Merge pull request 'Freebsd 13' (#55) from reedmcintosh/FreeBSD-13 into master

Reviewed-on: #55

FreeBSD/backup.sh

@@ -0,0 +1,14 @@
+#!/bin/csh
+#Script to grab all relevant configuration files and installed packages, and back it up to github
+/usr/sbin/pkg prime-origins > /root/fw/pkg_prime-origins
+
+foreach i ( "/boot/loader.conf" "/etc/pf.conf" "/etc/rc.conf" "/etc/start_if.eth0" "/usr/local/etc/dhcpd.conf" "/usr/local/etc/namedb/named.conf" "/usr/local/etc/namedb/dynamic/example.com.db" "/var/cron/tabs/root" "/usr/local/etc/dhcp6c.conf" "/etc/rtadvd.conf" "/usr/local/etc/dhcpd6.conf" "/etc/dhclient.conf" )
+	echo "Backing up "$i
+	/bin/cp $i /root/fw$i
+end
+
+echo "git push"
+cd /root/fw/
+/usr/local/bin/git add .
+/usr/local/bin/git commit -S -m "nightly backup"
+/usr/local/bin/git push -u origin main

FreeBSD/boot/loader.conf

@@ -0,0 +1,6 @@
+netgraph_load="YES"
+ng_ether_load="YES"
+ng_etf_load="YES"
+ng_vlan_load="YES"
+ng_eiface_load="YES"
+ng_one2many_load="YES"

FreeBSD/etc/dhclient.conf

@@ -0,0 +1,10 @@
+# $FreeBSD$
+#
+#	This file is required by the ISC DHCP client.
+#	See ``man 5 dhclient.conf'' for details.
+#
+#	In most cases an empty file is sufficient for most people as the
+#	defaults are usually fine.
+#
+#
+supersede domain-name-servers 127.0.0.1;

FreeBSD/etc/pf.conf

@@ -0,0 +1,60 @@
+wan = "ngeth0"
+lan = "xxx"
+
+#options
+set skip on lo0
+set block-policy drop
+set fingerprints "/etc/pf.os"
+set ruleset-optimization basic
+set optimization normal
+set limit { states 1624000, src-nodes 1624000, frags 5000, table-entries 400000 }
+
+
+#scrub
+scrub on $wan all random-id fragment reassemble
+scrub on $lan all random-id fragment reassemble
+
+
+#NAT
+nat on $wan inet from ($lan:network) to any -> ($wan)
+
+
+#Filter
+
+#default deny
+block drop in inet all label "Default deny rule IPv4"
+block drop out inet all label "Default deny rule IPv4"
+block drop in inet6 all label "Default deny rule IPv6"
+block drop out inet6 all label "Default deny rule IPv6"
+
+#allow dhcp/dhcpv6 client
+pass in quick on $wan proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
+pass out quick on $wan proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
+pass in quick on $wan inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass in quick on $wan proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
+pass out quick on $wan proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
+
+#allow dhcp/dhcpv6 server
+pass in quick on $lan inet proto udp from any port = bootpc to { 255.255.255.255, ($lan), ($lan:broadcast) } port = bootps keep state label "allow access to DHCP server"
+pass out quick on $lan inet proto udp from ($lan) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
+pass quick on $lan inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass quick on $lan inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
+pass in quick on $lan inet6 proto udp from fe80::/10 to ($lan) port = dhcpv6-client keep state label "allow access to DHCPv6 server"
+pass out quick on $lan inet6 proto udp from ($lan) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
+
+#icmpv6
+pass quick inet6 proto ipv6-icmp all icmp6-type { unreach, toobig, neighbrsol, neighbradv } keep state
+pass out quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from fe80::/10 to { fe80::/10, ff02::/16 } icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type { echorep, routersol, routeradv, neighbrsol, neighbradv } keep state
+
+#allow self
+pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
+pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
+
+#allow LAN
+pass in on $lan inet all flags S/SA keep state label "Default allow LAN to any rule"
+pass in on $lan inet6 all flags S/SA keep state label "Default allow LAN to any rule"

