For Aussie users : Getting pfSense to work with Telstra Cable

Aussie_Bear · Nov 24, 2005, 6:56 AM

I'm not sure what the problem is, but pfSense doesn't seem to load
BPAlogin. (client required to make Telstra Cable work)…Maybe it was
left off the boot list?

The following is a temporary solution.

In WebGUI => Diagnostics => Edit File
Then, paste the following in the entry block...
(we're creating a bpalogin.conf file, I got the contents for this
from the BPAlogin source code for UNIX).

**# Default debug level is 1. Values range from 0-2 with 0 being silent

All information goes to the syslog.

#debuglevel 1

The user name you have for your BPA account

username xxxxx

Your BPA password

password xxxxxxxxx

The default auth server is "sm-server" You can override this value, but

you would only do this if you have not set your default domain correctly

in your /etc/resolv.conf

authserver dce-server

You can override the default domain if you have your

resolv.conf set to not include the BPA domains.

Domain is different in every state

qld.bigpond.net.au for Queensland users

nsw.bigpond.net.au for New South Wales users

vic.bigpond.net.au for Victorian users

sa.bigpond.net.au for South Australian users

wa.bigpond.net.au for Western Australian users

authdomain nsw.bigpond.net.au

The loginprog will be executed whenever BPALogin connects successfully

you could have it run a script to start a firewall, etc. The first

parm to the program will be the port number

#connectedprog /etc/rc.d/rc.masq
#disconnectedprog /etc/rc.d/rc.masq

If you want to bind BPALogin to a specific address rather than all

sockets, you can do that here.

#localaddress 0.0.0.0

You can now define the listen port instead of a random port

This will help with firewalls.

localport 5050

Logging can be sent to syslog or stdout.

#logging syslog

Set the minimum heartbeat interval. This can protect against

DoS attacks.

minheartbeatinterval 60

Set the maximum heartbeat interval. Sometimes the DCE server will not

send a heartbeat for a long time (i.e. longer than seven minutes) but

the connection is still open. BPALogin will normally treat this as a

failed connection unless you raise the maximum interval.

#maxheartbeatinterval 420**

Then save this as…
=> /usr/local/etc/bpalogin.conf

Log-in to your pfSense box (you need keyboard and monitor)
Select the 8th option => Shell

Change directory to where bpalogin application resides...
=> cd /usr/sbin

Run bpalogin application...
=> bpalogin -c /usr/local/etc/bpalogin.conf
(You're just telling bpalogin where the configuration file is, when it loads.)

Now if you look on the STATUS => SYSTEM LOGS, you will see this.

Nov 24 13:28:31 bpalogin[10127]: Logged on as xxxxx - successful at Thu Nov 24 13:28:31 2005
Nov 24 13:28:31 bpalogin[10127]: Listening on port 5050
Nov 24 13:28:31 bpalogin[10127]: Auth host = dce-server.nsw.bigpond.net.au:5050
Nov 24 13:28:31 bpalogin[10127]: BPALogin v2.0.2 - portable BigPond Broadband login client

Now the connection should work with Telstra Cable.

If not, be sure to add filter rules that open port 5050 UDP/TCP on IP of login server.
(say for NSW, its 61.9.192.13 … See the ozcableguy.com link below for the one in your state.)

I've talked to Scott about this issue, and I'm willing to help test bpalogin for
pfSense. I think bpalogin was left off the boot list, but not sure...(?)

(I'm not in any way a BSD guru. I'm a newbie, but a newbie that likes
to dig around a bit to solve issues). :)

PS : If you are not sure what you need to enter for BPAlogin or WebGUI entry...
Look here => http://www.ozcableguy.com/dns.html

NOTE : This is just a terminology thing...
Login Servers (in link) => Authentication Server (in pfSense)
DNS Suffixes (in link) => Authentication Domain (in pfSense)

lsf · Nov 25, 2005, 5:28 AM

I had a look at this, and it seems bpalogin in fully implemented. What happens when you configure it via gui ?
I don't see anything wrong with the existing code.

function interfaces_wan_bigpond_configure($curwanip) {
        global $config, $g;

        $bpcfg = $config['bigpond'];

        if (!$curwanip) {
                /* IP address not configured yet, exit */
                return 0;
        }

        /* kill bpalogin */
        killbyname("bpalogin");

        /* wait a moment */
        sleep(1);

        /* get the default domain */
        $nfd = @fopen("{$g['varetc_path']}/defaultdomain.conf", "r");
        if ($nfd) {
                $defaultdomain = trim(fgets($nfd));
                fclose($nfd);
        }

