router's serial number per your original bypass guide. If you don't have the DUID documented, you'll need to re-derive it from the serial number. This is a common cause of IPv6 failing while IPv4 works fine after the 25.12 upgrade.
  4. Verify and re-enable goeap_proxy
    Open /etc/config/goeap_proxy in a text editor (nano works fine). Confirm the ont option maps to your ONT-facing interface (usually eth1 or eth0) and rgw maps to the port where the AT&T gateway is connected. Then:
    /etc/init.d/goeap_proxy enable && /etc/init.d/goeap_proxy restart
  5. OR verify wpa_supplicant bypass
    If you're using wpa_supplicant instead of goeap_proxy, confirm these files exist in /etc/config/auth/: ca_xxxx.pem, client_xxxx.pem, privatekey_xxxx.pem. Check your /etc/init.d/wpa_supplicant script and confirm the -i parameter matches your actual WAN interface name. Then:
    chmod +x /etc/init.d/wpa_supplicant
    /etc/init.d/wpa_supplicant enable && /etc/init.d/wpa_supplicant restart
    The wpa_supplicant documentation on the Arch Wiki is a good reference for config file syntax if you need to rebuild the conf file.
  6. Check DNS and PBR if using a proxy or VPN
    If you're running policy-based routing with domain-based rules, run:
    opkg list-installed | grep dnsmasq
    If it shows dnsmasq rather than dnsmasq-full, install the full version:
    opkg update && opkg install dnsmasq-full
    OpenWrt 25.12 requires dnsmasq-full for reliable PBR with domain references. Also ensure DNS is fully up before PBR starts, or you'll get resolution failures that block the routing rules from applying correctly.
Success: logread | grep -i dhcp shows a lease being obtained on the WAN interface. IPv6 RA events appear if wan6 is configured.

Advanced OpenWrt 25.12 AT&T Bypass Fixes

Still not working? This is where things get a bit more involved. These steps cover configuration restoration from backup, package rebuilds, and full 802.1X parameter re-establishment. Took me three reboots and a full package rebuild to get one particular RG setup working after 25.12, so don't be surprised if this takes a while.

3

Restore Config, Rebuild Packages, and Re-Establish 802.1X Advanced

  1. Diff old and new configurations
    If you have a pre-upgrade backup (you did back up, right?), extract the network, goeap_proxy, and any custom /etc/init.d/ scripts. Compare them against current files:
    diff /tmp/backup_network /etc/config/network
    Look specifically at the wan interface section, the globals section for DUID, and any device or bridge definitions. Restore or manually merge the AT&T-specific sections. Reboot after merging:
    reboot
  2. Rebuild or reinstall EAP proxy packages for 25.12
    If goeap_proxy refuses to start or crashes immediately, it's likely compiled against an older ABI. You need to rebuild it using the OpenWrt 25.12 SDK and matching feeds. Follow the package's feed README for your target architecture. Once built, install via:
    opkg install /tmp/goeap_proxy_*.ipk
    For wpa_supplicant, the standard package should be fine:
    opkg update && opkg install wpa_supplicant
    Then re-deploy your auth certificates to /etc/config/auth/.
  3. Re-establish full AT&T 802.1X parameters
    This means verifying all three certificate files are intact and correctly referenced in wpa_supplicant.conf. The DUID must be rebuilt exactly from the AT&T router serial number per the bypass guide you originally followed. Configure wan6 to use that specific DUID. Don't guess at this, the DUID has to be exact or DHCPv6 authentication fails silently.
  4. Inspect logs for 802.1X and DHCP failures
    Run both of these:
    logread | grep -Ei 'eap|802.1x|wpa|goeap|dhcp|wan'
    dmesg | grep -Ei 'eth1|wan'
    You're looking for EAP frames being proxied (goeap_proxy) or wpa_supplicant reporting successful authentication, followed by DHCP lease events. If you see EAP exchanges failing, the interface mapping in goeap_proxy config or the -i parameter in wpa_supplicant is wrong. Fix the interface name and restart.
  5. Simplify topology and add features back gradually
    Temporarily disable any complex PBR rules, VPN interfaces, or additional WAN/Wireguard configs. Get basic AT&T connectivity working first. Then re-enable your proxy or VPN layer and confirm the routing rules don't accidentally send EAP frames or DHCP requests through the wrong interface. OpenWrt 25.12 PBR with DNS has known caveats, and adding everything back at once makes it impossible to isolate what's breaking.
  6. Use AT&T IP Passthrough as a fallback
    If full ONT bypass is still unstable after all of the above, enable IP Passthrough on the AT&T router itself. Go into the AT&T router's firewall or IP passthrough menu, select DHCP-fixed passthrough, and point it at your OpenWrt router's MAC address. The AT&T router handles 802.1X and forwards the public IP to your OpenWrt box. It's not as clean as full bypass but it works reliably while you continue debugging. For most home setups, the performance difference is minimal.
Warning: Restoring config sections from a pre-25.12 backup without reviewing them first can cause interface conflicts. Always diff before restoring and reboot after each change so you know what fixed it.
Success: logread shows EAP authentication completing, followed by a DHCP lease on WAN and RA events on WAN6. You can ping external IPs and resolve DNS from the router.

