ATT Uverse RG Bypass (0.2 BTC)

bbrendon

@nedyah700 Bummer. I tried you solution, but it didn't work on my system.

I reviewed your script which is significantly different from mine. I don't have anything about wpa_supplicant.

My system has been working great for many years and I'm foggy on the details of how I made it all work :/

netnerdy

@nedyah700 yes it is stock igb.

If you want to get rid of ngeth, you need something that strips the vlan 0 from the network packets. This could be running pfsense under esxi and use a virtual network adapter set to “vlan 0” or plug a switch between your ONT and your pfsense, which is what I do.

nedyah700

@stephenw10

You are correct. Despite showing loaded in kldstat it did not attach.

With my compiled igb module I don't get any of the iflib lines but with both the stock and compiled em module I still get

dev.igb.5.iflib.driver_version: 7.6.1-k

I can try to re-compile?

stephenw10

Mmm, hard to say since it's em not igb.... doesn't override the in-kernel igb....which is actually just em.

But it's not iflib so I would imagine it isn't affected by the same issue. I'm not sure it's worth the effort.

We know this is an issue with the e1000 driver in 22.01/2.6 and netgraph/VLAN0.

Steve

nedyah700

@stephenw10

ha! Yea I thought about that and tried just naming it if_igb.ko but that had the same result so who knows.

Anyways, hope the fix makes it in a future release. Appreciate it!

nedyah700

@stephenw10 just an FYI someone else used the combined em driver for an em based NIC and it resolved the issue for them.

bk150

are there any updates on this one? is there a chance the newer driver could make it into 2.6.1?

stephenw10

Not as the default since it's a non-iflib driver. What was tested here at least.

If the alternative Intel driver was available via ports if could be made available potentially.

The 'correct' solution here is to fix whatever broke netgraph support in the iflib driver. If that hasn't already happened.

Steve

nedyah700

I believe a fix for the iflib driver is available. Tracked in this Redmine regression. https://redmine.pfsense.org/issues/12821?next_issue_id=12820

Hope we can get that incorporated into the next release!

@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):

Not as the default since it's a non-iflib driver. What was tested here at least.

If the alternative Intel driver was available via ports if could be made available potentially.

The 'correct' solution here is to fix whatever broke netgraph support in the iflib driver. If that hasn't already happened.

Steve

stephenw10

Oh, yup that is in main so 2.7 snapshots now:
https://github.com/pfsense/FreeBSD-src/commit/9c762cc125c0c2dae9fbf49cc526bb97c14b54a4
So it looks like we are waiting for someone to test it in a 2.7 snap and provide some feedback.

Steve

nedyah700

Ah! I missed the comitt. I'll try and give it a shot this weekend.

Thanks!

@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):

Oh, yup that is in main so 2.7 snapshots now:
https://github.com/pfsense/FreeBSD-src/commit/9c762cc125c0c2dae9fbf49cc526bb97c14b54a4
So it looks like we are waiting for someone to test it in a 2.7 snap and provide some feedback.

Steve

@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):

Oh, yup that is in main so 2.7 snapshots now:
https://github.com/pfsense/FreeBSD-src/commit/9c762cc125c0c2dae9fbf49cc526bb97c14b54a4
So it looks like we are waiting for someone to test it in a 2.7 snap and provide some feedback.

Steve

timtrace

Guys, I’m having a hell of a time rolling back from 2.6.0 to 2.5.2 with bypass mode.

I made a USB with the 2.5.2 image, and put /config/config.xml on the FAT32 partition. The config was taken immediately before the upgrade, where the bypass had been happily chugging along for a year or more.

I ran through the installer, and when it rebooted I pulled the USB. pf happily booted into a fresh config. Ugh.

I rebooted with the USB plugged in, and used the BIOS boot selector to choose the internal disk. This time it picked up the config, but it complained that it couldn’t find pfatt.sh and negth0.

What do I need to do to get up and running again?

