ATT Uverse RG Bypass (0.2 BTC)

bigjohns97

@untamedgorilla

https://www.balticnetworks.com/products/azores-1x-10gbe-1x-2-5gbe-intel-based-xgspon-ont

This shows xgspon which to my understanding is not compatible with old gpon installs.

untamedgorilla

@bigjohns97 Yes, that's correct for the xgspon, for regular gpon, all you need is a device with a sfp+ and to change the fiber connected at the ont.

untamedgorilla

@bigjohns97 Help me decide on this product: 2.5GBase-T SFP RJ45 Copper Module, Wiitek 2.5Gb Gigabit SFP to RJ45 Transceivers 100m, Compatible for Cisco SFP-2.5G-T, TP-Link Switch (Have to Pluginto The 2.5G SFP Port) https://a.co/d/j9k53Mscolored text

nedyah700

@untamedgorilla @bigjohns97 .. Just a reminder some people using the GPON SFP are still needing to do 802.1X auth, which requires a script still.

untamedgorilla

@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip

sgc

@untamedgorilla said in ATT Uverse RG Bypass (0.2 BTC):

@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip

So if I am understanding what you are saying if I plug in my fiber from the wall right in to my pf router this will work with 23.01. Has anyone tested this yet?

bigjohns97

@sgc said in ATT Uverse RG Bypass (0.2 BTC):

@untamedgorilla said in ATT Uverse RG Bypass (0.2 BTC):

@nedyah700 it no longer requires authentication. That's what they have found. Certs are completely unnecessary now. What it was is that some connectors didn't connect at the 2.5gig that the ont uses. But people found out which connectors actually can work and the one I posted earlier is one of the ones that can work. You can literally plug it straight into your PF sense if you have 2.7 and it will get a wan IP. If you don't use 2.7 you have to use net graph to get it to get the vlan0 ip

So if I am understanding what you are saying if I plug in my fiber from the wall right in to my pf router this will work with 23.01. Has anyone tested this yet?

Everything I have read so far still states you have to run certificates through WPA on VLAN 0.

nedyah700

@untamedgorilla I am and following the discord chat. It's working for me, no certs needed. But, there were at least two people on GPON, who I think were using Lantiq based modules, still needed certs. Maybe they resolved it and I missed it.

bigjohns97

@nedyah700 Check the pinned messages under the USA #gpon channel and you can see that everyone there says you still have to use the wpa_supp on VLAN 0.

untamedgorilla

This post is deleted!

bulldog5

I'm using the GPON bypass method with a DFP-34X-2C2 directly in my pfSense 2.4.5 server via a Broadcom BCM57810S SFP card. I have working certs with supplicant method in pfatt.sh. How does this need to be configured to get a DHCP lease on (VLAN 962) now given by the DFP ONT?

I tried setting the ONT_IF="bxe0" which is the NIC of the DFP-34X-2C2 SFP ONT. VLANs don't seem to be enabled until later in the boot process after the wpa_supplicant process, but it obviously wont move forward because it fails EAP Auth.

sgc

@bulldog5 so if I am understanding what you were trying to do is to stop using the PFAT&T script. And you are still trying to use the script or some type of authorization?

bulldog5

@sgc I'm pretty sure the pfatt script is still required for the 802.1Auth. I'm trying to get rid of the ATT white ONT, and move to the ONT cloned DFP stick which I put directly into my pfsense server. I get O5 status and a supplied vlan to pickup the internet on. I'm struggling with how to configure pfsense to get the tagged vlan traffic on the appropriate NIC, since its all (internal) to pfsense now.

I believe I still need ngeth because of VLAN0 still an issue, but now need vlan tagged 962 as well.

bigjohns97

@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):

@sgc I'm pretty sure the pfatt script is still required for the 802.1Auth. I'm trying to get rid of the ATT white ONT, and move to the ONT cloned DFP stick which I put directly into my pfsense server. I get O5 status and a supplied vlan to pickup the internet on. I'm struggling with how to configure pfsense to get the tagged vlan traffic on the appropriate NIC, since its all (internal) to pfsense now.

I believe I still need ngeth because of VLAN0 still an issue, but now need vlan tagged 962 as well.

This is correct, there has been some speculation that using a pcp tag will allow you to get 802.1x auth on VLAN0 but no real instruction on how to do so yet.

You can trying joining the conversation on this thread https://github.com/MonkWho/pfatt/issues/79 and maybe you can get it to work.

stephenw10

I assume the non-netgraph scripts in that thread will only work if you are using the method where you have extracted the certs from the AT&T device?

bulldog5

@bigjohns97 I will try posting over there, hopefully i'm making sense.

bigjohns97

@stephenw10 said in ATT Uverse RG Bypass (0.2 BTC):

I assume the non-netgraph scripts in that thread will only work if you are using the method where you have extracted the certs from the AT&T device?

I wish I had that answer, the one user who got it working was using I believe a realtec NIC but when comparing interface flags we weren't able to find any issues.

So this whole extracted certs where the 802.1x identity matches the MAC spoof vs someone who purchased their certs and the 802.1x identity doesn't match the MAC spoof could be an explanation for why it didn't work for me.

bigjohns97

@bulldog5 said in ATT Uverse RG Bypass (0.2 BTC):

@bigjohns97 I will try posting over there, hopefully i'm making sense.

You are making sense, what I would do if I were you would be to separate the two implementations.

Get your setup working with the bypass and the ONT still in line.

Then once that is working try bypassing the ONT with your SFP

stephenw10

Mmm, I think that could be a separate problem. I guess if a non-netgraph solution is available that might be applicable to a different VLAN directly.
To use those scripts would need the extracted certs but it looks like you have those @bulldog5?

You would certainly need to be running pfSense 23.01/2.7 to use them.

Steve

bulldog5

@stephenw10 correct, I have working certs and have had the RGW bypassed for a few years now. Long story short, I want to move the ATT white ONT from the garage, I figured I would just clone it and get rid of it all together. (Extended fiber to server closet and jack straight in to pfsense SFP) so thats where I'm at with this project.

I need a solution to handle VLAN0, but also tagged vlan traffic on the WAN nic.