ATT Uverse RG Bypass (0.2 BTC)
-
Just occurred to me as an alternative that you could use a NetGraph multiplexer node instead of the ng_tee node.
-
I did a bit more testing, but no success just yet. (I suspect I need to first try to get this to work on phsyical hardware. Currently trying using a pfSense VM and I'm not seeing packet carry over from Linux hypervisor to the pfSense VM)
Regarding the ng_ether "bug", I did some digging on this. It turns out that this is not a bug necessarily. pfSense actually does a NGM_ETHER_DETACH against interfaces under some circumstanaces.
https://github.com/pfsense/pfsense/blob/9a18ac7af8ae4a4fde8998c18cc7ba7802056477/src/etc/inc/interfaces.inc#L180
I think this was for performance reasons back when netgraph had performance overhead.
Anyways, you think you'd be able to just do a control message of NGM_ETHER_ATTACH, but that doesn't exist in vanilla FreeBSD. Luckily, pfSense integrates some patches to enable NGM_ETHER_ATTACH, but you have to call it from PHP.
https://github.com/pfsense/FreeBSD-ports/blob/e178a5cf520e928efb3c7d896e3d9fcfb41ac7e5/devel/php56-pfSense-module/files/pfSense.c#L3094
This will re-enable the interface as a node in netgraph:
php -r 'pfSense_ngctl_attach(".", "em0");'
Also, for ng_one2many (assuming that's what you mean by multiplexer) I don't think that will work. I initially looked at this too, but it distributes packets in a round-robin fashion so the many's would only see some packets. At least, that's how I interpret the man page.
-
ng_one2many is what I was referring to. The man page states that it has several transmission modes, including round-robin and transmit-all. The man page says that the round robin mode is the default, but my experience when playing with it is that transmit-all was the default. In either case, you could easily set the transmission mode to transmit-all to ensure that you get the desired behavior. So it will work and is simpler to work with than ng_tee.
That's great research on the ng_ether issue. It's been holding me up for awhile, forcing me to do my testing on other distributions (e.g., vanilla FreeBSD and OPNSense) and then curse when I couldn't get it working on PFSense. I'll have to see if it works with my scripts on a VM or PFSense. It should, but Murphy's law always strikes me down!
-
Doh! Good catch on the ng_one2many transmit-all algorithm. I was looking at an old man page from an earlier version of FreeBSD, which it didnt support transmit-all yet. That's what I get for googling the man pages, instead of reading them in terminal! May give this a shot later… I'll report back if I have any success.
Cheers!
-
It worked!! True U-verse bridge mode on pfSense!
[2.4.2-RELEASE][root@pfsense.knox.lan]/root: ngctl list There are 9 total nodes: Name: T Type: tee ID: 00000021 Num hooks: 3 Name: ue0 Type: ether ID: 00000003 Num hooks: 2 Name: vlan0 Type: vlan ID: 00000024 Num hooks: 2 Name: <unnamed>Type: socket ID: 00000006 Num hooks: 0 Name: ngctl96372 Type: socket ID: 00000047 Num hooks: 0 Name: ngeth0 Type: eiface ID: 00000027 Num hooks: 1 Name: waneapfilter Type: etf ID: 0000002a Num hooks: 3 Name: laneapfilter Type: etf ID: 00000031 Num hooks: 3 Name: em0 Type: ether ID: 00000019 Num hooks: 2 [2.4.2-RELEASE][root@pfsense.knox.lan]/root: ifconfig em0 em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=40098 <vlan_mtu,vlan_hwtagging,vlan_hwcsum,vlan_hwtso>ether xx:xx:xx:xx:xx:xx hwaddr xx:xx:xx:xx:xx:xx media: Ethernet autoselect (1000baseT <full-duplex>) status: active [2.4.2-RELEASE][root@pfsense.knox.lan]/root: ifconfig ue0 ue0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=8000b <rxcsum,txcsum,vlan_mtu,linkstate>ether xx:xx:xx:xx:xx:xx hwaddr xx:xx:xx:xx:xx:xx media: Ethernet autoselect (100baseTX <full-duplex>) status: active [2.4.2-RELEASE][root@pfsense.knox.lan]/root: ifconfig ngeth0 ngeth0: flags=8a43 <up,broadcast,running,allmulti,simplex,multicast>metric 0 mtu 1500 options=28 <vlan_mtu,jumbo_mtu>ether xx:xx:xx:xx:xx:xx inet xx.xx.xx.xx netmask 0xfffffc00 broadcast xx.xx.xx.xx media: Ethernet autoselect (1000baseT <full-duplex>) status: active</full-duplex></vlan_mtu,jumbo_mtu></up,broadcast,running,allmulti,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,linkstate></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu,vlan_hwtagging,vlan_hwcsum,vlan_hwtso></up,broadcast,running,simplex,multicast></unnamed>
For reference…
em0 is connected to my ONT.
em1 is connected to my LAN
ue0 is connected to my RG (via USB ethernet)
ngeth0 is the VLANed device which is configured as my WAN in pfSenseCommands to get it running (thanks for the help on ng_tee rajl!) ...
