Everything working but blinking red light?

[pedronavf]

Thanks for all the work on this! I got everything working ok but the Residential Gateway never gets a solid green light, it goes from blinking green to blinking red.

Looking at the tcpdump of the RG_IF it looks like the RG keeps waiting to receive the DHCP response, but the WAN interface did get it. Is this how it's supposed to work? My fear is that I think it might be working but the IP is cached and everything will break hours/days later when the RG wants to renew the certificate.

[maxfield-allison]

Mine has done the same thing. It's because the RG can't finalize the connection. If you ever need a new lease on your firewall, It will still allow the handshake through so you won't have to worry about it.

[pedronavf]

Ah, ok. Thanks for the info! I spent the whole day tweaking the configuration trying to get rid of the blinking red light without actually trying to see if I had internet access! :)

[AndrewReaganM]

I have experienced the same thing. The RG never actually gets an internet connection, so it will just forever think that the internet isn't working.

[mwpastore]

A related issue is that the RG will never receive any firmware updates, new certificates, etc. from AT&T because it doesn't think it has an internet connection. I will probably continue connecting the RG directly to the ONT for a few minutes every few months for this reason. (I just switched over from the VLAN flop solution.)

[MonkWho]

On the note of the "issue" itself. When I was was running in the bridged mode I'm pretty sure my RG would sometimes think it's fine and show green lights and sometimes it was stuck with red blinking. Either way internet was up and running. So when implementing bridged mode don't use the lights on RG as indicator. Run the scripts and test your actual connection to see if it's working.

And a reply to @mwpastore post: If you are using a bridged mode then your RG doesn't need any updates or new certs. It's just sitting there making sure auth happens. And if you are using supplicant mode then your RG is disconnected and sitting in a drawer somewhere. Either way currently there is no need for firmware updates or new certs.

[mwpastore]

@MonkWho Certs expire, signing authorities change, vulns get patched, protocols and cipher suites come and go. It's not unfathomable that something "important" could get pushed down via firmware update, with out-of-date units eventually being unable to authenticate. That's just my thinking—and why I periodically connect mine directly to the ONT and let it pull down the latest firmware—but you're the expert!

[MonkWho]

@mwpastore The whole point of this bypass is to eliminate RG and not have any traffic go through it. Bridged mode keeps it online for the auth purposes only and drops all other transfers while supplicant mode allows us to disconnect RG completely since we have the necessary certs extracted. So while your points are valid I personally don't see a reason to connect RG to the network. There is no additional security or efficiency to be gained from it. One day AT&T will break this bypass but we will burn that bridge when we come to it.

And I'm far from an expert. I'm just another schmuck on the internet trying to get by.

[pedronavf]

When I set up bridge mode I got confused, even though I was seeing packets going out when doing the tcpdump, because the light started green and then switched to red. I fought for hours to get a green light without even trying if the internet connection was working :)

I took the light to mean "succesful authentication" rather than "internet access available". I'll take a shot at configuring the supplicant mode next.

[noelhibbard]

@mwpastore The whole point of this bypass is to eliminate RG and not have any traffic go through it. Bridged mode keeps it online for the auth purposes only and drops all other transfers while supplicant mode allows us to disconnect RG completely since we have the necessary certs extracted. So while your points are valid I personally don't see a reason to connect RG to the network. There is no additional security or efficiency to be gained from it. One day AT&T will break this bypass but we will burn that bridge when we come to it.

And I'm far from an expert. I'm just another schmuck on the internet trying to get by.

True only auth packets go through the RG but if the RG is never actually on the internet to have it's certs renewed then it will eventually fail to auth. I was reading about people extracting certs from their modems and the expiration dates ranged from 2021 to 2035. I doubt we will still have the same hardware in 2035 but if we have a cert that expires this year it will be an issue. I'm thinking about going back to my old method of programatically swapping ports on my VLAN switch where I can schedule it to put the RG on the internet for an hour once a month in the middle of the night.

[mwpastore]

@noelhibbard I wonder if we can do some additional configuration to trick the RG into thinking it's fully online... perhaps as simple as allowing it to obtain an IP address via DHCP and connect to the Internet via NAT?

[noelhibbard]

@noelhibbard I wonder if we can do some additional configuration to trick the RG into thinking it's fully online... perhaps as simple as allowing it to obtain an IP address via DHCP and connect to the Internet via NAT?

It has the same MAC as the pfSense WAN adapter so it would theoretically get the same IP. Not sure how that would work.

I need to dig deeper into netgraph and figure out how to at least schedule it to put the RG fully online for an hour once per month. Not optimal but not terrible.

[mwpastore]

It has the same MAC as the pfSense WAN adapter so it would theoretically get the same IP. Not sure how that would work.

Well, I'm thinking about running a DHCP server on the main router to hand out a local address, but I don't know if the RG would accept a private IPv4 address, and I also don't know how Linux will feel about getting a DHCPOFFER broadcast from a MAC address that's also associated with a local interface.