Merge to implement latest changes #1

Merged
MonkWho merged 33 commits from master into master 2020-05-03 02:30:07 +05:30
4 changed files with 167 additions and 64 deletions
Showing only changes of commit 509a928481 - Show all commits


@ -104,7 +104,18 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon](
scp bin/pfatt.sh root@pfsense:/root/bin/ scp bin/pfatt.sh root@pfsense:/root/bin/
ssh root@pfsense chmod +x /root/bin/pfatt.sh ssh root@pfsense chmod +x /root/bin/pfatt.sh
``` ```
Now edit your `config.xml` to include `<earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd>` above `</system>` Now edit your `/conf/config.xml` to include `<earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd>` above `</system>`.
**NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268.sh` due to [issue #5](https://github.com/aus/pfatt/issues/5). The script monitors your connection and disables or enables the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Consider changing the `PING_HOST` in `pfatt-5268AC.sh` to a reliable host. Then perform these additional steps to install:
Copy `bin/pfatt-5268AC` to `/usr/local/etc/rc.d/`
Copy `bin/pfatt-5268AC.sh` to `/root/bin/`:
```
scp bin/pfatt-5268AC root@pfsense:/usr/local/etc/rc.d/
scp bin/pfatt-5268AC.sh root@pfsense:/root/bin/
ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC /root/bin/pfatt-5268AC.sh
```
4. Connect cables: 4. Connect cables:
- `$RG_IF` to Residential Gateway on the ONT port (not the LAN ports!) - `$RG_IF` to Residential Gateway on the ONT port (not the LAN ports!)
@ -167,6 +178,10 @@ That's it! Now your clients should be receiving public IPv6 addresses via DHCP6.
# Troubleshooting # Troubleshooting
## Logging
Output from `pfatt.sh` and `pfatt-5268AC.sh` can be found in `/var/log/pfatt.log`.
## tcpdump ## tcpdump
Use tcpdump to watch the authentication, vlan and dhcp bypass process (see above). Run tcpdumps on the `$ONT_IF` interface and the `$RG_IF` interface: Use tcpdump to watch the authentication, vlan and dhcp bypass process (see above). Run tcpdumps on the `$ONT_IF` interface and the `$RG_IF` interface:

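--- a/bin/pfatt-5268AC
+++ b/bin/pfatt-5268AC
@@ -0,0 +1,50 @@
+#!/bin/sh
+script_path="/root/bin/pfatt-5268AC.sh"
+name=`/usr/bin/basename "${script_path}"`
+rc_start() {
+### Lock out other start signals until we are done
+/usr/bin/touch /var/run/${name}.lck
+${script_path} &
+pid=$!
+if [ $pid ]; then
+echo $pid > /var/run/${name}.pid
+/usr/bin/logger -p daemon.info -i -t pfattStartup "Successfully started ${name}"
+else
+/usr/bin/logger -p daemon.error -i -t pfattStartup "Error starting ${name}"
+fi
+### Remove the lock
+if [ -f /var/run/${name}.lck ]; then
+/bin/sleep 2
+/bin/rm /var/run/${name}.lck
+fi
+}
+rc_stop() {
+if [ -f /var/run/${name}.pid ]; then
+kill -9 `cat /var/run/${name}.pid`
+/bin/rm /var/run/${name}.pid
+fi
+}
+case $1 in
+start)
+if [ ! -f /var/run/${name}.lck ]; then
+rc_start
+fi
+;;
+stop)
+rc_stop
+;;
+restart)
+if [ ! -f /var/run/${name}.lck ]; then
+rc_stop
+rc_start
+fi
+;;
+esac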
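Review bot: `if [ $pid ]; then` in rc_start can never take the else branch, because `$!` is always set once the `&` job has been forked, so the "Error starting" logger call is unreachable and a monitor that dies immediately is still reported as started; a short wait followed by a liveness probe, `/bin/sleep 1; if kill -0 "$pid" 2>/dev/null; then`, makes the check meaningful. rc_stop has the mirror problem: it sends `kill -9` to whatever number is in the pidfile without confirming that process is still this script, so a pidfile left behind by a crash or reboot can terminate an unrelated process that reused the pid. Check first and try SIGTERM before SIGKILL, e.g. `pid=$(cat "/var/run/${name}.pid"); kill -0 "$pid" 2>/dev/null && kill "$pid"`. The lock and pidfile paths are built from `${name}` unquoted throughout; quoting them (`"/var/run/${name}.pid"`) costs nothing and removes a word-splitting hazard.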

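--- a/bin/pfatt-5268AC.sh
+++ b/bin/pfatt-5268AC.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+PING_HOST=8.8.8.8
+SLEEP=5
+LOG=/var/log/pfatt.log
+getTimestamp(){
+echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt-5268AC.sh] ::"`
+}
+{
+RG_CONNECTED="/usr/sbin/ngctl show laneapfilter:eapout"
+echo "$(getTimestamp) Starting 5268AC ping monitor ..."
+while
+if /sbin/ping -t2 -q -c1 $PING_HOST > /dev/null ; then
+if $RG_CONNECTED >/dev/null 2>&1 ; then
+echo "$(getTimestamp) Connection to $PING_HOST is up, but EAP is being bridged!"
+echo -n "$(getTimestamp) Disconnecting netgraph node ... "
+/usr/sbin/ngctl rmhook laneapfilter: eapout && echo "OK!" || echo "ERROR!"
+fi
+else
+if ! $RG_CONNECTED >/dev/null 2>&1 ; then
+echo "$(getTimestamp) Connection to $PING_HOST is down, but EAP is not being bridged!"
+echo -n "$(getTimestamp) Connecting netgraph node ... "
+/usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout && echo "OK!" || echo "ERROR!"
+fi
+fi
+sleep $SLEEP
+do :; done
+echo "$(getTimestamp) Stopping 5268AC ping monitor ..."
+} >> $LOG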
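Review bot: A single lost probe is enough to flip the netgraph topology: when the one-packet `ping -c1` fails, the `else` branch immediately reconnects `waneapfilter:`/`laneapfilter:`, and the next successful probe `$SLEEP` seconds later tears the hook down again, so ordinary packet loss toward `$PING_HOST` bounces the EAP bridge. If this runs on FreeBSD, where ping exits 0 once any reply arrives, sending a few probes per cycle with a matching timeout — `/sbin/ping -t5 -q -c3 "$PING_HOST"` — tolerates single-packet loss, and counting consecutive failures before acting would be more robust still. The loop body sits in the `while` condition with an empty `do :; done`, so the loop only ends if `sleep` fails, and the final "Stopping ..." line is effectively unreachable given that the rc script stops the monitor with SIGKILL; `while :; do ... done` plus a `trap` on TERM that echoes the stop message would make that log line real. `$RG_CONNECTED` holds a command line that is re-split on every unquoted expansion; a small function, `rg_connected() { /usr/sbin/ngctl show laneapfilter:eapout >/dev/null 2>&1; }`, expresses the same check without the word-splitting dependency.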


@ -3,84 +3,91 @@ set -e
ONT_IF='em0' ONT_IF='em0'
RG_IF='em1' RG_IF='em1'
RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
LOG=/var/log/pfatt.log
echo "$0: pfSense + AT&T U-verse Residential Gateway for true bridge mode" getTimestamp(){
echo "Configuration: " echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"`
echo " ONT_IF: $ONT_IF" }
echo " RG_IF: $RG_IF"
echo "RG_ETHER_ADDR: $RG_ETHER_ADDR"
echo -n "loading netgraph kernel modules... " {
/sbin/kldload ng_etf echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway for true bridge mode"
echo "OK! (any 'already loaded' errors can be ignored)" echo "$(getTimestamp) Configuration: "
echo "$(getTimestamp) ONT_IF: $ONT_IF"
echo "$(getTimestamp) RG_IF: $RG_IF"
echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
echo -n "attaching interfaces to ng_ether... " echo -n "$(getTimestamp) loading netgraph kernel modules... "
/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');" /sbin/kldload -nq ng_etf
/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');" echo "OK!"
echo "OK!"
echo "building netgraph nodes..." echo -n "$(getTimestamp) attaching interfaces to ng_ether... "
/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"
/usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');"
echo "OK!"
echo -n " creating ng_one2many... " echo "$(getTimestamp) building netgraph nodes..."
/usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
/usr/sbin/ngctl name $ONT_IF:lower o2m
echo "OK!"
echo -n " creating vlan node and interface... " echo -n "$(getTimestamp) creating ng_one2many... "
/usr/sbin/ngctl mkpeer o2m: vlan many0 downstream /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
/usr/sbin/ngctl name o2m:many0 vlan0 /usr/sbin/ngctl name $ONT_IF:lower o2m
/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether echo "OK!"
/usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' echo -n "$(getTimestamp) creating vlan node and interface... "
/usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
echo "OK!" /usr/sbin/ngctl name o2m:many0 vlan0
/usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
echo -n " defining etf for $ONT_IF (ONT)... " /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
/usr/sbin/ngctl mkpeer o2m: etf many1 downstream /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
/usr/sbin/ngctl name o2m:many1 waneapfilter echo "OK!"
/usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
echo "OK!"
echo -n " defining etf for $RG_IF (RG)... " echo -n "$(getTimestamp) defining etf for $ONT_IF (ONT)... "
/usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
/usr/sbin/ngctl name $RG_IF:lower laneapfilter /usr/sbin/ngctl name o2m:many1 waneapfilter
/usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
echo "OK!" echo "OK!"
echo -n " bridging etf for $ONT_IF <-> $RG_IF... " echo -n "$(getTimestamp) defining etf for $RG_IF (RG)... "
/usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
echo "OK!" /usr/sbin/ngctl name $RG_IF:lower laneapfilter
/usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
echo "OK!"
echo -n " defining filters for EAP traffic... " echo -n "$(getTimestamp) bridging etf for $ONT_IF <-> $RG_IF... "
/usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
/usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' echo "OK!"
echo "OK!"
echo -n " enabling one2many links... " echo -n "$(getTimestamp) defining filters for EAP traffic... "
/usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
echo "OK!" /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
echo "OK!"
echo -n " removing waneapfilter:nomatch hook... " echo -n "$(getTimestamp) enabling one2many links... "
/usr/sbin/ngctl rmhook waneapfilter: nomatch /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
echo "OK!" echo "OK!"
echo "enabling interfaces..." echo -n "$(getTimestamp) removing waneapfilter:nomatch hook... "
echo -n " $RG_IF ... " /usr/sbin/ngctl rmhook waneapfilter: nomatch
/sbin/ifconfig $RG_IF up echo "OK!"
echo "OK!"
echo -n " $ONT_IF ... " echo "$(getTimestamp) enabling interfaces..."
/sbin/ifconfig $ONT_IF up echo -n "$(getTimestamp) $RG_IF ... "
echo "OK!" /sbin/ifconfig $RG_IF up
echo "OK!"
echo -n "enabling promiscuous mode on $RG_IF... " echo -n "$(getTimestamp) $ONT_IF ... "
/sbin/ifconfig $RG_IF promisc /sbin/ifconfig $ONT_IF up
echo "OK!" echo "OK!"
echo -n "enabling promiscuous mode on $ONT_IF... " echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
/sbin/ifconfig $ONT_IF promisc /sbin/ifconfig $RG_IF promisc
echo "OK!" echo "OK!"
echo "ngeth0 should now be available to configure as your pfSense WAN" echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
echo "done!" /sbin/ifconfig $ONT_IF promisc
echo "OK!"
echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"
echo "$(getTimestamp) done!"
} >> $LOG
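Review bot: With `set -e` in effect (visible in the hunk header) and all stdout now redirected into `$LOG`, a failing `ngctl` or `ifconfig` step aborts the script right after an `echo -n "... "` has been written, so the log ends in a truncated line while the tool's own error goes to stderr, which the `>> $LOG` redirection does not capture; whether anything collects stderr when this runs as an `earlyshellcmd` is not visible here. Capturing both streams, `} >> "$LOG" 2>&1`, and recording the abort via a trap set before the `{` group, `trap 'rc=$?; [ "$rc" -eq 0 ] || echo "$(getTimestamp) aborted with exit status $rc" >> "$LOG"' EXIT`, would keep the failure diagnosable from the log alone. `getTimestamp` also wraps `date` in a useless `echo` of a backtick substitution; `date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"` on its own produces the same output. The script's opening lines (shebang and `set -e`) lie before this hunk.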