# copy and load ng_etf kernel module kldload /boot/kernel/ng_etf.ko # # setup netgraph nodes # # list out netgraph nodes ngctl list # pfSense for some reason detaches ether devices. reattach any missing devices. php -r 'pfSense_ngctl_attach(".", "em0");' # create tee node to split em0 traffic (one for EAP, one for VLAN0) ngctl mkpeer em0: tee lower left # may get a warning ngctl name em0:lower T # create vlan node + eiface ngctl mkpeer T: vlan right downstream ngctl name T:right vlan0 ngctl mkpeer vlan0: eiface vlan0 ether ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' # create etf and connect to em0 (ONT) ngctl mkpeer T: etf left2right downstream ngctl name T:left2right waneapfilter ngctl connect waneapfilter: em0: nomatch upper # create etf and connect to em1 (RG) ngctl mkpeer ue0: etf lower downstream ngctl name ue0:lower laneapfilter ngctl connect laneapfilter: ue0: nomatch upper # define filters for EAP traffic ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' # use filters to bridge EAP traffic ngctl connect waneapfilter: laneapfilter: eapout eapout # change MAC address to match RG (also can be done in pfSense) ifconfig ngeth0 ether xx:xx:xx:xx:xx:xx
There is still worked to be done though to make this perfect though…
1. Explore using ng_one2many to see if that simplifies the netgraph a bit
2. Automate / Harden change so its persistant across reboots (rajl already documented this earlier)
3. Document!And for what it's worth, I'm running this pfSense in a virtual machine via Proxmox (QEMU/KVM). I couldnt get the VLAN0 traffic to bridge across the interface into pfSense, so I ended up doing a PCI passthrough of the NIC device.
-
That's awesome!!! My suspicion is that this would run on baremetal just fine (have to test though). So let's say there's a 4th todo - test this to run on baremetal for those of use that don't virtualize! :-) Hopefully, it won't take too much modification.
This should be pretty easy to automate so that it executes across reboots. Just save your commands as a shell script (don't forget the #!/bin/sh at the beginning of the file) and follow the PFSense instructions for executing shell scripts at the end of the boot process.
https://doc.pfsense.org/index.php/Executing_commands_at_boot_time
I read somewhere that ATT will occassionally push firmware updates to the RG, which this setup may have problems with because the RG is being isolated from the ATT network. But that's a bridge to cross when we get there.
-
Would it be possible to have ONT go to port A of a switch set to vlan 20
and have port B of that switch also on vlan 20 connect to the RG's ONT port?Would a switch normally process/filter those 802.1x packets in such a setup?
My pfsense vm is in a different area of the house on a different switch and I'm curious if I'll be able to get this working.
Also, is there any practical benefit to doing this? For instance, would it open outgoing tcp port 25 traffic?
-
Would it be possible to have ONT go to port A of a switch set to vlan 20
and have port B of that switch also on vlan 20 connect to the RG's ONT port?Would a switch normally process/filter those 802.1x packets in such a setup?
My pfsense vm is in a different area of the house on a different switch and I'm curious if I'll be able to get this working.
Also, is there any practical benefit to doing this? For instance, would it open outgoing tcp port 25 traffic?
I don't know the answer to your question, but I suspect that won't work. The problem is that ONT traffic comes in on VLAN0 and needs to egress on VLAN0. I'm not sure your switch would tag VLAN0 <-> VLAN20 accordingly.
Also, I'm having some duplicate packets in my previous setup. Hoping one2many might solve that. More to come…
-
Would it be possible to have ONT go to port A of a switch set to vlan 20
and have port B of that switch also on vlan 20 connect to the RG's ONT port?Would a switch normally process/filter those 802.1x packets in such a setup?
My pfsense vm is in a different area of the house on a different switch and I'm curious if I'll be able to get this working.
Also, is there any practical benefit to doing this? For instance, would it open outgoing tcp port 25 traffic?
I'll try to answer your questions in detail.
First, the switch setup you're describing won't work because your switch would block the traffic for several reasons. First, if the switch would drop the ethernet frames because ATT tags them as vlan0, but you're setting your ports for vlan20. Second, your switch would probably drop all the authentication frames (802.1X) because most (but not all) switches are fully compliant with 802.1D, which requires that switches and bridges not forward 802.1X frames. However, some switches are not standard compliant and will forward the frames anyway.
That said, you could always run a long cable from one of the house to the other to solve the problem.
Regarding your question about practical benefits, the main practical benefit is performance. The RGs tend to have (1) a small state table with a limited number of entries and (2) middling (at best) performance ARM processors that start to choke under load when you start to do "real routing." As an example, get a few good bit-torrents going on a 1-Gig connection and they try to browser the web. Your performance will crawl because the RG's state table is too small to keep track of all of the connections and the RG's processor is unable to process all the connections at line-speed. Bypassing the RG to use your own PFSense box solves both of these problems.
Some older (but still relevant) articles on why you would want to replace consumer grade routers with an x86 router (such as one using PFSense) are below:
https://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/
https://arstechnica.com/gadgets/2016/09/the-router-rumble-ars-diy-build-faces-better-tests-tougher-competition/ -
I was afraid you were going to say that – I tried it last night and was unsuccessful.
I've got one of those Netgate gs-2440's that I'll use instead of the vm. I'll be able to put it right next to the RG and ONT.
-
Going to try this today with my 4 port SuperMicro physical and report back. Had to install FreeBSD 11.1 in a VM to get the kernel module since the link seems to be dead.
UPDATE:
No luck.
I use the crappy switch trick today and swap VLANs and my igb0 is the MAC of the RG. My igb0 (WAN) is connected into my bypass switch on a VLAN with the ONT and the RG is on another VLAN that gets flipped and flopped if the internet goes down.
I tried the script and connected igb0 straight into the ONT and igb3 to the RG removing my bypass switch out of line. I had no luck and the RG would attempt to AUTH the port on the ONT but never went past that.
