ATT Uverse RG Bypass (0.2 BTC)

shad0wca7

@Darth-Android Interesting I may give this a try later. Though it’s working now in bridge mode and that makes me hesitant to touch it more... especially with potential changes they’re making..

Is the supplicant mode meant to be faster than bridge?

Darth Android

@shad0wca7 It should not be any faster per se, but it reduces complexity (read: failure points) and allows you to not have to find space / power for the RG.

The questions about speed are around the use of netgraph (ngctl) to strip the VLAN0 headers in pfsense instead of putting a dumb switch between the ONT and pfsense; netgraph is extremely flexible, but comes at a cost of CPU performance and if your CPU doesn't have enough horsepower, that could be an issue. However: Both the bridge and supplicant methods with pfatt use netgraph, so if you have the bridge method working satisfactorily, supplicant should be about the same in terms of speed/CPU usage.

fresnoboy

Actually if you are running pfsense as a guest under vmware, you don't need netgraph at all for the wpa_supplicant version. And this also meant for me that I didn't need to do PCI passthrough of interfaces which made VM migration to another machine much easier.

I haven't been able to figure out how to make vmotion migration work, though I did buy a dumb switch that will let me play with it when I get time and the kids aren't using the network for school.

Darth Android

Ah, yeah I keep forgetting the difference between virtualized and bare-metal. If you have something that (dumb switch, virtualization) strips the VLAN0 tags, straight supplicant without any netgraph will be faster / less CPU intensive.

shad0wca7

@Darth-Android cool. I’m running bare metal on an HP T620 plus (4 core AMD Jaguar) which is ample.. I’ll leave bridge mode working for now but watch this with interest.

bquedens

Hi Folks having some trouble wpa_supplicant seems to be hanging at starting wpa_supplicant doesn’t advance past that I put another usr/bin/logger -st before wpa_daemon_cmd and it stops right there before that command is run any ideas

pyrodex

I am running OPNsense (Don't hate me..) with the same code base and using supplicant mode with netgraph on bare metal without issues.

I get full line speed and can make my line testing with Torrents and multiple users.

bkatt

@shad0wca7 said in ATT Uverse RG Bypass (0.2 BTC):

supplicant mode

No updates this this thread in a while. Anyone have any luck recently with supplicant mode on bare hardware?

pyrodex

@bkatt said in ATT Uverse RG Bypass (0.2 BTC):

@shad0wca7 said in ATT Uverse RG Bypass (0.2 BTC):

supplicant mode

No updates this this thread in a while. Anyone have any luck recently with supplicant mode on bare hardware?

I’ve been running it...... still have to use net graph due to vlan 0.

bk150

@bkatt said in ATT Uverse RG Bypass (0.2 BTC):

@shad0wca7 said in ATT Uverse RG Bypass (0.2 BTC):

supplicant mode

No updates this this thread in a while. Anyone have any luck recently with supplicant mode on bare hardware?

I'm still running supplicant mode on my SG-5100 without any issues.

GPz1100

You can get around the vlan0 requirement by using a dumb switch between the ONT and pf/ontsense box.

bkatt

@bk150 A few different people were having issues. Specifically I and a few others were having waiting for auth issue. ATT fiber installed in the area about 2 years ago now, so may be that has newer firmware not allowing that method to work. Or could be something I am doing wrong. Who knows. I have the bridge netgraph working for last few months, I guess close enough.

vesalius

@fresnoboy any post or walk through you know of on doing this, bridging or supplicant, when virtualizing pfSense. Interested in doing this on Proxmox, but want to be less ignorant about it before attempting.

AiC0315

I was running the supplicant bypass with the certs, that quit working for me. Then I was using the RG connected bypass and about a week or two ago that quite working as well.

pyrodex

@AiC0315

Apparently the people who had their just stop working with any method of bypass is most likely due to upgrades in your area to XGS-PON. Supposedly the certificate isn’t enough anymore and looks like AT&T has added more checks to TR-069 that exists on the RG. Smart people are looking into it but as AT&T moves away from the separate ONT and to a combo RG/ONT this maybe dead on the vine.

AiC0315

@pyrodex
I had read about that over on the dsl forums. It's a shame, it was working very well. I am hoping someone figures out the magic solution to the new ONT/RG. Even though it has WIFI 6, i just dont want their crap in the way.

t41k2m3

If supplicant mode still works for you in 2.4.5-p1, has anyone tried if it still works in pfsense+ 21.02 (or pfsense ce 2.5.0)?

Darth Android

@t41k2m3 I was able to just update from 2.4.5 to 2.5.0 using the update button in the web config and everything continued to work. System updated, rebooted, and automatically reconnected.

fresnoboy

@darth-android

This is great news. Are you using the WPA supplicant or the bridging approach with the RG?

Darth Android

@fresnoboy I'm using wpa_supplicant with extracted certificates at the moment. RG continues to sit in a box in the closet.

I did double-check my previous tweaks to pfatt.sh mentioned earlier in this thread, and they are still required for wpa_supplicant to work for me (notably, wpa_supplicant has to run on the raw interface, not the ngeth0 interface that has vlan0 headers stripped).

I've been trying to further tweak the script so that it no longer hangs on bootup if the router can't get an IP for any reason, which I've found to be a particular annoyance, but luckily everything has been super stable so it's mostly only an issue when I'm tinkering with things. If I get something working I'll upload/post it.