From 69425b77f54575e36163653216cf8eab916cc984 Mon Sep 17 00:00:00 2001 From: aus Date: Tue, 20 Nov 2018 15:52:06 -0600 Subject: [PATCH 1/7] add workaround script for 5268AC, fixes #5 --- README.md | 10 +++++++++- bin/pfatt-5268AC.sh | 31 +++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 bin/pfatt-5268AC.sh diff --git a/README.md b/README.md index c5dbfb0..52c4556 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,15 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon]( scp bin/pfatt.sh root@pfsense:/root/bin/ ssh root@pfsense chmod +x /root/bin/pfatt.sh ``` - Now edit your `config.xml` to include `/root/bin/pfatt.sh` above `` + Now edit your `/conf/config.xml` to include `/root/bin/pfatt.sh` above ``. + + **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268.sh` due to [issue #5](https://github.com/aus/pfatt/issues/5). The script monitors your connection and disables or enables the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Perfom these additional steps to install: + + Copy `bin/pfatt-5268AC.sh` to `/usr/local/etc/rc.d/`: + ``` + scp bin/pfatt-5268AC.sh root@pfsense:/usr/local/etc/rc.d/ + ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC.sh + ``` 4. Connect cables: - `$RG_IF` to Residiential Gateway on the ONT port (not the LAN ports!) diff --git a/bin/pfatt-5268AC.sh b/bin/pfatt-5268AC.sh new file mode 100644 index 0000000..e886923 --- /dev/null +++ b/bin/pfatt-5268AC.sh 
@@ -0,0 +1,31 @@
+#!/bin/sh
+PING_HOST=8.8.8.8
+SLEEP=5
+LOG=/var/log/pfatt.log
+
+getTimestamp(){
+ echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt-5268AC.sh] ::"`
+}
+
+{
+ RG_CONNECTED="/usr/sbin/ngctl show laneapfilter:eapout"
+
+ echo "$(getTimestamp) Starting 5268AC ping monitor ..."
+ while
+ if /sbin/ping -t2 -q -c1 $PING_HOST > /dev/null ; then
+ if $RG_CONNECTED >/dev/null 2>&1 ; then
+ echo "$(getTimestamp) Connection to $PING_HOST is up, but EAP is being bridged!"
+ echo -n "$(getTimestamp) Disconnecting netgraph node ... "
+ /usr/sbin/ngctl rmhook laneapfilter: eapout && echo "OK!" || echo "ERROR!"
+ fi
+ else
+ if ! $RG_CONNECTED >/dev/null 2>&1 ; then
+ echo "$(getTimestamp) Connection to $PING_HOST is down, but EAP is not being bridged!"
+ echo -n "$(getTimestamp) Connecting netgraph node ... "
+ /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout && echo "OK!" || echo "ERROR!"
+ fi
+ fi
+ sleep $SLEEP
+ do :; done
+ echo "$(getTimestamp) Stopping 5268AC ping monitor ..."
+} >> $LOG
\ No newline at end of file
From 8b7b10249691d474339d3d1e75e1df18df873f13 Mon Sep 17 00:00:00 2001 From: aus Date: Tue, 20 Nov 2018 18:30:47 -0600 Subject: [PATCH 2/7] add logging --- README.md | 4 ++ bin/pfatt.sh | 133 +++++++++++++++++++++++++++------------------ 2 files changed, 74 insertions(+), 63 deletions(-)
diff --git a/README.md b/README.md
index 52c4556..d4ac320 100644
--- a/README.md
+++ b/README.md
@@ -195,6 +195,10 @@ That's it! Now your clients should be recieving public IPv6 addresses via DHCP6. # Troubleshooting
+## Logging
+
+Output from `pfatt.sh` and `pfatt-5268AC.sh` can be found in `/var/log/pfatt.log`.
+
 ## tcpdump Use tcpdump to watch the authentication, vlan and dhcp bypass process (see above). Run tcpdumps on the `$ONT_IF` interface and the `$RG_IF` interface:
diff --git a/bin/pfatt.sh b/bin/pfatt.sh
index 27cec99..b4c5483 100755
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
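Review bot: A single lost probe is enough to re-attach the EAP hook: the `else` branch runs on one failed `ping -c1` with a 2-second timeout, so ordinary packet loss toward `$PING_HOST` flaps the netgraph topology every `$SLEEP` seconds and each flap is appended to the log. Requiring a few consecutive failures before calling `ngctl connect` keeps a transient loss from re-bridging EAP, and that is what the rewrite below does, while also quoting `$PING_HOST` and `$SLEEP`. The loop body is written as the `while` condition list with an empty `do :; done` body, so the loop can never finish normally and the final `Stopping` line is unreachable; `while :; do … done` reads more plainly. `>> $LOG` captures only stdout, so the `ngctl` error text that explains an `ERROR!` line goes elsewhere; `} >> "$LOG" 2>&1` keeps the cause next to the message, and the file still grows without bound, so it belongs in newsyslog or similar rotation.
```shell
FAIL_LIMIT=3   # consecutive failed probes before EAP is re-bridged

{
  # … unchanged: RG_CONNECTED and the Starting message …
  fails=0
  while :; do
    if /sbin/ping -t2 -q -c1 "$PING_HOST" > /dev/null ; then
      fails=0
      # … unchanged: rmhook when EAP is still bridged …
    else
      fails=$((fails + 1))
      if [ "$fails" -ge "$FAIL_LIMIT" ] && ! $RG_CONNECTED >/dev/null 2>&1 ; then
        # … unchanged: connect waneapfilter/laneapfilter eapout …
      fi
    fi
    sleep "$SLEEP"
  done
} >> "$LOG" 2>&1
```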
@@ -3,84 +3,91 @@ set -e ONT_IF='em0' RG_IF='em1' -RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' +RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' +LOG=/var/log/pfatt.log -echo "$0: pfSense + AT&T U-verse Residential Gateway for true bridge mode" -echo "Configuration: " -echo " ONT_IF: $ONT_IF" -echo " RG_IF: $RG_IF" -echo "RG_ETHER_ADDR: $RG_ETHER_ADDR" +getTimestamp(){ + echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"` +} -echo -n "loading netgraph kernel modules... " -/sbin/kldload ng_etf -echo "OK! (any 'already loaded' errors can be ignored)" +{ + echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway for true bridge mode" + echo "$(getTimestamp) Configuration: " + echo "$(getTimestamp) ONT_IF: $ONT_IF" + echo "$(getTimestamp) RG_IF: $RG_IF" + echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR" -echo -n "attaching interfaces to ng_ether... " -/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');" -/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');" -echo "OK!" + echo -n "$(getTimestamp) loading netgraph kernel modules... " + /sbin/kldload ng_etf + echo "OK! (any 'already loaded' errors can be ignored)" -echo "building netgraph nodes..." + echo -n "$(getTimestamp) attaching interfaces to ng_ether... " + /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');" + /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');" + echo "OK!" -echo -n " creating ng_one2many... " -/usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one -/usr/sbin/ngctl name $ONT_IF:lower o2m -echo "OK!" + echo "$(getTimestamp) building netgraph nodes..." -echo -n " creating vlan node and interface... " -/usr/sbin/ngctl mkpeer o2m: vlan many0 downstream -/usr/sbin/ngctl name o2m:many0 vlan0 -/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether + echo -n "$(getTimestamp) creating ng_one2many... " + /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one + /usr/sbin/ngctl name $ONT_IF:lower o2m + echo "OK!" 
-/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' -/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR -echo "OK!" + echo -n "$(getTimestamp) creating vlan node and interface... " + /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream + /usr/sbin/ngctl name o2m:many0 vlan0 + /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether -echo -n " defining etf for $ONT_IF (ONT)... " -/usr/sbin/ngctl mkpeer o2m: etf many1 downstream -/usr/sbin/ngctl name o2m:many1 waneapfilter -/usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper -echo "OK!" + /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' + /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR + echo "OK!" -echo -n " defining etf for $RG_IF (RG)... " -/usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream -/usr/sbin/ngctl name $RG_IF:lower laneapfilter -/usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper -echo "OK!" + echo -n "$(getTimestamp) defining etf for $ONT_IF (ONT)... " + /usr/sbin/ngctl mkpeer o2m: etf many1 downstream + /usr/sbin/ngctl name o2m:many1 waneapfilter + /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper + echo "OK!" -echo -n " bridging etf for $ONT_IF <-> $RG_IF... " -/usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout -echo "OK!" + echo -n "$(getTimestamp) defining etf for $RG_IF (RG)... " + /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream + /usr/sbin/ngctl name $RG_IF:lower laneapfilter + /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper + echo "OK!" -echo -n " defining filters for EAP traffic... " -/usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' -/usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' -echo "OK!" + echo -n "$(getTimestamp) bridging etf for $ONT_IF <-> $RG_IF... " + /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout + echo "OK!" -echo -n " enabling one2many links... 
" -/usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" -echo "OK!" + echo -n "$(getTimestamp) defining filters for EAP traffic... " + /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' + /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' + echo "OK!" -echo -n " removing waneapfilter:nomatch hook... " -/usr/sbin/ngctl rmhook waneapfilter: nomatch -echo "OK!" + echo -n "$(getTimestamp) enabling one2many links... " + /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" + echo "OK!" -echo "enabling interfaces..." -echo -n " $RG_IF ... " -/sbin/ifconfig $RG_IF up -echo "OK!" + echo -n "$(getTimestamp) removing waneapfilter:nomatch hook... " + /usr/sbin/ngctl rmhook waneapfilter: nomatch + echo "OK!" -echo -n " $ONT_IF ... " -/sbin/ifconfig $ONT_IF up -echo "OK!" + echo "$(getTimestamp) enabling interfaces..." + echo -n " $RG_IF ... " + /sbin/ifconfig $RG_IF up + echo "OK!" -echo -n "enabling promiscuous mode on $RG_IF... " -/sbin/ifconfig $RG_IF promisc -echo "OK!" + echo -n " $ONT_IF ... " + /sbin/ifconfig $ONT_IF up + echo "OK!" -echo -n "enabling promiscuous mode on $ONT_IF... " -/sbin/ifconfig $ONT_IF promisc -echo "OK!" + echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... " + /sbin/ifconfig $RG_IF promisc + echo "OK!" -echo "ngeth0 should now be available to configure as your pfSense WAN" -echo "done!" + echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... " + /sbin/ifconfig $ONT_IF promisc + echo "OK!" + + echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN" + echo "$(getTimestamp) done!" +} >> $LOG From 641f58ce7970e76876360f9e6528e998201bc0b3 Mon Sep 17 00:00:00 2001 From: aus Date: Tue, 20 Nov 2018 18:33:45 -0600 Subject: [PATCH 3/7] quiet load ng_etf --- bin/pfatt.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/bin/pfatt.sh b/bin/pfatt.sh index b4c5483..4c0acb6 100755 --- a/bin/pfatt.sh +++ b/bin/pfatt.sh @@ -18,8 +18,8 @@ getTimestamp(){ echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR" echo -n "$(getTimestamp) loading netgraph kernel modules... " - /sbin/kldload ng_etf - echo "OK! (any 'already loaded' errors can be ignored)" + /sbin/kldload -nq ng_etf + echo "OK!" echo -n "$(getTimestamp) attaching interfaces to ng_ether... " /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');" From 0d172a1facee65f5bfd980dc4f1b1c3d8d8e9fb7 Mon Sep 17 00:00:00 2001 From: aus Date: Tue, 20 Nov 2018 18:41:57 -0600 Subject: [PATCH 4/7] fix indention --- bin/pfatt.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/bin/pfatt.sh b/bin/pfatt.sh index 4c0acb6..66e8b4e 100755 --- a/bin/pfatt.sh +++ b/bin/pfatt.sh @@ -28,12 +28,12 @@ getTimestamp(){ echo "$(getTimestamp) building netgraph nodes..." - echo -n "$(getTimestamp) creating ng_one2many... " + echo -n "$(getTimestamp) creating ng_one2many... " /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one /usr/sbin/ngctl name $ONT_IF:lower o2m echo "OK!" - echo -n "$(getTimestamp) creating vlan node and interface... " + echo -n "$(getTimestamp) creating vlan node and interface... " /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream /usr/sbin/ngctl name o2m:many0 vlan0 /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether 
@@ -42,41 +42,41 @@ getTimestamp(){ /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR echo "OK!" - echo -n "$(getTimestamp) defining etf for $ONT_IF (ONT)... " + echo -n "$(getTimestamp) defining etf for $ONT_IF (ONT)... " /usr/sbin/ngctl mkpeer o2m: etf many1 downstream /usr/sbin/ngctl name o2m:many1 waneapfilter /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper echo "OK!" - echo -n "$(getTimestamp) defining etf for $RG_IF (RG)... " + echo -n "$(getTimestamp) defining etf for $RG_IF (RG)... " /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream /usr/sbin/ngctl name $RG_IF:lower laneapfilter /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper echo "OK!" - echo -n "$(getTimestamp) bridging etf for $ONT_IF <-> $RG_IF... " + echo -n "$(getTimestamp) bridging etf for $ONT_IF <-> $RG_IF... " /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout echo "OK!" - echo -n "$(getTimestamp) defining filters for EAP traffic... " + echo -n "$(getTimestamp) defining filters for EAP traffic... " /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' echo "OK!" - echo -n "$(getTimestamp) enabling one2many links... " + echo -n "$(getTimestamp) enabling one2many links... " /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" echo "OK!" - echo -n "$(getTimestamp) removing waneapfilter:nomatch hook... " + echo -n "$(getTimestamp) removing waneapfilter:nomatch hook... " /usr/sbin/ngctl rmhook waneapfilter: nomatch echo "OK!" echo "$(getTimestamp) enabling interfaces..." - echo -n " $RG_IF ... " + echo -n "$(getTimestamp) $RG_IF ... " /sbin/ifconfig $RG_IF up echo "OK!" - echo -n " $ONT_IF ... " + echo -n "$(getTimestamp) $ONT_IF ... " /sbin/ifconfig $ONT_IF up echo "OK!" From 38bb24835e4959150e8f9fadeb1915dcad76a3bc Mon Sep 17 00:00:00 2001 
From: aus Date: Sun, 2 Dec 2018 20:59:11 -0600 Subject: [PATCH 5/7] note to consider changing PING_HOST --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d4ac320..10dc666 100644 --- a/README.md +++ b/README.md @@ -104,7 +104,7 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon]( ``` Now edit your `/conf/config.xml` to include `/root/bin/pfatt.sh` above ``. - **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268.sh` due to [issue #5](https://github.com/aus/pfatt/issues/5). The script monitors your connection and disables or enables the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Perfom these additional steps to install: + **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268.sh` due to [issue #5](https://github.com/aus/pfatt/issues/5). The script monitors your connection and disables or enables the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Consider changing the `PING_HOST` in `pfatt-5268AC.sh` to a reliable host. Then perform these additional steps to install: Copy `bin/pfatt-5268AC.sh` to `/usr/local/etc/rc.d/`: ``` From 5ae90573f711bea49a953e2455883bbdd213c369 Mon Sep 17 00:00:00 2001 From: ac3d912 Date: Sun, 9 Dec 2018 22:29:28 -0600 Subject: [PATCH 6/7] Created rc.d init script --- README.md | 9 ++++++--- bin/pfatt-5268AC | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 bin/pfatt-5268AC diff --git a/README.md b/README.md index 10dc666..e7ae8f0 100644 --- a/README.md +++ b/README.md 
@@ -106,10 +106,13 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon]( **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268.sh` due to [issue #5](https://github.com/aus/pfatt/issues/5). The script monitors your connection and disables or enables the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Consider changing the `PING_HOST` in `pfatt-5268AC.sh` to a reliable host. Then perform these additional steps to install: - Copy `bin/pfatt-5268AC.sh` to `/usr/local/etc/rc.d/`: + Copy `bin/pfatt-5268AC` to `/usr/local/etc/rc.d/` + + Copy `bin/pfatt-5268AC.sh` to `/root/bin/`: ``` - scp bin/pfatt-5268AC.sh root@pfsense:/usr/local/etc/rc.d/ - ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC.sh + scp bin/pfatt-5268AC root@pfsense:/usr/local/etc/rc.d/ + scp bin/pfatt-5268AC.sh root@pfsense:/root/bin/ + ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC.sh /root/bin/pfatt-5268AC ``` 4. Connect cables: diff --git a/bin/pfatt-5268AC b/bin/pfatt-5268AC new file mode 100644 index 0000000..583f7cb --- /dev/null +++ b/bin/pfatt-5268AC 
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+script_path="/root/bin/pfatt-5268AC.sh"
+
+name=`/usr/bin/basename "${script_path}"`
+
+rc_start() {
+ ### Lock out other start signals until we are done
+ /usr/bin/touch /var/run/${name}.lck
+
+ ${script_path} &
+ pid=$!
+
+ if [ $pid ]; then
+ echo $pid > /var/run/${name}.pid
+ /usr/bin/logger -p daemon.info -i -t pfattStartup "Successfully started ${name}"
+ else
+ /usr/bin/logger -p daemon.error -i -t pfattStartup "Error starting ${name}"
+ fi
+
+ ### Remove the lock
+ if [ -f /var/run/${name}.lck ]; then
+ /bin/sleep 2
+ /bin/rm /var/run/${name}.lck
+ fi
+}
+
+rc_stop() {
+ if [ -f /var/run/${name}.pid ]; then
+ kill -9 `cat /var/run/${name}.pid`
+ /bin/rm /var/run/${name}.pid
+ fi
+}
+
+case $1 in
+ start)
+ if [ ! -f /var/run/${name}.lck ]; then
+ rc_start
+ fi
+ ;;
+ stop)
+ rc_stop
+ ;;
+ restart)
+ if [ ! -f /var/run/${name}.lck ]; then
+ rc_stop
+ rc_start
+ fi
+ ;;
+esac
From dfa5a1867822d0003687f0df87689b89ab6d32e0 Mon Sep 17 00:00:00 2001 From: ac3d912 Date: Sun, 9 Dec 2018 22:34:32 -0600 Subject: [PATCH 7/7] Fixing minor error in README I had the .sh file in the wrong directory in the chmod --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e7ae8f0..0d9e35b 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,7 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon]( ```
 scp bin/pfatt-5268AC root@pfsense:/usr/local/etc/rc.d/
 scp bin/pfatt-5268AC.sh root@pfsense:/root/bin/
- ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC.sh /root/bin/pfatt-5268AC
+ ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC /root/bin/pfatt-5268AC.sh
 ``` 4. Connect cables:
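Review bot: The `if [ $pid ]` test in `rc_start` can never take its `else` branch: `$!` is always non-empty after `${script_path} &`, even when the monitor exits immediately (file missing, not executable), so the `Error starting` logger line is dead code and a failed start is recorded as a success. Checking that the child is still alive is a small change, e.g. `/bin/sleep 1` followed by `if kill -0 "$pid" 2>/dev/null; then`. `rc_stop` sends `kill -9` to whatever PID is in the pidfile without confirming it still belongs to the monitor, so a stale file left by a crash can terminate an unrelated process that later reused the PID; `kill -TERM` is enough since the monitor installs no trap, and `pkill -F /var/run/${name}.pid` (FreeBSD pgrep/pkill accept `-F pidfile`) only matches while the PID is live. If I recall pfSense's boot sequence correctly it runs only `*.sh` files from `/usr/local/etc/rc.d/`, so the suffix-less name chosen here may not be started at boot at all, which would defeat the "survive reboots" goal stated in the README; worth confirming on a real box.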