MonkWho / pfatt

Enable true bridge mode for AT&T U-Verse and pfSense (this is a fork of the original repository https://github.com/aus/pfatt; since that one is no longer available, I'll do my best to maintain a copy for people who still need a bypass)

Use *sense without netgraph #82

Closed gpz1100 closed 1 year ago

gpz1100 commented 1 year ago

Someone over on the Discord channel mentioned they were able to get OPNsense 23 to work without using netgraph at all.

wpa_supplicant is still required, but the only change is flagging the WAN port with vlanpcp 7. No promisc, no -vlanhwfilter, etc.

ifconfig igb0 vlanpcp 7

I could not replicate this. In testing, EAPOL traffic was coming in as 0x888e from the ONT. A logon command from wpa_cli would leave as 0x8100 from the WAN interface.

It was then suggested to use a smart switch with port-based VLANs. That is, configure two unused ports on a separate untagged VLAN, similar to the old-school dumb-switch method.

I first tested with a dumb switch (DGS-1005) just to see if it would strip the VLAN 0 tags, with no success. Same issue as above.

Then used a managed switch. Looks like this on a D-Link DGS-1100-08 (configuration screenshots omitted):

A comparable configuration on a Netgear GS308T did NOT work. There was no traffic passed, as the switch completely ignored the inbound VLAN 0 tagging from the ONT.

On the D-Link, however, this was successful. tcpdump showed no VLAN or priority tags on the WAN interface. wpa_supplicant worked flawlessly without netgraph, as did DHCP. It would appear the D-Link switch successfully stripped the VLAN 0 tags.

All EAPOL traffic contained 0x888e for the EtherType in both directions. Success present in both OPNsense 23.1.5.x and pfSense Plus 23.01. I did not test older versions.


I expect other switches to work as well, but it matters what the default behavior is with VLAN 0 packets. Does it ignore the traffic entirely (Netgear GS308T), or does it treat it as native VLAN and allow it to pass (D-Link DGS-1100-08)?


20230408 - D-Link DGS-1100-08, HW B1, FW 1.00.b031, per above
20230412 - D-Link DGS-1100-05v2, HW A1, FW 1.00.003, confirmed working per @topsecretsauce
20230413 - TP-Link TL-SG108E, HW v5.0, FW 1.0.0 Build 20191021 Rel.53360, per @owenthewizard
20230414 - D-Link DGS-1210-10, HW F1, FW 6.31.002, per me
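The comment above is checking, with tcpdump, whether the frames on the WAN interface carry an 802.1Q tag with VLAN ID 0 (a "priority tag", TPID 0x8100) around the EAPOL EtherType 0x888e, and whether the switch in between removes that tag. The following is an added example, not code from the pfatt project or from anyone in this thread: a small frame parser that classifies a frame the way the tcpdump output is read here, strips the tag the way the working switches do, and, for the firewall side, inserts a VLAN 0 tag with a chosen PCP, which is what the `vlanpcp` interface setting does on egress. The MAC addresses, the EAPOL body, and the function names are constructed for illustration; no real capture is used.

```python
"""Added example: inspect, strip and add 802.1Q priority tags (VLAN 0) around EAPOL.

Not part of the pfatt project. Sample frames below are constructed, not captured.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_EAPOL = 0x888E  # 802.1X / EAPOL
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header and at most one 802.1Q tag.

    Returns dst, src, whether a tag is present, its PCP and VID, the inner
    EtherType and the payload after the (untagged or tagged) header.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "tagged": False, "pcp": None, "vid": None}
    offset = 14
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = etype
    info["payload"] = frame[offset:]
    return info


def is_priority_tagged(frame: bytes) -> bool:
    """True when the frame carries an 802.1Q tag whose VLAN ID is 0."""
    p = parse_frame(frame)
    return p["tagged"] and p["vid"] == 0


def strip_vlan_tag(frame: bytes) -> bytes:
    """Remove a single 802.1Q tag (TPID + TCI, 4 bytes after the source MAC).

    This is the transformation the D-Link/TP-Link switches in the thread perform.
    """
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[16:]


def add_priority_tag(frame: bytes, pcp: int) -> bytes:
    """Insert a VLAN 0 tag with the given PCP into an untagged frame.

    This mirrors what `ifconfig <wan> vlanpcp N` does to frames leaving the WAN.
    """
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | 0  # VID 0: priority tag only, no VLAN membership
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def describe(frame: bytes) -> str:
    """One-line, tcpdump-like summary: optional 'vlan V p P', then the EtherType."""
    p = parse_frame(frame)
    tag = f"vlan {p['vid']} p {p['pcp']} " if p["tagged"] else ""
    name = {ETHERTYPE_EAPOL: "EAPOL", ETHERTYPE_IPV4: "IPv4"}.get(p["ethertype"], "other")
    return f"{tag}ethertype 0x{p['ethertype']:04x} ({name})"


# Constructed sample frames (MACs and EAPOL body are made up for the example).
PAE_GROUP = bytes.fromhex("0180c2000003")       # 802.1X PAE group address
ONT_MAC = bytes.fromhex("001122334455")         # hypothetical ONT MAC
RG_MAC = bytes.fromhex("66778899aabb")          # hypothetical gateway MAC
EAPOL_START = bytes([0x02, 0x01, 0x00, 0x00])   # version 2, type 1 (EAPOL-Start), length 0

# What the ONT sends: priority-tagged (VID 0, PCP 7) EAPOL.
ONT_EAPOL_FRAME = (PAE_GROUP + ONT_MAC
                   + struct.pack("!HH", ETHERTYPE_VLAN, 7 << 13)
                   + struct.pack("!H", ETHERTYPE_EAPOL) + EAPOL_START)
# What a firewall emits with no vlanpcp set: plain 0x888e.
UNTAGGED_EAPOL_FRAME = PAE_GROUP + RG_MAC + struct.pack("!H", ETHERTYPE_EAPOL) + EAPOL_START

if __name__ == "__main__":
    for label, f in [("from ONT", ONT_EAPOL_FRAME),
                     ("after stripper switch", strip_vlan_tag(ONT_EAPOL_FRAME)),
                     ("firewall, no vlanpcp", UNTAGGED_EAPOL_FRAME),
                     ("firewall, vlanpcp 1", add_priority_tag(UNTAGGED_EAPOL_FRAME, 1))]:
        print(f"{label:24s} {describe(f)}")
```

Reading the output with the thread in mind: the ONT-side frame shows `vlan 0 p 7 ethertype 0x888e`, which is what a switch that treats VLAN 0 as "native" will forward after stripping, and what a switch that drops VLAN 0 on ingress never forwards at all. A single 802.1Q tag is all this parser handles; QinQ (0x88a8) is outside what the thread discusses.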

owenthewizard commented 1 year ago

This is really great. With enough input we could build a supported list of models.

I'm going to try with a newer model (DGS-1100-05V2) and report back.

owenthewizard commented 1 year ago

Here is the full version info for the known working DGS-1100-08 (screenshot omitted).

gpz1100 commented 1 year ago

Found this thread on reddit,

https://www.reddit.com/r/homelab/comments/mw5pmd/comment/hka2n2n/?utm_source=reddit&utm_medium=web2x&context=3

Based on the above, supposedly the TP-Link SG108E will also do it. I don't have that switch to test, but can others comment/confirm?

owenthewizard commented 1 year ago

> Based on the above, supposedly the TP-Link SG108E will also do it.

Purchased SG108E and SG105E, will test.

owenthewizard commented 1 year ago

From the Reddit thread, possibly working:

topsecretsauce commented 1 year ago

Hey everyone,

I got it to work with the D-Link DGS-1100-05V2 on firmware 1.00.003 (the only available firmware) and I essentially used the same setup as @gpz1100.

owenthewizard commented 1 year ago

> Hey everyone,
>
> I got it to work with the D-Link DGS-1100-05V2 on firmware 1.00.003 (the only available firmware) and I essentially used the same setup as @gpz1100.

Can you add the hardware version as well?

topsecretsauce commented 1 year ago

@owenthewizard revision A1 for that D-Link switch I mentioned.

owenthewizard commented 1 year ago

I can confirm that:
Device Description: TL-SG108E
Firmware Version: 1.0.0 Build 20191021 Rel.53360
Hardware Version: TL-SG108E 5.0

Works! I'm using vlanpcp 7. (Edit: vlanpcp not needed.)

Do note the hardware version: there are seven of them in existence!


gpz1100 commented 1 year ago

@owenthewizard Why do you even need PCP 7 with this method?

owenthewizard commented 1 year ago

> @owenthewizard Why do you even need PCP 7 with this method?

I just tested, and in fact you don't!

bigjohns97 commented 1 year ago

I noticed you guys are setting VLAN ID to 100, is that accurate?

EDIT: I see you are just using any VLAN ID to strip the tags from the ONT.

Has anyone tried using a UniFi switch?

topsecretsauce commented 1 year ago

> I noticed you guys are setting VLAN ID to 100, is that accurate?
>
> EDIT: I see you are just using any VLAN ID to strip the tags from the ONT.
>
> Has anyone tried using a UniFi switch?

I used VLAN 4040. The VLAN itself is arbitrary.

I haven't tried with a UniFi switch (I ran out of physical ports). The UI makes it hard to tell what's going on. It's stylized like it's doing port-based VLANs. If the incoming traffic to a client through an access port does not have a VLAN tag, then it stands a good chance of working.

bigjohns97 commented 1 year ago

I tried with a UniFi Flex Mini and it didn't work.

topsecretsauce commented 1 year ago

Try setting a port profile with the stripper VLAN as the native network. Then assign this port profile to the two ports. This is the closest thing I can see working so far.

bigjohns97 commented 1 year ago

> Try setting a port profile with the stripper VLAN as the native network. Then assign this port profile to the two ports. This is the closest thing I can see working so far.

This is what I did, didn't work.

topsecretsauce commented 1 year ago

What didn't work? Did you see any traffic from the authenticator going into the WAN port or just nothing at all?

bigjohns97 commented 1 year ago

> What didn't work? Did you see any traffic from the authenticator going into the WAN port or just nothing at all?

No EAP traffic other than the EAPOL frame sent by my wpa client.

topsecretsauce commented 1 year ago

> What didn't work? Did you see any traffic from the authenticator going into the WAN port or just nothing at all?
>
> No EAP traffic other than the EAPOL frame sent by my wpa client.

Then it's probably that it's dropping/rejecting VLAN 0 frames coming into the port. Either the USW firmware or the switch is doing it at the hardware level. Seems like that's always going to be a factor.

gpz1100 commented 1 year ago

D-Link DGS-1210-10, HW F1, FW 6.31.002 also works.

rcmcdonald91 commented 1 year ago

Hello,

pfSense Plus 23.05 includes several features that make this possible natively without netgraph:

Ability to set the VLAN 0 PCP tag and enable promiscuous mode per interface (screenshot omitted)

Ethernet (L2) filtering support (screenshot omitted)

gpz1100 commented 1 year ago

@rcmcdonald91 This thread pertains to the supplicant bypass method, not bridge. Does wpa_supplicant respond to VLAN 0 tagged traffic in 23.05 beta?

ChronicledMonocle commented 1 year ago

wpa_supplicant needs patches to support VLAN 0 tagging, as it doesn't support it right now. Being worked on.

rcmcdonald91 commented 1 year ago

Yes. wpa_supplicant needs a patch to support VLAN 0.

gpz1100 commented 1 year ago

@rcmcdonald91 Glad to help test once something is available.

5ch17 commented 1 year ago

> D-Link DGS-1210-10, HW F1, FW 6.31.002 also works.

pfSense Plus 23.05 Release fails to get a WAN address via DHCP (EAP is successful), tested with D-Link DGS-1100-08v2 hardware A1, FW 1.00.003. Has anyone seen/fixed this (assuming the same occurs with the other switches reported working in this thread, including DGS-1100-05v2)?

owenthewizard commented 1 year ago

> D-Link DGS-1210-10, HW F1, FW 6.31.002 also works.
>
> pfSense Plus 23.05 Release fails to get a WAN address via DHCP (EAP is successful), tested with D-Link DGS-1100-08v2 hardware A1, FW 1.00.003. Has anyone seen/fixed this (assuming the same occurs with the other switches reported working in this thread, including DGS-1100-05v2)?

Did you spoof your RG MAC on your WAN interface? I had this issue but I had just forgotten to spoof.

5ch17 commented 1 year ago

> pfSense Plus 23.05 Release fails to get a WAN address via DHCP (EAP is successful), tested with D-Link DGS-1100-08v2 hardware A1, FW 1.00.003. Has anyone seen/fixed this (assuming the same occurs with the other switches reported working in this thread, including DGS-1100-05v2)?
>
> Did you spoof your RG MAC on your WAN interface? I had this issue but I had just forgotten to spoof.

Yes, it was spoofed. Got it working with the D-Link DGS-1100-05v2 (5-port) with the same HW A1 and FW 1.00.003. It also required setting PCP (Priority Tag) to 1 on WAN, as DHCP would not work without it; inspiration from the pfSense configuration recipe here: https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html. The 8-port D-Link (DGS-1100-08v2) still did not work with the same config.

ChronicledMonocle commented 1 year ago

> pfSense Plus 23.05 Release fails to get a WAN address via DHCP (EAP is successful), tested with D-Link DGS-1100-08v2 hardware A1, FW 1.00.003. Has anyone seen/fixed this (assuming the same occurs with the other switches reported working in this thread, including DGS-1100-05v2)?
>
> Did you spoof your RG MAC on your WAN interface? I had this issue but I had just forgotten to spoof.
>
> Yes, it was spoofed. Got it working with the D-Link DGS-1100-05v2 (5-port) with the same HW A1 and FW 1.00.003. It also required setting PCP (Priority Tag) to 1 on WAN, as DHCP would not work without it; inspiration from the pfSense configuration recipe here: https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html. The 8-port D-Link (DGS-1100-08v2) still did not work with the same config.

Why do you have a switch in front of your WAN at all? Just plug the WAN directly into the ONT.

5ch17 commented 1 year ago

> Why do you have a switch in front of your WAN at all? Just plug the WAN directly into the ONT.

Had tried that before and it had not worked with wpa_supplicant (EAP failed). Will test again with PCP set and see.

5ch17 commented 1 year ago

> Yes. wpa_supplicant needs a patch to support VLAN 0.

Except it may not work without the stripper switch until wpa_supplicant is patched (https://github.com/MonkWho/pfatt/issues/82#issuecomment-1538499594).

owenthewizard commented 1 year ago

I added this table to my fork:

| Manufacturer | Model | Working | HW Version | SW Version | Notes | Updated |
|---|---|---|---|---|---|---|
| D-Link | DGS-1100-08 | Yes | B1 | 1.00.b031 | @gpz1100 | 04/08/2023 |
| D-Link | DGS-1100-05v2 | Yes | A1 | 1.00.003 | @topsecretsauce | 04/12/2023 |
| TP-Link | TL-SG108E | Yes | 5.0 | 1.0.0 Build 20191021 Rel.53360 | @owenthewizard | 04/13/2023 |
| D-Link | DGS-1210-10 | Yes | F1 | 6.31.002 | @gpz1100 | 04/14/2023 |
| Netgear | GS308T | No | | | @gpz1100 | 04/08/2023 |
| Cisco | Catalyst 3750G | | | | | |
| Mikrotik | RB4011 | | | | | |
| Ubiquiti | USW-Flex-Mini | No | | | @bigjohns97 | 04/14/2023 |

gpz1100 commented 1 year ago

I think it's safe to close this thread with the recent developments in wpa_supplicant: it now listens on VLAN 0, negating any need for switches to strip VLAN 0 tags.

https://github.com/MonkWho/pfatt/issues/83#issuecomment-1583267490

Thoughts?

owenthewizard commented 1 year ago

> I think it's safe to close this thread with the recent developments in wpa_supplicant: it now listens on VLAN 0, negating any need for switches to strip VLAN 0 tags.
>
> #83 (comment)
>
> Thoughts?

I agree.

bigjohns97 commented 1 year ago

> I think it's safe to close this thread with the recent developments in wpa_supplicant: it now listens on VLAN 0, negating any need for switches to strip VLAN 0 tags.
>
> #83 (comment)
>
> Thoughts?

I agree, no need for stripper switches with the new wpa_supplicant.