AT&T authentication bridge on SG-3100: IPv6 problems and WireGuard not working
-
I followed the instructions here (https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html).
I get an IPv4 address (the same address I always get). I either do not get an IPv6 address and Prefix Allocation (PAs), or I eventually get at least one IP address for the WAN and not a PA, or I get an incorrect IPv6 address and something strange, and it seems only one usable PA subnet. I am not really sure; IPv6 DHCP and PA just isn't working properly. DUID is correct: I checked the calculated DUID against a PCAP capture to make sure they matched.
Second problem is that WireGuard will not handshake. This one is strange. Everything else is the same -- the system gets the same WAN IP address. No handshake. A few frames (presumably those required for the handshake) are going back and forth and are counted on both sides by the WireGuard status, but it will not handshake and come up when the AT&T bypass settings are set up. This is true for WireGuard over both IPv4 and IPv6. I know that inbound IPv4 open ports and port forwards work fine for all other services. What could the configuration of the interfaces for authentication bridging possibly have to do with WireGuard handshaking?
The instructions for "Add Modem-WAN Bridge Rule" bridge all frames to the WAN/ONT port -- which I presume also includes DHCP request frames. Is this correct?
AT&T fiber 1 Gbit service
SG-3100 with 24.03 firmware
Gateway is BGW210. I extracted the certificates from the gateway, but this seems simpler than hoping the supplicant software works for the long term with pfSense updates.
-
Is this a fresh setup or after an upgrade to 24.03?
What do the dhcp logs show for IPv6? Try enabling DHCPv6 client debug logging in Sys > Adv > Networking. That does produce a lot of logging though.
-
@stephenw10
I loaded 23.09 by USB image and then upgraded to 24.03 by internet. I have a second SG-3100 here and will try these experiments on that one (so I don't have to keep on switching configs to keep the internet up).
But WireGuard not working when this is set up is strange. I can't figure out how that is related.
By the way, the 88E6141 in the SG-3100 supports VLAN tagging with VID 0 and VID 1 in hardware. However, the GUI blocks this. I'll start another thread to discuss this. I think that the 88E6141 used in the SG-3100 (and maybe also in the SG-2100, but I don't have one to check) is capable of doing the AT&T authentication bridge entirely in hardware at line speed without any software support.
-
OK so to be clear this was working as expected in 23.09 and then failed after upgrade to 24.03?
-
Everything I was explaining is in 24.03. All works without the AT&T bypass instructions set. With the AT&T bypass set up, DHCPv6 is strange and WireGuard won't connect (but all other firewall ports and services seem to work). When I reload the prior config without the AT&T bypass instructions, WireGuard works again.
I have another SG-3100 here that is freshly loaded with 23.09 upgraded to 24.03. I can load my config onto that and then try AT&T auth bypass again. I have tried this several times on the other switch -- but who knows.
By the way, the Marvell switch used for the LAN ports can do the AT&T bypass entirely in hardware. I'll help you guys write the VLAN and TCAM config for it.
Also, is there a reason why the instructions have all gateway->ONT traffic bridged? Wouldn't this also bridge the modem's DHCP requests to AT&T?
-
Mmm, I can't really comment on that. I didn't write it as I don't have access to an AT&T connection. Try it and see, contributions to the docs are always welcome.
-
I'm down to the one problem that IPv6 doesn't work. I can see the DHCP6 request sent over the WAN interface and the /60 PA returned. However, these never get assigned to interfaces. Also, the router sends a separate DHCP6 request for the WAN interface (because the instructions do not select "Request only an IPv6 prefix"). AT&T assigns an IP address that is completely different from the PA assigned, and regardless it is not assigned to the WAN interface.
We should be taking the first prefix ID (for example prefix ID 0) and using it for the WAN interface IPv6 address. Any further ideas? I suspect there is more configuration required for IPv6 that is not in the guide. IPv4 and everything else seems to work.
Have WAN DHCP6 PCAP.
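The two checks the thread describes (comparing the DUID the client should be sending against what is in a capture, and reading the IA_NA address and IA_PD prefix out of the server's reply, then deriving the per-prefix-ID /64 from the delegated /60) can be done offline against the DHCPv6 message bytes themselves. The following is an added example written for this thread; it is not code from pfSense, Netgate, or any poster. It assumes the DUID in use is DUID-LL built from the gateway's MAC (type 3, Ethernet), which is an assumption about the recipe rather than something stated in the thread, and the Reply message it parses is constructed inline with documentation addresses, not taken from the poster's PCAP. Option layouts follow RFC 8415.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# DHCPv6 option codes (RFC 8415)
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_IA_PD, OPT_IAPREFIX = 1, 2, 3, 5, 25, 26
MSG_NAMES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}


def duid_ll(mac: str) -> bytes:
    """DUID-LL (DUID type 3, hardware type 1 = Ethernet) derived from a MAC address.
    Assumption: this is the DUID form the auth-bridge setup uses for the gateway MAC."""
    return struct.pack("!HH", 3, 1) + bytes.fromhex(mac.replace(":", "").replace("-", ""))


def parse_options(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV option list: 2-byte code, 2-byte length, payload. Rejects truncated options."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated DHCPv6 option %d" % code)
        opts.append((code, buf[off:off + length]))
        off += length
    return opts


def parse_message(pkt: bytes) -> Dict:
    """Extract message type, transaction id, DUIDs, IA_NA addresses and IA_PD prefixes."""
    result = {"type": MSG_NAMES.get(pkt[0], str(pkt[0])), "xid": pkt[1:4].hex(),
              "client_duid": None, "server_duid": None, "addresses": [], "prefixes": []}
    for code, data in parse_options(pkt[4:]):
        if code == OPT_CLIENTID:
            result["client_duid"] = data.hex()
        elif code == OPT_SERVERID:
            result["server_duid"] = data.hex()
        elif code == OPT_IA_NA:
            # IA_NA: IAID(4) T1(4) T2(4) then sub-options; IAADDR: addr(16) preferred(4) valid(4)
            for sub, sd in parse_options(data[12:]):
                if sub == OPT_IAADDR:
                    pref, valid = struct.unpack_from("!II", sd, 16)
                    result["addresses"].append((str(ipaddress.IPv6Address(sd[:16])), pref, valid))
        elif code == OPT_IA_PD:
            # IA_PD: IAID(4) T1(4) T2(4) then sub-options; IAPREFIX: preferred(4) valid(4) plen(1) prefix(16)
            for sub, sd in parse_options(data[12:]):
                if sub == OPT_IAPREFIX:
                    pref, valid, plen = struct.unpack_from("!IIB", sd, 0)
                    prefix = ipaddress.IPv6Address(sd[9:25])
                    result["prefixes"].append(("%s/%d" % (prefix, plen), pref, valid))
    return result


def prefix_id_subnet(delegated: str, prefix_id: int) -> str:
    """The /64 that a given prefix ID selects out of the delegated prefix (ID 0 is the first /64)."""
    subnets = list(ipaddress.IPv6Network(delegated).subnets(new_prefix=64))
    return str(subnets[prefix_id])


def check_reply(pkt: bytes, expected_mac: str) -> Dict:
    """Report whether the Client Identifier in a reply matches the expected DUID-LL
    and what address/prefix the server handed out."""
    msg = parse_message(pkt)
    msg["duid_matches"] = msg["client_duid"] == duid_ll(expected_mac).hex()
    return msg


# --- constructed sample Reply (documentation addresses, not captured traffic) ---
def _opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def build_sample_reply(client_duid: bytes) -> bytes:
    ia_addr = _opt(OPT_IAADDR, ipaddress.IPv6Address("2001:db8:0:1::10").packed + struct.pack("!II", 3600, 7200))
    ia_na = _opt(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880) + ia_addr)
    ia_prefix = _opt(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 60) + ipaddress.IPv6Address("2001:db8:abcd:10::").packed)
    ia_pd = _opt(OPT_IA_PD, struct.pack("!III", 1, 1800, 2880) + ia_prefix)
    server_duid = struct.pack("!HHI", 1, 1, 0) + bytes.fromhex("001122334455")  # constructed DUID-LLT
    return bytes([7]) + b"\x12\x34\x56" + _opt(OPT_CLIENTID, client_duid) + _opt(OPT_SERVERID, server_duid) + ia_na + ia_pd


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed gateway MAC
    report = check_reply(build_sample_reply(duid_ll(mac)), mac)
    print(report)
    for delegated, _, _ in report["prefixes"]:
        print("prefix ID 0 ->", prefix_id_subnet(delegated, 0))
```

To run this against a real capture, feed `check_reply` the UDP payload of the Reply (or Advertise) frame from the WAN PCAP and the gateway MAC; a `duid_matches` of False, or an empty `prefixes` list, narrows the problem to the request side, while a populated list with nothing assigned to interfaces points at the client/interface configuration instead.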