From f71b21f5a0dba1ac691d54097e3e3cf726126d8c Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Sun, 27 Dec 2020 22:50:49 -0600
Subject: [PATCH 01/31] Update README.md

---
 README.md | 93 +++++++++++++++++++++----------------------------------
 1 file changed, 36 insertions(+), 57 deletions(-)

diff --git a/README.md b/README.md
index e85ded5..975aa68 100644
--- a/README.md
+++ b/README.md
@@ -4,8 +4,6 @@ This repository includes my notes on enabling a true bridge mode setup with AT&T
 
 There are a few other methods to accomplish true bridge mode, so be sure to see what easiest for you. True Bridge Mode is also possible in a Linux via ebtables or using hardware with a VLAN swap trick. For me, I was not using a Linux-based router and the VLAN swap did not seem to work for me.
 
-While many AT&T residential gateways offer something called _IP Passthrough_, it does not provide the same advantages of a true bridge mode. For example, the NAT table is still managed by the gateway, which is limited to a measly 8192 sessions (although it becomes unstable at even 60% capacity).
-
 The netgraph method will allow you to fully utilize your own router and fully bypass your residential gateway. It survives reboots, re-authentications, IPv6, and new DHCP leases.
 
 # How it Works
@@ -23,56 +21,34 @@ First, let's talk about what happens in the standard setup (without any bypass).
 
 ## Bypass Procedure
 
-To bypass the gateway using pfSense, we can emulate the standard procedure. If we connect our Residential Gateway and ONT to our pfSense box, we can bridge the 802.1/X authentication sequence, tag our WAN traffic as VLAN0, and request a public IPv4 via DHCP using a spoofed MAC address.
+### Supplicant Method
+If you have valid certs that have been extracted from an authorized residential gateway device, you can utilize the native wpa_supplicant client in pfSense to perform 802.1X EAP-TLS authentication.
 
-Unfortunately, there are some challenges with emulating this process. First, it's against RFC to bridge 802.1/X traffic and it is not supported. Second, tagging traffic as VLAN0 is not supported through the standard interfaces.
+I will also note that EAP-TLS authentication authorizes the device, not the subscriber. Meaning, any authorized device (NVG589, NVG599, 5268AC, BGW210, etc) can be used to authorize the link. It does not have to match the RG assigned to your account. For example, an NVG589 purchased of eBay can authorize the link. The subscriber's service is authorized separately (probably by the DHCP MAC and/or ONT serial number).
 
-This is where netgraph comes in. Netgraph allows you to break some rules and build the proper plumbing to make this work. So, our cabling looks like this:
+In supplicant mode, the residential gateway can be permanently disconnected. We will still use netgraph to tag our traffic with VLAN0. Our cabling then looks pretty simple:
 
-```
-Residential Gateway
-[ONT Port]
-  |
-  |
-[nic0] pfSense [nic1]
-                 |
-                 |
-               [ONT]
-              Outside
-```
+   ```
+  Outside[ONT]---[nic0]pfsense
+   ```
+With netgraph, the procedure also looks a little simpler:
 
-With netgraph, our procedure looks like this (at a high level):
-
-1. The Residential Gateway initiates a 802.1/X EAPOL-START.
-1. The packet then is bridged through netgraph to the ONT interface.
-1. If the packet matches an 802.1/X type (which is does), it is passed to the ONT interface. If it does not, the packet is discarded. This prevents our Residential Gateway from initiating DHCP. We want pfSense to handle that.
-1. The ONT should then see and respond to the EAPOL-START, which is passed back through our netgraph back to the residential gateway. At this point, the 802.1/X authentication should be complete.
-1. netgraph has also created an interface for us called `ngeth0`. This interface is connected to `ng_vlan` which is configured to tag all traffic as VLAN0 before sending it on to the ONT interface.
-1. pfSense can then be configured to use `ngeth0` as the WAN interface.
-1. Next, we spoof the MAC address of the residential gateway and request a DHCP lease on `ngeth0`. The packets get tagged as VLAN0 and exit to the ONT.
-1. Now the DHCP handshake should complete and we should be on our way!
-
-Hopefully, that now gives you an idea of what we are trying to accomplish. See the comments and commands `bin/pfatt.sh` for details about the netgraph setup.
+netgraph has created an interface for us called ngeth0. This interface is connected to ng_vlan which is configured to tag all traffic as VLAN0 before sending it on to the ONT interface.
+wpa_supplicant binds to ngeth0 and initiates 802.1X EAP-TLS authentication
+pfSense can then be configured to use ngeth0 as the WAN interface.
+Next, we spoof the MAC address of the residential gateway and request a DHCP lease on ngeth0. The packets get tagged as VLAN0 and exit to the ONT.
+Now the DHCP handshake should complete and we should be on our way!
+Hopefully, that now gives you an idea of what we are trying to accomplish. See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
 But enough talk. Now for the fun part!
 
-# Setup
-
 ## Prerequisites
 
-* At least __three__ physical network interfaces on your pfSense server
-* The MAC address of your Residential Gateway
 * Local or console access to pfSense
-* pfSense 2.4.5 running on amd64 architecture _(If you are running pfSense 2.4.4 please see instruction in the [Before-pfSense-2.4.5 branch](https://github.com/MonkWho/pfatt/blob/Before-pfSense-2.4.5/README.md))_
-
-At this time there is a bug in pFsense 2.4.5 and [ng_etf module is only included in pFsense 2.4.5 _amd64 build_](
-https://redmine.pfsense.org/issues/10463). Should be fixed in 2.4.5-p1.
-
-PFSense Builds for Netgate hardware may not include ng_etf (Confimred on SG4860-Desktop 2.4.5-p1). Confirm ng_etf exists before continuing and look at [Before-pfSense-2.4.5 branch](https://github.com/MonkWho/pfatt/blob/Before-pfSense-2.4.5/README.md) for gudiance if it doesn't exist.
-
-If you are running pfSense on anything other than amd64 architecture you should compile your own version of ng_etf. Look at [Before-pfSense-2.4.5 branch](https://github.com/MonkWho/pfatt/blob/Before-pfSense-2.4.5/README.md) for some guidance on compiling and running your own ng_etf.
-
-If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon](https://www.amazon.com/gp/product/B00007IFED) as your third. It has the Asix AX88772 chipset, which is supported in FreeBSD with the [axe](https://www.freebsd.org/cgi/man.cgi?query=axe&sektion=4) driver. I've confirmed it works in my setup. The driver was already loaded and I didn't have to install or configure anything to get it working. Also, don't worry about the poor performance of USB or 100Mbps NICs. This third NIC will only send/recieve a few packets periodicaly to authenticate your Router Gateway. The rest of your traffic will utilize your other (and much faster) NICs.
+* pfSense 2.4.5 running on amd64 architecture
+* Two physical network interfaces on your pfSense server
+* The MAC address of your EAP-TLS Identity (which is the same as your residential gateway if you are using its certificates)
+* Valid certificates to perform EAP-TLS authentication (see Extracting Certificates)
 
 ## Install
 
@@ -89,15 +65,19 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon](
     scp bin/pfatt.sh root@pfsense:/root/bin/
     ssh root@pfsense chmod +x /root/bin/pfatt.sh
     ```
-
-    **NOTE:** If you have the 5268AC, you'll also need to install `pfatt-5268AC-startup.sh` and `pfatt-5268.sh`. The scripts monitor your connection and disable or enable the EAP bridging as needed. It's a hacky workaround, but it enables you to keep your 5268AC connected, avoid EAP-Logoffs and survive reboots. Consider changing the `PING_HOST` in `pfatt-5268AC.sh` to a reliable host. Then perform these additional steps to install:
-    ```
-    scp bin/pfatt-5268AC-startup.sh root@pfsense:/usr/local/etc/rc.d/pfatt-5268AC-startup.sh
-    scp bin/pfatt-5268AC.sh root@pfsense:/root/bin/
-    ssh root@pfsense chmod +x /usr/local/etc/rc.d/pfatt-5268AC-startup.sh /root/bin/pfatt-5268AC.sh
-    ```
-
-3. To start pfatt.sh script at the beginning of the boot process pfSense team recomments you use a package called shellcmd. Use pfSense package installer to find and install it. Once you have shellcmd package installed you can find it in Services > Shellcmd. Now add a new command and fill it up accordingly (make sure to select earlyshellcmd from a dropdown):
+    
+3. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions.
+      ```
+      [2.4.4-RELEASE][root@pfsense.knox.lan]/conf/pfatt/wpa: ls -al
+      total 19
+      drwxr-xr-x  2 root  wheel     5 Jan 10 16:32 .
+      drwxr-xr-x  4 root  wheel     5 Jan 10 16:33 ..
+      -rw-------  1 root  wheel  5150 Jan 10 16:32 ca.pem
+      -rw-------  1 root  wheel  1123 Jan 10 16:32 client.pem
+      -rw-------  1 root  wheel   887 Jan 10 16:32 private.pem
+      ```
+    
+4. To start pfatt.sh script at the beginning of the boot process pfSense team recomments you use a package called shellcmd. Use pfSense package installer to find and install it. Once you have shellcmd package installed you can find it in Services > Shellcmd. Now add a new command and fill it up accordingly (make sure to select earlyshellcmd from a dropdown):
     ```
     Command: /root/bin/pfatt.sh
     Shellcmd Type: earlyshellcmd
@@ -107,15 +87,14 @@ If you only have two NICs, you can buy this cheap USB 100Mbps NIC [from Amazon](
 
     This can also be acomplished by manually editing your pfSense /conf/config.xml file. Add <earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd> above </system>. This method is not recommended and is frowned upon by pfSense team.
 
-4. Connect cables:
-    - `$RG_IF` to Residential Gateway on the ONT port (not the LAN ports!)
+5. Connect cables:
     - `$ONT_IF` to ONT (outside)
     - `LAN NIC` to local switch (as normal)
 
-5. Prepare for console access.
-6. Reboot.
-7. pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure `ngeth0` as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage `$RG_IF` or `$ONT_IF`. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph.
-8. In the webConfigurator, configure the  WAN interface (`ngeth0`) to DHCP using the MAC address of your Residential Gateway.
+6. Prepare for console access.
+7. Reboot.
+8. pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure `ngeth0` as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage `$RG_IF` or `$ONT_IF`. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph.
+9. In the webConfigurator, configure the  WAN interface (`ngeth0`) to DHCP using the MAC address of your Residential Gateway.
 
 If everything is setup correctly, netgraph should be bridging EAP traffic between the ONT and RG, tagging the WAN traffic with VLAN0, and your WAN interface configured with an IPv4 address via DHCP.
 
-- 
2.45.2


From cb16a1932a0344520e708aeba7a08c7b4f11809b Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Sun, 27 Dec 2020 23:09:45 -0600
Subject: [PATCH 02/31] Delete pfatt-5268AC-startup.sh

---
 bin/pfatt-5268AC-startup.sh | 50 -------------------------------------
 1 file changed, 50 deletions(-)
 delete mode 100644 bin/pfatt-5268AC-startup.sh

diff --git a/bin/pfatt-5268AC-startup.sh b/bin/pfatt-5268AC-startup.sh
deleted file mode 100644
index 583f7cb..0000000
--- a/bin/pfatt-5268AC-startup.sh
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-
-script_path="/root/bin/pfatt-5268AC.sh"
-
-name=`/usr/bin/basename "${script_path}"`
-
-rc_start() {
-    ### Lock out other start signals until we are done
-    /usr/bin/touch /var/run/${name}.lck
-
-    ${script_path} &
-    pid=$!
-    
-    if [ $pid ]; then
-        echo $pid > /var/run/${name}.pid
-        /usr/bin/logger -p daemon.info -i -t pfattStartup "Successfully started ${name}"
-    else
-        /usr/bin/logger -p daemon.error -i -t pfattStartup "Error starting ${name}"
-    fi
-    
-    ### Remove the lock
-    if [ -f /var/run/${name}.lck ]; then
-        /bin/sleep 2
-        /bin/rm /var/run/${name}.lck
-    fi
-}
-
-rc_stop() {
-    if [ -f /var/run/${name}.pid ]; then
-        kill -9 `cat /var/run/${name}.pid`
-        /bin/rm /var/run/${name}.pid
-    fi
-}
-
-case $1 in
-    start)
-        if [ ! -f /var/run/${name}.lck ]; then
-            rc_start
-        fi
-        ;;
-    stop)
-        rc_stop
-        ;;
-    restart)
-        if [ ! -f /var/run/${name}.lck ]; then
-            rc_stop
-            rc_start
-        fi
-        ;;
-esac
-- 
2.45.2


From d6182d7bc34a128b281ea54486aa8d58ad2860be Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Sun, 27 Dec 2020 23:10:00 -0600
Subject: [PATCH 03/31] Delete pfatt-5268AC.sh

---
 bin/pfatt-5268AC.sh | 31 -------------------------------
 1 file changed, 31 deletions(-)
 delete mode 100644 bin/pfatt-5268AC.sh

diff --git a/bin/pfatt-5268AC.sh b/bin/pfatt-5268AC.sh
deleted file mode 100644
index e886923..0000000
--- a/bin/pfatt-5268AC.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/sh
-PING_HOST=8.8.8.8
-SLEEP=5
-LOG=/var/log/pfatt.log
-
-getTimestamp(){
-    echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt-5268AC.sh] ::"`
-}
-
-{
-    RG_CONNECTED="/usr/sbin/ngctl show laneapfilter:eapout"
-
-    echo "$(getTimestamp) Starting 5268AC ping monitor ..."
-    while
-    if /sbin/ping -t2 -q -c1 $PING_HOST > /dev/null ; then
-        if $RG_CONNECTED >/dev/null 2>&1 ; then
-        echo "$(getTimestamp) Connection to $PING_HOST is up, but EAP is being bridged!"
-        echo -n "$(getTimestamp) Disconnecting netgraph node ... "
-        /usr/sbin/ngctl rmhook laneapfilter: eapout && echo "OK!" || echo "ERROR!"
-        fi
-    else
-        if ! $RG_CONNECTED >/dev/null 2>&1 ; then
-        echo "$(getTimestamp) Connection to $PING_HOST is down, but EAP is not being bridged!"
-        echo -n "$(getTimestamp) Connecting netgraph node ... "
-        /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout  && echo "OK!" || echo "ERROR!"
-        fi
-    fi
-    sleep $SLEEP
-    do :; done 
-    echo "$(getTimestamp) Stopping 5268AC ping monitor ..."
-} >> $LOG
\ No newline at end of file
-- 
2.45.2


From 4a17fc8675d0633f2755d03d4cfe73646f9d611a Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Sun, 27 Dec 2020 23:13:16 -0600
Subject: [PATCH 04/31] Delete U-VERSE_TV.md

---
 U-VERSE_TV.md | 176 --------------------------------------------------
 1 file changed, 176 deletions(-)
 delete mode 100644 U-VERSE_TV.md

diff --git a/U-VERSE_TV.md b/U-VERSE_TV.md
deleted file mode 100644
index 653262e..0000000
--- a/U-VERSE_TV.md
+++ /dev/null
@@ -1,176 +0,0 @@
-# U-verse TV 
-
-If you have a U-verse TV subscription, you will need to perform some additional setup in order to get it working with your new pfSense system in-line with the residential gateway (RG).
-
-## Preface
-
-This guide was intially written by [0xC0ncord](https://github.com/0xC0ncord) in conjunction with the setup detailed by [/u/MisterBazz](https://www.reddit.com/r/PFSENSE/comments/ag43rb/att_bgw210_true_independent_bridge_mode_uverse/) and my personal experience in getting this entire setup working properly. The reason why I am mentioning this is to ~~shamelessly credit myself~~ make note that [aus had previously stated he does not have a TV subscription](https://github.com/aus/pfatt/issues/3#issue-362961147) at the time of writing and that there may be a disconnect between my point of view and his. Therefore, I want to point out that this portion of the guide is a community effort, and if you run into any issues or need assistance even after [troubleshooting](#Troubleshooting), please do not be afraid to ask for support.
-
-## Overview / Prerequisites
-
-Bypassing your AT&T residential gateway (RG) for U-verse TV is mostly straightforward (albeit sometimes a pain) from here on, but there is one major consideration that needs to be addressed.
-
-U-verse TV streams are received through both IPv4 unicast and multicast streams. When selecting a channel through the Digital Video Receiver (DVR), the DVR will request the channel video stream while simultaneously sending an IGMP membership report and will receive the unicast stream for approximately 10 seconds before seamlessly switching to multicast. The amount of bandwidth consumed by the digital video stream for TV in general is a force to be reckoned with, and depending on how you choose to proceed with the setup may introduce noticeable network degradation. Because of the way IPv4 multicast traffic operates, you will end up in a situation where digital video traffic is being propogated throughout your network in ways that may not be desireable.To quote [/u/MisterBazz](https://www.reddit.com/r/PFSENSE/comments/ag43rb/att_bgw210_true_independent_bridge_mode_uverse/) on where I obtained most of this documentation, "it is way easier to set up a whole separate U-verse LAN than to pump all of this through your switch and configure the switch appropriately. It also makes it easy in setting up firewall rules as well."
-
-For this guide, there are two paths to take:
-1. Isolate the DVR on its own internal network (recommended).
-2. Keep the DVR on the same internal LAN.
-
-The prerequisites and so forth for each of these are documented below in their respective sections. Personally, I chose to put the DVR in its own network and so I cannot say for sure whether not doing so would actually result in noticeable network degradation, but your mileage may vary depending on your setup.
-
-In summary, these are the basic steps performed by the DVR when selecting a channel to watch:
-1. The DVR requests the unicast stream and sends an IGMP membership report for the desired channel.
-2. The DVR begins playing the unicast stream and waits for the multicast stream.
-3. The DVR begins receiving the multicast stream and stops receiving the unicast stream after approximately 10 seconds of video output.
-4. Periodically, the DVR receives an IGMP general membership query from AT&T's network and will respond with another IGMP membership report while the channel is still being watched.
-
-If the DVR were to change channels, it sends an IGMP leave group message for the current channel and repeats the steps above for the new channel.
-
-On a final note, you need to ensure that the U-verse TV DVR you have supports IP video input. At the time of writing, I was unable to find any documentation of any sort of U-verse DVR that did not support this, especially since the manuals for them did not explicitly say so. In my case, I had an AT&T/Motorola VIP 2250, which was previously receiving video via a coaxial cable plugged into the back of the residential gateway before doing this setup. The manual for this particular DVR documents the RJ45 port on the back of the device but states it is for output and says nothing about input. After a little Google-fu I just barely confirmed my suspicious that this port could also be used for video input, but your DVR may be different if you have a different model.
-
-With all that mess out of the way, let's get started!
-
-## Setup
-
-Refer to the above two paths and pick whichever works for you.
-
-### Isolate the DVR on its Own Internal Network (Recommended)
-
-#### Prerequisites
-
-Since we will be plugging the DVR more or less directly into your pfSense box, you will need an additional physical interface. If you followed the rest of the pfatt guide, this brings the total number of required interfaces to **4**. Obviously, this means you must also have a way to physically connect the RJ45 port on your DVR to the interface on your pfSense box. The coaxial port on your DVR will no longer be needed if you were using it previously.
-
-#### Setup
-
-1. Re-cable your DVR.
-    - Start by unplugging the coaxial cable from the back of the DVR if you are using it. You may as well unplug the coaxial cable from the back of your residential gateway as well.
-    - Connect your DVR to your pfSense box using the RJ45 port on the back next to the coaxial port.
-2. Configure the UVerseDVR interface.
-    1. On pfSense, navigate to _Interfaces > Interface Assignments_
-    2. Under **Available network ports** find and add the interface you connected your DVR to. Take note of the name it is added as.
-    3. Navigate to the interface's configuration by going to _Interfaces > (Newly created interface)_
-    4. Change the interface's description to something more meaningful. I chose `UverseDVR`
-    5. Ensure that **Enable** is checked.
-    6. Set your pfSense's static IPv4 address for this new interface under **Static IPv4 Configuration**. This should be an RFC 1918 address that is not already in use on any other LAN in your network. You should also keep the size of the network relatively small. I chose `10.5.5.1/29`.
-    7. Hit **Save**
-3. Configure the DHCP server on the DVR interface.
-    1. Navigate to _Services > DHCP Server_
-    2. Select the DVR interface tab.
-    3. Check **Enable**
-    4. Configure the DHCP address range in **Range**. Make sure this range is inside the network you allocated in step 2-6. I chose `10.5.5.2` - `10.5.5.5`
-    5. Enter AT&T's DNS servers in **DNS Servers** (optional but highly recommended):
-        - `68.94.156.1`
-        - `68.94.157.1`
-        (These may be different depending on your location)
-    6. Hit **Save**
-4. Configure the IGMP Proxy.
-    1. Navigate to _Services > IGMP Proxy_
-    2. Check **Enable IGMP**
-    3. Click **Add**
-    4. Select your WAN interface under **Interface**
-    5. Enter a meaningful description if you so choose. I used `U-verse IPTV`
-    6. Set **Type** to `Upstream interface`
-    7. For _Networks_, enter `0.0.0.1/1`
-    8. Hit **Save**
-    9. Click **Add**
-    10. Select your DVR interface under **Interface**
-    11. Enter a meaningful description if you so choose. I used `U-verse IPTV`
-    12. Set **Type** to `Downstream interface`
-    13. For **Networks**, enter the network you created in step 2-6. I chose `10.5.5.0/29`
-    14. Hit **Save**
-5. Configure the firewall.
-    1. Navigate to _Firewall > Rules_
-    2. Select the _Floating_ tab.
-    3. Create a rule as follows:
-        - **Action**: `Pass`
-        - **Quick**: `Checked`
-        - **Interface**: `WAN, UverseDVR`
-        - **Protocol**: `Any`
-        - **Destination**: `Network` `224.0.0.0/8`
-        - **Description**: `Allow multicast to U-verse IPTV`
-        - **Allow IP options**: `Checked`
-    4. Create another rule as follows:
-        - **Action**: `Pass`
-        - **Quick**: `Checked`
-        - **Interface**: `WAN, UverseDVR`
-        - **Protocol**: `Any`
-        - **Destination**: `Network` `239.0.0.0/8`
-        - **Description**: `Allow multicast to U-verse IPTV`
-        - **Allow IP options**: `Checked`
-    5. Save and apply your new rules.
-
-If you made it this far your new setup should be complete!
-
-### Keep the DVR on the Same Internal LAN
-
-#### Prerequisites
-
-If you were previously using the coaxial port on your DVR to connect it to your residential gateway, you will need to now connect your DVR to your LAN using the RJ45 next to it. The coaxial port on your DVR will no longer be needed if you were using it.
-
-#### Setup
-1. Re-cable your DVR.
-    - Start by unplugging the coaxial cable from the back of the DVR if you are using it. You may as well unplug the coaxial cable from the back of your residential gateway as well.
-    - Connect your DVR to your LAN using the RJ45 port on the back next to the coaxial port.
-2. Create a static DHCP lease for the DVR.
-    1. Go to _Services > DHCP Server > LAN_
-    2. Under **DHCP Static Mappings for this Interface** choose **Add**
-    3. Enter your DVR's MAC address in **MAC Address**
-    4. Assign some IP address to the DVR in **IP Address**. It **must** be an IPv4 address.
-    5. Enter AT&T's DNS servers in **DNS Servers** (optional but highly recommended):
-        - `68.94.156.1`
-        - `68.94.157.1`
-        (These may be different depending on your location.)
-    6. Hit **Save**
-3. Configure the IGMP Proxy.
-    1. Navigate to _Services > IGMP Proxy_
-    2. Check **Enable IGMP**
-    3. Click **Add**
-    4. Select your WAN interface under **Interface**
-    5. Enter a meaningful description if you so choose. I used `U-verse IPTV`
-    6. Set **Type** to `Upstream interface`
-    7. For **Networks**, enter `0.0.0.1/1`
-    8. Hit **Save**
-    9. Click **Add**
-    10. Select your LAN interface under **Interface**
-    11. Enter a meaningful description if you so choose. I used `U-verse IPTV`
-    12. Set **Type** to `Downstream interface`
-    13. For **Networks**, enter the network address in CIDR notation of your LAN.
-    14. Hit **Save**
-4. Configure the firewall.
-    1. Navigate to _Firewall > Rules_
-    2. Select the _Floating_ tab.
-    3. Create a rule as follows:
-        - **Action**: `Pass`
-        - **Quick**: `Checked`
-        - **Interface**: `WAN, LAN`
-        - **Protocol**: `Any`
-        - **Destination**: `Network` `224.0.0.0/8`
-        - **Description**: `Allow multicast to U-verse IPTV`
-        - **Allow IP options**: `Checked`
-    4. Create another rule as follows:
-        - **Action**: `Pass`
-        - **Quick**: `Checked`
-        - **Interface**: `WAN, LAN`
-        - **Protocol**: `Any`
-        - **Destination**: `Network 239.0.0.0/8`
-        - **Description**: `Allow multicast to U-verse IPTV`
-        - **Allow IP options**: `Checked`
-    5. Save and apply your new rules.
-
-If you made it this far your new setup should be complete!
-
-## Troubleshooting
-
-### My DVR isn't getting any channels!
-
-Make sure that your DVR has a proper connection to the internet. Double-check your configuration and make sure that the DVR is allowed to receive traffic.
-
-### I can select a channel and watch it, but after about 10 seconds the TV goes black or the video freezes!
-
-This means your DVR isn't able to receive the multicast video stream. Recall that the first 10 seconds of watching a new channel are done via unicast while the DVR simultaneously requests IGMP membership, and then after about 10 seconds you should start seeing multicast traffic passing through your firewall. If you don't see multicast traffic at all, make sure that your IGMP proxy is setup correctly. It's possible that the server sending the video stream is not receiving your DVR's IGMP membership request. If you *do* see the multicast traffic, double-check your firewall rules and make sure that multicast traffic is allowed to pass and that it can reach the DVR.
-
-## Afterthoughts
-
-For the purposes of this guide, when configuring the upstream networks for the IGMP proxy, we entered `0.0.0.1/1`, when in fact this is just a catch-all for a majority of the IPv4 address space. While I was still doing my initial research on the proper setup for this, I could not find a definitive list of source IP addresses that AT&T's U-verse TV streams seem to come from, and other sources claimed there were just too many. The proper configuration for this would be to enter each of those networks/addresses, but I simply could not get an accurate list of them. If you're reading this and you would like to share your findings, please consider submitting an issue or pull request to edit this documentation.
-
-If you did not isolate your DVR on its own network in your setup, you may need to configure additional network devices on your LAN if you have any. Since multicast traffic is now propogating throughout your LAN, if you are able to, you should do what is possible to limit the areas of your network where this traffic is allowed to propogate, especially if it is not needed except towards the DVR. This is especially true for wireless networks. Unfortunately, the exact procedures for doing this for each network device vary from vendor to vendor and are far beyond the scope of this guide, but the end goal is to simply disallow multicast traffic from passing through devices and into areas of the network where it is not needed.
-- 
2.45.2


From 96d7054889586646abd5fa2d9188e9aaefb80ca7 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Sun, 27 Dec 2020 23:14:37 -0600
Subject: [PATCH 05/31] Update README.md

---
 README.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/README.md b/README.md
index 975aa68..f98e9ca 100644
--- a/README.md
+++ b/README.md
@@ -291,10 +291,6 @@ follow the pfSense instructions, EXCEPT:
 
 I haven't tried this with native FreeBSD, but I imagine the process is ultimately the same with netgraph. Feel free to submit a PR with notes on your experience.
 
-# U-verse TV
-
-See [U-VERSE_TV.md](U-VERSE_TV.md)
-
 # References
 
 - http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits
-- 
2.45.2


From 5383f20a588a5f4865185986b8fe7660207a0790 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 13:11:45 -0600
Subject: [PATCH 06/31] Update to configure for supplicant mode

---
 bin/pfatt.sh | 59 +++++++---------------------------------------------
 1 file changed, 7 insertions(+), 52 deletions(-)

diff --git a/bin/pfatt.sh b/bin/pfatt.sh
index 5a69c8a..f08bfb0 100755
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
@@ -2,7 +2,6 @@
 set -e
 
 ONT_IF='xx0'
-RG_IF='xx1'
 RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
 LOG=/var/log/pfatt.log
 
@@ -11,74 +10,30 @@ getTimestamp(){
 }
 
 {
-    echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway for true bridge mode"
+    echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway bypass mode"
     echo "$(getTimestamp) Configuration: "
     echo "$(getTimestamp)        ONT_IF: $ONT_IF"
-    echo "$(getTimestamp)         RG_IF: $RG_IF"
     echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
 
     echo -n "$(getTimestamp) attaching interfaces to ng_ether... "
     /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$ONT_IF');"
-    /usr/local/bin/php -r "pfSense_ngctl_attach('.', '$RG_IF');"
     echo "OK!"
 
     echo "$(getTimestamp) building netgraph nodes..."
-
-    echo -n "$(getTimestamp)   creating ng_one2many... "
-    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
-    /usr/sbin/ngctl name $ONT_IF:lower o2m
-    echo "OK!"
-
+    
     echo -n "$(getTimestamp)   creating vlan node and interface... "
-    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
-    /usr/sbin/ngctl name o2m:many0 vlan0
+    /usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream
+    /usr/sbin/ngctl name $ONT_IF:lower vlan0
     /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
-
+    
     /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
     /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
-    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
-    /usr/sbin/ngctl name o2m:many1 waneapfilter
-    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
-    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
-    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
-    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
-    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
-    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
-    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   enabling one2many links... "
-    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
-    /usr/sbin/ngctl rmhook waneapfilter: nomatch
-    echo "OK!"
-
-    echo -n "$(getTimestamp) enabling $RG_IF interface... "
-    /sbin/ifconfig $RG_IF up
-    echo "OK!"
-
+    echo "OK!" 
+        
     echo -n "$(getTimestamp) enabling $ONT_IF interface... "
     /sbin/ifconfig $ONT_IF up
     echo "OK!"
 
-    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
-    /sbin/ifconfig $RG_IF promisc
-    echo "OK!"
-
     echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
     /sbin/ifconfig $ONT_IF promisc
     echo "OK!"
-- 
2.45.2


From de66cd7653d3b525a373cf2222cff6ed6aad390b Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 13:13:10 -0600
Subject: [PATCH 07/31] Delete opnatt.sh

---
 bin/opnatt.sh | 92 ---------------------------------------------------
 1 file changed, 92 deletions(-)
 delete mode 100644 bin/opnatt.sh

diff --git a/bin/opnatt.sh b/bin/opnatt.sh
deleted file mode 100644
index ff404b2..0000000
--- a/bin/opnatt.sh
+++ /dev/null
@@ -1,92 +0,0 @@
-#!/bin/sh
-set -e
-
-ONT_IF='em0'
-RG_IF='em1'
-RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
-LOG=/var/log/pfatt.log
-
-getTimestamp(){
-    echo `date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::"`
-}
-
-{
-    echo "$(getTimestamp) pfSense + AT&T U-verse Residential Gateway for true bridge mode"
-    echo "$(getTimestamp) Configuration: "
-    echo "$(getTimestamp)        ONT_IF: $ONT_IF"
-    echo "$(getTimestamp)         RG_IF: $RG_IF"
-    echo "$(getTimestamp) RG_ETHER_ADDR: $RG_ETHER_ADDR"
-
-    echo -n "$(getTimestamp) loading netgraph kernel modules... "
-    /sbin/kldload -nq netgraph
-    /sbin/kldload -nq ng_ether
-    /sbin/kldload -nq ng_etf
-    /sbin/kldload -nq ng_vlan
-    /sbin/kldload -nq ng_eiface
-    /sbin/kldload -nq ng_one2many
-    echo "OK!"
-
-    echo "$(getTimestamp) building netgraph nodes..."
-
-    echo -n "$(getTimestamp)   creating ng_one2many... "
-    /usr/sbin/ngctl mkpeer $ONT_IF: one2many lower one
-    /usr/sbin/ngctl name $ONT_IF:lower o2m
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   creating vlan node and interface... "
-    /usr/sbin/ngctl mkpeer o2m: vlan many0 downstream
-    /usr/sbin/ngctl name o2m:many0 vlan0
-    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
-
-    /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
-    /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   defining etf for $ONT_IF (ONT)... "
-    /usr/sbin/ngctl mkpeer o2m: etf many1 downstream
-    /usr/sbin/ngctl name o2m:many1 waneapfilter
-    /usr/sbin/ngctl connect waneapfilter: $ONT_IF: nomatch upper
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   defining etf for $RG_IF (RG)... "
-    /usr/sbin/ngctl mkpeer $RG_IF: etf lower downstream
-    /usr/sbin/ngctl name $RG_IF:lower laneapfilter
-    /usr/sbin/ngctl connect laneapfilter: $RG_IF: nomatch upper
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   bridging etf for $ONT_IF <-> $RG_IF... "
-    /usr/sbin/ngctl connect waneapfilter: laneapfilter: eapout eapout
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   defining filters for EAP traffic... "
-    /usr/sbin/ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
-    /usr/sbin/ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   enabling one2many links... "
-    /usr/sbin/ngctl msg o2m: setconfig "{ xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
-    echo "OK!"
-
-    echo -n "$(getTimestamp)   removing waneapfilter:nomatch hook... "
-    /usr/sbin/ngctl rmhook waneapfilter: nomatch
-    echo "OK!"
-
-    echo -n "$(getTimestamp) enabling $RG_IF interface... "
-    /sbin/ifconfig $RG_IF up
-    echo "OK!"
-
-    echo -n "$(getTimestamp) enabling $ONT_IF interface... "
-    /sbin/ifconfig $ONT_IF up
-    echo "OK!"
-
-    echo -n "$(getTimestamp) enabling promiscuous mode on $RG_IF... "
-    /sbin/ifconfig $RG_IF promisc
-    echo "OK!"
-
-    echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
-    /sbin/ifconfig $ONT_IF promisc
-    echo "OK!"
-
-    echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"
-    echo "$(getTimestamp) done!"
-} >> $LOG
-- 
2.45.2


From c65b9c23a6e2bb6d1e736538126ed7000721f933 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 13:59:29 -0600
Subject: [PATCH 08/31] Add files via upload

---
 img/netgraph.png | Bin 0 -> 15068 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 img/netgraph.png

diff --git a/img/netgraph.png b/img/netgraph.png
new file mode 100644
index 0000000000000000000000000000000000000000..d818ac283458fe6ff275e867c8ddf544af166b7f
GIT binary patch
literal 15068
zcmdVBcT`hf@Glxf0R<IQx-<dlpwgrl=^bfO0!ooUAV`-Q5J5zWQl<Caq)RBVP^5Q4
zN9hoXv;YYS_r&jSt#|)>>#lXzdh7iGC&`>WXJ+=y-k&`)=e>cR`t@r}*FYf9bxjSG
zryvliBM3xtlY$KRrOUH50JxBNK2=u+RSn+V1ioB$RMJ%ffokF?&tF^tzF&Q%VeSb6
z(Qy<1NHm{v{RM%f-8EH|j9**t%wPX<XSHp8|9<mH#O3R({Y+sItCvjcpVMn8-MV9h
zAhD@7tX2yYGIBTRpXXYVfvBRRB1QgK_uZ=3=@jStUZNDkU|m*!4>BGm?DFZ6$))|W
z@4pZ7ZdJP{v^cJxWDwZ0#){W7Ql&)a_4VNjCb~mMN2!cOxQnAhICiu6otKFUAR#Ek
zDu_Rel=#U*#e=99h=g5=_&o&lF@prSDuOfyfeVNo#04l10#SqFMTu7mP!A*VdO2i;
zig>-G`2Wf9=Ne|J=U=&BTAeAMQz*hG=e&*2DRT3zNS&WF)7|J5%8~F(u}tN1yfdhH
z5t(57B7lUHQ}4$Q42X<QIb*nz=Kqf9bUC;69&<1~ve!7L0?lOi$|ePYLU<8)%q+P1
zD{LO|`fBf+6)F?gd4xFP{GczNhEwh9C1p=Jln01c+Qk3mK-y}rr0#N8j3;egri^bF
z6r|{0vi+2?sJ6dXJjtEwb*HjNgfX)uEc(8F)?Fd%)~PF)AK{ewoN=<F026)@P?XDb
zt;5LC=2-qjxtY4>`k=Q%hE>2$!-(H{<~l2>qQLa@!--}x?c+zs@&=4WD>@D{+tYRV
z>a2bpN#0zLP9=c<wcYs^Uv&Y~ipbrzlZA~mXw`euDyvQYhZe!hF_K--ONuomxALt)
zEG#S|*kg45+2MN2BiP~EK-Ip}M45@OA8Cjnz?3I={43kVX?K;Zk(}<ac#=~YvXqsF
z9_;lgoimWjapQ^5<FbsBc#ly{o=)wSfmG4%fzq!a-m-4ifPV2ur6zv;pC9gz!Xy_1
z>(UkWJ8r{nfK*@2x;8a8PmD!xxt9&OPS+OlIc^O5b2)|{;%-2L7lTeZtB;C8w5??x
zx-GQI&)-Zk)=hm>=qM)_yq4;?WY*GlG^z~?o-}uCZg#uCpZF?OMa8hKV6FWXf^0xv
zLSshxNiB*{WK5ufnd93|drsBU4YiH!@|?{C&mp<>HJ+^3dFi+!z09q(t=)~fgQO}Y
z#r+8*>&Q&kCg|UUgvIAz?dC!cmA(mW&GDV#NnKpv#8|~{(cZ@j=%$;ohz#L$87wE{
zwAP;rgB{C^EN<Y*_}_h!i?0jeqn^0sfthw}85?i$*@+Tv*{+pWDrL_Wb9!10<w;bW
z_eWRmiZvO2_ZXB~{|cIvwlEXo<H-*6sD85=c2oY<p<%vSvtRs`b~sb;*}*D|uw6HV
zkP7jTS&HPGJ6~70XimquOm7xv@2)u+J4vs6d}6h#N=tcxeQy^hC*l44p7*BVbaCzQ
zq?rh)a!=B@?Sg=V$$PA5NS>IV6?u#n4<*st1da@l+_9`&4d)Hrul{a!i_5M%)_drt
z%=Uv5D|oT@SQTy*XR%aR+YM){%wJEtA%FV3sejI+PpB%ZNIKWr%%kY!1pUU8O&fFh
z!OwR$eLc$;-xI0{cS$y#Yux(H=@pbK`M=K;>KgHhA^3ZYTI<W9KO?Tgnu}Oud^)sS
z5d7g`mPM!_D5`45ywSGvT9Y34i04quLUDfnPu(tg8+f+b-lxEzo_KDUdExKKlpNL$
z&6+Q5WJR^w4sUvkxdiIYJ#>alFbqlHo<|18T@Y}Rl)TWGap_8jHe%DyBgnFeDd}Ag
zYOGi8DDLr9%2_)R0a9l^kqSbh6{`0kGCEDh7nY5rPhz&nst7apOE#^Vg7U|mV>6Q~
zgWCosD^1C@%k#}MM@4*T)G}VJ2|m9m`&Y5r^yB;6Jcv5T!9kx$OY>lw$)yP)6uLb>
zP9EVn{p6<H${NZB-j>eXaI2hKqq3vH2PJj>_vf;D0N8)Cu&n1Rr2&beLyASAiTv5T
z*U?mOMg6X%nuD36qhogRZ>O=M=H|sqF5^*^l)r=4vjVEpaf>h5nNlS*+bE5@O0BLK
z1U4kor%Skccm@nudGv6@+FfTQB<VB3<y^W|dMifFxkGiLe~*WKkI=sSx4pY`j~gxA
zT*ZRVPftgz{q>Wam}D=%;E<wx_GtQ+c67y;FTxT|R}+S+vWGXJnb%H=Ey8A7&(_lS
zIYA}6OCLmhJdx0RIr*LXvAIC@t@{ONp^8@j(?9Q)&9F};^PIQ%*2SDTLokyS2S0do
zjegjp-f|bKakofe&pW;-?6n^1ol~ePdYInw!N0}w@$jJCTKC#<h-R?BQ=!kyeD$Ej
zp=d_Yxj8qX#%_!ST&!e-zWwhN-?s21Gv`!R!OW2aXNT0mZITe3&kw#2B%sn4;1_rp
z43$3ZZNsl{E}g7vQB~($`Fyd)V)@L{t&LVendW0g(py>z>2R=Xt*E!pA4tRVMoNcD
z#Y-V#llU%#ghfi%be-eLY@y+Jj6oO^-=~=`FP`X2HTdkzypHLbb}Vj?wmf@z^=^nq
z9gS7ebEoIxnODYg*!cUzzN97bOn$3;G*oSQmO$nM4IhFN4q?`n-+K_Dmbc!0`IK=*
zQ0SL+z>c_N6I$2>)>mEw<#le}{jqR3qR!^+ncbeC_W0@IW+=ZI=((i4iLV-Z^mQ*^
z@mD`MYv5lcNt=3zp)>v7_s6?mm*>vSkl3Vj++>CM@){H4bx`n8K3jA1t%u-yd0e{S
zY<gj<4cK$HiVXkNB(phLZ6Bcue`Rj<v^(gUR~xzS5K=$XJm?;PAMBB*-V(U-dGL)n
zyK~jLMV3zM(Hz;?musVMu29a+6%YM=H`+vLmh_gJ{A%;zpv?UFR(Z9L=g*))P{DqS
zgvD7>YjaQ<u;mR6D4hR&B1xZQf(Lt=mWvL_jtxwxj*8eFpH{W(dc-BrA9-er=44n0
z9h*pA4EnY&$3My>8IyGdi5*`XcHnY4DKJ^~IcTpfVnn^&tm{OE$Cm^b*9DdtVMzr`
zV}At={!sCt<3&Hs$DMB=D0LC)5nSr@wd?+1G@sH_Rpk@;I{8umsuSZ?4f^jh{?e+|
zL&I~vC-c57XQjniGib4Peo_By`_6D&28l+#=yuti5|12B2SXv@*1yV<3K!>x0lfm=
zA_vUzOoi8?EWVq(9}U3nRjcu}CCgeC*BX5tVl)tzesbTr-t>`O!eCW-@XCn?Vymp&
ziZpRovm9ko1$o+BjBNT;7jtY}>z};VaP&&cF1u1R04p1yFu!QpH=#S%9W;1pa>91b
zEI$~r{`USnsm94f$>pRLdR1;dkCR!A{8d1mX#`?10?x)UA}4%)%pV?ZS^d;03N@vD
zGCzFs7d5fSvuHHBn;SYq!_)Z#Qx-SRqhZv5d%G!~B-w7?Y^r(Szq_9x2puI@Z(GY_
zXStFrdptZhM+^7M+cx(a^cwc!+9MObe38SH6}K9g+o91lx~4uQv1_Ogz}6+5V2vv9
zHd!c`$Ud?*9U5DF7St~<S=nE6@C$j7y5V-5)|S176?XEL-Stcse*2g)56;hA>_7x!
z^=no6OOBvXYNA+|$ka04hVK|EczaJq)<~n1d_G*yOnn-6@4B&lN_x(ea^!7<_$2^_
zUG))qrml{qKAkKaQFFeW7WxlYY793NC-CU|pz^S&kDJmaU}QDAL5y0xPCZez`O`my
z$_IdyX;I$Dc>{|uD6f<y!pkXJX(r_Ry?;3NDWt>vdivt@^fWqRRBOhWC5Wzs{QnTT
zK0%1FLMR8m9)zFLgb*s4(Iuxe%IeKz;}IT0cM~lYT@Qqt9%&BpX8i1u=w+MDc{XMJ
z$Bub5&Xt<3QT=pE?TqpT^ZzxhDG~DjV9kL?&`H6QmYKvW7l&Oj%=98xdSA>VykUz-
zAP$$gA&t1*mTEJp{KeKJm-HF0v(=RDYEWm5=ek~#2y}PMb7!m(UM?T8mOppxW)Gvs
zJ^{Daas~j)`NRTc^CS&!L%MH9MLO=`8u{CGU9l|80P^Ctz6KiD|4z>K^$fszU~^Fb
zDx9=hm$jDscx2l_VTN(4TDNS1#h^BTJ-=^w1+7REc+#>MQ>35Gia+gEh)wZo+3#Y`
z@BBco-pvMYo$WrEbwi%giW$}Q3e~wxKQgnaL!@uH2VYWa7Jm?5cWp;jIw5Qu>^UF~
zJK!@Y*2`o91GrYWL@4rP5q<#yFweflaox~T1!IV*^vRqjAkxeJ&#yIivi#N<%?wSh
zbn|O#4H|1^%KCX!*HQXk)IYkzdrSOtZ;4_4+#D~N{c3L#jIC)M67xOLQq56vNNPO;
za<V%w=Pj9JNodTUV`Atr?;l)YhdX8mHOkaAcx{emDVry-LNA5*9AjqPh-f=z;q`J1
zgm8XVwLRPFS6BYK<j3KZU0f&h(vA|&&&<p$Tg_u<PZ}Cw`&rV>y54z$A5~KDsBa6V
z)emeYwAJAjA2T?3oyDz@!EKbV!IzhK)3rs~#!XBojK2B)gRS05mqH9Sq6w8v3tNM4
z76SI#_MeKCxh9Bu$7rML_I$7Ilj95;-SBqh+*b(V25ADHG>rNjKY;I)qD#hWpQBUG
z#_?nN3Oj4kZPw)$@V(F}cJ9h{2094c?Bdvz>H_I?(5QxAVYg|pvoqI1uNqSSK-wZn
zig@NgZP?^%rZyJeZ@gJs<nbf6Jgt7OI7uA<%sW$-m9Uqn3>33=S@{`C(WE69>|MR$
zKe6TKV2E~WdpW=)iCl@-o(ufaYYl5~@F>bu11pZJ+sJ&vwzB%IeA;b(vmk*{r3bHA
z-*&)FDqwz4ig@(}Vq0cmEd$=oMk%*5^W@G}5^%;VP`t|`=}p<+*bQg(@x}JzNy~kK
z)jI!UXGsO@M*e&td(8R5gzUjDP8b0IBM2#KY4ldIX{bT-J-j#N=wj)%QDH}w+rctV
z%z_z8<^3cI2gL*1*pSc@8?BI=QY+NHEIa+FqVs!2i<S<9HQlUe>%F*MDSQ|4xRdIb
z#VEq^IaYs0L9C5{Meje&IW{gT$ryeJ_P)P!n8#pXrw1>a7-+{%R8O*KYY7^g8BtB)
zemSIoC(8*%dn+~qg?kl!0!K{_t`Dl$n}P{v>+^v#^-eH(hD1wRun;Cj3caL0U26Oc
zabz<Kz>L-cONVZcz7#?8TOyl94oTP4&MPDV^yokIKbSaK7`&Bi7T@q%v&mmRU}vTQ
zmRi(%gH2?>nsxS9Fp3K&cZ8dfPUF8)kBd2XWj}^NOEJ?k$re>R@eQ(#Buw<Zm|72B
z^I&6sT3GYa&u4!5QxBrz>c7@9>@W9<R3A0VcRG6DTUTphD&{nkIk4b*p?YxOL@!@u
zF-pt{2Vuc?;gfVN)MtfC<A<C1nq%q|o9U7(8sA}Tc06Ysp?sEQow_sfV0}Szsm~ZW
z<A~{6S^?9q$MMHfZLs}>q`YLyM(}Z3usZ&we^qmqnT!O4rMI$uX171pg28*>se@zW
zeZ33@k)4-9u`$u7#mSd0m_V6@G(pKuM|A=+3PE1C$KMpb@DvDL7#mG;8F0finxda^
z-*=XWlCQXSMKi*(T&5d@?*pfonsl>#bh<HytJ+PP2$%wgvgBa9<y@3<tJyVGf*F~b
z#RsKzb#+6$kjdVR?b@#ZPDWW&YOZD(^Yf3$?6oelqMo$Lig7nR9OmbTdrd9_&}X-9
zakJucNsBG#)_ZPdS)QGM5~@0fn{r1V({14RV;JlRF*$a@J*{0vwI$S~;$X_1`T@W{
z(q_I!`q35v6sN?90DE9YwMCkn)ojK$UEoapyk-*-bQ5|ICcI0_Fmu4BuSxir8qN<`
zxWOl6+;)@U<tDRCyw_O1jz7-r4O?s&L5Nu#NKmtg(Ynzo49VkM&b4gv)#GB>j!o8t
zryC3;p{_i*Ot#?DKc`6x<BA0l_jF}^wqJ3g%5;qLlhjm5l`(UkL(R=h2Cg<uJqYA=
zQ=uCB)v43{<@r{omJH>q`4?dEi3EfCa*IA8L-WG7gIh4B7qhX3J-De{HtC>AE%R*F
z`msv9ZW0T(bxV43VWugqj7fUe!q7NwdQw*do>DBU_s0|m-tpD4LssLhV_bj}arzqf
z+p&!ju*R&wbb}$-;An1dl-FrB1`+*Cwm>&nGKJ7vZtoJo9_MP0d{P_mu|HF$Y28;>
zui+eq!9hnQ^hOVyyK7nvs=~R;cSdYdZ4(x`t1RXq=77IJ1*cCmKB(Iq$c+{`&mW{!
zmaLk>kqt>;r`g(>1KDr`Si^j3-JhTDTKpV}4R>U`ohLdo{epd33{aUC`vIi$j@@@8
z8>=l-x&*3QM+b18K<)!Gm!jtQQV@2>2*T>hd|k9scsohUdT7t8w7vsM)xQU;gvBYA
zcxk?YTr>vBNtJ4QbEeT~Yntx;McR01SxXy|9iLA&4vgG&P05(vM5C+&1_tU9*BzTE
zV<@<s@GXmhhq{v44_>@UKMWvktNvhsO7KUB%^d3>b}KAUu2c)aNq=MQ1D%kw7PlLa
z?TBF``9nM^&Yw3S@s;V4MshXwsKFaYa$exX66X7uvh}7(aff(`nFg>xKnIQbS1Gbd
zpPp0;dT-ZwVMQHEF%#@qG8(oPHnHJoS3RaDGcd5%yv`~qiJf=h-7GaKMmP)*+DyJr
z$jSD;{v#5#lW3&pe%P|t-s1Q%!$P>Ak<RWS`8J|!2{^38Walzgn4JB*so>=~;+EyJ
z6Vc0YfmO0Qad?_)rvJtagS)~JAi<7e@tymGSlo=($;a8r)p!L4GJmSy%VnrT_qcqF
zzd}j(wOJqT*mkS8C~I+siF6NnL9j+Pur9v(d3|^PJx|ugS_5xD^8}zp$(wr#_jNtU
zrCTBmCGU&}NxHCK%?FvLuv+>)ptnNdrZ;qvsd~8re@1^rH_BC*tT`&+%&WB=Md5Bi
zMX$0&?+j@2WUky2VkQ}2k|N97jm{&x`9ZuhyZ4D$+`P=;`QeZ+vL+acUz^|$LNvwq
zJ`fl(rrT=QndypCAiQp!{5C#ZAX=8jpn2PT#Qb%O{^#9<!hlHgv%GXh=<{?nHP$45
zTg@1TNr&0q$GTBMou9pLV$dwuU`#u90fX-=0rXp3Be+#|0~_dh)igeLu581(rd7CN
ztTUa7D$nBqy7{%?P{PSNO(m3G)LE<L*Ta|vOQWZi*{<}O*zA;dvW<ptWH}k%@Ncr7
zMSUbR&A+k180UhINrtxA3%#W@Fl?c2BHH^8#->wgrtO8ajLbZ`=Rj?!JC<cu-2Vu2
z(u4q6o#01273j+FZ5vC$mD#N}W?2VQYFO8@Bo3^u0IlK);(n53l9qP%qVcTW5Z=2X
z$oRf9-nl-jw~@<r%o(RrZU}@QdM7ui{pt6;>9_{A1z@g%mhyo(OeM(o#BnFd1Pc}>
zDfz=YKUP*hE^S-@j$d1oV+BaV<{6tgaZAHKq2-Iow4)~fIOqBstEM)t=^42`elGch
z_&U?R!@6<~y(sR;orVD4b9M}FvHPa2pMricG8)*Du;nZD77bc@S-hwp@jV!dHY=v>
zL%I}bqU9N7?woTUECw`;$$G79=Hja`d44qZ(;pT`lGsgarZN(7eLfC}-`VxZ&CKd1
zO(3aM@rbZ8N3IA?If~o;rDyj=MB-7%-KqzW-^}x;;sxvbsu+g?$~BY8dMsI^|Ak<m
z!E?nAblyA=E$4Q^@jpKLX?HHvXK${WDlUmagq}1-`~_s(#tNs`{)T5^Ro=aQ%$J<g
zh|&)pZ7J7<40*<PON@F821|`?!Ib^s7l&S83k{+s(-?zu5gS&8Qb^OfkV<nBlDfB&
z16zEsT;CrpU=#T-yG_MmOFUW_2)b1Nt%*74mY|@V<qUMmKM((MePfb>n9%+|P2saA
z07qd4h7$?C8@=K=5{b}1Idhks6MUN|4pyij4Km4XG%+kvg3`;MKkeTF9V0e*kRRG5
zayg}gd+C?CfAw_@u&MaU9;hAF`6VoKgVJ_#P25y*ff%<E8TQ9sP?bNfi^rPvr#*}6
z<<d>v+MsdhVWWboukh^lEz*^BeYT4U?w9;1!dLXr{!`FE!IVWiW`3i%d@(i!^oL#Q
z$sfGCukRH#TJ2k6Il)>KiB!K#K1ixs68?S)h<0(3DY;wcTH{Xn{?YI??W{l`h>GYX
zcA`@*y#R*hmLB)<KT>`}HZGES`D4!NGX0Pn+QjgDplBXQTMgtf94>En>b5MYD>7&d
z8bE?=Uuq18V7ZnxDti<H|9VTROBlc8Zh7XuMg<X;k=e1FKVt<)(%gv`y)%>Sx><?i
zf++3~PLgi|IXk`=V~k?;S^N=OFOv$QxRTUz{Ki4?lN%k=qHo`>P=%WcNsUqHcwN2Z
zoc~>Mv;>+@HmihwrXAc+muSosx;Fe=eM>qcB2<a`7LmI;+lBgh$t=Bk;C+inj!%!q
z{M1z>gK)#I`9hrIQLeomH9zyqU&ee$UVJ2;h95x2rR33$fAqpWw22b_e73q#auwID
zeWE2(el;g}>%J@|=S5Z4#}0Gnw{LM7xx-#=MGrX@*7?PM%HuX6m^cZ<HSUm^5^?j&
zt_$z&b@1Iv>kI3n&e)+>d)XN!I_VEr6`H%HJ)6B}ku56bns-Ci3|uyoY0a{OBANHi
zd!|EKp5(t@j_8Jh&N!r=SW3YO*p0#I+j*qwR52-_l6PtkEyvE_j}J3$_dduut}xsh
z?BnUs4tWI}id{P!&VAeI6-W(4yq)Y5zXeY1P-^stOpZ?1*6+qBQfLego9bl~xP4J@
zP>kV;l!?W7ZL~}2kH@eT`F&APWgdEBlRw(vQ$}uONvAm~%l(DO@Z-U()hCXFkO6WF
zeNH*Fzc;%Imm@@GYv$MAF~w!E#}tk^b;aKmj%G<ALW3C`_C#XY+_|kQwoL~_)gR$i
z?XxFTAF(Sb>9g|X6gXEJPB#u2#EZUtze44zPOIGzHPS!>nXA9bIrl5(7g<;+X!?aB
z_1kEGs!6Mjkhl~x#t4ChWU!Etl7J|B7-!<+MfsBzm%sXmTF&|gDQnArr0HaKET!R(
z7p>=xkth~6w-O~4Q={(_J#g|F|J?DMT@hWXlh1LPgA*|4(@u}IMAEM>$rvsVW;wk3
zt{CF7QNhS5evc@)rE@re=*^;_<0V9$%ha?c!knbC7%g*in|+d67<hnC1J;uhoZ~(h
zEzOMJ5GG1H3>gH%@)uy+#&K7rq&|~OAX@<1`tI#G{rmwnD1<nPxS6*%5Dp|^-@F|w
zy8(fGyo&t$e+_jGh5Y>p7~8PsGTA%yphX-Y&UT3<C+Qn@qBzh=A?WhUs&o>j7pP2k
z%cx0%6hjj_MykudB6@3sBH}YRtbn@$M0wb#i9U8tr6@Q4Ew@e@h-Smq%L4_%rWxX-
zwfQ4V&0V*N%FoIGi;kD;Will&Gh;)IxERB)sW6SfkP5(ca*1@i4yos_ymr<O8uq$|
zhIOdOF4?OegHV;9R;Wk-I$w!LGa{iXMv-&7|Hk#Z1OI6<87(?N!P3L1_2*5hP0=bF
z!&|4@YQqgRJq&=LbYY=6fZG{dBR=*W$8q`)*saT4lwFjH?9Dx3O>ufPB%0&ip?}!?
ziD}dJihaa)MT5&+j=V8W%jzn~XDvd(WI3!EK`?n>_G=4aF+U@MrGv?czEk+neeRWH
zvBy=hh&soCPQa**jeCT*uowzfK$h@c?%~H(GEmlr-=Yi@AB7O&c|<YzjfF$IbnnV!
z&@iXl_p!+XiH?sCuT%Vh#Qf8slRpKJbITEx$yf93_XA*{TxLy?C8x5wN5oUZ)p(pZ
zNsJNd`I6&bqHb9*8znQ_x3PdM`PW9=Bz9u6NlM7UVd-H+uPW`Pavb=l3yTFIw5t^Q
zmonW4v8x23B07!T1L`|h06Epe>-aza&qCh2q<)o&DIbb~d?&9hRHGpyRRWUgxrxB;
z5LRWb7`8F<_%Rce%2nZzZAgI{lj=X_+`GPHV!P3HYPS@^ayoqeITgr06c)pKEnYM+
z{u<=^RXvnoPO$0sKgoAuMxL{0NRj?;hWr2s@7?8PaS^JvnS7^1A5T=Q8#A8`xJ0<3
zN5p8F)GCNSMKSE_ZpA~uA6CNthjX&GYXOwbKmn#X!T`+8K`x2XjqTsj;y;L{GP>e<
zHsibO2y#|kR<k3reAlv8@$@AL(aTD~4-WfAwgyjtwC2|LlHy~)7VK<5DF0~4;=K$A
z%~W{-g!gWRymNE$8wz{<?$=evDu#e1jv#n)rhHLFD_>I??w58qndlTqKhgqb`a~oa
z#jw%fy^d#r=xuoFpk6t`ESZoqq5NJD%oMu4S#d1?M03!93h=EqV09e>)*NcbA?M;x
zOvHG~Qgbe_<ctF9$|X5a&S3_yZ&ze-gW)Zi{}x8`T!0AdJ0%8J5`h2NOcE;d5eAvp
z$&}G@AKP|X6y8T%cVGy*L)yb=kXvQG<)MO7%L$IkChnct95MghC&#2_z{TaL7|yRV
zc0c;}HsdfTVw~+WLM)c0M<Yhj8p5CiC`s~=+tK(zD0U#j19Y94bU4+Iy9QKSoQ@oO
z{3Z|RCa{&*x{DeF9UFcS<IKY7_b>{bfI>ov<Ipp|8blTG<6pl|*KK(Xd<f<QO&guF
zJhp|LQ&BMYF#a}d%3pMuVF7jrfhw7D7~uXMVKlGSsD5P)ZU8|-RPZn4*(+EH<#^mw
zX)NHx=da>K?_4JiC8?s50M_DT!|hk|=F-Fo&qx0{Vbt=7SOSE)^-}NUic}7bbb#9S
zk!qjZ$83dNAZ((-SEw|eKYNw)(8@PC78auz47sZ`0?2xGQcjzGpR^=%KK4?;^mF#;
zJLD@*=A*i!&#eGi*?Jg1D$m!MR>MVr=%;g@8fMIkN!J{vl0;rP=uG`5(Z?lVv57VH
zjn5!Ceu`2X%-Si0WdX(w7GtOQXXR^vIevL628}nk|8qrya=9=X(Ah``yV%DZ4PepZ
zXYjjGve@DNb3P*?1_rn`h?vSY2#*-Q*xYI&`mVU^4~mq;5}8j`3IUJ_%fd~If{Svn
zCvnvyH11*FGN|MNx|l@EL7wTO)XMFJgAY#j%R!^O9EN7{;x1MXE+#h0I@7HryKAjJ
zRzv%b;92gglp{CU0_T%hf`5?ZG~9vutXX>^X!9WvUM3xJB(IH25uVd8Q8r*9H~*@)
zu00u=`%Iu{CSkEiy&1+w;CDXjtGAaNcXZ!BYY^SlGN2zy)ew*$R`wMP$aho}>CEWm
z0vF|UO^WygcF9fF+@+v(91MADBa0M5Y%S<kO<aWQ%FL&N%3pcxP<({VoYIuOPfaYn
z=hgL)b6GtIEDpW<o^jX~!S(%FYJpwzEs4y|bsZ*P@gw6ZdC-J*i2rJK?V}!P=$w=c
ze*1F-N`x|r#wkgG+ts;-eAt5jLmBsTgzk-QcjA($@%8Vip@}83&$#FER-x9&wi_Yn
z+@-oU(_QcWi>=90EshYE0`a#HbGTz;r~zO{KI88?0v(%^6i52*qMp4AFjeP5VM{Z4
zB#pYzDS*}tEYP7;+{{nzz<~+mB~D;s&RLQUsG-?^l0!}i<=`?rochQx++daBJ>y5A
z&J6gud=NH;;qv8hB@eQrCrLU2zb7sYcAhJ`dNpcjYB36^lrfaG8feR*Qc2Ffh)zYR
zB1H2v7_`_*LL=5DUSS;=Z^&+<&`oNKHh+!JsY-^B)^O*e;~qO;0`&JiCi2$vkmr8-
zt(Qx{(@TX(gV{)V1a|w$-0>Gh!^B5Y`FZcv&Uc1`zz*fnv;zV#oP*cNoST|Do4mC3
zwegqpP&c*3mg64Ci1&p-)K?Dc2Mi7$QcUwcU5@E($udK%M3eH6g+<*rK-P9#-+%Lx
zU5Q!NmL}#J2SGl_2<Xz;p{Zb~FtnKwVN%%rwn0vr6?KEfQ&G&{Uj1AP$6-Az=n%=g
zbY<Xa(Xx&J^#_J%>ZNM29>(ucFLU#*j#p<cN4!?5`;;Rd@k~W@g#})yF-T!5#!Rc5
z6THJ9*+FR$ez{V<<6auy&?ywR68&7Y++gJL7D~_kNo&r8#<24f!93c7C}g7^Fsz>G
z-!N)mSgrD#Nd;S)%0%_^23HTYFZTqD#X_;PQm{yR`<Tl@EH#mW_AGGM)C`)6U;jp_
zMgv0naVVi<o~b0)Mk5=w0fsB#M78gA0&2H@%JJr;`}D42sk$;=^bM_FK2drKKn(Uf
z4*J89sw;dSPNC^U33*E(myRikk9u2Fah0hilDb}+Fmq3e^BD~jf0`m*nfRz&e#<v%
zg7>&8qme&&94`wftE%2EvC$y%^K#Gx_`NML**DuD^4s{wj|1R$N413q(s56DGU`;o
z1<)$*-=q3Oi6q^Y`v55_XL?_<p!{C26~kqLD9Halx70yF2cKU%N!-UTBUMiNWnx|{
z{o#cXoCvo^BD&$!B2IEkS5%YKTkEfR%iYnf+w#kfS`R<KYrWL^k_V|rIwL0t>EysI
ziKt-h)||*0CuCvOyS$P1nP`7&js#JTXND@<O(4*Cgx&q9B1W9civ&?n=NE7EB;?me
zj*&<j&LwV8)b88cdavBu+?TsvUj^kbY7AZr31g3PnQe51wFjKQB*};6G27F(6)sWd
z0rjK#364D=J@xu35c#I;cQ2EGHX4B{m)ZVZNmxdCp!2Am&=?ei!Tt`rxuj0SO`v*E
zWs)MA_v~qPJhZw^Vy4zX+v|M4yG1juL8tmt4hio)pwA7$VIdH@1|)zF^N!Idb)XO#
z>$5#YQ)$&as>>|l5-BY$JqMLscx~4zG29NJa8V%k$mKi``!!r<Qa-l~bXRfB09^?4
zcBzluZN2u|P7vLF$wHo<IaI*SY{1QF%Ctp&BFMRzUI;39d^ElZXcmJ2g?u@9u~Tm%
zUnv|~jjoGd8%STb9`n_(+jE1L4^4Qs$af-rRMDm_Fx9>zMgqbghPDtWLYTf^^RLo`
z+quXE-PFYd6QtwMVQELWqZ9nmtP_i+4IB+u&%XYc3(HDabZVJWRKd=!V1j@KsW~XG
z#4LGPXSr=xV}MZN9jC<_yapV-r!B8=W3=~U{blGtnmDWq7H!vc)HZ@9wqaO>QEvv3
z<QO2XL6#UlEUB*=NP)baj4Ht`64te-SQZ%sov_uExZi<&Q*2ReY-|<KNa5=`^@YQ_
zJbiKu?JuOcX9q_*^d-OEwAM}*)Wll`71s^Px2(GzPy1(KzzsU+jerf&?TbRBW-!Vp
zxtlP%H8hSH^Qqq{bp=w`&raqRB@=)e$jo8dBx>;tC|+Z9?W&#NI<=@HdCkVXv+C(b
zJJkf=V+ET<o*rv`g2J(U-bDh^3h269>5l8nAK1Z*Nn(*a3i=6I&`~I1FaPVPKfW^C
zzIq7AHUlj8@)vuv(Be3xlSPfK>bYKJf_H!74ujolzzl%{gV<TN#p%{oG~rDWCN+1p
zdzL@It;!nXoLI71JmdR<Fegq9sx8nIe3Oeiq{4c=J7h_#@BCoFmdAB;k;!t1un;F+
zS!`!29%Tj((v2E&hTB!6J-0vSl_G~A>S6P~nuFIAWe`5QD@q13a5(u7d&QDlg%195
zJ=WTUn3}!c$f9nHB$m~pTSO;*&o1f36_*3{jB{i|oh)Y26kfE$Rwj1r`}glOA&1XA
zbQIbc2Z29yN>Uji=~&P<dNkb>_V&V>u#T=f4;qdmzi4yGMqQwaS9|tW*r>-&kugi%
z7xU5hD#8h!0tSDA^3|1@!uEI`h~ubqr731l{@#|;_20grvoPz!Yblo7vxqv#be--e
z=wx+Z#NmMd+&A}u!iVKI_l5|BGJID`H0i~m5UgSEY`d<!GkLsLuf_SFZFqw#AV^g3
zcFKtVfUWj^394eDu(@)tJGJw3tf6TU4qnVBq<6j?(bg0ssoV36PN-=wr`y8DXnN_@
z7o2d9Imwh>mMjHU1_@U*`fbsv8M=ym8M<ax+cAkstgzq0Z;K1usjw{%(QQw;M%7j{
zRC~;A&ZtKKo3GSdG#-dHu(-AqnQRN@j;@Ra7dbdxX+6b#8o|v5oZ*ryp?j%1nC+0I
zJ<mo3(^>i*xAU+lmX)#~$LvbWogDjWp5>0Iy|TSeUG2!;P>W~LJjl2tPNxeVq({a%
zP;(n`Ht*J%j(up0Q}Vd@vXe2VU(S+JR>PpXTTMqkGnC+-v+gf+CN<GsUY+bcW74vX
zbcp?F!MxI8TQbuQtA>sSoOW+IUuVb40*hDA0*y4?6tw5GX=tS2vq<^(-4-iPQ-iIR
zJsawslNMCx2!b6E|F~KHWKzLqe9tDBaG2fFY~JSIz<jI)&+l$eu?e0Y5TISmqOAUx
z>qi2;0rOX;<b%`-L)^3RSafx_c0j;ZX)*SkC2F%U#oEKu^{^hT&=tqVrm&@ptIP=4
zZH8sp<I3Rkkqb7slBr<6A%%<9|EgW>foC3)^x*EiPqX~w3FAS#zc}M`z{HNr&N$5I
zg(01YwbgN2wLjQ*-n)%V>;b05^hUvMTF#1BC#~66ROMZUUmGL&%j%n>jX(eX`8hAU
zBYDsyjyk@xNGuMo0i}LqI<rhLFY6d)%z`EG@Av(Duc)RK9J;yl?(lAfbunV<{OoYK
zaQ+S@P$uz+%MQYrOID{Wm~p0I9ZoW&Jm+Nng4TeR$F*dW_@<451ih#fpRpRnZXv(@
zPWpM-(s*jj-JgaE@pW%%ubDSotNGV3w`*n`C$+{Pd2;)KiM0s{z@{iYUI}|Nrr&Z#
ztPro+!Y_WZ5gs%wo%RY;e?^U5GFv>`$d8N7&fOrBQ67Ksj)hL4EQaZ72S&T5>k5mQ
zm|5VnC3~E$=#4x67lqm>h;F8hWlEdVH_YF1XnWq{tD@BL@c4vVdLtK-nv3c^`D_V2
zT9Uu(l*GIQ|B~;%{vAp_cmA&!W3ll$53m2w5tl7~AEbfWCTlM6XHv`x*p-qr<8+?!
zty$J=P}wK;@UrF7a5-M_1<F7jan5$+&rP<yK(ytptlr~>a^$~l@LOgu;pE8a#VG#h
zyc11RCh=+X?fW{fJaf$3k1O4pn|D&mG%S|iOwA2e$PwFdt@T%H70O<19gaULse3K`
zK_Uq2l~T~~=0*m19z1MRJUBS`dZ0~mZQ{i6V57UBUDP0k->J@V$S1DSG2B+$p%rsz
zkM<L15;s9ZFN`_|F$z$fUs2+N(M;mK1EIs$i<GLSf!@6!Nt8S1PRrDO!Gbie^Aiu#
zN7A6#RC4X!iUVoyEn`W|+NJUz>^oHRGYwE9foO>de?@ga6Et?qmvPQ_F=$zR-m%*F
zY%I7GKW4$KFT1Y-*d=T#ReYy!YjmnV$gn0S`TIb+q&l$sxc4O%oH^b-$VuPb`d0cH
zTw@#FB30d)7q6M4Fd6a!94n+*XV;}Dwv8utUo7c5ex}WDyx4p;BG}F1n~`n?Z7`dD
zK|Ad~)KBVHUaV9#;Wej$yCK2dVv{EY0GHhfGn*K;V~5HIxSgi#^z?uAHX%NvRg>`0
zTavnEQ=8w4M4_hpZKq2g=I?5xNw}t^3-JBD&3`z%NRS8~Pj4WcIXVUTRDQTsvvRCw
zYCcYInir`kui$=B##<JUZNXtVeS!z-$UB>KwT?rql5S)H`uHlJ<N)@@g#pRM?O^gw
zQ3HV;QLTzZ<4snd<bvtxt<YAWg9271`YNi~8N5s0=WlN;;E5HG0kL}l-XcEyU32@J
zbI<3R-S=9(<D=ER<qaxP*Wc!lW`L{Le4Xx;-vyfde!^l8o<1$m`nb^_qmRn8@|kwn
zuUn{UJ<yUg(+)ULtJ5m0NdFCJzq2MUBU6MQW1<h7QE0GP1UiFvo54`2XJxPMlV37a
zws*|Miw3R{tBGtA-BsDQfgre=mW6I9n5URQvg#k<7JO!1_eFE0(K99J_mwD>wyUwW
zqj5Byo}$%KMz@?C27QsZdF$*#yR;-0x(h`bu~Bvue{ps&BHgpnLmrrfUWLb-Ot&w7
z7j#QM-uzbP9sfQllf`J&`}><Ku+&UEwE(;Ez6nR}iAH0H_3J<3u&OF6pk**SVB09X
z#su}7U6!fAs9qtOS#oeEfm1E|6)N+YgNWw)*ft-aFZ<|xK9SF8PTXil;TSQf!);E9
z#0=R3G4os89~}R1m=~wu#7-S#rW<uLh@9IXm>bhCI^^Y<8Qyr2zIHtPoC*uyk~@;Z
zx^7F3dIqI5Ee6Y2%S5%GwCy!FBU!{yd*#QWp;P9M&~(rAtFP`HHX>O)esRd*%9fg^
zS>fmICqQEVNC7%ppeg5|E->_&bU@-WnUqsK$Ag&IR3AF9w-hp#Z;~S3_ttb3V2l16
zdeYR`BvqCYW2rHy1y3b3f#ucCcAA2J-Zct*rHRXqV5)wSUHLO~e<Xh;=FC6vpoix~
ziuujt^jE)EocC`eW5~fqc|oe-&D_U`UCk!%VL}0)X7%RG9dU}OMJM<qZfenVnJ1`6
z)Y0cTO`BOA;sk%Fa8ZX2t0paJFTXE0S-V20BD;=fJCd2Y7*I1fo_=-gbmxOx>wX0D
z;Ir)fMYTP<o}6GA1-}WOVMk{$P6vMjAv~xyU;Zwr$sPr<L%Po}KDm=%qco0TDS7d8
z5i_$sG4KpmgfW~oYq)Tx*sFh(V~EYd3JQ=PnMd7Bx)Sw)&>LGjw!akDLb$8&L}SbK
zW5P?Z%lG+`g(8fzkI<j}-NfHO{6t$0evX+aI<!1|vHE-&wvpnKKc{u2e_ponR=u1g
zVa#s+*#o~P`q_l4r=YLL0_39re)X~Y;hYWSr~Pj2n~5seD@URnPrd4Z-^}jgcaY2r
zuaW4{7J}J%g^z&EnH@@UtpbfWd0z?M+dY45jWA<$TYHcBbW8xwO25i>kUoJUHMWN`
z@Tiovb$Hder0;fFQH6U6&=Y5nu$-<3ecGnyU0i4a+pa)-wz+AwG5^sbE}<{bv|DGv
zz{2=Kd-CCNTfLxbP+JxD`Sf+4MHZkjQ{iQ<4z?TqUP6`-cFJfV=!C1bc$88dB<cUc
z$QKnV?(1!1WKs@P0rF*1Tw}9UM+|Rc;)HQ)8ynwfp3HmNlBp*DC*L{#1Sr>u&m6pq
z%j?v~FANOCOC{vhkYE3hy}DeKeLl!?cq9iDpd5VX4rt!-mH{Zm3wqh3po;rL_IZ%k
zSlB!{Up}d`9Oi6$u_F$#*(Ut?!r5!0E!}E~48(hr<w@}Vc_T3cHMhd^^3ir(b}ZX!
zcdRECrZw)>n%BZjtqSCV9~I$!=Z6S<SRm<@Kasgtc;A*-8ap*SA=%E4yWk9_Q@HRv
zIm`;1ZH&X-4Ge;x9cFDrP$F*y*=;R$YlqlAJDEuzQ5b;V8+&B)(0{0PEHD2i8;b}@
zl+ylz0^Ru|CWTGt2nL+pp^d{XMGmQu`*@vHP$NS{Qol|EFD4X;&|kQnui~hVS$QVS
z+~Q&^vDPATp1mZyIx|-<g02Fm;?d`ai9hZ;-hFJS;`941K8e#P;gP8O_TM)0j?<iV
zHui+-P4)_V5l!?ayX3Z;LTnWhy}7a5yvPMJV2DcDo5$MMZy?~2?efjyC;eK7=wr)#
zARWWK|3-O#c{OrB->RBQ98}co>2tF4x<8xHdh$9^R>FMwdG@M1XYOe=H}h@X15vCt
ztM~Q{#tr#l7qNuyV82$#cs(jyXYlc>yvTT3U2mzg&KcKI@)G}Q@?ml47Q)u+xe<DK
za|}7|InU@GcCSa^p=bwXRDnfnNqWxl=wBhEgR?%TjkPdtBtl+J{wQ<&aj9CT@4~zu
zRh~hb_Z;>}mv(>o2ZLNKr?gi;$;eGQS=tyj-{)dm+M7RRNpm$Qr+yL++ea9?qrK*}
z$Aw1RTxD0G<Z7Jq7ry&-p_^{mgaNjBJC>=n%nRC-j5BhZB{J1dzP9%PA@Y!~M;<DY
zx<ar>I3B+HjI%CQ<}tPfIp8}*!cyn6clIHmV$TobPOiGB;OXMkTfe)^_Av6E)0%tv
z$DUN`dfuqeOFnZ-xUXEgj=h8fRMp1LiF}oe)R>Ylx)B}+BVb;PR9yJHnm}^Hs1ek+
zM2YE@hOQ5>SA*jvR)=HR<3(8x1^HyQklTyvF024+2nJw1&lKb(r}T^I>ND@d;RgFj
zmKxef=C`~B9sTO9>?*lk+LdBuU*JLB@JOY%Wwh?krbHbhOljYijf9v`Itr1Oe`kkL
zr+pMi>!4INI_l6-WBJ>hHncz!MqyaK^yM#6a0*?T8yOwfm6cjS4bXQT6*L{}%A>uH
zT|TVnP*}Xp(;(MdBJ<<44w*?32WE?1d3fuwOFEIZQW^P=#zCaX5orgBs&^YrJnml>
zI(WK5%HtkZK_jBLqtWlrNk&Xpec6c@<$!!@@Ok{|mgKK%`<KRJI|NxCMhZGGz60`K
zSCu|g)Q^QGd{rv{Zx~jc>K>(e_lw#4j>^M%6EpkYH0N?mBI$E{xL!7Jkd0{hb-b|T
zA<|4{&WN<>|7gbm?V4Zbi`jp)>E2hrxnRSB9h3$#x9Ym6!yrYn%U|vgRfi-$VtM?Y
znTqb8C@!xemBgMbxIg}vw7Q10Mv5br8g0~khwv}Gj{f8?7b?2;`u{eb3q*Q+A!XXH
zMrCWYg2eePTk9`*%Zc&7^|#)P7ya|?{rBJBu7VV&O3=B6eyBsO)c;;{gviql5#M(N
qN&VM1{{NHrAOBz8zTC~*xFGE+({gmU&S6T_PE%D+rAqnvoBstHz`wTu

literal 0
HcmV?d00001

-- 
2.45.2


From e152ea354058517e9d659637fb0de6c855dd24c4 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 14:00:27 -0600
Subject: [PATCH 09/31] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f98e9ca..90ad4fa 100644
--- a/README.md
+++ b/README.md
@@ -198,7 +198,7 @@ The netgraph system provides a uniform and modular system for the implementation
 
 Your netgraph should look something like this:
 
-![netgraph](img/ngctl.png)
+![netgraph](img/netgraph.png)
 
 In this setup, the `ue0` interface is my `$RG_IF` and the `bce0` interface is my `$ONT_IF`. You can generate your own graphviz via `ngctl dot`. Copy the output and paste it at [webgraphviz.com](http://www.webgraphviz.com/).
 
-- 
2.45.2


From 66783e9c43d019af62df8d5558b7e8d115f8adca Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 14:12:19 -0600
Subject: [PATCH 10/31] Update README.md

---
 README.md | 59 +++++--------------------------------------------------
 1 file changed, 5 insertions(+), 54 deletions(-)

diff --git a/README.md b/README.md
index 90ad4fa..ca8bdaa 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,6 @@
 # About
 
-This repository includes my notes on enabling a true bridge mode setup with AT&T U-Verse and pfSense. This method utilizes [netgraph](https://www.freebsd.org/cgi/man.cgi?netgraph(4)) which is a graph based kernel networking subsystem of FreeBSD. This low-level solution was required to account for the unique issues surrounding bridging 802.1X traffic and tagging a VLAN with an id of 0. I've tested and confirmed this setup works with AT&T U-Verse Internet on the ARRIS NVG589, NVG599 and BGW210-700 residential gateways (probably others too). For Pace 5268AC see special details below.
-
-There are a few other methods to accomplish true bridge mode, so be sure to see what easiest for you. True Bridge Mode is also possible in a Linux via ebtables or using hardware with a VLAN swap trick. For me, I was not using a Linux-based router and the VLAN swap did not seem to work for me.
+This repository allows bypassing the AT&T U-Verse fiber gateway using pfSense. This method utilizes [netgraph](https://www.freebsd.org/cgi/man.cgi?netgraph) which is a graph-based kernel networking subsystem of FreeBSD. This low-level solution was required to account for the unique issues surrounding bridging 802.1X traffic and tagging a VLAN with an id of 0. I've tested and confirmed this setup works with AT&T U-Verse Internet on the BGW210-700 residential gateway. It probably works with others too.
 
 The netgraph method will allow you to fully utilize your own router and fully bypass your residential gateway. It survives reboots, re-authentications, IPv6, and new DHCP leases.
 
@@ -15,7 +13,7 @@ Before continuing to the setup, it's important to understand how this method wor
 First, let's talk about what happens in the standard setup (without any bypass). At a high level, the following process happens when the gateway boots up:
 
 1. All traffic on the ONT is protected with [802.1/X](https://en.wikipedia.org/wiki/IEEE_802.1X). So in order to talk to anything, the Router Gateway must first perform the [authentication procedure](https://en.wikipedia.org/wiki/IEEE_802.1X#Typical_authentication_progression). This process uses a unique certificate that is hardcoded on your residential gateway.
-2. Once the authentication completes, you'll be able to properly "talk" to the outside. However, all of your traffic will need to be tagged with VLAN ID 0 (a.k.a. VLAN Priority Tagging<sup>[[1]](https://wikipedia.org/wiki/IEEE_802.1Q#Frame_format)[[2]](https://www.cisco.com/c/en/us/td/docs/switches/connectedgrid/cg-switch-sw-master/software/configuration/guide/vlan0/b_vlan_0.html)</sup>) before the IP gateway will respond.  
+2. Once the authentication completes, you'll be able to properly "talk" to the outside. However, all of your traffic will need to be tagged with VLAN ID 0 (a.k.a. VLAN Priority Tagging<sup>[[1]](https://wikipedia.org/wiki/IEEE_802.1Q#Frame_format)[[2]](https://www.cisco.com/c/en/us/td/docs/switches/connectedgrid/cg-switch-sw-master/software/configuration/guide/vlan0/b_vlan_0.html)</sup>) before the IP gateway will respond.
 3. Once traffic is tagged with VLAN0, your residential gateway needs to request a public IPv4 address via DHCP. The MAC address in the DHCP request needs to match that of the MAC address that's assigned to your AT&T account. Other than that, there's nothing special about the DCHPv4 handshake.
 4. After the DHCP lease is issued, the WAN setup is complete. Your LAN traffic is then NAT'd and routed to the outside.
 
@@ -254,58 +252,11 @@ $ ngctl show ue0:
 
 In some circumstances, pfSense may alter your netgraph. This is especially true if pfSense manages either your `$RG_IF` or `$ONT_IF`. If you make some interface changes and your connection breaks, check to see if your netgraph was changed.
 
-# Virtualization Notes
-
-This setup has been tested on physical servers and virtual machines. Virtualization adds another layer of complexity for this setup, and will take extra consideration.
-
-## QEMU / KVM / Proxmox
-
-Proxmox uses a bridged networking model, and thus utilizes Linux's native bridge capability. To use this netgraph method, you do a PCI passthrough for the `$RG_IF` and `$ONT_IF` NICs. The bypass procedure should then be the same.
-
-You can also solve the EAP/802.1X and VLAN0/802.1Q problem by setting the `group_fwd_mask` and creating a vlan0 interface to bridge to your VM. See *Other Methods* below.
-
-## ESXi
-
-I haven't tried to do this with ESXi. Feel free to submit a PR with notes on your experience. PCI passthrough is probably the best approach here though.
-
-# Other Methods
-
-## Linux
-
-If you're looking how to do this on a Linux-based router, please refer to [this method](http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits) which utilizes ebtables and some kernel features.  The method is well-documented there and I won't try to duplicate it. This method is generally more straight forward than doing this on BSD. However, please submit a PR for any additional notes for running on Linux routers.
-
-## VLAN Swap
-
-There is a whole thread on this at [DSLreports](http://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode). The gist of this method is that you connect your ONT, RG and WAN to a switch. Create two VLANs. Assign the ONT and RG to VLAN1 and the WAN to VLAN2. Let the RG authenticate, then change the ONT VLAN to VLAN2. The WAN the DHCPs and your in business.
-
-However, I don't think this works for everyone. I had to explicitly tag my WAN traffic to VLAN0 which wasn't supported on my switch.
-
-## OPNSense / FreeBSD
-For OPNSense 20.1:
-follow the pfSense instructions, EXCEPT:
-1) use file opnatt.sh
-2) do *NOT* install the ng_etf.ko, as OPNSense already has this module installed.
-3) put the opnatt.sh script into `/usr/local/etc/rc.syshook.d/early` as `99-opnatt.sh`
-4) do *NOT* modify config.xml, nor do any of the duid stuff
-5) note: You *CAN* use IPv6 Prefix id 0, as OPNSense does *NOT* assign a routeable IPv6 address to ngeth0
-
-I haven't tried this with native FreeBSD, but I imagine the process is ultimately the same with netgraph. Feel free to submit a PR with notes on your experience.
-
 # References
 
-- http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits
-- https://forum.netgate.com/topic/99190/att-uverse-rg-bypass-0-2-btc/
-- http://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode
-- https://www.dslreports.com/forum/r32127305-True-Bridge-mode-on-pfSense-with-netgraph
-- https://www.dslreports.com/forum/r32116977-AT-T-Fiber-RG-Bypass-pfSense-IPv6
-- http://www.netbsd.org/gallery/presentations/ast/2012_AsiaBSDCon/Tutorial_NETGRAPH.pdf
+- [MonkWho](https://github.com/MonkWho/pfatt) - Many references on his page
 
 # Credits
 
-This took a lot of testing and a lot of hours to figure out. A unique solution was required for this to work in pfSense. If this helped you out, please buy us a coffee.
-
-- [rajl](https://forum.netgate.com/user/rajl) - for the netgraph idea - 1H8CaLNXembfzYGDNq1NykWU3gaKAjm8K5
-- [pyrodex](https://www.dslreports.com/profile/1717952) - for IPv6 - ?
-- [aus](https://github.com/aus) - 31m9ujhbsRRZs4S64njEkw8ksFSTTDcsRU
-- [/u/MisterBazz](https://www.reddit.com/user/MisterBazz/) - [for the initial setup guide on U-verse TV documentation](https://www.reddit.com/r/PFSENSE/comments/ag43rb/att_bgw210_true_independent_bridge_mode_uverse/) that formed the basis for [U-VERSE_TV.md](U-VERSE_TV.md)
-- [0xC0ncord](https://github.com/0xC0ncord) - for the [U-Verse TV Documentation](U-VERSE_TV.md)
+- [MonkWho](https://github.com/MonkWho/pfatt) - For the code that was forked. Other credits on his page
+- [aus](https://github.com/aus) - 31m9ujhbsRRZs4S64njEkw8ksFSTTDcsRU - For the original work
-- 
2.45.2


From a2acf2825abe5e7f979403c7e4108716c84470ca Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 15:45:08 -0600
Subject: [PATCH 11/31] Update README.md

---
 README.md | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index ca8bdaa..36f5c33 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 This repository allows bypassing the AT&T U-Verse fiber gateway using pfSense. This method utilizes [netgraph](https://www.freebsd.org/cgi/man.cgi?netgraph) which is a graph-based kernel networking subsystem of FreeBSD. This low-level solution was required to account for the unique issues surrounding bridging 802.1X traffic and tagging a VLAN with an id of 0. I've tested and confirmed this setup works with AT&T U-Verse Internet on the BGW210-700 residential gateway. It probably works with others too.
 
-The netgraph method will allow you to fully utilize your own router and fully bypass your residential gateway. It survives reboots, re-authentications, IPv6, and new DHCP leases.
+The netgraph method will allow you to fully utilize your own router and fully bypass your residential gateway. It survives reboots, re-authentications, IPv6 and new DHCP leases.
 
 # How it Works
 
@@ -17,35 +17,31 @@ First, let's talk about what happens in the standard setup (without any bypass).
 3. Once traffic is tagged with VLAN0, your residential gateway needs to request a public IPv4 address via DHCP. The MAC address in the DHCP request needs to match that of the MAC address that's assigned to your AT&T account. Other than that, there's nothing special about the DCHPv4 handshake.
 4. After the DHCP lease is issued, the WAN setup is complete. Your LAN traffic is then NAT'd and routed to the outside.
 
-## Bypass Procedure
+## Bypass Procedure: Supplicant Method
+
+### Notes
 
-### Supplicant Method
 If you have valid certs that have been extracted from an authorized residential gateway device, you can utilize the native wpa_supplicant client in pfSense to perform 802.1X EAP-TLS authentication.
 
-I will also note that EAP-TLS authentication authorizes the device, not the subscriber. Meaning, any authorized device (NVG589, NVG599, 5268AC, BGW210, etc) can be used to authorize the link. It does not have to match the RG assigned to your account. For example, an NVG589 purchased of eBay can authorize the link. The subscriber's service is authorized separately (probably by the DHCP MAC and/or ONT serial number).
+Note that EAP-TLS authentication authorizes the device, not the subscriber. Meaning, any authorized device (BGW210) can be used to authorize the link. It does not have to match the residential gateway assigned to your account. For example, a BGW210 purchased of eBay can authorize the link. The subscriber's service is authorized separately (probably by the DHCP MAC and/or ONT serial number).
 
-In supplicant mode, the residential gateway can be permanently disconnected. We will still use netgraph to tag our traffic with VLAN0. Our cabling then looks pretty simple:
+In supplicant mode, the residential gateway can be permanently disconnected. We will use netgraph to tag our traffic with VLAN0 and spoof the MAC address from the residential gateway.
 
-   ```
-  Outside[ONT]---[nic0]pfsense
-   ```
-With netgraph, the procedure also looks a little simpler:
+### Bypass Procedure
 
-netgraph has created an interface for us called ngeth0. This interface is connected to ng_vlan which is configured to tag all traffic as VLAN0 before sending it on to the ONT interface.
+Netgraph creates an interface for us called ngeth0. This interface is connected to vlan0 which is configured to tag all traffic as VLAN0 before sending it on to the ONT interface.
 wpa_supplicant binds to ngeth0 and initiates 802.1X EAP-TLS authentication
 pfSense can then be configured to use ngeth0 as the WAN interface.
 Next, we spoof the MAC address of the residential gateway and request a DHCP lease on ngeth0. The packets get tagged as VLAN0 and exit to the ONT.
 Now the DHCP handshake should complete and we should be on our way!
-Hopefully, that now gives you an idea of what we are trying to accomplish. See the comments and commands bin/pfatt.sh for details about the netgraph setup.
-
-But enough talk. Now for the fun part!
+See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
 ## Prerequisites
 
 * Local or console access to pfSense
 * pfSense 2.4.5 running on amd64 architecture
 * Two physical network interfaces on your pfSense server
-* The MAC address of your EAP-TLS Identity (which is the same as your residential gateway if you are using its certificates)
+* The MAC address of your EAP-TLS Identity (from residential gateway used for certificates)
 * Valid certificates to perform EAP-TLS authentication (see Extracting Certificates)
 
 ## Install
@@ -53,7 +49,6 @@ But enough talk. Now for the fun part!
 1. Edit the following configuration variables in `bin/pfatt.sh` as noted below. `$RG_ETHER_ADDR` should match the MAC address of your Residential Gateway. AT&T will only grant a DHCP lease to the MAC they assigned your device. In my environment, it's:
     ```shell
     ONT_IF='xx0' # NIC -> ONT / Outside
-    RG_IF='xx1'  # NIC -> Residential Gateway's ONT port
     RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' # MAC address of Residential Gateway
     ```
 
-- 
2.45.2


From 8a057af98eafebfe9cd5380b448a9d287e1540b5 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 15:46:45 -0600
Subject: [PATCH 12/31] Update README.md

---
 README.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 36f5c33..77476e4 100644
--- a/README.md
+++ b/README.md
@@ -29,11 +29,12 @@ In supplicant mode, the residential gateway can be permanently disconnected. We
 
 ### Bypass Procedure
 
-Netgraph creates an interface for us called ngeth0. This interface is connected to vlan0 which is configured to tag all traffic as VLAN0 before sending it on to the ONT interface.
-wpa_supplicant binds to ngeth0 and initiates 802.1X EAP-TLS authentication
-pfSense can then be configured to use ngeth0 as the WAN interface.
-Next, we spoof the MAC address of the residential gateway and request a DHCP lease on ngeth0. The packets get tagged as VLAN0 and exit to the ONT.
-Now the DHCP handshake should complete and we should be on our way!
+1. Netgraph creates an interface for us called ngeth0. This interface is connected to vlan0 which is configured to tag all traffic as VLAN0 before sending it on to the ONT interface.
+2. wpa_supplicant binds to ngeth0 and initiates 802.1X EAP-TLS authentication
+3. pfSense can then be configured to use ngeth0 as the WAN interface.
+4. Spoof the MAC address of the residential gateway and request a DHCP lease on ngeth0. The packets get tagged as VLAN0 and exit to the ONT.
+5. Now the DHCP handshake should complete and we should be on our way!
+
 See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
 ## Prerequisites
-- 
2.45.2


From 5baec46e103e9711f7cf38b2a1c3212137ae57d7 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:01:14 -0600
Subject: [PATCH 13/31] Update README.md

---
 README.md | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 77476e4..d0ad451 100644
--- a/README.md
+++ b/README.md
@@ -47,13 +47,13 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
 ## Install
 
-1. Edit the following configuration variables in `bin/pfatt.sh` as noted below. `$RG_ETHER_ADDR` should match the MAC address of your Residential Gateway. AT&T will only grant a DHCP lease to the MAC they assigned your device. In my environment, it's:
+1. Edit the following configuration variables in `bin/pfatt.sh` as noted below. `$RG_ETHER_ADDR` should match the MAC address of your Residential Gateway. AT&T will only grant a DHCP lease to the MAC they assigned your device.
     ```shell
     ONT_IF='xx0' # NIC -> ONT / Outside
     RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' # MAC address of Residential Gateway
     ```
 
-2. Copy `bin/pfatt.sh` to `/root/bin` (or any directory):
+2. Copy `bin/pfatt.sh` to `/root/bin` (or any directory) and make executable:
     ```
     ssh root@pfsense mkdir /root/bin
     scp bin/pfatt.sh root@pfsense:/root/bin/
@@ -92,6 +92,15 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
 If everything is setup correctly, netgraph should be bridging EAP traffic between the ONT and RG, tagging the WAN traffic with VLAN0, and your WAN interface configured with an IPv4 address via DHCP.
 
+## Extracting Certificates
+Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here is a good way to do it using windows: https://github.com/iwleonards/extract-mfg
+
+References
+
+https://www.devicelocksmith.com/2018/12/eap-tls-credentials-decoder-for-nvg-and.html
+https://www.nomotion.net/blog/sharknatto/
+https://github.com/MakiseKurisu/NVG589/wiki
+
 # IPv6 Setup
 
 Once your netgraph setup is in place and working, there aren't any netgraph changes required to the setup to get IPv6 working. These instructions can also be followed with a different bypass method other than the netgraph method. Big thanks to @pyrodex1980's [post](http://www.dslreports.com/forum/r32118263-) on DSLReports for sharing your notes.
-- 
2.45.2


From 861248554b7a70a86571d9fc6aa37ebf2d26ca62 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:11:50 -0600
Subject: [PATCH 14/31] Update README.md

---
 README.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index d0ad451..e25bc55 100644
--- a/README.md
+++ b/README.md
@@ -93,13 +93,13 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 If everything is setup correctly, netgraph should be bridging EAP traffic between the ONT and RG, tagging the WAN traffic with VLAN0, and your WAN interface configured with an IPv4 address via DHCP.
 
 ## Extracting Certificates
-Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here is a good way to do it using windows: https://github.com/iwleonards/extract-mfg
+Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here are instructions to do so with windows by [iwleonards](https://github.com/iwleonards/extract-mfg).
 
-References
+Be careful, you have sole responsibility for not bricking your residential gateway.
 
-https://www.devicelocksmith.com/2018/12/eap-tls-credentials-decoder-for-nvg-and.html
-https://www.nomotion.net/blog/sharknatto/
-https://github.com/MakiseKurisu/NVG589/wiki
+In case they are needed, here are firmware archives:
+[1.0.29 Firmware](https://mega.nz/file/35lBkbzC#MTrKdt57SEuz81Tn3MBKm-o_s1zv643MLmxyKILjsk8)
+[Firmware archive](https://drive.google.com/file/d/1AcP3gbjpZOsnGTFApQOlalLzpjidUDj4/view?usp=drivesdk)
 
 # IPv6 Setup
 
@@ -265,3 +265,4 @@ In some circumstances, pfSense may alter your netgraph. This is especially true
 
 - [MonkWho](https://github.com/MonkWho/pfatt) - For the code that was forked. Other credits on his page
 - [aus](https://github.com/aus) - 31m9ujhbsRRZs4S64njEkw8ksFSTTDcsRU - For the original work
+- [iwleonards](https://github.com/iwleonards/extract-mfg) - Residential gateway certificate extraction
-- 
2.45.2


From 3e164750e8379f8d554c4d60218a2185aeb34278 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:17:51 -0600
Subject: [PATCH 15/31] Update README.md

---
 README.md | 30 ++++--------------------------
 1 file changed, 4 insertions(+), 26 deletions(-)

diff --git a/README.md b/README.md
index e25bc55..0205366 100644
--- a/README.md
+++ b/README.md
@@ -193,7 +193,7 @@ If you don't see traffic being bridged between `ngeth0` and `$ONT_IF`, then netg
 
 ## Promiscuous Mode
 
-`pfatt.sh` will put `$RG_IF` in promiscuous mode via `/sbin/ifconfig $RG_IF promisc`. Otherwise, the EAP packets would not bridge. I think this is necessary for everyone but I'm not sure. Turn it off if it's causing issues.
+`pfatt.sh` will put `$ONT_IF` in promiscuous mode via `/sbin/ifconfig $ONT_IF promisc`. I think this is necessary for everyone but I'm not sure. Turn it off if it's causing issues.
 
 ## netgraph
 
@@ -203,8 +203,6 @@ Your netgraph should look something like this:
 
 ![netgraph](img/netgraph.png)
 
-In this setup, the `ue0` interface is my `$RG_IF` and the `bce0` interface is my `$ONT_IF`. You can generate your own graphviz via `ngctl dot`. Copy the output and paste it at [webgraphviz.com](http://www.webgraphviz.com/).
-
 Try these commands to inspect whether netgraph is configured properly.
 
 1. Confirm kernel modules are loaded with `kldstat -v`. The following modules are required:
@@ -218,48 +216,28 @@ Try these commands to inspect whether netgraph is configured properly.
 2. Issue `ngctl list` to list netgraph nodes. Inspect `pfatt.sh` to verify the netgraph output matches the configuration in the script. It should look similar to this:
 ```
 $ ngctl list
-There are 9 total nodes:
-  Name: o2m             Type: one2many        ID: 000000a0   Num hooks: 3
+There are 5 total nodes:
   Name: vlan0           Type: vlan            ID: 000000a3   Num hooks: 2
   Name: ngeth0          Type: eiface          ID: 000000a6   Num hooks: 1
   Name: <unnamed>       Type: socket          ID: 00000006   Num hooks: 0
   Name: ngctl28740      Type: socket          ID: 000000ca   Num hooks: 0
-  Name: waneapfilter    Type: etf             ID: 000000aa   Num hooks: 2
-  Name: laneapfilter    Type: etf             ID: 000000ae   Num hooks: 3
   Name: bce0            Type: ether           ID: 0000006e   Num hooks: 1
-  Name: ue0             Type: ether           ID: 00000016   Num hooks: 2
-```
-3. Inspect the various nodes and hooks. Example for `ue0`:
-```
-$ ngctl show ue0:
-  Name: ue0             Type: ether           ID: 00000016   Num hooks: 2
-  Local hook      Peer name       Peer type    Peer ID         Peer hook
-  ----------      ---------       ---------    -------         ---------
-  upper           laneapfilter    etf          000000ae        nomatch
-  lower           laneapfilter    etf          000000ae        downstream
 ```
+3. Inspect the various nodes and hooks.
 
 ### Reset netgraph
 
 `pfatt.sh` expects a clean netgraph before it can be ran. To reset a broken netgraph state, try this:
 
 ```shell
-/usr/sbin/ngctl shutdown waneapfilter:
-/usr/sbin/ngctl shutdown laneapfilter:
 /usr/sbin/ngctl shutdown $ONT_IF:
-/usr/sbin/ngctl shutdown $RG_IF:
-/usr/sbin/ngctl shutdown o2m:
 /usr/sbin/ngctl shutdown vlan0:
 /usr/sbin/ngctl shutdown ngeth0:
 ```
 
 ## pfSense
 
-In some circumstances, pfSense may alter your netgraph. This is especially true if pfSense manages either your `$RG_IF` or `$ONT_IF`. If you make some interface changes and your connection breaks, check to see if your netgraph was changed.
-
-# References
-
-- [MonkWho](https://github.com/MonkWho/pfatt) - Many references on his page
+In some circumstances, pfSense may alter your netgraph. This is especially true if pfSense manages either your `$ONT_IF`. If you make some interface changes and your connection breaks, check to see if your netgraph was changed.
 
 # Credits
 
-- 
2.45.2


From f6fe73ea8add4d0d9cd5ee4adad1ae1c9ab489ef Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:21:28 -0600
Subject: [PATCH 16/31] Update README.md

---
 README.md | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 0205366..686fc3b 100644
--- a/README.md
+++ b/README.md
@@ -59,8 +59,17 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     scp bin/pfatt.sh root@pfsense:/root/bin/
     ssh root@pfsense chmod +x /root/bin/pfatt.sh
     ```
-    
-3. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions.
+
+3. Extracting Certificates: 
+Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here are instructions to do so with windows by [iwleonards](https://github.com/iwleonards/extract-mfg).
+
+Be careful, you have sole responsibility for not bricking your residential gateway.
+
+In case they are needed, here are firmware archives:
+* [1.0.29 Firmware](https://mega.nz/file/35lBkbzC#MTrKdt57SEuz81Tn3MBKm-o_s1zv643MLmxyKILjsk8)
+* [Firmware archive](https://drive.google.com/file/d/1AcP3gbjpZOsnGTFApQOlalLzpjidUDj4/view?usp=drivesdk)
+
+4. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions.
       ```
       [2.4.4-RELEASE][root@pfsense.knox.lan]/conf/pfatt/wpa: ls -al
       total 19
@@ -71,7 +80,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
       -rw-------  1 root  wheel   887 Jan 10 16:32 private.pem
       ```
     
-4. To start pfatt.sh script at the beginning of the boot process pfSense team recomments you use a package called shellcmd. Use pfSense package installer to find and install it. Once you have shellcmd package installed you can find it in Services > Shellcmd. Now add a new command and fill it up accordingly (make sure to select earlyshellcmd from a dropdown):
+5. To start pfatt.sh script at the beginning of the boot process pfSense team recomments you use a package called shellcmd. Use pfSense package installer to find and install it. Once you have shellcmd package installed you can find it in Services > Shellcmd. Now add a new command and fill it up accordingly (make sure to select earlyshellcmd from a dropdown):
     ```
     Command: /root/bin/pfatt.sh
     Shellcmd Type: earlyshellcmd
@@ -81,26 +90,17 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
     This can also be acomplished by manually editing your pfSense /conf/config.xml file. Add <earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd> above </system>. This method is not recommended and is frowned upon by pfSense team.
 
-5. Connect cables:
+6. Connect cables:
     - `$ONT_IF` to ONT (outside)
     - `LAN NIC` to local switch (as normal)
 
-6. Prepare for console access.
-7. Reboot.
-8. pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure `ngeth0` as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage `$RG_IF` or `$ONT_IF`. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph.
-9. In the webConfigurator, configure the  WAN interface (`ngeth0`) to DHCP using the MAC address of your Residential Gateway.
+7. Prepare for console access.
+8. Reboot.
+9. pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure `ngeth0` as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage `$RG_IF` or `$ONT_IF`. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph.
+10. In the webConfigurator, configure the  WAN interface (`ngeth0`) to DHCP using the MAC address of your Residential Gateway.
 
 If everything is setup correctly, netgraph should be bridging EAP traffic between the ONT and RG, tagging the WAN traffic with VLAN0, and your WAN interface configured with an IPv4 address via DHCP.
 
-## Extracting Certificates
-Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here are instructions to do so with windows by [iwleonards](https://github.com/iwleonards/extract-mfg).
-
-Be careful, you have sole responsibility for not bricking your residential gateway.
-
-In case they are needed, here are firmware archives:
-[1.0.29 Firmware](https://mega.nz/file/35lBkbzC#MTrKdt57SEuz81Tn3MBKm-o_s1zv643MLmxyKILjsk8)
-[Firmware archive](https://drive.google.com/file/d/1AcP3gbjpZOsnGTFApQOlalLzpjidUDj4/view?usp=drivesdk)
-
 # IPv6 Setup
 
 Once your netgraph setup is in place and working, there aren't any netgraph changes required to the setup to get IPv6 working. These instructions can also be followed with a different bypass method other than the netgraph method. Big thanks to @pyrodex1980's [post](http://www.dslreports.com/forum/r32118263-) on DSLReports for sharing your notes.
-- 
2.45.2


From db2ffe6a1051d36f5ea78d6fa76540a63caf6d69 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:22:55 -0600
Subject: [PATCH 17/31] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 686fc3b..3a77d7c 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     ssh root@pfsense chmod +x /root/bin/pfatt.sh
     ```
 
-3. Extracting Certificates: 
+3. Extracting Certificates:
 Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here are instructions to do so with windows by [iwleonards](https://github.com/iwleonards/extract-mfg).
 
 Be careful, you have sole responsibility for not bricking your residential gateway.
-- 
2.45.2


From cf0555f07e1a89c3e9ab3cf1af54abdf92e21c4d Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:24:19 -0600
Subject: [PATCH 18/31] Update README.md

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 3a77d7c..8c9bd93 100644
--- a/README.md
+++ b/README.md
@@ -61,13 +61,13 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     ```
 
 3. Extracting Certificates:
-Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here are instructions to do so with windows by [iwleonards](https://github.com/iwleonards/extract-mfg).
+    Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here are instructions to do so with windows by [iwleonards](https://github.com/iwleonards/extract-mfg).
 
-Be careful, you have sole responsibility for not bricking your residential gateway.
+    Be careful, you have sole responsibility for not bricking your residential gateway.
 
-In case they are needed, here are firmware archives:
-* [1.0.29 Firmware](https://mega.nz/file/35lBkbzC#MTrKdt57SEuz81Tn3MBKm-o_s1zv643MLmxyKILjsk8)
-* [Firmware archive](https://drive.google.com/file/d/1AcP3gbjpZOsnGTFApQOlalLzpjidUDj4/view?usp=drivesdk)
+    In case they are needed, here are firmware archives:
+    * [1.0.29 Firmware](https://mega.nz/file/35lBkbzC#MTrKdt57SEuz81Tn3MBKm-o_s1zv643MLmxyKILjsk8)
+    * [Firmware archive](https://drive.google.com/file/d/1AcP3gbjpZOsnGTFApQOlalLzpjidUDj4/view?usp=drivesdk)
 
 4. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions.
       ```
-- 
2.45.2


From 0c5a3da28f2308922b068cd74dbbf25bfbeba379 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:25:57 -0600
Subject: [PATCH 19/31] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8c9bd93..8bd29e6 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     It should look like this:
     ![Shellcmd Settings](img/Shellcmd.png)
 
-    This can also be acomplished by manually editing your pfSense /conf/config.xml file. Add <earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd> above </system>. This method is not recommended and is frowned upon by pfSense team.
+    This can also be accomplished by manually editing your pfSense /conf/config.xml file. Add <earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd> above </system>. This method is not recommended and is frowned upon by pfSense team.
 
 6. Connect cables:
     - `$ONT_IF` to ONT (outside)
-- 
2.45.2


From 95266a258d2e225a7b87ddf337cc93010ef7b12a Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 16:31:06 -0600
Subject: [PATCH 20/31] Update README.md

---
 README.md | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 8bd29e6..7276dbf 100644
--- a/README.md
+++ b/README.md
@@ -96,7 +96,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
 7. Prepare for console access.
 8. Reboot.
-9. pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure `ngeth0` as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage `$RG_IF` or `$ONT_IF`. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph.
+9. pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure `ngeth0` as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage `$ONT_IF`. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph.
 10. In the webConfigurator, configure the  WAN interface (`ngeth0`) to DHCP using the MAC address of your Residential Gateway.
 
 If everything is setup correctly, netgraph should be bridging EAP traffic between the ONT and RG, tagging the WAN traffic with VLAN0, and your WAN interface configured with an IPv4 address via DHCP.
@@ -160,22 +160,11 @@ Output from `pfatt.sh` and `pfatt-5268AC.sh` can be found in `/var/log/pfatt.log
 
 ## tcpdump
 
-Use tcpdump to watch the authentication, vlan and dhcp bypass process (see above). Run tcpdumps on the `$ONT_IF` interface and the `$RG_IF` interface:
+Use tcpdump to watch the authentication, vlan and dhcp bypass process (see above). Run tcpdumps on the `$ONT_IF` interface:
 ```
 tcpdump -ei $ONT_IF
-tcpdump -ei $RG_IF
 ```
-
-Restart your Residential Gateway. From the `$RG_IF` interface, you should see some EAPOL starts like this:
-```
-MAC (oui Unknown) > MAC (oui Unknown), ethertype EAPOL (0x888e), length 60: POL start
-```
-
-If you don't see these, make sure you're connected to the ONT port.
-
-These packets come every so often. I think the RG does some backoff / delay if doesn't immediately auth correctly. You can always reboot your RG to initiate the authentication again.
-
-If your netgraph is setup correctly, the EAP start packet from the `$RG_IF` will be bridged onto your `$ONT_IF` interface. Then you should see some more EAP packets from the `$ONT_IF` interface and `$RG_IF` interface as they negotiate 802.1/X EAP authentication.
+You should see some more EAP packets from the `$ONT_IF` interface as it negotiates 802.1/X EAP authentication.
 
 Once that completes, watch `$ONT_IF` and `ngeth0` for DHCP traffic.
 ```
-- 
2.45.2


From 91e50a2403c817c8cb5483d88b6c89eda15618b8 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 17:28:14 -0600
Subject: [PATCH 21/31] Update README.md

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 7276dbf..626a7e2 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,9 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     ```shell
     ONT_IF='xx0' # NIC -> ONT / Outside
     RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' # MAC address of Residential Gateway
+    CA_PEM='insert filename.pem' # File name of gateway certificate
+    CLIENT_PEM='insert filename.pem' # File name of gateway certificate
+    PRIVATE_PEM='insert filename.pem' # File name of gateway certificate
     ```
 
 2. Copy `bin/pfatt.sh` to `/root/bin` (or any directory) and make executable:
-- 
2.45.2


From 1e8fd51835982c591e316c8ec9c296dcd5f6a27f Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 17:59:00 -0600
Subject: [PATCH 22/31] Update pfatt.sh

---
 bin/pfatt.sh | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)

diff --git a/bin/pfatt.sh b/bin/pfatt.sh
index f08bfb0..e2c4fd9 100755
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
@@ -3,6 +3,10 @@ set -e
 
 ONT_IF='xx0'
 RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
+CA_PEM='insert filename.pem'
+CLIENT_PEM='insert filename.pem'
+PRIVATE_PEM='insert filename.pem'
+
 LOG=/var/log/pfatt.log
 
 getTimestamp(){
@@ -37,7 +41,93 @@ getTimestamp(){
     echo -n "$(getTimestamp) enabling promiscuous mode on $ONT_IF... "
     /sbin/ifconfig $ONT_IF promisc
     echo "OK!"
+    
+    # Enable this if Need to map physical port to RG MAC address:
+    # echo -n "$(getTimestamp) mapping physical port to RG MAC address... "
+    # /sbin/ifconfig $ONT_IF ether $RG_ETHER_ADDR
+    # echo "OK!"
 
     echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"
     echo "$(getTimestamp) done!"
 } >> $LOG
+
+
+## Added code
+
+    echo "$(getTimestamp) starting wpa_supplicant..."
+
+    WPA_PARAMS="\
+        set eapol_version 1,\
+        set fast_reauth 1,\
+        ap_scan 0,\
+        add_network,\
+        set_network 0 ca_cert \\\"/conf/pfatt/wpa/$CA_PEM\\\",\
+        set_network 0 client_cert \\\"/conf/pfatt/wpa/$CLIENT_PEM\\\",\
+        set_network 0 eap TLS,\
+        set_network 0 eapol_flags 0,\
+        set_network 0 identity \\\"$RG_ETHER_ADDR\\\",\
+        set_network 0 key_mgmt IEEE8021X,\
+        set_network 0 phase1 \\\"allow_canned_success=1\\\",\
+        set_network 0 private_key \\\"/conf/pfatt/wpa/$PRIVATE_PEM\\\",\
+        enable_network 0\
+    "
+
+    WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -ingeth0 -B -C /var/run/wpa_supplicant"
+    # if the above doesn't work try: WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"
+
+    # kill any existing wpa_supplicant process
+    PID=$(pgrep -f "wpa_supplicant.*ngeth0")
+    if [ ${PID} > 0 ];
+    then
+        echo "$(getTimestamp) pfatt terminating existing wpa_supplicant on PID ${PID}..."
+        RES=$(kill ${PID})
+    fi
+
+    # start wpa_supplicant daemon
+    RES=$(${WPA_DAEMON_CMD})
+    PID=$(pgrep -f "wpa_supplicant.*ngeth0")
+    echo "$(getTimestamp) pfatt wpa_supplicant running on PID ${PID}..."
+
+    # Set WPA configuration parameters.
+    echo "$(getTimestamp) pfatt setting wpa_supplicant network configuration..."
+    IFS=","
+    for STR in ${WPA_PARAMS};
+    do
+        STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
+        RES=$(eval wpa_cli ${STR})
+    done
+
+    # wait until wpa_cli has authenticated.
+    WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
+    IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
+
+    echo "$(getTimestamp) pfatt waiting EAP for authorization..."
+
+    # TODO: blocking for bootup
+    while true;
+    do
+        WPA_STATUS=$(eval ${WPA_STATUS_CMD})
+        if [ X${WPA_STATUS} = X"Authorized" ];
+        then
+        echo "$(getTimestamp) pfatt EAP authorization completed..."
+
+        IP_STATUS=$(eval ${IP_STATUS_CMD})
+
+        if [ -z ${IP_STATUS} ] || [ ${IP_STATUS} = "0.0.0.0" ];
+        then
+            echo "$(getTimestamp) pfatt no IP address assigned, force restarting DHCP..."
+            RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
+            IP_STATUS=$(eval ${IP_STATUS_CMD})
+        fi
+        echo "$(getTimestamp) pfatt IP address is ${IP_STATUS}..."
+        break
+        else
+            sleep 1
+        fi
+    done
+    echo "$(getTimestamp) pfatt ngeth0 should now be available to configure as your WAN..."
+    echo "$(getTimestamp) pfatt done!"
+    else
+    echo "$(getTimestamp) pfatt error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..."
+    exit 1
+    fi
-- 
2.45.2


From a5c103fd5ce0458685636e53d7f58a24c818f324 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 18:12:13 -0600
Subject: [PATCH 23/31] Update pfatt.sh

---
 bin/pfatt.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bin/pfatt.sh b/bin/pfatt.sh
index e2c4fd9..0fd63c3 100755
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
@@ -54,6 +54,7 @@ getTimestamp(){
 
 ## Added code
 
+{
     echo "$(getTimestamp) starting wpa_supplicant..."
 
     WPA_PARAMS="\
@@ -131,3 +132,4 @@ getTimestamp(){
     echo "$(getTimestamp) pfatt error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..."
     exit 1
     fi
+} >> $LOG
-- 
2.45.2


From 3a73f7c43feb72777dde28b96cd70dce480b7f12 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 18:16:29 -0600
Subject: [PATCH 24/31] Update pfatt.sh

---
 bin/pfatt.sh | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/bin/pfatt.sh b/bin/pfatt.sh
index 0fd63c3..0927b8c 100755
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
@@ -127,9 +127,5 @@ getTimestamp(){
         fi
     done
     echo "$(getTimestamp) pfatt ngeth0 should now be available to configure as your WAN..."
-    echo "$(getTimestamp) pfatt done!"
-    else
-    echo "$(getTimestamp) pfatt error: unknown EAP_MODE. '$EAP_MODE' is not valid. exiting..."
-    exit 1
-    fi
+    echo "$(getTimestamp) pfatt done!"    
 } >> $LOG
-- 
2.45.2


From 302477544d87a9ee46756f41d558df9ba7f17d49 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 19:25:54 -0600
Subject: [PATCH 25/31] Update pfatt.sh

---
 bin/pfatt.sh | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/bin/pfatt.sh b/bin/pfatt.sh
index 0927b8c..34cb2cb 100755
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
@@ -28,8 +28,7 @@ getTimestamp(){
     echo -n "$(getTimestamp)   creating vlan node and interface... "
     /usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream
     /usr/sbin/ngctl name $ONT_IF:lower vlan0
-    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
-    
+    /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether    
     /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
     /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR
     echo "OK!" 
@@ -47,14 +46,8 @@ getTimestamp(){
     # /sbin/ifconfig $ONT_IF ether $RG_ETHER_ADDR
     # echo "OK!"
 
-    echo "$(getTimestamp) ngeth0 should now be available to configure as your pfSense WAN"
-    echo "$(getTimestamp) done!"
-} >> $LOG
-
-
 ## Added code
 
-{
     echo "$(getTimestamp) starting wpa_supplicant..."
 
     WPA_PARAMS="\
@@ -77,34 +70,39 @@ getTimestamp(){
     # if the above doesn't work try: WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"
 
     # kill any existing wpa_supplicant process
+	echo -n "$(getTimestamp) killing any existing wpa_supplicant process... "
     PID=$(pgrep -f "wpa_supplicant.*ngeth0")
     if [ ${PID} > 0 ];
     then
         echo "$(getTimestamp) pfatt terminating existing wpa_supplicant on PID ${PID}..."
         RES=$(kill ${PID})
     fi
+    echo "OK!"
 
     # start wpa_supplicant daemon
+	echo -n "$(getTimestamp) starting wpa_supplicant daemon... "
     RES=$(${WPA_DAEMON_CMD})
     PID=$(pgrep -f "wpa_supplicant.*ngeth0")
     echo "$(getTimestamp) pfatt wpa_supplicant running on PID ${PID}..."
 
     # Set WPA configuration parameters.
-    echo "$(getTimestamp) pfatt setting wpa_supplicant network configuration..."
+    echo -n "$(getTimestamp) pfatt setting wpa_supplicant network configuration..."
     IFS=","
     for STR in ${WPA_PARAMS};
     do
         STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
         RES=$(eval wpa_cli ${STR})
     done
+	echo "OK!"
 
     # wait until wpa_cli has authenticated.
+	echo -n "$(getTimestamp) waiting until wpa_cli has authenticated..."
     WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
     IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
+	echo "OK!"
 
-    echo "$(getTimestamp) pfatt waiting EAP for authorization..."
-
-    # TODO: blocking for bootup
+    # Get authorization
+	echo "$(getTimestamp) pfatt waiting EAP for authorization..."
     while true;
     do
         WPA_STATUS=$(eval ${WPA_STATUS_CMD})
@@ -126,6 +124,7 @@ getTimestamp(){
             sleep 1
         fi
     done
-    echo "$(getTimestamp) pfatt ngeth0 should now be available to configure as your WAN..."
-    echo "$(getTimestamp) pfatt done!"    
+	
+	echo "$(getTimestamp) All done... ngeth0 should now be available to configure as your pfSense WAN"
+
 } >> $LOG
-- 
2.45.2


From cc192dcf7f0f73984f17c1c37565919ce6cb5a74 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Wed, 30 Dec 2020 22:51:00 -0600
Subject: [PATCH 26/31] Update README.md

---
 README.md | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 626a7e2..eccf809 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ First, let's talk about what happens in the standard setup (without any bypass).
 
 If you have valid certs that have been extracted from an authorized residential gateway device, you can utilize the native wpa_supplicant client in pfSense to perform 802.1X EAP-TLS authentication.
 
-Note that EAP-TLS authentication authorizes the device, not the subscriber. Meaning, any authorized device (BGW210) can be used to authorize the link. It does not have to match the residential gateway assigned to your account. For example, a BGW210 purchased of eBay can authorize the link. The subscriber's service is authorized separately (probably by the DHCP MAC and/or ONT serial number).
+Note that EAP-TLS authentication authorizes the device, not the subscriber. Meaning, any authorized device (e.g., BGW210) can be used to authorize the link. It does not have to match the residential gateway assigned to your account. For example, a BGW210 purchased of eBay can authorize the link. The subscriber's service is authorized separately (probably by the DHCP MAC and/or ONT serial number).
 
 In supplicant mode, the residential gateway can be permanently disconnected. We will use netgraph to tag our traffic with VLAN0 and spoof the MAC address from the residential gateway.
 
@@ -51,9 +51,9 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     ```shell
     ONT_IF='xx0' # NIC -> ONT / Outside
     RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx' # MAC address of Residential Gateway
-    CA_PEM='insert filename.pem' # File name of gateway certificate
-    CLIENT_PEM='insert filename.pem' # File name of gateway certificate
-    PRIVATE_PEM='insert filename.pem' # File name of gateway certificate
+    CA_PEM='xxx.pem' # Replace xxx with file name of gateway certificate
+    CLIENT_PEM='xxx.pem' # Replace xxx with file name of gateway certificate
+    PRIVATE_PEM='xxx.pem' # Replace xxx with file name of gateway certificate
     ```
 
 2. Copy `bin/pfatt.sh` to `/root/bin` (or any directory) and make executable:
@@ -64,7 +64,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     ```
 
 3. Extracting Certificates:
-    Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here are instructions to do so with windows by [iwleonards](https://github.com/iwleonards/extract-mfg).
+    Certificates can be extracted by the exploitation of the residential gateway to get a root shell. Here are instructions to do so in windows by [iwleonards](https://github.com/iwleonards/extract-mfg).
 
     Be careful, you have sole responsibility for not bricking your residential gateway.
 
@@ -72,7 +72,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     * [1.0.29 Firmware](https://mega.nz/file/35lBkbzC#MTrKdt57SEuz81Tn3MBKm-o_s1zv643MLmxyKILjsk8)
     * [Firmware archive](https://drive.google.com/file/d/1AcP3gbjpZOsnGTFApQOlalLzpjidUDj4/view?usp=drivesdk)
 
-4. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions.
+4. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions. Do this with `sudo chmod -R 0600 /conf/pfatt/wpa`
       ```
       [2.4.4-RELEASE][root@pfsense.knox.lan]/conf/pfatt/wpa: ls -al
       total 19
@@ -98,8 +98,11 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     - `LAN NIC` to local switch (as normal)
 
 7. Prepare for console access.
+
 8. Reboot.
+
 9. pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure `ngeth0` as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage `$ONT_IF`. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph.
+
 10. In the webConfigurator, configure the  WAN interface (`ngeth0`) to DHCP using the MAC address of your Residential Gateway.
 
 If everything is setup correctly, netgraph should be bridging EAP traffic between the ONT and RG, tagging the WAN traffic with VLAN0, and your WAN interface configured with an IPv4 address via DHCP.
-- 
2.45.2


From d1e36a8f6f5cd3240d52735edcc8f3145d1d61e3 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Fri, 1 Jan 2021 05:03:59 -0600
Subject: [PATCH 27/31] Update pfatt.sh

---
 bin/pfatt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/pfatt.sh b/bin/pfatt.sh
index 34cb2cb..ff42696 100755
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-ONT_IF='xx0'
+ONT_IF='igb0'
 RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
 CA_PEM='insert filename.pem'
 CLIENT_PEM='insert filename.pem'
-- 
2.45.2


From 5e74390abb2472c05bc6f0cb98343fe4176cf5e6 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Fri, 8 Jan 2021 17:00:03 -0600
Subject: [PATCH 28/31] Update pfatt.sh

---
 bin/pfatt.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/bin/pfatt.sh b/bin/pfatt.sh
index ff42696..19c2f77 100755
--- a/bin/pfatt.sh
+++ b/bin/pfatt.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 set -e
 
-ONT_IF='igb0'
+ONT_IF='xxx0'
 RG_ETHER_ADDR='xx:xx:xx:xx:xx:xx'
-CA_PEM='insert filename.pem'
-CLIENT_PEM='insert filename.pem'
-PRIVATE_PEM='insert filename.pem'
+CA_PEM='xxx.pem'
+CLIENT_PEM='xxx.pem'
+PRIVATE_PEM='xxx.pem'
 
 LOG=/var/log/pfatt.log
 
-- 
2.45.2


From 490191aca1b01f02bd4faa3d586544bde1c166c3 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Sun, 16 May 2021 00:49:44 -0500
Subject: [PATCH 29/31] Updated readme

---
 README.md | 46 +++++++++++++++++-----------------------------
 1 file changed, 17 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md
index eccf809..8df8ab2 100644
--- a/README.md
+++ b/README.md
@@ -4,22 +4,17 @@ This repository allows bypassing the AT&T U-Verse fiber gateway using pfSense. T
 
 The netgraph method will allow you to fully utilize your own router and fully bypass your residential gateway. It survives reboots, re-authentications, IPv6 and new DHCP leases.
 
-# How it Works
+# Bypass Procedure
 
-Before continuing to the setup, it's important to understand how this method works. This will make configuration and troubleshooting much easier.
+## Prerequisites
 
-## Standard Procedure
+* Local or console access to pfSense
+* pfSense 2.5.1+ running on amd64 architecture
+* Two physical network interfaces on your pfSense server
+* The MAC address of your EAP-TLS Identity (from residential gateway used for certificates)
+* Valid certificates to perform EAP-TLS authentication (see Extracting Certificates)
 
-First, let's talk about what happens in the standard setup (without any bypass). At a high level, the following process happens when the gateway boots up:
-
-1. All traffic on the ONT is protected with [802.1/X](https://en.wikipedia.org/wiki/IEEE_802.1X). So in order to talk to anything, the Router Gateway must first perform the [authentication procedure](https://en.wikipedia.org/wiki/IEEE_802.1X#Typical_authentication_progression). This process uses a unique certificate that is hardcoded on your residential gateway.
-2. Once the authentication completes, you'll be able to properly "talk" to the outside. However, all of your traffic will need to be tagged with VLAN ID 0 (a.k.a. VLAN Priority Tagging<sup>[[1]](https://wikipedia.org/wiki/IEEE_802.1Q#Frame_format)[[2]](https://www.cisco.com/c/en/us/td/docs/switches/connectedgrid/cg-switch-sw-master/software/configuration/guide/vlan0/b_vlan_0.html)</sup>) before the IP gateway will respond.
-3. Once traffic is tagged with VLAN0, your residential gateway needs to request a public IPv4 address via DHCP. The MAC address in the DHCP request needs to match that of the MAC address that's assigned to your AT&T account. Other than that, there's nothing special about the DCHPv4 handshake.
-4. After the DHCP lease is issued, the WAN setup is complete. Your LAN traffic is then NAT'd and routed to the outside.
-
-## Bypass Procedure: Supplicant Method
-
-### Notes
+## Notes
 
 If you have valid certs that have been extracted from an authorized residential gateway device, you can utilize the native wpa_supplicant client in pfSense to perform 802.1X EAP-TLS authentication.
 
@@ -27,7 +22,9 @@ Note that EAP-TLS authentication authorizes the device, not the subscriber. Mean
 
 In supplicant mode, the residential gateway can be permanently disconnected. We will use netgraph to tag our traffic with VLAN0 and spoof the MAC address from the residential gateway.
 
-### Bypass Procedure
+## High Level Steps
+
+Before continuing to the setup, it's important to understand how this method works. This will make configuration and troubleshooting much easier.
 
 1. Netgraph creates an interface for us called ngeth0. This interface is connected to vlan0 which is configured to tag all traffic as VLAN0 before sending it on to the ONT interface.
 2. wpa_supplicant binds to ngeth0 and initiates 802.1X EAP-TLS authentication
@@ -37,15 +34,7 @@ In supplicant mode, the residential gateway can be permanently disconnected. We
 
 See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
-## Prerequisites
-
-* Local or console access to pfSense
-* pfSense 2.4.5 running on amd64 architecture
-* Two physical network interfaces on your pfSense server
-* The MAC address of your EAP-TLS Identity (from residential gateway used for certificates)
-* Valid certificates to perform EAP-TLS authentication (see Extracting Certificates)
-
-## Install
+## Detailed Steps
 
 1. Edit the following configuration variables in `bin/pfatt.sh` as noted below. `$RG_ETHER_ADDR` should match the MAC address of your Residential Gateway. AT&T will only grant a DHCP lease to the MAC they assigned your device.
     ```shell
@@ -74,7 +63,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
 4. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions. Do this with `sudo chmod -R 0600 /conf/pfatt/wpa`
       ```
-      [2.4.4-RELEASE][root@pfsense.knox.lan]/conf/pfatt/wpa: ls -al
+      [2.5.1-RELEASE][root@pfsense.knox.lan]/conf/pfatt/wpa: ls -al
       total 19
       drwxr-xr-x  2 root  wheel     5 Jan 10 16:32 .
       drwxr-xr-x  4 root  wheel     5 Jan 10 16:33 ..
@@ -83,7 +72,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
       -rw-------  1 root  wheel   887 Jan 10 16:32 private.pem
       ```
     
-5. To start pfatt.sh script at the beginning of the boot process pfSense team recomments you use a package called shellcmd. Use pfSense package installer to find and install it. Once you have shellcmd package installed you can find it in Services > Shellcmd. Now add a new command and fill it up accordingly (make sure to select earlyshellcmd from a dropdown):
+5. To start pfatt.sh script at the beginning of the boot process pfSense team recommends you use a package called shellcmd. