ATT Uverse RG Bypass (0.2 BTC)
-
@andrew_241 said in ATT Uverse RG Bypass (0.2 BTC):
I haven't read this entire thread, but I was under the impression that the netgraph method was required to get the WAN interface to recognize the traffic on VLAN0 from the ONT.
If you are physical... virtually you don't need netgraph :).
-
You are correct. I forgot about that. I'm running a virtualized setup here (esxi). When testing pfsense/certs I had no vlan0 issues.. The other option is to use a dumb switch between the ONT and pfsense wan ports.
-
I tried to run the pfatt.sh script on my pfSense box manually, but I get the following:
[2.4.5-RELEASE][root@pfSense]/root: /cf/conf/pfatt/bin/pfatt.sh
pfatt: starting pfatt...
pfatt: configuration:
pfatt: ONT_IF = igb0
pfatt: RG_ETHER_ADDR = (MAC address is here)
pfatt: EAP_MODE = supplicant
pfatt: EAP_SUPPLICANT_IDENTITY = (MAC address is here)
pfatt: EAP_BRIDGE_IF = igb1
pfatt: EAP_BRIDGE_5268AC = 0
pfatt: resetting netgraph...
pfatt: configuring EAP environment for supplicant mode...
pfatt: cabling should look like this:
pfatt: ONT---[] [igb0]pfSense
pfatt: creating vlan node and ngeth0 interface...
ngctl: send msg: No such file or directory
(the ngctl line above is printed 5 times)
pfatt: enabling promisc for igb0...
pfatt: starting wpa_supplicant...
pfatt: wpa_supplicant running on PID ...
pfatt: setting wpa_supplicant network configuration...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory
(the "Failed to connect" line above is printed 13 times)
pfatt: waiting EAP for authorization...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory
(the "Failed to connect" line above is printed 27 times)
I also got the same error when trying to type in the commands manually.
-
I've since connected a dumb switch (Netgear GS105) between the ONT and my pfSense box in order to deal with the VLAN 0 issue, and retried the gateway bypass method using only the wpa_supplicant, and a spoofed MAC address. My wpa_supplicant configuration is as it was in my comment above, and I've configured Shellcmd to execute the following toward the end of the boot up process:
wpa_supplicant -s -B -Dwired -iigb0 -c/cf/conf/wpa_supplicant.conf
So far, so good. There are some instances where DNS resolving takes a couple seconds though, but it seems the bypass was successful.
-
Looks like this method isn't working. I keep losing IPv4 connectivity after about one hour (gateway goes down), among other problems, including long wait times (2 minutes or so) to renew the WAN connection after a release.
-
Connectivity seems to stop if dhcp is unsuccessful. Need to find out why it's taking so long/failing.
-
Looks like something's going on with DHCP. The lease time from the ISP is one hour, according to a packet capture. I tried the bypass method again and this time I couldn't even get a stable connection after authenticating. I get a lease offer from the ISP after about two minutes in, but for some reason, pfSense wasn't accepting it.
-
I had a number of issues with getting this to work. I had the same behavior (worked for an hour then quit) when I ran the script manually using the bypass method in esxi.. However, after having pfatt.sh start up as an early shell command in pfsense, and doing a reboot, things appear to be stable.
I did take out all references to ngeth in the script since vmware is doing the VLAN0 stripping and replaced them with em0. And I prefixed the cert files with a /cf so the files had the right absolute file name.
-
Folks, now that I have the supplicant method working well and virtualized pfsense talking to the ONT directly, I would like to enable it to failover to a different ESX host so that when I do ESXi host upgrades I don't have to take Internet downtime. This was impossible before with ethernet devices in passthrough mode.
Now, I have unifi switches, but I don't think I can use them to create a separate VLAN that connects the ONT to the two different hosts because they process 802.1x messages in the switch. Is that right?
So should I use one of the cheap netgear switches mentioned earlier in the thread and will vmotion etc... work if I share the ONT port that way?
Thanks!
-
@andrew_241 said in ATT Uverse RG Bypass (0.2 BTC):
I tried to run the pfatt.sh script on my pfSense box manually, but I get the following:
[2.4.5-RELEASE][root@pfSense]/root: /cf/conf/pfatt/bin/pfatt.sh
pfatt: starting pfatt...
pfatt: configuration:
pfatt: ONT_IF = igb0
pfatt: RG_ETHER_ADDR = (MAC address is here)
pfatt: EAP_MODE = supplicant
pfatt: EAP_SUPPLICANT_IDENTITY = (MAC address is here)
pfatt: EAP_BRIDGE_IF = igb1
pfatt: EAP_BRIDGE_5268AC = 0
pfatt: resetting netgraph...
pfatt: configuring EAP environment for supplicant mode...
pfatt: cabling should look like this:
pfatt: ONT---[] [igb0]pfSense
pfatt: creating vlan node and ngeth0 interface...
ngctl: send msg: No such file or directory
(the ngctl line above is printed 5 times)
pfatt: enabling promisc for igb0...
pfatt: starting wpa_supplicant...
pfatt: wpa_supplicant running on PID ...
pfatt: setting wpa_supplicant network configuration...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory
(the "Failed to connect" line above is printed 13 times)
pfatt: waiting EAP for authorization...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory
(the "Failed to connect" line above is printed 27 times)
I also got the same error when trying to type in the commands manually.
@andrew_241 I don't know if you resolved it but from this log it seems you might be having some issue with ngctl. Try running some of the commands from "resetting netgraph" section but without ">/dev/null 2>&1" and see if those commands also give you errors. Also see if you can run "ngctl list" command and let us know what it outputs.
-
@MonkWho I'm having the same issue as andrew_241. I've attached a screenshot of a ngctl list command and the "resetting netgraph" commands. The other screenshot displays the console errors when -s is added to WPA_DAEMON_CMD. I had to CTRL-C to get to a command prompt to run the commands. Any guidance would be appreciated. Thanks!
-
Folks, if you are trying to get the pfatt.sh supplicant model configuration to run under vmware which is taking care of the VLAN0 issue, here is the configuration I am using with em0 as the WAN interface (I hardcoded em0 there, so look for all instances of em0 if you need to use a different interface). I have removed all the ngeth references as that is not needed anymore.
Works great, super reliable and no gateway needed anymore in supplicant mode.
Attached.
-
@csburroughs said in ATT Uverse RG Bypass (0.2 BTC):
@MonkWho I'm having the same issue as andrew_241. I've attached a screenshot of a ngctl list command and the "resetting netgraph" commands. The other screenshot displays the console errors when -s is added to WPA_DAEMON_CMD. I had to CTRL-C to get to a command prompt to run the commands. Any guidance would be appreciated. Thanks!
It sounds like there is something strange going on with netgraph on your server. I'm not really an expert in it.
Try running "kldstat -v" and see is these are on the list:
netgraph
ng_ether
ng_eiface
ng_one2many
ng_vlan
ng_etf
Also try running "ngctl list" and see if there are any issues with the nodes on the list.
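The two checks suggested in this reply and in the earlier one (does "ngctl list" show the expected nodes, and why does wpa_cli report "Failed to connect to non-global ctrl_ifname") can be scripted as a preflight step. The script below is an added example, not part of pfatt.sh or anything posted in this thread: it assumes the FreeBSD kldstat(8) and ngctl(8) tools, takes /var/run/wpa_supplicant as the control directory because that is the one used by WPA_DAEMON_CMD later in the thread, and uses PFATT_PREFLIGHT as a name chosen here to switch between the live checks and the constructed sample data embedded in it.

```sh
#!/bin/sh
# Added preflight checks for the pfatt supplicant setup (not part of pfatt.sh).
# Wraps the checks suggested in this thread: kldstat -v for the netgraph
# modules, ngctl list for the nodes, and the wpa_cli control socket behind
# "Failed to connect to non-global ctrl_ifname". The SAMPLE_* strings are
# constructed here so the script can be dry-run offline.

# Kernel modules this thread lists as required for the netgraph path.
REQUIRED_MODULES="netgraph ng_ether ng_eiface ng_one2many ng_vlan ng_etf"

# missing_modules: reads `kldstat -v` output on stdin and prints each required
# module that does not appear in it. Returns 1 if anything is missing.
missing_modules() {
    loaded=$(cat)
    rc=0
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$loaded" | grep -qw "$m"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# has_ng_node NAME: reads `ngctl list` output on stdin and succeeds if a node
# called NAME is listed (lines look like "  Name: ngeth0   Type: eiface ...").
has_ng_node() {
    grep -Eq 'Name: '"$1"'([[:space:]]|$)'
}

# ctrl_socket_ready CTRL_DIR IFNAME: true when wpa_supplicant has created its
# control socket CTRL_DIR/IFNAME. wpa_cli's "Failed to connect to non-global
# ctrl_ifname" error is exactly this socket being absent.
ctrl_socket_ready() {
    [ -S "$1/$2" ]
}

# diagnose_log: reads pfatt.sh console output on stdin and names the earliest
# component that failed, in the order the script runs them.
diagnose_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'ngctl: send msg:'; then
        echo "netgraph: ngctl could not deliver messages, so the vlan/ngeth0 nodes were most likely never created"
        return 1
    fi
    if printf '%s\n' "$log" | grep -q 'Failed to connect to non-global ctrl_ifname'; then
        echo "wpa_cli: no control socket, so wpa_supplicant is not running on the interface wpa_cli asks for"
        return 1
    fi
    echo "no known failure signature"
}

# preflight: the live checks on a pfSense box.
preflight() {
    kldstat -v | missing_modules | sed 's/^/missing kernel module: /'
    ngctl list | has_ng_node ngeth0 || echo "netgraph node ngeth0 not present"
    ctrl_socket_ready /var/run/wpa_supplicant ngeth0 \
        || echo "no wpa_supplicant control socket for ngeth0"
}

# Constructed samples: only two of the six modules loaded, a vlan node but no
# ngeth0, and a log carrying the ngctl failure seen earlier in this thread.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   12 0xffffffff80200000  1f3b2a8 kernel
        Contains modules:
                Id Name
                 1 if_igb
 2    1 0xffffffff82200000    15b48 netgraph.ko
        Contains modules:
                Id Name
                 2 netgraph
 3    1 0xffffffff82216000     6f28 ng_ether.ko
        Contains modules:
                Id Name
                 3 ng_ether'

SAMPLE_NGCTL='There are 3 total nodes:
  Name: igb0            Type: ether           ID: 00000001   Num hooks: 1
  Name: vlan0           Type: vlan            ID: 00000002   Num hooks: 1
  Name: ngctl1234       Type: socket          ID: 00000004   Num hooks: 0'

SAMPLE_LOG='pfatt: creating vlan node and ngeth0 interface...
ngctl: send msg: No such file or directory
pfatt: setting wpa_supplicant network configuration...
Failed to connect to non-global ctrl_ifname: (nil) error: No such file or directory'

# PFATT_PREFLIGHT=1 runs the live checks (a name chosen for this example, not
# a pfatt setting); otherwise the constructed samples are exercised.
if [ "${PFATT_PREFLIGHT:-0}" = 1 ]; then
    preflight
else
    printf '%s\n' "$SAMPLE_KLDSTAT" | missing_modules | sed 's/^/missing kernel module: /'
    printf '%s\n' "$SAMPLE_NGCTL" | has_ng_node ngeth0 || echo "netgraph node ngeth0 not present"
    printf '%s\n' "$SAMPLE_LOG" | diagnose_log
fi
```

On a live box run it as PFATT_PREFLIGHT=1 sh preflight.sh before starting pfatt.sh; an "ngctl: send msg" failure reported ahead of the wpa_cli one points at the netgraph layer, which is why the module and node checks come first.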
-
Count me as yet another user with bridge working and supplicant not. I'm running 2.4.5-p1 on bare metal. I've verified my certificates, verified my paths, and stepped through the supplicant code in pfatt.sh manually. wpa_cli shows CONNECTING and then FAILED.
To confirm, has anyone reported a working supplicant configuration without virtualization? I've tried on my Intel 82576 and I217-LM cards. I may take some time to spin up ESXi and virtualize pfSense to get around keeping the RG plugged in.
-
@Selcouth You should be able to confirm a working config by connecting the ONT to pfsense by way of a dumb switch (to filter out the vlan 0 tags). ONT goes to one port, pfsense's wan goes to another.
-
@Selcouth I'm running supplicant mode on an SG-5100 on 2.4.5-RELEASE-p1 (amd64). I purchased the certificates from maczrcool on eBay and followed the guide in the README in the supplicant branch of MonkWho's pfatt fork: https://github.com/MonkWho/pfatt/tree/supplicant
-
@bk150 It looks like that method is funneling all wan traffic through ngeth0 for the vlan0 tagging. First off are you able to attain full line speed (during speed tests)? Is the pfsense cpu usage very high during this event?
-
@GPz1100 Here is a result from just a few moments ago:
Here's a screenshot of CPU usage and load average on the system during the test:
-
I wonder if the usage would be that high if a dumb switch was placed inline in between ont and pfsense wan?
-
@GPz1100 I'm not authenticating with a dumb switch in line either. I must have some other problem. Maybe I'll start fresh to double check everything.
-
@GPz1100 I'll find a day/evening when my girlfriend doesn't need internet and try the dumbswitch method. I can post my results back here
-
Hello All.
I am able to get this script working via bridge mode, but having issues getting it to work via supplicant mode. It is running on bare metal. The script seems to hang at "Waiting EAP for authorization"
I have root and wheel group full permission to the 3 certs. I got them from ebay and converted them into the correct format using some tools suggested online. Is there anything easy I could be missing? Been through the guide multiple times but cannot seem to figure it out thus far.
I have checked the configuration inside pfatt.sh multiple times and appears to be correct.
-
I'm following this thread with a lot of interest.
-
I had the same issue as above with the 'no such file or directory' errors and resolved it by adding the following lines in the pfatt.sh script around line 144:
/usr/bin/logger -st "pfatt" "attaching interfaces to ng_ether..."
/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"
The lines were added right after:
/usr/bin/logger -st "pfatt" " ONT---[] [$ONT_IF]$HOST"
I had to set the WAN interface back to ngeth0, but after a reboot, I was getting an IP address and was able to browse the net. Hope this helps.
-
@Dade I realize you posted this a long time ago, so sorry for bringing this up again. I also have ATT with 5 extra static IPs (/29). I made another lan interface and assigned the "Gateway IP" from ATT to this interface. I don't have any problem using 1:1 NAT to assign public IPs to specific devices on my LAN.
I am also using the static "Gateway IP" from ATT as the IP address for a VPN server--which works except for one thing. My ATT static Gateway IP is 75.xxx.xxx.78. My dynamic ATT IP is 68.xxx.xxx.29. I can connect to the VPN using the address 75.xxx.xxx.78, but while connected to this VPN, if I google "what is my IP address" the response is 68.xxx.xxx.29, when it should be 75.xxx.xxx.78.
Using your method, were you able to resolve this? Either way, could you describe the firewall/NAT rules that you used?
Thanks!
-
@Ican-treadorwrite The IP you're going to see on a "what's my IP" query is going to be the NAT IP that applies to that traffic. You'll have to create a new NAT rule ONLY for the internal IP addresses of your VPN clients specifying that that specific IP (your static IP) is the "NAT address" for that traffic.
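The rule described in this reply, written out in the FreeBSD pf syntax that pfSense generates from its Outbound NAT page. This is an added illustration, not a rule from the thread or from pfSense itself: em0 as the WAN interface, 10.8.0.0/24 as the VPN client subnet, 192.168.1.0/24 as the LAN and 203.0.113.78 standing in for the static gateway IP are all placeholders, and the static address has to be configured on the box already (in pfSense, as a Virtual IP) before pf can translate to it.

```pf
# Outbound NAT for VPN clients only: translate their traffic to the static IP.
# pf evaluates nat rules first-match, so this rule must sit ABOVE the general one;
# in the pfSense GUI that means placing it higher in the Outbound NAT list.
nat on em0 from 10.8.0.0/24 to any -> 203.0.113.78

# General outbound NAT for the rest of the LAN, using the WAN's own (dynamic)
# address. If only this rule existed, a "what is my IP" query from a VPN client
# would report the dynamic address, which is the symptom described above.
nat on em0 from 192.168.1.0/24 to any -> (em0)
```

To confirm the ordering took effect, check the translation with pfctl -s nat and then run a "what is my IP" query from a VPN client and from a normal LAN host; they should now report different addresses.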
-
@bkatt said in ATT Uverse RG Bypass (0.2 BTC):
Hello All.
I am able to get this script working via bridge mode, but having issues getting it to work via supplicant mode. It is running on bare metal. The script seems to hang at "Waiting EAP for authorization"
I have root and wheel group full permission to the 3 certs. I got them from ebay and converted them into the correct format using some tools suggested online. Is there anything easy I could be missing? Been through the guide multiple times but cannot seem to figure it out thus far.
I have checked the configuration inside pfatt.sh multiple times and appears to be correct.
I am having this exact same situation. Permissions, names, etc all look fine - it just hangs at 'waiting EAP for authorisation'....
-
@shad0wca7
What are your file names and file type?
I have my permissions set to 755
-
I really hope the underlying issue people are having isn't related to this: https://www.dslreports.com/forum/r32839785-AT-T-Fiber-Gateway-bypass-with-WPA-supplicant-stopped-working-2-days-ago
-
@bk150
I'm running 2.4.5 and rebooted just the other day with no problems.
-
-rw------- 1 root wheel 6431 Aug 22 16:46 ca.pem
-rw------- 1 root wheel 1131 Aug 22 16:46 client.pem
-rw------- 1 root wheel  887 Aug 22 16:46 private.pem
-
@AiC0315 I set my permissions to 775 and tested. It was previously set to 774. Unfortunately same message, "Waiting EAP for Authorization". Three files, ca.pem, client.pem, and private.pem. running 2.4.5 r1 also.
-
I recently set up new service with AT&T and was not able to get wpa_supplicant/dhcp working without making a few tweaks to the pfatt.sh script:
- wpa_supplicant had to run on the bare port, not ngeth0:
-WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -ingeth0 -B -C /var/run/wpa_supplicant"
+WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"
- Both the bare port and ngeth0 had to have a MAC that matched the certificates I was using (not my assigned router gateway, as I had purchased certificates online instead of messing with the firmware of my assigned gateway):
-/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+/usr/sbin/ngctl msg ngeth0: set $EAP_SUPPLICANT_IDENTITY
 /usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
+/sbin/ifconfig $ONT_IF ether $EAP_SUPPLICANT_IDENTITY
 /sbin/ifconfig $ONT_IF up
 /sbin/ifconfig $ONT_IF promisc
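Review bot: the first change moves wpa_supplicant onto $ONT_IF but keeps the same control directory (-C /var/run/wpa_supplicant), so any wpa_cli call in the script that still names ngeth0 must be changed to $ONT_IF as well; otherwise the "setting wpa_supplicant network configuration" step will produce the same "Failed to connect to non-global ctrl_ifname" errors quoted earlier in this thread, since the socket wpa_cli looks for is now /var/run/wpa_supplicant/<value of $ONT_IF>. In the second change, RG_ETHER_ADDR is no longer used on this path but still shows up in the script's configuration printout; either drop it from that printout or add a comment stating that EAP_SUPPLICANT_IDENTITY must be the MAC bound to the certificates and is now applied to both $ONT_IF and ngeth0.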
This got me line speeds with minimal CPU usage on a bare metal installation of pfsense (CPU is a Xeon D-1518 @ 2.2Ghz, for reference, which is overkill for this but not the 10Gbps ports)
That said, I still do not have IPV6 working fully, and am at a loss there-- I can get a WAN IP via DHCPv6, and I can get prefix delegations for all of my LANs, but IPv6 packets just get dropped several hops outside of my network without the slightest hint as to why.
-
@Darth-Android said in ATT Uverse RG Bypass (0.2 BTC):
That said, I still do not have IPV6 working fully, and am at a loss there-- I can get a WAN IP via DHCPv6, and I can get prefix delegations for all of my LANs, but IPv6 packets just get dropped several hops outside of my network without the slightest hint as to why.
Did you set your IPv6 to DHCPv6 on your WAN and then in the IPv6 settings set a prefix? I have my prefix set to /60 and the following settings:
Use IPv4 Connectivity as Parent Interface - Checked
Request only an IPv6 Prefix - Checked
Send IPv6 Prefix Hint - Checked
Once this is done save and then go to each non-WAN interface and set IPv6 to TRACK and then set the track interface to WAN and start with 0 incrementing by one for each interface.
-
@pyrodex Hmmmm, those checkboxes are different from what's recommended in the pfatt repo, but even with your settings I can't get more than 2 hops into AT&T's network before the packets disappear. (traceroute6 google.com always shows pfsense + 2 more hops, and then nothing; pfsense is connected directly to the ONT in my setup)
-
@Darth-Android said in ATT Uverse RG Bypass (0.2 BTC):
always shows pfsense + 2 more hops, and then nothing
I actually seem to get a 3rd hop beyond pfsense when I uncheck Request only an IPv6 Prefix, but still no actual connectivity to external addresses.
-
@Darth-Android Interesting I may give this a try later. Though it’s working now in bridge mode and that makes me hesitant to touch it more... especially with potential changes they’re making..
Is the supplicant mode meant to be faster than bridge?
-
@shad0wca7 It should not be any faster per se, but it reduces complexity (read: failure points) and allows you to not have to find space / power for the RG.
The questions about speed are around the use of netgraph (ngctl) to strip the VLAN0 headers in pfsense instead of putting a dumb switch between the ONT and pfsense; netgraph is extremely flexible, but comes at a cost of CPU performance and if your CPU doesn't have enough horsepower, that could be an issue. However: Both the bridge and supplicant methods with pfatt use netgraph, so if you have the bridge method working satisfactorily, supplicant should be about the same in terms of speed/CPU usage.