Here is the script I used:
#igb2 is connected to the ONT #lagg0 is connected to the LAN #igb3 is connected to the RG #ngeth0 is the VLANed device which is configured as my WAN in pfSense # copy and load ng_etf kernel module /sbin/kldload /boot/kernel/ng_etf.ko # # setup netgraph nodes # # list out netgraph nodes /usr/sbin/ngctl list # pfSense for some reason detaches ether devices. reattach any missing devices. php -r 'pfSense_ngctl_attach(".", "igb0");' # create tee node to split ONT traffic (one for EAP, one for VLAN0) /usr/sbin/ngctl mkpeer igb0: tee lower left # may get a warning /usr/sbin/ngctl name igb0:lower T # create vlan node + eiface /usr/sbin/ngctl mkpeer T: vlan right downstream /usr/sbin/ngctl name T:right vlan0 /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' # create etf and connect to ONT /usr/sbin/ngctl mkpeer T: etf left2right downstream /usr/sbin/ngctl name T:left2right waneapfilter /usr/sbin/ngctl connect waneapfilter: igb0: nomatch upper # create etf and connect to RG /usr/sbin/ngctl mkpeer igb3: etf lower downstream /usr/sbin/ngctl name igb3:lower laneapfilter /usr/sbin/ngctl connect laneapfilter: igb3: nomatch upper # define filters for EAP traffic /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' # use filters to bridge EAP traffic /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout # change MAC address to match RG (also can be done in pfSense) ifconfig ngeth0 ether <mac></mac>
-
It's hard to say what your exact issue is without more information.
However, the first thing I would do is run some tcpdumps to see what's going on.
You should run tcpdumps on the ONT interface and the RG interface:
tcpdump -ei em0 tcpdump -ei em1
From the RG interface, you should see some EAPOL starts:
MAC (oui Unknown) > MAC (oui Unknown), ethertype EAPOL (0x888e), length 60: EAPOL start (1) v2, len 0
These packets come every so often. I think the RG does some backoff /delay if it doesnt immediately auth correctly. You can always reboot your RG to initiate.
If your netgraph is setup correctly, this EAP start packet from the RG will be bridged onto your ONT interface. Then you should see some more EAP packets from the ONT interface and RG interface as they negotiate 802.1/X EAP authentication.
Once that completes, you should start seeing 802.1Q (tagged as vlan0) traffic on your ONT interface.
I start another tcpdump on my VLAN0 netgraph device to see if netgraph is bridging over the VLAN0 to ngeth0:
tcpdump -ei ngeth0
If I dont see traffic being bridged between ngeth0 and the ONT interface, then netgraph is not setup correctly. At this point, ngeth0 needs to DHCP using the authorized MAC address. You should see an untagged DCHP request on ngeth0 carry over to the ONT interface tagged as VLAN0. Then you should get a DHCP response and you're in business.
-
Hey guys,
I'm trying to wrap my head around all of this and how it works.
I believe the network diagram I've created is how things should be wired up.
igb0 (WAN/ONT) needs to have the mac address of the ATT Residential Gateway (RG).
igb2 is connected to the RG and somehow the ONT<->RG authentication magic happens (EAP Proxy?).
igb1 (LAN) goes to switch.Somehow pfsense is not confused by the mac address on igb0 and the mac address of the RG connected to igb2 being the same.
Are ethernet aliases used? (I think pfsense calls them virtual ips?) I.E. igb0 has an alias for vlan0 traffic which I think is just the ONT<->RG traffic, while the regular igb0 has DHCP (or static) internet address assigned?
-
From what I've read from the original DSL Reports thread (http://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode)
There are two possible solutions to get the ONT to talk to the RG through something.
One is to set up a bridge between the two interfaces (igb0 and igb2). However, 801.D compliance means that 801.x packets won't pass across, and pfsense's drivers are compliant. One would need to custom compile the drivers to break this compliance.
Two is to use a proxy. However, it seems that the proxy solutions mentioned are incompatible?
I found two proxy solutions. One is written in python:
https://github.com/jaysoffian/eap_proxy
However, Pyrodex mentioned in this thread that it has a linux dependency (PFRING).
As was mentioned by variance in this thread, the other needs to be compiled –
https://github.com/kuwerty/eapolproxy
However, from the DSL thread:I checked out the eapolproxy, and successfully compiled it on my freebsd dev box. After getting some dependencies (libstdc++) onto pfsense, it does start and appears to be passing the EAP traffic from the RG on OPT1 up to the WAN interface where the ONT is, but nothing ever comes back - it just keeps spamming the EAPOL start and logoffs. I will have to keep playing with it, but I feel like the solution is close. It would be good to have some others try this…
Indeed, that person created an issue in github about this, but it looks like the code has been long abandoned.
Rajl then came up with the netgraph solution which, apparently, should be able to bridge the two interfaces in such a way that the 801.x traffic passes across. However pfsense's oddities breaks this a bit.
aus got this working, but must rely on the linux vm host to do part of the work – something the rest of us cannot rely on.
Pyrodex is testing on bare metal. Since pfsense doesn't come with the ng_etf.ko file, he pulled it from a fresh copy of reebsd 11.1.
-
/sbin/kldload /boot/kernel/ng_etf.ko
Pyrodex,
In your script, does this have to execute in addition to loading the module at boot? For security reasons, I thought kernel modules could only load at boot in pfsense?
-
I was able to see the interfaces in the ngctl list command so I know it loaded and they got inserted. I haven't had a chance to do TCPdumps yet and will try again this Sunday while the wife is at work.
kldstat Id Refs Address Size Name 1 24 0xffffffff80200000 2c2da38 kernel 2 1 0xffffffff82e2f000 316ae8 zfs.ko 3 2 0xffffffff83146000 cae8 opensolaris.ko 4 1 0xffffffff83221000 32ce cpuctl.ko 5 1 0xffffffff83225000 8191 aesni.ko 6 1 0xffffffff8322e000 4700 cryptodev.ko 7 1 0xffffffff83233000 2c63 coretemp.ko 8 1 0xffffffff83236000 191f ng_etf.ko
-
Tantamount,
Your network diagram is correct and you're definitely heading in the right direction as far as "wrapping your head around this" goes.
