pfatt and 20.7 don't seem to work

Started by lrosenman, August 01, 2020, 09:02:57 AM

I have 20.1 working great with 20.1.  When I upgrade to 20.7, I don't get DHCP from ATT.

Is there something(TM) changed between the HardenedBSD releases that possibly breaks NetGraph?

I made the grave mistake of NOT having an off-machine backup of my config and had to rebuild it from scratch.

I don't want to go through this again trying to get current.

TBH, we do not patch netgraph unless we have a panic report (which we had, solved in time for 20.7).

The Beta and RC1 were available for testing, and reports were acted upon if there were FreeBSD patches that solved the issue (like the LTE panic).


Cheers,
Franco

I can confirm the same behavior.
Auto upgraded, and broke the ATT Fiber (pfatt/opnatt) functionality.

Complete reinstall, and reconfigured pfatt, with the same results.

I can see EAP traffic headed to the ONT and a DHCP request, but no reply.  I'm assuming an EAP failure.

<edit - logs>
14:22:46.441955 xx:xx:xx:xx:xx:x0 (oui Unknown) > xx:xx:xx:xx:xx:x3 (oui Unknown), ethertype EAPOL (0x888e), length 60: EAPOL start (1) v2, len 0
14:22:46.443955 00:90:d0:63:ff:01 (oui Unknown) > xx:xx:xx:xx:xx:x0 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15
14:22:59.562188 xx:xx:xx:xx:xx:x0 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, OPNsense.localdomain.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from xx:xx:xx:xx:xx:x0 (oui Unknown), length 300
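An added triage helper (not from this thread, nor from pfatt/opnatt) that classifies tcpdump -e summary lines like the ones above and reports where the EAPOL/DHCP handshake stops. The sample lines are constructed from the excerpt in the post, and the "Success (3)" text used to spot an EAP Success is an assumption about tcpdump's usual output.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump excerpt in the post above
# (same anonymised MACs); not a capture from a live link.
SAMPLE_LOG = """\
14:22:46.441955 xx:xx:xx:xx:xx:x0 (oui Unknown) > xx:xx:xx:xx:xx:x3 (oui Unknown), ethertype EAPOL (0x888e), length 60: EAPOL start (1) v2, len 0
14:22:46.443955 00:90:d0:63:ff:01 (oui Unknown) > xx:xx:xx:xx:xx:x0 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 0, p 7, ethertype EAPOL, EAP packet (0) v1, len 15
14:22:59.562188 xx:xx:xx:xx:xx:x0 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, OPNsense.localdomain.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from xx:xx:xx:xx:xx:x0 (oui Unknown), length 300
"""

# tcpdump -e summary shape: "<ts> <src> (oui ..) > <dst>[ (oui ..)], <rest>"
LINE_RE = re.compile(r"^(\S+) (\S+) \(oui [^)]*\) > (\S+)(?: \(oui [^)]*\))?, (.*)$")

def classify(line):
    """Return (timestamp, src, dst, kind, tagged) for one summary line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    if "EAPOL start" in rest:
        kind = "eapol_start"
    elif "Success (3)" in rest:          # assumed: how tcpdump prints EAP Success
        kind = "eap_success"
    elif "EAP packet" in rest:
        kind = "eap"
    elif "BOOTP/DHCP, Request" in rest:
        kind = "dhcp_request"
    elif "BOOTP/DHCP, Reply" in rest:
        kind = "dhcp_reply"
    else:
        kind = "other"
    return ts, src, dst, kind, "ethertype 802.1Q" in rest

def triage(log_text, our_mac):
    """Count events by kind and direction, then say where the handshake stops."""
    counts, findings = Counter(), []
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        _, src, _, kind, tagged = ev
        direction = "out" if src == our_mac else "in"
        counts[f"{kind}_{direction}"] += 1
        if kind == "eap" and direction == "in" and tagged:
            counts["eap_in_tagged"] += 1
    if counts["eapol_start_out"] and not counts["eap_in"]:
        findings.append("EAPOL start sent but nothing came back from the ONT side")
    if counts["eap_in"] and not counts["eap_success_in"]:
        findings.append("EAP exchange started but no EAP Success seen: 802.1X incomplete")
    if counts["eap_in_tagged"]:
        findings.append("inbound EAP is 802.1Q priority-tagged (vlan 0), so the bridge must pass tagged EAPOL")
    if counts["dhcp_request_out"] and not counts["dhcp_reply_in"]:
        findings.append("DHCP request sent but no reply seen: no lease offered")
    return counts, findings
```

Feed it the output of tcpdump -e -n -i <your ONT interface> to see whether the link dies at the EAP stage or only at DHCP.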

I successfully upgraded to r1 and then to release, with no issues.  I am using pfatt in traditional mode, not with eap certs, though.

What do you mean by "traditional mode"?

All I have done is set opnatt.sh as 99-opnatt.sh (after the appropriate .sh editing for the OF_INT and MAC).

What is the "traditional", so I can work backwards to figure out where my cfg is breaking?

Quote from: lrosenman on August 01, 2020, 09:02:57 AM
I have 20.1 working great with 20.1.  When I upgrade to 20.7, I don't get DHCP from ATT.

Is there something(TM) changed between the HardenedBSD releases that possibly breaks NetGraph?

I made the grave mistake of NOT having a off machine backup of my config and had to rebuild it from scratch.

I don't want to go through this again trying to get current.

Are you using the original vanilla pfatt from aus or one of the many forks that now have WPA supplicant and certificates etc?

Thinking of upgrading, need to figure out how to do it without breaking my internet ...

Quote from: fraggle on August 03, 2020, 03:43:49 AM
What do you mean by "traditional mode"?

All I have done is set opnatt.sh as 99-opnatt.sh (after the appropriate .sh editing for the OF_INT and MAC).

What is the "traditional", so I can work backwards to figure out where my cfg is breaking?

The original "traditional" pfatt script from aus was forked, and now there are a couple of scripts that can use certificates from the ATT devices etc. to authenticate (so you don't even need an ATT device). I believe this is what he's referring to. It's also noteworthy that the poster said he upgraded to RC1 and then to GA. So perhaps something changed between RC1 and GA that is causing the script to fail?

Ahh.

In that case, I'm using a more "traditional" configuration:
https://github.com/MonkWho/pfatt

NetGraph bridging of 802.1x traffic.

August 03, 2020, 05:21:41 PM #8 Last Edit: August 03, 2020, 05:31:39 PM by lrosenman
Same here, using the monkwho opnatt.sh script bridging EAPOL. 
I did NOT install RC1 either.


Sorry about the delay.  Life kinda got in the way.  In any case, I meant traditional in the sense that I am not using the extracted certificates from the gateway, which I do have, to do a full bypass, i.e., ONT to OPNsense.
The only other thing I might point to is that at some point within the last upgrade the devs stopped loading the netgraph modules by default, so you have to ensure that you are adding them to your loader.conf or loader.conf.local.
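An added check for the loader.conf point above (not this thread's or pfatt's own code): it parses a loader.conf or loader.conf.local and lists which netgraph modules have no *_load="YES" entry. The module list is an assumption about what an opnatt-style EAPOL bridge needs; confirm it against the kldload calls in your copy of the script.

```python
import re

# Assumed set of netgraph modules a pfatt/opnatt-style bridge needs;
# check the script's own kldload lines before relying on this list.
NETGRAPH_MODULES = ("ng_ether", "ng_vlan", "ng_eiface", "ng_etf")

# Matches loader.conf lines such as: ng_ether_load="YES"   # optional comment
LOAD_RE = re.compile(r'^\s*([A-Za-z0-9_]+)_load\s*=\s*"?([A-Za-z]+)"?\s*(?:#.*)?$')

def enabled_loader_modules(loader_conf_text):
    """Return the set of module names whose <mod>_load is YES (commented lines ignored)."""
    enabled = set()
    for line in loader_conf_text.splitlines():
        m = LOAD_RE.match(line)
        if m and m.group(2).upper() == "YES":
            enabled.add(m.group(1))
    return enabled

def missing_netgraph_entries(loader_conf_text, modules=NETGRAPH_MODULES):
    """Modules from `modules` that the file does not load at boot, in list order."""
    enabled = enabled_loader_modules(loader_conf_text)
    return [m for m in modules if m not in enabled]

def loader_lines_for(modules):
    """The loader.conf lines that would enable the given modules."""
    return [f'{m}_load="YES"' for m in modules]

# Constructed sample: one module enabled, one explicitly off, one commented out.
SAMPLE_LOADER_CONF = """\
# constructed sample /boot/loader.conf.local
ng_ether_load="YES"
ng_vlan_load="NO"
# ng_eiface_load="YES"
"""

if __name__ == "__main__":
    for line in loader_lines_for(missing_netgraph_entries(SAMPLE_LOADER_CONF)):
        print("add to loader.conf.local:", line)
```

On the running box, kldstat -q -m ng_ether (and the other modules) tells you whether they are actually loaded right now, independent of what the file says.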

The current opnatt.sh script loads the appropriate netgraph modules.

A fresh install of 20.1.9_1 works, upgrading to 20.7 breaks the DHCP stuff (no address, no connectivity).


Quote from: mrancier on August 05, 2020, 02:00:01 AM
Sorry about the delay.  Life kinda got in the way.  In any case, I meant traditional in the sense that I am not using the extracted certificates from the gateway, which I do have, to do a full bypass, i.e., ONT to OPNsense.
The only other thing I might point to is that at some point within the last upgrade the devs stopped loading the netgraph modules by default, so you have to ensure that you are adding them to your loader.conf or loader.conf.local.

Are you using the original script by aus or the one from MonkWho or others? If you're using the original script and it is working for you, then it's just a matter of seeing why the newer ones aren't working (changed locations for files and binaries perhaps?)

In my case I'm using the new OPNatt.sh from MonkWho on 20.1 (I was using the original aus one when this started, and 20.7 broke it), and the current opnatt.sh script from MonkWho works on 20.1 and does NOT work on 20.7.

I can't afford to test 20.7 again as it breaks all my connectivity.


Quote from: harshw on August 05, 2020, 07:20:58 AM
Quote from: mrancier on August 05, 2020, 02:00:01 AM
Sorry about the delay.  Life kinda got in the way.  In any case, I meant traditional in the sense that I am not using the extracted certificates from the gateway, which I do have, to do a full bypass, i.e., ONT to OPNsense.
The only other thing I might point to is that at some point within the last upgrade the devs stopped loading the netgraph modules by default, so you have to ensure that you are adding them to your loader.conf or loader.conf.local.

Are you using the original script by aus or the one from MonkWho or others? If you're using the original script and it is working for you, then it's just a matter of seeing why the newer ones aren't working (changed locations for files and binaries perhaps?)

I am using the original script, or rather the last one I downloaded directly from aus's github before it evaporated.

Quote from: mrancier on August 05, 2020, 11:08:10 PM
Quote from: harshw on August 05, 2020, 07:20:58 AM
Quote from: mrancier on August 05, 2020, 02:00:01 AM
Sorry about the delay.  Life kinda got in the way.  In any case, I meant traditional in the sense that I am not using the extracted certificates from the gateway, which I do have, to do a full bypass, i.e., ONT to OPNsense.
The only other thing I might point to is that at some point within the last upgrade the devs stopped loading the netgraph modules by default, so you have to ensure that you are adding them to your loader.conf or loader.conf.local.

Are you using the original script by aus or the one from MonkWho or others? If you're using the original script and it is working for you, then it's just a matter of seeing why the newer ones aren't working (changed locations for files and binaries perhaps?)

I am using the original script, or rather the last one I downloaded directly from aus's github before it evaporated.

Could you possibly provide a copy of that script so I can compare the Monkwho opnatt script and see what might be different?