Merge pull request #13 from aus/5268AC

WIP: pfatt-5268AC.sh
2018-12-25 10:55:10 -06:00 · 2018-12-25 10:55:10 -06:00 · 509a928481
commit 509a928481
parent c97901b920 0165cc4d55
4 changed files with 167 additions and 64 deletions
--- a/README.md
+++ b/README.md
@ -104,7 +104,18 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon](
    scp bin/pfatt.sh root@pfsense:/root/bin/
    ssh root@pfsense chmod +x /root/bin/pfatt.sh
    ```
-    Now edit your `config.xml` to include `<earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd>` above `</system>`
+    Now edit your `/conf/config.xml` to include `<earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd>` above `</system>`. 
+    
+    **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268.sh` due to [issue #5](https://github.com/aus/pfatt/issues/5). The script monitors your connection and disables or enables the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Consider changing the `PING_HOST` in `pfatt-5268AC.sh` to a reliable host. Then perform these additional steps to install:
+
+    Copy `bin/pfatt-5268AC` to `/usr/local/etc/rc.d/`
+    
+    Copy `bin/pfatt-5268AC.sh` to `/root/bin/`:
+    ```
+    scp bin/pfatt-5268AC root@pfsense:/usr/local/etc/rc.d/
+    scp bin/pfatt-5268AC.sh root@pfsense:/root/bin/
+    ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC /root/bin/pfatt-5268AC.sh
+    ```

 4. Connect cables:
    - `$RG_IF` to Residential Gateway on the ONT port (not the LAN ports!)
@ -167,6 +178,10 @@ That's it! Now your clients should be receiving public IPv6 addresses via DHCP6.

 # Troubleshooting

+## Logging
+
+Output from `pfatt.sh` and `pfatt-5268AC.sh` can be found in `/var/log/pfatt.log`.
+
 ## tcpdump

 Use tcpdump to watch the authentication, vlan and dhcp bypass process (see above). Run tcpdumps on the `$ONT_IF` interface and the `$RG_IF` interface:
--- a/bin/pfatt-5268AC
+++ b/bin/pfatt-5268AC
@ -0,0 +1,50 @@
+#!/bin/sh
+
+script_path="/root/bin/pfatt-5268AC.sh"
+
+name=`/usr/bin/basename "${script_path}"`
+
+rc_start() {
+    ### Lock out other start signals until we are done
+    /usr/bin/touch /var/run/${name}.lck
+
+    ${script_path} &
+    pid=$!
+    
+    if [ $pid ]; then
+        echo $pid > /var/run/${name}.pid
+        /usr/bin/logger -p daemon.info -i -t pfattStartup "Successfully started ${name}"
+    else
+        /usr/bin/logger -p daemon.error -i -t pfattStartup "Error starting ${name}"
+    fi
+    
+    ### Remove the lock
+    if [ -f /var/run/${name}.lck ]; then
+        /bin/sleep 2
+        /bin/rm /var/run/${name}.lck
+    fi
+}
+
+rc_stop() {
+    if [ -f /var/run/${name}.pid ]; then
+        kill -9 `cat /var/run/${name}.pid`
+        /bin/rm /var/run/${name}.pid
+    fi
+}
+
+case $1 in
+    start)
+        if [ ! -f /var/run/${name}.lck ]; then
+            rc_start
+        fi
+        ;;
+    stop)
+        rc_stop
+        ;;
+    restart)
+        if [ ! -f /var/run/${name}.lck ]; then
+            rc_stop
+            rc_start
+        fi
+        ;;
+esac
--- a/bin/pfatt-5268AC.sh
+++ b/bin/pfatt-5268AC.sh
@ -0,0 +1,31 @@
+#!/bin/sh
+PING_HOST=8.8.8.8
+SLEEP=5
+LOG=/var/log/pfatt.log
+
+getTimestamp(){
+    echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt-5268AC.sh] ::"`
+}
+
+{
+    RG_CONNECTED="/usr/sbin/ngctl show laneapfilter:eapout"
+
+    echo "$(getTimestamp) Starting 5268AC ping monitor ..."
+    while
+    if /sbin/ping -t2 -q -c1 $PING_HOST > /dev/null ; then
+        if $RG_CONNECTED >/dev/null 2>&1 ; then
+        echo "$(getTimestamp) Connection to $PING_HOST is up, but EAP is being bridged!"
+        echo -n "$(getTimestamp) Disconnecting netgraph node ... "
+        /usr/sbin/ngctl rmhook laneapfilter: eapout && echo "OK!" || echo "ERROR!"
+        fi
+    else
+        if ! $RG_CONNECTED >/dev/null 2>&1 ; then
+        echo "$(getTimestamp) Connection to $PING_HOST is down, but EAP is not being bridged!"
+        echo -n "$(getTimestamp) Connecting netgraph node ... "
+        /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout  && echo "OK!" || echo "ERROR!"
+        fi
+    fi
+    sleep $SLEEP
+    do :; done 
+    echo "$(getTimestamp) Stopping 5268AC ping monitor ..."
+} >> $LOG
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
@ -3,84 +3,91 @@ set -e

