ATT Uverse RG Bypass (0.2 BTC)
-
Hey guys,
I'm trying to wrap my head around all of this and how it works.
I believe the network diagram I've created is how things should be wired up.
igb0 (WAN/ONT) needs to have the mac address of the ATT Residential Gateway (RG).
igb2 is connected to the RG and somehow the ONT<->RG authentication magic happens (EAP Proxy?).
igb1 (LAN) goes to switch.Somehow pfsense is not confused by the mac address on igb0 and the mac address of the RG connected to igb2 being the same.
Are ethernet aliases used? (I think pfsense calls them virtual ips?) I.E. igb0 has an alias for vlan0 traffic which I think is just the ONT<->RG traffic, while the regular igb0 has DHCP (or static) internet address assigned?
-
From what I've read from the original DSL Reports thread (http://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode)
There are two possible solutions to get the ONT to talk to the RG through something.
One is to set up a bridge between the two interfaces (igb0 and igb2). However, 801.D compliance means that 801.x packets won't pass across, and pfsense's drivers are compliant. One would need to custom compile the drivers to break this compliance.
Two is to use a proxy. However, it seems that the proxy solutions mentioned are incompatible?
I found two proxy solutions. One is written in python:
https://github.com/jaysoffian/eap_proxy
However, Pyrodex mentioned in this thread that it has a linux dependency (PFRING).
As was mentioned by variance in this thread, the other needs to be compiled –
https://github.com/kuwerty/eapolproxy
However, from the DSL thread:I checked out the eapolproxy, and successfully compiled it on my freebsd dev box. After getting some dependencies (libstdc++) onto pfsense, it does start and appears to be passing the EAP traffic from the RG on OPT1 up to the WAN interface where the ONT is, but nothing ever comes back - it just keeps spamming the EAPOL start and logoffs. I will have to keep playing with it, but I feel like the solution is close. It would be good to have some others try this…
Indeed, that person created an issue in github about this, but it looks like the code has been long abandoned.
Rajl then came up with the netgraph solution which, apparently, should be able to bridge the two interfaces in such a way that the 801.x traffic passes across. However pfsense's oddities breaks this a bit.
aus got this working, but must rely on the linux vm host to do part of the work – something the rest of us cannot rely on.
Pyrodex is testing on bare metal. Since pfsense doesn't come with the ng_etf.ko file, he pulled it from a fresh copy of reebsd 11.1.
-
/sbin/kldload /boot/kernel/ng_etf.ko
Pyrodex,
In your script, does this have to execute in addition to loading the module at boot? For security reasons, I thought kernel modules could only load at boot in pfsense?
-
I was able to see the interfaces in the ngctl list command so I know it loaded and they got inserted. I haven't had a chance to do TCPdumps yet and will try again this Sunday while the wife is at work.
kldstat Id Refs Address Size Name 1 24 0xffffffff80200000 2c2da38 kernel 2 1 0xffffffff82e2f000 316ae8 zfs.ko 3 2 0xffffffff83146000 cae8 opensolaris.ko 4 1 0xffffffff83221000 32ce cpuctl.ko 5 1 0xffffffff83225000 8191 aesni.ko 6 1 0xffffffff8322e000 4700 cryptodev.ko 7 1 0xffffffff83233000 2c63 coretemp.ko 8 1 0xffffffff83236000 191f ng_etf.ko
-
Tantamount,
Your network diagram is correct and you're definitely heading in the right direction as far as "wrapping your head around this" goes.
If you're remotely familiar with the OSI networking model this makes a lot more sense. Basically, we are creating a script using Netgraph to do layer 2 (Ethernet Frame) processing to relay authentication frames between the ONT and the RG while diverting all other Ethernet Frames from the ONT up to layers 3-7 of the PFSense network stack.
