ATT Uverse RG Bypass (0.2 BTC)
-
@ccope Thanks, if you ever need someone to test a possible implementation of this let me know :)
-
Hey All!
Just wanted to clear up some confusion I'm seeing in these last few posts.
-
AT&T is definitely not removing the need for 802.1X. There just happens to be another workaround that, for some, has eliminated the need.
-
We definitely still need the script for 802.1X, but the desire is to remove the netgraph portions that previously enabled VLAN 0 communication, and use the new native methods. This is the piece a few of us are struggling with.
Hope it helps!
-
-
@bk150 said in ATT Uverse RG Bypass (0.2 BTC):
We have a discord that most of the folks from DSLreports have migrated to regarding discussion about AT&T specific bypass methods. There is a working GPON and XGS-PON bypass method. I can't speak much to the GPON method as I have XGS-PON but the XGS-PON method entails simply buying an Azores WAG-D20 and setting a handful of values on it. Once the device gets O5.1 status to the upstream OLT, you can send a DHCP request with the use of Netgraph on pfsense 2.7/23.01.
Hopefully it's not against the rules to post a link to the Discord (dm me if it gets removed): https://discord.gg/6TwFBquMTT
Did some research on this and this doesn't help me as I don't have XGS-PON nor do I have a newer 320 Att supplied RG. If I should ever upgrade to multi-gig service which would require a 320 based integration ONT/RG then I would have to do these GPON stick tricks and upgrade my NIC hardware on my PfSense box to accommodate. Even after that I would still be left having to send wpa_supplicant based authentication over VLAN 0.
At the end of the day we still have to send 802.1x over VLAN 0 which is what historically netgraph has been used for and what we are trying to get away from if possible with this new 2.7 PfSense implementation.
-
@bigjohns97 with the 2.7 devel you don't have to use netgraph anymore. The supplicant is completely unnecessary. The only part you need is the netgraph if you choose not to use 2.7
-
I have the azore wagd20, there are no certs needed. Netgraph is only for vlan0 detection. Once you clone your device to your router. There is not authentication necessary except for AT&t verifying the MAC address
-
https://www.balticnetworks.com/products/azores-1x-10gbe-1x-2-5gbe-intel-based-xgspon-ont
This shows xgspon which to my understanding is not compatible with old gpon installs.
-
@bigjohns97 Yes, that's correct for the xgspon, for regular gpon, all you need is a device with a sfp+ and to change the fiber connected at the ont.
-
@bigjohns97 Help me decide on this product: 2.5GBase-T SFP RJ45 Copper Module, Wiitek 2.5Gb Gigabit SFP to RJ45 Transceivers 100m, Compatible for Cisco SFP-2.5G-T, TP-Link Switch (Have to Pluginto The 2.5G SFP Port) https://a.co/d/j9k53Mscolored text
-
@untamedgorilla @bigjohns97 .. Just a reminder some people using the GPON SFP are still needing to do 802.1X auth, which requires a script still.
-
@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip
-
@untamedgorilla said in ATT Uverse RG Bypass (0.2 BTC):
@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip
So if I am understanding what you are saying if I plug in my fiber from the wall right in to my pf router this will work with 23.01. Has anyone tested this yet?
-
@sgc said in ATT Uverse RG Bypass (0.2 BTC):
@untamedgorilla said in ATT Uverse RG Bypass (0.2 BTC):
@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip
So if I am understanding what you are saying if I plug in my fiber from the wall right in to my pf router this will work with 23.01. Has anyone tested this yet?
Everything I have read so far still states you have to run certificates through WPA on VLAN 0.
-
@untamedgorilla I am and following the discord chat. It's working for me, no certs needed. But, there were at least two people on GPON, who I think were using Lantiq based modules, still needed certs. Maybe they resolved it and I missed it.
-
@nedyah700 Check the pinned messages under the USA #gpon channel and you can see that everyone there says you still have to use the wpa_supp on VLAN 0.
-
This post is deleted! -
I'm using the GPON bypass method with a DFP-34X-2C2 directly in my pfSense 2.4.5 server via a Broadcom BCM57810S SFP card. I have working certs with supplicant method in pfatt.sh. How does this need to be configured to get a DHCP lease on (VLAN 962) now given by the DFP ONT?
I tried setting the ONT_IF="bxe0" which is the NIC of the DFP-34X-2C2 SFP ONT. VLANs don't seem to be enabled until later in the boot process after the wpa_supplicant process, but it obviously wont move forward because it fails EAP Auth.
-
@bulldog5 so if I am understanding what you were trying to do is to stop using the PFAT&T script. And you are still trying to use the script or some type of authorization?
-
@sgc I'm pretty sure the pfatt script is still required for the 802.1Auth. I'm trying to get rid of the ATT white ONT, and move to the ONT cloned DFP stick which I put directly into my pfsense server. I get O5 status and a supplied vlan to pickup the internet on. I'm struggling with how to configure pfsense to get the tagged vlan traffic on the appropriate NIC, since its all (internal) to pfsense now.
I believe I still need ngeth because of VLAN0 still an issue, but now need vlan tagged 962 as well.
-
@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):
@sgc I'm pretty sure the pfatt script is still required for the 802.1Auth. I'm trying to get rid of the ATT white ONT, and move to the ONT cloned DFP stick which I put directly into my pfsense server. I get O5 status and a supplied vlan to pickup the internet on. I'm struggling with how to configure pfsense to get the tagged vlan traffic on the appropriate NIC, since its all (internal) to pfsense now.
I believe I still need ngeth because of VLAN0 still an issue, but now need vlan tagged 962 as well.
This is correct, there has been some speculation that using a pcp tag will allow you to get 802.1x auth on VLAN0 but no real instruction on how to do so yet.
You can trying joining the conversation on this thread https://github.com/MonkWho/pfatt/issues/79 and maybe you can get it to work.
-
I assume the non-netgraph scripts in that thread will only work if you are using the method where you have extracted the certs from the AT&T device?