FreeBSD/etc/rc.conf

@@ -0,0 +1,44 @@
+hostname="fw"
+ifconfig_eth0=""
+ifconfig_ngeth0="DHCP"
+ifconfig_ngeth0_ipv6="inet6 accept_rtadv up"
+ipv6_cpe_wanif="ngeth0"
+ifconfig_eth2="inet 192.168.1.1 netmask 255.255.255.0"
+ifconfig_eth2_ipv6="inet6 -accept-rtadv up"
+gateway_enable="YES"
+ipv6_gateway_enable="YES"
+ipv6_activate_all_interfaces="YES"
+rtadvd_enable="YES"
+rtadvd_interfaces="eth2"
+dhcp6c_enable="YES"
+dhcp6c_interfaces="ngeth0"
+dhcpd_enable="YES"
+dhcpd_flags="-q"
+dhcpd_conf="/usr/local/etc/dhcpd.conf"
+dhcpd_ifaces="eth2"
+dhcpd_withumask="022"
+dhcpd_chuser_enable="YES"
+dhcpd_withuser="dhcpd"
+dhcpd_withgroup="dhcpd"
+dhcpd_chroot_enable="YES"
+dhcpd_devfs_enable="YES"
+dhcpd_rootdir="/var/db/dhcpd"
+dhcpd6_enable="YES"
+dhcpd6_flags="-q"
+dhcpd6_conf="/usr/local/etc/dhcpd6.conf"
+dhcpd6_ifaces="eth2"
+dhcpd6_withumask="022"
+dhcpd6_chuser_enable="YES"
+dhcpd6_withuser="dhcpd"
+dhcpd6_withgroup="dhcpd"
+dhcpd6_chroot_enable="YES"
+dhcpd6_devfs_enable="YES"
+dhcpd6_rootdir="/var/db/dhcpd"
+pf_enable="YES"
+pf_rules="/etc/pf.conf"
+pflog_enable="YES"
+pflog_logfile="/var/log/pflog"
+powerd_enable="YES"
+powerd_flags="-b hadp -n hadp -a hadp"
+ntpd_enable="YES"
+sshd_enable="YES"

FreeBSD/etc/rtadvd.conf

@@ -0,0 +1,2 @@
+default:\
+	:raflags="m"::prefixlen#64:\

FreeBSD/etc/start_if.eth0

@@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='eth0'
+RG_IF='eth1'
+RG_ETHER_ADDR='00:11:22:33:44'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+    echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+    echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+    echo "$(getTimestamp) Configuration: "
+    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
+    echo "$(getTimestamp)         RG_IF: $RG_IF"
+    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+    echo "$(getTimestamp) building netgraph nodes..."
+
+    echo -n "$(getTimestamp)   creating ng_one2many... "
+    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+    /usr/sbin/ngctl name $ONT_IF:lower o2m
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   creating vlan node and interface... "
+    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+    /usr/sbin/ngctl name o2m:many0 vlan0
+    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+    /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
+    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+    /usr/sbin/ngctl name o2m:many1 waneapfilter
+    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
+    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
+    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
+    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   enabling one2many links... "
+    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
+    /usr/sbin/ngctl rmhook waneapfilter: nomatch
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $RG_IF interface... "
+    /sbin/ifconfig $RG_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $ONT_IF interface... "
+    /sbin/ifconfig $ONT_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+    /sbin/ifconfig $RG_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+    /sbin/ifconfig $ONT_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) set mac address on ngeth0..."
+    /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN"
+    echo "$(getTimestamp) done!"
+} >> $LOG

FreeBSD/pkg_prime-origins

@@ -0,0 +1,6 @@
+dns/bind916
+net/dhcp6
+devel/git
+security/gnupg
+net/isc-dhcp44-server
+ports-mgmt/pkg

FreeBSD/usr/local/etc/dhcp6c.conf

@@ -0,0 +1,12 @@
+interface ngeth0 {
+        send ia-pd 0;   # request prefix delegation
+        request domain-name-servers;
+        request domain-name;
+};
+id-assoc pd 0 {
+        prefix ::/60 infinity;
+        prefix-interface igb1 {
+                sla-id 1;
+                sla-len 4;
+        };
+};

FreeBSD/usr/local/etc/dhcpd.conf

@@ -0,0 +1,44 @@
+option domain-name "example.com";
+option ldap-server code 95 = text;
+option domain-search-list code 119 = text;
+option arch code 93 = unsigned integer 16; # RFC4578
+
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+update-conflict-detection false;
+authoritative;
+subnet 192.168.1.0 netmask 255.255.255.0 {
+        pool {
+                range 192.168.1.100 192.168.1.199;
+        }
+
+        option routers 192.168.1.1;
+        option domain-name-servers 192.168.1.1;
+        ping-check true;
+
+}
+host s_lan_0 {
+        hardware ethernet 00:11:22:33:44:55;
+        fixed-address 192.168.1.50
+        option host-name "example-host1";
+}
+host s_lan_1 {
+        hardware ethernet 66:77:88:99:aa:bb;
+        fixed-address 192.168.1.51;
+        option host-name "example-host2";
+}
+
+ddns-update-style interim;
+ddns-dual-stack-mixed-mode true;
+update-conflict-detection true;
+update-optimization false;
+deny client-updates;
+ddns-domainname "example.com.";
+ddns-hostname=pick(option fqdn.hostname, option host-name, concat("dyn-",binary-to-ascii(10,8,"-",leased-address)));
+
+zone example.com. {
+	primary 127.0.0.1;
+}

FreeBSD/usr/local/etc/dhcpd6.conf

@@ -0,0 +1,31 @@
+option domain-name "example.com";
+option ldap-server code 95 = text;
+option domain-search-list code 119 = text;
+
+default-lease-time 7200;
+max-lease-time 86400;
+log-facility local7;
+one-lease-per-client true;
+deny duplicates;
+ping-check true;
+authoritative;
+subnet6 2600:1234:5678:90ab::/64 {
+        range6 2600:1234:5678:90ab::1000 2600:1234:5678:90ab::2000;
+        do-forward-updates false;
+        option dhcp6.name-servers 2600:1234:5678:90ab::1;
+
+}
+
+ddns-update-style interim;
+ddns-dual-stack-mixed-mode true;
+update-conflict-detection true;
+update-optimization false;
+deny client-updates;
+ddns-domainname "example.com.";
+ddns-hostname=pick(option fqdn.hostname, concat("dyn-",binary-to-ascii(16,16,"-",substring(option dhcp6.ia-na, 16, 16))));
+
+zone example.com. {
+        primary 127.0.0.1;
+}
+
+

