ATT Uverse RG Bypass (0.2 BTC)
-
There is a hacky way around the RG by using a smart-dumb switch that supports VLAN 0; I use an inexpensive Netgear ProSafe switch. pfSense WAN, ONT, and RG ONT, all 3 get plugged into the switch. The RG gets powered on for AUTH when needed, but mainly stays off. pfSense WAN MAC clone of the RG WAN. With a battery backup on the ONT in case of rando power flickers, I go several months between needing to re-auth the RG.
-
@GoldServe said in ATT Uverse RG Bypass (0.2 BTC):
So I got things working by not using any netgraph scripts on my ESXi 6.7u2 virtualized pfSense instance. If you follow the instructions below, you should get things working.
1. Set up a new vSwitch, port group with VLAN 0 and uplink on a dedicated network uplink (allow MAC address spoofing and the other two just in case)
2. Connect the ONT to this uplink
3. Create a new e1000e interface that resides in the port group from step 1 in pfSense (em0 for me). I tried vmxnet3 and it didn't seem to work
4. I just took the portion of the script below to start wpa_supplicant. Find all em0 below and change it to your adapter.
```sh
# Portion of pfatt.sh that starts wpa_supplicant. The posted fragment begins
# inside the EAP_MODE branch; the opening "if" line is reconstructed here so the
# trailing else/fi (which is part of the fragment) has something to close.
if [ "${EAP_MODE}" = "supplicant" ]; then
  /usr/bin/logger -st "pfatt" "starting wpa_supplicant..."

  # One wpa_cli command per comma-separated entry; the \" escapes survive the
  # eval below so wpa_cli receives the paths as quoted strings.
  WPA_PARAMS="\
    set eapol_version 2,\
    set fast_reauth 1,\
    ap_scan 0,\
    add_network,\
    set_network 0 ca_cert \\\"/conf/pfatt/wpa/ca.pem\\\",\
    set_network 0 client_cert \\\"/conf/pfatt/wpa/client.pem\\\",\
    set_network 0 eap TLS,\
    set_network 0 eapol_flags 0,\
    set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\
    set_network 0 key_mgmt IEEE8021X,\
    set_network 0 phase1 \\\"allow_canned_success=1\\\",\
    set_network 0 private_key \\\"/conf/pfatt/wpa/private.pem\\\",\
    enable_network 0\
  "
  WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -iem0 -B -C /var/run/wpa_supplicant"

  # kill any existing wpa_supplicant process
  PID=$(pgrep -f "wpa_supplicant.*em0")
  # original read "[ ${PID} > 0 ]", which is a redirect, not a comparison
  if [ -n "${PID}" ]; then
    /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
    RES=$(kill ${PID})
  fi

  # start wpa_supplicant daemon
  RES=$(${WPA_DAEMON_CMD})
  PID=$(pgrep -f "wpa_supplicant.*em0")
  /usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."

  # Set WPA configuration parameters.
  /usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
  IFS=","
  for STR in ${WPA_PARAMS}; do
    STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
    RES=$(eval wpa_cli ${STR})
  done
  unset IFS   # restore default word splitting for the rest of the script

  # wait until wpa_cli has authenticated.
  WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
  /usr/bin/logger -st "pfatt" "waiting EAP for authorization..."
  # TODO: blocking for bootup
  while true; do
    WPA_STATUS=$(eval ${WPA_STATUS_CMD})
    if [ X${WPA_STATUS} = X"Authorized" ]; then
      /usr/bin/logger -st "pfatt" "EAP authorization completed..."
      break
    else
      sleep 1
    fi
  done
  /usr/bin/logger -st "pfatt" "em0 should now be available to configure as your WAN..."
  /usr/bin/logger -st "pfatt" "done!"
else
  /usr/bin/logger -st "pfatt" "error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..."
  exit 1
fi
```
5. Set em0 as your WAN, DHCP, MAC spoof (the MAC address of the RG the certs came from)
6. Voila!
I think this works because ESXi will strip and add VLAN 0 tags on the port group, so there is no need for the netgraph business. I don't think this would work by plugging into my Cisco SG500x because I can't define VLAN 0 and so the switch would just drop everything. Too bad! Let me know if anyone has any ideas to improve on things.
I guess I have bad luck, my NIC is also em0 and I made sure my certs were named the same as in your script. Sadly I still get stuck at: pfatt: waiting EAP for authorization. No logs from pfatt in /var/log either.
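The script above blocks in `while true` once it logs "waiting EAP for authorization", which is exactly where the reply above got stuck with nothing further in the logs. The following is an added example, not code from pfatt or from anyone in this thread: a bounded wait that, on timeout, reads the rest of the `wpa_cli status` output and logs whether the supplicant ever heard back from the authenticator, so a VLAN 0 plumbing problem can be told apart from rejected credentials. Assumed: em0 is the WAN NIC, `wpa_cli` uses its default control socket, and the sample status dumps are constructed.

```shell
#!/bin/sh
# Added example (not from pfatt or the thread): a bounded replacement for the
# script's "while true" wait loop that logs where the supplicant is stuck.
# Assumes em0 is the WAN NIC and wpa_cli uses its default control socket.

# Pull "key=value" out of a wpa_cli status dump ($1 = dump text, $2 = key).
status_field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Classify a wpa_cli status dump (heuristic, based on the 802.1X PAE state):
#   authorized        suppPortStatus=Authorized, em0 is usable as WAN
#   rejected          PAE HELD or EAP FAILURE: the authenticator answered and
#                     refused the credentials (cert/key/identity problem)
#   no-authenticator  still CONNECTING/DISCONNECTED: EAPOL-Start went out and
#                     nothing came back, typically the VLAN 0 frames from the
#                     ONT never reach em0 (port group / vSwitch problem)
#   in-progress       EAP-TLS exchange underway
#   unknown           empty or unexpected output (is wpa_supplicant running?)
# Returns 0 only when authorized.
eap_diagnosis() {
    port=$(status_field "$1" "suppPortStatus")
    pae=$(status_field "$1" "Supplicant PAE state")
    eap=$(status_field "$1" "EAP state")
    if [ "X${port}" = "XAuthorized" ]; then
        echo authorized
        return 0
    fi
    case "${pae}" in
        HELD)                     echo rejected ;;
        CONNECTING|DISCONNECTED)  echo no-authenticator ;;
        AUTHENTICATING|RESTART)   echo in-progress ;;
        *) if [ "X${eap}" = "XFAILURE" ]; then echo rejected; else echo unknown; fi ;;
    esac
    return 1
}

# Bounded wait: $1 = seconds to allow (default 120). Returns 0 once authorized,
# otherwise logs the diagnosis and returns 1 so boot can continue.
wait_for_eap() {
    deadline=$(( $(date +%s) + ${1:-120} ))
    verdict=unknown
    while [ "$(date +%s)" -lt "${deadline}" ]; do
        verdict=$(eap_diagnosis "$(wpa_cli status 2>/dev/null)")
        [ "${verdict}" = "authorized" ] && return 0
        sleep 1
    done
    /usr/bin/logger -st "pfatt" "EAP authorization timed out, supplicant state: ${verdict}"
    return 1
}

# Constructed sample dumps (not captured from a real link) for self-checking.
SAMPLE_OK="Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)"
SAMPLE_STUCK="Supplicant PAE state=CONNECTING
suppPortStatus=Unauthorized
EAP state=IDLE"
SAMPLE_HELD="Supplicant PAE state=HELD
suppPortStatus=Unauthorized
EAP state=FAILURE"
```

In the script, `wait_for_eap 120` would replace the `while true` loop; a "no-authenticator" verdict points at the vSwitch/VLAN 0 path rather than at the certificates.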
-
@archerious said in ATT Uverse RG Bypass (0.2 BTC):
I guess I have bad luck, my NIC is also em0 and I made sure my certs were named the same as in your script. Sadly I still get stuck at: pfatt: waiting EAP for authorization. No logs from pfatt in /var/log either.
Can you post your ESXi vSwitch settings for your WAN device? I just set this up over the weekend and had no issues. Granted, I edited the pfatt.sh script directly to change a few things, but it worked for me without issues.
-
@GoldServe Got it working, had to modify the script and also modify vswitchWAN with the MAC address of the certs as well as put that MAC inside pfSense under WAN. Everything worked as soon as I did that. Not sure if that was to be assumed, but I didn't realize it until I noticed the e1000e interface in ESXi had assigned some odd MAC address.
-
anyone upgrade to 2.4.5 yet?
-
@chewsie said in ATT Uverse RG Bypass (0.2 BTC):
anyone upgrade to 2.4.5 yet?
I am waiting. Not sure if upgrading will break pfatt.
-
@chewsie I did. Nothing broke on the script I used from GoldServe.
Can't comment if netgraph will be affected though.
-
Not sure why you guys are continuing to waste your time trying to re-invent the wheel. Use the wpa_supplicant method from: https://github.com/aus/pfatt/tree/supplicant
If you have your certs extracted already, follow the directions. The netgraph part in that script works just fine; you don't need to screw around with a dumb switch for VLAN 0. Let it do its thing, and forget about it.
-
@chewsie said in ATT Uverse RG Bypass (0.2 BTC):
anyone upgrade to 2.4.5 yet?
Yes, last night.
Running supplicant mode with ESX.
-
@Makaveli6103 said in ATT Uverse RG Bypass (0.2 BTC):
I am waiting. Not sure if upgrading will break pfatt.
Shouldn't break it, at least it didn't on netgate amd64 bare-metal hw, netgraph and wpa_supplicant still working.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
Not sure why you guys are continuing to waste your time trying to re-invent the wheel. Use the wpa_supplicant method from: https://github.com/aus/pfatt/tree/supplicant
If you have your certs extracted already, follow the directions. The netgraph part in that script works just fine; you don't need to screw around with a dumb switch for VLAN 0. Let it do its thing, and forget about it.
I don't like the netgraph method since there are certain things you can't do with it, like traffic shaping, but I did modify the PFATT process on supplicant using VMWare's VLAN0 stripping and a straight em0 interface.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
Not sure why you guys are continuing to waste your time trying to re-invent the wheel. Use the wpa_supplicant method from: https://github.com/aus/pfatt/tree/supplicant
If you have your certs extracted already, follow the directions. The netgraph part in that script works just fine; you don't need to screw around with a dumb switch for VLAN 0. Let it do its thing, and forget about it.
I had no idea there was a supplicant method. I will switch over this weekend.
-
@pyrodex why not? (I don't do traffic shaping) but I'm interested in why it doesn't work.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
@pyrodex why not? (I don't do traffic shaping) but I'm interested in why it doesn't work.
Traffic shaping works for me. Using CoDel.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
Not sure why you guys are continuing to waste your time trying to re-invent the wheel. Use the wpa_supplicant method from: https://github.com/aus/pfatt/tree/supplicant
If you have your certs extracted already, follow the directions. The netgraph part in that script works just fine; you don't need to screw around with a dumb switch for VLAN 0. Let it do its thing, and forget about it.
I couldn't get netgraph to work but I have had no issues with the VMware method.
-
I recently got certs from an nvg-589 so I could switch from the full netgraph to supplicant. I'm having the same issue as @AiC0315 where it hangs on waiting for eap authorization. The only difference is my pem files were already correctly named and have proper permissions so I'm at a loss.
The RGW I purchased was configured for dsl when I downloaded the certs. I have since factory reset the unit to verify that it would connect and it did. Do I need to redownload the certs now that it's in ethernet mode? (edit - Apparently I can't get into ssh anymore)
I have disabled the old pfatt script but I didn't disable the 5268ac reauth script. Could that be causing issues?
Lastly, I have changed the spoofed mac from my 5268ac to match the mac of the extracted certs.
edit - Finally got it working after making the changes suggested here - https://github.com/aus/pfatt/pull/19#issuecomment-605648696
-
I have been running pfSense for many years. I think I've been using it for around 10 years (having come from SmoothWall, which stagnated over 10 years ago). I have been happy with my ISP, which I've had since 2006, including a move in 2011 to my current home. Alas, the wife wanted to buy a new house and we take possession of the new house tomorrow. Unfortunately, my current ISP did not expand to the community where my new house has been built, for whatever reason, even though it remains in the same small city. Instead, I will have to move to AT&T if I wish to maintain synchronous gigabit service. My current ISP provides a fiber gateway that only operates in bridge mode. At the utility service demarcation location of my house, the fiber comes into the gateway, which has six RJ45 network jacks and four RJ12 telephone jacks. Port #1 on this gateway goes directly into a router while the other five are to be routed to set-top boxes, should I choose their video service, which I don't; I also do not use the telephone jacks.
In my research of AT&T, it appears that instead of having an all-in-one box that exists on the side of the house, they route the fiber to an Optical Network Terminal inside the home, which then runs to a Residential Gateway, which appears to be a WiFi router. I do not want to use a WiFi router but continue using my pfSense and my Unifi UAP-AC Pro access points placed strategically in the new house. I have read about different ways to get around this and want to make it as seamless as possible.
Of all the methods I've seen, it appears that the GitHub project "pfatt" is the best solution for bypassing the residential gateway. As I read further, there are two different methods of using it, with one taking quite a bit of skill to pull off: the "netgraph" method or the "WPA Supplicant" method. I believe I will be starting off by using the original "netgraph" method of connecting the WAN port of the pfSense to the ONT and placing the RG on a third Ethernet port (my pfSense machine has four gigabit ports, so not a big deal for me). The idea of using the WPA Supplicant method is intriguing, but it sounds difficult to acquire the keys needed to facilitate it... I've seen people talking about opening up a gateway, desoldering a memory chip to put in a chip reader to dump data. If there is an easier way to get the needed information, I would love to learn about it.
I have already downloaded the script, compiled my “ng_etf.ko” and copied it to the kernel and modified the script with the known Ethernet ports each device will be plugged into. I know I will need to obtain the MAC address of my RG when it arrives, move my script, and enable it in the “/conf/config.xml” but what else will I need to do? Do I need to tell the installer to put it into a certain mode? Should I pretend like I’m going to use the gateway the way AT&T anticipates most people do while the installer is there and then change everything once they are gone?
Is there some other forum for discussing this? It seems odd that the only support is following a single thread covering several different aspects of the process. It would make more sense if the Netgate pfSense forum had a category for "Third-party Packages, Plugins, or Mods" and then sub-categories below that. Upon asking a question on the GitHub page for pfatt, I was curtly told to look at the bounties section of this forum. Searching through a single, disjointed thread is like searching for a needle in a haystack, especially since the thread isn't labeled "pfatt".
-
@RonRN18 The easiest way to get the certs is to find somebody selling them. I was able to get mine from a guy on the dslreports forums. Once set up, the wpa_supplicant method works very well. The only problem I had was my Intel N3700 powered pfSense box would not pull full line speed; it topped out around 500 Mbps. I have since moved to a Xeon E3-1220V3 and have no problems pulling full line speed. I've had my gateway unplugged since September 2019.
-
@RonRN18 said in ATT Uverse RG Bypass (0.2 BTC):
In my research of AT&T, it appears that instead of having an all-in-one box that exists on the side of the house, they route the fiber to an Optical Network Terminal inside the home, which then runs to a Residential Gateway, which appears to be a WiFi router. I do not want to use a WiFi router but continue using my pfSense and my Unifi UAP-AC Pro access points placed strategically in the new house. I have read about different ways to get around this and want to make it as seamless as possible.
My setup is probably the same as what you describe (incl UAP-ACpro inside my LAN). When the ATT gigfiber was installed I was using an SG-2440. Many have said it works w/ 1g but I had poor throughput and finally did the pfatt with netgraph. It did increase my speed but not significantly. Not close to 1g.
So based on comments others made I upgraded my pfSense appliance and now run an SG-5100. I get the full 1g now. The 5100 is a bit overkill for my usage but I had read mixed reviews about the 3100 and decided to go for more HP.
I don't run a web server. I'm just a home internet user. Near as I can tell, the deal with the ATT router is the NAT table (on my BG210 it is in the /diagnostics menu) filling up. My system has been running for many months and that table, max of 8192, is at a whopping 77.
I did not reload pfatt on the 5100 and instead have occasionally checked the NAT table. All is well, so my advice is to try your setup w/o the bypass first and see if you can live with it.
I disabled the ATT wifi and run their router in IP Passthru mode and altered the dhcp lease time to 99 days. My IP has not changed in the past many months.
Good luck.
-
@JonH in my current setup, I have 1g service through a different ISP and while I don’t get a full 1000 Mbps, I generally see 750-850 Mbps download and 800-875 Mbps upload.
I run about 20-30 VMs on 3 bare-metal multi-CPU servers. I also run 5 desktops, 3 laptops, 2 tablets, 2 smartphones, and 4 TVs with at least one Internet-connected video streaming device each. I then have about 10 SBCs (Raspberry Pis of each generation, Beaglebone, Pine64, and another "knock-off"/alternative). I have several other connected devices. I have well over 100 statically assigned IPs in my house. This is why I'm looking at bypassing AT&T's NATting device.
It's my hobby, but this is one aspect in which I have limited experience (bypassing the RG) and have found very limited community support. I know I will eventually figure it all out once I've played with it a while; I'm just trying to learn from other people's mistakes so I can make different mistakes, not just repeat the mistakes of others.