Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    ATT Uverse RG Bypass (0.2 BTC)

    Bounties
    80
    555
    1.2m
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      anyn12 @GPz1100
      last edited by

      @GPz1100 I'm using the dfp-34x to bypass the AT&T ONT and RG, but curiously, I don't need to authenticate at all with the DFP-34X. Does anyone know why I no longer need to authenticate with wpa_supplicant when bypassing the ONT? I've read conflicting info about whether authentication should be needed or not.

      Prior to bypassing the ONT with the dfp-34x, I was using AT&T ONT -> Swtich (strip VLAN0) -> Pfsense, but could not pull IP unless I authenticated with wpa_supplicant.

      GPz1100G 1 Reply Last reply Reply Quote 0
      • U
        untamedgorilla @AiC0315
        last edited by untamedgorilla

        @AiC0315 said in ATT Uverse RG Bypass (0.2 BTC):

        @GPz1100 I found the original files and was able to get it sorted out. Thank you for your help!!

        It's because the authentication isn't really needed (there is long thread on DSLreports that proves that 802.1x authentication isn't necessary). What is needed is a compatible ont or ont sfp+ (2.5 gig sensing, which isn't in all ont or ont sticks), that is spoofed to the mac address and type of RG. That is why you can bypass the ont and RG. The only hold up was that most firewalls wouldn't recognize vlan0 on the wan. There are numerous people like myself who no longer use the RG and ONT. I do have the 5gig connection so I'm not on the older GPON, I'm on XGS-PON. But it works 100% without extracting certs. I personally have been using the Azores WAG-D20 for about a year now. The only time I have ever had my bgw320-505 powered on is when AT&T had to replace my fiber line when tree cutters dropped a tree on my fiber line and cut it. So they could run a line test.

        A E 2 Replies Last reply Reply Quote 0
        • A
          anyn12 @untamedgorilla
          last edited by

          @untamedgorilla Thanks, I've consistently seen that XGS-PON doesn't use authentication in the same way as GPON - but, I'm on GPON. I have seen the DSLreports thread but then again on the discord there are conflicting discussions. I guess I should be happy with it and let it go but concerned its just a temporary fluke in my setup.

          1 Reply Last reply Reply Quote 0
          • Z
            Zaf9670 @DefenderLLC
            last edited by

            @DefenderLLC I understand the box is combined but that doesn't necessarily mean the process is different to intercept/use. It sounds like the replies after ours show it has had some mixed success unless the all-in-ones register differently between models.

            DefenderLLCD 1 Reply Last reply Reply Quote 1
            • DefenderLLCD
              DefenderLLC @Zaf9670
              last edited by

              @Zaf9670 said in ATT Uverse RG Bypass (0.2 BTC):

              @DefenderLLC I understand the box is combined but that doesn't necessarily mean the process is different to intercept/use. It sounds like the replies after ours show it has had some mixed success unless the all-in-ones register differently between models.

              I certainly hope so. Most of them seem to have the BGW310. I have the BGW320 and I haven't seen anyone crack the cert/keys on that one yet. It's really not that big of a deal to me as I'm not experiencing any packet loss, but if someone gets it to work then I would love to try it.

              1 Reply Last reply Reply Quote 0
              • GPz1100G
                GPz1100 @anyn12
                last edited by

                @anyn12 said in ATT Uverse RG Bypass (0.2 BTC):

                @GPz1100 I'm using the dfp-34x to bypass the AT&T ONT and RG, but curiously, I don't need to authenticate at all with the DFP-34X. Does anyone know why I no longer need to authenticate with wpa_supplicant when bypassing the ONT? I've read conflicting info about whether authentication should be needed or not.

                Prior to bypassing the ONT with the dfp-34x, I was using AT&T ONT -> Swtich (strip VLAN0) -> Pfsense, but could not pull IP unless I authenticated with wpa_supplicant.

                Based on discussions on discord, it appears some on GPON users are connected to an olt that allow traffic without 802.1x auth taking place. That is, even when using the stock 010a ont.

                Then there's your sfp which maybe spoofing a successful 802.1x response upstream. In terms of xgspon, it would appear 802.1x auth is not used (at this time?) with such implementations so devices such as the azores wag20 work with just serial/mac spoofing.

                One thing is clear, att is consistently inconsistent.

                1 Reply Last reply Reply Quote 0
                • stephenw10S stephenw10 referenced this topic on
                • E
                  Eddie55 @untamedgorilla
                  last edited by

                  @untamedgorilla said in ATT Uverse RG Bypass (0.2 BTC):

                  Azores WAG-D20

                  So you are saying
                  Even though i have 1 Gig Att Fiber with a Pace 5268AC
                  i can use a Azores WAG-D20 to replace my Pace 5268AC and connect it directly to my pfsense box?
                  No headaches or setup just plug and play?

                  dreamdenizenD 1 Reply Last reply Reply Quote 0
                  • dreamdenizenD
                    dreamdenizen @Eddie55
                    last edited by

                    @Eddie55 it's not that easy. If you're on the Pace rg you likely have GPON, so the Azores ont won't work.