FreeBSD/usr/local/etc/namedb/named.conf

@@ -0,0 +1,385 @@
+// Refer to the named.conf(5) and named(8) man pages, and the documentation
+// in /usr/local/share/doc/bind for more details.
+//
+// If you are going to set up an authoritative server, make sure you
+// understand the hairy details of how DNS works.  Even with
+// simple mistakes, you can break connectivity for affected parties,
+// or cause huge amounts of useless Internet traffic.
+
+options {
+	allow-query	{ any; };
+	recursion yes;
+	query-source-v6 address 2600:1234:5678:90ab::1;
+	// All file and path names are relative to the chroot directory,
+	// if any, and should be fully qualified.
+	directory	"/usr/local/etc/namedb/working";
+	pid-file	"/var/run/named/pid";
+	dump-file	"/var/dump/named_dump.db";
+	statistics-file	"/var/stats/named.stats";
+
+// If named is being used only as a local resolver, this is a safe default.
+// For named to be accessible to the network, comment this option, specify
+// the proper IP address, or delete this option.
+	#listen-on	{ 127.0.0.1; };
+
+// If you have IPv6 enabled on this system, uncomment this option for
+// use as a local resolver.  To give access to the network, specify
+// an IPv6 address, or the keyword "any".
+//	listen-on-v6	{ ::1; };
+
+	listen-on-v6	{ any; };
+
+// These zones are already covered by the empty zones listed below.
+// If you remove the related empty zones below, comment these lines out.
+	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
+	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
+
+// If you've got a DNS server around at your upstream provider, enter
+// its IP address here, and enable the line below.  This will make you
+// benefit from its cache, thus reduce overall DNS traffic in the Internet.
+/*
+	forwarders {
+		127.0.0.1;
+	};
+*/
+
+// If the 'forwarders' clause is not empty the default is to 'forward first'
+// which will fall back to sending a query from your local server if the name
+// servers in 'forwarders' do not have the answer.  Alternatively you can
+// force your name server to never initiate queries of its own by enabling the
+// following line:
+//	forward only;
+
+// If you wish to have forwarding configured automatically based on
+// the entries in /etc/resolv.conf, uncomment the following line and
+// set named_auto_forward=yes in /etc/rc.conf.  You can also enable
+// named_auto_forward_only (the effect of which is described above).
+//	include "/usr/local/etc/namedb/auto_forward.conf";
+
+	/*
+	   Modern versions of BIND use a random UDP port for each outgoing
+	   query by default in order to dramatically reduce the possibility
+	   of cache poisoning.  All users are strongly encouraged to utilize
+	   this feature, and to configure their firewalls to accommodate it.
+
+	   AS A LAST RESORT in order to get around a restrictive firewall
+	   policy you can try enabling the option below.  Use of this option
+	   will significantly reduce your ability to withstand cache poisoning
+	   attacks, and should be avoided if at all possible.
+
+	   Replace NNNNN in the example with a number between 49160 and 65530.
+	*/
+	// query-source address * port NNNNN;
+};
+
+zone "thundat00th.net." { type master; allow-update { 127.0.0.1; }; file "/usr/local/etc/namedb/dynamic/example.com.db"; };
+
+// If you enable a local name server, don't forget to enter 127.0.0.1
+// first in your /etc/resolv.conf so this server will be queried.
+// Also, make sure to enable it in /etc/rc.conf.
+
+// The traditional root hints mechanism. Use this, OR the slave zones below.
+zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
+
+/*	Slaving the following zones from the root name servers has some
+	significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+	3. Greater resilience to any potential root server failure/DDoS
+
+	On the other hand, this method requires more monitoring than the
+	hints file to be sure that an unexpected failure mode has not
+	incapacitated your server.  Name servers that are serving a lot
+	of clients will benefit more from this approach than individual
+	hosts.  Use with caution.
+
+	To use this mechanism, uncomment the entries below, and comment
+	the hint zone above.
+
+	As documented at http://dns.icann.org/services/axfr/ these zones:
+	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others
+	are available for AXFR from these servers on IPv4 and IPv6:
+	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
+*/
+/*
+zone "." {
+	type slave;
+	file "/usr/local/etc/namedb/slave/root.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "arpa" {
+	type slave;
+	file "/usr/local/etc/namedb/slave/arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "in-addr.arpa" {
+	type slave;
+	file "/usr/local/etc/namedb/slave/in-addr.arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+zone "ip6.arpa" {
+	type slave;
+	file "/usr/local/etc/namedb/slave/ip6.arpa.slave";
+	masters {
+		192.0.32.132;           // lax.xfr.dns.icann.org
+		2620:0:2d0:202::132;    // lax.xfr.dns.icann.org
+		192.0.47.132;           // iad.xfr.dns.icann.org
+		2620:0:2830:202::132;   // iad.xfr.dns.icann.org
+	};
+	notify no;
+};
+*/
+
+/*	Serving the following zones locally will prevent any queries
+	for these zones leaving your network and going to the root
+	name servers.  This has two significant advantages:
+	1. Faster local resolution for your users
+	2. No spurious traffic will be sent from your network to the roots
+*/
+// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
+zone "localhost"	{ type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
+zone "127.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
+zone "255.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
+zone "0.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
+
+// "This" Network (RFCs 1912, 5735 and 6303)
+zone "0.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Private Use Networks (RFCs 1918, 5735 and 6303)
+zone "10.in-addr.arpa"	   { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "26.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "28.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "30.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "31.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Shared Address Space (RFC 6598)
