pfatt and 20.7 don't seem to work

Started by lrosenman, August 01, 2020, 09:02:57 AM

Last week even my 20.1 system stopped getting DHCP from ATT, so I took the OPNatt stuff out and am NOT bypassing the RG at the moment.  If we find a way to get it to work on 20.7 (I upgraded since opnatt wasn't working anyway).

I did lose IPv6 as I can't seem to convince dhcp6c et al to get the PD from the NVG599.

I'll attach the opnatt.sh script I was running on 20.1.9 before ATT (AFAIK) broke it.

Let me know what else I can supply.

Here's the original pfatt.sh script (not the newer one) if anyone wants to try this with 20.7.

As usual, you have to provide values for ONT_IF and RG_IF, and RG_ETHER_ADDR should be set to the ATT RG MAC.

#!/bin/sh
set -e

ONT_IF=
RG_IF=
RG_ETHER_ADDR=
OPNSENSE='yes'
LOG=/var/log/pfatt.log

getTimestamp(){
    date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"
}

{
    echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway for true bridge mode"
    echo "$(getTimestamp) Configuration: "
    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
    echo "$(getTimestamp)         RG_IF: $RG_IF"
    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
    echo "$(getTimestamp)      OPNSENSE: $OPNSENSE"

    echo -n "$(getTimestamp) loading netgraph kernel modules... "
    /sbin/kldload -nq ng_etf
    echo "OK!"

    if [ "${OPNSENSE}" != 'yes' ]; then
        echo -n "$(getTimestamp) attaching interfaces to ng_ether... "
        /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"
        /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');"
        echo "OK!"
    fi

    echo "$(getTimestamp) building netgraph nodes..."

    echo -n "$(getTimestamp)   creating ng_one2many... "
    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
    /usr/sbin/ngctl name $ONT_IF:lower o2m
    echo "OK!"

    echo -n "$(getTimestamp)   creating vlan node and interface... "
    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
    /usr/sbin/ngctl name o2m:many0 vlan0
    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether

    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
    /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
    echo "OK!"

    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
    /usr/sbin/ngctl name o2m:many1 waneapfilter
    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
    echo "OK!"

    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
    echo "OK!"

    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
    echo "OK!"

    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
    echo "OK!"

    echo -n "$(getTimestamp)   enabling one2many links... "
    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
    echo "OK!"

    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
    /usr/sbin/ngctl rmhook waneapfilter: nomatch
    echo "OK!"

    echo -n "$(getTimestamp) enabling $RG_IF interface... "
    /sbin/ifconfig $RG_IF up
    echo "OK!"

    echo -n "$(getTimestamp) enabling $ONT_IF interface... "
    /sbin/ifconfig $ONT_IF up
    echo "OK!"

    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
    /sbin/ifconfig $RG_IF promisc
    echo "OK!"

    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
    /sbin/ifconfig $ONT_IF promisc
    echo "OK!"

    echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"
    echo "$(getTimestamp) done!"
} >> $LOG
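
The script above runs under `set -e`, prints each step with `echo -n` before its `OK!`, and redirects only stdout to the log, so a step that fails leaves a log entry with no `OK!`, no newline and no error text. As an added example (not part of the original post or of pfatt itself), this shell function lists those unfinished steps; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: find pfatt.sh steps that were logged but never reached "OK!".
# A step that aborts under "set -e" ends in "... " with no newline, so the
# next run's first entry is glued onto the same physical line of the log.

pfatt_failed_steps() {
    # $1: path to the log (/var/log/pfatt.log in the script above)
    awk '
    {
        line = $0
        # Put every log entry back on its own line by splitting at timestamps.
        gsub(/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] :: \[pfatt\.sh\] ::/, "\n&", line)
        n = split(line, seg, "\n")
        for (i = 1; i <= n; i++) {
            s = seg[i]
            # Only "echo -n" steps end in "... " (with the trailing space).
            if (s !~ /\.\.\. $/) continue
            ts = substr(s, 1, 19)
            sub(/^.* :: \[pfatt\.sh\] :: */, "", s)
            sub(/\.\.\. $/, "", s)
            print ts " " s
        }
    }' "$1"
}

# Constructed sample log: run 1 aborts at ng_one2many, run 2 at the vlan node.
write_sample_log() {
    m=':: [pfatt.sh] ::'
    {
        printf '%s\n' "2020-08-01 09:00:00 $m loading netgraph kernel modules... OK!"
        printf '%s\n' "2020-08-01 09:00:01 $m building netgraph nodes..."
        printf '%s'   "2020-08-01 09:00:01 $m   creating ng_one2many... "
        printf '%s\n' "2020-08-01 09:05:00 $m loading netgraph kernel modules... OK!"
        printf '%s\n' "2020-08-01 09:05:00 $m building netgraph nodes..."
        printf '%s\n' "2020-08-01 09:05:01 $m   creating ng_one2many... OK!"
        printf '%s'   "2020-08-01 09:05:01 $m   creating vlan node and interface... "
    } > "$1"
}

sample=$(mktemp)
write_sample_log "$sample"
pfatt_failed_steps "$sample"
rm -f "$sample"
```

Each output line is the timestamp and name of a step that started but did not finish; the `ngctl` or `ifconfig` command that follows that `echo -n` in the script is the one to rerun by hand to see its error.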

For what it's worth, I just upgraded to 20.7, and I still seem to be able to get DHCP from ATT using the traditional bypass. I've compared my pfatt.sh to opnatt.sh and they're mostly identical.

I do have a few extra parameters on the ifconfigs to make the interfaces promiscuous, but I wouldn't have thought that they should matter:
/sbin/ifconfig $RG_IF promisc -tso4 -tso6 -vlanhwtso
/sbin/ifconfig $ONT_IF promisc -tso4 -tso6 -vlanhwtso



A quick addition: one thing that broke for me recently on reboot was IPS. I was able to get IPS running some time ago, but after a power outage a week ago, my system would no longer maintain connectivity. It would come up just fine, but lose connectivity after a short time (less than a minute). I think that the netmap configuration for IPS somehow conflicts with the netgraph configuration for the bypass. Turning off intrusion detection fixed the problem. I haven't looked for a solution to have both work.

Quote from: cwied on August 22, 2020, 08:30:26 PM
For what it's worth, I just upgraded to 20.7, and I still seem to be able to get DHCP from ATT using the traditional bypass. I've compared my pfatt.sh to opnatt.sh and they're mostly identical.

I do have a few extra parameters on the ifconfigs to make the interfaces promiscuous, but I wouldn't have thought that they should matter:
/sbin/ifconfig $RG_IF promisc -tso4 -tso6 -vlanhwtso
/sbin/ifconfig $ONT_IF promisc -tso4 -tso6 -vlanhwtso


The original script also has promiscuous mode enabled on the RG and ONT:

    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
    /sbin/ifconfig $RG_IF promisc
    echo "OK!"

    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
    /sbin/ifconfig $ONT_IF promisc
    echo "OK!"


The only additional parameters are for TSO. The -tso4/-tso6 flags disable TSO for IPv4 and IPv6, and -vlanhwtso disables TSO on VLAN. That really shouldn't affect anything ...


Has anyone that had their setup break with the update been able to confirm a workaround or cause for this?

I just upgraded from 20.1 to 20.7.

I'm using the original pfatt.sh from aus. So far, so good. I don't know if that's because I'm already authed, but I haven't had any troubles yet. If the internet is still up tomorrow, I can assume it works fine?

Everything came up, the interfaces remain the same, I have IPv4, but not IPv6. Hopefully that's not the start of something bad...