Merge to implement latest changes #1
					 4 changed files with 167 additions and 64 deletions
				
			
		
							
								
								
									
										17
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										17
									
								
								README.md
									
									
									
									
									
								
							|  | @ -104,7 +104,18 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon]( | |||
|     scp bin/pfatt.sh root@pfsense:/root/bin/ | ||||
|     ssh root@pfsense chmod +x /root/bin/pfatt.sh | ||||
|     ``` | ||||
|     Now edit your `config.xml` to include `<earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd>` above `</system>` | ||||
|     Now edit your `/conf/config.xml` to include `<earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd>` above `</system>`.  | ||||
|      | ||||
|     **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268.sh` due to [issue #5](https://github.com/aus/pfatt/issues/5). The script monitors your connection and disables or enables the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Consider changing the `PING_HOST` in `pfatt-5268AC.sh` to a reliable host. Then perform these additional steps to install: | ||||
| 
 | ||||
|     Copy `bin/pfatt-5268AC` to `/usr/local/etc/rc.d/` | ||||
|      | ||||
|     Copy `bin/pfatt-5268AC.sh` to `/root/bin/`: | ||||
|     ``` | ||||
|     scp bin/pfatt-5268AC root@pfsense:/usr/local/etc/rc.d/ | ||||
|     scp bin/pfatt-5268AC.sh root@pfsense:/root/bin/ | ||||
|     ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC /root/bin/pfatt-5268AC.sh | ||||
|     ``` | ||||
| 
 | ||||
| 4. Connect cables: | ||||
|     - `$RG_IF` to Residential Gateway on the ONT port (not the LAN ports!) | ||||
|  | @ -167,6 +178,10 @@ That's it! Now your clients should be receiving public IPv6 addresses via DHCP6. | |||
| 
 | ||||
| # Troubleshooting | ||||
| 
 | ||||
| ## Logging | ||||
| 
 | ||||
| Output from `pfatt.sh` and `pfatt-5268AC.sh` can be found in `/var/log/pfatt.log`. | ||||
| 
 | ||||
| ## tcpdump | ||||
| 
 | ||||
| Use tcpdump to watch the authentication, vlan and dhcp bypass process (see above). Run tcpdumps on the `$ONT_IF` interface and the `$RG_IF` interface: | ||||
|  |  | |||
							
								
								
									
										50
									
								
								bin/pfatt-5268AC
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										50
									
								
								bin/pfatt-5268AC
									
									
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,50 @@ | |||
| #!/bin/sh | ||||
| 
 | ||||
| script_path="/root/bin/pfatt-5268AC.sh" | ||||
| 
 | ||||
| name=`/usr/bin/basename "${script_path}"` | ||||
| 
 | ||||
| rc_start() { | ||||
|     ### Lock out other start signals until we are done | ||||
|     /usr/bin/touch /var/run/${name}.lck | ||||
| 
 | ||||
|     ${script_path} & | ||||
|     pid=$! | ||||
|      | ||||
|     if [ $pid ]; then | ||||
|         echo $pid > /var/run/${name}.pid | ||||
|         /usr/bin/logger -p daemon.info -i -t pfattStartup "Successfully started ${name}" | ||||
|     else | ||||
|         /usr/bin/logger -p daemon.error -i -t pfattStartup "Error starting ${name}" | ||||
|     fi | ||||
|      | ||||
|     ### Remove the lock | ||||
|     if [ -f /var/run/${name}.lck ]; then | ||||
|         /bin/sleep 2 | ||||
|         /bin/rm /var/run/${name}.lck | ||||
|     fi | ||||
| } | ||||
| 
 | ||||
| rc_stop() { | ||||
|     if [ -f /var/run/${name}.pid ]; then | ||||
|         kill -9 `cat /var/run/${name}.pid` | ||||
|         /bin/rm /var/run/${name}.pid | ||||
|     fi | ||||
| } | ||||
| 
 | ||||
| case $1 in | ||||
|     start) | ||||
|         if [ ! -f /var/run/${name}.lck ]; then | ||||
|             rc_start | ||||
|         fi | ||||
|         ;; | ||||
|     stop) | ||||
|         rc_stop | ||||
|         ;; | ||||
|     restart) | ||||
|         if [ ! -f /var/run/${name}.lck ]; then | ||||
|             rc_stop | ||||
|             rc_start | ||||
|         fi | ||||
|         ;; | ||||
| esac | ||||
							