 ONT_IF='em0'
 RG_IF='em1'
-RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'                     
+RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
+LOG=/var/log/pfatt.log

-echo "$0: pfSense + AT&T U-verse Residential Gateway for true bridge mode"
-echo "Configuration: "
-echo "       ONT_IF: $ONT_IF"
-echo "        RG_IF: $RG_IF"
-echo "RG_ETHER_ADDR: $RG_ETHER_ADDR"
+getTimestamp(){
+    echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"`
+}

-echo -n "loading netgraph kernel modules... "
-/sbin/kldload ng_etf
-echo "OK! (any 'already loaded' errors can be ignored)"
+{
+    echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway for true bridge mode"
+    echo "$(getTimestamp) Configuration: "
+    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
+    echo "$(getTimestamp)         RG_IF: $RG_IF"
+    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"

-echo -n "attaching interfaces to ng_ether... "
-/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');" 
-/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');"
-echo "OK!"
+    echo -n "$(getTimestamp) loading netgraph kernel modules... "
+    /sbin/kldload -nq ng_etf
+    echo "OK!"

-echo "building netgraph nodes..."
+    echo -n "$(getTimestamp) attaching interfaces to ng_ether... "
+    /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');" 
+    /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');"
+    echo "OK!"

-echo -n "  creating ng_one2many... "
-/usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
-/usr/sbin/ngctl name $ONT_IF:lower o2m
-echo "OK!"
+    echo "$(getTimestamp) building netgraph nodes..."

-echo -n "  creating vlan node and interface... "
-/usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
-/usr/sbin/ngctl name o2m:many0 vlan0
-/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+    echo -n "$(getTimestamp)   creating ng_one2many... "
+    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+    /usr/sbin/ngctl name $ONT_IF:lower o2m
+    echo "OK!"

-/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
-/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
-echo "OK!"
+    echo -n "$(getTimestamp)   creating vlan node and interface... "
+    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+    /usr/sbin/ngctl name o2m:many0 vlan0
+    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether

-echo -n "  defining etf for $ONT_IF (ONT)... "
-/usr/sbin/ngctl mkpeer o2m: etf many1 downstream
-/usr/sbin/ngctl name o2m:many1 waneapfilter
-/usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
-echo "OK!"
+    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+    /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+    echo "OK!"

-echo -n "  defining etf for $RG_IF (RG)... "
-/usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
-/usr/sbin/ngctl name $RG_IF:lower laneapfilter
-/usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
-echo "OK!"
+    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
+    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+    /usr/sbin/ngctl name o2m:many1 waneapfilter
+    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+    echo "OK!"

-echo -n "  bridging etf for $ONT_IF <-> $RG_IF... "
-/usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
-echo "OK!"
+    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
+    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+    echo "OK!"

-echo -n "  defining filters for EAP traffic... "
-/usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
-/usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
-echo "OK!"
+    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
+    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+    echo "OK!"

-echo -n "  enabling one2many links... "
-/usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
-echo "OK!"
+    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
+    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    echo "OK!"

-echo -n "  removing waneapfilter:nomatch hook... "
-/usr/sbin/ngctl rmhook waneapfilter: nomatch
-echo "OK!"
+    echo -n "$(getTimestamp)   enabling one2many links... "
+    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+    echo "OK!"

-echo "enabling interfaces..."
-echo -n "  $RG_IF ... "
-/sbin/ifconfig $RG_IF up
-echo "OK!"
+    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
+    /usr/sbin/ngctl rmhook waneapfilter: nomatch
+    echo "OK!"

-echo -n "  $ONT_IF ... "
-/sbin/ifconfig $ONT_IF up
-echo "OK!"
+    echo "$(getTimestamp) enabling interfaces..."
+    echo -n "$(getTimestamp)   $RG_IF ... "
+    /sbin/ifconfig $RG_IF up
+    echo "OK!"

-echo -n "enabling promiscuous mode on $RG_IF... "
-/sbin/ifconfig $RG_IF promisc
-echo "OK!"
+    echo -n "$(getTimestamp)   $ONT_IF ... "
+    /sbin/ifconfig $ONT_IF up
+    echo "OK!"

-echo -n "enabling promiscuous mode on $ONT_IF... "
-/sbin/ifconfig $ONT_IF promisc
-echo "OK!"
+    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+    /sbin/ifconfig $RG_IF promisc
+    echo "OK!"

-echo "ngeth0 should now be available to configure as your pfSense WAN"
-echo "done!"
+    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+    /sbin/ifconfig $ONT_IF promisc
+    echo "OK!"
+
+    echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"
+    echo "$(getTimestamp) done!"
+} >> $LOG