ATT Uverse RG Bypass (0.2 BTC)
-
I have been running pfSense for many years. I think I’ve been using it for around 10 years (having come from SmoothWall, which stagnated over 10 years ago). I have been happy with my ISP, which I’ve had since 2006; including a move in 2011 to my current home. Alas, the wife wanted to buy a new house and we take possession of the new house tomorrow. Unfortunately, my current ISP did not expand to the community where my new house has been built for whatever reason, even though it remains in the same small city. Instead, I will have to move to AT&T if I wish to maintain having synchronous gigabit service. My current ISP provides a fiber gateway that only operates in bridge mode. At the utility service demarcation location of my house, the fiber comes in to the gateway with six RJ45 network jacks and four RJ12 telephone jacks. Port #1 on this gateway goes directly into a router while the other five are to be routed to set-top boxes, should I choose their video service, which I don’t; I also do not use the telephone jacks.
In my research of AT&T, it appears that instead of having an all-in-one box that exists on the side of the house, they route the fiber to an Optical Network Terminal inside the home, which then runs to a Residential Gateway, which appears to be a WiFi router. I do not want to use a WiFi router but continue using my pfSense and my Unifi UAP-AC Pro access points placed strategically in the new house. I have read about different ways to get around this and want to make it as seamless as possible.
Of all the methods I’ve seen, it appears that the Github project “pfatt” appears to be the best solution for bypassing the residential gateway. As I read further, there are two different methods of using it with one taking quite a bit of skill to pull off; the “netgraph” method or the “WPA Supplicant” method. I believe I will be starting off by using the original, “netgraph” method of connecting the WAN port of the pfSense to the ONT and placing the RG on a third Ethernet port (my pfSense machine has four gigabit ports, so not a big deal for me). The idea of using the WPA Supplicant method is intriguing, but it sounds difficult to acquire the keys needed to facilitate it... I've seen people talking about opening up a gateway, desoldering a memory chip to put in a chip reader to dump data. If there is an easier way to get the needed information, I would love to learn about it.
I have already downloaded the script, compiled my “ng_etf.ko” and copied it to the kernel and modified the script with the known Ethernet ports each device will be plugged into. I know I will need to obtain the MAC address of my RG when it arrives, move my script, and enable it in the “/conf/config.xml” but what else will I need to do? Do I need to tell the installer to put it into a certain mode? Should I pretend like I’m going to use the gateway the way AT&T anticipates most people do while the installer is there and then change everything once they are gone?
Is there some other forum for discussing this? It seems odd that the only support is following a single thread, covering several different aspects of the process. It would make more sense if the Netgate pfSense forum had a category for “Third-party Packages, Plugins, or Mods” and then create sub-categories below that. Upon asking a question on the Github page for pfatt, I was curtly told to look at the bounties section of this forum. Searching through a single, disjointed thread is like searching for a needle in a haystack; especially since the thread isn’t labeled “pfatt”.
-
@RonRN18 The easiest way to get the certs is to find somebody selling them. I was able to get mine from a guy on the dslreports forums. Once set up, the wpa supplicant method works very well. The only problem I had was my Intel N3700 powered pfsense box would not pull full line speed, it topped out around 500mbps. I have since moved to a Xeon E3-1220V3 and have no problems pulling full line speed. I've had my gateway unplugged since September 2019.
-
@RonRN18 said in ATT Uverse RG Bypass (0.2 BTC):
In my research of AT&T, it appears that instead of having an all-in-one box that exists on the side of the house, they route the fiber to an Optical Network Terminal inside the home, which then runs to a Residential Gateway, which appears to be a WiFi router. I do not want to use a WiFi router but continue using my pfSense and my Unifi UAP-AC Pro access points placed strategically in the new house. I have read about different ways to get around this and want to make it as seamless as possible.
My setup is probably the same as what you describe (incl UAP-ACpro inside my LAN). When the ATT gigfiber was installed I was using an SG-2440. Many have said it works w/ 1g but I had poor throughput and finally did the pfatt with netgraph. It did increase my speed but not significantly. Not close to 1g.
So based on comments others made I upgraded my pfSense appliance and now run an SG-5100. I get the full 1g now. The 5100 is a bit overkill for my usage but I had read mixed reviews about the 3100 and decided to go for more HP.
I don't run a web server. I'm just a home internet user. Near as I can tell, the deal with ATT router is the NAT table (on my BG210 it is in /diagnostics menu) filling up. My system has been running for many months and that table, max of 8192, is at a whopping 77.
I did not reload pfatt on the 5100 and instead have occasionally checked the NAT table. All is well so my advice is to try your setup w/o the bypass first and see if you can live with it.
I disabled the ATT wifi and run their router in IP Passthru mode and altered the dhcp lease time to 99 days. My IP has not changed in the past many months.
Good luck.
-
@JonH in my current setup, I have 1g service through a different ISP and while I don’t get a full 1000 Mbps, I generally see 750-850 Mbps download and 800-875 Mbps upload.
I run about 20-30 VMs on 3 bare-metal multi-cpu servers. I also run 5 desktops, 3 laptops, 2 tablets, 2 smartphones, 4 TVs with at least Internet connected video streaming device each. I then have about 10 SBCs (Raspberry Pis of each generation, Beaglebone, Pine64, and another “knock-off”/alternative). I have several other connected devices. I have well over 100 statically assigned IPs in my house. This is why I’m looking at bypassing AT&T’s NATting device.
It’s my hobby, but this is one aspect I have limited experience (bypassing the RG) and finding very limited community support. I know I will eventually figure it all out, once I’ve played with it a while, I’m just trying to learn from other mistakes so I can make different mistakes, not just repeating mistakes of others.
-
@RonRN18 said in ATT Uverse RG Bypass (0.2 BTC):
It’s my hobby, but this is one aspect I have limited experience (bypassing the RG) and finding very limited community support. I know I will eventually figure it all out, once I’ve played with it a while, I’m just trying to learn from other mistakes
I get that. It wouldn't hurt to try ATT as installed and then move to pfatt if needed. When you get it all sorted out it would be nice to find out what you ended up doing.
-
@RonRN18 You should try the bypass method of cloning the ATTRG MAC address to PFSense WAN and use a switch for VLAN0 connection to the ONT. I am running PFSense baremetal on a Dell R210II directly connected to the ATT ONT through a Netgear GSS108E switch and getting a public IP. I had to reconnect the BGW210 2 times in 2019 to reauth the connection, otherwise the connection lasted through multiple server restarts over the year. Currently sitting at 85 days uptime since last reboot and haven't had to reauth in 2020 yet. When I do need to reauth, I plug in the BGW210 power and login to the Netgear switch and flip the VLANs real quick. Takes about 2 mins and most of that is waiting for the BGW210 to boot up and reauth, I could probably automate it if I had to do it enough. I also ran the same scenario in a PFSense VM in ESXI with no issues. PFATT would be nice if it was baked in and just worked with ease, and we didn't have to deal with ATT certs. But for now, this is the "easiest" bypass method.
-
The prices on ebay for the certs have really skyrocketed. I guess good 'ol supply and demand. I remember paying $20 for a nvg589 a year ago. Rooted and pulled the certs. These days they (the certs) are going for $100+.
-
@aus why did you take down the pfatt github repo?
-
I was wondering the same thing. I was getting ready to do it when I couldn't find the repo anymore. :(
-
Let's hope someone who still has the recent scripts can make them available.
-
@ikkuranus
I came here wondering the same thing. Was just about to try it.. It looks like there's a clone here, but is outdated according to the internet archive..
Edit: Maybe just use this repo
https://github.com/0xC0ncord/pfatt
-
It turns out that I have a clone from 04/19/2020 so looks like I am good to go. I would like to know what happened though...
-
@GPz1100 Do you need the scripts?
-
@AiC0315 I need them too please
-
@hfrazier since this was a public repo, do we know which is the new parent where future work should go? If he deleted/made private, there should have been a split and all the forks should have gotten reparented.
edit: looks like MonkWho is the new parent repo, based on the graph. Here's all the most recent updates for anyone who needs them https://github.com/MonkWho/pfatt/network
-
@andrewpdupuis Ah, thanks! I had found that repo just wasn't sure if it was the latest.
-
@hfrazier Looks like the latest fork from that is found at https://github.com/neclimdul/pfatt
-
Does anyone have the zip of https://github.com/aus/pfatt/tree/supplicant ?
-
I decided to check if there were any changes to pfatt last week and found out that original is now gone and my fork became a new parent. No idea how or why.
I will maintain it to the best of my abilities. I pulled some requests and done some commits to clean things up. Screwed up a little when I was uploading the supplicant branch but got it all fixed up now. I also separated OPNsense specific script into its own file for clarity. So currently https://github.com/MonkWho/pfatt contains the latest files.
@GPz1100 said in ATT Uverse RG Bypass (0.2 BTC):
Does anyone have the zip of https://github.com/aus/pfatt/tree/supplicant ?
A copy of it is here - https://github.com/MonkWho/pfatt/tree/supplicant. It contains most recent files. Unfortunately this branch was not there when I originally created my fork so I had to semi-manually recreate it from a backup I had locally.
-
@MonkWho I just want to say thank you for carrying the torch. I just recently discovered this whole workaround thing - was getting discouraged trying to find a way to build the netgraph for my SG3100 - then found out it is included with pfsense now. Except on 2.4.5, the ng_etf package is missing! lol
https://redmine.pfsense.org/issues/10463
So now I must wait until 2.4.5-p1 release to be able to set this all up. Anyways, thank you for carrying on the work @aus started.
-
@glio Maybe I am missing something, I am running 2.4.5 with the supplicant bypass. I did install it on an earlier version.
-
@AiC0315 The EAP proxy is not available without ng_etf being present. I've not previously set up this stuff on earlier versions so maybe that's the difference.
-
I've heard people being able to use the supplicant mode without netgraph if they used a switch or bypass switch between pfSense and the ONT. Can anyone confirm and what model switch did you use?
I tried this on my new physical firewall with a DGS-1005G and had no luck. Anyone?
-
So based on what I'm reading over the past 2+ years pfsense still requires netgraph in order to work with the 802.1x certificates?
Also of note, someone on Reddit found a downgrade loophole for the BGW210-700 which allows root access. So you can extract the 802.1x certificates and disable the auto-updates to the gateway.
Reddit post:
https://www.reddit.com/r/ATT/comments/g59rwm/bgw210700_root_exploitbypass/
Pastebin with steps to perform:
https://pastebin.com/SUGLTfv4
-
Is this expected behavior?
Running the netgraph bypass as documented at https://github.com/MonkWho/pfatt . No LANs have been routed to ngeth0 just yet.
I get about one packet every two-three minutes from the RG: tcpdump -ei em4
10:06:30.887851 f8:2d:c0:yy:yy:yy (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 424: vlan 0, p 3, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from f8:2d:c0:yy:yy:yy (oui Unknown), length 378
And I get about 100 per minute from the ONT: tcpdump -ei em5
09:59:03.144906 a0:f3:e4:59:27:94 (oui Unknown) > f8:2d:c0:yy:yy:yy (oui Unknown), ethertype 802.1Q (0x8100), length 60: vlan 0, p 0, ethertype IPv4, 162-224-176-1.lightspeed.stlsmo.sbcglobal.net > zzz-zzz-179-129.lightspeed.stlsmo.sbcglobal.net: ICMP echo reply, id 30739, seq 4885, length 8
- $RG_IF = em4
- $ONT_IF = em5
- f8:2d:c0:yy:yy:yy / zzz-zzz-179-129.lightspeed.stlsmo.sbcglobal.net = my RG
- a0:f3:e4:59:27:94 / 162-224-176-1.lightspeed.stlsmo.sbcglobal.net = ATT
-
^^For the first one, I think that might be a byproduct of the rg not getting an ip when using the eap proxy method. That is, it keeps requesting, but because the proxy only passes 802.1x traffic, it never actually receives it.
The 2nd looks like the gateway is responding to a ping request? You have something pinging the gateway ip (162.224.176.1) often?
-
Sounds like the first one is benign, unless, it is an indicator that something else is wrong.
The second - I’m not pinging in on that IP.
Edit: The second thing, with the 100+ pings per minute, was the pfSense gateway monitor. It's now disabled.
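Added example, not part of any post in this thread: a small Python triage of `tcpdump -e` output like the captures quoted above, counting VLAN-tagged frames per source MAC and traffic type so that periodic RG DHCP requests and a burst of ICMP echo replies stand out. The sample lines, MAC addresses and hostnames are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed capture lines in the `tcpdump -e` format quoted in the thread.
# MACs and hostnames are placeholders: aa = the RG, bb = the upstream gateway.
SAMPLE = """\
10:06:30.887851 02:00:00:aa:aa:aa (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 424: vlan 0, p 3, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 02:00:00:aa:aa:aa (oui Unknown), length 378
10:06:31.144906 02:00:00:bb:bb:bb (oui Unknown) > 02:00:00:aa:aa:aa (oui Unknown), ethertype 802.1Q (0x8100), length 60: vlan 0, p 0, ethertype IPv4, gw.example.net > host.example.net: ICMP echo reply, id 30739, seq 4885, length 8
10:06:31.645010 02:00:00:bb:bb:bb (oui Unknown) > 02:00:00:aa:aa:aa (oui Unknown), ethertype 802.1Q (0x8100), length 60: vlan 0, p 0, ethertype IPv4, gw.example.net > host.example.net: ICMP echo reply, id 30739, seq 4886, length 8
10:06:32.486546 02:00:00:aa:aa:aa (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 22: vlan 0, p 0, ethertype EAPOL, EAPOL start (1) v2, len 0
listening on em5, link-type EN10MB (Ethernet), capture size 262144 bytes
"""

# One 802.1Q-tagged frame as printed by `tcpdump -e`.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)(?: \(oui [^)]*\))? > "
    r"(?P<dst>\S+?)(?: \(oui [^)]*\))?, ethertype 802\.1Q \(0x8100\), "
    r"length \d+: vlan (?P<vlan>\d+), p (?P<pcp>\d+), "
    r"ethertype (?P<etype>\w+), (?P<rest>.*)$"
)

def parse(line):
    """Return a dict for a tagged frame, or None for any other line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    if m["etype"] == "EAPOL":
        kind = "EAPOL"            # 802.1X authentication traffic
    elif "BOOTP/DHCP" in m["rest"]:
        kind = "DHCP"
    elif "ICMP echo" in m["rest"]:
        kind = "ICMP echo"
    else:
        kind = m["etype"]         # fall back to the inner ethertype
    return {"src": m["src"], "dst": m["dst"], "vlan": int(m["vlan"]),
            "pcp": int(m["pcp"]), "kind": kind}

def summarise(text):
    """Count frames per (source MAC, VLAN id, traffic kind)."""
    counts = Counter()
    for line in text.splitlines():
        frame = parse(line)
        if frame:
            counts[(frame["src"], frame["vlan"], frame["kind"])] += 1
    return counts

if __name__ == "__main__":
    for (src, vlan, kind), n in summarise(SAMPLE).most_common():
        print(f"{n:4d}  {src}  vlan {vlan}  {kind}")
```
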
-
What gateway box are you using? Maybe time to dump it entirely and go wpa_supplicant method?
-
@GPz1100 Worked on that last night, I’ve got the certs off of the RG and broken into PEMs. Will work on the rest this evening.
Bricked the gateway though. I think I left the file system RW when I rebooted. It’s in a boot loop.
Thankfully, I still have my Charter connection, so I’m not in an outage condition.
-
Can't get the supplicant mode to work.
I had to comment lines 205-231 of pfatt.sh to get the system to boot.
wpa_cli status says:
Supplicant PAE state=HELD
suppPortStatus=Unauthorized
EAP state=FAILURE
tcpdump -i ONT_IF -e vlan says:
05:20:52.486546 f8:2d:c0:xx:xx:xx (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 22: vlan 0, p 0, ethertype EAPOL, EAPOL start (1) v2, len 0
/conf/pfatt/bin/* is 755 and /conf/pfatt/wpa/* is 644
Certs import without error into the web configurator, if only to make sure that they're intact. I've since pulled them back out of there.
What could be keeping this thing from being authorized?
-
I just moved into a temporary housing situation and was told this unit has ATT U-Verse. I'm looking at the back of my current RG (BGW210-700) and it's using an RJ11 from "broadband" port to the wall. The wall port doesn't have an RJ45 connection. Are there any workarounds for this using this method?
-
Rj11 = dsl. You need fiber.
-
@neatneat said in ATT Uverse RG Bypass (0.2 BTC):
I just moved into a temporary housing situation and was told this unit has ATT U-Verse. I'm looking at the back of my current RG (BGW210-700) and it's using an RJ11 from "broadband" port to the wall. The wall port doesn't have an RJ45 connection. Are there any workarounds for this using this method?
Uverse is the name of their interwebz service which can be DSL or Fiber. You could get a DSL modem if you don't want to use their equipment. If you have uverse TV service, or ATT home phone service, you'll need to keep their equipment in place.
-
I removed the gateway from my setup using the supplicant method from MonkWho's fork of pfatt from aus.
https://github.com/MonkWho/pfatt/tree/supplicant
This worked well on a SG-5100 on pfSense 2.4.5 p1 with certificates purchased on eBay from maczrcool. I'm getting full line speed (940/940) with no issues. I've tested that the setup survives expected and unexpected reboots.
-
@bk150 I'm trying to do what you've accomplished, on my PCEngines APU2 box with 2.4.5 p1 using MonkWho's fork. I have the certs extracted from my Arris BGW210. Did you also need Netgraph for the Supplicant approach? I was hoping to avoid it.
-
@lmgcnbzlp said in ATT Uverse RG Bypass (0.2 BTC):
I have the certs extracted from my Arris BGW210
Just wondering what you used to extract the certs.
-
@JonH I used the python script method per:
https://www.reddit.com/r/ATT/comments/g59rwm/bgw210700_root_exploitbypass/
Had to run it twice because the script didn't have a wait period defined to account for telnet server startup leadtime, but on the second run it appears to have worked and was able to save the certs to my local machine in the manner documented in the readme.
-
Did you get this to work? I am trying to enable pfsense to be moved to a different system via vmotion for doing maintenance on the host. Right now I use the netgraph bypass method, but I don't think it will work if I am using PCI device passthrough, which prevents the VM from being migrated.
Does the vlan0 tagging get interfered with by vmware's management of the network interfaces? I can use port mirroring on a switch to make the ONT and even the gateway available on multiple systems.
thx
mike