To go into more detail, ATT's RG uses embedded certificates and the EAPOL protocol to authenticate the RG with the ONT and ATT's wider network. However, the EAPOL is susceptible to what's known as a "man-in-the-middle" attack where a third-party can intercept the traffic. What we are (attempting) to do is two things:
(1) Relay all EAPOL ethernet frames between the RG and the ONT. This requires using MAC address spoofing so that the WAN interface on the PFSense router uses the MAC address of the RG instead of its own MAC address. This makes the ONT think it is communicating with the RG instead of an unauthorized PFSense device. Virtual IPs are not used (they are something completely different as they are operating at layers 3-7 of the network stack).
(2) Intercept all other ethernet frames and send them up to layers 3-7 of the PFSense network stack for further firewall processing.Step 1 can be solved two ways:
(1) Bridge the traffic. This requires a non-standards compliant bridge device or driver (a trivial modification to the FreeBSD bridge kernel module if you know C programming).
(2) Write a program that intercepts and relays the EAPOL frames (i.e., performs a man-in-the-middle attack). The problem with the EAP_Proxy script is that it relies on a number of Python libraries that provide linux specific operating system calls. However, the algorithm that it uses is really simple, so I created a short NetGraph script to duplicate the functionality of the eap_proxy script because Netgraph is part of the FreeBSD base.The final issue that is causing problems on bare-metal is that ATT is tagging all internet traffic as being assigned to VLAN 0. Technically, VLAN 0 means the frame is not assigned to a VLAN. However, ATT uses it as an actual VLAN identifier. FreeBSD, being overly standards compliant, therefore refuses to create a virtual interface on VLAN 0 and bind services to VLAN 0, allowing for traffic to be read from and written to VLAN 0. Solve that problem, and this will work on bare-metal. AUS has already solved it by using PCI pass-through to work around the issue for virtualized PFSense (which will help a lot of people).
-
The final issue that is causing problems on bare-metal is that ATT is tagging all internet traffic as being assigned to VLAN 0. Technically, VLAN 0 means the frame is not assigned to a VLAN. However, ATT uses it as an actual VLAN identifier. FreeBSD, being overly standards compliant, therefore refuses to create a virtual interface on VLAN 0 and bind services to VLAN 0, allowing for traffic to be read from and written to VLAN 0. Solve that problem, and this will work on bare-metal. AUS has already solved it by using PCI pass-through to work around the issue for virtualized PFSense (which will help a lot of people).
Thanks Rajl.
I thought PCI pass-through makes virtual environments more "bare metal" because it makes the hardware exclusive to one virtual machine. I'm not clear how this would solve the VLAN 0 tagging issue unless his virtual environment was the cause of the problem?
-
Any more progress on this?
I'm testing using a spare machine while the 4 port nic arrives.
For the moment pfsense is installed baremetal. Running into issues at the following
# create etf and connect to em1 (RG) ngctl mkpeer ue0: etf lower downstream ngctl name ue0:lower laneapfilter ngctl connect laneapfilter: ue0: nomatch upper
All the previous command execute correctly. Interface names have been adjusted as needed based on how my system identified them.
em0 - intel pro 1000 (builtin) - ONT (WAN) xl0 - 3com - gateway ue0 - usb - LAN
So the original snippet is changed to
# create etf and connect to em1 (RG) ngctl mkpeer xl0: etf lower downstream ngctl name xl0:lower laneapfilter ngctl connect laneapfilter: xl0: nomatch upper
I end up getting this error (including entire input/output to this point).
[2.4.3-RELEASE][root@pfSense.localdomain]/root: kldload /boot/kernel/ng_etf.ko
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl list
There are 2 total nodes:
Name: ngctl57043 Type: socket ID: 00000012 Num hooks: 0
Name: <unnamed>Type: socket ID: 00000006 Num hooks: 0
[2.4.3-RELEASE][root@pfSense.localdomain]/root: php -r 'pfSense_ngctl_attach(".", "em0");'
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer em0: tee lower left
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl name em0:lower T
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer T: vlan right downstream
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl name T:right vlan0
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer vlan0: eiface vlan0 ether
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer T: etf left2right downstream
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl name T:left2right waneapfilter
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl connect waneapfilter: em0: nomatch upper
[2.4.3-RELEASE][root@pfSense.localdomain]/root: ngctl mkpeer xl0: etf lower downstream
ngctl: send msg: No such file or directory
[2.4.3-RELEASE][root@pfSense.localdomain]/root:</unnamed>Not sure how to move forward from this.