+zone "64.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "65.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "66.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "67.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "68.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "69.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "70.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "71.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "72.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "73.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "74.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "75.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "76.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "77.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "78.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "79.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "80.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "81.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "82.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "83.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "84.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "85.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "86.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "87.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "88.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "89.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "90.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "91.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "92.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "93.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "94.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "95.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "96.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "97.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "98.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "99.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "100.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "101.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "102.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "103.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "104.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "105.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "106.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "107.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "108.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "109.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "110.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "111.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "112.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "113.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "114.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "115.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "116.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "117.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "118.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "119.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "120.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "121.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "122.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "123.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "124.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "125.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "126.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "127.100.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Link-local/APIPA (RFCs 3927, 5735 and 6303)
+zone "254.169.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IETF protocol assignments (RFCs 5735 and 5736)
+zone "0.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303)
+zone "2.0.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "100.51.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "113.0.203.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
+zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// Router Benchmark Testing (RFCs 2544 and 5735)
+zone "18.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "19.198.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IANA Reserved - Old Class E Space (RFC 5735)
+zone "240.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "241.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "242.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "243.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "244.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "245.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "246.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "247.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "248.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "249.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "250.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "251.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "252.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "253.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "254.in-addr.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Unassigned Addresses (RFC 4291)
+zone "1.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "8.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "c.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "e.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "0.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "1.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "2.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "8.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "0.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "1.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "2.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "3.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "4.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "5.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "6.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "7.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 ULA (RFCs 4193 and 6303)
+zone "c.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Link Local (RFCs 4291 and 6303)
+zone "8.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "9.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "a.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "b.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
+zone "c.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "d.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "e.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+zone "f.e.f.ip6.arpa"	{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// IP6.INT is Deprecated (RFC 4159)
+zone "ip6.int"		{ type master; file "/usr/local/etc/namedb/master/empty.db"; };
+
+// NB: Do not use the IP addresses below, they are faked, and only
+// serve demonstration/documentation purposes!
+//
+// Example slave zone config entries.  It can be convenient to become
+// a slave at least for the zone your own domain is in.  Ask
+// your network administrator for the IP address of the responsible
+// master name server.
+//
+// Do not forget to include the reverse lookup zone!
+// This is named after the first bytes of the IP address, in reverse
+// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
+//
+// Before starting to set up a master zone, make sure you fully
+// understand how DNS and BIND work.  There are sometimes
+// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
+//
+// NB: Don't blindly enable the examples below. :-)  Use actual names
+// and addresses instead.
+
+/* An example dynamic zone
+key "exampleorgkey" {
+	algorithm hmac-md5;
+	secret "sf87HJqjkqh8ac87a02lla==";
+};
+zone "example.org" {
+	type master;
+	allow-update {
+		key "exampleorgkey";
+	};
+	file "/usr/local/etc/namedb/dynamic/example.org";
+};
+*/
+
+/* Example of a slave reverse zone
+zone "1.168.192.in-addr.arpa" {
+	type slave;
+	file "/usr/local/etc/namedb/slave/1.168.192.in-addr.arpa";
+	masters {
+		192.168.1.1;
+	};
+};
+*/

