ATT Uverse RG Bypass (0.2 BTC)
-
Sorry if I wasn't clear. By "cherrypick", I meant take the patch from the v13 version of wpa_supplicant and apply it to the current pfsense wpa_supplicant code. It's an easy one line change: https://cgit.freebsd.org/src/commit/?id=d70886d063166786ded0007af8cdcbf57b7b4827
-
That should now be in current 21.09/2.6 snapshots if anyone is able to test.
https://github.com/pfsense/FreeBSD-src/commit/61c7d15d84f80ae1d92b42dc2da56ad94a80b46bSteve
-
stephenw10 Netgate Administratorlast edited by stephenw10 Jun 3, 2021, 5:19 PM May 28, 2021, 8:54 PM
This is now also in 2.5.2 snaps. Feedback appreciated.
-
Hi All,
I'm using frontier 1gb fiber service for my internet and I have a strange issue when using the netgraph script.
Currently my setup is using a pfsense instance on a Hyper-V server which is great because the virtual switch strips the vlan tags so my pfsense works great natively. My speed test show about 940mbp up and down on my hyper v instance.
If I use a use pfsense on comparable hardware directly on a metal box using the netgraph script I get speed tests of about 750mbs down and 840 up consistently. CPU and memory aren't even breaking a sweat. I would have expected speeds of around the same as my Hyper-V since that PC is actually using more resources. Not to mention other than adding the netgraph script I'm using pfsense straight from installation without making any other changes.
I'm happy to post any benchmarks and would love to hear this groups thoughts on this.
Thanks -
@michaellacroix recommend you look through and tune/test interface settings eg:
NIC Flow Control
NIC Offload
NIC Rx Buffer
NIC Tx BufferThese being out of tune for best performance on your particular platform likely would explain that amount of speed discrepancy.
-
Great idea! I will try that as soon as I get home. These are intel em cards.
-
@stephenw10 I upgraded from 2.4.4 with no issues. I'm using supplicant mode.
-
I'm using the latest 2.5.2 release.
-
So I tried making changes to tune my interface settings which made no difference in speed.
I did however remove netgraph from the equation and set a static IP from the dhcp pool and it also made very little difference in regard to speed. I think the hyper-v vmswitch is just stripping out all the crap from my ISP's connection allowing for the best connection and performance.
If that's the case I guess I'm stuck using pfsense as a vm. I would have much rather preferred using dedicated equipment instead. -
Mmm, yeah if you're going through a v-switch and trying to use vlan0 I could certainly see that causing problems!
-
I got the "joy" of receiving the BGW320-500 device in my new house. Let me know if anyone wants me to test anything regarding a potential bypass. I'm reasonably strong with Linux/UNIX and have a fair bit of hardware laying around that can run pfsense and others.
-
I have been running supplicant mode with ngeth for a while now successfully but would love to be able to just use a switch to handle the VLAN 0 piece and take ngeth out of the chain and then just use my certs and wpa_supplicant to authenticate to the At&t network.
Would it be possible to get a smart switch and then have the port going to my pfsense WAN port as untagged VLAN 0 and then the port going to the ONT as a tagged VLAN 0 port and not have to use ngeth anymore and just use the wpa_supplicant and extracted certs to authenticate?
I really don't want to go the virtualization route and always hear about people using a dumb switch but don't want to have to plugin the RG whenever there is an issue.
Will this untagged / tagged combo work with a switch like the Netgear GS108Ev3?
-
@bigjohns97 You can use a managed netgear switch and use its mac based vlan feature to do what you want. I use ms510tx to do exactly what you are asking for. I see some other switches which has this capability on this page. link
Check the user manual of your switch to see if you have it.
-
@netnerdy said in ATT Uverse RG Bypass (0.2 BTC):
@bigjohns97 You can use a managed netgear switch and use its mac based vlan feature to do what you want. I use ms510tx to do exactly what you are asking for. I see some other switches which has this capability on this page. link
Check the user manual of your switch to see if you have it.
@netnerdy that is a pretty expensive option, I am guessing you used MAC based VLAN to have flexibility to plug into any port?
I was looking to use the GS108Ev3 model which has port based VLAN but when I go into the user manual online it says VLAN ID 1-4096. This is a little concerning.
I am guessing you are using that switch for more than just bypassing the Att RG?
I might just order the GS108Ev3 from somewhere with a good return policy and give this a shot.
Thanks for confirming the tagged / untagged combo would work for me.
-
@netnerdy said in ATT Uverse RG Bypass (0.2 BTC):
ms510tx
That switch will tag traffic in VLAN0? That surprises me if true.
-
@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):
@netnerdy said in ATT Uverse RG Bypass (0.2 BTC):
ms510tx
That switch will tag traffic in VLAN0? That surprises me if true.
The docs suggest valid values 1-4093.
I am beginning to think this only way to do what I am looking for is to use a hypervisor.
-
Right, because VLAN 0 is invalid, out if spec. It seems likely AT&T and others use it precisely because it's difficult to use with other equipment. Though that could just be my inner cynic.
-
What's that line "How I stopped worrying and learned to love the hypervisor"? :)
Seriously though, the ability to do snapshots and easily restore to a prior state is really helpful. PFSense is usually very stable, but there have been times with the original 2.5.0 upgrade and plugins where being able to recover from a snapshot helped save me (and the family) from extended downtime.
-
@fresnoboy said in ATT Uverse RG Bypass (0.2 BTC):
What's that line "How I stopped worrying and learned to love the hypervisor"? :)
Seriously though, the ability to do snapshots and easily restore to a prior state is really helpful. PFSense is usually very stable, but there have been times with the original 2.5.0 upgrade and plugins where being able to recover from a snapshot helped save me (and the family) from extended downtime.
I would love to have snapshots available to me for restores but I just couldn't get over how much the PfSense GUI showed cpu usage when doing speed tests while using ESXi. Without suricata running I only get around 3% CPU during a speed test but with ESXi it was around 30%.
This was passing through the NIC which obviously I would need to give up if I were to trade ngeth for virtualization.
I do run suricata now but honestly don't feel like I really get much from it outside of a bunch of false positives, I do get a great feeling from pfblockerng from a security perspective.
At the end of the day I just felt like running this on ESXi just added complexity and hurt performance enough to a point I wasn't comfortable with.
I may revisit this with something like proxmox where I can dedicate cores but I seem to remember a similar experience when using unraid which I believe is the same hypervisor as proxmox under the covers.
-
Reason my switch is expensive is because it can do multi-
gig. Iâm sure you can find cheap gigabit managed switches
that can do mac based vlan from netgear.I also run my pfsense on ESXI for easy backup/restore, but can also do NIC passthrough and so donât incur the ngeth or ESXI networking cost, which both cost extra cpu.
@stephenw10
Vlan 0 is not out of spec. Itâs called âpriority taggingâ. This mechanism is used to prioritize stuff like VOIP phone packets in switches which support it. The problem arises because there are devices which would like to specify a priority in their ip packets without specifying a vlan id. Check out the link I sent previously, youâll see mentions of âpriority taggingâ there.