22.01/2.6.0 Upgrade - Broke DHCP on WAN Interface with Custom Startup Script
-
Getting ahead of the comments. I know this not technically supported, but a handful of us out there use this.
The latest's upgrade (confirmed on both 22.01 and 2.6.0) broke a start-up script many of us AT&T Fiber customers use that allows us to use pfSense natively with AT&T.
Essentially, this startup script use either WPA_SUPPLICANT or netgraph (depending on a users configuration) to authenticate with AT&T's ONT. After 802.1X authentication, the script then request an IP. It appears with this update the authentication still works but the DHCP request fails.
Anyone else here having this issue? I looked at the release notes and couldn't see anything obvious (to me at least) that would have broken this script.
GitHub Issue: https://github.com/MonkWho/pfatt/issues/67
I believe this is the part of the script that is failing.
if [ -z ${IP_STATUS} ] || [ ${IP_STATUS} = "0.0.0.0" ]; then /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..." RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0) IP_STATUS=$(eval ${IP_STATUS_CMD}) fi /usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..." /usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..." break
And here is a screenshot of my boot-up. MAC Address removed. The DHCPDISCOVER just continues for a few more times then fails out.
-
I am having the same problem did not find this until now I posted too
-
May have figured out a solution.
https://forum.netgate.com/post/1026680
-
@nedyah700 said in 22.01/2.6.0 Upgrade - Broke DHCP on WAN Interface with Custom Startup Script:
MAC Address removed.
Why? Your MAC address is irrelevant off your local connection.
-
@jknott It is my AT&T router MAC address and with they way AT&T authenticates on it's network this being public is not a good idea.
-
I got the certs out again and now it doesn't work I can't get pass the
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
/usr/bin/logger -st "pfatt" "waiting for EAP authorization..."
During all this messing. I deleted my cert, so I had to pull again.=Here is my full script
#!/usr/bin/env shEAP_SUPPLICANT_IDENTITY=""
RG_ETHER_ADDR=""
LOG=/var/log/pfatt.log
ONT_IF="igb0"getTimestamp(){
echo date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"
}DO NOT EDIT BELOW
/usr/bin/logger -st "pfatt" "starting pfatt..."
/usr/bin/logger -st "pfatt" "configuration:"
/usr/bin/logger -st "pfatt" " ONT_IF = $ONT_IF"
/usr/bin/logger -st "pfatt" " EAP_SUPPLICANT_IDENTITY = $EAP_SUPPLICANT_IDENTITY"
/usr/bin/logger -st "pfatt" " RG_ETHER_ADDR = $RG_ETHER_ADDR"Netgraph cleanup.
/usr/bin/logger -st "pfatt" "resetting netgraph..."
/usr/sbin/ngctl shutdown $ONT_IF: >/dev/null 2>&1
/usr/sbin/ngctl shutdown vlan0: >/dev/null 2>&1
/usr/sbin/ngctl shutdown ngeth0: >/dev/null 2>&1/usr/bin/logger -st "pfatt" "your ONT should be connected to pyshical interface $ONT_IF"
/usr/bin/logger -st "pfatt" "creating vlan node and ngeth0 interface..."
/usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream
/usr/sbin/ngctl name $ONT_IF:lower vlan0
/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR/usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
/sbin/ifconfig $ONT_IF ether $RG_ETHER_ADDR
/sbin/ifconfig $ONT_IF up
/sbin/ifconfig $ONT_IF promisc/usr/bin/logger -st "pfatt" "starting wpa_supplicant..."
WPA_PARAMS="
set eapol_version 2,
set fast_reauth 1,
ap_scan 0,
add_network,
set_network 0 ca_cert "/root/pfatt/wpa/ca.pem",
set_network 0 client_cert "/root/pfatt/wpa/client.pem",
set_network 0 eap TLS,
set_network 0 eapol_flags 0,
set_network 0 identity "$EAP_SUPPLICANT_IDENTITY",
set_network 0 key_mgmt IEEE8021X,
set_network 0 phase1 "allow_canned_success=1",
set_network 0 private_key "/root/pfatt/wpa/private.pem",
enable_network 0
"
WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"Kill any existing wpa_supplicant process.
PID=$(pgrep -f "wpa_supplicant")
if [ ${PID} > 0 ];
then
/usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
RES=$(kill ${PID})
fiStart wpa_supplicant daemon.
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant")
/usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."Set WPA configuration parameters.
/usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
IFS=","
for STR in ${WPA_PARAMS};
do
STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
RES=$(eval wpa_cli ${STR})
doneCreate variables to check authentication status.
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
/usr/bin/logger -st "pfatt" "waiting for EAP authorization..."Check authentication once per 5 seconds for 25 seconds (5 attempts). Continue without authentication if necessary (no WAN).
i=1
until [ "$i" -eq "5" ]
do
sleep 5
WPA_STATUS=$(eval ${WPA_STATUS_CMD})
if [ X${WPA_STATUS} = X"Authorized" ];
then
/usr/bin/logger -st "pfatt" "EAP authorization completed..."IP_STATUS=$(eval ${IP_STATUS_CMD}) if [ -z ${IP_STATUS} ] || [ ${IP_STATUS} = "0.0.0.0" ]; then /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..." RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0) IP_STATUS=$(eval ${IP_STATUS_CMD}) fi /usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..." /usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..." sleep 5 /usr/bin/logger -st "pfatt" "set mac address on ngeth0..." /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR break
else
/usr/bin/logger -st "pfatt" "no authentication, retrying ${i}/5..."
i=$((i+1))
fi
done