ATT Uverse RG Bypass (0.2 BTC)
-
@bigjohns97 I will try posting over there, hopefully i'm making sense.
-
@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):
I assume the non-netgraph scripts in that thread will only work if you are using the method where you have extracted the certs from the AT&T device?
I wish I had that answer, the one user who got it working was using I believe a realtec NIC but when comparing interface flags we weren't able to find any issues.
So this whole extracted certs where the 802.1x identity matches the MAC spoof vs someone who purchased their certs and the 802.1x identity doesn't match the MAC spoof could be an explanation for why it didn't work for me.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
@bigjohns97 I will try posting over there, hopefully i'm making sense.
You are making sense, what I would do if I were you would be to separate the two implementations.
Get your setup working with the bypass and the ONT still in line.
Then once that is working try bypassing the ONT with your SFP
-
Mmm, I think that could be a separate problem. I guess if a non-netgraph solution is available that might be applicable to a different VLAN directly.
To use those scripts would need the extracted certs but it looks like you have those @bulldog5?You would certainly need to be running pfSense 23.01/2.7 to use them.
Steve
-
@stephenw10 correct, I have working certs and have had the RGW bypassed for a few years now. Long story short, I want to move the ATT white ONT from the garage, I figured I would just clone it and get rid of it all together. (Extended fiber to server closet and jack straight in to pfsense SFP) so thats where I'm at with this project.
I need a solution to handle VLAN0, but also tagged vlan traffic on the WAN nic.
-
@bulldog5 upgrade to pfsense plus 23.01. that's what I use. I was on the regular beta before the stable pfsense plus came out. It's free. Nothing to really lose.
-
@untamedgorilla Are you saying yours wasn't working, then you upgraded to 23.01 and it works? What is your setup?
-
2.7 and 23.01 have the same capabilities for handling priority tagging and/or VLAN0.
-
@bulldog5 yes. I tried the other sense firewall first. I didn't like it, but when I found out the 2.7 development supported vlan0 I switched back, and then I upgraded to 23.01 because it was a full release. You can use 2.7 or 23.01.
-
@untamedgorilla running 23.01 on a test box, VLAN 0 still seems to be an issue. I've tried running the standard command with the norm in the wpa_supplicant.conf, certs are in place. em0 is my WAN interface, mac is cloned to that of my ATT RGW.
/usr/local/sbin/wpa_supplicant -D wired -i em0 -c /conf/wpa_supplicant.confNo go, get em0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
I've tried setting pcp 0, 1,2 setting PROMISC, ifconfig em0 -vlanhwfilter.
Nothing seems to work. I even have a dumb switch between the WAN port and working ATT ONT currently.pfatt.sh works fine on my current prod pfsense 2.4.5
-
@untamedgorilla following back up on my previous post. VLAN0 is NOT fixed for ATT EAP in pfsense 23.01 from what i can tell in my testing. PCP 0 will let the interface tag all traffic vlan0, that doesn't help the fact that inbound tagged vlan0 EAP packets are ignored. So WPA will never see them and auth.
-
@bulldog5 These are my findings as well, maybe the wpa supplicant code needs to be patched like the dhclient was to be able to communicate over VLAN 0?
-
@bigjohns97 I don't understand the issue about VLAN 0. If you run PFSense in an ESXi VM, the vm code handles the VLAN 0 problem nicely. And there are a lot of benefits in terms of snapshots etc... that come from running virtualized. And for just one host, you can get the free version of ESXi from vmware. No vcenter, but for one machine its not really that helpful.
-
@fresnoboy In this case the guest OS is unaware of the VLAN tags being applied, as for why I don't run virtualized it is too much of a performance hit when doing VPN at 1gbit speeds.
-
@bigjohns97 I would be surprised if there is much of a hit at all running virtualized. ESXi at least passes all the processor extensions through to the guest, so if you have the crypto acceleration, it definitely uses that. I know that's the case with my PFSense VM.
-
@fresnoboy I would consider yourself surprised then :)
This is something I have tried recently using esxi 8.0 and 22.xx as well as 23.01 and while I got the same performance line rate wise the CPU percentage being shown as utilized was 100% utilization.
Whenever I do this on bare metal the CPU utilization is around 20% on the exact same hardware.
I almost want to install a second drive in my server just so I can switch back and forth using BIOS boot options.
But so far I have not found anyone that could point to anything I was doing wrong, just that generic "virtualization shouldn't cause a performance penalty" response.
Which BTW I am that guy as a server admin / engineer of over 25 years I am that dude arguing for virtualization, but I could never get it to not show such CPU utilization when performance this performance benchmark test.
-
@bigjohns97 Count me surprised. Was this true with ESXi 7? 8.0 is a little too much milk for my taste - I only drink wine in hypervisors.
-
No esxi here, but I am using proxmox.
PF + 23.01
I tried all sorts of variations to get rid of the vlan0, including suggestions from https://forum.proxmox.com/threads/how-to-pass-vlan-0-priority-tags-to-pfsense-for-dhcp.112374/ , post #2.
No can do. The only way I can get auth to work is by directly passing the wan nic to the pf vm and using the netgraph/supplicant method. The certs are known good and have been in use for a number of years.
Using 23.01, should it be possible to use wpa_supplicant and have functional wan dhcp without netgraph of any kind?
-
@gpz1100 no, it never was said to work in pfsense 23.01. There is so much bad misinformation on this topic. Freebsd 14 still doesn't handle tagged vlan0 inbound, which is what ATT EAP auth uses via wpa_supplicant. The kernel just discards because BSD doesn't know how to handle.
-
The vlan0 part is not the problem. FreeBSD 14 and pfSense 23.01/2.7 will handle that no problem.
Additionally in 23.01/2.7 priority tagged dhcp traffic will also be passed by bpf which is what was breaking connections to other ISPs. The only exception to that is the e1000 driver (em and igb) where vlan hardware filtering must be disabled due to a bug.But none of that applies to AT&T where the authentication requirement (currently) means you must use the netgraph script and doing so causes other issues. Such as the fact that the iflib e1000 driver doesn't seem to pass traffic with it.
