Merge pull request 'Freebsd 13' (#55) from reedmcintosh/FreeBSD-13 into master

Reviewed-on: #55
2024-10-11 18:37:10 +05:30 · 2024-10-11 18:37:10 +05:30 · 3da1ff997e
commit 3da1ff997e
parent 7e30f3e353 6f8f36c984
15 changed files with 814 additions and 2 deletions
--- a/FreeBSD/backup.sh
+++ b/FreeBSD/backup.sh
@ -0,0 +1,14 @@
+#!/bin/csh
+#Script to grab all relevant configuration files and installed packages, and back it up to github
+/usr/sbin/pkg prime-origins > /root/fw/pkg_prime-origins
+
+foreach i ( "/boot/loader.conf" "/etc/pf.conf" "/etc/rc.conf" "/etc/start_if.eth0" "/usr/local/etc/dhcpd.conf" "/usr/local/etc/namedb/named.conf" "/usr/local/etc/namedb/dynamic/example.com.db" "/var/cron/tabs/root" "/usr/local/etc/dhcp6c.conf" "/etc/rtadvd.conf" "/usr/local/etc/dhcpd6.conf" "/etc/dhclient.conf" )
+	echo "Backing up "$i
+	/bin/cp $i /root/fw$i
+end
+
+echo "git push"
+cd /root/fw/
+/usr/local/bin/git add .
+/usr/local/bin/git commit -S -m "nightly backup"
+/usr/local/bin/git push -u origin main
--- a/FreeBSD/boot/loader.conf
+++ b/FreeBSD/boot/loader.conf
@ -0,0 +1,6 @@
+netgraph_load="YES"
+ng_ether_load="YES"
+ng_etf_load="YES"
+ng_vlan_load="YES"
+ng_eiface_load="YES"
+ng_one2many_load="YES"
--- a/FreeBSD/etc/dhclient.conf
+++ b/FreeBSD/etc/dhclient.conf
@ -0,0 +1,10 @@
+# $FreeBSD$
+#
+#	This file is required by the ISC DHCP client.
+#	See ``man 5 dhclient.conf'' for details.
+#
+#	In most cases an empty file is sufficient for most people as the
+#	defaults are usually fine.
+#
+#
+supersede domain-name-servers 127.0.0.1;
--- a/FreeBSD/etc/pf.conf
+++ b/FreeBSD/etc/pf.conf
@ -0,0 +1,60 @@
+wan = "ngeth0"
+lan = "xxx"
+
+#options
+set skip on lo0
+set block-policy drop
+set fingerprints "/etc/pf.os"
+set ruleset-optimization basic
+set optimization normal
+set limit { states 1624000, src-nodes 1624000, frags 5000, table-entries 400000 }
+
+
+#scrub
+scrub on $wan all random-id fragment reassemble
+scrub on $lan all random-id fragment reassemble
+
+
+#NAT
+nat on $wan inet from ($lan:network) to any -> ($wan)
+
+
+#Filter
+
+#default deny
+block drop in inet all label "Default deny rule IPv4"
+block drop out inet all label "Default deny rule IPv4"
+block drop in inet6 all label "Default deny rule IPv6"
+block drop out inet6 all label "Default deny rule IPv6"
+
+#allow dhcp/dhcpv6 client
+pass in quick on $wan proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
+pass out quick on $wan proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
+pass in quick on $wan inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass in quick on $wan proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass out quick on $wan proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
+
+#allow dhcp/dhcpv6 server
+pass in quick on $lan inet proto udp from any port = bootpc to { 255.255.255.255, ($lan), ($lan:broadcast) } port = bootps keep state label "allow access to DHCP server"
+pass out quick on $lan inet proto udp from ($lan) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
+pass quick on $lan inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass in quick on $lan inet6 proto udp from fe80::/10 to ($lan) port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass out quick on $lan inet6 proto udp from ($lan) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
+
+#icmpv6
+pass quick inet6 proto ipv6-icmp all icmp6-type { unreach, toobig, neighbrsol, neighbradv } keep state
+pass out quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+
+#allow self
+pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
+pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
+