                    E 1 Reply Last reply Reply Quote 0
                    • E
                      Eddie55 @dreamdenizen
                      last edited by Eddie55

                      @dreamdenizen
                      what would you recommend i do
                      i currently have

                      Pace 5268AC
                      4 port pfsense router
                      Unifi 24 port poe managed switch

                      1 Reply Last reply Reply Quote 0
                      • J
                        jasonsansone
                        last edited by

                        I have never been able to update past 22.05, but previously didn't have the time to extensively debug the issue. I am also starting to care more as I don't want to be running an unpatched, insecure system indefinitely. I am using the supplicant method which works great on 22.05. Certs are extracted from my BGW210, not purchased. Here is what happens if I execute the script manually in 23.01.

                        pfatt 59368 - - starting pfatt...
                        pfatt 59524 - - resetting netgraph...
                        pfatt 60893 - - creating vlan node and ngeth0 interface...
                        pfatt 61867 - - enabling promisc for igb0...
                        pfatt 63602 - - starting wpa_supplicant...
                        pfatt 63884 - - terminating existing wpa_supplicant on PID 42344...
                        pfatt 76978 - - wpa_supplicant running on PID 76616...
                        pfatt 77163 - - setting wpa_supplicant network configuration...
                        pfatt 87692 - - waiting for EAP authorization...
                        pfatt 17137 - - EAP authorization completed...
                        pfatt 17614 - - no IP address assigned, force restarting DHCP...
                        dhclient not running? (check /var/run/dhclient/dhclient.ngeth0.pid).
                        DHCPREQUEST on ngeth0 to 255.255.255.255 port 67
                        DHCPREQUEST on ngeth0 to 255.255.255.255 port 67
                        DHCPDISCOVER on ngeth0 to 255.255.255.255 port 67 interval 6
                        DHCPDISCOVER on ngeth0 to 255.255.255.255 port 67 interval 13
                        My address (104.62.99.47) was re-added
                        DHCPDISCOVER on ngeth0 to 255.255.255.255 port 67 interval 12
                        My address (104.62.99.47) was deleted, dhclient exiting
                        pfatt 67484 - - IP address is ...
                        pfatt 67576 - - ngeth0 should now be available to configure as your WAN...
                        pfatt 74890 - - set mac address on ngeth0...
                        

                        I never get an IP and the WAN remains down. Does anyone have any thoughts? My pfatt script is attached. pfatt.txt

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          The bug in e1000 that stopped it passing vlan0 tagged traffic is fixed in 23.09(.1) so try that.

                          You can probably do that directly without netgraph there too since both WPA and dhclient can now accept vlan0.

                          GPz1100G J 2 Replies Last reply Reply Quote 0
                          • GPz1100G
                            GPz1100 @stephenw10
                            last edited by

                            @stephenw10 Use of openssl 3.0 introduced other issues requiring some additional parameters in later pf versions.

                            I've attached a txt containing my notes from the discord discussion on the issue.

                            pfsense_openssl 3.0 related.txt

                            1 Reply Last reply Reply Quote 0
                            • J
                              jasonsansone @stephenw10
                              last edited by

                              @stephenw10 @GPz1100

                              I upgraded to 23.09.1 and changed to using the method detailed here. However, wpa_cli status reports "connecting" and "unauthorized". The exact same hardware and certs authenticate fine on 22.05 using the old pfatt wpa_supplicant script. Any recommendations?

                              dreamdenizenD 1 Reply Last reply Reply Quote 0
                              • dreamdenizenD
                                dreamdenizen @jasonsansone
                                last edited by dreamdenizen

                                @jasonsansone

                                I put my certs and wpa_supplicant.conf file in /root/wpa and used the following earlyshellcmd and shellcmd. Worked perfectly fine on 23.09.1 until I bailed to OPNsense last week. Same commands are also working great on OPNsense 23.7.10 using rc.syshook.d scripts.

                                earlyshellcmd

                                ifconfig igb0 ether "xx:xx:xx:xx:xx:xx" && wpa_supplicant -s -dd -B -Dwired -i igb0 -c /root/wpa/wpa_supplicant.conf -P /var/run/wpa_supplicant.pid && sleep 10 && wpa_cli logon
                                

                                Plug your RG ethernet MAC in place of the xx:xx... above

                                shellcmd

                                wpa_cli logoff && sleep 10 && wpa_cli logon
                                

                                the -s and -dd flags in my earlyshellcmd will cause wpa_supplicant to push all debug log activity to syslog, so look there for clues as to what's happening if you still can't auth.

                                You may have caused your ONT to flag due to too many failed auth attempts, so make sure to push the reset pin in on the back before your first boot with these commands.

                                Good luck.