Also, I'm a bit confused on how a pci-passthrough (when virtualized) is any different than bare metal, as far as vlan0 tagging is concerned. When the nic is defined as pci-pass through, does the underlying vm have direct access to the nic? This would be similar as a baremetal implementation, no?
Thanks!
-
hi I've just been reading this thread.
I have a pfsense router but unfortunately Uverse is not here in Australia, so I can't help practically..however i see you have got my ng-etf pair set up so I see we have somehow communicated before :-)
let me see if I understand the full picture..
You need to link the ONT (whatever that stands for .. Optical Network translator?) via vlan0 to the RG, but you only want protocol 8xxx to go to the RG, and all other protocols/ethertypes to go to the pfsense IP stack.. is that right?
-
this MAY work but may not.. it depends if the packets coming out of the interface have already been stripped of vlan tags.
ONT]–--[em0]lower–-downstream[eapfilter:]nomatch–--vlan0[VLAN]downstream–--upper[em0…
eapout
|
|
|
RG]–----[em1]lower–--------------/ngctl mkpeer igb0: etf lower downstream
ngctl name igb0:lower eapfilter
ngctl mkpeer igb0: vlan upper downstream
ngctl name igb0:upper vlanheader
ngctl msg vlanheader: addfilter '{ vlan=0 hook="vlan0" }'
ngctl connect vlanheader: eapfilter: vlan0 nomatch
ngctl connect eapfilter: igb1: eapout lower
ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'if they haven't then we may need to put the vlan nodes (two) on the other side of the etf node, so that it doesn't see the vlan tags.
Maybe I should add an option to make etf nodes take vlan tags into account.
If you can attach the nghook program to an inserted ngtee node (inserted somewhere in your current graph) and see what comes out. (with -a ).
then we can see what the packets look like.
-
hi I've just been reading this thread.
I have a pfsense router but unfortunately Uverse is not here in Australia, so I can't help practically..however i see you have got my ng-etf pair set up so I see we have somehow communicated before :-)
let me see if I understand the full picture..
You need to link the ONT (whatever that stands for .. Optical Network translator?) via vlan0 to the RG, but you only want protocol 8xxx to go to the RG, and all other protocols/ethertypes to go to the pfsense IP stack.. is that right?
You've actually been talking to me on the FreeBSD mailing lists, but I posted the final results to share with the world and a number of people have been running with it. :)
To help you with the terminology and define the problem:
ONT = Optical Network Terminal. It's the box in your house where the fiber-optic cable is terminated and the signal is converted into an electrical signal. It has an RJ-45 1000BaseT jack that you use to plug the RG into.
RG = Residential Gateway. It's one of those all-in-one wireless routers that is provided by the ISP (AT&T). It's low-end consumer gear that has a number of issues. Many of us have outgrown it's limitations and want to get rid of it. However, we can't because the RG is required for authentication with the ISP.
EAP-OL = Encapsulated Authentication Protocol Over LAN. It works at layer 2 and can be easily man-in-the-middled. The RG uses this protocol to authenticate with the ISP. My suspicion is that the RG is using EAP-OL to authenticate with the ONT so that the ONT can ensure that only an approved, authenticated device is connected to it/the network. However, where the actual end-point for the EAP-OL frames is located is immaterial.
-
this MAY work but may not.. it depends if the packets coming out of the interface have already been stripped of vlan tags.
