ATT Uverse RG Bypass (0.2 BTC)
-
@bulldog5 so if I am understanding what you were trying to do is to stop using the PFAT&T script. And you are still trying to use the script or some type of authorization?
-
@sgc I'm pretty sure the pfatt script is still required for the 802.1Auth. I'm trying to get rid of the ATT white ONT, and move to the ONT cloned DFP stick which I put directly into my pfsense server. I get O5 status and a supplied vlan to pickup the internet on. I'm struggling with how to configure pfsense to get the tagged vlan traffic on the appropriate NIC, since its all (internal) to pfsense now.
I believe I still need ngeth because of VLAN0 still an issue, but now need vlan tagged 962 as well.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
@sgc I'm pretty sure the pfatt script is still required for the 802.1Auth. I'm trying to get rid of the ATT white ONT, and move to the ONT cloned DFP stick which I put directly into my pfsense server. I get O5 status and a supplied vlan to pickup the internet on. I'm struggling with how to configure pfsense to get the tagged vlan traffic on the appropriate NIC, since its all (internal) to pfsense now.
I believe I still need ngeth because of VLAN0 still an issue, but now need vlan tagged 962 as well.
This is correct, there has been some speculation that using a pcp tag will allow you to get 802.1x auth on VLAN0 but no real instruction on how to do so yet.
You can trying joining the conversation on this thread https://github.com/MonkWho/pfatt/issues/79 and maybe you can get it to work.
-
I assume the non-netgraph scripts in that thread will only work if you are using the method where you have extracted the certs from the AT&T device?
-
@bigjohns97 I will try posting over there, hopefully i'm making sense.
-
@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):
I assume the non-netgraph scripts in that thread will only work if you are using the method where you have extracted the certs from the AT&T device?
I wish I had that answer, the one user who got it working was using I believe a realtec NIC but when comparing interface flags we weren't able to find any issues.
So this whole extracted certs where the 802.1x identity matches the MAC spoof vs someone who purchased their certs and the 802.1x identity doesn't match the MAC spoof could be an explanation for why it didn't work for me.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
@bigjohns97 I will try posting over there, hopefully i'm making sense.
You are making sense, what I would do if I were you would be to separate the two implementations.
Get your setup working with the bypass and the ONT still in line.
Then once that is working try bypassing the ONT with your SFP
-
Mmm, I think that could be a separate problem. I guess if a non-netgraph solution is available that might be applicable to a different VLAN directly.
To use those scripts would need the extracted certs but it looks like you have those @bulldog5?You would certainly need to be running pfSense 23.01/2.7 to use them.
Steve
-
@stephenw10 correct, I have working certs and have had the RGW bypassed for a few years now. Long story short, I want to move the ATT white ONT from the garage, I figured I would just clone it and get rid of it all together. (Extended fiber to server closet and jack straight in to pfsense SFP) so thats where I'm at with this project.
I need a solution to handle VLAN0, but also tagged vlan traffic on the WAN nic.
-
@bulldog5 upgrade to pfsense plus 23.01. that's what I use. I was on the regular beta before the stable pfsense plus came out. It's free. Nothing to really lose.
-
@untamedgorilla Are you saying yours wasn't working, then you upgraded to 23.01 and it works? What is your setup?
-
2.7 and 23.01 have the same capabilities for handling priority tagging and/or VLAN0.
-
@bulldog5 yes. I tried the other sense firewall first. I didn't like it, but when I found out the 2.7 development supported vlan0 I switched back, and then I upgraded to 23.01 because it was a full release. You can use 2.7 or 23.01.
-
@untamedgorilla running 23.01 on a test box, VLAN 0 still seems to be an issue. I've tried running the standard command with the norm in the wpa_supplicant.conf, certs are in place. em0 is my WAN interface, mac is cloned to that of my ATT RGW.
/usr/local/sbin/wpa_supplicant -D wired -i em0 -c /conf/wpa_supplicant.confNo go, get em0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
I've tried setting pcp 0, 1,2 setting PROMISC, ifconfig em0 -vlanhwfilter.
Nothing seems to work. I even have a dumb switch between the WAN port and working ATT ONT currently.pfatt.sh works fine on my current prod pfsense 2.4.5
-
@untamedgorilla following back up on my previous post. VLAN0 is NOT fixed for ATT EAP in pfsense 23.01 from what i can tell in my testing. PCP 0 will let the interface tag all traffic vlan0, that doesn't help the fact that inbound tagged vlan0 EAP packets are ignored. So WPA will never see them and auth.
-
@bulldog5 These are my findings as well, maybe the wpa supplicant code needs to be patched like the dhclient was to be able to communicate over VLAN 0?
-
@bigjohns97 I don't understand the issue about VLAN 0. If you run PFSense in an ESXi VM, the vm code handles the VLAN 0 problem nicely. And there are a lot of benefits in terms of snapshots etc... that come from running virtualized. And for just one host, you can get the free version of ESXi from vmware. No vcenter, but for one machine its not really that helpful.
-
@fresnoboy In this case the guest OS is unaware of the VLAN tags being applied, as for why I don't run virtualized it is too much of a performance hit when doing VPN at 1gbit speeds.
-
@bigjohns97 I would be surprised if there is much of a hit at all running virtualized. ESXi at least passes all the processor extensions through to the guest, so if you have the crypto acceleration, it definitely uses that. I know that's the case with my PFSense VM.
-
@fresnoboy I would consider yourself surprised then :)
This is something I have tried recently using esxi 8.0 and 22.xx as well as 23.01 and while I got the same performance line rate wise the CPU percentage being shown as utilized was 100% utilization.
Whenever I do this on bare metal the CPU utilization is around 20% on the exact same hardware.
I almost want to install a second drive in my server just so I can switch back and forth using BIOS boot options.
But so far I have not found anyone that could point to anything I was doing wrong, just that generic "virtualization shouldn't cause a performance penalty" response.
Which BTW I am that guy as a server admin / engineer of over 25 years I am that dude arguing for virtualization, but I could never get it to not show such CPU utilization when performance this performance benchmark test.