Netgate Discussion Forum

    ATT Uverse RG Bypass (0.2 BTC)

      bigjohns97 @fresnoboy

      @fresnoboy said in ATT Uverse RG Bypass (0.2 BTC):

      @bigjohns97

      What's that line "How I stopped worrying and learned to love the hypervisor"? :)

      Seriously though, the ability to do snapshots and easily restore to a prior state is really helpful. PFSense is usually very stable, but there have been times with the original 2.5.0 upgrade and plugins where being able to recover from a snapshot helped save me (and the family) from extended downtime.

      I would love to have snapshots available to me for restores but I just couldn't get over how much the PfSense GUI showed cpu usage when doing speed tests while using ESXi. Without suricata running I only get around 3% CPU during a speed test but with ESXi it was around 30%.

      This was passing through the NIC which obviously I would need to give up if I were to trade ngeth for virtualization.

      I do run suricata now but honestly don't feel like I really get much from it outside of a bunch of false positives, I do get a great feeling from pfblockerng from a security perspective.

      At the end of the day I just felt like running this on ESXi just added complexity and hurt performance enough to a point I wasn't comfortable with.

      I may revisit this with something like proxmox where I can dedicate cores but I seem to remember a similar experience when using unraid which I believe is the same hypervisor as proxmox under the covers.

        netnerdy

        @bigjohns97

        Reason my switch is expensive is because it can do multi-gig. I’m sure you can find cheap gigabit managed switches that can do mac based vlan from netgear.

        I also run my pfsense on ESXI for easy backup/restore, but can also do NIC passthrough and so don’t incur the ngeth or ESXI networking cost, which both cost extra cpu.

        @stephenw10
        Vlan 0 is not out of spec. It’s called “priority tagging”. This mechanism is used to prioritize stuff like VOIP phone packets in switches which support it. The problem arises because there are devices which would like to specify a priority in their ip packets without specifying a vlan id. Check out the link I sent previously, you’ll see mentions of “priority tagging” there.

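The priority tagging described in the post above, as an added example that is not part of the original thread: a Python decoder for the 802.1Q tag that separates the priority bits (PCP) from the VLAN ID and labels a frame whose VLAN ID is 0 as priority-tagged. The MAC addresses and sample frames are constructed for illustration, and `parse_dot1q` and `build_frame` are hypothetical helper names.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier (TPID)
ETH_P_IPV4 = 0x0800   # EtherType for IPv4


def parse_dot1q(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"kind": "untagged", "pcp": None, "dei": None, "vid": None,
            "ethertype": ethertype}
    if ethertype != ETH_P_8021Q:
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # Tag control information: 3-bit PCP, 1-bit DEI, 12-bit VLAN ID.
    tci, inner = struct.unpack("!HH", frame[14:18])
    info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF,
                ethertype=inner)
    # VID 0 is the null VLAN ID: the tag carries only a priority and the
    # receiving port decides which VLAN the frame belongs to.
    info["kind"] = "priority-tagged" if info["vid"] == 0 else "vlan-tagged"
    return info


def build_frame(ethertype: int, pcp: int = 0, vid=None) -> bytes:
    """Build a sample frame; MACs and payload are constructed, not captured."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    tag = b""
    if vid is not None:
        tag = struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", ethertype) + b"\x00" * 46


if __name__ == "__main__":
    samples = {
        "plain IPv4": build_frame(ETH_P_IPV4),
        "priority 5, VLAN ID 0": build_frame(ETH_P_IPV4, pcp=5, vid=0),
        "priority 0, VLAN ID 10": build_frame(ETH_P_IPV4, pcp=0, vid=10),
    }
    for name, frame in samples.items():
        print(name, "->", parse_dot1q(frame))
```
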
          fortillian @bigjohns97

          @bigjohns97

          I use a Netgear GSS108E "smart" switch between the ONT, ATT RG and PFSENSE.

          I have only had to plug in the ATT RG 2 times to re-authenticate so far this year. I have the ONT on Port 1, ATT RG on Port 2 and PFSense on Port 3.

          When I need to re-auth, I plug in the ATT RG and log in to the switch and change Port 2 VLAN ID to 1, and Port 3 VLAN ID to 2. I wait about 2 mins for the ATT RG to show a service light, then I switch the VLAN Port IDs for Ports 2/3 back to how it's shown in the picture and I am back online.

            DanielJay23

            I have been using the pfatt script with no issue. My connection has 5 static IPs associated with my account. However, I have been unable to get the gateway to show online. My Internet appears to work with no issue, but the gateways section on the dashboard shows Offline 100% loss for my static IP gateway. The DHCP acquired gateway shows online with RTT of 0.6ms and RTTsd of 0.06ms and no packet loss.
            My /var/log/pfatt.log file shows:

            [pfatt.sh] :: pfSense + AT&T U-verse Residential Gateway for true bridge mode
            [pfatt.sh] :: Configuration:
            [pfatt.sh] ::        ONT_IF: igb2
            [pfatt.sh] ::         RG_IF: igb3
            [pfatt.sh] :: RG_ETHER_ADDR: <removed>
            [pfatt.sh] :: loading netgraph kernel modules... OK!
            [pfatt.sh] :: attaching interfaces to ng_ether... OK!
            [pfatt.sh] :: building netgraph nodes...
            [pfatt.sh] ::   creating ng_one2many... OK!
            [pfatt.sh] ::   creating vlan node and interface... OK!
            [pfatt.sh] ::   defining etf for igb2 (ONT)... OK!
            [pfatt.sh] ::   defining etf for igb3 (RG)... OK!
            [pfatt.sh] ::   bridging etf for igb2 <-> igb3... OK!
            [pfatt.sh] ::   defining filters for EAP traffic... OK!
            [pfatt.sh] ::   enabling one2many links... OK!
            [pfatt.sh] ::   removing waneapfilter:nomatch hook... OK!
            [pfatt.sh] :: enabling igb3 interface... OK!
            [pfatt.sh] :: enabling igb2 interface... OK!
            [pfatt.sh] :: enabling promiscuous mode on igb3... OK!
            [pfatt.sh] :: enabling promiscuous mode on igb2... OK!
            [pfatt.sh] :: ngeth0 should now be available to configure as your pfSense WAN
            [pfatt.sh] :: done!
            
            

            My biggest issue is I am trying to troubleshoot slow connectivity. Part of my issue is DNS, which I am digging into, but I am also wondering, since this gateway is down, whether that is part of my issue?
            Current pfsense firmware is on 2.4.4

              stephenw10 Netgate Administrator

              2.4.4 is ancient.

              You wouldn't normally have two WAN gateways like that. One may be a remnant from some older config.

              Steve

                DanielJay23 @stephenw10

                @stephenw10 The WANGW listed above was me trying to add my static IP for my IP block. Would it be better to adjust the ngeth0 interface the script creates and set it as Static IP instead of DHCP, then add my gateway address for the static block that I pay for?

                  michaellacroix @DanielJay23

                  It's been my experience that the script is only needed for dhcp and not for static IP. I use the script with frontier fiber and if I set a static IP the script is not needed.
                  Thanks

                    stephenw10 Netgate Administrator

                    If the subnet is routed to you I would expect to be able to just use it directly.

                      jasonsansone

                      2.6.0 appears to break pfatt.sh. I had to downgrade. Just a heads up to anyone running this bypass.

                        michaellacroix @jasonsansone

                        @jasonsansone I'm using Frontier fiber and the netgraph script survived the upgrade process. Just an FYI. Thanks

                          jasonsansone @michaellacroix

                          @michaellacroix everything functioned fine? My script survived and executes, but traffic didn't actually route properly across the netgraph interface. Is the method and script the same as for AT&T? If not, I would like to compare the code.

                            michaellacroix @jasonsansone

                            @jasonsansone I believe it's different for frontier, we only need the netgraph script for the vlan tag to get an IP from the dhcp server. I believe ATT also uses some kind of authentication method? Not sure.

                              bigjohns97 @jasonsansone

                              @jasonsansone said in ATT Uverse RG Bypass (0.2 BTC):

                              2.6.0 appears to break pfatt.sh. I had to downgrade. Just a heads up to anyone running this bypass.

                              Can confirm this broke for me as well.

                                bigjohns97

                                @jasonsansone how did you downgrade?

                                  jasonsansone @bigjohns97

                                  @bigjohns97 Reinstall from USB created by 2.5.2 ISO and restore config.

                                    bigjohns97 @jasonsansone

                                    @jasonsansone said in ATT Uverse RG Bypass (0.2 BTC):

                                    @bigjohns97 Reinstall from USB created by 2.5.2 ISO and restore config.

                                    OOF, ended up putting the RG back inline.

                                      netnerdy @bigjohns97

                                      @bigjohns97 does wpa still authenticate? What output do you get for “wpa_cli status” after you disconnect and reconnect the ont ethernet cable?

                                        bigjohns97 @netnerdy

                                        @netnerdy said in ATT Uverse RG Bypass (0.2 BTC):

                                        @bigjohns97 does wpa still authenticate? What output do you get for “wpa_cli status” after you disconnect and reconnect the ont ethernet cable?

                                        Sorry, I had to bring the RG back inline and can no longer troubleshoot this.

                                          jasonsansone @netnerdy

                                          @netnerdy I use the tether method, not supplicant.

                                            t41k2m3 @bigjohns97

                                            @bigjohns97 said in ATT Uverse RG Bypass (0.2 BTC):

                                            @jasonsansone said in ATT Uverse RG Bypass (0.2 BTC):

                                            2.6.0 appears to break pfatt.sh. I had to downgrade. Just a heads up to anyone running this bypass.

                                            Can confirm this broke for me as well.

                                            Does anyone know if this applies to both 2.6.0 and 22.01 plus (or just 2.6.0 confirmed at this time)?