ONT]–--[em0]lower–-downstream[eapfilter:]nomatch–--vlan0[VLAN]downstream–--upper[em0…
eapout
|
|
|
RG]–----[em1]lower–--------------/ngctl mkpeer igb0: etf lower downstream
ngctl name igb0:lower eapfilter
ngctl mkpeer igb0: vlan upper downstream
ngctl name igb0:upper vlanheader
ngctl msg vlanheader: addfilter '{ vlan=0 hook="vlan0" }'
ngctl connect vlanheader: eapfilter: vlan0 nomatch
ngctl connect eapfilter: igb1: eapout lower
ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'if they haven't then we may need to put the vlan nodes (two) on the other side of the etf node, so that it doesn't see the vlan tags.
Maybe I should add an option to make etf nodes take vlan tags into account.
If you can attach the nghook program to an inserted ngtee node (inserted somewhere in your current graph) and see what comes out. (with -a ).
then we can see what the packets look like.
I'm not sure that will work, because I think it may be stripping VLAN tags at the wrong point. You can correct me if I am wrong.
Here's a rough sketch of how the frames are tagged.
Before:
[ONT] –---[Tagged VLAN 0]–------------ [RG] –---[No VLAN Tags]–----------[LAN]
After:
[ONT] –----[Tagged VLAN 0] –----------[PFSense] –-----[No VLAN Tags]–---[LAN]
|
|
|–------------[Tagged VLAN 0]–-[RG]Hope this helps. Someone on this thread has gotten this to work with virtualized PFSense on ProxMox using PCI Passthrough. No one, however, has yet reported getting this to work on bare metal.
It's been the fun challenge.
-
@rajl As I understand it, the whole reason for doing the pci passthrough is because there's issue with passing vlan0 through the hypervisor? By configuring the nic as pci passthrough, the guest os (pfsense) has full access to the nic. Vlan0 is then passed through the graphing definition.
I've been testing further on the spare machine (bare metal pfsense install). I realized the reason for my errors above - I did not reattach the missing interfaces. Once I did that pfsense ssh accepted all the commands except those below.
I'm using the code from this post: https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292
# define filters for EAP traffic ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' # use filters to bridge EAP traffic ngctl connect waneapfilter: laneapfilter: eapout eapout
I resolved this by issuing the connect command first - to establish eapout definition? Once done there were no further errors.
However, monitoring the RG interface with tcpdump, all I see are these. Mac c0:a0:0d:xx:xx:xx is that of the RG.
08:13:56.104742 c0:a0:0d:xx:xx:xx (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype EAPOL (0x888e), length 60: EAPOL start (1) v2, len 0
On the WAN interface (ngeth0), I see this. RG mac is spoofed to c0:a0:0d:xx:xx:xx for this interface.
09:06:56.718637 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300 09:08:24.668681 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15 09:09:25.261889 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 4 09:09:25.261895 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15 09:09:28.585333 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300 09:09:39.433119 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300 09:09:47.419730 18:4a:6f:11:62:fd (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 0, p 7, ethertype ARP, Request who-has 107.x.x.x (c0:a0:0d:xx:xx:xx (oui Unknown)) tell 0.0.0.0, length 46 09:09:50.440866 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300 09:09:52.419034 18:4a:6f:11:62:fd (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 0, p 7, ethertype ARP, Request who-has 107.x.x.x (c0:a0:0d:xx:xx:xx (oui Unknown)) tell 0.0.0.0, length 46 09:09:55.558504 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15 09:09:57.418368 18:4a:6f:11:62:fd (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 0, p 7, ethertype ARP, Request who-has 107.x.x.x (c0:a0:0d:xx:xx:xx (oui Unknown)) tell 0.0.0.0, length 46 09:09:58.448730 c0:a0:0d:xx:xx:xx (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from c0:a0:0d:xx:xx:xx (oui Unknown), length 300
So it would seem that eapol requests are going out, but not coming back in? On the RG tcpdump there should be additional traffic showing the response, right?