If you're remotely familiar with the OSI networking model this makes a lot more sense. Basically, we are creating a script using Netgraph to do layer 2 (Ethernet Frame) processing to relay authentication frames between the ONT and the RG while diverting all other Ethernet Frames from the ONT up to layers 3-7 of the PFSense network stack.
To go into more detail, ATT's RG uses embedded certificates and the EAPOL protocol to authenticate the RG with the ONT and ATT's wider network. However, the EAPOL is susceptible to what's known as a "man-in-the-middle" attack where a third-party can intercept the traffic. What we are (attempting) to do is two things:
(1) Relay all EAPOL ethernet frames between the RG and the ONT. This requires using MAC address spoofing so that the WAN interface on the PFSense router uses the MAC address of the RG instead of its own MAC address. This makes the ONT think it is communicating with the RG instead of an unauthorized PFSense device. Virtual IPs are not used (they are something completely different as they are operating at layers 3-7 of the network stack).
(2) Intercept all other ethernet frames and send them up to layers 3-7 of the PFSense network stack for further firewall processing.Step 1 can be solved two ways:
(1) Bridge the traffic. This requires a non-standards compliant bridge device or driver (a trivial modification to the FreeBSD bridge kernel module if you know C programming).
(2) Write a program that intercepts and relays the EAPOL frames (i.e., performs a man-in-the-middle attack). The problem with the EAP_Proxy script is that it relies on a number of Python libraries that provide linux specific operating system calls. However, the algorithm that it uses is really simple, so I created a short NetGraph script to duplicate the functionality of the eap_proxy script because Netgraph is part of the FreeBSD base.The final issue that is causing problems on bare-metal is that ATT is tagging all internet traffic as being assigned to VLAN 0. Technically, VLAN 0 means the frame is not assigned to a VLAN. However, ATT uses it as an actual VLAN identifier. FreeBSD, being overly standards compliant, therefore refuses to create a virtual interface on VLAN 0 and bind services to VLAN 0, allowing for traffic to be read from and written to VLAN 0. Solve that problem, and this will work on bare-metal. AUS has already solved it by using PCI pass-through to work around the issue for virtualized PFSense (which will help a lot of people).
-
The final issue that is causing problems on bare-metal is that ATT is tagging all internet traffic as being assigned to VLAN 0. Technically, VLAN 0 means the frame is not assigned to a VLAN. However, ATT uses it as an actual VLAN identifier. FreeBSD, being overly standards compliant, therefore refuses to create a virtual interface on VLAN 0 and bind services to VLAN 0, allowing for traffic to be read from and written to VLAN 0. Solve that problem, and this will work on bare-metal. AUS has already solved it by using PCI pass-through to work around the issue for virtualized PFSense (which will help a lot of people).
Thanks Rajl.
I thought PCI pass-through makes virtual environments more "bare metal" because it makes the hardware exclusive to one virtual machine. I'm not clear how this would solve the VLAN 0 tagging issue unless his virtual environment was the cause of the problem?
-
Any more progress on this?
I'm testing using a spare machine while the 4 port nic arrives.
For the moment pfsense is installed baremetal. Running into issues at the following
# create etf and connect to em1 (RG) ngctl mkpeer ue0: etf lower downstream ngctl name ue0:lower laneapfilter ngctl connect laneapfilter: ue0: nomatch upper
All the previous command execute correctly. Interface names have been adjusted as needed based on how my system identified them.
em0 - intel pro 1000 (builtin) - ONT (WAN) xl0 - 3com - gateway ue0 - usb - LAN
So the original snippet is changed to
# create etf and connect to em1 (RG) ngctl mkpeer xl0: etf lower downstream ngctl name xl0:lower laneapfilter ngctl connect laneapfilter: xl0: nomatch upper
I end up getting this error (including entire input/output to this point).
[2.4.3-RELEASE][root@pfSense.localdomain]/root: kldload /boot/kernel/ng_etf.ko
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl list
There are 2 total nodes:
Name: ngctl57043 Type: socket ID: 00000012 Num hooks: 0
Name: <unnamed>Type: socket ID: 00000006 Num hooks: 0
[2.4.3-RELEASE][root@pfSense.localdomain]/root: php -r 'pfSense_ngctl_attach(".", "em0");'
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer em0: tee lower left
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl name em0:lower T
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer T: vlan right downstream
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl name T:right vlan0
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer vlan0: eiface vlan0 ether
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer T: etf left2right downstream
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl name T:left2right waneapfilter
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl connect waneapfilter: em0: nomatch upper
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer xl0: etf lower downstream
ngctl: send msg: No such file or directory
[2.4.3-RELEASE][root@pfSense.localdomain]/root:</unnamed>Not sure how to move forward from this.
Also, I'm a bit confused on how a pci-passthrough (when virtualized) is any different than bare metal, as far as vlan0 tagging is concerned. When the nic is defined as pci-pass through, does the underlying vm have direct access to the nic? This would be similar as a baremetal implementation, no?
Thanks!
-
hi I've just been reading this thread.
I have a pfsense router but unfortunately Uverse is not here in Australia, so I can't help practically..however i see you have got my ng-etf pair set up so I see we have somehow communicated before :-)
let me see if I understand the full picture..
You need to link the ONT (whatever that stands for .. Optical Network translator?) via vlan0 to the RG, but you only want protocol 8xxx to go to the RG, and all other protocols/ethertypes to go to the pfsense IP stack.. is that right?
-
this MAY work but may not.. it depends if the packets coming out of the interface have already been stripped of vlan tags.