+#allow LAN
+pass in on $lan inet all flags S/SA keep state label "Default allow LAN to any rule"
+pass in on $lan inet6 all flags S/SA keep state label "Default allow LAN to any rule"
--- a/FreeBSD/etc/rc.conf
+++ b/FreeBSD/etc/rc.conf
@ -0,0 +1,44 @@
+hostname="fw"
+ifconfig_eth0=""
+ifconfig_ngeth0="DHCP"
+ifconfig_ngeth0_ipv6="inet6 accept_rtadv up"
+ipv6_cpe_wanif="ngeth0"
+ifconfig_eth2="inet 192.168.1.1 netmask 255.255.255.0"
+ifconfig_eth2_ipv6="inet6 -accept-rtadv up"
+gateway_enable="YES"
+ipv6_gateway_enable="YES"
+ipv6_activate_all_interfaces="YES"
+rtadvd_enable="YES"
+rtadvd_interfaces="eth2"
+dhcp6c_enable="YES"
+dhcp6c_interfaces="ngeth0"
+dhcpd_enable="YES"
+dhcpd_flags="-q"
+dhcpd_conf="/usr/local/etc/dhcpd.conf"
+dhcpd_ifaces="eth2"
+dhcpd_withumask="022"
+dhcpd_chuser_enable="YES"
+dhcpd_withuser="dhcpd"
+dhcpd_withgroup="dhcpd"
+dhcpd_chroot_enable="YES"
+dhcpd_devfs_enable="YES"
+dhcpd_rootdir="/var/db/dhcpd"
+dhcpd6_enable="YES"
+dhcpd6_flags="-q"
+dhcpd6_conf="/usr/local/etc/dhcpd6.conf"
+dhcpd6_ifaces="eth2"
+dhcpd6_withumask="022"
+dhcpd6_chuser_enable="YES"
+dhcpd6_withuser="dhcpd"
+dhcpd6_withgroup="dhcpd"
+dhcpd6_chroot_enable="YES"
+dhcpd6_devfs_enable="YES"
+dhcpd6_rootdir="/var/db/dhcpd"
+pf_enable="YES"
+pf_rules="/etc/pf.conf"
+pflog_enable="YES"
+pflog_logfile="/var/log/pflog"
+powerd_enable="YES"
+powerd_flags="-b hadp -n hadp -a hadp"
+ntpd_enable="YES"
+sshd_enable="YES"
--- a/FreeBSD/etc/rtadvd.conf
+++ b/FreeBSD/etc/rtadvd.conf
@ -0,0 +1,2 @@
+default:\
+	:raflags="m"::prefixlen#64:\
--- a/FreeBSD/etc/start_if.eth0
+++ b/FreeBSD/etc/start_if.eth0
@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='eth0'
+RG_IF='eth1'
+RG_ETHER_ADDR='00:11:22:33:44'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+    echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+    echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+    echo "$(getTimestamp) Configuration: "
+    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
+    echo "$(getTimestamp)         RG_IF: $RG_IF"
+    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+    echo "$(getTimestamp) building netgraph nodes..."
+
+    echo -n "$(getTimestamp)   creating ng_one2many... "
+    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+    /usr/sbin/ngctl name $ONT_IF:lower o2m
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   creating vlan node and interface... "
+    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+    /usr/sbin/ngctl name o2m:many0 vlan0
+    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+    /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
+    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+    /usr/sbin/ngctl name o2m:many1 waneapfilter
+    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
+    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
+    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
+    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   enabling one2many links... "
+    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
+    /usr/sbin/ngctl rmhook waneapfilter: nomatch
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $RG_IF interface... "
+    /sbin/ifconfig $RG_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $ONT_IF interface... "
+    /sbin/ifconfig $ONT_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+    /sbin/ifconfig $RG_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+    /sbin/ifconfig $ONT_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) set mac address on ngeth0..."
+    /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN"
+    echo "$(getTimestamp) done!"