On the em0: interface (ONT) here's some tcpdump output:
09:29:37.126874 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15 09:30:02.284280 18:4a:6f:11:62:fd (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 0, p 7, ethertype ARP, Request who-has 107.x.x.x (c0:a0:0d:xx:xx:xx (oui Unknown)) tell 0.0.0.0, length 46 09:30:02.284291 c0:a0:0d:xx:xx:xx (oui Unknown) > 18:4a:6f:11:62:fd (oui Unknown), ethertype 802.1Q (0x8100), length 46: vlan 0, p 0, ethertype ARP, Reply 107.x.x.x is-at c0:a0:0d:77:xx:xx (oui Unknown), length 28 09:33:39.499764 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 4 09:33:39.499769 00:90:d0:63:ff:01 (oui Unknown) > 01:80:c2:00:00:03 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15
-
Quad port nic arrived today. Ready for more testing. While my understanding of netgraph is vague at best, I am able to follow directions well.
Several other questions;
-
In the course of testing this, what is the correct way to determine that EAP authentication is taking place and is successful? The gateway has a broadband light which when connected directly to the ONT, flashes initially then goes solid green. If there's an error it flashes red. Given that we're only passing EAP packets the gateway does not get a dhcp requests honored and won't be getting any ip's. There should be some other means to confirm eap packets are flowing in both directions.
-
Should the pfsense WAN port (em0, not the bridge) have its mac spoofed? The instructions on page 2 indicate to spoof the mac on the bridge to that of the gateway.
I think ideally we want to have vlan0 tags dropped for packets destined for the lan interface and added to those going to wan (ngeth0)?
Thanks!
-
-
Quad port nic arrived today. Ready for more testing. While my understanding of netgraph is vague at best, I am able to follow directions well.
Several other questions;
-
In the course of testing this, what is the correct way to determine that EAP authentication is taking place and is successful? The gateway has a broadband light which when connected directly to the ONT, flashes initially then goes solid green. If there's an error it flashes red. Given that we're only passing EAP packets the gateway does not get a dhcp requests honored and won't be getting any ip's. There should be some other means to confirm eap packets are flowing in both directions.
-
Should the pfsense WAN port (em0, not the bridge) have its mac spoofed? The instructions on page 2 indicate to spoof the mac on the bridge to that of the gateway.
I think ideally we want to have vlan0 tags dropped for packets destined for the lan interface and added to those going to wan (ngeth0)?
Thanks!
The first one is easy 8):
Step 8: Confirm authentication. After 1-2 minutes, you will see the “Broadband” light on your RG flash green and then go to solid green for a short period of time. This means that the 802.1X port authentication has completed successfully. However, your Broadband light will then start flashing read and then go blank. This is because the RG is not receiving an IP address from the ATT network via DHCP (your PFSense Box is attempting request and receive the IP address).
If you don't see it go solid green for a short period of time, then EAP-OL authentication failed. If you go to the status page for the RG, it will say something like status authenticated, but also indicate that the internet is "down" because you were unable to get an IP address via DHCP.
-
The only spoofing that should be done is the RG's WAN port. Specifically, the PFSense WAN port will be spoofing the address of the RG's WAN port. Failure to do this will result in a failure to authenticate, as the MAC address of the RG is verified by AT&T.
-
Ideally, the netgraph framework should be stripping the VID from all Ethernet frames on ingress and after EAP-OL filtering is done. The issue is that if the VLAN is not set to 0, the RG might not recognize the EAP response frames from the ONT. However, because FreeBSD cannot create an interface on VLAN 0, you will need to untag all of the frames before they leave the Netgraph and get passed back up to the kernel stack.
In other words, the Netgraph should do the following on frames coming from the ONT:
(1) Determine whether frame is EAP-OL.
(2) If frame is EAP-OL, then relay/forward unmodified frame to RG.
