ATT Uverse RG Bypass (0.2 BTC)
-
@bk150 I'm running 2.4.5 and rebooted just the other day with no problems.
-rw------- 1 root wheel 6431 Aug 22 16:46 ca.pem
-rw------- 1 root wheel 1131 Aug 22 16:46 client.pem
-rw------- 1 root wheel  887 Aug 22 16:46 private.pem
-
@AiC0315 I set my permissions to 775 and tested. It was previously set to 774. Unfortunately same message, "Waiting EAP for Autorization". Three files, ca.pem, client.pem, and private.pem. Running 2.4.5 r1 also.
-
I recently set up new service with AT&T and was not able to get wpa_supplicant/dhcp working without making a few tweaks to the pfatt.sh script:
- wpa_supplicant had to run on the bare port, not ngeth0:
-WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -ingeth0 -B -C /var/run/wpa_supplicant" +WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"
- Both the bare port and ngeth0 had to have a MAC that matched the certificates I was using (not my assigned router gateway, as I had purchased certificates online instead of messing with the firmware of my assigned gateway):
-/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR +/usr/sbin/ngctl msg ngeth0: set $EAP_SUPPLICANT_IDENTITY /usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..." +/sbin/ifconfig $ONT_IF ether $EAP_SUPPLICANT_IDENTITY /sbin/ifconfig $ONT_IF up /sbin/ifconfig $ONT_IF promisc
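Review bot: in the WPA_DAEMON_CMD hunk, `-ingeth0` becomes `-i$ONT_IF`, so $ONT_IF must be set and non-empty by the time this line runs; if it is empty the `-i` flag is left without a value and the start fails before any of the surrounding logger lines would explain why. A one-line guard such as `[ -n "$ONT_IF" ] || { /usr/bin/logger -st "pfatt" "ONT_IF is unset"; exit 1; }` above the command would make that failure visible. Note also that the control socket `-C /var/run/wpa_supplicant` is unchanged, so anything that later talks to the supplicant must address the bare port, not ngeth0.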
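Review bot: the second hunk reuses $EAP_SUPPLICANT_IDENTITY both as the MAC handed to `ngctl msg ngeth0: set` and as the argument to `ifconfig $ONT_IF ether`, which only works when the identity is literally a MAC address, and nothing in the hunk checks that before the two calls. A `case $EAP_SUPPLICANT_IDENTITY in ??:??:??:??:??:??) ;; *) /usr/bin/logger -st "pfatt" "identity is not a MAC"; exit 1;; esac` before the ngctl line would catch a wrong value up front. The unchanged logger line still says only "enabling promisc for $ONT_IF..." although the block now also rewrites that port's MAC; update the message so a later reader of the log can see the address change.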
This got me line speeds with minimal CPU usage on a bare metal installation of pfsense (CPU is a Xeon D-1518 @ 2.2 GHz, for reference, which is overkill for this but not for the 10Gbps ports).
That said, I still do not have IPv6 working fully, and am at a loss there; I can get a WAN IP via DHCPv6, and I can get prefix delegations for all of my LANs, but IPv6 packets just get dropped several hops outside of my network without the slightest hint as to why.
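A pre-flight check written for this thread (added here; it is not part of pfatt or of any post above) that tests the two conditions the posts turn on: the three .pem files carry the 0600 mode shown in the earlier listing, and the supplicant identity, the bare ONT port and ngeth0 all carry the same MAC. The function names and the certificate directory path are assumptions.

```shell
# Added example for this thread; function names and paths are assumptions, not pfatt's code.
# Lower-case a MAC and strip whitespace so "AA:BB.." and "aa:bb.." compare equal.
mac_norm() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\n'
}
# Succeed only if the first argument is a well-formed MAC and every other argument
# equals it: supplicant identity, the bare ONT port ($ONT_IF) and ngeth0 must agree.
macs_agree() {
    hh='[0-9a-f][0-9a-f]'
    first=$(mac_norm "$1")
    case $first in
        $hh:$hh:$hh:$hh:$hh:$hh) ;;
        *) echo "not a MAC: '$1'" >&2; return 1 ;;
    esac
    shift
    for m in "$@"; do
        if [ "$(mac_norm "$m")" != "$first" ]; then
            echo "MAC mismatch: '$m' != '$first'" >&2
            return 1
        fi
    done
    return 0
}
# ca.pem, client.pem and private.pem must exist with mode exactly 0600 (the layout in
# the working listing earlier in the thread); a non-root owner is only warned about.
check_pem_perms() {
    dir=$1; rc=0
    for f in ca.pem client.pem private.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2; rc=1; continue
        fi
        if [ -z "$(find "$dir/$f" -perm 600)" ]; then
            echo "mode is not 0600: $dir/$f" >&2; rc=1
        fi
        [ -n "$(find "$dir/$f" -user root)" ] || echo "warning: not owned by root: $dir/$f" >&2
    done
    return $rc
}
# Live check: read each interface's MAC from ifconfig's "ether" line (FreeBSD output)
# and compare both with the identity the certificates were issued for.
preflight() {
    dir=$1; ont=$2; ng=$3; ident=$4
    check_pem_perms "$dir" || return 1
    macs_agree "$ident" "$(ifconfig "$ont" | awk '/ether/ {print $2}')" "$(ifconfig "$ng" | awk '/ether/ {print $2}')"
}
```

Run it before starting the supplicant as `preflight /path/to/certs "$ONT_IF" ngeth0 "$EAP_SUPPLICANT_IDENTITY"` (the certificate path is a placeholder); a non-zero exit with the printed reason is cheaper to read than "Waiting EAP for Authorization".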
-
@Darth-Android said in ATT Uverse RG Bypass (0.2 BTC):
That said, I still do not have IPv6 working fully, and am at a loss there; I can get a WAN IP via DHCPv6, and I can get prefix delegations for all of my LANs, but IPv6 packets just get dropped several hops outside of my network without the slightest hint as to why.
Did you set your IPv6 to DHCPv6 on your WAN and then in the IPv6 settings set a prefix? I have my prefix set to /60 and the following settings:
Use IPv4 Connectivity as Parent Interface - Checked
Request only an IPv6 Prefix - Checked
Send IPv6 Prefix Hint - Checked
Once this is done, save, then go to each non-WAN interface, set IPv6 to TRACK, set the track interface to WAN, and start with 0, incrementing by one for each interface.
-
@pyrodex Hmmmm, those checkboxes are different from what's recommended in the pfatt repo, but even with your settings I can't get more than 2 hops into AT&T's network before the packets disappear. (traceroute6 google.com always shows pfsense + 2 more hops, and then nothing; pfsense is connected directly to the ONT in my setup.)
-
@Darth-Android said in ATT Uverse RG Bypass (0.2 BTC):
always shows pfsense + 2 more hops, and then nothing
I actually seem to get a 3rd hop beyond pfsense when I uncheck Request only an IPv6 Prefix, but still no actual connectivity to external addresses.
-
@Darth-Android Interesting, I may give this a try later. Though it's working now in bridge mode and that makes me hesitant to touch it more... especially with potential changes they're making.
Is the supplicant mode meant to be faster than bridge?
-
@shad0wca7 It should not be any faster per se, but it reduces complexity (read: failure points) and allows you to not have to find space / power for the RG.
The questions about speed are around the use of netgraph (ngctl) to strip the VLAN0 headers in pfsense instead of putting a dumb switch between the ONT and pfsense; netgraph is extremely flexible, but comes at a cost of CPU performance, and if your CPU doesn't have enough horsepower, that could be an issue. However, both the bridge and supplicant methods with pfatt use netgraph, so if you have the bridge method working satisfactorily, supplicant should be about the same in terms of speed/CPU usage.
-
Actually if you are running pfsense as a guest under vmware, you don't need netgraph at all for the wpa_supplicant version. And this also meant for me that I didn't need to do PCI passthrough of interfaces which made VM migration to another machine much easier.
I haven't been able to figure out how to make vMotion migration work, though I did buy a dumb switch that will let me play with it when I get time and the kids aren't using the network for school.
-
Ah, yeah I keep forgetting the difference between virtualized and bare-metal. If you have something that (dumb switch, virtualization) strips the VLAN0 tags, straight supplicant without any netgraph will be faster / less CPU intensive.
-
@Darth-Android cool. I'm running bare metal on an HP T620 Plus (4-core AMD Jaguar), which is ample. I'll leave bridge mode working for now but watch this with interest.
-
Hi folks, having some trouble: wpa_supplicant seems to be hanging at "starting wpa_supplicant" and doesn't advance past that. I put another /usr/bin/logger -st before WPA_DAEMON_CMD and it stops right there, before that command is run. Any ideas?
-
I am running OPNsense (Don't hate me..) with the same code base and using supplicant mode with netgraph on bare metal without issues.
I get full line speed and can make my line testing with Torrents and multiple users.
-
@shad0wca7 said in ATT Uverse RG Bypass (0.2 BTC):
supplicant mode
No updates to this thread in a while. Anyone have any luck recently with supplicant mode on bare hardware?
-
@bkatt said in ATT Uverse RG Bypass (0.2 BTC):
@shad0wca7 said in ATT Uverse RG Bypass (0.2 BTC):
supplicant mode
No updates to this thread in a while. Anyone have any luck recently with supplicant mode on bare hardware?
I've been running it...... still have to use netgraph due to VLAN 0.
-
@bkatt said in ATT Uverse RG Bypass (0.2 BTC):
@shad0wca7 said in ATT Uverse RG Bypass (0.2 BTC):
supplicant mode
No updates to this thread in a while. Anyone have any luck recently with supplicant mode on bare hardware?
I'm still running supplicant mode on my SG-5100 without any issues.
-
You can get around the VLAN0 requirement by using a dumb switch between the ONT and the pfSense/OPNsense box.
-
@bk150 A few different people were having issues. Specifically, I and a few others were having the "waiting for auth" issue. AT&T fiber was installed in the area about 2 years ago now, so maybe that has newer firmware not allowing that method to work. Or it could be something I am doing wrong. Who knows. I have had the bridge netgraph working for the last few months, I guess that's close enough.