FreeBSD/var/cron/tabs/root

@@ -0,0 +1,8 @@
+# DO NOT EDIT THIS FILE - edit the master and reinstall.
+# (/tmp/crontab.q40BAzenoV installed on Sun Apr 18 22:56:27 2021)
+# (Cron version -- $FreeBSD$)
+# monthly zpool scrub
+0 2 1 * * /sbin/zpool scrub zrootmirror
+
+# nightly config backup
+0 3 * * * /root/fw/backup.sh

README.md

@@ -17,9 +17,9 @@ Before continuing to the setup, it's important to understand how this method wor
 First, let's talk about what happens in the standard setup (without any bypass). At a high level, the following process happens when the gateway boots up:
 
 1. All traffic on the ONT is protected with [802.1/X](https://en.wikipedia.org/wiki/IEEE_802.1X). So in order to talk to anything, the Router Gateway must first perform the [authentication procedure](https://en.wikipedia.org/wiki/IEEE_802.1X#Typical_authentication_progression). This process uses a unique certificate that is hardcoded on your residential gateway.
-1. Once the authentication completes, you'll be able to properly "talk" to the outside. But strangely, all of your traffic will need to be tagged with VLAN id 0 before the IP gateway will respond.  I believe VLAN0 is an obscure Cisco feature of 802.1Q CoS, but I'm not really sure.  
+2. Once the authentication completes, you'll be able to properly "talk" to the outside. However, all of your traffic will need to be tagged with VLAN ID 0 (a.k.a. VLAN Priority Tagging<sup>[[1]](https://wikipedia.org/wiki/IEEE_802.1Q#Frame_format)[[2]](https://www.cisco.com/c/en/us/td/docs/switches/connectedgrid/cg-switch-sw-master/software/configuration/guide/vlan0/b_vlan_0.html)</sup>) before the IP gateway will respond.  
-1. Once traffic is tagged with VLAN0, your residential gateway needs to request a public IPv4 address via DHCP. The MAC address in the DHCP request needs to match that of the MAC address that's assigned to your AT&T account. Other than that, there's nothing special about the DCHPv4 handshake.
+3. Once traffic is tagged with VLAN0, your residential gateway needs to request a public IPv4 address via DHCP. The MAC address in the DHCP request needs to match that of the MAC address that's assigned to your AT&T account. Other than that, there's nothing special about the DCHPv4 handshake.
-1. After the DHCP lease is issued, the WAN setup is complete. Your LAN traffic is then NAT'd and routed to the outside.
+4. After the DHCP lease is issued, the WAN setup is complete. Your LAN traffic is then NAT'd and routed to the outside.
 
 ## Bypass Procedure
 
@@ -63,60 +63,50 @@ But enough talk. Now for the fun part!
 * At least __three__ physical network interfaces on your pfSense server
 * The MAC address of your Residential Gateway
 * Local or console access to pfSense
-* pfSense 2.4.4 _(confirmed working in 2.4.3 too, other versions should work but YMMV)_
+* pfSense 2.4.5 running on amd64 architecture _(If you are running pfSense 2.4.4 please see instruction in the [Before-pfSense-2.4.5 branch](https://github.com/MonkWho/pfatt/blob/Before-pfSense-2.4.5/README.md))_
 
-If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon](https://amzn.to/2P0yn8k) as your third. It has the Asix AX88772 chipset, which is supported in FreeBSD with the [axe](https://www.freebsd.org/cgi/man.cgi?query=axe&sektion=4) driver. I've confirmed it works in my setup. The driver was already loaded and I didn't have to install or configure anything to get it working. Also, don't worry about the poor performance of USB or 100Mbps NICs. This third NIC will only send/recieve a few packets periodicaly to authenticate your Router Gateway. The rest of your traffic will utilize your other (and much faster) NICs.
+At this time there is a bug in pFsense 2.4.5 and [ng_etf module is only included in pFsense 2.4.5 _amd64 build_](
+https://redmine.pfsense.org/issues/10463). Should be fixed in 2.4.5-p1.
+
+PFSense Builds for Netgate hardware may not include ng_etf (Confimred on SG4860-Desktop 2.4.5-p1). Confirm ng_etf exists before continuing and look at [Before-pfSense-2.4.5 branch](https://github.com/MonkWho/pfatt/blob/Before-pfSense-2.4.5/README.md) for gudiance if it doesn't exist.
+
+If you are running pfSense on anything other than amd64 architecture you should compile your own version of ng_etf. Look at [Before-pfSense-2.4.5 branch](https://github.com/MonkWho/pfatt/blob/Before-pfSense-2.4.5/README.md) for some guidance on compiling and running your own ng_etf.
+
+If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon](https://www.amazon.com/gp/product/B00007IFED) as your third. It has the Asix AX88772 chipset, which is supported in FreeBSD with the [axe](https://www.freebsd.org/cgi/man.cgi?query=axe&sektion=4) driver. I've confirmed it works in my setup. The driver was already loaded and I didn't have to install or configure anything to get it working. Also, don't worry about the poor performance of USB or 100Mbps NICs. This third NIC will only send/recieve a few packets periodicaly to authenticate your Router Gateway. The rest of your traffic will utilize your other (and much faster) NICs.
 
