ATT Uverse RG Bypass (0.2 BTC)
-
@AiC0315 I am using bridge mode, 3 interfaces for the default pfatt method, my device is a SG-8860 so I have 6 ports, all in use. But I have my primary LAN, the Uverse WAN, and the Uverse 210 gateway device. On top of that are my other networks including my still functional AT&T Enterprise WAN, VOIP Lan, some VLANS, and a port dedicated for my CARP HA failover configurations. The unplugged method was my reference to attempting some dumb switch methods I have seen documented where you simply only plug the RG in when loosing connection and needing re-authentication. I am wondering if something has changed with the latest firmware, that is denying my Cascade Router feature, or if something could be different for being in a multi-tenant office building.
-
@phatty It wouldn't surprise me at all if something on ATT's end has changed. I was using the DMZ+ mode on my pace gateway and one day I had no internet, due to a firmware update.
I would go back and carefully look at the pfatt instructions. Bridge mode is very easy to get working.
FYI I never got the dumb switch method to work either.
-
@phatty Using the dumb switch method have you tried configuring the wan interface on your pfsense box statically with the ip assigned to your att modem during authentication?
-
@gfeiner said in ATT Uverse RG Bypass (0.2 BTC):
FYI. I'm doing this bypass on my netgate SG5100 and I can get in the 900-940Mb range with ATT UVERSE gigabit plan. So maybe it is your CPU.
Well, it appears you were right and thanks for the suggestion. Last week I retired my SG2440 for a SG5100. I still have not installed all the pkg's I was using in 2440 but I didn't run IDS stuff so I don't think what I haven't installed impacts my speed.
Using CLI speedtest I am getting 950-990 which is about 2x what I was getting before. I am not currently using the aus rg-bypass, just the BGW ip-passthrough.
-
I am getting a staggering amount of packet loss (10-13% spikes), is there anyway that the bypass is causing this? or should i look elsewhere? I'm new btw.
-
There is a hacky way around the RG by using a smart-dumb switch that supports vlan0, I use an inexpensive Netgear prosafe switch. PFSense WAN, ONT, and RG ONT, all 3 get plugged into the switch. The RG gets powered on for AUTH when needed, but mainly stays off. PFSense WAN mac clone of the RG WAN. With a battery backup on the ONT incase of rando power flickers, I go several months between needing to re-auth the RG.
-
@GoldServe said in ATT Uverse RG Bypass (0.2 BTC):
So I got things working by not using any netgraph scripts on my ESXi 6.7u2 virtualized pfSense instance. If you follow the instructions below, you should get things working.
- Set up a new VSWITCH, port group with VLAN(0) and uplink on a dedicated network uplink (Allow mac address spoofing and the other two just incase)
- Connect the ONT to this uplink
- Create a new e1000e interface that resides in the port group from 1) in pFsense (em0 for me). I tried vmxnet3 and didn't seem to work
- I just took the portion of the script below to start wpa_supplicant. Find all em0 below and change with your adapter.
/usr/bin/logger -st "pfatt" "starting wpa_supplicant..." WPA_PARAMS="\ set eapol_version 2,\ set fast_reauth 1,\ ap_scan 0,\ add_network,\ set_network 0 ca_cert \\\"/conf/pfatt/wpa/ca.pem\\\",\ set_network 0 client_cert \\\"/conf/pfatt/wpa/client.pem\\\",\ set_network 0 eap TLS,\ set_network 0 eapol_flags 0,\ set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\ set_network 0 key_mgmt IEEE8021X,\ set_network 0 phase1 \\\"allow_canned_success=1\\\",\ set_network 0 private_key \\\"/conf/pfatt/wpa/private.pem\\\",\ enable_network 0\ " WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -iem0 -B -C /var/run/wpa_supplicant" # kill any existing wpa_supplicant process PID=$(pgrep -f "wpa_supplicant.*em0") if [ ${PID} > 0 ]; then /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..." RES=$(kill ${PID}) fi # start wpa_supplicant daemon RES=$(${WPA_DAEMON_CMD}) PID=$(pgrep -f "wpa_supplicant.*em0") /usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..." # Set WPA configuration parameters. /usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..." IFS="," for STR in ${WPA_PARAMS}; do STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')" RES=$(eval wpa_cli ${STR}) done # wait until wpa_cli has authenticated. WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2" /usr/bin/logger -st "pfatt" "waiting EAP for authorization..." # TODO: blocking for bootup while true; do WPA_STATUS=$(eval ${WPA_STATUS_CMD}) if [ X${WPA_STATUS} = X"Authorized" ]; then /usr/bin/logger -st "pfatt" "EAP authorization completed..." break else sleep 1 fi done /usr/bin/logger -st "pfatt" "em0 should now be available to configure as your WAN..." /usr/bin/logger -st "pfatt" "done!" else /usr/bin/logger -st "pfatt" "error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..." exit 1 fi
- Set em0 as your wan, DHCP, mac spoof (RG of cert MAC address)
- Voila!