								
								
									
										31
									
								
								bin/pfatt-5268AC.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										31
									
								
								bin/pfatt-5268AC.sh
									
									
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,31 @@ | |||
| #!/bin/sh | ||||
| PING_HOST=8.8.8.8 | ||||
| SLEEP=5 | ||||
| LOG=/var/log/pfatt.log | ||||
| 
 | ||||
| getTimestamp(){ | ||||
|     echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt-5268AC.sh] ::"` | ||||
| } | ||||
| 
 | ||||
| { | ||||
|     RG_CONNECTED="/usr/sbin/ngctl show laneapfilter:eapout" | ||||
| 
 | ||||
|     echo "$(getTimestamp) Starting 5268AC ping monitor ..." | ||||
|     while | ||||
|     if /sbin/ping -t2 -q -c1 $PING_HOST > /dev/null ; then | ||||
|         if $RG_CONNECTED >/dev/null 2>&1 ; then | ||||
|         echo "$(getTimestamp) Connection to $PING_HOST is up, but EAP is being bridged!" | ||||
|         echo -n "$(getTimestamp) Disconnecting netgraph node ... " | ||||
|         /usr/sbin/ngctl rmhook laneapfilter: eapout && echo "OK!" || echo "ERROR!" | ||||
|         fi | ||||
|     else | ||||
|         if ! $RG_CONNECTED >/dev/null 2>&1 ; then | ||||
|         echo "$(getTimestamp) Connection to $PING_HOST is down, but EAP is not being bridged!" | ||||
|         echo -n "$(getTimestamp) Connecting netgraph node ... " | ||||
|         /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout  && echo "OK!" || echo "ERROR!" | ||||
|         fi | ||||
|     fi | ||||
|     sleep $SLEEP | ||||
|     do :; done  | ||||
|     echo "$(getTimestamp) Stopping 5268AC ping monitor ..." | ||||
| } >> $LOG | ||||
							
								
								
									
										133
									
								
								bin/pfatt.sh
									
									
									
									
									
								
							
							
						
						
									
										133
									
								
								bin/pfatt.sh
									
									
									
									
									
