OpnSense 22.1 Issue #65

Open
opened 2022-01-30 03:18:00 +05:30 by dkowis · 66 comments
dkowis commented 2022-01-30 03:18:00 +05:30 (Migrated from github.com)

https://opnsense.org/opnsense-22-1-released/

Has anyone had experience with it yet? I haven't gotten around to it and probably won't have time for a while. Starting an issue thread to keep track of it.

EDIT: reported working well with wpa_supplicant (https://github.com/MonkWho/pfatt/issues/65#issuecomment-1025294502)

EDIT MORE: https://github.com/MonkWho/pfatt/issues/65#issuecomment-1043984610 seems to be the victorious solution that covers both WPA and Tethered operating modes.

ehassett commented 2022-01-30 04:19:39 +05:30 (Migrated from github.com)

I upgraded to 22.1 without even recalling that I had this script running. Haven't been able to get connection through the gateway since the upgrade. I've verified that the upgrade didn't overwrite/remove the script from `/usr/local/etc/rc.syshook.d/early/`. The opnatt log is also showing everything as having been set up properly. Investigating more now as I'm not sure what would have caused the break with the update.

ehassett commented 2022-01-30 04:45:37 +05:30 (Migrated from github.com)

Looks like DHCP traffic is not being bridged between ngeth0 and $ONT_IF now. Will update as I troubleshoot more...

smplman commented 2022-01-31 06:53:51 +05:30 (Migrated from github.com)

I tried my hand at this over the weekend with trying to use supplicant mode. When I reboot the system hangs at waiting EAP for authorization... which is in this while true loop here https://github.com/MonkWho/pfatt/blob/supplicant_OPNsense_testing/bin/opnatt.sh#L212. I'm testing on the supplicant_OPNsense_testing branch. I'm trying to get some insight and logging to see if I can figure out what's going on.

For some reason none of my logs are being output to /var/log/opnatt.log or /var/log/pfatt.log. I'm no BSD expert, but /usr/bin/logger -st "pfatt" "starting pfatt..." seems like it would log straight to STDOUT.

Edit: I was able to get some better logging through the web ui. It appears something with dhclient is causing issues. I'm going to try running through the commands in the script one by one to see if I can track down what is going on.

```
2022-01-31T01:50:02	Error	opnsense	/usr/local/etc/rc.linkup: DEVD: Ethernet attached event for dynamic wan(ngeth0)
2022-01-31T01:50:02	Notice	pfatt	waiting EAP for authorization...
2022-01-31T01:50:02	Notice	pfatt	setting wpa_supplicant network configuration...
2022-01-31T01:50:02	Notice	pfatt	wpa_supplicant running on PID 35917...
2022-01-31T01:50:02	Notice	pfatt	starting wpa_supplicant...
2022-01-31T01:50:02	Notice	pfatt	enabling promisc for em1...
2022-01-31T01:50:02	Notice	pfatt	creating vlan node and ngeth0 interface...
2022-01-31T01:50:02	Notice	pfatt	ONT---[] [em1]
2022-01-31T01:50:02	Notice	pfatt	cabling should look like this:
2022-01-31T01:50:02	Notice	pfatt	configuring EAP environment for supplicant mode...
2022-01-31T01:50:00	Error	dhcp6c	invalid interface(ngeth0): Device not configured
2022-01-31T01:50:00	Notice	opnsense	plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,Array))
2022-01-31T01:50:00	Notice	opnsense	plugins_configure dhcp (,inet6,Array)
2022-01-31T01:50:00	Error	opnsense	/usr/local/etc/rc.linkup: DEVD: Ethernet detached event for dynamic wan(ngeth0)
2022-01-31T01:50:00	Critical	dhclient	exiting.
2022-01-31T01:50:00	Error	dhclient	connection closed
2022-01-31T01:50:00	Critical	dhclient	exiting.
2022-01-31T01:50:00	Error	dhclient	No live interfaces to poll on - exiting.
2022-01-31T01:50:00	Error	dhclient	Interface ngeth0 no longer appears valid.
2022-01-31T01:50:00	Error	dhclient	ioctl(SIOCGIFFLAGS) on ngeth0: Operation not permitted
2022-01-31T01:50:00	Error	dhclient	receive_packet failed on ngeth0: Device not configured
2022-01-31T01:50:00	Notice	pfatt	resetting netgraph...
2022-01-31T01:50:00	Notice	pfatt	EAP_BRIDGE_5268AC = 0
2022-01-31T01:50:00	Notice	pfatt	EAP_BRIDGE_IF = xx1
2022-01-31T01:50:00	Notice	pfatt	EAP_SUPPLICANT_IDENTITY = (redacted)
2022-01-31T01:50:00	Notice	pfatt	EAP_MODE = supplicant
2022-01-31T01:50:00	Notice	pfatt	RG_ETHER_ADDR = (redacted)
2022-01-31T01:50:00	Notice	pfatt	ONT_IF = em1
2022-01-31T01:50:00	Notice	pfatt	configuration:
2022-01-31T01:50:00	Notice	pfatt	starting pfatt...
2022-01-31T01:49:59	Notice	sudo	smplman : TTY=pts/0 ; PWD=/home/smplman ; USER=root ; COMMAND=/usr/local/etc/rc.syshook.d/early/99-opnatt
```

Edit Edit: I was able to get this working with the steps below. To me it seems like there is something going on with the order of operations of the script. After a reboot I still get stuck on waiting EAP for authorization.. and have to repeat the steps below. My /etc/wpa_supplicant.conf is the one that got generated when I extracted my certs from the device locksmith. So it seems like running wpa_supplicant directly instead of with wpa_cli is making some sort of difference?

  • Move WAN from ngeth0 to em1 in the web gui
  • `sudo /usr/sbin/wpa_supplicant -Dwired -iem1 -c/etc/wpa_supplicant.conf`
  • Move WAN from em1 to ngeth0 in the web gui
  • stop wpa_supplicant with CTRL + C
  • `sudo /usr/sbin/wpa_supplicant -Dwired -ingeth0 -c/etc/wpa_supplicant.conf`
  • stop wpa_supplicant with CTRL + C
  • `sudo /usr/local/etc/rc.syshook.d/early/99-opnatt`

IP4 and IP6 addresses acquired and speed is okay. I'm getting 400/400, but I think it's because my box is running on an old Intel Atom SuperMicro `Intel(R) Atom(TM) CPU D525 @ 1.80GHz (2 cores, 4 threads)`. Might need to test out some better hardware. Nothing special was done for IP6, it was acquired about a minute after the IP4.

zombielinux commented 2022-01-31 08:44:51 +05:30 (Migrated from github.com)

I'll have to give this a go. Glad to see it's working.

If I recall, when I made my PR to go from wpa_cli to wpa_supplicant, there was some poor escaping or bash interpretation happening in the arguments list. Switching to the .conf file is far more supported anyways in the *nix community at large.

dkowis commented 2022-01-31 08:58:40 +05:30 (Migrated from github.com)

I've got a non-wpa_supplicant setup, so I'm not sure those steps will apply to me. Maybe a reconfiguration of the interface did something, however.

ehassett commented 2022-02-05 04:26:29 +05:30 (Migrated from github.com)

I have not been able to get any more figured out for non-wpa_supplicant setup, has anyone else made any progress?

MrCaturdayNight commented 2022-02-05 04:44:49 +05:30 (Migrated from github.com)

> I have not been able to get any more figured out for non-wpa_supplicant setup, has anyone else made any progress?

Not yet but I'm working on it too. I also tried converting to the wpa supplicant method and can't get it going either but that's true for me on 21.7. If I figure either out I'll report back.

owenthewizard commented 2022-02-08 01:04:34 +05:30 (Migrated from github.com)

21.7 works for me with supplicant but 22.1 doesn't.

Hou-dev commented 2022-02-08 03:57:21 +05:30 (Migrated from github.com)

I am also having problems with the latest version of OPNsense, I had to revert to 21.7.8

dkowis commented 2022-02-08 04:20:33 +05:30 (Migrated from github.com)

Since we've got multiple methods of PFATT in this issue, could you please be specific as to which method you're using?

To summarize:

  • 22.1 does not work with the "tethered" method, where the router remains on and connected.
  • At least one report of 22.1 working with the wpa_supplicant method
Hou-dev commented 2022-02-08 05:49:15 +05:30 (Migrated from github.com)

> Since we've got multiple methods of PFATT in this issue, could you please be specific as to which method you're using?
>
> To summarize:
>
>   • 22.1 does not work with the "tethered" method, where the router remains on and connected.
>   • At least one report of 22.1 working with the wpa_supplicant method

I am using the supplicant method. After the update the script hangs on "waiting on EAP for authorization". On occasion running the script manually worked. I decided to move back to the older release of OPNsense since if I had to reboot for any reason the script would not terminate unless it gets an IP address.

zombielinux commented 2022-02-08 06:44:30 +05:30 (Migrated from github.com)

Are you using my pull request? Or the script in the repository? I had mine
hang at the same place, but it was the wpa-cli code block that was failing.
There was some bash interpretation and escaping that failed.

Try my pull request script and see if it works.

On Mon, Feb 7, 2022 at 19:19 Hou-dev wrote:

> Since we've got multiple methods of PFATT in this issue, could you please
> be specific as to which method you're using?
>
> To summarize:
>
>   • 22.1 does not work with the "tethered" method, where the router
>     remains on and connected.
>   • At least one report of 22.1 working with the wpa_supplicant method
>
> I am using the supplicant method. After the update the script hangs on
> "waiting on EAP for authorization". On occasion running the script manually
> worked. I decided to move back to the older release of OPNsense since if I
> had to reboot for any reason the script would not terminate unless it gets
> an IP address.

--
No trees were harmed in the sending of this message, but a rather large
number of electrons were terribly inconvenienced.

owenthewizard commented 2022-02-08 06:58:52 +05:30 (Migrated from github.com)

I tried the zombielinux fork and it had the same issue.

smplman commented 2022-02-08 07:23:42 +05:30 (Migrated from github.com)

I'm running in supplicant mode with zombielinux's branch.

@zombielinux I also tried your script and it still hangs at waiting EAP for authorization.. I still have to do the dance of reassigning the WAN port and running wpa_supplicant manually. I did have a thought though that maybe the script is running before the interfaces are fully initialized? But that doesn't line up because if I run the script manually after breaking out and letting the system fully boot it hangs at the same spot.

I want to try updating the script to manually set the WAN back to em1, run wpa_supplicant, then once authenticated set the WAN back to ngeth0. I have had good luck getting wpa_supplicant to auth against em1 instead of ngeth0. Or maybe it's the other way around? I'm getting inconsistent results in my testing.

dangeist commented 2022-02-11 21:20:31 +05:30 (Migrated from github.com)

I was able to get this working with @zombielinux's updates at the encouragement of @MrCaturdayNight
I'm on OPNsense 21.7.8 on protectli hardware ( uses Intel(R) I210 gig copper ports for reference ). I tried running all the commands on the CLI one by one and kept getting erroneous behavior with ngctl, then I tried inserting the kernel module prior to that point in the script explicitly and it worked. So, this is NEARLY identical to the pfatt pull request above. Perhaps the new(er) kernels were removing unused modules (or similar). Interestingly, I noticed the dhcpclient had to iterate over a few retries before success. Not sure if that's relevant or if I simply hadn't seen it run before. Files included / attached for reference:

```
# cat /conf/pfatt/wpa/wpa_supplicant.conf
eapol_version=1
ap_scan=0
fast_reauth=1
network={
        ca_cert="/conf/pfatt/wpa/CA.pem"
        client_cert="/conf/pfatt/wpa/Client.pem"
        eap=TLS
        eapol_flags=0
        identity="C0:A0:0D:**:**:**"
        key_mgmt=IEEE8021X
        phase1="allow_canned_success=1"
        private_key="/conf/pfatt/wpa/PrivateKey.pem"
}
```

```
# cat /usr/local/etc/rc.syshook.d/early/99-opnatt-supplicant
#!/usr/bin/env sh
# Required Config
# ===============
ONT_IF="igb0"
RG_ETHER_ADDR="C0:A0:0D:**:**:**"
EAP_MODE="supplicant"

# Supplicant Config
# =================
EAP_SUPPLICANT_IDENTITY="C0:A0:0D:**:**:**"

##### DO NOT EDIT BELOW #################################################################################

# load the netgraph ethernet module before any ngctl call
/sbin/kldload -nq ng_ether

/usr/bin/logger -st "pfatt" "starting pfatt..."
/usr/bin/logger -st "pfatt" "configuration:"
/usr/bin/logger -st "pfatt" "  ONT_IF = $ONT_IF"
/usr/bin/logger -st "pfatt" "  RG_ETHER_ADDR = $RG_ETHER_ADDR"
/usr/bin/logger -st "pfatt" "  EAP_MODE = $EAP_MODE"
/usr/bin/logger -st "pfatt" "  EAP_SUPPLICANT_IDENTITY = $EAP_SUPPLICANT_IDENTITY"

/usr/bin/logger -st "pfatt" "resetting netgraph..."
/sbin/kldload -nq ng_ether
/usr/sbin/ngctl shutdown waneapfilter:
/usr/sbin/ngctl shutdown laneapfilter:
/usr/sbin/ngctl shutdown "$ONT_IF:"
/usr/sbin/ngctl shutdown o2m:
/usr/sbin/ngctl shutdown vlan0:
/usr/sbin/ngctl shutdown ngeth0:

/usr/bin/logger -st "pfatt" "configuring EAP environment for $EAP_MODE mode..."
/usr/bin/logger -st "pfatt" "cabling should look like this:"
/usr/bin/logger -st "pfatt" "  ONT---[] [$ONT_IF]$HOST"
/usr/bin/logger -st "pfatt" "creating vlan node and ngeth0 interface..."

# attach a vlan node to the ONT interface and expose VLAN 0 as ngeth0
/usr/sbin/ngctl mkpeer "$ONT_IF:" vlan lower downstream

/usr/sbin/ngctl name "$ONT_IF:lower" vlan0

/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'

/usr/sbin/ngctl msg ngeth0: set "$RG_ETHER_ADDR"

/usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."

/sbin/ifconfig "$ONT_IF" ether "$RG_ETHER_ADDR"
/sbin/ifconfig "$ONT_IF" up

/sbin/ifconfig "$ONT_IF" promisc

/usr/bin/logger -st "pfatt" "starting wpa_supplicant..."

WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant -c /conf/pfatt/wpa/wpa_supplicant.conf"

# kill any existing wpa_supplicant process
# (the daemon below runs on $ONT_IF, so match that interface)
PID=$(pgrep -f "wpa_supplicant.*${ONT_IF}")
if [ -n "${PID}" ];
then
  /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
  # PID is left unquoted so that several PIDs are passed as separate arguments
  RES=$(kill ${PID})
fi

# start wpa_supplicant daemon
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant.*${ONT_IF}")
/usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."

# Set WPA configuration parameters.
# WPA_PARAMS is not set in this file (the .conf file carries the settings),
# so this loop body does not run.
/usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
OLD_IFS="$IFS"
IFS=","
for STR in ${WPA_PARAMS};
do
  echo "$STR"
  STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
  RES=$(eval wpa_cli ${STR})
done
IFS="$OLD_IFS"

# wait until wpa_cli has authenticated.
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"

/usr/bin/logger -st "pfatt" "waiting EAP for authorization..."

# TODO: blocking for bootup
while true;
do
  WPA_STATUS=$(eval "${WPA_STATUS_CMD}")
  if [ "X${WPA_STATUS}" = X"Authorized" ];
  then
    /usr/bin/logger -st "pfatt" "EAP authorization completed..."
    IP_STATUS=$(eval "${IP_STATUS_CMD}")
    if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ];
    then
      /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
      RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
      IP_STATUS=$(eval "${IP_STATUS_CMD}")
    fi
    /usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
    break
  else
    sleep 1
  fi
done
/usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
/usr/bin/logger -st "pfatt" "done!"
```
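
The `while true` loop in the script above never returns if `suppPortStatus` does not reach `Authorized`, which is the boot hang reported in this thread. A bounded version of that wait, as an added example that is not part of any post here or of the pfatt repository; `STATUS_CMD`, `supp_port_status` and `wait_for_eap` are names assumed for the example.

```shell
#!/bin/sh
# Added example: bounded wait for 802.1X (EAP) authorization, so an early
# syshook script cannot block boot forever when authentication never completes.

# STATUS_CMD is an assumption of this example: the command whose output is
# parsed. It defaults to the same query the script on this page uses.
STATUS_CMD="${STATUS_CMD:-wpa_cli status}"

# Read `wpa_cli status` output on stdin and print the value of the
# suppPortStatus line (for instance "Authorized" or "Unauthorized").
# Prints nothing when that line is absent.
supp_port_status() {
  sed -n 's/^suppPortStatus=//p' | head -n 1
}

# wait_for_eap MAX_TRIES [DELAY_SECONDS]
# Polls STATUS_CMD up to MAX_TRIES times, sleeping DELAY_SECONDS between polls.
# Return codes:
#   0  the port reached Authorized
#   1  the supplicant answered, but the port never became Authorized
#   2  no suppPortStatus line was ever seen (supplicant not running, or
#      wpa_cli cannot reach its control socket)
wait_for_eap() {
  max_tries=$1
  delay=${2:-1}
  try=0
  seen=0
  while [ "$try" -lt "$max_tries" ]; do
    try=$((try + 1))
    # STATUS_CMD is expanded unquoted on purpose so "wpa_cli status" splits
    # into a command and its argument.
    status=$($STATUS_CMD 2>/dev/null | supp_port_status)
    case "$status" in
      Authorized) return 0 ;;
      "") ;;                 # no answer on this poll
      *) seen=1 ;;           # answered, but not authorized yet
    esac
    sleep "$delay"
  done
  if [ "$seen" -eq 1 ]; then
    return 1
  fi
  return 2
}

# Call site sketch for a boot hook (kept as a comment so that sourcing this
# file has no side effects):
#
#   wait_for_eap 60 1
#   case $? in
#     0) /usr/bin/logger -st "pfatt" "EAP authorization completed..." ;;
#     1) /usr/bin/logger -st "pfatt" "EAP not authorized after 60 tries, continuing boot" ;;
#     2) /usr/bin/logger -st "pfatt" "no status from wpa_supplicant, continuing boot" ;;
#   esac
```

The two failure codes separate "the supplicant is running but the ONT side never authorized the port" from "the supplicant is not answering at all", which are the two situations the reports in this thread could not tell apart from the log.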
zombielinux commented 2022-02-11 21:40:48 +05:30 (Migrated from github.com)

@dangeist Thanks for the excellent work!

I've updated the pull request with the explicit module loading.

Also, the DHCP taking a few attempts was observed over here too, I'd say it's normal behavior.

dangeist commented 2022-02-11 21:52:40 +05:30 (Migrated from github.com)

Purely selfish reasons. I'm moving all my home network gear over to battery-backed DC power and the RGW was a non-standard voltage and power pigtail :)

smplman commented 2022-02-12 10:42:47 +05:30 (Migrated from github.com)

I tried the updates from @dangeist and @zombielinux and I'm still getting hung up on boot. I should note that I'm running on `22.1` and not `21.x`.

After boot I'm able to get authenticated by running `sudo wpa_supplicant -Dwired -ingeth0 /conf/pfatt/wpa/wpa_supplicant.conf`. I'm not sure why it won't auth with `em1`, my WAN port, but it will with `ngeth0`.

A big thank you to all of those who are putting work into this. If I find a workaround I will report back.

jasonsansone commented 2022-02-14 23:24:27 +05:30 (Migrated from github.com)

pfatt.sh also breaks on pfSense 2.6.0. I wasn't able to get it to work and I had to downgrade to 2.5.2.

ChronicledMonocle commented 2022-02-15 01:03:53 +05:30 (Migrated from github.com)

I can also confirm this is broken on pfSense Plus 22.01 and pfSense 2.6.0 CE. Seems something broke in the newer FreeBSD kernel, I'd imagine.

Hou-dev commented 2022-02-15 01:40:28 +05:30 (Migrated from github.com)

I did some testing last night and it seems with Opnsense 22.1 there are some problems with my setup (Intel nic) with the updated kernel. There is an option to update the kernel only using `opnsense-update -kr 22.1`. I was able to get authenticated when using my other Broadcom nic but it had issues with its driver dropping packets. I had to revert to use my Intel 350 nic with the older 21.7.8 kernel.

Edit 0: I also tried ZombieLinux's version but the same issue with the latest version 22.1 with my Intel nic.

Edit 1: There might be some change in FreeBSD 12.3 that broke compatibility with the script since I am seeing reports that pfsense 2.6 is broken. Opnsense skipped 12.3 and used FreeBSD 13's kernel.

bigjohns97 commented 2022-02-15 07:05:51 +05:30 (Migrated from github.com)

Had the issue this morning when I moved over to 2.6 and ended up trying out OPNsense but haven't tried implementing this, watching closely to look for a solution.

Silver lining is this gave me an opportunity to take a good look at OPNsense and it's pretty nice.

neydah700 commented 2022-02-16 01:08:24 +05:30 (Migrated from github.com)

Sounds like a similar issue with us pfSense people. I am a bit lost though. Has anyone gotten @zombielinux fork working with Opnsense 22.1? Looking at his code it looks like the only major difference between what I was using was adding "/sbin/kldload -nq ng_ether" at the start of the script. If someone was successful with 22.1 I'll upgrade again and try it on pfSense 22.01.

bigjohns97 commented 2022-02-16 04:29:01 +05:30 (Migrated from github.com)

> Sounds like a similar issue with us pfSense people. I am a bit lost though. Has anyone gotten @zombielinux fork working with Opnsense 22.1? Looking at his code it looks like the only major difference between what I was using was adding "/sbin/kldload -nq ng_ether" at the start of the script. If someone was successful with 22.1 I'll upgrade again and try it on pfSense 22.01.

I can try this later on once the fam goes to bed.

bigjohns97 commented 2022-02-16 05:53:22 +05:30 (Migrated from github.com)

Well this is quite different than with pfsense which I am used to, only been running opnsense for a couple of days now.

When I boot up it says it can't find the file so I don't know what the issue is, when I try and run the file manually using ./filename it says the same thing so IDK.

bigjohns97 commented 2022-02-16 05:57:33 +05:30 (Migrated from github.com)
```
root@OPNsense:/usr/local/etc/rc.syshook.d/early # ./99-opnatt-supplicant
No such file or directory
root@OPNsense:/usr/local/etc/rc.syshook.d/early # ls -l
total 15
-rwxr-xr-x 1 root wheel 135 Jan 25 03:35 05-upgrade
-rwxr-xr-x 1 root wheel 63 Jan 25 03:35 10-configd
-rwxr-xr-x 1 root wheel 77 Jan 25 03:35 15-templates
-rwxr-xr-x 1 root wheel 93 Jan 25 03:35 20-backup
-rwxr-xr-x 1 root wheel 631 Jan 25 03:35 90-carp
-rwxr-xr-x 1 root wheel 3563 Feb 15 17:33 99-opnatt-supplicant
```
neydah700 commented 2022-02-18 01:23:22 +05:30 (Migrated from github.com)

I know this is focused on OpnSense but I was able to do a lot of troubleshooting on the possibly related pfSense issue and may have found a solution. If not a solution for you all hopefully it adds some insight.

https://github.com/MonkWho/pfatt/issues/67#issuecomment-1043358822

And more info on possibly the root issue in FreeBSD

https://github.com/MonkWho/pfatt/issues/67#issuecomment-1043433763

lnxsrt commented 2022-02-18 08:23:31 +05:30 (Migrated from github.com)

I really do think this is related...

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260068

Unfortunately, it appears that OPNsense has if_em compiled into the kernel. I can confirm their 22.1 branch of the FreeBSD-13 kernel does not have the patch applied...

https://github.com/opnsense/src/tree/stable/22.1/sys/dev/e1000

However, master does...

https://github.com/opnsense/src/tree/stable/13/sys/dev/e1000

neydah700 commented 2022-02-18 09:22:34 +05:30 (Migrated from github.com)

> I really do think this is related...
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260068
>
> Unfortunately, it appears that OPNsense has if_em compiled into the kernel. I can confirm their 22.1 branch of the FreeBSD-13 kernel does not have the patch applied...
>
> https://github.com/opnsense/src/tree/stable/22.1/sys/dev/e1000
>
> However, master does...
>
> https://github.com/opnsense/src/tree/stable/13/sys/dev/e1000

I agree. I feel very strongly this is part, if not all of the issues, that have cropped up on opn/pfsense.

lnxsrt commented 2022-02-18 11:54:35 +05:30 (Migrated from github.com)

Victory!

No custom module or kernel required. Just change this...
`/sbin/ifconfig $ONF_IF promisc`

To this...
`/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso`

ChronicledMonocle commented 2022-02-18 12:01:45 +05:30 (Migrated from github.com)

> Victory!
>
> No custom module or kernel required. Just change this... `/sbin/if/config $ONF_IF promisc`
>
> To this... `/sbin/if/config $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso`

Did you test this on OPNSense or pfSense? Wpa_supplicant or tethered?

lnxsrt commented 2022-02-18 12:02:31 +05:30 (Migrated from github.com)

OPNsense with WPA

neydah700 commented 2022-02-18 12:12:53 +05:30 (Migrated from github.com)

> Victory!
>
> No custom module or kernel required. Just change this... `/sbin/ifconfig $ONF_IF promisc`
>
> To this... `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso`

You got my hopes up! Just tried on pfSense and no luck. Glad it fixes it for you all on OPNSense! Maybe I made a mistake and someone has better luck on pfSense as well!

lnxsrt commented 2022-02-18 12:21:31 +05:30 (Migrated from github.com)

I also have "VLAN Hardware Filter" set to "Disable VLAN Hardware Filtering" in "Interfaces: Settings". I thought this would disable it, but it only seems to act on assigned interfaces... i.e. when the WAN is set to igb0 not ngeth0. So that is why I had to manually set it in the pfatt.sh script.

neydah700, after boot, what does your "ifconfig" look like? You should not see the 3 disabled vlan options. Here's mine...
`igb0: flags=28963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=4e027ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>`

neydah700 commented 2022-02-18 12:26:51 +05:30 (Migrated from github.com)

> I also have "VLAN Hardware Filter" set to "Disable VLAN Hardware Filtering" in "Interfaces: Settings". I thought this would disable it, but it only seems to act on assigned interfaces... i.e. when the WAN is set to igb0 not ngeth0. So that is why I had to manually set it in the pfatt.sh script.
>
> neydah700, after boot, what does your "ifconfig" look like? You should not see the 3 disabled vlan options. Here's mine... `igb0: flags=28963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=4e027ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>`

Gotta call it for the night. I'll give it a shot in the morning and let ya know!

bigjohns97 commented 2022-02-18 16:42:02 +05:30 (Migrated from github.com)

> I also have "VLAN Hardware Filter" set to "Disable VLAN Hardware Filtering" in "Interfaces: Settings". I thought this would disable it, but it only seems to act on assigned interfaces... i.e. when the WAN is set to igb0 not ngeth0. So that is why I had to manually set it in the pfatt.sh script.
>
> neydah700, after boot, what does your "ifconfig" look like? You should not see the 3 disabled vlan options. Here's mine... `igb0: flags=28963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=4e027ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>`

Here is mine (pfsense 2.6)

Custom module with switches (no ip)
```
igb0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
options=6003ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,RXCSUM_IPV6,TXCSUM_IPV6>
```

Default module with switches (no ip)
```
igb0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
options=e007ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6>
```

Custom module, tether script (works)
```
igb0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
```

neydah700 commented 2022-02-18 21:38:35 +05:30 (Migrated from github.com)

> I also have "VLAN Hardware Filter" set to "Disable VLAN Hardware Filtering" in "Interfaces: Settings". I thought this would disable it, but it only seems to act on assigned interfaces... i.e. when the WAN is set to igb0 not ngeth0. So that is why I had to manually set it in the pfatt.sh script.
>
> neydah700, after boot, what does your "ifconfig" look like? You should not see the 3 disabled vlan options. Here's mine... `igb0: flags=28963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=4e027ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>`

@lnxsrt

Mine below. Only difference I noticed was the NOMAP at the end of yours.
`igb5: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500 options=e027ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6>`

Hou-dev commented 2022-02-19 00:44:05 +05:30 (Migrated from github.com)

> Victory!
>
> No custom module or kernel required. Just change this... `/sbin/ifconfig $ONF_IF promisc`
>
> To this... `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso`

This works for my supplicant setup using an Intel i350. I was able to boot and authenticate.

dkowis commented 2022-02-19 00:46:33 +05:30 (Migrated from github.com)

> Victory!
>
> No custom module or kernel required. Just change this... `/sbin/ifconfig $ONF_IF promisc`
>
> To this... `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso`

Has anyone tried this with the "tethered" mode? Apparently Supplicant is popular and maybe I should figure that part out, heh.

bigjohns97 commented 2022-02-19 00:47:12 +05:30 (Migrated from github.com)

Was able to get mine working in tethered mode, now just awaiting a fix for supplicant.

lnxsrt commented 2022-02-19 00:55:12 +05:30 (Migrated from github.com)

There may be multiple problems here. I had no issue getting WPA to authenticate on the ONT_IF with the same script I was using with 21.7, but no traffic would flow and no DHCP lease could be acquired. Disabling the HW Vlan options seemed to fix the traffic flow issue. So I'd make sure you are getting a wpa auth by using the below command as a first step.

`wpa_cli status`

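The triage order from the comment above (confirm 802.1X authorization with `wpa_cli status` first, then confirm the three VLAN hardware options are really off in `ifconfig`, as asked earlier in the thread), as an added example that is not part of the thread or of pfatt/opnatt. The function names are hypothetical, the `wpa_cli` sample text is constructed, and the two `ifconfig` samples are copied from comments in this thread.

```shell
#!/bin/sh
# Added example (not pfatt/opnatt code). The functions read captured command
# output, so the logic can be exercised away from the firewall.

# Names ifconfig shows inside options=<...> while the features toggled by
# -vlanhwtag -vlanhwfilter -vlanhwtso are still enabled.
VLAN_HW_CAPS="VLAN_HWTAGGING VLAN_HWFILTER VLAN_HWTSO"

# wpa_authorized: reads `wpa_cli status` output on stdin and succeeds only
# when the 802.1X port is reported as Authorized.
wpa_authorized() {
    grep -q '^suppPortStatus=Authorized$'
}

# vlan_hw_enabled: reads ifconfig output for one interface on stdin and
# prints the VLAN hardware capabilities that are still on (empty if none).
vlan_hw_enabled() {
    # Skip the separate "nd6 options=" line; keep the interface options list.
    opts=$(sed -n -e '/nd6 options=/d' \
        -e 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | head -n 1)
    found=""
    for cap in $VLAN_HW_CAPS; do
        # Comma-delimited match so VLAN_HWCSUM is not mistaken for a hit.
        case ",$opts," in
            *",$cap,"*) found="${found:+$found }$cap" ;;
        esac
    done
    printf '%s\n' "$found"
}

# triage WPA_STATUS_TEXT IFCONFIG_TEXT: prints a single verdict line.
triage() {
    if ! printf '%s\n' "$1" | wpa_authorized; then
        echo "no-8021x-auth"
        return 0
    fi
    caps=$(printf '%s\n' "$2" | vlan_hw_enabled)
    if [ -n "$caps" ]; then
        echo "vlan-hw-offload-on: $caps"
    else
        echo "ok"
    fi
}

# Constructed wpa_cli status excerpts (authorized / not authorized).
WPA_OK='wpa_state=COMPLETED
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS'
WPA_BAD='wpa_state=ASSOCIATED
Supplicant PAE state=CONNECTING
suppPortStatus=Unauthorized
EAP state=IDLE'

# ifconfig output quoted in this thread: lnxsrt's igb0 after the change ...
IFCONFIG_FIXED='igb0: flags=28963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
options=4e027ab<RXCSUM,TXCSUM,VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>'
# ... and bigjohns97's igb0 with VLAN_HWTAGGING and VLAN_HWTSO still listed.
IFCONFIG_OFFLOAD='igb0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC> metric 0 mtu 1500
options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>'

# On the firewall the same call would take live output, for example:
#   triage "$(wpa_cli status)" "$(/sbin/ifconfig igb0)"
triage "$WPA_OK" "$IFCONFIG_OFFLOAD"
```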
neydah700 commented 2022-02-19 00:56:35 +05:30 (Migrated from github.com)

> There may be multiple problems here. I had no issue getting WPA to authenticate on the ONT_IF with the same script I was using with 21.7, but no traffic would flow and no DHCP lease could be acquired. Disabling the HW Vlan options seemed to fix the traffic flow issue. So I'd make sure you are getting a wpa auth by using the below command as a first step.
>
> `wpa_cli status`

With pfSense I was the same. Never had any issues with WPA. Was just traffic flow on VLAN 0 for DHCP. Unlike you, the script change did not resolve it for me.

MrCaturdayNight commented 2022-02-22 18:19:42 +05:30 (Migrated from github.com)

> Victory!
>
> No custom module or kernel required. Just change this... `/sbin/ifconfig $ONF_IF promisc`
>
> To this... `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso`

Perfect. This worked for me on OPNsense 22.1.x using the supplicant method.

I upgraded from 27.1.8 with this tweak already in my script and my box booted right up, grabbed V4 and V6 and everything seems good so far. I'm on the em driver.

Thanks for solving this one.

owenthewizard commented 2022-02-24 04:38:05 +05:30 (Migrated from github.com)

`-vlanhwtag -vlanhwfilter -vlanhwtso` also worked for me on 22.1.x with supplicant.

sohilm09 commented 2022-02-27 01:39:22 +05:30 (Migrated from github.com)

@zombielinux - Can you make the same change on the opnatt.sh? It worked, I just tested it on a non-supplicant setup and it worked.

kageiit commented 2022-02-27 04:32:48 +05:30 (Migrated from github.com)

Can confirm `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso` works with 22.1.x on my protectli hardware using intel NIC and non supplicant setup. I edited the `99-pfatt.sh` script manually for now. Thanks!

kd8bny commented 2022-02-27 06:49:02 +05:30 (Migrated from github.com)

@neydah700
same here, no dice, pfsense 2.6

tcurrence852 commented 2022-03-05 02:02:06 +05:30 (Migrated from github.com)

I can confirm changing the script to `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso` at the bottom of `/usr/local/etc/rc.syshook.d/early/99-pfatt` works for me as well using non-supplicant method, Opnsense 22.1.2_1 bare metal install on Dell R240 with Intel NICs and BGW-210 AT&T gateway. Survives reboots as always and no throughput or resource usage issues.

wraithfive commented 2022-03-07 22:38:32 +05:30 (Migrated from github.com)

> I can confirm changing the script to `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso` at the bottom of `/usr/local/etc/rc.syshook.d/early/99-pfatt` works for me as well using non-supplicant method, Opnsense 22.1.2_1 bare metal install on Dell R240 with Intel NICs and BGW-210 AT&T gateway. Survives reboots as always and no throughput or resource usage issues.

Are you sure you didn't do any other changes? I spent all weekend trying to get it to work in non-supplicant mode and could not get it to pull a DHCP address for the WAN using a Qotom Q355G4. Clean install of opnsense 22.1.

ehassett commented 2022-03-07 22:54:41 +05:30 (Migrated from github.com)

> > I can confirm changing the script to `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso` at the bottom of `/usr/local/etc/rc.syshook.d/early/99-pfatt` works for me as well using non-supplicant method, Opnsense 22.1.2_1 bare metal install on Dell R240 with Intel NICs and BGW-210 AT&T gateway. Survives reboots as always and no throughput or resource usage issues.
>
> Are you sure you didn't do any other changes? I spent all weekend trying to get it to work in non-supplicant mode and could not get it to pull a DHCP address for the WAN using a Qotom Q355G4. Clean install of opnsense 22.1.

I also was unable to get it working on non-supplicant 22.1 with just these changes. I have a BGW210 as well.

sohilm09 commented 2022-03-08 01:34:08 +05:30 (Migrated from github.com)

Honestly, that's the only change I did. I am running in a VM environment w/ NIC passthrough. What NIC does Qotom Q355G4 have?

tcurrence852 commented 2022-03-08 01:55:46 +05:30 (Migrated from github.com)

> > I can confirm changing the script to `/sbin/ifconfig $ONF_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso` at the bottom of `/usr/local/etc/rc.syshook.d/early/99-pfatt` works for me as well using non-supplicant method, Opnsense 22.1.2_1 bare metal install on Dell R240 with Intel NICs and BGW-210 AT&T gateway. Survives reboots as always and no throughput or resource usage issues.
>
> Are you sure you didn't do any other changes? I spent all weekend trying to get it to work in non-supplicant mode and could not get it to pull a DHCP address for the WAN using a Qotom Q355G4. Clean install of opnsense 22.1.

That's the only thing I did. Keep in mind mine was not a fresh 22.1 install, I already had the bypass up and running prior in 21.7, upgraded to 22.1 in place, bypass didn't work and I simply changed the startup script already present. I never tried changing the initial install script and essentially reinstalling the bypass setup.

wraithfive commented 2022-03-08 02:33:41 +05:30 (Migrated from github.com)

> Honestly, that's the only change I did. I am running in a VM environment w/ NIC passthrough. What NIC does Qotom Q355G4 have?

It's intel nics. I will have to look up the exact ones later when I get home.

wraithfive commented 2022-03-08 05:34:48 +05:30 (Migrated from github.com)

> Honestly, that's the only change I did. I am running in a VM environment w/ NIC passthrough. What NIC does Qotom Q355G4 have?

4 x Intel I211-AT

sohilm09 commented 2022-03-08 06:19:27 +05:30 (Migrated from github.com)

> 4 x Intel I211-AT

That should just work. Here are a few lines before and after my script. Hopefully it helps you.

```
echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
/sbin/ifconfig $RG_IF promisc
echo "OK!"

echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
/sbin/ifconfig $ONT_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso
echo "OK!"

echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"
echo "$(getTimestamp) done!"
```
wraithfive commented 2022-03-08 08:13:49 +05:30 (Migrated from github.com)

I did finally get it to work but it won't work on a reboot of the OPNsense. After a reboot I have to clean up everything the script creates in netgraph then rerun it manually. Then it will pull an IP again just fine. Not sure where to go from there. Seems like I may have an additional issue on top of this one.

sohilm09 commented 2022-03-08 19:55:15 +05:30 (Migrated from github.com)

> I did finally get it to work but it won't work on a reboot of the OPNsense. After a reboot I have to clean up everything the script creates in netgraph then rerun it manually. Then it will pull an IP again just fine. Not sure where to go from there. Seems like I may have an additional issue on top of this one.

What is your netgraph state after the reboot (before the cleanup)?

wraithfive commented 2022-03-08 22:50:11 +05:30 (Migrated from github.com)

> What is your netgraph state after the reboot (before the cleanup)?

I am very new to netgraph so could you be more specific in what you are asking for me? Do you just want the output of "ngctl list" or something more?

sohilm09 commented 2022-03-08 22:53:37 +05:30 (Migrated from github.com)

> > What is your netgraph state after the reboot (before the cleanup)?
>
> I am very new to netgraph so could you be more specific in what you are asking for me? Do you just want the output of "ngctl list" or something more?

That would be a good start

wraithfive commented 2022-03-09 03:24:22 +05:30 (Migrated from github.com)

I was all prepared to reboot, capture the netgraph output, fix things so I could get back but now it's working perfectly. Three reboots and pulls an IP every time. I do not recall doing anything that would have made a difference. But as long as it's working now I guess.

sohilm09 commented 2022-03-09 03:58:47 +05:30 (Migrated from github.com)

> I was all prepared to reboot, capture the netgraph output, fix things so I could get back but now it's working perfectly. Three reboots and pulls an IP every time. I do not recall doing anything that would have made a difference. But as long as it's working now I guess.

Happy to hear, sounds like a timing thing. Sometimes the modem is in an odd spot where it can't pass EAP auth.

tman785 commented 2022-08-20 05:55:09 +05:30 (Migrated from github.com)

For the non-supplicant method, I'm experiencing issues with Opnsense 2.7. I made the required change to the opnatt.sh file, but no change. Anything specific I can look at/test? This is a new build of Opnsense. I'm currently using pfsense 2.5.2 with no issue. One thing I've noticed is the opnatt.sh file - seems several versions out there. I'm using the one in the master branch here. I also require the 5268AC files.

Edit: 3rd restart magic - it works now. Also applied 22.7.2 and we survived. I think another poster above had the same thing - 3 restarts and it works.

rountad commented 2022-09-02 05:23:33 +05:30 (Migrated from github.com)

I set up Opnsense 22.7 and have tried numerous ways to get this working in supplicant mode. After trying the syntax that dangeist posted, I'm getting the same hanging at waiting EAP for authorization. How do I get out of this loop? None of the boot options seem to bypass this problem and the loader option doesn't seem to have the options that I need to fix it (modify or delete the script in `rc.syshook.d/early`).

Thanks!

aholmes55 commented 2022-11-05 04:16:17 +05:30 (Migrated from github.com)

@SGC1990 Does the `/sbin/ifconfig $ONT_IF promisc -vlanhwtag -vlanhwfilter -vlanhwtso` fix need to be applied to the supplicant portion of the script? Your commit is only to the bridge section.

rountad commented 2022-11-09 22:09:24 +05:30 (Migrated from github.com)

![supplicantfailure](https://user-images.githubusercontent.com/49294213/200886972-28cec409-0569-4997-bc8c-8d4f4c855faa.jpg)

Still trying to get supplicant mode working with Opnsense 22.7, but ngeth0 does not have the WAN MAC address and em0 (physical WAN interface) is not set up as promiscuous. When early script is applied, the boot process never completes, so I can't manually change settings as far as I can tell.

Any advice?
tman785 commented 2022-11-09 22:12:08 +05:30 (Migrated from github.com)

> ![supplicantfailure](https://user-images.githubusercontent.com/49294213/200886972-28cec409-0569-4997-bc8c-8d4f4c855faa.jpg)
>
> Still trying to get supplicant mode working with Opnsense 22.7, but ngeth0 does not have the WAN MAC address and em0 (physical WAN interface) is not set up as promiscuous. When early script is applied, the boot process never completes, so I can't manually change settings as far as I can tell.
>
> Any advice?

Don’t put the script in EARLY. Use START instead. I don’t know if this is a recent change but early scripts run before network startup.

https://docs.opnsense.org/development/backend/autorun.html
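Added example, not part of the thread or of the pfatt scripts: a shell check that reads `ifconfig` output for the ONT-facing interface and confirms the state the script fragment posted earlier is meant to produce (`PROMISC` set, the three VLAN hardware offloads cleared), which is also the missing-promiscuous symptom reported for em0 above. The function name `check_ont_if` and both sample outputs are constructed for illustration; the capability names are the ones FreeBSD `ifconfig` prints.

```shell
#!/bin/sh
# Reads FreeBSD-style `ifconfig <if>` output on stdin and checks the state the
# thread's workaround should leave on the ONT interface: PROMISC set and the
# VLAN hardware offloads cleared. Prints one finding per line; returns 0 if clean.
check_ont_if() {
    ifc_out=$(cat)
    # Pull the comma-separated names out of flags=...<...> and options=...<...>.
    # head -n 1 keeps the capability list; the later "nd6 options=" line is ignored.
    flags=$(printf '%s\n' "$ifc_out" | sed -n 's/.*flags=[0-9a-f]*<\([^>]*\)>.*/\1/p' | head -n 1)
    opts=$(printf '%s\n' "$ifc_out" | sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' | head -n 1)
    bad=0
    # Wrap in commas so PROMISC does not match inside PPROMISC
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "missing flag: PROMISC"; bad=1 ;;
    esac
    for cap in VLAN_HWTAGGING VLAN_HWFILTER VLAN_HWTSO; do
        case ",$opts," in
            *,"$cap",*) echo "offload still enabled: $cap"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: interface at driver defaults (no PROMISC, offloads on)
SAMPLE_DEFAULT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=481249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>'
# Constructed sample: after `ifconfig em0 promisc -vlanhwtag -vlanhwfilter -vlanhwtso`
SAMPLE_FIXED='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=481209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,WOL_MAGIC>'

printf '%s\n' "$SAMPLE_DEFAULT" | check_ont_if || echo "-> workaround not applied"
printf '%s\n' "$SAMPLE_FIXED" | check_ont_if && echo "-> interface matches the workaround"
# On the firewall itself: /sbin/ifconfig em0 | check_ont_if
```

Run after boot, a non-zero return shows the hook script did not reach, or did not complete, its `ifconfig` step for that interface.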
Reference: hhf/pfatt#65