I think this works because ESXI will strip and add VLAN0 tags on the port group so no need netgraph business. I don't think this would work by plugging into my Cisco SG500x because I can't define VLAN0 and so the switch would just drop everything. Too bad! Let me know if anyone has any ideas to improve on things.
I guess I have bad luck, my nic is also em0 and I made sure my certs were named the same as your script. Sadly I still get stuck at: pfatt: waiting EAP for authorization. No logs from pffat in /var/log either.
@GoldServe said in ATT Uverse RG Bypass (0.2 BTC):
So I got things working by not using any netgraph scripts on my ESXi 6.7u2 virtualized pfSense instance. If you follow the instructions below, you should get things working.
- Set up a new VSWITCH, port group with VLAN(0) and uplink on a dedicated network uplink (Allow mac address spoofing and the other two just incase)
- Connect the ONT to this uplink
- Create a new e1000e interface that resides in the port group from 1) in pFsense (em0 for me). I tried vmxnet3 and didn't seem to work
- I just took the portion of the script below to start wpa_supplicant. Find all em0 below and change with your adapter.
/usr/bin/logger -st "pfatt" "starting wpa_supplicant..." WPA_PARAMS="\ set eapol_version 2,\ set fast_reauth 1,\ ap_scan 0,\ add_network,\ set_network 0 ca_cert \\\"/conf/pfatt/wpa/ca.pem\\\",\ set_network 0 client_cert \\\"/conf/pfatt/wpa/client.pem\\\",\ set_network 0 eap TLS,\ set_network 0 eapol_flags 0,\ set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\ set_network 0 key_mgmt IEEE8021X,\ set_network 0 phase1 \\\"allow_canned_success=1\\\",\ set_network 0 private_key \\\"/conf/pfatt/wpa/private.pem\\\",\ enable_network 0\ " WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -iem0 -B -C /var/run/wpa_supplicant" # kill any existing wpa_supplicant process PID=$(pgrep -f "wpa_supplicant.*em0") if [ ${PID} > 0 ]; then /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..." RES=$(kill ${PID}) fi # start wpa_supplicant daemon RES=$(${WPA_DAEMON_CMD}) PID=$(pgrep -f "wpa_supplicant.*em0") /usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..." # Set WPA configuration parameters. /usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..." IFS="," for STR in ${WPA_PARAMS}; do STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')" RES=$(eval wpa_cli ${STR}) done # wait until wpa_cli has authenticated. WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2" /usr/bin/logger -st "pfatt" "waiting EAP for authorization..." # TODO: blocking for bootup while true; do WPA_STATUS=$(eval ${WPA_STATUS_CMD}) if [ X${WPA_STATUS} = X"Authorized" ]; then /usr/bin/logger -st "pfatt" "EAP authorization completed..." break else sleep 1 fi done /usr/bin/logger -st "pfatt" "em0 should now be available to configure as your WAN..." /usr/bin/logger -st "pfatt" "done!" else /usr/bin/logger -st "pfatt" "error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..." exit 1 fi
- Set em0 as your wan, DHCP, mac spoof (RG of cert MAC address)
- Voila!
I think this works because ESXI will strip and add VLAN0 tags on the port group so no need netgraph business. I don't think this would work by plugging into my Cisco SG500x because I can't define VLAN0 and so the switch would just drop everything. Too bad! Let me know if anyone has any ideas to improve on things.
-
@archerious said in ATT Uverse RG Bypass (0.2 BTC):
@GoldServe said in ATT Uverse RG Bypass (0.2 BTC):
So I got things working by not using any netgraph scripts on my ESXi 6.7u2 virtualized pfSense instance. If you follow the instructions below, you should get things working.