                                J 1 Reply Last reply Reply Quote 1
                                • J
                                  jasonsansone @dreamdenizen
                                  last edited by

                                  @dreamdenizen can you please post your .conf just so I can verify? Thank you. Your method is what I was testing, except I will enable debug logging to better investigate. I had it working once, and then it stopped, which lead me to also suspect I got flagged for too many repeat authentications. Except it’s strange that a reboot into the old boot environmental using the supplicant script works. I would have thought that if I was blocked or suspended, it would fail regardless of method.

                                  dreamdenizenD 1 Reply Last reply Reply Quote 0
                                  • dreamdenizenD
                                    dreamdenizen @jasonsansone
                                    last edited by dreamdenizen

                                    @jasonsansone your flags may vary based on what was extracted from your BGW210-700 or NVG so I would not recommend changing anything produced by the devicelocksmith extraction tool. My wpa_supplicant.conf is exactly what was spit out by the tool with the addition of

                                    ctrl_interface=DIR=/var/run/wpa_supplicant
                                    

                                    to account for running patched versions of wpa_supplicant prior to vlan0 handling being added to mainline. That added line works fine with mainline as well, so I never removed it.

                                    ctrl_interface=DIR=/var/run/wpa_supplicant
                                    eapol_version=1
                                    ap_scan=0
                                    fast_reauth=1
                                    network={
                                            ca_cert="/root/wpa/CA.pem"
                                            client_cert="/root/wpa/Client.pem"
                                            eap=TLS
                                            eapol_flags=0
                                            identity="xx:xx:xx:xx:xx:xx" # Internet (ONT) interface MAC address must match this value
                                            key_mgmt=IEEE8021X
                                            phase1="allow_canned_success=1"
                                            private_key="/root/wpa/PrivateKey.pem"
                                    }
                                    
                                    J 1 Reply Last reply Reply Quote 0
                                    • J
                                      jasonsansone @dreamdenizen
                                      last edited by

                                      @dreamdenizen thank you. Unfortunately the originally extracted conf has been lost. I was trying to avoid doing the extraction process again.

                                      J 1 Reply Last reply Reply Quote 0
                                      • J
                                        jasonsansone @jasonsansone
                                        last edited by

                                        Here is the syslog output:

                                        Dec 23 08:38:29 pfsense pfatt[63277]: starting wpa_supplicant... Dec 23 08:38:29 pfsense wpa_supplicant[63663]: Successfully initialized wpa_supplicant Dec 23 08:38:33 pfsense pfatt[71584]: wpa_supplicant running on PID 70876... Dec 23 08:38:33 pfsense pfatt[72244]: setting wpa_supplicant network configuration... Dec 23 08:38:33 pfsense wpa_supplicant[70876]: igb0: Associated with 01:80:c2:00:00:03 Dec 23 08:38:33 pfsense wpa_supplicant[70876]: igb0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0 Dec 23 08:39:34 pfsense wpa_supplicant[70876]: igb0: CTRL-EVENT-EAP-FAILURE EAP authentication failed Dec 23 08:39:48 pfsense wpa_supplicant[70876]: igb0: CTRL-EVENT-EAP-STARTED EAP authentication started

                                        And here is the output from wpa_cli status:

                                        `wpa_cli status
                                        Selected interface 'igb0'
                                        bssid=01:80:c2:00:00:03
                                        freq=0
                                        ssid=
                                        id=0
                                        mode=station
                                        pairwise_cipher=NONE
                                        group_cipher=NONE
                                        key_mgmt=IEEE 802.1X (no WPA)
                                        wpa_state=ASSOCIATED
                                        address=74:8a:0d:5f:be:21
                                        Supplicant PAE state=CONNECTING
                                        suppPortStatus=Unauthorized
                                        EAP state=IDLE
                                        uuid=666db3f9-54bb-5d96-8859-3fd4bbaa9546

                                        wpa_cli status
                                        Selected interface 'igb0'
                                        bssid=01:80:c2:00:00:03
                                        freq=0
                                        ssid=
                                        id=0
                                        mode=station
                                        pairwise_cipher=NONE
                                        group_cipher=NONE
                                        key_mgmt=IEEE 802.1X (no WPA)
                                        wpa_state=ASSOCIATED
                                        address=74:8a:0d:5f:be:21
                                        Supplicant PAE state=HELD
                                        suppPortStatus=Unauthorized
                                        EAP state=FAILURE
                                        uuid=666db3f9-54bb-5d96-8859-3fd4bbaa9546`

                                        J 1 Reply Last reply Reply Quote 0
                                        • J
                                          jasonsansone @jasonsansone
                                          last edited by

                                          Extracted certs and conf from RG again. Used exact conf parameters and certs. Tested with and without PCP 1 and/or -vlanhwfilter. Same result.

                                          dreamdenizenD GPz1100G 2 Replies Last reply Reply Quote 0
                                          • dreamdenizenD
                                            dreamdenizen @jasonsansone
                                            last edited by

                                            @jasonsansone is that mac address listed in your post the MAC of the RG ethernet? If not, make sure to override the MAC address in Interfaces > WAN with that of your ethernet RG. I also recommend redacting it in your last post.

                                            J 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.