ONT]–--[em0]lower–-downstream[eapfilter:]nomatch–--vlan0[VLAN]downstream–--upper[em0…
eapout
|
|
|
RG]–----[em1]lower–--------------/ngctl mkpeer igb0: etf lower downstream
ngctl name igb0:lower eapfilter
ngctl mkpeer igb0: vlan upper downstream
ngctl name igb0:upper vlanheader
ngctl msg vlanheader: addfilter '{ vlan=0 hook="vlan0" }'
ngctl connect vlanheader: eapfilter: vlan0 nomatch
ngctl connect eapfilter: igb1: eapout lower
ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'if they haven't then we may need to put the vlan nodes (two) on the other side of the etf node, so that it doesn't see the vlan tags.
Maybe I should add an option to make etf nodes take vlan tags into account.
If you can attach the nghook program to an inserted ngtee node (inserted somewhere in your current graph) and see what comes out. (with -a ).
then we can see what the packets look like.
-
hi I've just been reading this thread.
I have a pfsense router but unfortunately Uverse is not here in Australia, so I can't help practically..however i see you have got my ng-etf pair set up so I see we have somehow communicated before :-)
let me see if I understand the full picture..
You need to link the ONT (whatever that stands for .. Optical Network translator?) via vlan0 to the RG, but you only want protocol 8xxx to go to the RG, and all other protocols/ethertypes to go to the pfsense IP stack.. is that right?
You've actually been talking to me on the FreeBSD mailing lists, but I posted the final results to share with the world and a number of people have been running with it. :)
To help you with the terminology and define the problem:
ONT = Optical Network Terminal. It's the box in your house where the fiber-optic cable is terminated and the signal is converted into an electrical signal. It has an RJ-45 1000BaseT jack that you use to plug the RG into.
RG = Residential Gateway. It's one of those all-in-one wireless routers that is provided by the ISP (AT&T). It's low-end consumer gear that has a number of issues. Many of us have outgrown it's limitations and want to get rid of it. However, we can't because the RG is required for authentication with the ISP.
EAP-OL = Encapsulated Authentication Protocol Over LAN. It works at layer 2 and can be easily man-in-the-middled. The RG uses this protocol to authenticate with the ISP. My suspicion is that the RG is using EAP-OL to authenticate with the ONT so that the ONT can ensure that only an approved, authenticated device is connected to it/the network. However, where the actual end-point for the EAP-OL frames is located is immaterial.
-
this MAY work but may not.. it depends if the packets coming out of the interface have already been stripped of vlan tags.
ONT]–--[em0]lower–-downstream[eapfilter:]nomatch–--vlan0[VLAN]downstream–--upper[em0…
eapout
|
|
|
RG]–----[em1]lower–--------------/ngctl mkpeer igb0: etf lower downstream
ngctl name igb0:lower eapfilter
ngctl mkpeer igb0: vlan upper downstream
ngctl name igb0:upper vlanheader
ngctl msg vlanheader: addfilter '{ vlan=0 hook="vlan0" }'
ngctl connect vlanheader: eapfilter: vlan0 nomatch
ngctl connect eapfilter: igb1: eapout lower
ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'if they haven't then we may need to put the vlan nodes (two) on the other side of the etf node, so that it doesn't see the vlan tags.
Maybe I should add an option to make etf nodes take vlan tags into account.
If you can attach the nghook program to an inserted ngtee node (inserted somewhere in your current graph) and see what comes out. (with -a ).
then we can see what the packets look like.
I'm not sure that will work, because I think it may be stripping VLAN tags at the wrong point. You can correct me if I am wrong.
Here's a rough sketch of how the frames are tagged.
Before:
[ONT] –---[Tagged VLAN 0]–------------ [RG] –---[No VLAN Tags]–----------[LAN]
After:
[ONT] –----[Tagged VLAN 0] –----------[PFSense] –-----[No VLAN Tags]–---[LAN]
|
|
|–------------[Tagged VLAN 0]–-[RG]Hope this helps. Someone on this thread has gotten this to work with virtualized PFSense on ProxMox using PCI Passthrough. No one, however, has yet reported getting this to work on bare metal.
It's been the fun challenge.
-
@rajl As I understand it, the whole reason for doing the pci passthrough is because there's issue with passing vlan0 through the hypervisor? By configuring the nic as pci passthrough, the guest os (pfsense) has full access to the nic. Vlan0 is then passed through the graphing definition.
I've been testing further on the spare machine (bare metal pfsense install). I realized the reason for my errors above - I did not reattach the missing interfaces. Once I did that pfsense ssh accepted all the commands except those below.
I'm using the code from this post: https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292
# define filters for EAP traffic ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' # use filters to bridge EAP traffic ngctl connect waneapfilter: laneapfilter: eapout eapout
I resolved this by issuing the connect command first - to establish eapout definition? Once done there were no further errors.
However, monitoring the RG interface with tcpdump, all I see are these. Mac c0:a0:0d:xx:xx:xx is that of the RG.
08:13:56.104742 c0:a0:0d:xx:xx:xx (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype EAPOL (0x888e), length 60: EAPOL start (1) v2, len 0
On the WAN interface (ngeth0), I see this. RG mac is spoofed to c0:a0:0d:xx:xx:xx for this interface.
09:06:56.718637 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300 09:08:24.668681 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15 09:09:25.261889 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 4 09:09:25.261895 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15 09:09:28.585333 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300 09:09:39.433119 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300 09:09:47.419730 18:4a:6f:11:62:fd (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 0, p 7, ethertype ARP, Request who-has 107.x.x.x (c0:a0:0d:xx:xx:xx (oui Unknown)) tell 0.0.0.0, length 46 09:09:50.440866 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300 09:09:52.419034 18:4a:6f:11:62:fd (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 0, p 7, ethertype ARP, Request who-has 107.x.x.x (c0:a0:0d:xx:xx:xx (oui Unknown)) tell 0.0.0.0, length 46 09:09:55.558504 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15 09:09:57.418368 18:4a:6f:11:62:fd (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 0, p 7, ethertype ARP, Request who-has 107.x.x.x (c0:a0:0d:xx:xx:xx (oui Unknown)) tell 0.0.0.0, length 46 09:09:58.448730 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300
So it would seem that eapol requests are going out, but not coming back in? On the RG tcpdump there should be additional traffic showing the response, right?
