Netgate Discussion Forum
att authentication bridge on SG-3100 IPv6 problems and wireguard not working

    General pfSense Questions
    7 Posts 2 Posters 316 Views

      jmmm
      last edited by jmmm

      I followed the instructions here (https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html).
      I get an IPV4 address (the same address I always get).

      I either do not get an IPv6 address and Prefix Allocations (PAs), or I eventually get at least one IP address for the WAN and not a PA, or I get an incorrect IPv6 address and something strange, and it seems only one usable PA subnet. I am not really sure; IPv6 DHCP and PA just isn't working properly. DUID is correct: I checked the calculated DUID against a PCAP capture to make sure they matched.

      Second problem is that wireguard will not handshake. This one is strange. Everything else is the same -- the system gets the same WAN IP address. No handshake. A few frames (presumably those required for handshake) are going back and forth and are counted on both sides by the wireguard status, but it will not handshake and come up when the ATT bypass settings are set up. This is true for wireguard over both IPv4 and IPv6. I know that inbound IPv4 open ports and port forwards work fine for all other services. What could the configuration of the interfaces for authentication bridging possibly have to do with wireguard handshaking?

      The instructions for "Add Modem-WAN Bridge Rule" bridge all frames to the WAN/ONT port -- which I presume also includes DHCP request frames. Is this correct?

      att fiber 1GBit service
      SG-3100 with 24.03 firmware
      gateway is BGW210

      I extracted the certificates from the gateway, but this seems simpler than hoping the supplicant software works for the long term with pfsense updates.

        stephenw10 Netgate Administrator
        last edited by

        Is this a fresh setup or after an upgrade to 24.03?

        What do the dhcp logs show for IPv6? Try enabling DHCPv6 client debug logging in Sys > Adv > Networking. That does produce a lot of logging though.

          jmmm @stephenw10
          last edited by jmmm

          @stephenw10
          I loaded 23.09 by USB image and then upgraded to 24.03 by internet.

          I have a second SG3100 here and will try these experiments on that one (so I don't have to keep on switching configs to keep the internet up)

          But Wireguard not working when this is set up is strange. I can't figure out how that is related.

          By the way, the 88E6141 in the SG-3100 supports VLAN tagging with VID 0 and VID 1 in hardware. However, the GUI blocks this. I'll start another thread to discuss this. I think that the 88E6141 used in the SG-3100 (and maybe also in the SG-2100, but I don't have one to check) is capable of doing the ATT authentication bridge entirely in hardware at line speed without any software support.

            stephenw10 Netgate Administrator
            last edited by

            OK, so to be clear, this was working as expected in 23.09 and then failed after the upgrade to 24.03?

              jmmm @stephenw10
              last edited by jmmm

              @stephenw10

              Everything I was explaining is in 24.03. All works without the ATT bypass instructions set. With the ATT bypass set up, DHCPv6 is strange and wireguard won't connect (but all other firewall ports and services seem to work). When I reload the prior config without the ATT bypass instructions, Wireguard works again.

              I have another SG-3100 here that is freshly loaded with 23.09 upgraded to 24.03. I can load my config onto that and then try att auth bypass again. I have tried this several times on the other switch -- but who knows.

              By the way, the Marvell switch used for the LAN ports can do the ATT bypass entirely in hardware. I'll help you guys write the VLAN and TCAM config for it.

              Also, is there a reason why the instructions have all gateway->ONT traffic bridged? Wouldn't this also bridge the modem's DHCP requests to ATT?

                stephenw10 Netgate Administrator
                last edited by

                Mmm, I can't really comment on that. I didn't write it, as I don't have access to an AT&T connection. Try it and see; contributions to the docs are always welcome.

                  jmmm
                  last edited by

                  I'm down to the one problem that IPv6 doesn't work. I can see the DHCP6 request sent over the WAN interface and the /60 PA returned. However, these never get assigned to interfaces. Also, the router sends a separate DHCP6 request for the WAN interface (because the instructions do not select "Request only an IPv6 prefix"). ATT assigns an IP address that is completely different from the PA assigned, and regardless it is not assigned to the WAN interface.
                  We should be taking the first prefix ID (for example prefix ID 0) and using it for the WAN interface IPv6 address.

                  Any further ideas? I suspect there is more configuration required for IPv6 that is not in the guide. IPv4 and everything else seems to work.

                  Have WAN DHCP6 PCAP.

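The post above separates the IA_NA address AT&T hands the WAN from the /60 IA_PD prefix and asks for prefix ID 0 to be used on WAN. The following added example (not from the thread or from pfSense) decodes those two options and the client DUID from a DHCPv6 Reply body, so a captured WAN DHCP6 PCAP can be checked against what the interfaces actually got, and carves the /64 for a given hex prefix ID out of the delegation. The sample Reply bytes, DUID and documentation addresses are constructed.

```python
import struct
import ipaddress

# DHCPv6 option codes from RFC 8415
OPT_CLIENTID, OPT_IA_NA, OPT_IAADDR, OPT_IA_PD, OPT_IAPREFIX = 1, 3, 5, 25, 26

def iter_options(data):
    """Yield (option-code, payload) pairs from a DHCPv6 option block."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated DHCPv6 option %d" % code)
        yield code, data[off:off + length]
        off += length

def parse_dhcpv6(msg):
    """Extract the client DUID, IA_NA addresses and IA_PD prefixes from a message body."""
    out = {"msg_type": msg[0], "duid": None, "addresses": [], "prefixes": []}
    for code, payload in iter_options(msg[4:]):           # skip msg-type + 3-byte xid
        if code == OPT_CLIENTID:
            out["duid"] = payload.hex()                    # compare with the calculated DUID
        elif code == OPT_IA_NA:                            # non-temporary WAN address
            for sub, sp in iter_options(payload[12:]):    # skip IAID, T1, T2
                if sub == OPT_IAADDR:
                    out["addresses"].append(str(ipaddress.IPv6Address(sp[:16])))
        elif code == OPT_IA_PD:                            # the delegated prefix (the "PA")
            for sub, sp in iter_options(payload[12:]):
                if sub == OPT_IAPREFIX:                    # preferred(4) valid(4) plen(1) prefix(16)
                    net = ipaddress.IPv6Network((sp[9:25], sp[8]), strict=False)
                    out["prefixes"].append(str(net))
    return out

def subnet_for_prefix_id(delegated, prefix_id, new_plen=64):
    """Carve the /64 selected by a hex prefix ID out of a delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    if not 0 <= prefix_id < 1 << (new_plen - net.prefixlen):
        raise ValueError("prefix ID %x does not fit in %s" % (prefix_id, delegated))
    base = int(net.network_address) + (prefix_id << (128 - new_plen))
    return str(ipaddress.IPv6Network((base, new_plen)))

def _opt(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload

# Constructed REPLY (type 7) with one IA_NA address and one delegated /60
SAMPLE_REPLY = (
    b"\x07\x01\x02\x03"
    + _opt(OPT_CLIENTID, bytes.fromhex("00030001001122334455"))  # DUID-LL, constructed MAC
    + _opt(OPT_IA_NA, struct.pack("!III", 1, 0, 0) + _opt(OPT_IAADDR,
          ipaddress.IPv6Address("2001:db8:1::1").packed + struct.pack("!II", 3600, 7200)))
    + _opt(OPT_IA_PD, struct.pack("!III", 2, 0, 0) + _opt(OPT_IAPREFIX,
          struct.pack("!II", 3600, 7200) + b"\x3c" + ipaddress.IPv6Address("2001:db8:2::").packed))
)
```

Feed the UDP payload of the captured Reply to `parse_dhcpv6` and compare `addresses` and `prefixes` with the interface assignments; a mismatch between the IA_NA address and `subnet_for_prefix_id(prefix, 0)` is the situation described in the post.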
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.