ATT Uverse RG Bypass (0.2 BTC)
-
@bk150 said in ATT Uverse RG Bypass (0.2 BTC):
We have a discord that most of the folks from DSLreports have migrated to regarding discussion about AT&T specific bypass methods. There is a working GPON and XGS-PON bypass method. I can't speak much to the GPON method as I have XGS-PON but the XGS-PON method entails simply buying an Azores WAG-D20 and setting a handful of values on it. Once the device gets O5.1 status to the upstream OLT, you can send a DHCP request with the use of Netgraph on pfsense 2.7/23.01.
Hopefully it's not against the rules to post a link to the Discord (dm me if it gets removed): https://discord.gg/6TwFBquMTT
Did some research on this and this doesn't help me as I don't have XGS-PON nor do I have a newer 320 Att supplied RG. If I should ever upgrade to multi-gig service which would require a 320 based integration ONT/RG then I would have to do these GPON stick tricks and upgrade my NIC hardware on my PfSense box to accommodate. Even after that I would still be left having to send wpa_supplicant based authentication over VLAN 0.
At the end of the day we still have to send 802.1x over VLAN 0 which is what historically netgraph has been used for and what we are trying to get away from if possible with this new 2.7 PfSense implementation.
-
@bigjohns97 with the 2.7 devel you don't have to use netgraph anymore. The supplicant is completely unnecessary. The only part you need is the netgraph if you choose not to use 2.7
-
I have the azore wagd20, there are no certs needed. Netgraph is only for vlan0 detection. Once you clone your device to your router. There is not authentication necessary except for AT&t verifying the MAC address
-
https://www.balticnetworks.com/products/azores-1x-10gbe-1x-2-5gbe-intel-based-xgspon-ont
This shows xgspon which to my understanding is not compatible with old gpon installs.
-
@bigjohns97 Yes, that's correct for the xgspon, for regular gpon, all you need is a device with a sfp+ and to change the fiber connected at the ont.
-
@bigjohns97 Help me decide on this product: 2.5GBase-T SFP RJ45 Copper Module, Wiitek 2.5Gb Gigabit SFP to RJ45 Transceivers 100m, Compatible for Cisco SFP-2.5G-T, TP-Link Switch (Have to Pluginto The 2.5G SFP Port) https://a.co/d/j9k53Mscolored text
-
@untamedgorilla @bigjohns97 .. Just a reminder some people using the GPON SFP are still needing to do 802.1X auth, which requires a script still.
-
@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip
-
@untamedgorilla said in ATT Uverse RG Bypass (0.2 BTC):
@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip
So if I am understanding what you are saying if I plug in my fiber from the wall right in to my pf router this will work with 23.01. Has anyone tested this yet?
-
@sgc said in ATT Uverse RG Bypass (0.2 BTC):
@untamedgorilla said in ATT Uverse RG Bypass (0.2 BTC):
@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip
So if I am understanding what you are saying if I plug in my fiber from the wall right in to my pf router this will work with 23.01. Has anyone tested this yet?
Everything I have read so far still states you have to run certificates through WPA on VLAN 0.
-
@untamedgorilla I am and following the discord chat. It's working for me, no certs needed. But, there were at least two people on GPON, who I think were using Lantiq based modules, still needed certs. Maybe they resolved it and I missed it.
-
@nedyah700 Check the pinned messages under the USA #gpon channel and you can see that everyone there says you still have to use the wpa_supp on VLAN 0.
-
This post is deleted! -
I'm using the GPON bypass method with a DFP-34X-2C2 directly in my pfSense 2.4.5 server via a Broadcom BCM57810S SFP card. I have working certs with supplicant method in pfatt.sh. How does this need to be configured to get a DHCP lease on (VLAN 962) now given by the DFP ONT?
I tried setting the ONT_IF="bxe0" which is the NIC of the DFP-34X-2C2 SFP ONT. VLANs don't seem to be enabled until later in the boot process after the wpa_supplicant process, but it obviously wont move forward because it fails EAP Auth.