        /* generate bpalogin.conf */
        $fd = fopen("{$g['varetc_path']}/bpalogin.conf", "w");
        if (!$fd) {
                printf("Error: cannot open bpalogin.conf in interfaces_wan_bigpond_configure().\n");
                return 1;
        }

        if (!$bpcfg['authserver'])
                $bpcfg['authserver'] = "dce-server";
        if (!$bpcfg['authdomain'])
                $bpcfg['authdomain'] = $defaultdomain;

        $bpconf = <<<eod<br>username {$bpcfg['username']}
password {$bpcfg['password']}
authserver {$bpcfg['authserver']}
authdomain {$bpcfg['authdomain']}
localport 5050

EOD;

        if ($bpcfg['minheartbeatinterval'])
                $bpconf .= "minheartbeatinterval {$bpcfg['minheartbeatinterval']}\n";

        fwrite($fd, $bpconf);
        fclose($fd);

        /* fire up bpalogin */
        mwexec("/usr/local/sbin/bpalogin -c {$g['varetc_path']}/bpalogin.conf");

        return 0;
}</eod<br>

Aussie_Bear · Nov 25, 2005, 10:41 AM

I agree about the code. I just compared the one you've posted to the M0n0Wall 1.2 code.
They're exactly the same. (They both use interfaces.inc, right?)

It must be something else.

When I use WebGUI, I select bigpond for WAN and add the appropriate details.
I click to apply and save the settings.

On M0n0Wall 1.2, if you look in the System Logs in the Diagnostics section,
you'll see the entry that bpalogin has initialized and you have successfully logged into the
Telstra network.

On pfSense, there's no indication of bpalogin being initialized in System Logs. The only thing
you see is that the DHCP function is working, and you've received your IP, Gateway and the
relevant DNS servers…But no bpalogin!

It should be there, appearing in the System Logs. (this occurs when I manually initialize bpalogin)

I know I'm not the only one experiencing this as I noticed that back in October, someone
else have the same issue.

Something isn't right, but I'm not sure what it is...I wish I were more knowledgeable with pfSense
or M0n0Wall . >:(

Is there a command that allows me to record everything when I boot up or when I change the WAN
from DCHP to bigpond? (I'm hoping we can catch any error messages that could indicate a problem
somewhere).

sullrich · Nov 25, 2005, 7:29 PM

See http://cvstrac.pfsense.com/tktview?tn=702,6 for update instructions. Testers needed!

Aussie_Bear · Nov 27, 2005, 8:31 AM

@sullrich:

See http://cvstrac.pfsense.com/tktview?tn=702,6 for update instructions. Testers needed!

Does version 0.94.12 contain the update from cvs? (I just downloaded this, gonna install it)
Or should I use update instructions anyway? (after installing 0.94.12)

sullrich · Nov 27, 2005, 6:46 PM

@Aussie_Bear:

@sullrich:

See http://cvstrac.pfsense.com/tktview?tn=702,6 for update instructions. Testers needed!

Does version 0.94.12 contain the update from cvs? (I just downloaded this, gonna install it)
Or should I use update instructions anyway? (after installing 0.94.12)

Yes, it should.

Aussie_Bear · Nov 30, 2005, 6:40 AM

This issue has been FIXED in pfSense ver 0.95

NOTE : When setting your pfSense box to work with Telstra Cable, be sure
to put dce-server in the BigPond Authentication Server: entry.

Test Setup
Celeron 1.2Ghz
512MB RDRAM
i820 chipset mobo (ASUS P3C-D)
CD-ROM
Floppy
pfSense 0.95 LiveCD
Telstra Broadband Cable

hoba · Nov 30, 2005, 7:49 AM

A sum up of the needed steps can now be found at the faq: http://faq.pfsense.org/index.php?sid=10900&lang=en&action=artikel&cat=10&id=100&artlang=en

Thanky ou aussi_bear :)

Aussie_Bear · Aug 27, 2006, 1:43 AM

This is an update.

Telstra have announced plans to DUMP their "heartbeat" solution.

What does this mean for pfSense, M0n0Wall, and any other firewall solution?
It means (when the transition is complete), you no longer need to set pfSense to "bigpond" mode.

There will no longer be the need to login via your firewall OR software client. Authentication will be made at the MAC address of the cable modem.

When the change is made (in about 1 to 2 month's time), set your pfsense box to DHCP. (NOT bigpond.)

From a developer's (and a Telstra Cable user's) view, their life is now made easier!

For now, you still need bigpond login client. This should change by the end of September or start of October.

sources:

BigPond Service Announcement
http://www.bigpond.com/edm/crm/2006/1353/1162_M07_migration_eDM.htm

Do I need to do anything to maintain my cable connection?
http://bigpond.custhelp.com/cgi-bin/bigpond.cfg/php/enduser/std_adp.php?p_faqid=12138

For pfSense Devs, you should drop "bigpond" client by November or so.

sullrich · Aug 27, 2006, 2:29 AM

Thanks for the notification.