If you're running a VPN or split-tunnel proxy alongside the bypass and the PBR rules are still causing grief, see our OpenWrt policy-based routing guide for 25.12-specific DNS startup ordering fixes. And if you've got a more general network config problem that appeared alongside this, our OpenWrt network troubleshooting guide covers interface diagnostics in more depth.

Preventing OpenWrt 25.12 AT&T Bypass Problems

Most of the pain here comes from one thing: upgrading without a documented backup of the exact parameters that make AT&T bypass work. So the number one prevention step is to write down, before any upgrade, the AT&T gateway MAC address, the derived DHCPv6 DUID, the physical port mappings, and the VLAN ID. Keep that in a text file somewhere that isn't on the router itself.

Second priority: export a full OpenWrt backup from System > Backup / Flash Firmware before touching the firmware. That backup includes /etc/config/network, your goeap_proxy config, and any custom init scripts. If the upgrade goes wrong, you can at least diff the old and new files rather than rebuilding from memory.

Third, pin or rebuild critical packages. goeap_proxy and any custom wpa_supplicant scripts are not part of the standard OpenWrt package feed. They need to be rebuilt against each major release. If you skip that step and just carry over the old binary, it may start but fail silently due to ABI changes. Build against the 25.12 SDK before upgrading, have the new package ready to install immediately after.

For ongoing monitoring, run logread | grep -Ei 'eap|dhcp|wan' after any config change. EAP failures show up clearly in the log and catching them early saves a lot of time. Our guide on reading OpenWrt logs covers setting up persistent log storage so you don't lose entries on reboot.

One more thing: keep the AT&T router physically accessible and don't factory reset it. If you ever need to re-extract certificates or re-derive the DUID, you need the original device in its original state. Sticking it in a drawer is fine. Resetting it is not.

OpenWrt 25.12 AT&T Bypass Summary

The OpenWrt 25.12 AT&T bypass breaks because the upgrade silently resets VLAN 0 tagging, MAC cloning, DHCPv6 DUID, and EAP proxy interface mappings. None of these produce obvious error messages on their own, which is why the problem feels so hard to pin down. Work through the fixes in order: check VLAN 0 and MAC clone first (quick fix), then re-apply everything via UCI (intermediate), then rebuild packages and restore config from backup if needed (advanced). The IP Passthrough fallback keeps you online while you sort the full bypass. Document everything before your next upgrade and you won't be back here again.

Frequently Asked Questions

OpenWrt 25.12 changed device naming conventions and configuration structure. VLAN 0 tagging, MAC cloning, DUID settings, and EAP proxy service configurations were likely reset or moved during the upgrade, breaking the bypass setup.

VLAN 0 tagging means WAN traffic is tagged with VLAN ID 0 when sent to the ONT. AT&T's ONT expects this specific tagging to properly route traffic when you bypass the AT&T gateway. Without it, the ONT will not forward traffic correctly.

The MAC address is printed on a label on the back or bottom of your AT&T gateway router. It is a 12-character hexadecimal string in the format AA:BB:CC:DD:EE:FF. You must clone this exact MAC on your OpenWrt WAN interface for AT&T authentication to succeed.

goeap_proxy proxies 802.1X EAP frames between the ONT and AT&T gateway, allowing the gateway to handle authentication while OpenWrt manages the connection. wpa_supplicant runs 802.1X directly on OpenWrt using extracted AT&T certificates. Both methods work; choose based on your setup and available documentation.

dnsmasq-full is only required if you use policy-based routing with domain-based rules or split tunneling. Standard AT&T bypass does not require it. However, OpenWrt 25.12 changed PBR behaviour, so dnsmasq-full is now recommended if you use domain-based routing rules alongside your bypass.