Specific EtherType packet Forwarding between WAN and OPT interfaces
-
I'd like to take all EtherType 0x888E (802.1X) packets and pass them between the WAN and an OPT interface. I think the authentication would originate at the OPT interface. To add a wrinkle to it all, the MAC address of the device connecting to the OPT interface would be spoofed on the WAN interface for this plan to work. Is this even possible with pfSense?
I must admit I'm doing something a bit off so bear with me here. I have AT&T's gigabit service and unfortunately one needs to use their Router/Gateway (RG) device that has a small NAT table and doesn't have the features I've come to rely on with pfSense. They use 802.1X authentication between the RG and the ONT (fiber to ethernet handoff) before DHCP and everything else will work. It reauthenticates periodically and when the interface on the ONT is down and then reconnected, authentication must happen again. Over on the DSL Reports forum, brianlan figured out that he could use a smart switch to set up a VLAN with the ONT on one interface and then swap the membership of the interfaces that the RG and his router are on, with the router spoofing the MAC of the RG. I have a Dell 5424 switch (fully managed Layer 2) and my knowledge gaps are preventing me from even getting the ONT and RG to talk over the same VLAN. I'm investigating that angle as well, but I'd rather not burn three interfaces on the switch when I have an open interface on my pfSense box.
-
Do you know the 802.1x credentials? If so, I'd attempt to configure wpa_supplicant (which you will have to do manually) to carry out 802.1x authentication on the interface connected to the ONT. I believe you need the -D wired in the wpa_supplicant command line and key_mgmt=IEEE8021X in the network block of the configuration file, but I've no experience of setting this up. The man pages for wpa_supplicant(8) and wpa_supplicant.conf(5) will guide you.
Packet filtering based on EtherType is a layer 2 thing - it's not really got that much to do with a router (layer 3). If you don't know the 802.1x credentials, it sounds like connecting all three devices to the same VLAN, with the pfSense interface spoofing the MAC of the AT&T gateway and all traffic other than 802.1x blocked to the AT&T gateway port will do what you want. As I don't know your switch, I don't know what is possible there.
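For readers who do hold the credentials, the wired wpa_supplicant setup the reply above sketches looks roughly like this. This is an added example, not configuration from the thread or from pfSense; the interface name (igb1), the certificate and key paths, and the identity string are placeholders, and the EAP method (TLS) is chosen because the asker says the authentication is certificate based.

```conf
# Added example (not from the thread): wired 802.1X supplicant configuration.
# Interface name, file paths and identity are placeholders for your own values.
#
# Start it with the wired driver the reply mentions, for example:
#   wpa_supplicant -B -D wired -i igb1 -c /etc/wpa_supplicant.conf
# Drop -B to keep it in the foreground and add -d to watch the EAP exchange
# while troubleshooting.

ctrl_interface=/var/run/wpa_supplicant
# Wired port only: disable wireless scanning.
ap_scan=0

network={
    # Plain 802.1X/EAP without a WPA key handshake.
    key_mgmt=IEEE8021X
    # Certificate-based EAP, matching the asker's description.
    eap=TLS
    identity="placeholder-identity"
    # Placeholder path: CA that signed the authenticator's server certificate.
    ca_cert="/etc/ssl/certs/placeholder-ca.pem"
    # Placeholder paths: your own client certificate and its private key.
    client_cert="/etc/ssl/certs/placeholder-client.pem"
    private_key="/etc/ssl/private/placeholder-client.key"
    # Omit if the private key is not encrypted.
    private_key_passwd="placeholder-passphrase"
    # No dynamic WEP keys are expected on a wired link.
    eapol_flags=0
}
```

If the authenticator re-runs 802.1X after a link drop, as the asker describes, leaving wpa_supplicant running on the interface handles the reauthentication itself; the reply's point stands that this only works when you actually possess valid credentials, and pfSense does not manage this daemon for you.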
-
My understanding is the authentication is certificate based, which I don't have access to, so there's no way out of that. I was hoping pfSense had some Layer 2 capabilities baked in, but it was a shot in the dark. I have a Dell 5424 switch which should in theory be able to only allow the 802.1X packets through to the RG and everything else to pfSense, however I'm having trouble just getting the RG and ONT to talk through the switch in the first place before any ACLs get applied.
I appreciate the reply!