								
							|  | @ -3,84 +3,91 @@ set -e | |||
| 
 | ||||
| ONT_IF='em0' | ||||
| RG_IF='em1' | ||||
| RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'                      | ||||
| RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' | ||||
| LOG=/var/log/pfatt.log | ||||
| 
 | ||||
| echo "$0: pfSense + AT&T U-verse Residential Gateway for true bridge mode" | ||||
| echo "Configuration: " | ||||
| echo "       ONT_IF: $ONT_IF" | ||||
| echo "        RG_IF: $RG_IF" | ||||
| echo "RG_ETHER_ADDR: $RG_ETHER_ADDR" | ||||
| getTimestamp(){ | ||||
|     echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"` | ||||
| } | ||||
| 
 | ||||
| echo -n "loading netgraph kernel modules... " | ||||
| /sbin/kldload ng_etf | ||||
| echo "OK! (any 'already loaded' errors can be ignored)" | ||||
| { | ||||
|     echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway for true bridge mode" | ||||
|     echo "$(getTimestamp) Configuration: " | ||||
|     echo "$(getTimestamp)        ONT_IF: $ONT_IF" | ||||
|     echo "$(getTimestamp)         RG_IF: $RG_IF" | ||||
|     echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR" | ||||
| 
 | ||||
| echo -n "attaching interfaces to ng_ether... " | ||||
| /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"  | ||||
| /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');" | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp) loading netgraph kernel modules... " | ||||
|     /sbin/kldload -nq ng_etf | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo "building netgraph nodes..." | ||||
|     echo -n "$(getTimestamp) attaching interfaces to ng_ether... " | ||||
|     /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"  | ||||
|     /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');" | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "  creating ng_one2many... " | ||||
| /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one | ||||
| /usr/sbin/ngctl name $ONT_IF:lower o2m | ||||
| echo "OK!" | ||||
|     echo "$(getTimestamp) building netgraph nodes..." | ||||
| 
 | ||||
| echo -n "  creating vlan node and interface... " | ||||
| /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream | ||||
| /usr/sbin/ngctl name o2m:many0 vlan0 | ||||
| /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether | ||||
|     echo -n "$(getTimestamp)   creating ng_one2many... " | ||||
|     /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one | ||||
|     /usr/sbin/ngctl name $ONT_IF:lower o2m | ||||
|     echo "OK!" | ||||
| 
 | ||||
| /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' | ||||
| /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp)   creating vlan node and interface... " | ||||
|     /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream | ||||
|     /usr/sbin/ngctl name o2m:many0 vlan0 | ||||
|     /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether | ||||
| 
 | ||||
| echo -n "  defining etf for $ONT_IF (ONT)... " | ||||
| /usr/sbin/ngctl mkpeer o2m: etf many1 downstream | ||||
| /usr/sbin/ngctl name o2m:many1 waneapfilter | ||||
| /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper | ||||
| echo "OK!" | ||||
|     /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }' | ||||
|     /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "  defining etf for $RG_IF (RG)... " | ||||
| /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream | ||||
| /usr/sbin/ngctl name $RG_IF:lower laneapfilter | ||||
| /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... " | ||||
|     /usr/sbin/ngctl mkpeer o2m: etf many1 downstream | ||||
|     /usr/sbin/ngctl name o2m:many1 waneapfilter | ||||
|     /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "  bridging etf for $ONT_IF <-> $RG_IF... " | ||||
| /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... " | ||||
|     /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream | ||||
|     /usr/sbin/ngctl name $RG_IF:lower laneapfilter | ||||
|     /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "  defining filters for EAP traffic... " | ||||
| /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' | ||||
| /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... " | ||||
|     /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "  enabling one2many links... " | ||||
| /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp)   defining filters for EAP traffic... " | ||||
|     /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' | ||||
|     /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "  removing waneapfilter:nomatch hook... " | ||||
| /usr/sbin/ngctl rmhook waneapfilter: nomatch | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp)   enabling one2many links... " | ||||
|     /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }" | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo "enabling interfaces..." | ||||
| echo -n "  $RG_IF ... " | ||||
| /sbin/ifconfig $RG_IF up | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... " | ||||
|     /usr/sbin/ngctl rmhook waneapfilter: nomatch | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "  $ONT_IF ... " | ||||
| /sbin/ifconfig $ONT_IF up | ||||
| echo "OK!" | ||||
|     echo "$(getTimestamp) enabling interfaces..." | ||||
|     echo -n "$(getTimestamp)   $RG_IF ... " | ||||
|     /sbin/ifconfig $RG_IF up | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "enabling promiscuous mode on $RG_IF... " | ||||
| /sbin/ifconfig $RG_IF promisc | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp)   $ONT_IF ... " | ||||
|     /sbin/ifconfig $ONT_IF up | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo -n "enabling promiscuous mode on $ONT_IF... " | ||||
| /sbin/ifconfig $ONT_IF promisc | ||||
| echo "OK!" | ||||
|     echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... " | ||||
|     /sbin/ifconfig $RG_IF promisc | ||||
|     echo "OK!" | ||||
| 
 | ||||
| echo "ngeth0 should now be available to configure as your pfSense WAN" | ||||
| echo "done!" | ||||
|     echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... " | ||||
|     /sbin/ifconfig $ONT_IF promisc | ||||
|     echo "OK!" | ||||
| 
 | ||||
|     echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN" | ||||
|     echo "$(getTimestamp) done!" | ||||
| } >> $LOG | ||||
|  |  | |||
		Loading…
	
		Reference in a new issue