Bypass At&t fiber BGW210-700

RonRN18

@sherpagoodness

First off, I'm not sure if there is a difference in repository information from 2.4.4 and 2.4.5, but I was trying to follow the instructions of installing ng_etf_kmod with no luck. When I enter "pkg search etf", I get no return. If I ignore the no return of information and move on to the next step, "pkg install ng_etf-kmod", I get all the text of updating repository catalog and all repositories are up-to-date, but "No packages available to install matching 'ng_etf-kmod' have been found in the repositories."

I am wondering if I've missed a prerequisite step of adding a repository. If so, how do I add the missing repository?

stephenw10

There is a difference. What are you installing on?

It's in kernel for amd64 but missing from 2.4.5 for other architectures. See the discussion in the last few posts here.

Steve

FinalLe

@stephenw10 Hey I need some help, I'm on 2.45 amd64 and when I try to run the script pfatt.sh it says "ng_etf file not found". I know its in kernel for 2.45 but when I run kldstat I don't see it on the list. Is there a step I am missing?

I'm using the pfatt.sh from link here.

stephenw10

If you're using the script from there you should not see that as it won't try to load the module. Assuming you didn't set opnsense=yes.

You have to use kldstat -v to see the in-kernel modules.

Steve

FinalLe

@stephenw10 Thanks for replying. Ok I see it in kldstat -v. Yeah I have opnsense='no' but it still comes up as file not found. Since its in kernel I should just be able to edit the pfatt and it work right?

stephenw10

Hmm, the logic is not quite right in the script then. Seems like it should be -lt. The error should not matter though the module is still available, it doesn't look like the script does anything with the error.

Steve

FinalLe

@stephenw10 Do I have to load the module?

stephenw10

No it's already in the kernel in 2.4.5.

FinalLe

@stephenw10 hmm yeah not sure why its not working then. I reinstalled pfsense and used the older script file link and still same error.

stephenw10

Yeah the old will try to load the module as was required in 2.4.4 and fail. Just comment out those lines if the error is causing a problem.
The error doesn't do anything though so if it's not working that's not the reason.

Steve

RonRN18

For those that have successfully bypassed their AT&T Fiber Gateway, I am curious about if this has any effect on acquiring multiple static IP addresses? I was told that I can order static IP addresses but I have a suspicion that they are going to insist that they do things to the gateway to make it work. Does my suspicion have any warrant? Also, despite following instructions, it appears I do not have the ability to use IPv6... I'm not sure if it changed from a standard offering to a premium service or what. I used the pfatt.sh script using the ngeth0 interface, not the WPA_supplicant, to bypass the gateway. I still have my gateway plugged into the pfSense via a third NIC with the ONT on my first NIC and LAN on second.

FinalLe

@stephenw10 Ok got it all working last night, just had to comment out those lines and was all good. Thanks for the help!

kflemin81

@stephenw10 sorry back again :)

I decided to bump up to the SG-3100 and started through this process again. After updating to 2.4.5, I do not see the ng_etf (with kldstat -v | grep ng_etf) type so tried to pull it from the repo again but now I'm getting a certificate failure.

Script is running part of the way through but not completing because it can't find the type.

I suspect this is something simple I'm missing.

Thanks!

[2.4.5-RELEASE][admin@pfSense.localdomain]/boot/kernel: pkg add https://repo01.netgate.com/pkg/pfSense_factory-v2_4_4_aarch64-pfSense_factory-v2_4_4/All/ng_etf-kmod-0.1.txz
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.netgate.com
545659552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-armv6/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.netgate.com
545659552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-armv6/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.netgate.com
545659552:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-armv6/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://repo01.netgate.com/pkg/pfSense_factory-v2_4_4_aarch64-pfSense_factory-v2_4_4/All/ng_etf-kmod-0.1.txz: Authentication error

behemyth

@RonRN18 The reason bypassing ATT's gear is so tough is because they apply vlan tags to the traffic between their CPE and the modem AND they have a certificate on the gateway that the CPE uses to authenticate to their network. There is a well documented way to use a dumb switch and bypass their modem, however, if you lose power or have to reset that switch, you need to do the bypass method again, and its a giant PITA. Sometimes it works, and sometimes it doesn't. I actually just used their gateway while I had them - I design networks for fortune 50 companies for a living - and had no issues. The state table on those is massive, and unless your hosting torrents you should never, ever, max it out. I suppose you could if you had a bunch of malware you didn't know about..

As far as the statics - from all the people who have used the bypass method, you cannot use any static IPs without using their modem. Again, the vlan tags come into play here, and only their gateway handles them correctly. If I remember correctly, IPv6 is very hit or miss as well.

I actually moved back to cable to I could use PfSense again - its just much, much easier than dealing with ATT's gear. If you aren't a network pro, just use their stuff.

The script method some people try is just bridging the traffic, and you can't get full gig when your doing that (not without some serious compute power doing the route/switch functions).

stephenw10

@kflemin81 said in Bypass At&t fiber BGW210-700:

I decided to bump up to the SG-3100 and started through this process again.

The same thing applies there as with the SG-1100. The module appears to be missing from kernel. The required chanhes have been pushed and it's marked for 2.4.5p1: https://redmine.pfsense.org/issues/10463
You are seeing those errors trying to access the repo because the SG-3100 is armv6 not aarch64. The module is not present there either though.

Steve

stephenw10

@behemyth said in Bypass At&t fiber BGW210-700:

The script method some people try is just bridging the traffic, and you can't get full gig when your doing that (not without some serious compute power doing the route/switch functions).

I guess that depends how you are going to define 'serious compute power'.

Everything has to go through netgraph to get tagged VLAN0 and I think that's single threaded so probably more than you would normally expect.

Steve

kflemin81

Thanks @stephenw10 does this mean it will be in a future version?

This same pull did work a few weeks ago when I configured the SG-1100 for the same and I was able to manually add the package using the repo then.

stephenw10

Yes but on the 3100 you need to try:

pkg add https://firmware.netgate.com/pkg/pfSense_factory-v2_4_4_armv6-pfSense_factory-v2_4_4/All/ng_etf-kmod-0.1.txz

Since it's armv6. Again though no guarantees that will work on the 2.4.5 kernel.

Steve

Yellow Snow

@kflemin81 said in Bypass At&t fiber BGW210-700:

@stephenw10 as a follow-up it does work on SG-1100 with 2.4.5, I was able to set it up and am now bypassing the ATT RG completely.

One thing I did run into was that my interface names differed from the output of ngctl and ifconfig, so I needed to manually change some parts of the script.

But so far so good!

@stephenw10 Can you help me with this? What did you change to get NG1100 to work?

mvneta0.4090 and mvnet0.4092 does not work. ifconfig says the same thing.

Can you pastebin your pfatt.sh please?

Prodian0013

@stephenw10 @kflemin81 the mvneta0.xxxx interfaces arent getting created before the earlyshellcmd script is executed which causes the script to fail. How did you resolve this issue?

ngctl: send msg: No such file or directory

  Name: mvneta0         Type: ether           ID: 00000001   Num hooks: 0
  Name: <unnamed>       Type: socket          ID: 00000004   Num hooks: 0
  Name: <unnamed>       Type: socket          ID: 00000005   Num hooks: 0
  Name: ngctl420        Type: socket          ID: 00000008   Num hooks: 0

When I try using "shellcmd" then I get mismatch interface error because "ngeth0" isnt created yet which is assigned to wan so to even get pfsense to finish booting i have to change the interface assignment.

Any advice? Thanks.