+} >> $LOG
--- a/FreeBSD/pkg_prime-origins
+++ b/FreeBSD/pkg_prime-origins
@ -0,0 +1,6 @@
+dns/bind916
+net/dhcp6
+devel/git
+security/gnupg
+net/isc-dhcp44-server
+ports-mgmt/pkg
--- a/FreeBSD/usr/local/etc/dhcp6c.conf
+++ b/FreeBSD/usr/local/etc/dhcp6c.conf
@ -0,0 +1,12 @@
+interface ngeth0 {
+        send ia-pd 0;   # request prefix delegation
+        request domain-name-servers;
+        request domain-name;
+};
+id-assoc pd 0 {
+        prefix ::/60 infinity;
+        prefix-interface igb1 {
+                sla-id 1;
+                sla-len 4;
+        };
+};
--- a/FreeBSD/usr/local/etc/dhcpd.conf
+++ b/FreeBSD/usr/local/etc/dhcpd.conf
@ -0,0 +1,44 @@
+option domain-name "example.com";
+option ldap-server code 95 = text;
+option domain-search-list code 119 = text;
+option arch code 93 = unsigned integer 16; # RFC4578
+
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+update-conflict-detection false;
+authoritative;
+subnet 192.168.1.0 netmask 255.255.255.0 {
+        pool {
+                range 192.168.1.100 192.168.1.199;
+        }
+
+        option routers 192.168.1.1;
+        option domain-name-servers 192.168.1.1;
+        ping-check true;
+
+}
+host s_lan_0 {
+        hardware ethernet 00:11:22:33:44:55;
+        fixed-address 192.168.1.50
+        option host-name "example-host1";
+}
+host s_lan_1 {
+        hardware ethernet 66:77:88:99:aa:bb;
+        fixed-address 192.168.1.51;
+        option host-name "example-host2";
+}
+
+ddns-update-style interim;
+ddns-dual-stack-mixed-mode true;
+update-conflict-detection true;
+update-optimization false;
+deny client-updates;
+ddns-domainname "example.com.";
+ddns-hostname=pick(option fqdn.hostname, option host-name, concat("dyn-",binary-to-ascii(10,8,"-",leased-address)));
+
+zone example.com. {
+	primary 127.0.0.1;
+}
--- a/FreeBSD/usr/local/etc/dhcpd6.conf
+++ b/FreeBSD/usr/local/etc/dhcpd6.conf
@ -0,0 +1,31 @@
+option domain-name "example.com";
+option ldap-server code 95 = text;
+option domain-search-list code 119 = text;
+
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+ping-check true;
+authoritative;
+subnet6 2600:1234:5678:90ab::/64 {
+        range6 2600:1234:5678:90ab::1000 2600:1234:5678:90ab::2000;
+        do-forward-updates false;
+        option dhcp6.name-servers 2600:1234:5678:90ab::1;
+
+}
+
+ddns-update-style interim;
+ddns-dual-stack-mixed-mode true;
+update-conflict-detection true;
+update-optimization false;
+deny client-updates;
+ddns-domainname "example.com.";
+ddns-hostname=pick(option fqdn.hostname, concat("dyn-",binary-to-ascii(16,16,"-",substring(option dhcp6.ia-na, 16, 16))));
+
+zone example.com. {
+        primary 127.0.0.1;
+}
+
+
--- a/FreeBSD/usr/local/etc/namedb/named.conf
+++ b/FreeBSD/usr/local/etc/namedb/named.conf
@ -0,0 +1,385 @@
+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/local/share/doc/bind for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works.  Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
+
+options {
+	allow-query	{ any; };
+	recursion yes;
+	query-source-v6 address 2600:1234:5678:90ab::1;
+	// All file and path names are relative to the chroot directory,
+	// if any, and should be fully qualified.
+	directory	"/usr/local/etc/namedb/working";
+	pid-file	"/var/run/named/pid";
+	dump-file	"/var/dump/named_dump.db";
+	statistics-file	"/var/stats/named.stats";
+
+// If named is being used only as a local resolver, this is a safe default.
+// For named to be accessible to the network, comment this option, specify
+// the proper IP address, or delete this option.
+	#listen-on	{ 127.0.0.1; };
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver.  To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+//	listen-on-v6	{ ::1; };
+
+	listen-on-v6	{ any; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
+// If you've got a DNS server around at your upstream provider, enter
+// its IP address here, and enable the line below.  This will make you
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
+/*
+	forwarders {
+		127.0.0.1;
+	};
+*/
+
+// If the 'forwarders' clause is not empty the default is to 'forward first'
+// which will fall back to sending a query from your local server if the name
+// servers in 'forwarders' do not have the answer.  Alternatively you can
+// force your name server to never initiate queries of its own by enabling the
+// following line:
+//	forward only;
+
+// If you wish to have forwarding configured automatically based on
+// the entries in /etc/resolv.conf, uncomment the following line and
+// set named_auto_forward=yes in /etc/rc.conf.  You can also enable
+// named_auto_forward_only (the effect of which is described above).
+//	include "/usr/local/etc/namedb/auto_forward.conf";
+
+	/*
+	   Modern versions of BIND use a random UDP port for each outgoing
+	   query by default in order to dramatically reduce the possibility
+	   of cache poisoning.  All users are strongly encouraged to utilize
+	   this feature, and to configure their firewalls to accommodate it.