(3) If frame is not EAP-OL, strip VID from frame and sent modified frame to kernel stack for further processing by systemFor frames being sent to the ONT, we are essentially doing the reverse:
(1) If frame is EAP-OL frame from RG, forward unmodified frame to ONT
(2) If frame is any other frame from RG, drop
(3) If frame is from PFSense kernel, tag it as VLAN 0 and forward to ONT.Hope this makes sense.
-
-
Yes, makes perfect sense. I think #3 clearly defines netgraph inputs and desired outcomes.
For #2, the only spoofing then should be for the ngeth0 interface, not em0 (physical interface ONT is connected to)?
Rereading the thread a few more times I think AUS got around the vlan tags on the lan issue by defining a particular filter in proxmox. It seems like netgraph is fairly powerful tool for low level packet routing and this type of function may very well be possible. I wish I had a better understanding of netgraph fundamentals. It would make a whole lot more sense.
Your ascii pic in post https://forum.pfsense.org/index.php?topic=111043.msg798687#msg798687 paints a good rough draft. In fact, starting with a visual is probably the best way to attack this problem. Just need to fill in the details.
-
For #2, the only spoofing then should be for the ngeth0 interface, not em0 (physical interface ONT is connected to)?
Not quite. You're over-thinking this part. In PFSense, go to the settings for your WAN interface and enter in the MAC address you want to use (the RG's WAN interface). NG_eth read and writes packets using the parameters specified for the operating system. So if you override the MAC address of the WAN interface with the MAC address for the RG's WAN interface, ng_eth will pick up these changes and write frames using the spoofed MAC address. Does that make sense?
Rereading the thread a few more times I think AUS got around the vlan tags on the lan issue by defining a particular filter in proxmox.
That maybe. Unfortunately, I am completely unfamiliar with ProxMox. I was hoping that if he got this working with ProxMox that the solution could be easily ported to bare-metal. But we seem to be missing something.
It seems like netgraph is fairly powerful tool for low level packet routing and this type of function may very well be possible. I wish I had a better understanding of netgraph fundamentals. It would make a whole lot more sense.
I feel like I am staring over the edge of the abyss. NetGraph is so powerful that it is awe inspiring. Unfortunately, it is so infrequently used that the documentation is quite sparse. Thank God that we have jeli on this thread to guide us when we go astray. Seriously, he's one of the creators of Netgraph and if he doesn't know the answer, probably no one does.
Your ascii pic in post https://forum.pfsense.org/index.php?topic=111043.msg798687#msg798687 paints a good rough draft. In fact, starting with a visual is probably the best way to attack this problem. Just need to fill in the details.
:D
-
For #2, the only spoofing then should be for the ngeth0 interface, not em0 (physical interface ONT is connected to)?
Not quite. You're over-thinking this part. In PFSense, go to the settings for your WAN interface and enter in the MAC address you want to use (the RG's WAN interface). NG_eth read and writes packets using the parameters specified for the operating system. So if you override the MAC address of the WAN interface with the MAC address for the RG's WAN interface, ng_eth will pick up these changes and write frames using the spoofed MAC address. Does that make sense?
Rereading the thread a few more times I think AUS got around the vlan tags on the lan issue by defining a particular filter in proxmox.
That maybe. Unfortunately, I am completely unfamiliar with ProxMox. I was hoping that if he got this working with ProxMox that the solution could be easily ported to bare-metal. But we seem to be missing something.
It seems like netgraph is fairly powerful tool for low level packet routing and this type of function may very well be possible. I wish I had a better understanding of netgraph fundamentals. It would make a whole lot more sense.
I feel like I am staring over the edge of the abyss. NetGraph is so powerful that it is awe inspiring. Unfortunately, it is so infrequently used that the documentation is quite sparse. Thank God that we have jeli on this thread to guide us when we go astray. Seriously, he's one of the creators of Netgraph and if he doesn't know the answer, probably no one does.
Your ascii pic in post https://forum.pfsense.org/index.php?topic=111043.msg798687#msg798687 paints a good rough draft. In fact, starting with a visual is probably the best way to attack this problem. Just need to fill in the details.
