[SOLVED]: 24.7 Upgrade from 24.1.10 broke my AT&T Fiber Bypass

Started by adamrc, July 25, 2024, 06:11:29 PM

Quote from: effex on August 19, 2024, 12:16:48 AM
Quote from: adamrc on August 09, 2024, 11:54:38 PM
Quote from: effex on August 09, 2024, 11:28:24 PM
Mine is still not working with the code above. The openatt.sh script seems to work just fine, however, something is not working with wpa_supplicant. I tried manually executing the script in early and it gets to "daemonize" and gives me a permission denied. Any way to further debug it?

No need for the openatt.sh script using my method above. Just ensure certs are in the folders specified in the file.


On the identity piece, is that the RG modem's former MAC address, the same as in the openatt.sh script, or are you saying my WAN MAC address on my OPNsense box?

It's the AT&T RG modem MAC address.

Quote from: franco on August 11, 2024, 08:49:37 PM

Congrats on finally implementing the VLAN 0 patches for wpa_supplicant. Why did it take so long? pfSense had it back in June of 2023.

Quote from: GPz1100 on August 24, 2024, 07:00:03 AM
Congrats on finally implementing the VLAN 0 patches for wpa_supplicant. Why did it take so long? pfSense had it back in June of 2023.

Do you want to be set to read-only mode for trolling? My first and last warning.

Quote from: adamrc on August 06, 2024, 09:18:08 PM
I'm back up and running as well. I scrapped everything and went to the 8311 Discord channel for bypassing and got the proper info. Here are the files and contents that I used. Netgraph is no longer used or needed.

/usr/local/etc/rc.syshook.d/early/04-wpa (make sure to chmod +x this file)

#!/bin/sh
# -Dwired: wired 802.1X driver; -B: daemonize; -C: control socket dir (matches ctrl_interface in the .conf)
# OPENSSL_CONF scopes the relaxed TLS settings below to this wpa_supplicant process only
env OPENSSL_CONF=/conf/wpa/openssl.conf /usr/local/sbin/wpa_supplicant -Dwired -i igb0 -B -C /var/run/wpa_supplicant -c /conf/wpa/wpa_supplicant.conf


/conf/wpa/openssl.conf

# Loaded only by the wpa_supplicant started from 04-wpa (via OPENSSL_CONF),
# so these relaxations stay out of the system-wide openssl.cnf
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Allow renegotiation with a peer that lacks RFC 5746 secure renegotiation
Options = UnsafeLegacyRenegotiation
# Permit TLS 1.0 and drop OpenSSL's key-size/digest/protocol floor (SECLEVEL=0),
# needed for the EAP-TLS handshake with the legacy AT&T authenticator
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0


/conf/wpa/wpa_supplicant.conf

# Generated by 802.1x Credential Extraction Tool
# Copyright (c) 2018-2019 devicelocksmith.com
# Version: 1.04 windows 386
#
# Change file names to absolute paths
ctrl_interface=DIR=/var/run/wpa_supplicant
openssl_ciphers=DEFAULT@SECLEVEL=0
eapol_version=2
# Wired port: no scanning or association
ap_scan=0
fast_reauth=1
network={
        ca_cert="/conf/wpa/ca.pem"
        client_cert="/conf/wpa/client.pem"
        eap=TLS
        eapol_flags=0
        identity="REDACTED" # Internet (ONT) interface MAC address must match this value
        # Plain 802.1X/EAP, no WPA key handshake
        key_mgmt=IEEE8021X
        # Accept the authenticator's EAP-Success even when the TLS method has not itself concluded
        phase1="allow_canned_success=1"
        private_key="/conf/wpa/private.pem"
}


Thank you for posting this. I just moved to OPNsense from pfSense and was struggling with the ngeth0 method. The method you referenced worked perfectly.

Not sure what is causing the problem on my end...
I just switched from pfSense to OPNsense. I have set up the files similarly to those set out by adamrc, but my WAN interface never connects on reboot. I can get the process to work, but it takes a couple of steps...

I have to ...
log in to the system console
kill all wpa_supplicant processes
delete /var/run/wpa_supplicant/igb0
run 04-wpa
refresh the interface in the GUI

After these steps it will load an external IP.
I'm beginning to wonder if there isn't a race condition causing the failure, but I thought the "04-" would keep that from happening.

The system hangs on Initializing WAN interface while booting.

Anyone have any ideas, or how to best troubleshoot?

For those seeing this. I was able to solve my problem. I had to make sure that the interface was enabled before I could run the WPA supplicant code.

I went to the 8311 discord and found the code posted here by Adamrc. There is a line omitted in the /usr/local/etc/rc.syshook.d/early/04-wpa file.


#!/bin/sh
# Set the WAN NIC's MAC before the supplicant starts; it must match identity= in wpa_supplicant.conf
/sbin/ifconfig igb0 link FF:FF:FF:FF:FF:FF

env OPENSSL_CONF=/conf/wpa/openssl.conf /usr/local/sbin/wpa_supplicant -Dwired -i igb0 -B -C /var/run/wpa_supplicant -c /conf/wpa/wpa_supplicant.conf


Where igb0 is the interface, and FF:FF:FF:FF:FF:FF is the Gateway MAC

Quote from: adamrc on August 06, 2024, 09:18:08 PM
I'm back up and running as well. I scrapped everything and went to the 8311 Discord channel for bypassing and got the proper info. Here are the files and contents that I used. Netgraph is no longer used or needed.
[...]

Quote from: Quasmo on September 13, 2024, 02:46:58 PM
For those seeing this. I was able to solve my problem. I had to make sure that the interface was enabled before I could run the WPA supplicant code.
[...]

These two posts got me back up and running.

The MAC address mentioned in the "04-wpa" and "wpa_supplicant.conf" files is the MAC of the WAN port on the AT&T-issued router. This same MAC address needs to be used in the OPNsense GUI under Interfaces > Assignments > select your AT&T WAN interface > MAC address. On this same page look for Device at the top and take note of what it says. If it says something other than igb0, change the two places that say igb0 in 04-wpa to your network device name. Example: I had to change from igb0 to igc7 for my setup to work.

I cannot get this to work on my end. I have followed the latest post additions and still am unable to bypass my BGW210.

I suspect my issue is that I am running OPNsense as a VM in Proxmox and my setup for bridging my NIC to my VM is not set up properly.

Based on information I have seen online, my WAN interface on my Proxmox host is set up as follows:

iface enp1s0 inet manual

# VLAN 0 sub-interface: the AT&T side sends its frames 802.1Q-tagged with VID 0
iface enp1s0.0 inet manual

auto vmbr1
iface vmbr1 inet manual
bridge-ports enp1s0.0
bridge-stp off
bridge-fd 0
# Linux bridges drop 01:80:C2:00:00:0X link-local frames by default;
# bit 3 (0x8) lets EAPOL (01:80:C2:00:00:03) through to the VM
post-up echo 8 > /sys/class/net/vmbr1/bridge/group_fwd_mask


My Proxmox OPNsense VM WAN network is set up as follows:

net0: virtio=<BGW210 MAC address>,bridge=vmbr1,queues=8


And my various config files based on the above posts are as follows:
wpa_supplicant.conf

# Change file names to absolute paths
ctrl_interface=DIR=/var/run/wpa_supplicant
openssl_ciphers=DEFAULT@SECLEVEL=0
eapol_version=2
ap_scan=0
fast_reauth=1
network={
        ca_cert="/conf/wpa/CA.pem"
        client_cert="/conf/wpa/Client.pem"
        eap=TLS
        eapol_flags=0
        identity="<BGW210 MAC address>" # Internet (ONT) interface MAC address must match this value
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/conf/wpa/PrivateKey.pem"
}


openssl.conf

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=0


/usr/local/etc/rc.syshook.d/early/04-wpa

#!/bin/sh

# vtnet0 is the virtio WAN NIC inside the VM; its MAC must equal identity= in wpa_supplicant.conf
/sbin/ifconfig vtnet0 link <BGW210 MAC address>

# -t adds timestamps and -dd maximum debug verbosity while troubleshooting
env OPENSSL_CONF=/conf/wpa/openssl.conf /usr/local/sbin/wpa_supplicant -Dwired -i vtnet0 -B -C /var/run/wpa_supplicant -c /conf/wpa/wpa_supplicant.conf -t -dd


And finally, I set my WAN MAC to <BGW210 MAC address> in the OPNsense GUI.

When I boot up, it hangs on WAN initialization, and when I try to manually start 04-wpa, it fails.

Any idea what I need to adjust to get this working on my end? I am running OPNsense version 24.7.7-amd64.

Thank you!
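A pre-flight check for the files traded in this thread, added here as an example; it is not OPNsense code, nor anything from the 8311 Discord or devicelocksmith's tool. It reads a 04-wpa hook and a wpa_supplicant.conf as text and flags the mismatches reported above: the ifconfig line and the -i argument naming different interfaces (igb0 left in one place after the device became igc7 or vtnet0), identity= not equal to the MAC the hook puts on the interface, cert or key paths that are relative or missing, and a private key readable by other users. For the Proxmox case it also decodes the bridge group_fwd_mask to confirm EAPOL frames will be forwarded. The MAC, temp directory and file names in the demo are constructed.

```python
"""Pre-flight check for the AT&T 802.1X bypass files posted in this thread.

Added example, not OPNsense/8311/devicelocksmith code.  Parses the 04-wpa
hook and wpa_supplicant.conf as text and reports the mismatches people hit
above; bridge_forwards_eapol() covers the Proxmox bridge mask.
"""
import os
import re
import stat
import tempfile

MAC_RE = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"


def parse_hook(script_text):
    """Interface and MAC from 'ifconfig X link MAC', interface from 'wpa_supplicant ... -i Y'."""
    link = re.search(r"ifconfig\s+(\S+)\s+link\s+(" + MAC_RE + ")", script_text)
    sup = re.search(r"wpa_supplicant(?:\s[^\n]*?)?\s-i\s+(\S+)", script_text)
    return {
        "link_iface": link.group(1) if link else None,
        "link_mac": link.group(2).lower() if link else None,
        "sup_iface": sup.group(1) if sup else None,
    }


def parse_conf(conf_text):
    """Collect key="value" settings.  Text after the closing quote (the
    '# Internet (ONT) interface MAC...' comment) is dropped, as wpa_supplicant
    itself strips # comments that sit outside a quoted string."""
    values = {}
    for line in conf_text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def _file_mode(path):
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def check_supplicant(script_text, conf_text, mode_of=_file_mode):
    """Return a list of problems; [] means hook and config agree with each other."""
    problems = []
    hook = parse_hook(script_text)
    conf = parse_conf(conf_text)

    if hook["sup_iface"] is None:
        problems.append("04-wpa: no 'wpa_supplicant ... -i <iface>' invocation")
    if hook["link_iface"] is None:
        problems.append("04-wpa: no 'ifconfig <iface> link <mac>' line, NIC keeps its own MAC")
    elif hook["link_iface"] != hook["sup_iface"]:
        problems.append("04-wpa: ifconfig targets %s but wpa_supplicant -i uses %s"
                        % (hook["link_iface"], hook["sup_iface"]))

    identity = conf.get("identity")
    if identity is None or not re.fullmatch(MAC_RE, identity):
        problems.append("wpa_supplicant.conf: identity must be the RG's WAN MAC address")
    elif hook["link_mac"] and identity.lower() != hook["link_mac"]:
        problems.append("identity %s differs from the MAC 04-wpa sets (%s)"
                        % (identity, hook["link_mac"]))

    for key in ("ca_cert", "client_cert", "private_key"):
        path = conf.get(key)
        if path is None:
            problems.append("wpa_supplicant.conf: %s not set" % key)
        elif not os.path.isabs(path):
            problems.append("%s must be an absolute path, got %r" % (key, path))
        else:
            mode = mode_of(path)
            if mode is None:
                problems.append("%s: %s does not exist" % (key, path))
            elif key == "private_key" and mode & (stat.S_IRWXG | stat.S_IRWXO):
                # The extracted RG key is the credential; only root should read it.
                problems.append("%s is group/world accessible (mode %o)" % (path, mode & 0o777))
    return problems


def bridge_forwards_eapol(group_fwd_mask):
    """Linux bridges drop frames to 01:80:C2:00:00:0N unless bit N of
    /sys/class/net/<br>/bridge/group_fwd_mask is set; EAPOL's PAE group
    address is 01:80:C2:00:00:03, hence 'echo 8' in the Proxmox config."""
    text = group_fwd_mask.strip()
    mask = int(text, 16) if text.lower().startswith("0x") else int(text)
    return bool(mask & (1 << 3))


if __name__ == "__main__":
    # Constructed demo: dummy cert files in a temp dir, a made-up locally
    # administered MAC, and the igb0/igc7 slip described in the thread.
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("ca.pem", 0o644), ("client.pem", 0o644), ("private.pem", 0o600)):
            open(os.path.join(d, name), "w").close()
            os.chmod(os.path.join(d, name), mode)
        hook = ("#!/bin/sh\n/sbin/ifconfig igb0 link 02:00:00:00:00:01\n"
                "env OPENSSL_CONF=%s/openssl.conf /usr/local/sbin/wpa_supplicant "
                "-Dwired -i igc7 -B -C /var/run/wpa_supplicant -c %s/wpa_supplicant.conf\n" % (d, d))
        conf = ('network={\n  ca_cert="%s/ca.pem"\n  client_cert="%s/client.pem"\n  eap=TLS\n'
                '  identity="02:00:00:00:00:01" # RG MAC\n  private_key="%s/private.pem"\n}\n'
                % (d, d, d))
        for line in check_supplicant(hook, conf) or ["OK: 04-wpa and wpa_supplicant.conf agree"]:
            print(line)
        print("bridge forwards EAPOL with mask 8:", bridge_forwards_eapol("8"))
```

Run it on the box as `python3 check_wpa.py` after pointing the demo strings at the real /usr/local/etc/rc.syshook.d/early/04-wpa and /conf/wpa/wpa_supplicant.conf; an empty problem list before rebooting saves the console-login-and-kill cycle described earlier in the thread.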

I seem to have solved my own issue. Apparently my first NIC port is defective. I finally noticed, while trying different things and plugging and unplugging, that the Ethernet data lights were not lighting up when I plugged into NIC #1. Moved everything over to another NIC and BAM, it started negotiating and working as expected in a quick test.

So I have put everything back to the previous setup, still using the RG IP passthrough for now, until I get a chance to adjust everything properly on a permanent basis.

Sometimes it is the simplest of things....  :-[

Quote from: Quasmo on September 11, 2024, 08:33:46 PM
Anyone have any ideas, or how to best troubleshoot?
Instead of ./early/04-wpa try moving it to ./start/94-wpa