+
+	   AS A LAST RESORT in order to get around a restrictive firewall
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
+};
+
+zone "thundat00th.net." { type master; allow-update { 127.0.0.1; }; file "/usr/local/etc/namedb/dynamic/example.com.db"; };
+
+// If you enable a local name server, don't forget to enter 127.0.0.1
+// first in your /etc/resolv.conf so this server will be queried.
+// Also, make sure to enable it in /etc/rc.conf.
+
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
+
+/*	Slaving the following zones from the root name servers has some
+	significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+	3. Greater resilience to any potential root server failure/DDoS
+
+	On the other hand, this method requires more monitoring than the
+	hints file to be sure that an unexpected failure mode has not
+	incapacitated your server.  Name servers that are serving a lot
+	of clients will benefit more from this approach than individual
+	hosts.  Use with caution.
+
+	To use this mechanism, uncomment the entries below, and comment
+	the hint zone above.
+
+	As documented at http://dns.icann.org/services/axfr/ these zones:
+	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others
+	are available for AXFR from these servers on IPv4 and IPv6:
+	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
+*/
+/*
+zone "." {
+	type slave;
+	file "/usr/local/etc/namedb/slave/root.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "arpa" {
+	type slave;
+	file "/usr/local/etc/namedb/slave/arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "in-addr.arpa" {
+	type slave;
+	file "/usr/local/etc/namedb/slave/in-addr.arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "ip6.arpa" {
+	type slave;
+	file "/usr/local/etc/namedb/slave/ip6.arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+*/
+
+/*	Serving the following zones locally will prevent any queries
+	for these zones leaving your network and going to the root
+	name servers.  This has two significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+*/
+// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
+zone "localhost"	{ type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
+zone "127.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
+zone "255.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
+zone "0.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912, 5735 and 6303)
+zone "0.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Private Use Networks (RFCs 1918, 5735 and 6303)
+zone "10.in-addr.arpa"	   { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "28.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "30.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "31.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Shared Address Space (RFC 6598)
+zone "64.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "65.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "66.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "67.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "68.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "69.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "70.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "71.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "72.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "73.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "74.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "75.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "76.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "77.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "78.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "79.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "80.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "81.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "82.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "83.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "84.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "85.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "86.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "87.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "88.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "89.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "90.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "91.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "92.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "93.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "94.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "95.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "96.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "97.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "98.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "99.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "100.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "101.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "102.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "103.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "104.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "105.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "106.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "107.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "108.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "109.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "110.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "111.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "112.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "113.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "114.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "115.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "116.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "117.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "118.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "119.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "120.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "121.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "122.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "123.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "124.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "125.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "126.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "127.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3927, 5735 and 6303)
+zone "254.169.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IETF protocol assignments (RFCs 5735 and 5736)
+zone "0.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303)
+zone "2.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "100.51.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "113.0.203.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
+zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Router Benchmark Testing (RFCs 2544 and 5735)
+zone "18.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "19.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IANA Reserved - Old Class E Space (RFC 5735)
+zone "240.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "241.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "242.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "243.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "244.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "245.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "246.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "247.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "248.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "249.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "250.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "251.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "252.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "253.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "254.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "8.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "c.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "e.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "0.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "1.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "2.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "8.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "0.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "1.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "2.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 ULA (RFCs 4193 and 6303)
+zone "c.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Link Local (RFCs 4291 and 6303)
+zone "8.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
+zone "c.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "e.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "f.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int"		{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// NB: Do not use the IP addresses below, they are faked, and only
+// serve demonstration/documentation purposes!
+//
+// Example slave zone config entries.  It can be convenient to become
+// a slave at least for the zone your own domain is in.  Ask
+// your network administrator for the IP address of the responsible
+// master name server.
+//
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
+//
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work.  There are sometimes
+// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
+//
+// NB: Don't blindly enable the examples below. :-)  Use actual names
+// and addresses instead.
+
+/* An example dynamic zone
+key "exampleorgkey" {
+	algorithm hmac-md5;
+	secret "sf87HJqjkqh8ac87a02lla==";
+};
+zone "example.org" {
+	type master;
+	allow-update {
+		key "exampleorgkey";
+	};
+	file "/usr/local/etc/namedb/dynamic/example.org";
+};
+*/
+
+/* Example of a slave reverse zone
+zone "1.168.192.in-addr.arpa" {
+	type slave;
+	file "/usr/local/etc/namedb/slave/1.168.192.in-addr.arpa";
+	masters {
+		192.168.1.1;
+	};
+};
+*/
--- a/FreeBSD/var/cron/tabs/root
+++ b/FreeBSD/var/cron/tabs/root
@ -0,0 +1,8 @@
+# DO NOT EDIT THIS FILE - edit the master and reinstall.
