IPSEC VPN BGW320

CyberTiVo

Re: IPSEC VPN AT&T U-verse
I decided to switch to AT&T fiber after I read about the hack to bypass the RG and work with pfSense; they show up and installed the new BGW320 instead of the by-passable BGW210, I was a little late to the party; However, the PassThrough option now has a checkbox to allow ESP packets. With it selected, my tunnels come up and I can ping the distant end. Unfortunately, ping is the only thing that works.
Troubleshooting with tcpdump doesn't show any traffic to or from the remote host on the WAN interface being passed through from the RG, even though it works. Since tcpdump doesn't show traffic working, I can't use that as a tool to see why other ports (443, 8080, 8051, 22) don't; I'm stuck at this point

CyberTiVo

@cybertivo One more piece of info, I see the packets make it to the host on the other end of the tunnel with tcpdump and the host replies; everything works fine with the Media Comm connection; both firewalls running 2.4.5p1

CyberTiVo

@cybertivo Ok, too much Holiday Eggnog; I am brain damaged; I was tcpdumping the WAN interface and, of course, didn't see the packets, as they are encrypted; packets make it thru the firewall to both LAN interfaces, but only ping works; web browsing to 8080, 443, 8989 don't work; Safari shows about 15% of the blue progress bar in the URL field then eventually times out; I will post a dump of the traffic in a bit; the AT&T BGW320 shows a state for the connection between the 2 firewalls

CyberTiVo

@cybertivo AT&T side of tunnel and where client is using web browser to connect to remote servers

listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:38:58.636779 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [SEW], seq 3115810592, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 408619134 ecr 0,sackOK,eol], length 0
12:38:58.668556 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [S.E], seq 1974426754, ack 3115810593, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2989008682 ecr 408619134], length 0
12:38:58.668967 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 0
12:38:58.670041 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [P.], seq 1:360, ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 359
12:38:58.705410 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [P.], seq 1449:2023, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 574
12:38:58.706578 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619200 ecr 2989008682,nop,nop,sack 1 {1449:2023}], length 0

Remote side of tunnel, where servers reside

listening on igb1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:38:58.653204 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [SEW], seq 3115810592, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 408619134 ecr 0,sackOK,eol], length 0
12:38:58.653471 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [S.E], seq 1974426754, ack 3115810593, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 2989008682 ecr 408619134], length 0
12:38:58.685362 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 0
12:38:58.686446 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [P.], seq 1:360, ack 1, win 2058, options [nop,nop,TS val 408619165 ecr 2989008682], length 359
12:38:58.688642 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 1448
12:38:58.688684 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [P.], seq 1449:2023, ack 360, win 1027, options [nop,nop,TS val 2989008717 ecr 408619165], length 574
12:38:58.722873 IP 172.18.1.82.54818 > 70.1.1.1.8989: Flags [.], ack 1, win 2058, options [nop,nop,TS val 408619200 ecr 2989008682,nop,nop,sack 1 {1449:2023}], length 0
12:38:58.986996 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989009016 ecr 408619200], length 1448
12:38:59.384939 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989009414 ecr 408619200], length 1448
12:39:00.006949 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989010036 ecr 408619200], length 1448
12:39:01.009156 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989011038 ecr 408619200], length 1448
12:39:02.792952 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989012822 ecr 408619200], length 1448
12:39:06.164192 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989016193 ecr 408619200], length 1448
12:39:12.700471 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989022729 ecr 408619200], length 1448
12:39:25.573268 IP 70.1.1.1.8989 > 172.18.1.82.54818: Flags [.], seq 1:1449, ack 360, win 1027, options [nop,nop,TS val 2989035601 ecr 408619200], length 1448

CyberTiVo

@cybertivo I'm surprised no one is interested in coming up with a solution for using pfSense with the new AT&T Residential Gateway like the awesome work from MonkWho for the BGW210.

phatty

@cybertivo did you ever get anywhere with this. I have some traffic passing but seems like traffic initiated from at&t end is where most of the problem lies.
I thought static IPs would help, but no such luck so far. This same tunnel config was previously working when connected to cable modem.