ATT Uverse RG Bypass (0.2 BTC)
-
I have <earlyshellcmd>/conf/pfatt.sh</earlyshellcmd> right above the </system> line in the config.xml -- that's what the instructions say.
I'm familiar with the shell command pkg and have it installed/used it for the wpa_supplicant method. Just was curious why config.xml was clearing out this section after reboot.
-
Because manual edits of the config file are not guaranteed to be saved.
Use the shell command package.
-
@Derelict thought that config.xml did not get overwritten or recreated/changed at boot. is that incorrect (and if so, is the whole file reparsed or just certain sections)?
-
Manual edits outside the GUI are not supported. You can edit what is there if there is a supported configuration, but adding something like earlyshellcmd without the shell command package installed is just asking for trouble. Best to use the gui.
-
I did/do have the shell command pkg installed, same treatment.
-
That makes no sense. You'll have to post more details. Use the shell command package to make the entry and you will be fine.
-
@Derelict said in ATT Uverse RG Bypass (0.2 BTC):
That makes no sense. You'll have to post more details. Use the shell command package to make the entry and you will be fine.
but adding something like earlyshellcmd without the shell command package installed is just asking for trouble. Best to use the gui.
I read this as -- if I have the shell command package installed, I can use the <earlyshellcmd> in the config.xml, which is what I did. That still gets eliminated from the config.xml on reboot.
I will use the shell cmd package. Directions for the pfatt script might need to be updated then.
-
Yes, that was bad advice. The internet is full of it.
-
shellcmd package is easiest option here.
that said, even the pfSense book suggests hand editing config.xml in certain situations:
https://docs.netgate.com/pfsense/en/latest/book/bridging/bridging-and-interfaces.html#quickest-but-most-difficult-hand-edit-config-xml
Is that bad advice? Beyond @bulldog5's issue, this is just an educational question about how config.xml is handled at boot time rather than whether hand editing it is advisable, supported or safe to do.
-
It is fine if you are manually changing the configuration instead of using the GUI for something that has a GUI field. The system does not know the difference when you restore the configuration.
But you should use the GUI to initially establish the necessary XML. In the instant case, that involves installing the shellcmd package.
For instance, if you are migrating a configuration from a system with em NICs to one with igb NICs it is perfectly acceptable to download the configuration, edit it to change the physical NIC names, and restore it to the new unit.
But don't expect just any manual edit to survive.
In other words, changing values in existing XML tags works (as long as your changes are sane) but you have to know exactly what you are doing if you choose to add your own tags from nothing.
-
Thanks for elaborating @Derelict, makes sense. Just speculating along those lines, as it sounded like he was using both the gui (via shellcmd pkg) and manually editing the <earlyshellcmd> section -- that may be why manual edits were lost at boot (gui superseded them).
-
Thanks for clearing it up.
-
Has anyone attempted (or ideally achieved) a bypass of the AT&T ONT? I am successfully bypassing the Residential Gateway, but I was curious about taking the fiber directly in to an SFP or SFP+ NIC. Latency should be superior by avoiding the media conversion to copper. The same NIC could then connect to a switch via fiber on a different port.
-
@jasonsansone you should look at the pfatt method to bypass. I use it to plug my ONT directly into my pfSense router. https://github.com/aus/pfatt
-
@Makaveli6103 thank you, but you misunderstand my inquiry. I am using pfatt. The ONT connects via Cat6 into the NIC in my pfSense installation. I want to bypass the ONT so that the fiber line goes directly in to pfSense without the media conversion from fiber to copper.
-
@jasonsansone
Not possible. It's the ONT that sets your line rate so you better believe there is security in it else anyone could just bypass it and get full gig.
-
Ya, after more thought and research I realized that being the DMARC, I shouldn’t screw with it. Thank you.
-
I'm able to get this working in bridge mode but when I try it in supplicant mode, the boot up looks like this.
Loading configuration......done.
pfatt: starting pfatt...
pfatt: configuration:
pfatt: ONT_IF = em0
pfatt: RG_ETHER_ADDR = xx:xx:xx:xx:xx:xx
pfatt: EAP_MODE = supplicant
pfatt: EAP_SUPPLICANT_IDENTITY = xx:xx:xx:xx:xx:xx
pfatt: EAP_BRIDGE_IF = em1
pfatt: EAP_BRIDGE_5268AC = 0
pfatt: resetting netgraph...
pfatt: configuring EAP environment for supplicant mode...
pfatt: cabling should look like this:
pfatt: ONT---[] [em0]
pfatt: creating vlan node and ngeth0 interface...
ngeth0: link state changed to UP
pfatt: enabling promisc for em0...
em0: permanently promiscuous mode enabled
pfatt: starting wpa_supplicant...
pfatt: wpa_supplicant running on PID 453...
pfatt: setting wpa_supplicant network configuration...
pfatt: waitng EAP for authorization...
em0: link state changed to UP
Then it just sits there. I have the certs in /conf/pfatt/wpa and the MAC address is correct.
Any ideas of what might be wrong? Thanks!
-
Figured out the problem. The code is looking for:
ca.pem
client.pem
private.pem
My .pem files were named differently. Once I changed them I got supplicant mode working. One odd thing I noticed: download speeds are 500-600 while upload speeds are 920-940.
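A preflight check for the failure described in the post above, written as an added example that is not part of the original post or of the pfatt project: it confirms that the three file names the poster reports (ca.pem, client.pem, private.pem) are present in the wpa directory, points out stray .pem files, and warns when the private key is accessible to group or other. The function name check_pfatt_certs and its messages are made up for this example; the default path is the one given in the thread.

```shell
#!/bin/sh
# Added example: preflight check for pfatt supplicant mode.
# Assumption: directory and file names are those reported in the thread
# (/conf/pfatt/wpa containing ca.pem, client.pem, private.pem).

# check_pfatt_certs [DIR]
# Prints one line per finding; returns 0 if all three files look usable, 1 if not.
check_pfatt_certs() {
    dir=${1:-/conf/pfatt/wpa}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    for name in ca.pem client.pem private.pem; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "FAIL: missing $f"
            rc=1
        elif [ ! -s "$f" ]; then
            echo "FAIL: $f is empty"
            rc=1
        elif ! grep -q -e '-----BEGIN ' "$f"; then
            echo "FAIL: $f has no PEM header (DER-encoded or wrong file?)"
            rc=1
        fi
    done
    # Stray .pem files usually mean the certs were saved under other names.
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            ca.pem|client.pem|private.pem) ;;
            *) echo "NOTE: unexpected $f (not one of the expected names)" ;;
        esac
    done
    # The private key should be readable by its owner only.
    key="$dir/private.pem"
    if [ -f "$key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "WARN: $key is accessible to group/other; chmod 600 it"
        fi
    fi
    return $rc
}
```

Calling check_pfatt_certs with no argument checks /conf/pfatt/wpa; a non-zero return means supplicant mode would start without usable credentials.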
-
So I am not having luck. I have tried in both the dumb switch, bridge mode way and using the pfatt.sh add-on. On first bootup I never got prompted to adjust interfaces, but in the web GUI I was able to select the ngeth0 interface for my WAN.
DHCP never pulls down an IP and just displays 0.0.0.0. This is the same thing that happened when I tried it in dumb switch bridge mode.
Right now the connection from AT&T is directly plugged into igb4 and igb3 is plugged directly into my BGW210.
When I had tested dumb switch bridge mode I had tested with the AT&T line going through my switch then to the modem, all worked, but then unplugging the modem and spoofing the MAC never seemed to work. Any ideas? We are a small office, but no way the 8k session limitation is doable for us so I must have a workaround or we will end up paying the ETF and cancelling services.
Some info from my config.
There are 11 total nodes:
Name: igb0_366 Type: ether ID: 00000024 Num hooks: 0
Name: igb3 Type: ether ID: 00000004 Num hooks: 2
Name: snmpd Type: socket ID: 00000025 Num hooks: 0
Name: igb4 Type: ether ID: 00000005 Num hooks: 1
Name: <unnamed> Type: socket ID: 00000009 Num hooks: 0
Name: o2m Type: one2many ID: 0000000e Num hooks: 3
Name: vlan0 Type: vlan ID: 00000011 Num hooks: 2
Name: ngeth0 Type: eiface ID: 00000014 Num hooks: 1
Name: waneapfilter Type: etf ID: 00000018 Num hooks: 2
Name: ngctl25340 Type: socket ID: 0000003a Num hooks: 0
Name: eapfiltlaner Type: etf ID: 0000001c Num hooks: 3
Log file
2019-10-16 13:19:45 :: [pfatt.sh] :: pfSense + AT&T U-verse Residential Gateway for true bridge mode
2019-10-16 13:19:45 :: [pfatt.sh] :: Configuration:
2019-10-16 13:19:45 :: [pfatt.sh] :: ONT_IF: igb4
2019-10-16 13:19:45 :: [pfatt.sh] :: RG_IF: igb3
2019-10-16 13:19:45 :: [pfatt.sh] :: RG_ETHER_ADDR: xxxxx
2019-10-16 13:19:45 :: [pfatt.sh] :: OPNSENSE: no
2019-10-16 13:19:45 :: [pfatt.sh] :: loading netgraph kernel modules... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: attaching interfaces to ng_ether... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: building netgraph nodes...
2019-10-16 13:19:45 :: [pfatt.sh] :: creating ng_one2many... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: creating vlan node and interface... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: defining etf for igb4 (ONT)... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: defining etf for igb3 (RG)... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: bridging etf for igb4 <-> igb3... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: defining filters for EAP traffic... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: enabling one2many links... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: removing waneapfilter:nomatch hook... OK!
2019-10-16 13:19:45 :: [pfatt.sh] :: enabling igb3 interface... OK!
2019-10-16 13:19:46 :: [pfatt.sh] :: enabling igb4 interface... OK!
2019-10-16 13:19:46 :: [pfatt.sh] :: enabling promiscuous mode on igb3... OK!
2019-10-16 13:19:46 :: [pfatt.sh] :: enabling promiscuous mode on igb4... OK!
2019-10-16 13:19:46 :: [pfatt.sh] :: ngeth0 should now be available to configure as your pfSense WAN
2019-10-16 13:19:46 :: [pfatt.sh] :: done!
2019-10-16 13:39:46 :: [pfatt.sh] :: pfSense + AT&T U-verse Residential Gateway for true bridge mode