+# (/tmp/crontab.q40BAzenoV installed on Sun Apr 18 22:56:27 2021)
+# (Cron version -- $FreeBSD$)
+# monthly zpool scrub
+0 2 1 * * /sbin/zpool scrub zrootmirror
+
+# nightly config backup
+0 3 * * * /root/fw/backup.sh
--- a/README.md
+++ b/README.md
@ -301,7 +301,7 @@ There is a whole thread on this at [DSLreports](http://www.dslreports.com/forum/

 However, I don't think this works for everyone. I had to explicitly tag my WAN traffic to VLAN0 which wasn't supported on my switch.

-## OPNSense / FreeBSD
+## OPNSense
 For OPNSense 20.1:
 follow the pfSense instructions, EXCEPT:
 1) use file opnatt.sh
@ -310,7 +310,23 @@ follow the pfSense instructions, EXCEPT:
 4) do *NOT* modify config.xml, nor do any of the duid stuff
 5) note: You *CAN* use IPv6 Prefix id 0, as OPNSense does *NOT* assign a routeable IPv6 address to ngeth0

-I haven't tried this with native FreeBSD, but I imagine the process is ultimately the same with netgraph. Feel free to submit a PR with notes on your experience.
+## FreeBSD (tested on 13.0-RELEASE)
+For FreeBSD:
+1) use file freeatt.sh
+2) ng_etf.ko is not needed, standard FreeBSD includes all of the required modules
+3) modules can be loaded from /boot/loader.conf, an example loader.conf with the modules listed is included (loading modules in the script should work, but lets do things "properly")
+4) put the freeatt.sh script into '/etc' and rename to `start_if.$ONT_IF` in my case the file is `/etc/start_if.igb0` this will depend on your hardware
+5) in rc.conf, add the line `ifconfig_$ONT_IF=""` this will trigger rc to run our start_if.$ONT_IF script to create the ngeth0 interface, and then do nothing else to the interface, in my case this line is `ifconfig_igb0=""` (using $RG_IF instead probably gives the same result)
+6) configure the rest of rc.conf, an example is provided with the essentials, gateway_enable, DHCP settings etc.
+7) configure pf, dhcpd, etc. to taste, generic examples provided
+
+Once you have IPv4 connectivity you're done, unless you want IPv6 as well.  The default dhclient still does not support IPv6, so:
+1) Install KAME dhcp6c 'pkg install dhcp6'
+2) Configure rc.conf with 'ipv6_cpe_wanif="ngeth0"' in addition to the other ipv6, dhcp6c, and rtadvd configuration in rc.conf, filling in with your lan interface(s)
+3) use the example configuration in `/usr/local/etc/dhcp6c.conf` to configure dhcp6c
+4) Set some inet6 rules in pf.conf and test
+
+Example configuration files are provided for bind, dhcpd, dhcpd6, rtadvd, etc. based off of a currently working dual stack router running FreeBSD 13, other versions of FreeBSD may work

 # U-verse TV

--- a/bin/freeatt.sh
+++ b/bin/freeatt.sh
@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='xx0'
+RG_IF='xx1'
+RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+    echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+    echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+    echo "$(getTimestamp) Configuration: "
+    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
+    echo "$(getTimestamp)         RG_IF: $RG_IF"
+    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+    echo "$(getTimestamp) building netgraph nodes..."
+
+    echo -n "$(getTimestamp)   creating ng_one2many... "
+    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+    /usr/sbin/ngctl name $ONT_IF:lower o2m
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   creating vlan node and interface... "
+    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+    /usr/sbin/ngctl name o2m:many0 vlan0
+    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+    /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
+    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+    /usr/sbin/ngctl name o2m:many1 waneapfilter
+    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
+    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
+    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
+    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   enabling one2many links... "
+    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
+    /usr/sbin/ngctl rmhook waneapfilter: nomatch
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $RG_IF interface... "
+    /sbin/ifconfig $RG_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $ONT_IF interface... "
+    /sbin/ifconfig $ONT_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+    /sbin/ifconfig $RG_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+    /sbin/ifconfig $ONT_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) set mac address on ngeth0..."
+    /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN"
+    echo "$(getTimestamp) done!"
+} >> $LOG