:D
So if I am reading you right in the GUI we don’t change the WAN interface to ngeth and don’t change the MAC address to the RG since this is handled by net graph?
-
So if I am reading you right in the GUI we don’t change the WAN interface to ngeth and don’t change the MAC address to the RG since this is handled by net graph?
Half correct. In the PFSense GUI, you set the WAN interface to whatever you want (e.g., WAN = em0, LAN = em1, RG=em2). In the netgraph script, you set the ng_eth node representing the WAN to whatever interface you specified in the PFSense GUI. In the PFSense GUI, you set the value for the MAC address equal to the MAC address of the RG's WAN interface (i.e., you're having the PFSense WAN spoof the MAC address of the RG instead of using its own MAC address).
Everything else is handled by Netgraph at layer 2 (Ethernet frames). Since PFSense mostly operates at layers 3 and 4, it will be oblivious to what Netgraph is doing. As far as PFSense is concerned, it writes packets to and receives packets from the network interface. Once the network interface receives the packets, Netgraph sorts and processes them.
-
So if I am reading you right in the GUI we don’t change the WAN interface to ngeth and don’t change the MAC address to the RG since this is handled by net graph?
Half correct. In the PFSense GUI, you set the WAN interface to whatever you want (e.g., WAN = em0, LAN = em1, RG=em2). In the netgraph script, you set the ng_eth node representing the WAN to whatever interface you specified in the PFSense GUI. In the PFSense GUI, you set the value for the MAC address equal to the MAC address of the RG's WAN interface (i.e., you're having the PFSense WAN spoof the MAC address of the RG instead of using its own MAC address).
Everything else is handled by Netgraph at layer 2 (Ethernet frames). Since PFSense mostly operates at layers 3 and 4, it will be oblivious to what Netgraph is doing. As far as PFSense is concerned, it writes packets to and receives packets from the network interface. Once the network interface receives the packets, Netgraph sorts and processes them.
This could have been the issue I had when I tried on my physical box. I changed the WAN interface to ng_eth and never got access fully… I can try again on Sunday while the wife is at work and I'll do the following.
#igb2 is connected to the ONT #lagg0 is connected to the LAN #igb3 is connected to the RG #ngeth0 is the VLANed device which is configured as my WAN in pfSense # copy and load ng_etf kernel module /sbin/kldload /boot/kernel/ng_etf.ko # # setup netgraph nodes # # list out netgraph nodes /usr/sbin/ngctl list # pfSense for some reason detaches ether devices. reattach any missing devices. php -r 'pfSense_ngctl_attach(".", "igb0");' # create tee node to split ONT traffic (one for EAP, one for VLAN0) /usr/sbin/ngctl mkpeer igb0: tee lower left # may get a warning /usr/sbin/ngctl name igb0:lower T # create vlan node + eiface /usr/sbin/ngctl mkpeer T: vlan right downstream /usr/sbin/ngctl name T:right vlan0 /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' # create etf and connect to ONT /usr/sbin/ngctl mkpeer T: etf left2right downstream /usr/sbin/ngctl name T:left2right waneapfilter /usr/sbin/ngctl connect waneapfilter: igb0: nomatch upper # create etf and connect to RG /usr/sbin/ngctl mkpeer igb3: etf lower downstream /usr/sbin/ngctl name igb3:lower laneapfilter /usr/sbin/ngctl connect laneapfilter: igb3: nomatch upper # define filters for EAP traffic /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' # use filters to bridge EAP traffic /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout # change MAC address to match RG (also can be done in pfSense) ifconfig ngeth0 ether <mac></mac>
Does this syntax look ok?
-
Unless I'm misunderstanding, there's still a puzzle piece (or 2) missing.
- What connects the wan to the lan? Ok, maybe masquerading in pfsense.
- More importantly wan frames are still tagged with vlan0. The missing piece (netgraph filter) strips these tags when traffic is routed anywhere else but the gateway.