Bypass At&t fiber BGW210-700

kflemin81

@stephenw10 sorry back again :)

I decided to bump up to the SG-3100 and started through this process again. After updating to 2.4.5, I do not see the ng_etf (with kldstat -v | grep ng_etf) type so tried to pull it from the repo again but now I'm getting a certificate failure.

Script is running part of the way through but not completing because it can't find the type.

I suspect this is something simple I'm missing.

Thanks!

[2.4.5-RELEASE][admin@pfSense.localdomain]/boot/kernel: pkg add https://repo01.netgate.com/pkg/pfSense_factory-v2_4_4_aarch64-pfSense_factory-v2_4_4/All/ng_etf-kmod-0.1.txz
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.netgate.com
545659552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-armv6/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.netgate.com
545659552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-armv6/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.netgate.com
545659552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-armv6/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://repo01.netgate.com/pkg/pfSense_factory-v2_4_4_aarch64-pfSense_factory-v2_4_4/All/ng_etf-kmod-0.1.txz: Authentication error

behemyth

@RonRN18 The reason bypassing ATT's gear is so tough is because they apply vlan tags to the traffic between their CPE and the modem AND they have a certificate on the gateway that the CPE uses to authenticate to their network. There is a well documented way to use a dumb switch and bypass their modem, however, if you lose power or have to reset that switch, you need to do the bypass method again, and its a giant PITA. Sometimes it works, and sometimes it doesn't. I actually just used their gateway while I had them - I design networks for fortune 50 companies for a living - and had no issues. The state table on those is massive, and unless your hosting torrents you should never, ever, max it out. I suppose you could if you had a bunch of malware you didn't know about..

As far as the statics - from all the people who have used the bypass method, you cannot use any static IPs without using their modem. Again, the vlan tags come into play here, and only their gateway handles them correctly. If I remember correctly, IPv6 is very hit or miss as well.

I actually moved back to cable to I could use PfSense again - its just much, much easier than dealing with ATT's gear. If you aren't a network pro, just use their stuff.

The script method some people try is just bridging the traffic, and you can't get full gig when your doing that (not without some serious compute power doing the route/switch functions).

stephenw10

@kflemin81 said in Bypass At&t fiber BGW210-700:

I decided to bump up to the SG-3100 and started through this process again.

The same thing applies there as with the SG-1100. The module appears to be missing from kernel. The required chanhes have been pushed and it's marked for 2.4.5p1: https://redmine.pfsense.org/issues/10463
You are seeing those errors trying to access the repo because the SG-3100 is armv6 not aarch64. The module is not present there either though.

Steve

stephenw10

@behemyth said in Bypass At&t fiber BGW210-700:

The script method some people try is just bridging the traffic, and you can't get full gig when your doing that (not without some serious compute power doing the route/switch functions).

I guess that depends how you are going to define 'serious compute power'.

Everything has to go through netgraph to get tagged VLAN0 and I think that's single threaded so probably more than you would normally expect.

Steve

kflemin81

Thanks @stephenw10 does this mean it will be in a future version?

This same pull did work a few weeks ago when I configured the SG-1100 for the same and I was able to manually add the package using the repo then.

stephenw10

Yes but on the 3100 you need to try:

pkg add https://firmware.netgate.com/pkg/pfSense_factory-v2_4_4_armv6-pfSense_factory-v2_4_4/All/ng_etf-kmod-0.1.txz

Since it's armv6. Again though no guarantees that will work on the 2.4.5 kernel.

Steve

Yellow Snow

@kflemin81 said in Bypass At&t fiber BGW210-700:

@stephenw10 as a follow-up it does work on SG-1100 with 2.4.5, I was able to set it up and am now bypassing the ATT RG completely.

One thing I did run into was that my interface names differed from the output of ngctl and ifconfig, so I needed to manually change some parts of the script.

But so far so good!

@stephenw10 Can you help me with this? What did you change to get NG1100 to work?

mvneta0.4090 and mvnet0.4092 does not work. ifconfig says the same thing.

Can you pastebin your pfatt.sh please?

Prodian0013

@stephenw10 @kflemin81 the mvneta0.xxxx interfaces arent getting created before the earlyshellcmd script is executed which causes the script to fail. How did you resolve this issue?

ngctl: send msg: No such file or directory

  Name: mvneta0         Type: ether           ID: 00000001   Num hooks: 0
  Name: <unnamed>       Type: socket          ID: 00000004   Num hooks: 0
  Name: <unnamed>       Type: socket          ID: 00000005   Num hooks: 0
  Name: ngctl420        Type: socket          ID: 00000008   Num hooks: 0

When I try using "shellcmd" then I get mismatch interface error because "ngeth0" isnt created yet which is assigned to wan so to even get pfsense to finish booting i have to change the interface assignment.

Any advice? Thanks.

stephenw10

I can't actually help with this directly as I don't have an AT&T connection to test against. I'm not even in the US.

However we have seen this can work as reported above.

So if you run it as shellcmd the interface assignment check fails?

Steve

bbrendon

For some reason this repo was deleted https://github.com/aus/pfatt. If you google around you can find forks of it. There was a lot of really good info in the gitub issues, so it's definitely a loss. I deleted most of my emails about it thinking I could just get the info from github.

stephenw10

Yup. This now seems to be the best source: https://github.com/MonkWho/pfatt