Thank you!

stephenw10

The script is not stored in the config so you would need to re-upload that. Unless you used the filer package maybe but then you would still need to reinstall that at first boot. But that can't happen until the WAN connects so you'd be in chicken/egg scenario there.

timtrace

@stephenw10, thank you! At the end of the pf install it offers to drop out to a shell, could I copy the script over from USB so it would be in place for the first boot?

stephenw10

Yes, probably. I've never tried to do that though. I'm also not burdened by AT&T.

I would probably install 2.5.2 clean.
Boot into the default install and upload the pfatt scripts.
Restore the config that presumably contains the shellcmds to run it.

Steve

nedyah700

Lucky!

@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):

Yes, probably. I've never tried to do that though. I'm also not burdened by AT&T.

I would probably install 2.5.2 clean.
Boot into the default install and upload the pfatt scripts.
Restore the config that presumably contains the shellcmds to run it.

Steve

timtrace

I’m getting a permissions error even though it’s 555 on the tree and the script. It’s happening if I use the installer shell, and also if I let the misconfigured pf boot and come into it by ssh. What might be happening, please?

sgc

@timtrace said in ATT Uverse RG Bypass (0.2 BTC):

I’m getting a permissions error even though it’s 555 on the tree and the script. It’s happening if I use the installer shell, and also if I let the misconfigured pf boot and come into it by ssh. What might be happening, please?

What folder is the sh in?

nedyah700

@timtrace When I clean installed 2.6.0 (and 22.01 on my pfSense+ Box) absolutely nothing I did allowed my pfatt script to runs successfully from the /cf/conf directory. I ended up moving it to /root/pfatt and everything worked. This seemed to only be an issue once I moved to a ZFS file system but who knows.

timtrace

Thanks, @stephenw10, @nedyah700, @sgc -- that worked!

For posterity :)

If you've been running in BYPASS MODE and want to get right back to it after a reinstall of pfSense and a restore of a backed-up configuration ...

1> Prepare a USB memstick:
https://docs.netgate.com/pfsense/en/latest/install/write-memstick.html

2> Choose your backup config file, make a copy, and rename the copy config.xml

3> Open config.xml in a text editor and change all references to pfatt.sh so they read like this: /root/pfatt/pfatt.sh

4> Put config.xml on the FAT partition on the memstick. Follow these instructions:
https://docs.netgate.com/pfsense/en/latest/backup/restore-during-install.html

5> Make a copy of your backup of pfatt.sh, open that copy in a text editor and make sure the values for ONT_IF, RG_IF, and RG_ETHER_ADDR are appropriate for your environment.

6> Copy the reviewed/edited copy of pfatt.sh to the root of the FAT partition on the memstick.

7> Install pfSense
https://docs.netgate.com/pfsense/en/latest/install/install-walkthrough.html

8> Near the end of the process, the installer will ask if you'd like to open a shell to make any final manual modifications. Answer yes.

9> These next commands will copy pfatt.sh from the memstick to the pfSense volume. They may not be 100% correct for all environments. Google will help you out

mkdir -p /root/pfatt
mkdir -p /mnt/usb
mount -t msdosfs /dev/da0s3 /mnt/usb/
cp /dev/da0s3/pfatt.sh /root/pfatt/pfatt.sh
chmod -R 555 /root/pfatt
exit

10> Reboot your pfSense and profit.

Caveats:

In step 9, the FAT partition on my memstick was /dev/da0s3. Yours may be different. You can start by viewing the output of this command and (probably) appending 3 for the FAT partition. Google can get you the rest of the way if you need help.

camcontrol devlist

For some reason, my installer wouldn't pick up config.xml during the installation process, so, I left my memstick plugged in for the first reboot and used the computer's boot manager to start pfSense from the hard disk. The ECL took over and all was right in the world.

If you're running pfBlockerNG in Python mode, you may have to disable Python in the DNS resolver before your fresh system will download any packages .... including pfBlockerNG. You can re-enable Python mode after everything settles down.

I hope all this typing helps someone out of a bind some day :)