ATT Uverse RG Bypass (0.2 BTC)
-
I'm trying to use the supplicant version of pfatt.sh, and my pfSense box hangs on 'waiting EAP for authorization...' during boot. I had to manually break and edit the relevant parts of config.xml to be able to boot properly. I think I'm using the latest version of the script, and I did follow the instructions here. I do have the necessary certificates extracted from an unused gateway device.
Any idea on what the problem might be?
Thanks!
-
@andrew_241 I had this issue too at some point. I believe it happened because I had a typo in the MAC field in the script.
Have you tried booting normally and then running the script by hand to see if it creates interfaces and authenticates? You can take the script apart and run one command at a time to try and see where the problem occurs.
I also need to look at the script and figure out a way to provide some sort of escape sequence if this happens on boot, so people are not stuck like you were. Heck, there is still an incomplete "TODO" in the code from the original creator specifically for this issue with hanging on boot.
-
I'll try executing the script manually. Just to confirm, I'll have the WAN interface port (igb0) directly connected to the ONT, but with no mac spoofing on it. Am I correct in assuming that the script creates the interface that spoofs the MAC of the gateway device?
-
@andrew_241 when I initially set mine up my .pem files were not named correctly, so you may want to check that.
On mine, I have the MAC address for the certs in the script and the MAC address for my RG spoofed on my pfSense box. My certs did not come from my RG; that's why I use 2 MACs.
-
Can somebody PM me on where I can get the PEMs? Thanks.
-
So I tried to run the script manually when the firewall was already up and running, and it still hangs at 'waiting EAP for authorization...'. I can't see the ngeth0 interface as an option under 'Interface Assignments'.
If I change my igb0's MAC address to that of the gateway device, and run wpa_supplicant manually with the following configuration:
eapol_version=2
fast_reauth=1
ap_scan=0
network={
    ca_cert="/cf/conf/pfatt/wpa/ca.pem"
    client_cert="/cf/conf/pfatt/wpa/client.pem"
    eap=TLS
    eapol_flags=0
    identity="(Gateway MAC Address)"
    key_mgmt=IEEE8021X
    phase1="allow_canned_success=1"
    private_key="/cf/conf/pfatt/wpa/private.pem"
}
I get the log message:
igb0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
So the certificates work. I can get my IP address, but the connection is slow (web browsers take a long time with DNS). I probably still need netgraph.
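Before handing a wired EAP-TLS wpa_supplicant.conf like the one above to Shellcmd, it is worth checking the things that most often make the supplicant sit at "waiting EAP for authorization": a PEM path that is wrong or unreadable, an identity that is not a MAC address, and a private key left readable by more than root. The following preflight script is an added example, not part of pfatt.sh or any config posted in this thread. It assumes the three PEM paths and the identity are quoted values inside the network={} block and that the identity is a colon-separated MAC (as in the config above); the sample config and the empty PEM files it writes are constructed for the check, as is the MAC 00:11:22:33:44:55.

```shell
#!/bin/sh
# Preflight check for a wired EAP-TLS wpa_supplicant.conf (added example,
# not part of pfatt.sh). Assumptions: ca_cert, client_cert, private_key and
# identity are quoted values in network={}, and identity is a MAC address.

# Pull the quoted value of key $2 out of config file $1 (first match only).
conf_value() {
  sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when the config looks usable, 1 otherwise; findings go to stdout.
check_wpa_conf() {
  conf=$1
  problems=0
  for key in ca_cert client_cert private_key; do
    path=$(conf_value "$conf" "$key")
    if [ -z "$path" ]; then
      echo "missing: $key is not set"; problems=$((problems + 1))
    elif [ ! -r "$path" ]; then
      echo "missing: $key -> $path is not readable"; problems=$((problems + 1))
    fi
  done

  # pfatt passes the gateway MAC as the EAP identity (assumption); anything
  # else will never match what the authenticator expects.
  identity=$(conf_value "$conf" identity)
  hx='[0-9A-Fa-f][0-9A-Fa-f]'
  case "$identity" in
    $hx:$hx:$hx:$hx:$hx:$hx) ;;
    *) echo "bad: identity '$identity' is not a MAC address"; problems=$((problems + 1)) ;;
  esac

  # The private key is the whole secret of this setup: only root should read it.
  key=$(conf_value "$conf" private_key)
  if [ -r "$key" ] && [ -n "$(find "$key" -perm -040 -o -perm -004)" ]; then
    echo "weak: $key is group- or world-readable; chmod 600 it"
    problems=$((problems + 1))
  fi

  [ "$problems" -eq 0 ]
}

# Constructed sample: writes an empty PEM set and a config in the shape of the
# one posted above, under directory $1, so the check can run offline.
write_sample_conf() {
  dir=$1
  mkdir -p "$dir/wpa"
  : > "$dir/wpa/ca.pem"; : > "$dir/wpa/client.pem"; : > "$dir/wpa/private.pem"
  chmod 600 "$dir/wpa/private.pem"
  cat > "$dir/wpa_supplicant.conf" <<EOF
eapol_version=2
fast_reauth=1
ap_scan=0
network={
    ca_cert="$dir/wpa/ca.pem"
    client_cert="$dir/wpa/client.pem"
    eap=TLS
    eapol_flags=0
    identity="00:11:22:33:44:55"
    key_mgmt=IEEE8021X
    phase1="allow_canned_success=1"
    private_key="$dir/wpa/private.pem"
}
EOF
}
```

Run it as `check_wpa_conf /cf/conf/wpa_supplicant.conf` from a shell on the firewall before enabling the Shellcmd entry; a non-zero exit with the printed findings is cheaper to debug than a box stuck at boot. The permission check is deliberate: in the supplicant method the client certificate and key are the only credential, so they deserve the same file-mode hygiene as an SSH host key.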
-
I found the public certs for the CAs on the web. The client certificates I'm using, as well as the private key, were extracted from a different gateway device of the same model (BGW210-700) that I had sitting around.
-
You should see no speed difference between a dumb switch bypass and certs. All wpa_supplicant does is allow for authentication of the device. It consumes practically no resources.
See if you have something hogging the CPU (top command in console). The netgraph method is obsolete these days. The certs method is completely self-contained, requiring no gateway box to be connected.
-
I haven't read this entire thread, but I was under the impression that the netgraph method was required to get the WAN interface to recognize the traffic on VLAN0 from the ONT.
-
@andrew_241 said in ATT Uverse RG Bypass (0.2 BTC):
I haven't read this entire thread, but I was under the impression that the netgraph method was required to get the WAN interface to recognize the traffic on VLAN0 from the ONT.
If you are physical... virtually you don't need netgraph :).
-
You are correct. I forgot about that. I'm running a virtualized setup here (ESXi). When testing pfSense/certs I had no VLAN 0 issues. The other option is to use a dumb switch between the ONT and pfSense WAN ports.
-
I tried to run the pfatt.sh script on my pfSense box manually, but I get the following:
[2.4.5-RELEASE][root@pfSense]/root: /cf/conf/pfatt/bin/pfatt.sh
pfatt: starting pfatt...
pfatt: configuration:
pfatt: ONT_IF = igb0
pfatt: RG_ETHER_ADDR = (MAC address is here)
pfatt: EAP_MODE = supplicant
pfatt: EAP_SUPPLICANT_IDENTITY = (MAC address is here)
pfatt: EAP_BRIDGE_IF = igb1
pfatt: EAP_BRIDGE_5268AC = 0
pfatt: resetting netgraph...
pfatt: configuring EAP environment for supplicant mode...
pfatt: cabling should look like this:
pfatt: ONT---[] [igb0]pfSense
pfatt: creating vlan node and ngeth0 interface...
ngctl: send msg: No such file or directory
[previous line repeated 5 times in total]
pfatt: enabling promisc for igb0...
pfatt: starting wpa_supplicant...
pfatt: wpa_supplicant running on PID ...
pfatt: setting wpa_supplicant network configuration...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory
[previous line repeated 13 times in total]
pfatt: waiting EAP for authorization...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory
[previous line repeated 27 times in total]
I also got the same error when trying to type in the commands manually.
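A run like the one above produces a wall of identical lines, and the useful signal is the order in which the distinct errors first appear: "ngctl: send msg" comes up while pfatt is creating the vlan node and ngeth0, and only afterwards does wpa_cli start failing with "Failed to connect to non-global ctrl_ifname: (nil)". The small triage script below is an added example (not part of pfatt.sh) that collapses a captured run into per-line counts and prints a single verdict for the first stage that failed. Its verdicts, including the reading that the ctrl_ifname errors follow from the missing ngeth0 interface, are an assumption drawn from the log's ordering rather than from the script's source; the sample log it writes is a constructed, shortened copy of the shape of the output above.

```shell
#!/bin/sh
# Triage a captured pfatt.sh run: which stage failed first? Added example,
# not part of pfatt.sh. Verdict rules are assumptions based on the thread's log.

# Constructed sample in the shape of the output posted above, shortened.
write_sample_log() {
  cat > "$1" <<'EOF'
pfatt: starting pfatt...
pfatt: resetting netgraph...
pfatt: creating vlan node and ngeth0 interface...
ngctl: send msg: No such file or directory
ngctl: send msg: No such file or directory
pfatt: enabling promisc for igb0...
pfatt: starting wpa_supplicant...
pfatt: setting wpa_supplicant network configuration...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory
pfatt: waiting EAP for authorization...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory
EOF
}

# Print one verdict token for the log file $1:
#   netgraph   - ngctl could not build the ngeth0 node; later errors are a consequence
#   wpa_ctrl   - netgraph was fine, but wpa_cli cannot reach the supplicant's control socket
#   ok         - the supplicant reported EAP success
#   eap_failed - no infrastructure error, but EAP success never appeared
pfatt_triage() {
  log=$1
  ngctl_err=$(grep -c '^ngctl: send msg' "$log" || true)
  ctrl_err=$(grep -c 'Failed to connect to non-global ctrl_ifname' "$log" || true)
  if [ "$ngctl_err" -gt 0 ]; then
    echo netgraph
  elif [ "$ctrl_err" -gt 0 ]; then
    echo wpa_ctrl
  elif grep -q 'CTRL-EVENT-EAP-SUCCESS' "$log"; then
    echo ok
  else
    echo eap_failed
  fi
}

# Collapse repeated error lines into "count line" pairs, most frequent first,
# so a 40-line run of the same message reads as one line with a number.
pfatt_error_summary() {
  grep -E '^(ngctl:|Failed to connect)' "$1" | sort | uniq -c | sort -rn
}
```

Usage: `pfatt.sh 2>&1 | tee /tmp/pfatt.log`, then `pfatt_triage /tmp/pfatt.log` and `pfatt_error_summary /tmp/pfatt.log`. A "netgraph" verdict is the cue to do what the reply further down suggests: rerun the "resetting netgraph" commands without the `>/dev/null 2>&1` redirection and look at `ngctl list`, instead of chasing the wpa_cli noise.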
-
I've since connected a dumb switch (Netgear GS105) between the ONT and my pfSense box in order to deal with the VLAN 0 issue, and retried the gateway bypass method using only the wpa_supplicant, and a spoofed MAC address. My wpa_supplicant configuration is as it was in my comment above, and I've configured Shellcmd to execute the following toward the end of the boot up process:
wpa_supplicant -s -B -Dwired -iigb0 -c/cf/conf/wpa_supplicant.conf
So far, so good. There are some instances where DNS resolving takes a couple seconds though, but it seems the bypass was successful.
-
Looks like this method isn't working. I keep losing IPv4 connectivity after about one hour (gateway goes down), among other problems, including long wait times (2 minutes or so) to renew the WAN connection after a release.
-
Connectivity seems to stop if DHCP is unsuccessful. Need to find out why it's taking so long/failing.
-
Looks like something's going on with DHCP. The lease time from the ISP is one hour, according to a packet capture. I tried the bypass method again and this time I couldn't even get a stable connection after authenticating. I get a lease offer from the ISP after about two minutes in, but for some reason, pfSense wasn't accepting it.
-
I had a number of issues with getting this to work. I had the same behavior (worked for an hour then quit) when I ran the script manually using the bypass method in ESXi. However, after having pfatt.sh start up as an early shell command in pfSense, and doing a reboot, things appear to be stable.
I did take out all references to ngeth in the script since vmware is doing the VLAN0 stripping and replaced them with em0. And I prefixed the cert files with a /cf so the files had the right absolute file name.
-
Folks, now that I have the supplicant method working well and virtualized pfsense talking to the ONT directly, I would like to enable it to failover to a different ESX host so that when I do ESXi host upgrades I don't have to take Internet downtime. This was impossible before with ethernet devices in passthrough mode.
Now, I have unifi switches, but I don't think I can use them to create a separate VLAN that connects the ONT to the two different hosts because they process 802.1x messages in the switch. Is that right?
So should I use one of the cheap Netgear switches mentioned earlier in the thread, and will vMotion etc. work if I share the ONT port that way?
Thanks!
-
@andrew_241 said in ATT Uverse RG Bypass (0.2 BTC):
I tried to run the pfatt.sh script on my pfSense box manually, but I get the following:
[pfatt.sh output quoted from the post above]
I also got the same error when trying to type in the commands manually.
@andrew_241 I don't know if you resolved it, but from this log it seems you might be having some issue with ngctl. Try running some of the commands from the "resetting netgraph" section but without ">/dev/null 2>&1" and see if those commands also give you errors. Also see if you can run the "ngctl list" command and let us know what it outputs.
-
@MonkWho I'm having the same issue as andrew_241. I've attached a screenshot of an ngctl list command and the "resetting netgraph" commands. The other screenshot displays the console errors when -s is added to WPA_DAEMON_CMD. I had to Ctrl-C to get to a command prompt to run the commands. Any guidance would be appreciated. Thanks!