- Set up a new VSWITCH, port group with VLAN(0) and uplink on a dedicated network uplink (Allow mac address spoofing and the other two just incase)
- Connect the ONT to this uplink
- Create a new e1000e interface that resides in the port group from 1) in pFsense (em0 for me). I tried vmxnet3 and didn't seem to work
- I just took the portion of the script below to start wpa_supplicant. Find all em0 below and change with your adapter.
/usr/bin/logger -st "pfatt" "starting wpa_supplicant..." WPA_PARAMS="\ set eapol_version 2,\ set fast_reauth 1,\ ap_scan 0,\ add_network,\ set_network 0 ca_cert \\\"/conf/pfatt/wpa/ca.pem\\\",\ set_network 0 client_cert \\\"/conf/pfatt/wpa/client.pem\\\",\ set_network 0 eap TLS,\ set_network 0 eapol_flags 0,\ set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\ set_network 0 key_mgmt IEEE8021X,\ set_network 0 phase1 \\\"allow_canned_success=1\\\",\ set_network 0 private_key \\\"/conf/pfatt/wpa/private.pem\\\",\ enable_network 0\ " WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -iem0 -B -C /var/run/wpa_supplicant" # kill any existing wpa_supplicant process PID=$(pgrep -f "wpa_supplicant.*em0") if [ ${PID} > 0 ]; then /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..." RES=$(kill ${PID}) fi # start wpa_supplicant daemon RES=$(${WPA_DAEMON_CMD}) PID=$(pgrep -f "wpa_supplicant.*em0") /usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..." # Set WPA configuration parameters. /usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..." IFS="," for STR in ${WPA_PARAMS}; do STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')" RES=$(eval wpa_cli ${STR}) done # wait until wpa_cli has authenticated. WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2" /usr/bin/logger -st "pfatt" "waiting EAP for authorization..." # TODO: blocking for bootup while true; do WPA_STATUS=$(eval ${WPA_STATUS_CMD}) if [ X${WPA_STATUS} = X"Authorized" ]; then /usr/bin/logger -st "pfatt" "EAP authorization completed..." break else sleep 1 fi done /usr/bin/logger -st "pfatt" "em0 should now be available to configure as your WAN..." /usr/bin/logger -st "pfatt" "done!" else /usr/bin/logger -st "pfatt" "error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..." exit 1 fi
- Set em0 as your wan, DHCP, mac spoof (RG of cert MAC address)
- Voila!
I think this works because ESXI will strip and add VLAN0 tags on the port group so no need netgraph business. I don't think this would work by plugging into my Cisco SG500x because I can't define VLAN0 and so the switch would just drop everything. Too bad! Let me know if anyone has any ideas to improve on things.
I guess I have bad luck, my nic is also em0 and I made sure my certs were named the same as your script. Sadly I still get stuck at: pfatt: waiting EAP for authorization. No logs from pffat in /var/log either.
@GoldServe said in ATT Uverse RG Bypass (0.2 BTC):
So I got things working by not using any netgraph scripts on my ESXi 6.7u2 virtualized pfSense instance. If you follow the instructions below, you should get things working.
- Set up a new VSWITCH, port group with VLAN(0) and uplink on a dedicated network uplink (Allow mac address spoofing and the other two just incase)
- Connect the ONT to this uplink
- Create a new e1000e interface that resides in the port group from 1) in pFsense (em0 for me). I tried vmxnet3 and didn't seem to work
- I just took the portion of the script below to start wpa_supplicant. Find all em0 below and change with your adapter.
/usr/bin/logger -st "pfatt" "starting wpa_supplicant..." WPA_PARAMS="\ set eapol_version 2,\ set fast_reauth 1,\ ap_scan 0,\ add_network,\ set_network 0 ca_cert \\\"/conf/pfatt/wpa/ca.pem\\\",\ set_network 0 client_cert \\\"/conf/pfatt/wpa/client.pem\\\",\ set_network 0 eap TLS,\ set_network 0 eapol_flags 0,\ set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\ set_network 0 key_mgmt IEEE8021X,\ set_network 0 phase1 \\\"allow_canned_success=1\\\",\ set_network 0 private_key \\\"/conf/pfatt/wpa/private.pem\\\",\ enable_network 0\ " WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -iem0 -B -C /var/run/wpa_supplicant" # kill any existing wpa_supplicant process PID=$(pgrep -f "wpa_supplicant.*em0") if [ ${PID} > 0 ]; then /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..." RES=$(kill ${PID}) fi # start wpa_supplicant daemon RES=$(${WPA_DAEMON_CMD}) PID=$(pgrep -f "wpa_supplicant.*em0") /usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..." # Set WPA configuration parameters. /usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..." IFS="," for STR in ${WPA_PARAMS}; do STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')" RES=$(eval wpa_cli ${STR}) done # wait until wpa_cli has authenticated. WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2" /usr/bin/logger -st "pfatt" "waiting EAP for authorization..." # TODO: blocking for bootup while true; do WPA_STATUS=$(eval ${WPA_STATUS_CMD}) if [ X${WPA_STATUS} = X"Authorized" ]; then /usr/bin/logger -st "pfatt" "EAP authorization completed..." break else sleep 1 fi done /usr/bin/logger -st "pfatt" "em0 should now be available to configure as your WAN..." /usr/bin/logger -st "pfatt" "done!" else /usr/bin/logger -st "pfatt" "error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..." exit 1 fi
- Set em0 as your wan, DHCP, mac spoof (RG of cert MAC address)
- Voila!