 ## Install
 
-1. Copy the `bin/ng_etf.ko` amd64 kernel module to `/boot/kernel` on your pfSense box (because it isn't included):
+1. Edit the following configuration variables in `bin/pfatt.sh` as noted below. `$RG_ETHER_ADDR` should match the MAC address of your Residential Gateway. AT&T will only grant a DHCP lease to the MAC they assigned your device. In my environment, it's:
-
-    a) Use the pre-compiled kernel module from me, a random internet stranger:
-    ```
-    scp bin/ng_etf.ko root@pfsense:/boot/kernel/
-    ssh root@pfsense chmod 555 /boot/kernel/ng_etf.ko
-    ```
-    **NOTE:** The `ng_etf.ko` in this repo was compiled for amd64 from the FreeBSD 11.2 release source code. It may also work on other/future versions of pfSense depending if there have been [significant changes](https://github.com/freebsd/freebsd/commits/master/sys/netgraph/ng_etf.c).  
-
-    b) Or you, a responsible sysadmin, can compile the module yourself from another, trusted FreeBSD machine. _You cannot build packages directly on pfSense._ Your FreeBSD version should match that of your pfSense version. (Example: pfSense 2.4.4 = FreeBSD 11.2)
-    ```
-    # from a FreeBSD machine (not pfSense!)
-    fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/11.2-RELEASE/src.txz
-    tar -C / -zxvf src.txz
-    cd /usr/src/sys/modules/netgraph
-    make
-    scp etf/ng_etf.ko root@pfsense:/boot/kernel/
-    ssh root@pfsense chmod 555 /boot/kernel/ng_etf.ko
-    ```
-
-    **NOTE:** You'll need to tweak your compiler parameters if you need to build for another architecture, like ARM.
-
-2. Edit the following configuration variables in `bin/pfatt.sh` as noted below. `$RG_ETHER_ADDR` should match the MAC address of your Residential Gateway. AT&T will only grant a DHCP lease to the MAC they assigned your device. In my environment, it's:
     ```shell
-    ONT_IF='bce0' # NIC -> ONT / Outside
+    ONT_IF='xx0' # NIC -> ONT / Outside
-    RG_IF='ue0'  # NIC -> Residential Gateway's ONT port
+    RG_IF='xx1'  # NIC -> Residential Gateway's ONT port
     RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' # MAC address of Residential Gateway
     ```
 
-3. Copy `bin/pfatt.sh` to `/root/bin` (or any directory):
+2. Copy `bin/pfatt.sh` to `/root/bin` (or any directory):
     ```
     ssh root@pfsense mkdir /root/bin
     scp bin/pfatt.sh root@pfsense:/root/bin/
     ssh root@pfsense chmod +x /root/bin/pfatt.sh
     ```
-    Now edit your `/conf/config.xml` to include `<earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd>` above `</system>`. 
 
-    **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268.sh`. The script monitors your connection and disables or enables the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Consider changing the `PING_HOST` in `pfatt-5268AC.sh` to a reliable host. Then perform these additional steps to install:
+    **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268AC-startup.sh` and `pfatt-5268.sh`. The scripts monitor your connection and disable or enable the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Consider changing the `PING_HOST` in `pfatt-5268AC.sh` to a reliable host. Then perform these additional steps to install:
-
-    Copy `bin/pfatt-5268AC` to `/usr/local/etc/rc.d/`
-    
-    Copy `bin/pfatt-5268AC.sh` to `/root/bin/`:
     ```
-    scp bin/pfatt-5268AC root@pfsense:/usr/local/etc/rc.d/pfatt-5268AC.sh
+    scp bin/pfatt-5268AC-startup.sh root@pfsense:/usr/local/etc/rc.d/pfatt-5268AC-startup.sh
     scp bin/pfatt-5268AC.sh root@pfsense:/root/bin/
-    ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC.sh /root/bin/pfatt-5268AC.sh
+    ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC-startup.sh /root/bin/pfatt-5268AC.sh
     ```
 
+3. To start pfatt.sh script at the beginning of the boot process pfSense team recomments you use a package called shellcmd. Use pfSense package installer to find and install it. Once you have shellcmd package installed you can find it in Services > Shellcmd. Now add a new command and fill it up accordingly (make sure to select earlyshellcmd from a dropdown):
+    ```
+    Command: /root/bin/pfatt.sh
+    Shellcmd Type: earlyshellcmd
+    ```
+    It should look like this:
+    ![Shellcmd Settings](img/Shellcmd.png)
+
+    This can also be acomplished by manually editing your pfSense /conf/config.xml file. Add <earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd> above </system>. This method is not recommended and is frowned upon by pfSense team.
+
 4. Connect cables:
     - `$RG_IF` to Residential Gateway on the ONT port (not the LAN ports!)
     - `$ONT_IF` to ONT (outside)
@@ -133,14 +123,14 @@ If everything is setup correctly, netgraph should be bridging EAP traffic betwee
 
 Once your netgraph setup is in place and working, there aren't any netgraph changes required to the setup to get IPv6 working. These instructions can also be followed with a different bypass method other than the netgraph method. Big thanks to @pyrodex1980's [post](http://www.dslreports.com/forum/r32118263-) on DSLReports for sharing your notes.
 
-This setup assumes you have a fairly recent version of pfSense. I'm using 2.4.4.
+This setup assumes you have a fairly recent version of pfSense. I'm using 2.4.5.
 
