ATT Uverse RG Bypass (0.2 BTC)

timtrace

Can't get the supplicant mode to work.

I had to comment lines 205-231 of pfatt.sh to get the system to boot.

wpa_cli status says:
Supplicant PAE state=HELD
suppPortStatus=Unauthorized
EAP state=FAILURE

tcpdump -i ONT_IF -e vlan says:
05:20:52.486546 f8:2d:c0:xx:xx:xx (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 22: vlan 0, p 0, ethertype EAPOL, EAPOL start (1) v2, len 0

/conf/pfatt/bin/* is 755 and /conf/pfatt/wpa/* is 644

Certs import without error into the web configurator, if only to make sure that they're intact. I've since pulled them back out of there.

What could be keeping this thing from being authorized?

neatneat

I just moved into a temporary housing situation and was told this unit has ATT U-Verse. I'm looking at the back of my current RG (BGW210-700) and it's using an RJ11 from "broadband" port to the wall. The wall port doesn't have an RJ45 connection. Are there any workarounds for this using this method?

GPz1100

Rj11 = dsl. You need fiber.

fortillian

@neatneat said in ATT Uverse RG Bypass (0.2 BTC):

I just moved into a temporary housing situation and was told this unit has ATT U-Verse. I'm looking at the back of my current RG (BGW210-700) and it's using an RJ11 from "broadband" port to the wall. The wall port doesn't have an RJ45 connection. Are there any workarounds for this using this method?

Uverse is the name of their interwebz service which can be DSL or Fiber. You could get a DSL modem if you don't want to use their equipment. If you have uverse TV service, or ATT home phone service, you'll need to keep their equipment in place.

bk150

I removed the gateway from my setup using the supplicant method from MonkWho's fork of pfatt from aus.

https://github.com/MonkWho/pfatt/tree/supplicant

This worked well on a SG-5100 on pfSense 2.4.5 p1 with certificates purchased on eBay from maczrcool. I'm getting full line speed (940/940) with no issues. I've tested that the setup survives expected and unexpected reboots.

lmgcnbzlp

@bk150 I'm trying to do what you've accomplished, on my PCEngines APU2 box with 2.4.5 p1 using MonkWho's fork. I have the certs extracted from my Arris BGW210. Did you also need Netgraph for the Supplicant approach? I was hoping to avoid it.

JonH

@lmgcnbzlp said in ATT Uverse RG Bypass (0.2 BTC):

I have the certs extracted from my Arris BGW210

Just wondering what you used to extract the certs.

lmgcnbzlp

@JonH I used the python script method per:

https://www.reddit.com/r/ATT/comments/g59rwm/bgw210700_root_exploitbypass/

Had to run it twice because the script didn't have a wait period defined to account for telnet server startup leadtime, but on the second run it appears to have worked and was able to save the certs to my local machine in the manner documented in the readme.

fresnoboy

@timtrace

Did you get this to work? I am trying to enable pfsense to be moved to a different system via vmotion for doing maintenance on the host. Right now I use the netgraph bypass method, but I don't think it will work if I am using PCI device passthrough, which prevents the VM to be migrated.

Does the vlan0 tagging get interfered with by vmware's management of the network interfaces? I can use port mirroring on a switch to make the ONT and even the gateway available on multiple systems.

thx
mike

DanielJay23

I have the netgraph version working well on my system. I am currently running 2.4.4-RELEASE. Will upgrading to 2.4.5_1 break this setup? Will I have to re-do my setup or can I just do a straight update through the web interface of my pfSense box?

MonkWho

@DanielJay23 said in ATT Uverse RG Bypass (0.2 BTC):

I have the netgraph version working well on my system. I am currently running 2.4.4-RELEASE. Will upgrading to 2.4.5_1 break this setup? Will I have to re-do my setup or can I just do a straight update through the web interface of my pfSense box?

Before upgrading I would recommend you compare your current pfatt.sh script with the one if the repository here https://github.com/MonkWho/pfatt and see if any big changes are necessary.

One major change in 2.4.5 is that ng_etf module is now part of base pfsense and you don't need to compile and upload it anymore. And it's also loaded by default so we cleaned out those parts of the script as well. If you don't update your current pfatt.sh it might hang with an error and stop the boot process of your box. Depends what version of the script you are running. Early versions required that module to load and didn't have "-nq" flag that allowed system to skip if it's already loaded.

andrew_241

I'm trying to use the supplicant version of pfatt.sh, and my pfSense box hangs on 'waiting EAP for authorization...' during boot. I had to manually break and edit the relevant parts of config.xml to be able to boot properly. I think I'm using the latest version of the script, and I did follow the instructions here. I do have the necessary certificates extracted from an unused gateway device.

Any idea on what the problem might be?

Thanks!

MonkWho

@andrew_241 I had this issue too at some point. I believe it happened because I had a typo in the MAC field in the script.

Have you tried booting normally and then running the script by hand to see if it creates interfaces and authenticates? You can take the script apart and run one command at a time to try and see where the problem occurs.

I also need to look at the script and figure out a way for some sort of an escape sequence if it this happens on boot. So people are not stuck like you were. Heck there is still an incomplete "TODO" in the code from the original creator specifically for this issue with hanging on boot.

andrew_241

I'll try executing the script manually. Just to confirm, I'll have the WAN interface port (igb0) directly connected to the ONT, but with no mac spoofing on it. Am I correct in assuming that the script creates the interface that spoofs the MAC of the gateway device?

AiC0315

@andrew_241 when I initially set mine up my .pem files were not named correctly, so you may want to check that.
On mine, I have the mac address for the certs in the script and the mac address for my RG spoofed on my pfsense box. My certs did not come from my RG that's why I use 2 MACs

ffuentes

can somebody pm me on where I can get the pem's. Thanks.

andrew_241

So I tried to run the script manually when the firewall was already up and running, and it still hangs at 'waiting EAP for authorization...'. I can't see the ngeth0 interface as an option under 'Interface Assignments'.

If I change my igb0's MAC address to that of the gateway device, and run wpa_supplicant manually with the following configuration:

eapol_version=2
fast_reauth=1
ap_scan=0
network={
        ca_cert="/cf/conf/pfatt/wpa/ca.pem"
        client_cert="/cf/conf/pfatt/wpa/client.pem"
        eap=TLS
        eapol_flags=0
        identity="(Gateway MAC Address)"
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/cf/conf/pfatt/wpa/private.pem"
}

I get the log message:

igb0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

So the certificates work. I can get my IP address, but the connection is slow (web browsers take a long time with DNS). I probably still need netgraph.

andrew_241

@AiC0315

I found the public certs for the CAs on the web. The client certificates I'm using, as well as the private key, were extracted from a different gateway device of the same model (BGW210-700) that I had sitting around.

GPz1100

@andrew_241

You should see no speed difference between a dumb switch bypass and certs. All wpa_supplicant does is allow for authentication of the device. It consumes practically no resources.

See if you have something hogging the cpu (top command in console). Netgraph method is obsolete these days. Certs method is completely self contained requiring no gateway box to be connected.

andrew_241

@GPz1100

I haven't read this entire thread, but I was under the impression that the netgraph method was required to get the WAN interface to recognize the traffic on VLAN0 from the ONT.