MonkWho / pfatt

Enable true bridge mode for AT&T U-Verse and pfSense (this is a fork of an original repository https://github.com/aus/pfatt. Since it is not available anymore, I'll do my best to maintain a copy for people that still need a bypass)

pfSense 2.4.5-p1, supplicant mode 1) failing to authorize, and 2) script is blocking system bootup **FIXED** #43

Closed Aerowinder closed 3 years ago

Aerowinder commented 3 years ago

Greetings,

Using certs I pulled from my BGW210-700, pfSense would not authenticate the WAN connection. The certs work fine in MikroTik's RouterOS, so it's an issue with the script. Also, if you fail to authenticate, pfSense gets stuck in the loop waiting for authentication. Console access is necessary to terminate the script. I've fixed both issues. My installs were tested on bare metal SG-2440 and Protectli Vault 6P.

```sh
/usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
/sbin/ifconfig $ONT_IF ether $EAP_SUPPLICANT_IDENTITY
/sbin/ifconfig $ONT_IF up
/sbin/ifconfig $ONT_IF promisc
```

I added changing the MAC of the ONT_IF connection (physical WAN port) to the one associated with the certificates. I think I still had to spoof the WAN MAC with the pfSense webconfigurator, unsure why.

```sh
WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"
```

Authenticate against ONT_IF, not ngeth0.


Failed authentication keeps system from booting fix:

```sh
i=1
# five attempts: i runs 1..5 (the original "-eq 5" stopped after the fourth)
until [ "$i" -gt "5" ]
do
  sleep 5
  WPA_STATUS=$(eval ${WPA_STATUS_CMD})
  if [ X"${WPA_STATUS}" = X"Authorized" ]; then
    /usr/bin/logger -st "pfatt" "EAP authorization completed..."

    IP_STATUS=$(eval ${IP_STATUS_CMD})

    if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ]; then
      /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
      RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
      IP_STATUS=$(eval ${IP_STATUS_CMD})
    fi
    /usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
    /usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
    break
  else
    /usr/bin/logger -st "pfatt" "no authentication, retrying ${i}/5..."
    i=$((i+1))
  fi
done
```

I switched from a never-ending while loop to an until loop with a counter. If you fail to authenticate, the loop will still terminate, allowing the system to boot, albeit without a WAN connection. The way the script was written is a serious pain if you don't have a console connection.
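
The bounded-wait pattern above, written as an added example (not code from this thread or from pfatt.sh) in the form of a reusable function: it takes the attempt limit and the status command as parameters, returns an exit status instead of blocking forever, and is exercised here with constructed stub status commands so both the success and give-up paths run without an ONT attached. The STATUS_CMD argument is assumed to print the supplicant state exactly as pfatt.sh's WPA_STATUS_CMD does.

```sh
#!/bin/sh
# Added example: bounded wait for the wired supplicant to report "Authorized",
# so a failed EAP exchange on the boot path cannot hang the system.
# Usage: wait_for_eap_auth MAX_ATTEMPTS DELAY_SECONDS STATUS_CMD
# Returns 0 once STATUS_CMD prints "Authorized", 1 when attempts are exhausted.
log() { logger -st "pfatt" "$*" 2>/dev/null || echo "pfatt: $*" >&2; }

wait_for_eap_auth() {
    max_attempts="$1"; delay="$2"; status_cmd="$3"
    attempt=1
    while [ "$attempt" -le "$max_attempts" ]; do
        status=$(eval "$status_cmd" 2>/dev/null)
        if [ "X$status" = "XAuthorized" ]; then
            log "EAP authorization completed after ${attempt} attempt(s)"
            return 0
        fi
        log "no authentication, retrying ${attempt}/${max_attempts}..."
        attempt=$((attempt + 1))
        sleep "$delay"
    done
    # Give up but let boot continue; the caller decides whether to try DHCP.
    log "EAP authorization failed after ${max_attempts} attempts; continuing boot without WAN"
    return 1
}

# Constructed stand-ins for STATUS_CMD (not real supplicant queries):
# always authorized, never authorized, and authorized on the third poll.
stub_authorized() { echo "Authorized"; }
stub_never() { echo "Connecting"; }
STUB_FILE=$(mktemp)
stub_eventually() {
    n=$(cat "$STUB_FILE" 2>/dev/null || echo 0)
    n=$((n + 1)); echo "$n" > "$STUB_FILE"
    if [ "$n" -ge 3 ]; then echo "Authorized"; else echo "Connecting"; fi
}
```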

xkraz commented 3 years ago

Can you post a pastebin of your pfatt.sh? I am getting authorized but not able to grab an IP.

Aerowinder commented 3 years ago

For 2.4.5: https://pastebin.com/pQeBgPsV

Be sure to set your WAN NIC and EAP identity in the script. Be advised that this script moves some things around. File names are changed, etc. Look through the script to determine the changes. Then, in pfSense, set your WAN interface to ngeth0. Then, in the WAN interface config (ngeth0), spoof the MAC address to your EAP identity, then reboot.

xkraz commented 3 years ago

Thank you very much. Now, I do have one more question if you do not mind. My assigned gateway MAC is different from my EAP MAC because my certs are from another router. Do I set the ngeth0 MAC address to the assigned gateway MAC that AT&T gave me and set the EAP MAC to the MAC that I pulled the certs from?

Aerowinder commented 3 years ago

Your AT&T assigned gateway is irrelevant. The only thing that matters is the MAC of your keys.

xkraz commented 3 years ago

Up and running. Thank you very much.