 **DUID Setup**
 
 1. Go to _System > Advanced > Networking_
 1. Configure **DHCP6 DUID** to _DUID-EN_
 1. Configure **DUID-EN** to _3561_
-1. Configure your **IANA Private Enterprise Number**. This number is unique for each customer and (I believe) based off your Residential Gateway serial number. You can generate your DUID using [gen-duid.sh](https://github.com/aus/pfatt/blob/master/bin/gen-duid.sh), which just takes a few inputs. Or, you can take a pcap of the Residential Gateway with some DHCPv6 traffic. Then fire up Wireshark and look for the value in _DHCPv6 > Client Identifier > Identifier_. Add the value as colon separated hex values `00:00:00`.
+1. Configure your **IANA Private Enterprise Number**. This number is unique for each customer and (I believe) based off your Residential Gateway serial number. You can generate your DUID using [gen-duid.sh](https://github.com/MonkWho/pfatt/blob/master/bin/gen-duid.sh), which just takes a few inputs. Or, you can take a pcap of the Residential Gateway with some DHCPv6 traffic. Then fire up Wireshark and look for the value in _DHCPv6 > Client Identifier > Identifier_. Add the value as colon separated hex values `00:00:00`.
 1. Save
 
 **WAN Setup**
@@ -148,6 +138,7 @@ This setup assumes you have a fairly recent version of pfSense. I'm using 2.4.4.
 1. Go to _Interfaces > WAN_
 1. Enable **IPv6 Configuration Type** as _DHCP6_
 1. Scroll to _DCHP6 Client Configuration_
+1. Enable **Request only an IPv6 prefix**
 1. Enable **DHCPv6 Prefix Delegation size** as _60_
 1. Enable _Send IPv6 prefix hint_
 1. Enable _Do not wait for a RA_
@@ -168,12 +159,15 @@ If you have additional LAN interfaces repeat these steps for each interface exce
 1. Go to _Services > DHCPv6 Server & RA_
 1. Enable DHCPv6 server on interface LAN
 1. Configure a range of ::0001 to ::ffff:ffff:ffff:fffe
-1. Configure a **Prefix Delegation Range** to _64_
+1. Leave **Prefix Delegation Range** _blank_.
+1. Configure **Prefix Delegation Size** to _64_
 1. Save
 1. Go to the _Router Advertisements_ tab
 1. Configure **Router mode** as _Stateless DHCP_
 1. Save
 
+If you have additional LAN interfaces repeat these steps for each interface.
+
 That's it! Now your clients should be receiving public IPv6 addresses via DHCP6.
 
 # Troubleshooting
@@ -307,16 +301,32 @@ There is a whole thread on this at [DSLreports](http://www.dslreports.com/forum/
 
 However, I don't think this works for everyone. I had to explicitly tag my WAN traffic to VLAN0 which wasn't supported on my switch.
 
-## OPNSense / FreeBSD
+## OPNSense
 For OPNSense 20.1:
 follow the pfSense instructions, EXCEPT:
 1) use file opnatt.sh
 2) do *NOT* install the ng_etf.ko, as OPNSense already has this module installed.
-3) put the opnatt.sh script into `/usr/local/etc/rc.syshook.d/early` as `99-opnatt.sh
+3) put the opnatt.sh script into `/usr/local/etc/rc.syshook.d/early` as `99-opnatt.sh`
 4) do *NOT* modify config.xml, nor do any of the duid stuff
 5) note: You *CAN* use IPv6 Prefix id 0, as OPNSense does *NOT* assign a routeable IPv6 address to ngeth0
 
-I haven't tried this with native FreeBSD, but I imagine the process is ultimately the same with netgraph. Feel free to submit a PR with notes on your experience.
+## FreeBSD (tested on 13.0-RELEASE)
+For FreeBSD:
+1) use file freeatt.sh
+2) ng_etf.ko is not needed, standard FreeBSD includes all of the required modules
+3) modules can be loaded from /boot/loader.conf, an example loader.conf with the modules listed is included (loading modules in the script should work, but lets do things "properly")
+4) put the freeatt.sh script into '/etc' and rename to `start_if.$ONT_IF` in my case the file is `/etc/start_if.igb0` this will depend on your hardware
+5) in rc.conf, add the line `ifconfig_$ONT_IF=""` this will trigger rc to run our start_if.$ONT_IF script to create the ngeth0 interface, and then do nothing else to the interface, in my case this line is `ifconfig_igb0=""` (using $RG_IF instead probably gives the same result)
+6) configure the rest of rc.conf, an example is provided with the essentials, gateway_enable, DHCP settings etc.
+7) configure pf, dhcpd, etc. to taste, generic examples provided
+
+Once you have IPv4 connectivity you're done, unless you want IPv6 as well.  The default dhclient still does not support IPv6, so:
+1) Install KAME dhcp6c 'pkg install dhcp6'
+2) Configure rc.conf with 'ipv6_cpe_wanif="ngeth0"' in addition to the other ipv6, dhcp6c, and rtadvd configuration in rc.conf, filling in with your lan interface(s)
+3) use the example configuration in `/usr/local/etc/dhcp6c.conf` to configure dhcp6c
+4) Set some inet6 rules in pf.conf and test
+
+Example configuration files are provided for bind, dhcpd, dhcpd6, rtadvd, etc. based off of a currently working dual stack router running FreeBSD 13, other versions of FreeBSD may work
 