On the em0: interface (ONT) here's some tcpdump output:
09:29:37.126874 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15 09:30:02.284280 18:4a:6f:11:62:fd (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 0, p 7, ethertype ARP, Request who-has 107.x.x.x (c0:a0:0d:xx:xx:xx (oui Unknown)) tell 0.0.0.0, length 46 09:30:02.284291 c0:a0:0d:xx:xx:xx (oui Unknown) > 18:4a:6f:11:62:fd (oui Unknown), ethertype 802.1Q (0x8100), length 46: vlan 0, p 0, ethertype ARP, Reply 107.x.x.x is-at c0:a0:0d:77:xx:xx (oui Unknown), length 28 09:33:39.499764 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 4 09:33:39.499769 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15
-
Quad port nic arrived today. Ready for more testing. While my understanding of netgraph is vague at best, I am able to follow directions well.
Several other questions;
-
In the course of testing this, what is the correct way to determine that EAP authentication is taking place and is successful? The gateway has a broadband light which when connected directly to the ONT, flashes initially then goes solid green. If there's an error it flashes red. Given that we're only passing EAP packets the gateway does not get a dhcp requests honored and won't be getting any ip's. There should be some other means to confirm eap packets are flowing in both directions.
-
Should the pfsense WAN port (em0, not the bridge) have its mac spoofed? The instructions on page 2 indicate to spoof the mac on the bridge to that of the gateway.
I think ideally we want to have vlan0 tags dropped for packets destined for the lan interface and added to those going to wan (ngeth0)?
Thanks!
-
-
Quad port nic arrived today. Ready for more testing. While my understanding of netgraph is vague at best, I am able to follow directions well.
Several other questions;
-
In the course of testing this, what is the correct way to determine that EAP authentication is taking place and is successful? The gateway has a broadband light which when connected directly to the ONT, flashes initially then goes solid green. If there's an error it flashes red. Given that we're only passing EAP packets the gateway does not get a dhcp requests honored and won't be getting any ip's. There should be some other means to confirm eap packets are flowing in both directions.
-
Should the pfsense WAN port (em0, not the bridge) have its mac spoofed? The instructions on page 2 indicate to spoof the mac on the bridge to that of the gateway.
I think ideally we want to have vlan0 tags dropped for packets destined for the lan interface and added to those going to wan (ngeth0)?
Thanks!
The first one is easy 8):
Step 8: Confirm authentication. After 1-2 minutes, you will see the “Broadband” light on your RG flash green and then go to solid green for a short period of time. This means that the 802.1X port authentication has completed successfully. However, your Broadband light will then start flashing read and then go blank. This is because the RG is not receiving an IP address from the ATT network via DHCP (your PFSense Box is attempting request and receive the IP address).
If you don't see it go solid green for a short period of time, then EAP-OL authentication failed. If you go to the status page for the RG, it will say something like status authenticated, but also indicate that the internet is "down" because you were unable to get an IP address via DHCP.
-
The only spoofing that should be done is the RG's WAN port. Specifically, the PFSense WAN port will be spoofing the address of the RG's WAN port. Failure to do this will result in a failure to authenticate, as the MAC address of the RG is verified by AT&T.
-
Ideally, the netgraph framework should be stripping the VID from all Ethernet frames on ingress and after EAP-OL filtering is done. The issue is that if the VLAN is not set to 0, the RG might not recognize the EAP response frames from the ONT. However, because FreeBSD cannot create an interface on VLAN 0, you will need to untag all of the frames before they leave the Netgraph and get passed back up to the kernel stack.
In other words, the Netgraph should do the following on frames coming from the ONT:
(1) Determine whether frame is EAP-OL.
(2) If frame is EAP-OL, then relay/forward unmodified frame to RG.
(3) If frame is not EAP-OL, strip VID from frame and sent modified frame to kernel stack for further processing by systemFor frames being sent to the ONT, we are essentially doing the reverse:
(1) If frame is EAP-OL frame from RG, forward unmodified frame to ONT
(2) If frame is any other frame from RG, drop
(3) If frame is from PFSense kernel, tag it as VLAN 0 and forward to ONT.Hope this makes sense.
-
-
Yes, makes perfect sense. I think #3 clearly defines netgraph inputs and desired outcomes.
For #2, the only spoofing then should be for the ngeth0 interface, not em0 (physical interface ONT is connected to)?
Rereading the thread a few more times I think AUS got around the vlan tags on the lan issue by defining a particular filter in proxmox. It seems like netgraph is fairly powerful tool for low level packet routing and this type of function may very well be possible. I wish I had a better understanding of netgraph fundamentals. It would make a whole lot more sense.
Your ascii pic in post https://forum.pfsense.org/index.php?topic=111043.msg798687#msg798687 paints a good rough draft. In fact, starting with a visual is probably the best way to attack this problem. Just need to fill in the details.
-
For #2, the only spoofing then should be for the ngeth0 interface, not em0 (physical interface ONT is connected to)?
Not quite. You're over-thinking this part. In PFSense, go to the settings for your WAN interface and enter in the MAC address you want to use (the RG's WAN interface). NG_eth read and writes packets using the parameters specified for the operating system. So if you override the MAC address of the WAN interface with the MAC address for the RG's WAN interface, ng_eth will pick up these changes and write frames using the spoofed MAC address. Does that make sense?
Rereading the thread a few more times I think AUS got around the vlan tags on the lan issue by defining a particular filter in proxmox.
