MonkWho / pfatt

Enable true bridge mode for AT&T U-Verse and pfSense (this is a fork of an original repository https://github.com/aus/pfatt. Since it is not available anymore, I'll do my best to maintain a copy for people that still need a bypass)

OPNsense 22.7 #77

Closed owenthewizard closed 1 year ago

owenthewizard commented 1 year ago

I'm happy to report that the supplicant method is working for me on 22.7 :).

tman785 commented 1 year ago

Have you tried on the non-supplicant method?

Edit: I have the non-supplicant method working on 22.7.2

matthewshammond commented 1 year ago

I am running OPNsense 22.7.2-amd64 | FreeBSD 13.1-RELEASE-p1 on a Protectli VP2410 – 4 Port Intel J4125 and have an ATT BGW-320.

I have followed the instructions for pfatt (using openatt.sh) and followed the additional instructions for OPNsense.

I connected the ONT to a TP-Link MC220L | Gigabit SFP to RJ45 Fiber Media Converter in order to plug ethernet into the Protectli. I then connected ethernet from the Protectli to the SFP port on the BGW-320.

I enabled the new port via 'Interfaces' in the OPNsense web GUI. I had no internet. Below is the output of my pfatt.log:

```text
2022-08-22 12:19:01 :: [pfatt.sh] :: pfSense + AT&T U-verse Residential Gateway for true bridge mode
2022-08-22 12:19:01 :: [pfatt.sh] :: Configuration:
2022-08-22 12:19:01 :: [pfatt.sh] ::        ONT_IF: igb1
2022-08-22 12:19:01 :: [pfatt.sh] ::         RG_IF: igb2
2022-08-22 12:19:01 :: [pfatt.sh] :: RG_ETHER_ADDR: xx:xx:xx:xx:xx:x (THE REAL MAC WAS HERE - I XX FOR POST)
2022-08-22 12:19:01 :: [pfatt.sh] :: loading netgraph kernel modules... OK!
2022-08-22 12:19:01 :: [pfatt.sh] :: building netgraph nodes...
2022-08-22 12:19:01 :: [pfatt.sh] ::   creating ng_one2many... OK!
2022-08-22 12:19:01 :: [pfatt.sh] ::   creating vlan node and interface... OK!
2022-08-22 12:19:01 :: [pfatt.sh] ::   defining etf for igb1 (ONT)... OK!
2022-08-22 12:19:01 :: [pfatt.sh] ::   defining etf for igb2 (RG)... OK!
2022-08-22 12:19:01 :: [pfatt.sh] ::   bridging etf for igb1 <-> igb2... OK!
2022-08-22 12:19:01 :: [pfatt.sh] ::   defining filters for EAP traffic... OK!
2022-08-22 12:19:01 :: [pfatt.sh] ::   enabling one2many links... OK!
2022-08-22 12:19:01 :: [pfatt.sh] ::   removing waneapfilter:nomatch hook... OK!
2022-08-22 12:19:01 :: [pfatt.sh] :: enabling igb2 interface... OK!
2022-08-22 12:19:01 :: [pfatt.sh] :: enabling igb1 interface... OK!
2022-08-22 12:19:01 :: [pfatt.sh] :: enabling promiscuous mode on igb2... OK!
2022-08-22 12:19:01 :: [pfatt.sh] :: enabling promiscuous mode on igb1... OK!
2022-08-22 12:19:01 :: [pfatt.sh] :: ngeth0 should now be available to configure as your pfSense WAN
2022-08-22 12:19:01 :: [pfatt.sh] :: done!
```

ChromoX commented 1 year ago

On OPNsense 22.7.4 I couldn't get DHCP (bypass) to work on the ONT_IF. It would just send Discovers properly (vlan0) constantly, but never get a response.

Looks exactly like https://github.com/MonkWho/pfatt/issues/17#issuecomment-667598242

I did have it working on version 22.7_4.

KNOXDEV commented 1 year ago

> On OPNsense 22.7.4 I couldn't get DHCP (bypass) to work on the ONT_IF. It would just send Discovers properly (vlan0) constantly, but never get a response.

Running into this exact issue: EAP exchange works fine and then I never hear from ATT again. Fresh install.

The DHCP requests I'm sending on ONT that get no response:

09:00:14.983358 b0:5d:d4:1d:8c:71 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, larry.knx.local.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b0:5d:d4:1d:8c:71 (oui Unknown), length 300

The (assumed correct) DHCP requests the ATT residential gateway is sending to opnsense:

08:55:01.820664 b0:5d:d4:1d:8c:71 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 420: vlan 0, p 3, ethertype IPv4, larry.knx.local.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b0:5d:d4:1d:8c:71 (oui Unknown), length 374

They seem indistinguishable in tcpdump, but without doing a packet dump, I wonder why the ATT one is larger?...

Edit: I tried again and it worked first time...survived Residential Gateway and Opnsense reboots too. Sanity checking my cables and monitoring closely.

lnxsrt commented 1 year ago

Okay, I figured out how to make pfatt work again with 22.7.4. You have to create an interface for your ONT_IF. I called mine PHYWAN. See the picture below.

[screenshot: interface assignment for PHYWAN]

Then you have to override the Hardware settings for PHYWAN as follows, specifically the VLAN Filtering. "Leave default" makes no changes from what we set in the pfatt.sh script. Your pfatt.sh script should already disable vlanhwtag and vlanhwfilter.

[screenshot: hardware settings override for PHYWAN]

ChromoX commented 1 year ago

Thanks @lnxsrt, this helped.

I also needed to check the Promiscuous mode setting on the PHYWAN as well.

Seems to be working now.
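lnxsrt's and ChromoX's fixes both come down to the effective state of the ONT interface: VLAN hardware tagging off, VLAN hardware filtering off, promiscuous mode on. Added example, not part of pfatt.sh: a POSIX shell check that reads `ifconfig <ONT_IF>` output from stdin and reports which of those three settings is wrong; the two ifconfig samples below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from pfatt.sh. On the firewall run: ifconfig igb1 | check_ont_if
# The two samples are constructed to look like FreeBSD ifconfig output.

SAMPLE_BAD='igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,NETMAP>
    ether 00:00:00:00:00:01
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'

SAMPLE_GOOD='igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e5073b<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,NETMAP>
    ether 00:00:00:00:00:01
    status: active'

# has_word LIST WORD: true if WORD is one of the comma-separated names in LIST
has_word() { case ",$1," in *",$2,"*) return 0;; *) return 1;; esac; }

# check_ont_if: ifconfig output on stdin; prints one verdict per setting and
# returns 0 only when all three match what the bypass needs.
check_ont_if() {
    out=$(cat)
    flags=$(printf '%s\n' "$out" | sed -n 's/.*flags=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | head -n 1)
    opts=$(printf '%s\n' "$out" | sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | head -n 1)
    rc=0
    if has_word "$opts" VLAN_HWTAGGING; then
        echo "vlanhwtag: ON  -> run: ifconfig <if> -vlanhwtag"; rc=1
    else echo "vlanhwtag: off (ok)"; fi
    if has_word "$opts" VLAN_HWFILTER; then
        echo "vlanhwfilter: ON  -> run: ifconfig <if> -vlanhwfilter"; rc=1
    else echo "vlanhwfilter: off (ok)"; fi
    if has_word "$flags" PROMISC; then echo "promisc: on (ok)"
    else echo "promisc: OFF -> run: ifconfig <if> promisc"; rc=1; fi
    return $rc
}

for s in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    printf '%s\n' "$s" | check_ont_if && echo "ready for pfatt" || echo "fix before running pfatt"
    echo
done
```

Run it after the GUI override and after every OPNsense update, since the thread shows the GUI can silently re-apply the driver defaults that pfatt.sh turns off.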

tman785 commented 1 year ago

What version of the script are you all using for supplicant? I'm trying on 22.7.4 with a fresh install, and can't get it to work.

tman785 commented 1 year ago

> > On OPNsense 22.7.4 I couldn't get DHCP (bypass) to work on the ONT_IF. It would just send Discovers properly (vlan0) constantly, but never get a response.
>
> Running into this exact issue: EAP exchange works fine and then I never hear from ATT again. Fresh install.
>
> The DHCP requests I'm sending on ONT that get no response:
>
> 09:00:14.983358 b0:5d:d4:1d:8c:71 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, larry.knx.local.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b0:5d:d4:1d:8c:71 (oui Unknown), length 300
>
> The (assumed correct) DHCP requests the ATT residential gateway is sending to opnsense:
>
> 08:55:01.820664 b0:5d:d4:1d:8c:71 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 420: vlan 0, p 3, ethertype IPv4, larry.knx.local.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b0:5d:d4:1d:8c:71 (oui Unknown), length 374
>
> They seem indistinguishable in tcpdump, but without doing a packet dump, I wonder why the ATT one is larger?...
>
> Edit: I tried again and it worked first time...survived Residential Gateway and Opnsense reboots too. Sanity checking my cables and monitoring closely.

I'm seeing the same issue. EAP traffic looks good, but DHCP not so much. Did you change anything to get it to work?

I do see an ARP Request who-has for the IP I usually am assigned that's coming into opnsense.
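The two tcpdump lines in KNOXDEV's capture (re-quoted by tman785) look identical at a glance, but the one-line summary already carries the differences: the 802.1p priority (p 0 vs p 3) and the lengths. Added example, not code from pfatt: a POSIX shell parser for those summary fields, with the two captured lines from the thread embedded as sample input, that reports field by field what differs and whether the size gap sits entirely inside the DHCP message.

```shell
#!/bin/sh
# Added example, not part of pfatt. Sample lines copied from the thread above;
# only the tcpdump 802.1Q summary format is parsed.

BYPASS='09:00:14.983358 b0:5d:d4:1d:8c:71 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 346: vlan 0, p 0, ethertype IPv4, larry.knx.local.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b0:5d:d4:1d:8c:71 (oui Unknown), length 300'
RG='08:55:01.820664 b0:5d:d4:1d:8c:71 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 420: vlan 0, p 3, ethertype IPv4, larry.knx.local.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from b0:5d:d4:1d:8c:71 (oui Unknown), length 374'

# vlan_fields LINE -> "vlan=<id> pcp=<prio> frame=<bytes> dhcp=<bytes>"
# frame = length printed after the 802.1Q ethertype, dhcp = trailing BOOTP length.
vlan_fields() {
    printf '%s\n' "$1" | sed -n \
        's/.*ethertype 802\.1Q (0x8100), length \([0-9]*\): vlan \([0-9]*\), p \([0-9]*\),.*, length \([0-9]*\)$/vlan=\2 pcp=\3 frame=\1 dhcp=\4/p'
}

# field NAME "k=v k=v ..." -> value of NAME
field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# compare_frames LINE_A LINE_B: prints each field with both values and a DIFFERS
# marker, then whether the size gap is entirely inside the DHCP payload.
compare_frames() {
    a=$(vlan_fields "$1"); b=$(vlan_fields "$2")
    [ -n "$a" ] && [ -n "$b" ] || { echo "unparsed tcpdump line"; return 2; }
    for f in vlan pcp frame dhcp; do
        va=$(field "$f" "$a"); vb=$(field "$f" "$b")
        if [ "$va" = "$vb" ]; then echo "$f: $va (same)"; else echo "$f: $va vs $vb DIFFERS"; fi
    done
    gap=$(( $(field frame "$b") - $(field frame "$a") ))
    dgap=$(( $(field dhcp "$b") - $(field dhcp "$a") ))
    if [ "$gap" -eq "$dgap" ]; then
        echo "size gap of $gap bytes is entirely in the DHCP message (its options), framing is identical"
    else
        echo "size gap $gap bytes but DHCP payload gap $dgap bytes: the headers differ too"
    fi
}

compare_frames "$BYPASS" "$RG"
```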

moriahmorgan commented 1 year ago

> I'm happy to report that the supplicant method is working for me on 22.7 :).

Do you use the supplicant_opnsense_testing branch? Just making sure.

owenthewizard commented 1 year ago

> > I'm happy to report that the supplicant method is working for me on 22.7 :).
>
> Do you use the supplicant_opnsense_testing branch? Just making sure.

I'm currently using my fork.

plsnotracking commented 1 year ago

> I am running OPNsense 22.7.2-amd64 | FreeBSD 13.1-RELEASE-p1 on a Protectli VP2410 – 4 Port Intel J4125 and have an ATT BGW-320.

@owenthewizard @matthewshammond I'm not sure if I'm reading this right. I was reading at multiple places that with ATT BGW320-500 (1G), it is now NOT possible to fully bypass the modem. How are you running your setup? Any tutorials? I have an OPNsense 22.7 amd64 J1900 running connected to the ethernet port of the ATT router, but I haven't figured out how to make it all work. Thanks.

owenthewizard commented 1 year ago

> > I am running OPNsense 22.7.2-amd64 | FreeBSD 13.1-RELEASE-p1 on a Protectli VP2410 – 4 Port Intel J4125 and have an ATT BGW-320.
>
> @owenthewizard @matthewshammond I'm not sure if I'm reading this right.
>
> I was reading at multiple places that with ATT BGW320-500 (1G), it is now NOT possible to fully bypass the modem. How are you running your setup? Any tutorials? I have an OPNsense 22.7 amd64 J1900 running connected to the ethernet port of the ATT router, but I haven't figured out how to make it all work. Thanks.

It depends whether you are in GPON or XGS-PON area. This bypass only works for GPON.

plsnotracking commented 1 year ago

GPON? If my understanding is correct, I have GPON, since the belt on top is green. Please let me know if my understanding is incorrect, thank you for helping out.

owenthewizard commented 1 year ago

@plsnotracking if you're in GPON then it shouldn't matter if you have the 320 or not. Have you tried my fork?

plsnotracking commented 1 year ago

@owenthewizard your fork did not mention the BGW300-520. I didn't give it a try owing to the prerequisites section. I can give it a try if it might work. I wasn't sure if the certs can still be extracted. Thanks.

owenthewizard commented 1 year ago

> @owenthewizard your fork did not mention the BGW300-520. I didn't give it a try owing to the prerequisites section. I can give it a try if it might work. I wasn't sure if the certs can still be extracted. Thanks.

You don't need certificates from a BGW320, any certificates will work if you're in GPON.

emopinata commented 1 year ago

> > @owenthewizard your fork did not mention the BGW300-520. I didn't give it a try owing to the prerequisites section. I can give it a try if it might work. I wasn't sure if the certs can still be extracted. Thanks.
>
> You don't need certificates from a BGW320, any certificates will work if you're in GPON.

Orly?

plsnotracking commented 1 year ago

@owenthewizard so I'm not sure what I'm doing wrong (or actually I don't know what I'm doing at all). I'll just post all the questions, in hopes someone can guide me.

1. I've connected my ATT Router to the WAN port of my OPNsense box. I'm assuming this is correct?
2. The ONT port on my router has nothing connected to it? PFA photo, is that expected?
3. The next thing that befuddles me is how to find the answer to the rest of the questions:

   ```sh
   # Interface Options
   ONT_IF="xx0"
   EAP_IDENTITY="XX:XX:XX:XX:XX:XX"
   RG_ETHER="XX:XX:XX:XX:XX:XX"

   # wpa_supplicant Options
   ca_cert="/conf/opnatt/wpa/ca.pem"
   client_cert="/conf/opnatt/wpa/client.pem"
   private_key="/conf/opnatt/wpa/private.pem"
   ```

   Which is `step 3` in your documentation. The only thing so far I've been able to answer is `RG_ETHER` because that's available on the router's page.
4. The internet on my OPNsense box isn't working even though it's directly connected to the ATT router. The OPNsense box was factory reset and is running 22.7, I can ssh onto it, but it has no internet. Haven't made any changes so far. What am I missing here?
5. It doesn't have `bash` to run the script, but if I solve 4, I can fix that problem. Just thought I'd mention.

Thanks and sorry for the monologue, just wanted to feed all the information I had.

owenthewizard commented 1 year ago

@plsnotracking I don't have time to go in-depth at this exact moment but using certificates you don't use the BGW210/BGW300 at all. You connect the ONT directly to your *sense WAN port. wpa_cli does the auth, netgraph does the VLAN nonsense. You can also use certain switches to do the VLAN stuff instead of netgraph (#82).

owenthewizard commented 1 year ago

@plsnotracking Did you get your setup to work?

plsnotracking commented 1 year ago

@owenthewizard I never did, I tried a bunch of it, but couldn't really get it to work, so I just connected my devices with a double NAT. Honestly, I also didn't spend much of my time, thinking I'm pretty much illiterate in terms of doing anything network related. Do you have a few minutes to help me out? Thanks.

owenthewizard commented 1 year ago

@plsnotracking Do you have certificates?

plsnotracking commented 1 year ago

@owenthewizard nope, the only thing I've set up so far is an instance of OPNsense on a J1425 box, and the ATT Fiber, then connected the ONT on the router -> WAN port on the OPNsense box, OPNsense box LAN to an unmanaged switch, switch to the rest. Any clue on how to acquire certs? Thanks.

owenthewizard commented 1 year ago

@plsnotracking https://github.com/owenthewizard/opnatt/blob/supplicant/README.md#prerequisites Has some resources on extracting certificates.

I'm closing this issue as it's confirmed pfatt works on OPNsense 22.7 and how-to is out of scope for this issue. Further discussion regarding my fork specifically should take place there as a Discussion or Issue. For general how-to or other issues feel free to reach out to me via the email address on my GitHub profile.

owenthewizard commented 1 year ago

For anyone that comes across this: I forgot that if you have the BGW320 you don't have a separate ONT and thus can't use pfatt/opnatt to bypass.