Netgate Discussion Forum

    22.01/2.6.0 Upgrade - Broke DHCP on WAN Interface with Custom Startup Script

Category: DHCP and DNS
6 Posts, 3 Posters, 909 Views
nedyah700 (Rebel Alliance):

Getting ahead of the comments. I know this is not technically supported, but a handful of us out there use this.

The latest upgrade (confirmed on both 22.01 and 2.6.0) broke a start-up script many of us AT&T Fiber customers use that allows us to use pfSense natively with AT&T.

Essentially, this startup script uses either WPA_SUPPLICANT or netgraph (depending on a user's configuration) to authenticate with AT&T's ONT. After 802.1X authentication, the script then requests an IP. It appears that with this update the authentication still works but the DHCP request fails.

Anyone else here having this issue? I looked at the release notes and couldn't see anything obvious (to me at least) that would have broken this script.

GitHub Issue: https://github.com/MonkWho/pfatt/issues/67

I believe this is the part of the script that is failing.

```sh
# Excerpt from the authorization loop: runs once suppPortStatus is "Authorized".
# Variables are quoted so an empty IP_STATUS does not make the test fall apart.
if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ];
then
    /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
    RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
    IP_STATUS=$(eval ${IP_STATUS_CMD})
fi
/usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
/usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
break   # leave the retry loop (this excerpt sits inside the until-loop of the script)
```

And here is a screenshot of my boot-up. MAC Address removed. The DHCPDISCOVER just continues for a few more times, then fails out.

[Screenshot: Failed DHCP_No MAC.png]

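The post above describes two stages that can fail separately: 802.1X authorization on the ONT link, then a DHCP lease on ngeth0. The following is an added example (not part of the pfatt script or this thread) that takes captured `wpa_cli status` and `ifconfig ngeth0` output and says which stage failed, so "authorized but no lease" (the symptom reported here) is not mistaken for a certificate or supplicant problem. The status text, interface name and addresses below are constructed samples; the grep/cut extraction mirrors the one-liners the script uses.

```shell
#!/bin/sh
# Added example, not pfatt project code. Classifies the pfatt boot state from
# captured command output so the failing stage (EAP vs DHCP) is named explicitly.

# Extract suppPortStatus from `wpa_cli status` text (same grep/cut as the script).
wpa_port_status() {
    printf '%s\n' "$1" | grep 'suppPortStatus' | cut -d= -f2
}

# Extract the first IPv4 address from `ifconfig ngeth0` text; empty when none.
# Leading whitespace is stripped first so the field index does not depend on
# whether ifconfig indents with a tab or spaces.
ifconfig_inet() {
    printf '%s\n' "$1" | grep 'inet ' | sed -e 's/^[[:space:]]*//' | cut -d' ' -f2
}

# pfatt_state WPA_TEXT IFCONFIG_TEXT -> one of
#   EAP_NOT_AUTHORIZED          802.1X never completed (supplicant/cert problem)
#   AUTHORIZED_NO_LEASE         802.1X fine, DHCP on ngeth0 failed (this thread)
#   AUTHORIZED_WITH_LEASE <ip>  WAN is usable
pfatt_state() {
    wpa_text=$1
    if_text=$2
    port=$(wpa_port_status "$wpa_text")
    if [ "X$port" != "XAuthorized" ]; then
        echo "EAP_NOT_AUTHORIZED"
        return 0
    fi
    ip=$(ifconfig_inet "$if_text")
    # Empty and the 0.0.0.0 placeholder both mean "no lease", as in the script.
    if [ -z "$ip" ] || [ "$ip" = "0.0.0.0" ]; then
        echo "AUTHORIZED_NO_LEASE"
        return 0
    fi
    echo "AUTHORIZED_WITH_LEASE $ip"
}

# Constructed sample output (not captured from a real box).
WPA_OK='id=0
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=COMPLETED
ip_address=0.0.0.0
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS'
WPA_FAIL='wpa_state=ASSOCIATED
Supplicant PAE state=CONNECTING
suppPortStatus=Unauthorized
EAP state=IDLE'
IF_LEASE='ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:00:00:00:00
    inet 203.0.113.45 netmask 0xfffffc00 broadcast 203.0.113.255'
IF_ZERO='ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:00:00:00:00
    inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255'
IF_NOLEASE='ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:00:00:00:00
    inet6 fe80::1%ngeth0 prefixlen 64 scopeid 0x7'

printf 'never authorized      : %s\n' "$(pfatt_state "$WPA_FAIL" "$IF_NOLEASE")"
printf 'authorized, no inet   : %s\n' "$(pfatt_state "$WPA_OK" "$IF_NOLEASE")"
printf 'authorized, 0.0.0.0   : %s\n' "$(pfatt_state "$WPA_OK" "$IF_ZERO")"
printf 'authorized with lease : %s\n' "$(pfatt_state "$WPA_OK" "$IF_LEASE")"
```

On a live box the two arguments would come from `wpa_cli status` and `ifconfig ngeth0`; keeping the parsing separate from the commands is what lets the logic be checked against saved output from a failing boot.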
sgc (Rebel Alliance):

I am having the same problem. I did not find this until now; I posted too.

nedyah700 (Rebel Alliance):

May have figured out a solution.

https://forum.netgate.com/post/1026680

JKnott (replying to @nedyah700):

@nedyah700 said in 22.01/2.6.0 Upgrade - Broke DHCP on WAN Interface with Custom Startup Script:

    MAC Address removed.

Why? Your MAC address is irrelevant off your local connection.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

nedyah700 (Rebel Alliance, replying to @JKnott):

@jknott It is my AT&T router MAC address, and with the way AT&T authenticates on its network, this being public is not a good idea.

sgc (Rebel Alliance):

I got the certs out again and now it doesn't work. I can't get past the

```sh
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
/usr/bin/logger -st "pfatt" "waiting for EAP authorization..."
```

During all this messing, I deleted my cert, so I had to pull it again.

Here is my full script:
```sh
#!/usr/bin/env sh

EAP_SUPPLICANT_IDENTITY=""
RG_ETHER_ADDR=""
LOG=/var/log/pfatt.log
ONT_IF="igb0"

getTimestamp(){
    # Timestamp prefix for log lines (the command substitution was lost in the forum paste).
    echo "$(date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::")"
}

# DO NOT EDIT BELOW
/usr/bin/logger -st "pfatt" "starting pfatt..."
/usr/bin/logger -st "pfatt" "configuration:"
/usr/bin/logger -st "pfatt" "  ONT_IF = $ONT_IF"
/usr/bin/logger -st "pfatt" "  EAP_SUPPLICANT_IDENTITY = $EAP_SUPPLICANT_IDENTITY"
/usr/bin/logger -st "pfatt" "  RG_ETHER_ADDR = $RG_ETHER_ADDR"

# Netgraph cleanup.
/usr/bin/logger -st "pfatt" "resetting netgraph..."
/usr/sbin/ngctl shutdown $ONT_IF: >/dev/null 2>&1
/usr/sbin/ngctl shutdown vlan0: >/dev/null 2>&1
/usr/sbin/ngctl shutdown ngeth0: >/dev/null 2>&1

/usr/bin/logger -st "pfatt" "your ONT should be connected to physical interface $ONT_IF"
/usr/bin/logger -st "pfatt" "creating vlan node and ngeth0 interface..."
/usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream
/usr/sbin/ngctl name $ONT_IF:lower vlan0
/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR

/usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
/sbin/ifconfig $ONT_IF ether $RG_ETHER_ADDR
/sbin/ifconfig $ONT_IF up
/sbin/ifconfig $ONT_IF promisc

/usr/bin/logger -st "pfatt" "starting wpa_supplicant..."

# One comma-separated string, split on IFS="," below. The escaped quotes (\\\")
# survive the eval so wpa_cli receives the string values quoted; the forum paste
# had dropped the backslashes and the line continuations.
WPA_PARAMS="\
set eapol_version 2,\
set fast_reauth 1,\
ap_scan 0,\
add_network,\
set_network 0 ca_cert \\\"/root/pfatt/wpa/ca.pem\\\",\
set_network 0 client_cert \\\"/root/pfatt/wpa/client.pem\\\",\
set_network 0 eap TLS,\
set_network 0 eapol_flags 0,\
set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\
set_network 0 key_mgmt IEEE8021X,\
set_network 0 phase1 \\\"allow_canned_success=1\\\",\
set_network 0 private_key \\\"/root/pfatt/wpa/private.pem\\\",\
enable_network 0\
"
WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"

# Kill any existing wpa_supplicant process.
PID=$(pgrep -f "wpa_supplicant")
# '[ ${PID} > 0 ]' in the paste is a redirect to a file named 0, not a comparison.
if [ -n "${PID}" ];
then
    /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
    RES=$(kill ${PID})
fi

# Start wpa_supplicant daemon.
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant")
/usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."

# Set WPA configuration parameters.
/usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
IFS=","
for STR in ${WPA_PARAMS};
do
    STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
    RES=$(eval wpa_cli ${STR})
done

# Create variables to check authentication status.
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
/usr/bin/logger -st "pfatt" "waiting for EAP authorization..."

# Check authentication once per 5 seconds for 25 seconds (5 attempts). Continue without authentication if necessary (no WAN).
# ('until [ "$i" -eq 5 ]' only gave 4 attempts; -gt matches the comment.)
i=1
until [ "$i" -gt 5 ]
do
    sleep 5
    WPA_STATUS=$(eval ${WPA_STATUS_CMD})
    if [ "X${WPA_STATUS}" = "XAuthorized" ];
    then
        /usr/bin/logger -st "pfatt" "EAP authorization completed..."

        IP_STATUS=$(eval ${IP_STATUS_CMD})

        if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ];
        then
            /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
            RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
            IP_STATUS=$(eval ${IP_STATUS_CMD})
        fi
        /usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
        /usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
        sleep 5
        /usr/bin/logger -st "pfatt" "set mac address on ngeth0..."
        /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
        break
    else
        /usr/bin/logger -st "pfatt" "no authentication, retrying ${i}/5..."
        i=$((i+1))
    fi
done
```

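The until-loop at the end of the script above is the part that decides whether the box ends up with a WAN, and as written it reports "IP address is ..." even when the forced DHCP restart changed nothing. The following is an added example (not the pfatt project's code) of the same loop with the probe commands and the DHCP restart pulled into functions, so it can be run offline and its three outcomes (never authorized, authorized but no lease, lease obtained) are distinct exit codes. The function names `probe_port_status`, `probe_ngeth0_inet`, `restart_dhcp`, the `PFATT_*` variables and the stub bodies are assumptions of this example; on a pfSense box the stubs would wrap the script's own `wpa_cli`, `ifconfig ngeth0` and `/etc/rc.d/dhclient forcerestart ngeth0` commands.

```shell
#!/bin/sh
# Added example, not pfatt project code. A bounded "wait for WAN" loop in the
# shape of the script's until-loop, with the probes pulled into functions so
# the loop can be exercised offline and its outcomes told apart.

PFATT_ATTEMPTS=5   # 5 attempts x 5 s = the 25 s the script's comment describes
PFATT_INTERVAL=5   # seconds between attempts; set to 0 to run the loop instantly

# Probe hooks. The bodies below are offline placeholders; on a real box they
# would wrap the script's commands (assumed mapping, not project code):
#   probe_port_status : wpa_cli status | grep 'suppPortStatus' | cut -d= -f2
#   probe_ngeth0_inet : ifconfig ngeth0 | grep 'inet ' | cut -d' ' -f2
#   restart_dhcp      : /etc/rc.d/dhclient forcerestart ngeth0
probe_port_status() { echo "Unauthorized"; }
probe_ngeth0_inet() { echo ""; }
restart_dhcp()      { return 0; }

log() { printf 'pfatt: %s\n' "$*" >&2; }   # stand-in for /usr/bin/logger -st pfatt

# Empty and the 0.0.0.0 placeholder both count as "no lease", as in the script.
has_lease() { [ -n "$1" ] && [ "$1" != "0.0.0.0" ]; }

# wait_for_wan: prints the leased IP and returns 0 on success;
#   1 = 802.1X authorized but ngeth0 still has no lease after a forced DHCP
#       restart (the failure reported in this thread);
#   2 = suppPortStatus never reached Authorized within PFATT_ATTEMPTS tries.
wait_for_wan() {
    i=1
    while [ "$i" -le "$PFATT_ATTEMPTS" ]; do
        if [ "$PFATT_INTERVAL" -gt 0 ]; then sleep "$PFATT_INTERVAL"; fi
        if [ "X$(probe_port_status)" = "XAuthorized" ]; then
            log "EAP authorization completed"
            ip=$(probe_ngeth0_inet)
            if ! has_lease "$ip"; then
                log "no IP address assigned, force restarting DHCP"
                restart_dhcp
                ip=$(probe_ngeth0_inet)
            fi
            if ! has_lease "$ip"; then
                log "authorized but still no lease on ngeth0: DHCP, not 802.1X, is the problem"
                return 1
            fi
            printf '%s\n' "$ip"
            return 0
        fi
        log "no authentication, retrying $i/$PFATT_ATTEMPTS"
        i=$((i + 1))
    done
    log "giving up: EAP never authorized"
    return 2
}

# Stand-alone demo with the placeholder probes (never authorized). Interval 0
# only so the demo does not sleep for 25 s.
PFATT_INTERVAL=0
wait_for_wan || echo "wait_for_wan exit status: $?"
```

Because the loop returns a distinct code for "authorized but no lease", a caller can log that state separately from an EAP failure, which is exactly the distinction the first post in this thread had to work out from a boot screenshot.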
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.