Netgate Discussion Forum
ATT Uverse RG Bypass (0.2 BTC)

  • D
    Derelict LAYER 8 Netgate
    last edited by Jun 26, 2019, 3:34 PM

    Be sure powerd is enabled and set to Hiadaptive or Maximum in System > Advanced, Miscellaneous

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)

    • D
      Derelict LAYER 8 Netgate @JonH
      last edited by Jun 26, 2019, 3:35 PM

      @JonH said in ATT Uverse RG Bypass (0.2 BTC):

      I'm using Derelict's Build.

      To be clear, it is not my build I'm just the messenger. The main developers at Netgate built it.


      • J
        JonH @Derelict
        last edited by JonH Jun 26, 2019, 10:19 PM Jun 26, 2019, 9:57 PM

        @Derelict Thank you, it (powerd) was previously set that way.
        I'm going to disable pfBlockerNG to see if that is making a substantial hit on throughput.

        • J
          JonH @gfeiner
          last edited by Jun 27, 2019, 8:02 PM

          @gfeiner said in ATT Uverse RG Bypass (0.2 BTC):

          So maybe it is your CPU

          The link below shows the results of the shell command 'systat load' while doing a speed test. If I understand the output correctly it looks like my CPUs are doing ok.
          [Screenshot: https://imgur.com/oW4yqgC]

          I also did a speed test with pfBlockerNG disabled and there was negligible improvement.

          • B
            bulldog5
            last edited by Jul 7, 2019, 2:12 AM

            Has anyone tried using this netgraph method along with the certificate extraction from gateway method? I have the wpa_supplicant method working, but still have to use the 5-port Netgear switch in the middle of my ONT and pfSense WAN because of VLAN 0. Wondering how I could use netgraph to deal with the VLAN 0 issue.

            • G
              GoldServe @bulldog5
              last edited by Jul 23, 2019, 6:37 AM

              So I got things working by not using any netgraph scripts on my ESXi 6.7u2 virtualized pfSense instance. If you follow the instructions below, you should get things working.

              1. Set up a new vSwitch and port group with VLAN (0) and an uplink on a dedicated network uplink (allow MAC address spoofing and the other two just in case)
              2. Connect the ONT to this uplink
              3. Create a new e1000e interface that resides in the port group from 1) in pfSense (em0 for me). I tried vmxnet3 and it didn't seem to work
              4. I just took the portion of the script below to start wpa_supplicant. Find all em0 below and change to your adapter.
                  # Portion of pfatt.sh that runs for EAP_MODE=supplicant. EAP_MODE and
                  # EAP_SUPPLICANT_IDENTITY are set at the top of the full script; the
                  # enclosing if/else/fi is restored here so the fragment runs on its own.
                  if [ "${EAP_MODE}" = "supplicant" ]; then
                    /usr/bin/logger -st "pfatt" "starting wpa_supplicant..."

                    # wpa_cli commands, comma separated, applied one by one below
                    WPA_PARAMS="\
                      set eapol_version 2,\
                      set fast_reauth 1,\
                      ap_scan 0,\
                      add_network,\
                      set_network 0 ca_cert \\\"/conf/pfatt/wpa/ca.pem\\\",\
                      set_network 0 client_cert \\\"/conf/pfatt/wpa/client.pem\\\",\
                      set_network 0 eap TLS,\
                      set_network 0 eapol_flags 0,\
                      set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\
                      set_network 0 key_mgmt IEEE8021X,\
                      set_network 0 phase1 \\\"allow_canned_success=1\\\",\
                      set_network 0 private_key \\\"/conf/pfatt/wpa/private.pem\\\",\
                      enable_network 0\
                    "

                    WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -iem0 -B -C /var/run/wpa_supplicant"

                    # kill any existing wpa_supplicant process on em0
                    # (the original '[ ${PID} > 0 ]' is a shell redirect, not a test)
                    PID=$(pgrep -f "wpa_supplicant.*em0")
                    if [ -n "${PID}" ]; then
                      /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
                      RES=$(kill ${PID})
                    fi

                    # start wpa_supplicant daemon
                    RES=$(${WPA_DAEMON_CMD})
                    PID=$(pgrep -f "wpa_supplicant.*em0")
                    /usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."

                    # Set WPA configuration parameters, one wpa_cli call per entry.
                    /usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
                    IFS=","
                    for STR in ${WPA_PARAMS}; do
                      STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
                      RES=$(eval wpa_cli ${STR})
                    done
                    unset IFS

                    # wait until the supplicant reports the port as Authorized.
                    WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"

                    /usr/bin/logger -st "pfatt" "waiting for EAP authorization..."

                    # TODO: blocking for bootup (no timeout)
                    while true; do
                      WPA_STATUS=$(eval ${WPA_STATUS_CMD})
                      if [ "X${WPA_STATUS}" = "XAuthorized" ]; then
                        /usr/bin/logger -st "pfatt" "EAP authorization completed..."
                        break
                      else
                        sleep 1
                      fi
                    done
                    /usr/bin/logger -st "pfatt" "em0 should now be available to configure as your WAN..."
                    /usr/bin/logger -st "pfatt" "done!"
                  else
                    /usr/bin/logger -st "pfatt" "error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..."
                    exit 1
                  fi
              
              5. Set em0 as your WAN, DHCP, MAC spoof (RG of cert MAC address)
              6. Voila!

              I think this works because ESXi will strip and add VLAN 0 tags on the port group, so there's no need for the netgraph business. I don't think this would work by plugging into my Cisco SG500X because I can't define VLAN 0 and so the switch would just drop everything. Too bad! Let me know if anyone has any ideas to improve on things.

              • T
                t41k2m3
                last edited by Jul 25, 2019, 7:45 PM

                Would @GoldServe (or others) know how to work a similar scenario (without netgraph) with a physical switch (e.g. cisco), instead of an ESXi virtual switch (ONT --> Switch --> pfSense WAN)? Switch should do VLAN0 tagging via dot1p. Is that possible and what (affordable) switches could do that?

                • T
                  t41k2m3 @bulldog5
                  last edited by Jul 25, 2019, 7:54 PM

                  @bulldog5 sounds like you are looking for the supplicant branch:
                  https://github.com/aus/pfatt/tree/supplicant
                  Edit pfatt.sh to use EAP_MODE="supplicant" - that should create a simpler netgraph and call wpa_supplicant.
                  What netgear switch are you using and does it do outgoing VLAN0 tagging?

                  • B
                    bulldog5 @t41k2m3
                    last edited by Jul 26, 2019, 2:59 PM

                    @t41k2m3
                    I'm using a GS105Ev2 switch currently. This switch handles the VLAN 0 fine, which is why the ESXi method also works. But I'm running my pfSense on bare metal, so that option doesn't really apply to me. It would be "nice" to eliminate the GS105E in the middle of my ONT and pfSense WAN. I'll give the link you sent a shot and see how it goes. Thanks

                    • T
                      t41k2m3 @bulldog5
                      last edited by Jul 26, 2019, 6:33 PM

                      @bulldog5 curious about the config for both pfS and GS105ev2 if you don't mind. Could not get it to work with latest firmware on GS108ev3 and bare metal pfS (should be pretty close to your GS105ev2 setup) - EAP would not go through and no DHCP or anything after. Is your pfS going out on WAN NIC or do you use VLAN (if so what #/priority)? Any special settings on the switch - not much seemed to be configurable beyond 802.1q tagging and (802.1p) CoS of 0?

                      • B
                        bulldog5 @t41k2m3
                        last edited by Jul 26, 2019, 7:03 PM

                        @t41k2m3

                        GS105Ev2 settings

                        VLAN > 802.1Q TAB

                        Basic 802.1Q VLAN Status:

                        PORT 1 and 3 are both in VLAN ID 1. Those are my ONT and WAN ports.

                        Make sure you're not using Port Based and have that Disabled.

                        • T
                          t41k2m3 @bulldog5
                          last edited by Jul 26, 2019, 8:57 PM

                          @bulldog5 is it possible that pfS is doing the tagging (how is pfS setup?) or that no tagging is required at your location? It's a bit odd because it looks like the switch is just passing traffic through on native VLAN without tagging (802.1q or p).

                          • B
                            bulldog5 @t41k2m3
                            last edited by Jul 26, 2019, 10:06 PM

                            @t41k2m3 you have your MAC Address of your gateway set as your WAN interface in pfsense right?

                            • T
                              t41k2m3 @bulldog5
                              last edited by Jul 27, 2019, 12:41 AM

                              @bulldog5 Correct. Is that all you did on your pfS and it's working?

                              • B
                                bulldog5 @t41k2m3
                                last edited by Jul 27, 2019, 12:45 AM

                                @t41k2m3

                                When I was using the VLAN swap method; yes, I set my WAN interface to DHCP, and set the MAC address to the same as my gateway.

                                • B
                                  bulldog5
                                  last edited by Jul 27, 2019, 1:16 AM

                                  I've tried using the pfatt.sh script in supplicant mode, and I get the following No such file messages when I run it..

                                  pfatt: starting pfatt...
                                  pfatt: configuration:
                                  pfatt: ONT_IF = igb1
                                  pfatt: RG_ETHER_ADDR =XX:XX:XX:XX:XX:XX
                                  pfatt: EAP_MODE = supplicant
                                  pfatt: EAP_SUPPLICANT_IDENTITY = XX:XX:XX:XX:XX:XX
                                  pfatt: EAP_BRIDGE_IF = igb1
                                  pfatt: EAP_BRIDGE_5268AC = 0
                                  pfatt: resetting netgraph...
                                  pfatt: configuring EAP environment for supplicant mode...
                                  pfatt: cabling should look like this:
                                  pfatt: ONT---[] [igb1]pfSense
                                  pfatt: creating vlan node and ngeth0 interface...
                                  ngctl: send msg: No such file or directory
                                  ngctl: send msg: No such file or directory
                                  ngctl: send msg: No such file or directory
                                  ngctl: send msg: No such file or directory
                                  ngctl: send msg: No such file or directory
                                  pfatt: enabling promisc for igb1...
                                  pfatt: starting wpa_supplicant...
                                  pfatt: wpa_supplicant running on PID ...
                                  pfatt: setting wpa_supplicant network configuration...
                                  pfatt: waiting EAP for authorization...
                                  pfatt: EAP authorization completed...
                                  ifconfig: interface ngeth0 does not exist
                                  pfatt: no IP address assigned, force restarting DHCP...
                                  dhclient not running? (check /var/run/dhclient.ngeth0.pid).
                                  ifconfig: interface ngeth0 does not exist
                                  ngeth0: not found
                                  exiting.
                                  ifconfig: interface ngeth0 does not exist
                                  pfatt: IP address is ...
                                  pfatt: ngeth0 should now be available to configure as your WAN...
                                  pfatt: done!

                                  • G
                                    GoldServe @bulldog5
                                    last edited by Jul 27, 2019, 4:15 AM

                                    @bulldog5 When you issue ngctl list, do you see igb1 in the list below?

                                    • B
                                      bulldog5 @GoldServe
                                      last edited by bulldog5 Jul 27, 2019, 4:20 AM Jul 27, 2019, 4:17 AM

                                      @GoldServe

                                      No, my ONT/WAN is igb1 and LAN is igb0

                                      There are 5 total nodes:
                                      Name: igb2 Type: ether ID: 00000003 Num hooks: 0
                                      Name: igb3 Type: ether ID: 00000004 Num hooks: 0
                                      Name: ngctl92076 Type: socket ID: 00000017 Num hooks: 0
                                      Name: <unnamed> Type: socket ID: 00000007 Num hooks: 0
                                      Name: snmpd Type: socket ID: 00000009 Num hooks: 0

                                      • G
                                        GoldServe @bulldog5
                                        last edited by Jul 27, 2019, 4:43 AM

                                        @bulldog5 Well, I don't see igb1 in that list you posted. That's your problem.

                                        • B
                                          bulldog5 @GoldServe
                                          last edited by Jul 27, 2019, 4:50 AM

                                          @GoldServe

                                          Right, so how does it get in that list? I configured the pfatt.sh script and ran it. Those are the errors I get.

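The thread ends with igb1 missing from `ngctl list`, which is why every `ngctl` message fails and ngeth0 is never created. As an added example (not pfatt.sh or any poster's code), this sh pre-flight check loads ng_ether if it is not already loaded and verifies that the ONT-facing NIC is present as a netgraph ether node before pfatt.sh is run; the function names, the logger tag pfatt-check and the embedded listing (constructed from the output posted above) are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for pfatt-style netgraph setups (added example, not pfatt.sh).
# Ethernet NICs appear as netgraph "ether" nodes only while ng_ether is loaded;
# without it, ngctl reports "send msg: No such file or directory" for every
# message and the vlan node / ngeth0 interface are never created.

# Print the names of all ether-type nodes from an `ngctl list` listing on stdin.
ng_ether_nodes() {
  awk '$1 == "Name:" && $3 == "Type:" && $4 == "ether" { print $2 }'
}

# Return 0 if interface $1 is listed as an ether node in listing $2, else 1.
has_ether_node() {
  iface=$1
  listing=$2
  printf '%s\n' "$listing" | ng_ether_nodes | grep -qxF -- "$iface"
}

# Constructed from the listing posted in the thread: igb2/igb3 present, igb1 absent.
SAMPLE_LISTING='There are 5 total nodes:
  Name: igb2            Type: ether           ID: 00000003   Num hooks: 0
  Name: igb3            Type: ether           ID: 00000004   Num hooks: 0
  Name: ngctl92076      Type: socket          ID: 00000017   Num hooks: 0
  Name: <unnamed>       Type: socket          ID: 00000007   Num hooks: 0
  Name: snmpd           Type: socket          ID: 00000009   Num hooks: 0'

# Live check (FreeBSD/pfSense): load ng_ether if needed, then confirm the
# ONT-facing NIC ($1, e.g. igb1) is a netgraph ether node.
preflight() {
  ont_if=$1
  if ! kldstat -q -m ng_ether; then
    logger -st pfatt-check "ng_ether not loaded, loading it..."
    kldload ng_ether || return 1
  fi
  if has_ether_node "$ont_if" "$(ngctl list)"; then
    logger -st pfatt-check "$ont_if is a netgraph ether node, OK to run pfatt.sh"
  else
    logger -st pfatt-check "error: $ont_if has no ether node (NIC name/state?)"
    return 1
  fi
}

# Only run the live check where ngctl exists and an interface was given; the
# parsing functions above work anywhere with the constructed listing.
if command -v ngctl >/dev/null 2>&1 && [ -n "$1" ]; then
  preflight "$1"
fi
```

Run it as `sh pfatt-check.sh igb1` before pfatt.sh; a non-zero exit means the netgraph layer is not ready for the script's vlan node.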
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.