-
@bulldog5 so if I am understanding what you were trying to do is to stop using the PFAT&T script. And you are still trying to use the script or some type of authorization?
-
@sgc I'm pretty sure the pfatt script is still required for the 802.1Auth. I'm trying to get rid of the ATT white ONT, and move to the ONT cloned DFP stick which I put directly into my pfsense server. I get O5 status and a supplied vlan to pickup the internet on. I'm struggling with how to configure pfsense to get the tagged vlan traffic on the appropriate NIC, since its all (internal) to pfsense now.
I believe I still need ngeth because of VLAN0 still an issue, but now need vlan tagged 962 as well.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
@sgc I'm pretty sure the pfatt script is still required for the 802.1Auth. I'm trying to get rid of the ATT white ONT, and move to the ONT cloned DFP stick which I put directly into my pfsense server. I get O5 status and a supplied vlan to pickup the internet on. I'm struggling with how to configure pfsense to get the tagged vlan traffic on the appropriate NIC, since its all (internal) to pfsense now.
I believe I still need ngeth because of VLAN0 still an issue, but now need vlan tagged 962 as well.
This is correct, there has been some speculation that using a pcp tag will allow you to get 802.1x auth on VLAN0 but no real instruction on how to do so yet.
You can trying joining the conversation on this thread https://github.com/MonkWho/pfatt/issues/79 and maybe you can get it to work.
-
I assume the non-netgraph scripts in that thread will only work if you are using the method where you have extracted the certs from the AT&T device?
-
@bigjohns97 I will try posting over there, hopefully i'm making sense.
-
@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):
I assume the non-netgraph scripts in that thread will only work if you are using the method where you have extracted the certs from the AT&T device?
I wish I had that answer, the one user who got it working was using I believe a realtec NIC but when comparing interface flags we weren't able to find any issues.
So this whole extracted certs where the 802.1x identity matches the MAC spoof vs someone who purchased their certs and the 802.1x identity doesn't match the MAC spoof could be an explanation for why it didn't work for me.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
@bigjohns97 I will try posting over there, hopefully i'm making sense.
You are making sense, what I would do if I were you would be to separate the two implementations.
Get your setup working with the bypass and the ONT still in line.
Then once that is working try bypassing the ONT with your SFP
-
Mmm, I think that could be a separate problem. I guess if a non-netgraph solution is available that might be applicable to a different VLAN directly.
To use those scripts would need the extracted certs but it looks like you have those @bulldog5?You would certainly need to be running pfSense 23.01/2.7 to use them.
Steve
-
@stephenw10 correct, I have working certs and have had the RGW bypassed for a few years now. Long story short, I want to move the ATT white ONT from the garage, I figured I would just clone it and get rid of it all together. (Extended fiber to server closet and jack straight in to pfsense SFP) so thats where I'm at with this project.
I need a solution to handle VLAN0, but also tagged vlan traffic on the WAN nic.
-
@bulldog5 upgrade to pfsense plus 23.01. that's what I use. I was on the regular beta before the stable pfsense plus came out. It's free. Nothing to really lose.
-
@untamedgorilla Are you saying yours wasn't working, then you upgraded to 23.01 and it works? What is your setup?
-
2.7 and 23.01 have the same capabilities for handling priority tagging and/or VLAN0.
-
@bulldog5 yes. I tried the other sense firewall first. I didn't like it, but when I found out the 2.7 development supported vlan0 I switched back, and then I upgraded to 23.01 because it was a full release. You can use 2.7 or 23.01.
-
@untamedgorilla running 23.01 on a test box, VLAN 0 still seems to be an issue. I've tried running the standard command with the norm in the wpa_supplicant.conf, certs are in place. em0 is my WAN interface, mac is cloned to that of my ATT RGW.
/usr/local/sbin/wpa_supplicant -D wired -i em0 -c /conf/wpa_supplicant.confNo go, get em0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
I've tried setting pcp 0, 1,2 setting PROMISC, ifconfig em0 -vlanhwfilter.
