24.7 Production Series / "Reload" WAN interface via script/command line
« on: November 15, 2024, 04:12:11 pm »
Hello, what is the command line equivalent to the "Refresh" on the interfaces overview?
2024-11-01T20:45:57 Notice kernel <6>re1: link state changed to UP
2024-11-01T20:45:57 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for wan(re1)
2024-11-01T20:45:56 Error dhcp6c transmit failed: Can't assign requested address
2024-11-01T20:45:55 Error dhcp6c transmit failed: Network is down
2024-11-01T20:45:54 Critical dhclient exiting.
2024-11-01T20:45:54 Error dhclient connection closed
2024-11-01T20:45:54 Error dhcp6c transmit failed: Network is down
2024-11-01T20:45:54 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,[lan]))
2024-11-01T20:45:54 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (,inet6,[lan])
2024-11-01T20:45:54 Notice opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for wan(re1)
2024-11-01T20:45:54 Notice kernel <6>re1: link state changed to DOWN
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : wireguard_sync())
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : webgui_configure_do(,wan,lan))
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : vxlan_configure_do())
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : unbound_configure_do(,wan,lan))
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : openssh_configure_do(,wan,lan))
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : opendns_configure_do())
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : ntpd_configure_do())
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : dnsmasq_configure_do())
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (execute task : dhcrelay_configure_if(,wan,lan,inet6))
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip_map (,wan,lan,inet6)
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip (,lan)
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn (,lan)
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure newwanip (,wan)
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn (,wan)
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn_map (execute task : wireguard_configure_do())
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn_map (execute task : openvpn_configure_do(,wan,lan))
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn_map (execute task : ipsec_configure_do(,wan,lan))
2024-11-01T20:45:22 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure vpn_map (,wan,lan,inet6)
2024-11-01T20:45:21 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure monitor (execute task : dpinger_configure_do(,[WAN_DHCP6]))
2024-11-01T20:45:21 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure monitor (,[WAN_DHCP6])
2024-11-01T20:45:21 Notice opnsense /usr/local/etc/rc.newwanipv6: ROUTING: keeping inet6 default route to fe80::21a:f0ff:fe86:5c6a%re1
2024-11-01T20:45:21 Notice opnsense /usr/local/etc/rc.newwanipv6: ROUTING: configuring inet6 default gateway on wan
2024-11-01T20:45:21 Notice opnsense /usr/local/etc/rc.newwanipv6: ROUTING: entering configure using wan, lan
2024-11-01T20:45:21 Warning radvd exiting, 1 sigterm(s) received
2024-11-01T20:45:21 Error opnsense /usr/local/etc/rc.newwanipv6: The command '/usr/sbin/daemon -f -p '/var/run/dhcpleases6.pid' '/usr/local/opnsense/scripts/dhcp/prefixes.sh'' returned exit code '3', the output was 'daemon: process already running, pid: 78863'
2024-11-01T20:45:21 Error opnsense /usr/local/etc/rc.newwanipv6: The command '/bin/kill -'TERM' '78863''(pid:/var/run/dhcpleases6.pid) returned exit code '1', the output was 'kill: 78863: No such process'
2024-11-01T20:45:21 Error opnsense /usr/local/etc/rc.newwanipv6: The command '/bin/kill -'TERM' '77612''(pid:/var/dhcpd/var/run/dhcpdv6.pid) returned exit code '1', the output was 'kill: 77612: No such process'
2024-11-01T20:45:21 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6))
2024-11-01T20:45:21 Notice opnsense /usr/local/etc/rc.newwanipv6: plugins_configure dhcp (,inet6)
2024-11-01T20:45:21 Notice opnsense /usr/local/etc/rc.newwanipv6: IP renewal starting (address: fe80::2e0:4cff:fe5f:41ad%re1, interface: wan, device: re1)
2024-11-01T20:45:18 Notice dhcp6c dhcp6c_script: REQUEST on re1 renewal
2024-11-01T20:45:18 Notice dhcp6c dhcp6c_script: REQUEST on re1 executing
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : wireguard_sync())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : webgui_configure_do(,wan))
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : vxlan_configure_do())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : unbound_configure_do(,wan))
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : openssh_configure_do(,wan))
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : opendns_configure_do())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : ntpd_configure_do())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : dnsmasq_configure_do())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (execute task : dhcrelay_configure_if(,wan,inet))
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip_map (,wan,inet)
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (,wan)
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure vpn (,wan)
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure vpn_map (execute task : wireguard_configure_do())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure vpn_map (execute task : ipsec_configure_do(,wan))
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure vpn_map (,wan,inet)
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure newwanip_map:rfc2136 (,wan)
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dns (execute task : unbound_configure_do())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dns (execute task : dnsmasq_configure_do())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dns ()
2024-11-01T20:45:17 Warning radvd exiting, 1 sigterm(s) received
2024-11-01T20:45:17 Warning opnsense /usr/local/etc/rc.linkup: dhcpd_dhcp6_configure() found no suitable IPv6 address on lan(re0)
2024-11-01T20:45:17 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure monitor (execute task : dpinger_configure_do(,[WAN_GW]))
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure monitor (,[WAN_GW])
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: ROUTING: keeping inet default route to <GATEWAY WAN IP>
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.newwanip: ROUTING: configuring inet default gateway on wan
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp (execute task : dhcpd_dhcp_configure())
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure dhcp ()
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure ipsec (execute task : ipsec_configure_do(,wan))
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure ipsec (,wan)
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure monitor (execute task : dpinger_configure_do(,[WAN_GW,WAN_DHCP6]))
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: plugins_configure monitor (,[WAN_GW,WAN_DHCP6])
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: ROUTING: setting inet default route to <GATEWAY WAN IP>
2024-11-01T20:45:17 Notice opnsense /usr/local/etc/rc.linkup: ROUTING: configuring inet default gateway on wan
2024-11-01T20:45:16 Notice opnsense /usr/local/etc/rc.newwanip: ROUTING: entering configure using wan
2024-11-01T20:45:16 Notice opnsense /usr/local/etc/rc.newwanip: IP renewal starting (new: <WAN IP>, old: <WAN IP>, interface: wan, device: re1, force: yes)
2024-11-01T20:45:16 Notice opnsense /usr/local/etc/rc.linkup: ROUTING: entering configure using wan
2024-11-01T20:45:16 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2024-11-01T20:45:16 Notice dhclient dhclient-script: Creating resolv.conf
2024-11-01T20:45:16 Notice dhclient dhclient-script: New Routers (re1): <GATEWAY WAN IP>
2024-11-01T20:45:16 Notice dhclient dhclient-script: New Broadcast Address (re1): <GATEWAY BROADCAST>
2024-11-01T20:45:16 Notice dhclient dhclient-script: New Subnet Mask (re1): 255.255.252.0
2024-11-01T20:45:16 Notice dhclient dhclient-script: New IP Address (re1): <WAN IP>
2024-11-01T20:45:16 Notice dhclient dhclient-script: New Hostname (re1): firewall
2024-11-01T20:45:16 Notice dhclient dhclient-script: Reason REBOOT on re1 executing
wpa_cli status
Selected interface 're1'
bssid=01:80:c2:00:00:03
freq=0
ssid=
id=0
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=COMPLETED
ip_address=<WAN IP ADDRESS>
address=<RE1 MAC ID>
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1
EAP TLS cipher=DHE-RSA-AES256-SHA
tls_session_reused=0
eap_session_id=0de4c94c3a15a761470997c468debef836dcdb11a2d3dfe768bfb129dfbd749f5d67253e5a9c017b7c11b7a5987d31d93e7a2f4474a2a862649ace732f677962ba
uuid=14cfe463-8dd1-52e7-a236-550ded281a59
If you experience network hangs with IPv6 enabled,
you might need to disable the checksum offloading
by adding the following parameters to the related
ifconfig line in your /etc/rc.conf file:
-rxcsum -txcsum -rxcsum6 -txcsum6
Realtek brand interfaces are known to be problematic. Did you try to install the vendor driver?
2024-10-31T19:47:19 Notice kernel <6>re1: link state changed to UP
2024-10-31T19:47:16 Notice kernel <6>re1: link state changed to DOWN
2024-10-31T19:46:57 Notice kernel <6>re1: link state changed to UP
2024-10-31T19:46:54 Notice kernel <6>re1: link state changed to DOWN
2024-10-31T19:46:40 Notice kernel <6>re1: link state changed to UP
2024-10-31T19:46:36 Notice kernel <6>re1: link state changed to DOWN
2024-10-31T19:46:14 Notice dhclient dhclient-script: Reason PREINIT on re1 executing
ifconfig re1 up
2024-10-31T20:42:10 Notice sudo michael : TTY=pts/0 ; PWD=/home/michael ; USER=root ; COMMAND=/sbin/dhclient-script preinit re1
2024-10-31T00:13:27 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-31T00:10:56 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-31T00:08:26 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-31T00:05:56 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:23:10 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:20:40 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:18:09 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:15:39 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:13:09 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:10:39 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:08:09 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:05:39 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:03:08 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T03:00:38 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:58:08 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:55:38 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:53:08 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:50:38 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:48:08 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:45:37 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:43:07 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:40:37 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:38:07 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
2024-10-30T02:35:37 Notice dhcp6c dhcp6c_script: RENEW on re1 executing
#!/usr/bin/env sh
#
# CONFIG
# ======
#
# ONT_IF Interface connected to the ONT
#
# RG_ETHER_ADDR MAC address of your assigned Residential Gateway
#
# EAP_MODE EAP authentication mode: supplicant or bridge
#
# supplicant Use wpa_supplicant to authorize your connection.
# Requires valid certs in /conf/pfatt/wpa. No
# Residential Gateway connection required.
#
# bridge Bridge EAPoL traffic from your Residential Gateway to
# authorize your connection. Residential Gateway
# connection required.
#
# EAP_SUPPLICANT_IDENTITY Required only with supplicant mode. MAC address associated
# with your cert used as your EAP-TLS identity. If you extracted
# the cert from your stock issue residential gateway, this is the
# same as $RG_ETHER_ADDR.
#
# EAP_BRIDGE_IF Required only with bridge mode. Interface that is connected
# to your Residential Gateway.
#
# EAP_BRIDGE_5268AC Required only with bridge mode. Enable workaround for 5268AC.
# Enable if you have the 5268AC. See https://github.com/aus/pfatt/issues/5
# for details. 0=OFF 1=ON
#
# Required Config
# ===============
ONT_IF="re1"
RG_ETHER_ADDR=""
EAP_MODE="supplicant"
# Supplicant Config
# =================
EAP_SUPPLICANT_IDENTITY=""
# Bridge Config
# =============
EAP_BRIDGE_IF="xx1"
EAP_BRIDGE_5268AC=0
##### DO NOT EDIT BELOW #################################################################################
/usr/bin/logger -st "pfatt" "starting pfatt..."
/usr/bin/logger -st "pfatt" "configuration:"
/usr/bin/logger -st "pfatt" " ONT_IF = $ONT_IF"
/usr/bin/logger -st "pfatt" " RG_ETHER_ADDR = $RG_ETHER_ADDR"
/usr/bin/logger -st "pfatt" " EAP_MODE = $EAP_MODE"
/usr/bin/logger -st "pfatt" " EAP_SUPPLICANT_IDENTITY = $EAP_SUPPLICANT_IDENTITY"
/usr/bin/logger -st "pfatt" " EAP_BRIDGE_IF = $EAP_BRIDGE_IF"
/usr/bin/logger -st "pfatt" " EAP_BRIDGE_5268AC = $EAP_BRIDGE_5268AC"
/usr/bin/logger -st "pfatt" "resetting netgraph..."
/usr/sbin/ngctl shutdown waneapfilter: >/dev/null 2>&1
/usr/sbin/ngctl shutdown laneapfilter: >/dev/null 2>&1
/usr/sbin/ngctl shutdown $ONT_IF: >/dev/null 2>&1
/usr/sbin/ngctl shutdown $EAP_BRIDGE_IF: >/dev/null 2>&1
/usr/sbin/ngctl shutdown o2m: >/dev/null 2>&1
/usr/sbin/ngctl shutdown vlan0: >/dev/null 2>&1
/usr/sbin/ngctl shutdown ngeth0: >/dev/null 2>&1
/sbin/kldload -nq netgraph
/sbin/kldload -nq ng_ether
/sbin/kldload -nq ng_vlan
/sbin/kldload -nq ng_eiface
/sbin/kldload -nq ng_one2many
if [ "$EAP_MODE" = "bridge" ] ; then
/usr/bin/logger -st "pfatt" "configuring EAP environment for $EAP_MODE mode..."
/usr/bin/logger -st "pfatt" "cabling should look like this:"
/usr/bin/logger -st "pfatt" " ONT---[] [$ONT_IF]$HOST[$EAP_BRIDGE_IF] []---[] [ONT_PORT]ResidentialGateway"
/usr/bin/logger -st "pfatt" "loading netgraph kernel modules..."
/sbin/kldload -nq ng_etf
/usr/bin/logger -st "pfatt" "attaching interfaces to ng_ether..."
/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"
/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$EAP_BRIDGE_IF');"
/usr/bin/logger -st "pfatt" "building netgraph nodes..."
/usr/bin/logger -st "pfatt" "creating ng_one2many..."
/usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
/usr/sbin/ngctl name $ONT_IF:lower o2m
/usr/bin/logger -st "pfatt" "creating vlan node and interface..."
/usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
/usr/sbin/ngctl name o2m:many0 vlan0
/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
/usr/bin/logger -st "pfatt" "defining etf for $ONT_IF (ONT)..."
/usr/sbin/ngctl mkpeer o2m: etf many1 downstream
/usr/sbin/ngctl name o2m:many1 waneapfilter
/usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
/usr/bin/logger -st "pfatt" "defining etf for $EAP_BRIDGE_IF (RG)... "
/usr/sbin/ngctl mkpeer $EAP_BRIDGE_IF: etf lower downstream
/usr/sbin/ngctl name $EAP_BRIDGE_IF:lower laneapfilter
/usr/sbin/ngctl connect laneapfilter: $EAP_BRIDGE_IF: nomatch upper
/usr/bin/logger -st "pfatt" "bridging etf for $ONT_IF <-> $EAP_BRIDGE_IF... "
/usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
/usr/bin/logger -st "pfatt" "defining filters for EAP traffic... "
/usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
/usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
/usr/bin/logger -st "pfatt" "enabling one2many links... "
/usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
/usr/bin/logger -st "pfatt" "removing waneapfilter:nomatch hook... "
/usr/sbin/ngctl rmhook waneapfilter: nomatch
/usr/bin/logger -st "pfatt" "enabling interfaces..."
/sbin/ifconfig $EAP_BRIDGE_IF up
/sbin/ifconfig $ONT_IF up
/usr/bin/logger -st "pfatt" "enabling promiscuous mode..."
/sbin/ifconfig $EAP_BRIDGE_IF promisc
/sbin/ifconfig $ONT_IF promisc
logger -st "pfatt" "waiting for EAP to complete authorization (unimplemented!)..."
# TODO: detect, wait for EAP
# TODO: force DHCP if needed
if [ "$EAP_BRIDGE_5268AC" = "1" ] ; then
# install proper rc script
/bin/cp /conf/pfatt/bin/pfatt-5268AC.rc /usr/local/etc/rc.d/pfatt-5268AC.sh
# kill any existing pfatt-5268AC process
PID=$(pgrep -f "pfatt-5268AC")
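# Test for a non-empty pgrep result. Inside [ ], "> 0" is a redirection that
# creates a file named 0; it is not a numeric comparison.
if [ -n "${PID}" ]; then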
/usr/bin/logger -st "pfatt" "terminating existing pfatt-5268AC on PID ${PID}..."
RES=$(kill ${PID})
/usr/local/etc/rc.d/pfatt-5268AC.sh stop
fi
/usr/bin/logger -st "pfatt" "enabling 5268AC workaround..."
/usr/local/etc/rc.d/pfatt-5268AC.sh start
fi
/usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
/usr/bin/logger -st "pfatt" "done!"
elif [ "$EAP_MODE" = "supplicant" ] ; then
/usr/bin/logger -st "pfatt" "configuring EAP environment for $EAP_MODE mode..."
/usr/bin/logger -st "pfatt" "cabling should look like this:"
/usr/bin/logger -st "pfatt" " ONT---[] [$ONT_IF]$HOST"
/usr/bin/logger -st "pfatt" "creating vlan node and ngeth0 interface..."
/usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream
/usr/sbin/ngctl name $ONT_IF:lower vlan0
/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
/usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
/sbin/ifconfig $ONT_IF up
/sbin/ifconfig $ONT_IF promisc
/usr/bin/logger -st "pfatt" "starting wpa_supplicant..."
WPA_PARAMS="\
set eapol_version 2,\
set fast_reauth 1,\
ap_scan 0,\
add_network,\
set_network 0 ca_cert \\\"/conf/pfatt/wpa/ca.pem\\\",\
set_network 0 client_cert \\\"/conf/pfatt/wpa/client.pem\\\",\
set_network 0 eap TLS,\
set_network 0 eapol_flags 0,\
set_network 0 identity \\\"$EAP_SUPPLICANT_IDENTITY\\\",\
set_network 0 key_mgmt IEEE8021X,\
set_network 0 phase1 \\\"allow_canned_success=1\\\",\
set_network 0 private_key \\\"/conf/pfatt/wpa/private.pem\\\",\
enable_network 0\
"
WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -ingeth0 -B -C /var/run/wpa_supplicant"
# kill any existing wpa_supplicant process
PID=$(pgrep -f "wpa_supplicant.*ngeth0")
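# Test for a non-empty pgrep result. Inside [ ], "> 0" is a redirection that
# creates a file named 0; it is not a numeric comparison.
if [ -n "${PID}" ];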
then
/usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
RES=$(kill ${PID})
fi
# start wpa_supplicant daemon
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant.*ngeth0")
/usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."
# Set WPA configuration parameters.
/usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
IFS=","
for STR in ${WPA_PARAMS};
do
STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
RES=$(eval wpa_cli ${STR})
done
# wait until wpa_cli has authenticated.
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
/usr/bin/logger -st "pfatt" "waiting EAP for authorization..."
# TODO: blocking for bootup
while true;
do
WPA_STATUS=$(eval ${WPA_STATUS_CMD})
if [ X${WPA_STATUS} = X"Authorized" ];
then
/usr/bin/logger -st "pfatt" "EAP authorization completed..."
IP_STATUS=$(eval ${IP_STATUS_CMD})
# Quote the variable so an empty or multi-line value does not break the test.
if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ];
then
/usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
IP_STATUS=$(eval ${IP_STATUS_CMD})
fi
/usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
break
else
sleep 1
fi
done
/usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
/usr/bin/logger -st "pfatt" "done!"
else
/usr/bin/logger -st "pfatt" "error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..."
exit 1
fi