    ATT Uverse RG Bypass (0.2 BTC)

      aus

      Thank you! That’s very generous of you and much appreciated. I’m glad this solution worked for you. Cheers!

        untamedgorilla

        Thank you @aus. I'm actually using the supplicant version and it works like a charm!!! Great work. Now I have to figure out static IPs. @Dade, I'm looking at you!

          untamedgorilla

          @Dade I figured out the static IP. I just set up 1:1 NAT; it was pretty straightforward.

            Makaveli6103

            I set this up a month ago and it worked great for 2 weeks or so. Then for the past 2 weeks my connection will drop randomly every day or few days. My logs are linked below. But another question I have: is the link to the gateway supposed to work also? When I connect to it, it says there is no link and to contact ATT, but my pfSense internet works.

            Logs

              gfeiner @Makaveli6103

              @Makaveli6103 said in ATT Uverse RG Bypass (0.2 BTC):

              I set this up a month ago and it worked great for 2 weeks or so. Then for the past 2 weeks my connection will drop randomly every day or few days. My logs are linked below. But another question I have: is the link to the gateway supposed to work also? When I connect to it, it says there is no link and to contact ATT, but my pfSense internet works.

              Logs

              I believe @aus stated that (the gateway not having link) is expected since all traffic from the gateway other than authentication is blocked.

                gfeiner

                Has anyone here using this bypass method noticed the WAN lease time obtained from ATT DHCP is only 1 hour long? Apparently people using other bypass methods have noticed it as well (see here). It only seems to happen when bypassing the gateway. The lease obtained when using ip-passthrough mode is much longer. I can see that in /var/db/dhclient.leases.ngeth0 the leases are 3600 seconds, and doing a grep "renewal in" /var/log/dhcpd.log shows the lease renewing every 1800 seconds, which is the halfway point of a 3600 second lease. I'm curious if anyone can come up with a way to increase that lease time. I tried using a "send" dhcp-lease-time option to increase it, but it didn't help; the lease obtained was still 3600 seconds.

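Added example, not part of gfeiner's post: a shell helper that reads a dhclient lease file such as the /var/db/dhclient.leases.ngeth0 mentioned above and prints each lease's length, half-lease renewal point and expiry. The function names and the sample lease data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: summarise each lease block in a dhclient
# lease file (lease length, half-lease renewal point, expiry timestamp).

# Constructed sample in dhclient.leases(5) layout; documentation-range addresses.
write_sample_leases() {
    cat > "$1" <<'EOF'
lease {
  interface "ngeth0";
  fixed-address 203.0.113.25;
  option dhcp-lease-time 3600;
  renew 3 2019/1/16 05:30:00;
  rebind 3 2019/1/16 05:52:30;
  expire 3 2019/1/16 06:00:00;
}
lease {
  interface "ngeth0";
  fixed-address 203.0.113.25;
  option dhcp-lease-time 3600;
  renew 3 2019/1/16 06:00:00;
  rebind 3 2019/1/16 06:22:30;
  expire 3 2019/1/16 06:30:00;
}
EOF
}

# $1 = lease file, e.g. /var/db/dhclient.leases.ngeth0
lease_summary() {
    awk '
        $1 == "lease" { ip = "?"; secs = ""; expiry = "?" }
        $1 == "fixed-address" { ip = $2; sub(/;$/, "", ip) }
        $1 == "option" && $2 == "dhcp-lease-time" { secs = $3; sub(/;$/, "", secs) }
        $1 == "expire" { expiry = $3 " " $4; sub(/;$/, "", expiry) }
        $1 == "}" && secs != "" {
            printf "%s lease=%ds renew_in=%ds expires=%s\n", ip, secs, secs / 2, expiry
        }
    ' "$1"
}

# Count leases shorter than $2 seconds (the post above reports 3600 s leases).
short_lease_count() {
    lease_summary "$1" |
        awk -v min="$2" '{ split($2, a, "="); if (a[2] + 0 < min + 0) n++ } END { print n + 0 }'
}

tmp=$(mktemp) && write_sample_leases "$tmp"
lease_summary "$tmp"
rm -f "$tmp"
```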
                  Makaveli6103 @gfeiner

                  @gfeiner ok thanks. But any idea why my connection drops?

                    gfeiner @Makaveli6103

                    @Makaveli6103 said in ATT Uverse RG Bypass (0.2 BTC):

                    @gfeiner ok thanks. But any idea why my connection drops?

                    What is connected to igb2? The ONT or the gateway? Your logs are showing link going up and down on that port. Bad cable or faulty device connected to that port.

                      Makaveli6103 @gfeiner

                      @gfeiner igb2 is the gateway. I will change the cable. I did also turn off gateway monitoring to see if that does anything.

                        Makaveli6103 @gfeiner

                        @gfeiner I think I know what was wrong. I have the Pace 5268AC gateway and I did add the script to help with the EAP-Logoff issue. But when I added the script to the /rc.d folder I forgot to add .sh. I added it and now see it running in the logs. Hopefully this was the issue.

                          gfeiner @Makaveli6103

                          @Makaveli6103 said in ATT Uverse RG Bypass (0.2 BTC):

                          @gfeiner I think I know what was wrong. I have the Pace 5268AC gateway and I did add the script to help with the EAP-Logoff issue. But when I added the script to the /rc.d folder I forgot to add .sh. I added it and now see it running in the logs. Hopefully this was the issue.

                          Good to know.

                            JonH @gfeiner

                            @gfeiner
                            I just got the ATT 1g service, internet only, no TV or VOIP. The RG is BGW210. I changed its IP addr to 192.168.100.1 because as delivered it was the same as my pfSense box. Passthrough gives me a 5 minute lease although the setup screen has a different lease time.

                            I have an SG-2440 and behind that an unmanaged 1g switch. My speedtests run around 550 Mbps, the RG Diagnostic menu has a speed test built in which shows that it is doing ~950Mbps.

                            I realize my setup is double NAT, I am reading here to find out if I can get rid of the double NAT and if that will increase my throughput.

                            I'm still seeking more info on the pfatt patch.

                              Makaveli6103 @JonH

                              @JonH did you read the instructions on the GitHub? There is a little learning curve but it isn't too hard.

                                Derelict LAYER 8 Netgate @Makaveli6103

                                Just a quick note that the etf kernel module is now available as a command-line-installable package from the Netgate repos.

                                [2.4.4-RELEASE][root@pfSense]/root: pkg search etf
                                ng_etf-kmod-0.1                ng_etf kernel module
                                [2.4.4-RELEASE][root@pfSense]/root: pkg install ng_etf-kmod
                                Updating pfSense-core repository catalogue...
                                pfSense-core repository is up to date.
                                Updating pfSense repository catalogue...
                                pfSense repository is up to date.
                                All repositories are up to date.
                                The following 1 package(s) will be affected (of 0 checked):
                                
                                New packages to be INSTALLED:
                                	ng_etf-kmod: 0.1 [pfSense]
                                
                                Number of packages to be installed: 1
                                
                                3 KiB to be downloaded.
                                
                                Proceed with this action? [y/N]:
                                

                                No need to scp it from another FreeBSD node and it should track updates by FreeBSD.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  JonH @Derelict

                                  @Derelict said in ATT Uverse RG Bypass (0.2 BTC):

                                  etf kernel module is now available

                                  Nice. Thanks for this info

                                    JonH @JonH

                                    @JonH I've installed pfatt 2 days ago, running w/o problems except my speed tests are still ~550 (~950 if wired directly as per AT&T). I'm not running Snort or Suricata. My cpu generally runs < 15%.

                                    pfatt.sh contains (in addition to RG MAC addr):
                                    ONT_IF='igb0'
                                    RG_IF='igb3'

                                    /usr/sbin/ngctl list
                                    There are 13 total nodes:
                                    Name: igb0 Type: ether ID: 00000001 Num hooks: 1
                                    Name: <unnamed> Type: socket ID: 00000007 Num hooks: 0
                                    Name: <unnamed> Type: socket ID: 0000006a Num hooks: 0
                                    Name: <unnamed> Type: socket ID: 0000006b Num hooks: 0
                                    Name: <unnamed> Type: socket ID: 0000006c Num hooks: 0
                                    Name: <unnamed> Type: socket ID: 0000006d Num hooks: 0
                                    Name: o2m Type: one2many ID: 0000000d Num hooks: 3
                                    Name: vlan0 Type: vlan ID: 00000010 Num hooks: 2
                                    Name: ngctl25207 Type: socket ID: 000000d3 Num hooks: 0
                                    Name: ngeth0 Type: eiface ID: 00000013 Num hooks: 1
                                    Name: waneapfilter Type: etf ID: 00000017 Num hooks: 2
                                    Name: laneapfilter Type: etf ID: 0000001b Num hooks: 1
                                    Name: igb3 Type: ether ID: 0000005d Num hooks: 0

                                    One question is my interface assignments in the pfSense web configurator: The pfatt readme says "pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure ngeth0 as your pfSense WAN."
                                    In my case I didn't get any prompts so I read this to mean I should have ngeth0 as my WAN interface. Thus, I changed the WAN from igb0 to ngeth0 (and spoofing RG MAC). This leaves igb0 as "available".

                                    Is this correct or am I misreading the readme? Should WAN remain igb0?

                                    There was one comment earlier in this thread to make sure pfatt was being executed at <earlyshellcmd>. How would I determine that? And the etf filters have fewer hooks than an example posted earlier in this thread. Is that important?

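Added example, not part of JonH's post or the pfatt project: a shell check that parses `ngctl list` output and confirms the netgraph nodes shown in the listing above are present with the expected types, printing their hook counts. The expected name/type pairs are taken from that listing and are an assumption about a working setup; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the pfatt project): check `ngctl list`
# output for the netgraph nodes shown in the post above and report hook counts.

# name:type pairs copied from the listing in the post. Treating them as the
# expected set is an assumption; adjust for your pfatt version and mode.
EXPECTED="o2m:one2many vlan0:vlan ngeth0:eiface waneapfilter:etf laneapfilter:etf"

# Constructed sample: a subset of the listing quoted in the post.
sample_ngctl_list() {
    cat <<'EOF'
Name: igb0 Type: ether ID: 00000001 Num hooks: 1
Name: <unnamed> Type: socket ID: 00000007 Num hooks: 0
Name: o2m Type: one2many ID: 0000000d Num hooks: 3
Name: vlan0 Type: vlan ID: 00000010 Num hooks: 2
Name: ngeth0 Type: eiface ID: 00000013 Num hooks: 1
Name: waneapfilter Type: etf ID: 00000017 Num hooks: 2
Name: laneapfilter Type: etf ID: 0000001b Num hooks: 1
Name: igb3 Type: ether ID: 0000005d Num hooks: 0
EOF
}

# Reads `ngctl list` output on stdin and prints one status line per expected
# node. Returns non-zero if any expected node is missing or has another type.
check_pfatt_nodes() {
    awk -v expected="$EXPECTED" '
        $1 == "Name:" && $3 == "Type:" { type[$2] = $4; hooks[$2] = $NF }
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++) {
                split(want[i], p, ":")
                if (!(p[1] in type)) {
                    printf "MISSING %s (%s)\n", p[1], p[2]; bad = 1
                } else if (type[p[1]] != p[2]) {
                    printf "WRONGTYPE %s is %s, expected %s\n", p[1], type[p[1]], p[2]; bad = 1
                } else {
                    printf "OK %s type=%s hooks=%s\n", p[1], p[2], hooks[p[1]]
                }
            }
            exit bad + 0
        }'
}

# On the firewall: /usr/sbin/ngctl list | check_pfatt_nodes
sample_ngctl_list | check_pfatt_nodes
```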
                                      Derelict LAYER 8 Netgate

                                      I would not edit the configuration to add the shell command. I would use the Shell Command package. There is an option there to select early.

                                        JonH

                                        @Derelict said in ATT Uverse RG Bypass (0.2 BTC):

                                        I would use the Shell Command package.

                                        Thank you. I was not aware of that package.
                                        I'll give it a shot.

                                          aus

                                          re: which interface, your WAN should be ‘ngeth0’. If pfSense doesn’t prompt you to configure, you should manually set it.

                                          re: performance, early shell cmd won’t improve that. Unfortunately, Netgraph configured as such does add a bit of CPU overhead at high network utilization. If your total CPU does not exceed ~15% under high network utilization, I would double check your single core performance. It may be maxed on a single core.

                                          I’ve tested pfatt on a couple different boxes. Some performed better than others. My current CPU can mostly saturate (900+) my 1000/1000 plan:

                                          AMD GX-420CA SOC
                                          Current: 800 MHz, Max: 2000 MHz
                                          4 CPUs: 1 package(s) x 4 core(s)
                                          AES-NI CPU Crypto: Yes (active)

                                          Supplicant mode has a little less overhead since the Netgraph is simpler. You might get more out of your hardware with that.

                                            JonH

                                            @aus: Thanks for feedback.

                                            ngeth0 is on WAN. In the Interface Assignments menu that leaves igb0 down.
                                            My CPU at ~15% is just average network usage. I don't run web servers. I have minimal streaming.
                                            According to top, running in the shell, my largest cpu load is ntopng, I have disabled that and there is no noticeable improvement.

                                            pfSense is running on an SG-2440 appliance (pre-Netgate appliance). It has 2 Atom C2358 1.7 GHz CPUs. I don't know how to check the individual CPU performance.
                                            For crypto I think my setting is default, I don't recall setting it. It is set to BSD cryptodev but I will try no crypto to see if there is a noticeable difference.
                                            I'm using a dumb switch.
                                            I have a BGW210-700 & am not using the AT&T wifi.
                                            Is Supplicant Mode a function of compiling the etf.ko? If not, how do I remove it? I'm using Derelict's Build.

                                            For kicks, I unplugged my LAN cable (igb1) and plugged a linux box directly into it (leaving a single NAS on igb2 & the RG on igb3). Same ~500 speedtest.net results. That linux box plugged into AT&T default setup is ~800-900.

                                            You are at 4 cores, I'm at 2 cores. Maybe my throughput is the best I can expect with my SG-2440?