Nothing seems to work. I even have a dumb switch between the WAN port and working ATT ONT currently.pfatt.sh works fine on my current prod pfsense 2.4.5
-
@untamedgorilla following back up on my previous post. VLAN0 is NOT fixed for ATT EAP in pfsense 23.01 from what i can tell in my testing. PCP 0 will let the interface tag all traffic vlan0, that doesn't help the fact that inbound tagged vlan0 EAP packets are ignored. So WPA will never see them and auth.
-
@bulldog5 These are my findings as well, maybe the wpa supplicant code needs to be patched like the dhclient was to be able to communicate over VLAN 0?
-
@bigjohns97 I don't understand the issue about VLAN 0. If you run PFSense in an ESXi VM, the vm code handles the VLAN 0 problem nicely. And there are a lot of benefits in terms of snapshots etc... that come from running virtualized. And for just one host, you can get the free version of ESXi from vmware. No vcenter, but for one machine its not really that helpful.
-
@fresnoboy In this case the guest OS is unaware of the VLAN tags being applied, as for why I don't run virtualized it is too much of a performance hit when doing VPN at 1gbit speeds.
-
@bigjohns97 I would be surprised if there is much of a hit at all running virtualized. ESXi at least passes all the processor extensions through to the guest, so if you have the crypto acceleration, it definitely uses that. I know that's the case with my PFSense VM.
-
@fresnoboy I would consider yourself surprised then :)
This is something I have tried recently using esxi 8.0 and 22.xx as well as 23.01 and while I got the same performance line rate wise the CPU percentage being shown as utilized was 100% utilization.
Whenever I do this on bare metal the CPU utilization is around 20% on the exact same hardware.
I almost want to install a second drive in my server just so I can switch back and forth using BIOS boot options.
But so far I have not found anyone that could point to anything I was doing wrong, just that generic "virtualization shouldn't cause a performance penalty" response.
Which BTW I am that guy as a server admin / engineer of over 25 years I am that dude arguing for virtualization, but I could never get it to not show such CPU utilization when performance this performance benchmark test.
-
@bigjohns97 Count me surprised. Was this true with ESXi 7? 8.0 is a little too much milk for my taste - I only drink wine in hypervisors.
-
No esxi here, but I am using proxmox.
PF + 23.01
I tried all sorts of variations to get rid of the vlan0, including suggestions from https://forum.proxmox.com/threads/how-to-pass-vlan-0-priority-tags-to-pfsense-for-dhcp.112374/ , post #2.
No can do. The only way I can get auth to work is by directly passing the wan nic to the pf vm and using the netgraph/supplicant method. The certs are known good and have been in use for a number of years.
Using 23.01, should it be possible to use wpa_supplicant and have functional wan dhcp without netgraph of any kind?
-
@gpz1100 no, it never was said to work in pfsense 23.01. There is so much bad misinformation on this topic. Freebsd 14 still doesn't handle tagged vlan0 inbound, which is what ATT EAP auth uses via wpa_supplicant. The kernel just discards because BSD doesn't know how to handle.
-
The vlan0 part is not the problem. FreeBSD 14 and pfSense 23.01/2.7 will handle that no problem.
Additionally in 23.01/2.7 priority tagged dhcp traffic will also be passed by bpf which is what was breaking connections to other ISPs. The only exception to that is the e1000 driver (em and igb) where vlan hardware filtering must be disabled due to a bug.But none of that applies to AT&T where the authentication requirement (currently) means you must use the netgraph script and doing so causes other issues. Such as the fact that the iflib e1000 driver doesn't seem to pass traffic with it.
-
@stephenw10 so why doesn't it work for ATT? What needs to be changed/fixed? Without netgraph.
-
There's two scenarios. For most users who have the AT&T device still connected something is required to forward the auth traffic to it and responses back and that requires netgraph or some equivalent setup.
If you have extracted the certs and are using WPA directly it might be possible. I have no way to test. I suspect bpf might get in the way still. Also there were reports of WPA for DHCP not working in other situations and since it's not supported in pfSense it's not something that gets tested.Steve