That maybe. Unfortunately, I am completely unfamiliar with ProxMox. I was hoping that if he got this working with ProxMox that the solution could be easily ported to bare-metal. But we seem to be missing something.
It seems like netgraph is fairly powerful tool for low level packet routing and this type of function may very well be possible. I wish I had a better understanding of netgraph fundamentals. It would make a whole lot more sense.
I feel like I am staring over the edge of the abyss. NetGraph is so powerful that it is awe inspiring. Unfortunately, it is so infrequently used that the documentation is quite sparse. Thank God that we have jeli on this thread to guide us when we go astray. Seriously, he's one of the creators of Netgraph and if he doesn't know the answer, probably no one does.
Your ascii pic in post https://forum.pfsense.org/index.php?topic=111043.msg798687#msg798687 paints a good rough draft. In fact, starting with a visual is probably the best way to attack this problem. Just need to fill in the details.
:D
-
For #2, the only spoofing then should be for the ngeth0 interface, not em0 (physical interface ONT is connected to)?
Not quite. You're over-thinking this part. In PFSense, go to the settings for your WAN interface and enter in the MAC address you want to use (the RG's WAN interface). NG_eth read and writes packets using the parameters specified for the operating system. So if you override the MAC address of the WAN interface with the MAC address for the RG's WAN interface, ng_eth will pick up these changes and write frames using the spoofed MAC address. Does that make sense?
Rereading the thread a few more times I think AUS got around the vlan tags on the lan issue by defining a particular filter in proxmox.
That maybe. Unfortunately, I am completely unfamiliar with ProxMox. I was hoping that if he got this working with ProxMox that the solution could be easily ported to bare-metal. But we seem to be missing something.
It seems like netgraph is fairly powerful tool for low level packet routing and this type of function may very well be possible. I wish I had a better understanding of netgraph fundamentals. It would make a whole lot more sense.
I feel like I am staring over the edge of the abyss. NetGraph is so powerful that it is awe inspiring. Unfortunately, it is so infrequently used that the documentation is quite sparse. Thank God that we have jeli on this thread to guide us when we go astray. Seriously, he's one of the creators of Netgraph and if he doesn't know the answer, probably no one does.
Your ascii pic in post https://forum.pfsense.org/index.php?topic=111043.msg798687#msg798687 paints a good rough draft. In fact, starting with a visual is probably the best way to attack this problem. Just need to fill in the details.
:D
So if I am reading you right in the GUI we don’t change the WAN interface to ngeth and don’t change the MAC address to the RG since this is handled by net graph?
-
So if I am reading you right in the GUI we don’t change the WAN interface to ngeth and don’t change the MAC address to the RG since this is handled by net graph?
Half correct. In the PFSense GUI, you set the WAN interface to whatever you want (e.g., WAN = em0, LAN = em1, RG=em2). In the netgraph script, you set the ng_eth node representing the WAN to whatever interface you specified in the PFSense GUI. In the PFSense GUI, you set the value for the MAC address equal to the MAC address of the RG's WAN interface (i.e., you're having the PFSense WAN spoof the MAC address of the RG instead of using its own MAC address).
Everything else is handled by Netgraph at layer 2 (Ethernet frames). Since PFSense mostly operates at layers 3 and 4, it will be oblivious to what Netgraph is doing. As far as PFSense is concerned, it writes packets to and receives packets from the network interface. Once the network interface receives the packets, Netgraph sorts and processes them.
-
So if I am reading you right in the GUI we don’t change the WAN interface to ngeth and don’t change the MAC address to the RG since this is handled by net graph?
Half correct. In the PFSense GUI, you set the WAN interface to whatever you want (e.g., WAN = em0, LAN = em1, RG=em2). In the netgraph script, you set the ng_eth node representing the WAN to whatever interface you specified in the PFSense GUI. In the PFSense GUI, you set the value for the MAC address equal to the MAC address of the RG's WAN interface (i.e., you're having the PFSense WAN spoof the MAC address of the RG instead of using its own MAC address).
Everything else is handled by Netgraph at layer 2 (Ethernet frames). Since PFSense mostly operates at layers 3 and 4, it will be oblivious to what Netgraph is doing. As far as PFSense is concerned, it writes packets to and receives packets from the network interface. Once the network interface receives the packets, Netgraph sorts and processes them.
This could have been the issue I had when I tried on my physical box. I changed the WAN interface to ng_eth and never got access fully… I can try again on Sunday while the wife is at work and I'll do the following.
#igb2 is connected to the ONT #lagg0 is connected to the LAN #igb3 is connected to the RG #ngeth0 is the VLANed device which is configured as my WAN in pfSense # copy and load ng_etf kernel module /sbin/kldload /boot/kernel/ng_etf.ko # # setup netgraph nodes # # list out netgraph nodes /usr/sbin/ngctl list # pfSense for some reason detaches ether devices. reattach any missing devices. php -r 'pfSense_ngctl_attach(".", "igb0");' # create tee node to split ONT traffic (one for EAP, one for VLAN0) /usr/sbin/ngctl mkpeer igb0: tee lower left # may get a warning /usr/sbin/ngctl name igb0:lower T # create vlan node + eiface /usr/sbin/ngctl mkpeer T: vlan right downstream /usr/sbin/ngctl name T:right vlan0 /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' # create etf and connect to ONT /usr/sbin/ngctl mkpeer T: etf left2right downstream /usr/sbin/ngctl name T:left2right waneapfilter /usr/sbin/ngctl connect waneapfilter: igb0: nomatch upper # create etf and connect to RG /usr/sbin/ngctl mkpeer igb3: etf lower downstream /usr/sbin/ngctl name igb3:lower laneapfilter /usr/sbin/ngctl connect laneapfilter: igb3: nomatch upper # define filters for EAP traffic /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' # use filters to bridge EAP traffic /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout # change MAC address to match RG (also can be done in pfSense) ifconfig ngeth0 ether <mac></mac>
Does this syntax look ok?
