ATT Uverse RG Bypass (0.2 BTC)
-
@fresnoboy In this case the guest OS is unaware of the VLAN tags being applied. As for why I don't run virtualized, it is too much of a performance hit when doing VPN at 1gbit speeds.
-
@bigjohns97 I would be surprised if there is much of a hit at all running virtualized. ESXi at least passes all the processor extensions through to the guest, so if you have the crypto acceleration, it definitely uses that. I know that's the case with my PFSense VM.
-
@fresnoboy I would consider yourself surprised then :)
This is something I have tried recently using ESXi 8.0 with 22.xx as well as 23.01, and while I got the same performance line-rate wise, the CPU percentage being shown as utilized was 100%.
Whenever I do this on bare metal the CPU utilization is around 20% on the exact same hardware.
I almost want to install a second drive in my server just so I can switch back and forth using BIOS boot options.
But so far I have not found anyone that could point to anything I was doing wrong, just that generic "virtualization shouldn't cause a performance penalty" response.
Which, BTW, I am that guy: as a server admin / engineer of over 25 years I am that dude arguing for virtualization, but I could never get it to not show such CPU utilization when performing this performance benchmark test.
-
@bigjohns97 Count me surprised. Was this true with ESXi 7? 8.0 is a little too much milk for my taste - I only drink wine in hypervisors.
-
No ESXi here, but I am using Proxmox.
PF + 23.01
I tried all sorts of variations to get rid of the vlan0, including suggestions from https://forum.proxmox.com/threads/how-to-pass-vlan-0-priority-tags-to-pfsense-for-dhcp.112374/ , post #2.
No can do. The only way I can get auth to work is by directly passing the wan nic to the pf vm and using the netgraph/supplicant method. The certs are known good and have been in use for a number of years.
Using 23.01, should it be possible to use wpa_supplicant and have functional wan dhcp without netgraph of any kind?
-
@gpz1100 no, it never was said to work in pfSense 23.01. There is so much bad misinformation on this topic. FreeBSD 14 still doesn't handle tagged vlan0 inbound, which is what AT&T EAP auth uses via wpa_supplicant. The kernel just discards it because BSD doesn't know how to handle it.
-
The vlan0 part is not the problem. FreeBSD 14 and pfSense 23.01/2.7 will handle that no problem.
Additionally, in 23.01/2.7 priority-tagged DHCP traffic will also be passed by bpf, which is what was breaking connections to other ISPs. The only exception to that is the e1000 driver (em and igb), where VLAN hardware filtering must be disabled due to a bug. But none of that applies to AT&T, where the authentication requirement (currently) means you must use the netgraph script, and doing so causes other issues, such as the fact that the iflib e1000 driver doesn't seem to pass traffic with it.
-
@stephenw10 so why doesn't it work for ATT? What needs to be changed/fixed? Without netgraph.
-
There's two scenarios. For most users who have the AT&T device still connected something is required to forward the auth traffic to it and responses back and that requires netgraph or some equivalent setup.
If you have extracted the certs and are using WPA directly it might be possible. I have no way to test. I suspect bpf might get in the way still. Also there were reports of WPA for DHCP not working in other situations, and since it's not supported in pfSense it's not something that gets tested.
Steve
-
@stephenw10 I have working extracted certs and have done testing (see my post from 7 days ago). It does not work in AT&T / pfSense, which requires auth. The netgraph method has worked for me in 2.4.5, but as many know, it's not ideal being single threaded, and as line speeds get faster, more resources are consumed.
-
What NIC are you using?
-
@fresnoboy When I tried it on ESXi 7 wireguard wasn't out and I wasn't terminating VPN tunnels on my pfsense, but I do remember there to be the same CPU usage delta between hypervisor and bare metal.
-
@gpz1100 I've never tried Proxmox other than one time playing around with Unraid, which I believe runs Proxmox under the covers.
Were you defining your vNICs with your VLANs as "vlan aware"? In ESXi I would just assign VLAN 0 as well as set the MAC address to my AT&T-provided gateway MAC in the interface options for the virtual machine for the WAN interface, and that was it. Didn't have to do anything on the pfSense guest itself outside of running a simple wpa_supplicant script to get a DHCP address from AT&T.
-
@stephenw10 https://reviews.freebsd.org/D31515 had to be updated on FreeBSD for the VLAN 0 to actually be able to get DHCP, I wonder if the same thing needs to happen to wpa supplicant.
-
@stephenw10 test box has a 4-port 1GbE Intel NIC, em. Also has an onboard Realtek NIC that I tried.
-
OK, well it won't work using netgraph and that Intel NIC in 23.01/2.7.
It should work using netgraph with the Realtek NIC AFAIK though I've not tried it.
To use it without netgraph you would need to disable vlan hardware filtering on the em NIC. Though I have no way to test if it's possible.
-
@stephenw10 the Intel driver bug was supposed to be fixed in 2.7/23.01. And I disabled -vlanhwfilter. I'm not testing netgraph, my goal was to eliminate netgraph and just be able to auth with wpa_supplicant on its own.
-
The e1000 driver bug is not fixed. I tested it last week when confirming the igc is not affected.
If you disable vlan hardware filtering and run a pcap you will see the incoming tagged packets.
I would try that and see what's responding or not from pfSense. Presumably you have some other script running to activate wpa_supplicant with the appropriate certs etc?
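An added example, not code from the thread or from pfSense/FreeBSD, to go with the pcap suggestion above and the earlier point that VID 0 frames are "priority tagged" rather than members of a VLAN: it decodes a priority-tagged EAPOL frame of the kind such a capture would show and strips the tag so the frame is treated as untagged. The function names, the constructed sample frame and its MAC addresses are assumptions made for this example.

```python
# Added example (not from the thread): decode an 802.1Q priority-tagged frame
# like the EAPOL and DHCP frames the AT&T side sends. VID 0 means "priority-
# tagged": the frame belongs to the untagged network and only carries a PCP
# value. A driver or filter that drops VID 0 frames never delivers them to
# wpa_supplicant or the DHCP client, which is the symptom discussed in this thread.
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_EAPOL = 0x888E


def decode_frame(frame: bytes) -> dict:
    """Return addressing, 802.1Q tag fields and the inner ethertype of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "vid": None, "priority_tagged": False}
    offset = 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        info.update(tagged=True, pcp=tci >> 13, vid=vid, priority_tagged=(vid == 0))
        offset = 18
    info["ethertype"] = etype
    info["payload"] = frame[offset:]
    return info


def strip_priority_tag(frame: bytes) -> bytes:
    """Treat VID 0 as untagged by removing the 4-byte tag; other frames pass unchanged."""
    if decode_frame(frame)["priority_tagged"]:
        return frame[:12] + frame[16:]
    return frame


# Constructed sample: priority-tagged (PCP 0, VID 0) EAPOL-Start from a made-up
# client MAC to the 802.1X PAE group address 01:80:c2:00:00:03.
SAMPLE_EAPOL = (bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
                + struct.pack("!HHH", ETHERTYPE_VLAN, 0x0000, ETHERTYPE_EAPOL)
                + bytes([0x01, 0x01, 0x00, 0x00]))  # EAPOL v1, type 1 = Start

if __name__ == "__main__":
    d = decode_frame(SAMPLE_EAPOL)
    print(f"tagged={d['tagged']} vid={d['vid']} pcp={d['pcp']} ethertype=0x{d['ethertype']:04x}")
    print("after strip:", strip_priority_tag(SAMPLE_EAPOL).hex())
```

If the tagged EAPOL frames show up in the capture but wpa_supplicant never sees them, the problem sits in the driver or tag handling rather than in the extracted certificates.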
-
@bigjohns97 said in ATT Uverse RG Bypass (0.2 BTC):
@gpz1100 I've never tried proxmox other than one time playing around with unraid which I believe runs proxmox under the covers.
Were you defining your vNICs with your VLANs as "vlan aware"? In ESXi I would just assign VLAN 0 as well as set the MAC address to my AT&T-provided gateway MAC in the interface options for the virtual machine for the WAN interface, and that was it. Didn't have to do anything on the pfSense guest itself outside of running a simple wpa_supplicant script to get a DHCP address from AT&T.
I tried defining the VLAN with vlan aware both enabled and disabled. Made no difference as far as wpa_supplicant being able to receive the EAPOL traffic.
I tried with both the Intel NIC and a USB RTL8153-based NIC; both failed.
My "production" firewall is Sophos UTM under Proxmox. The Intel NIC is in passthrough mode for the WAN. There I run wpa_supplicant directly, without anything additional to handle vlan0. It's been working fine for a number of years. UTM is going EOL, so I'm exploring other options.
-
Well since there is no gui options for that in pfSense you would need, at a minimum, something like this: https://redmine.pfsense.org/issues/5474