I think this works because ESXI will strip and add VLAN0 tags on the port group so no need netgraph business. I don't think this would work by plugging into my Cisco SG500x because I can't define VLAN0 and so the switch would just drop everything. Too bad! Let me know if anyone has any ideas to improve on things.
Can you post your ESXi vSwitch settings for your WAN device? I just setup this over the weekend and had no issues. Granted I edited the pfatt.sh script directly to change a few things but it worked for me without issues.
-
@GoldServe Got it working, had to modify the script and also modify vswitchWAN with the MAC address of the certs as well as put that MAC inside pfsense under WAN. Everything worked as soon as I did that. Not sure if that was to be assumed, but I didn't realize it until I noticed the e1000e interface in ESXI had assigned some odd MAC address.
-
anyone upgrade to 2.4.5 yet?
-
@chewsie said in ATT Uverse RG Bypass (0.2 BTC):
anyone upgrade to 2.4.5 yet?
I am waiting. Not sure if upgrading will break pfatt.
-
@chewsie I did. Nothing broke on the script I used from GoldServe.
Can't comment if netgraph will be affected though.
-
Not sure why you guys are continuing to waste your time trying to re-invent the wheel. Use the wpa_supplicant method from: https://github.com/aus/pfatt/tree/supplicant
If you have your certs extracted already, follow the directions. the netgraph part in that script works just fine, you don't need to screw around with a dumb switch for VLAN0. Let it do its thing, and forget about it.
-
@chewsie said in ATT Uverse RG Bypass (0.2 BTC):
anyone upgrade to 2.4.5 yet?
Yes, last night.
Running supplicant mode with ESX.
-
@Makaveli6103 said in ATT Uverse RG Bypass (0.2 BTC):
I am waiting. Not sure if upgrading will break pfatt.
Shouldn't break it, at least it didn't on netgate amd64 bare-metal hw, netgraph and wpa_supplicant still working.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
Not sure why you guys are continuing to waste your time trying to re-invent the wheel. Use the wpa_supplicant method from: https://github.com/aus/pfatt/tree/supplicant
If you have your certs extracted already, follow the directions. the netgraph part in that script works just fine, you don't need to screw around with a dumb switch for VLAN0. Let it do its thing, and forget about it.
I don't like the netgraph method since there are certain things you can't do with it, like traffic shaping, but I did modify the PFATT process on supplicant using VMWare's VLAN0 stripping and a straight em0 interface.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
Not sure why you guys are continuing to waste your time trying to re-invent the wheel. Use the wpa_supplicant method from: https://github.com/aus/pfatt/tree/supplicant
If you have your certs extracted already, follow the directions. the netgraph part in that script works just fine, you don't need to screw around with a dumb switch for VLAN0. Let it do its thing, and forget about it.
I had no idea there was a supplicant method. I will switch over this weekend.
-
@pyrodex why not? (I don't do traffic shapping) but I'm interested in why it doesn't work.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
@pyrodex why not? (I don't do traffic shapping) but I'm interested in why it doesn't work.
Traffic shaping works for me. Using CoDel.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
Not sure why you guys are continuing to waste your time trying to re-invent the wheel. Use the wpa_supplicant method from: https://github.com/aus/pfatt/tree/supplicant
If you have your certs extracted already, follow the directions. the netgraph part in that script works just fine, you don't need to screw around with a dumb switch for VLAN0. Let it do its thing, and forget about it.
I couldn't get netgraph to work but I have had no issues with the VMware method.