-
Unless I'm misunderstanding, there's still a puzzle piece (or 2) missing.
- What connects the wan to the lan? Ok, maybe masquerading in pfsense.
- More importantly wan frames are still tagged with vlan0. The missing piece (netgraph filter) strips these tags when traffic is routed anywhere else but the gateway.
-
Using some obscure search terms I can't even remember at this point I came across this. It's greek to me but might make more sense to others. Look for the posts by toast0.
https://news.ycombinator.com/item?id=16741660 which links to
http://ruka.org/~toast/steal/
Some missing .h files ( pcap-int.h & portability.h ) found here :
https://github.com/freebsd/freebsd/tree/master/contrib/libpcap -
Ok, so firstly here is a pretty good introduction to using netgraph:
https://people.freebsd.org/~julian/netgraph.html
Since I don't have one of these I can't experiment, but it seems we have a number of things we need to do, and a number of things to keep in mind.
- traffic between the RG and ONT is all on vlan 0, including real user traffic.
- since vlan 0 is a reserved value, it is not certain that the hardware interfaces (NIC) can generate them, and in any case different people have different interfaces so we can't assume anything.
see this https://en.wikipedia.org/wiki/IEEE_802.1Q - the etf (ether type filter) node was not written to take vlan tags into account. Since vlan tags include an ether type of 0x8100, it will stop the etf node from seeing the eap etherype.
so maybe this is what we need, with HW vlan disabled and the interfaces in promiscuous mode. Also with the MAC of the main interface set to spoof that of the RG.
ONT)–-[ngiface]lower–--vlan0[ngvlan]downstream–--downstream[ngetf]nomatch–-----upper[ngiface]
|
RG)–- [ngiface]lower–--vlan0[ngvlan]downstream–-------------/ -
oops in the above the interfaces should be ngether not ngiface.. that's a completely different node type.
-
Any luck on a physical system? I was swamped this past weekend with yard work and will attempt Sunday since it will be raining.
-
I was unable to get anywhere on a pfsense system but was semi successful on opnsense with this -
https://news.ycombinator.com/item?id=16740694
http://ruka.org/~toast/steal/Several notes:
-
steal_util.c has to be modified to reflect actual interface names. There's a total of 4 places to update, 2 for each interface. As the code comes, em1 refers to the ONT, em0 refers to the RGW
-
ngeth0 is defined as the wan interface in opnsense
-
elsewhere in the code update the static ip to your own att public ip. Do not touch the 172.xxx lines
-
I also had to define the rgw mac and ip address in the ngeth0 interface in opnsense
If you're familiar with freebsd, this can be set up on that too, as a novice, I found opnsense easier to configure.
Main issues I ran into were speed. I wasn't able to pull full bandwidth like I could before. My per connection speed dropped to about 200 mbps where as before I could top it out at ~700-800 mbps. It wasn't a cpu issue. I5 4590, top showed a single core at most at ~30% with enough threads to saturate, 200 mbps was barely 5-6%.
I did not write this code but came across it after finding the above forums posts. Maybe it can be made to work with pfsense too.
Good luck!
P.S. In the end I went a different direction
https://forum.opnsense.org/index.php?topic=7298.msg37970#msg37970
-
-
Hi all. I'm new to this thread but I've been working on this a long time. My goal has been to implement eap_proxy.py on PFSense. If you look at eap_proxy, the problem is that it uses PF_RING to sniff the packets, which is not available on FreeBSD. To get around this, I started working on an implementation using libpcap, which does work on FreeBSD/PFSense.
However, libpcap has very poor performance and wouldn't be a good solution for an embedded router on a fiber AT&T connection. I did a bunch of digging and discovered a project, netmap-libpcap (https://github.com/luigirizzo/netmap-libpcap/) that has integrated the very fast netmap filter into libpcap. This software is capable of sniffing packets on 10 Gbe, so it sounded like a better fit.
I code in Go and so my first effort was to write a simple sniffer that looked for ethernet type 0x888E (EAP) packets and printed them out whenever it found one. This wasn't too hard and I produced a binary that worked on Linux and successfully printed EAP packets coming from the ONT. The next challenge was to get it working on FreeBSD/PFSense. This was a lot tougher but I was ultimately successful. I did this by building netmap-libpcap on a FreeBSD VM, then compiling my Go program on that VM and statically linking it to the netmap-patched libpcap. I then copied this binary to the PFSense box and I'll be damned, it works. Well, sort of. Read on…
I was able to get my statically compiled, super fast sniffer running on PFSense and it can sniff all kinds of packets but I was not able to sniff the EAP packets. This is due to the VLAN ID 0 issues that have been discussed at length in this thread. I'm stuck. I don't see any EAP packets coming through and need to figure out how to strip the VLAN ID. I really don't want a solution that requires a custom kernel for every PFSense release.
If I can solve this problem, I feel confident that I can write a very fast and CPU-friendly eap_proxy clone for PFSense.
Can someone catch me up with where we are on VLAN 0 tagged frames?
-
@snelly Given my results with the dumb switch, I don't think vlan 0 plays much of a role if any.
Are you doing your testing in a VM or bare metal? If the former, make sure the nics (or vswitches) are in promiscuous mode. On my esxi setup, even with the dumb switch, I had to enable the following to make the mac spoofing work. I don't have promiscuous mode on because there's no eap traffic.
https://i.imgur.com/AactcPF.png
-
I'm doing my work on a Netgate 8-port router running PFSense. The dumb switch is an interesting idea but I wonder if they can really handle bidirectional, line-rate gigabit traffic flows.