 # U-verse TV
 

bin/freeatt.sh

@@ -0,0 +1,87 @@
+#!/bin/sh
+set -e
+
+ONT_IF='xx0'
+RG_IF='xx1'
+RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
+LOG=/var/log/freeatt.log
+
+getTimestamp(){
+    echo `date "+%Y-%m-%d %H:%M:%S :: [freeatt.sh] ::"`
+}
+
+{
+    echo "$(getTimestamp) FreeBSD pf + AT&T U-verse Residential Gateway for true bridge mode"
+    echo "$(getTimestamp) Configuration: "
+    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
+    echo "$(getTimestamp)         RG_IF: $RG_IF"
+    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
+
+    echo "$(getTimestamp) building netgraph nodes..."
+
+    echo -n "$(getTimestamp)   creating ng_one2many... "
+    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
+    /usr/sbin/ngctl name $ONT_IF:lower o2m
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   creating vlan node and interface... "
+    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
+    /usr/sbin/ngctl name o2m:many0 vlan0
+    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
+
+    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
+    /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
+    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
+    /usr/sbin/ngctl name o2m:many1 waneapfilter
+    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
+    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
+    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
+    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
+    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
+    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   enabling one2many links... "
+    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
+    echo "OK!"
+
+    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
+    /usr/sbin/ngctl rmhook waneapfilter: nomatch
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $RG_IF interface... "
+    /sbin/ifconfig $RG_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling $ONT_IF interface... "
+    /sbin/ifconfig $ONT_IF up
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
+    /sbin/ifconfig $RG_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
+    /sbin/ifconfig $ONT_IF promisc
+    echo "OK!"
+
+    echo -n "$(getTimestamp) set mac address on ngeth0..."
+    /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
+    echo "OK!"
+
+    echo "$(getTimestamp) ngeth0 should now be available to configure as your pf WAN"
+    echo "$(getTimestamp) done!"
+} >> $LOG

bin/gen-duid.sh

@@ -6,13 +6,13 @@ printhexstring() { awk '{l=split($0,c,"");for(i=1;i<l-1;i=i+2)printf("%s:",subst
 echo
 echo "Step 1) RG information"
 echo
-while read -p "  Manufacturer [1=Pace, 2=Motorola]: " mfg; do
+while read -p "  Manufacturer [1=Pace, 2=Motorola/Arris, 3=Nokia]: " mfg; do
-        ([ "$mfg" = "1" ] || [ "$mfg" = "2" ]) && break
+        ([ "$mfg" = "1" ] || [ "$mfg" = "2" ] || [ "$mfg" = "3" ]) && break
 done
 while read -p "  Serial number: " serial; do [ -n "$serial" ] && break; done
 echo
 
-[ "$mfg" = "1" ] && mfg="00D09E" || mfg="001E46"
+[ "$mfg" = "1" ] && mfg="00D09E" || [ "$mfg" = "2" ] && mfg="001E46" || [ "$mfg" = "3" ] && mfg="207852"
 echo -n "Identifier: "
 ascii2hex "$mfg-$serial" | printhexstring
 

bin/pfatt.sh

@@ -1,16 +1,11 @@
 #!/bin/sh
 set -e
 
-ONT_IF='em0'
+ONT_IF='xx0'
-RG_IF='em1'
+RG_IF='xx1'
 RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
 LOG=/var/log/pfatt.log
 
-# Calculate pfsense version so we can manage some variations.
-VERSION_MAJOR=`sed -nre 's/([0-9])+\.([0-9])+\.([0-9])+.*/\1/p' /etc/version`
-VERSION_MINOR=`sed -nre 's/([0-9])+\.([0-9])+\.([0-9])+.*/\2/p' /etc/version`
-VERSION_PATCH=`sed -nre 's/([0-9])+\.([0-9])+\.([0-9])+.*/\3/p' /etc/version`
-
 getTimestamp(){
     echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"`
 }
@@ -22,15 +17,11 @@ getTimestamp(){
     echo "$(getTimestamp)         RG_IF: $RG_IF"
     echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
 
-    if ( [ ${VERSION_MAJOR} -ge '2' ] && [ ${VERSION_MINOR} -ge '4' ] && [ ${VERSION_PATCH} -lt '5' ] ); then
-        echo -n "$(getTimestamp) loading netgraph kernel modules... "
-        /sbin/kldload -nq ng_etf
-        echo "OK!"
-    fi
-
     echo -n "$(getTimestamp) attaching interfaces to ng_ether... "
-    /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"
+    # Only needed for older versions of pfatt. Newer versions handle this automatically.
-    /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');"
+    # Eventually this can be remove.
+    /usr/local/bin/php -r "function_exists('pfSense_ngctl_attach') && pfSense_ngctl_attach('.', '$ONT_IF');"
+    /usr/local/bin/php -r "function_exists('pfSense_ngctl_attach') && pfSense_ngctl_attach('.', '$RG_IF');"
     echo "OK!"
 
     echo "$(getTimestamp) building netgraph nodes..."
@@ -91,7 +82,8 @@ getTimestamp(){
     echo "OK!"
 
     echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
-    /sbin/ifconfig $ONT_IF promisc
+    # Updated as per https://github.com/MonkWho/pfatt/issues/65
+    /sbin/ifconfig $ONT_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso
     echo "OK!"
 
     echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"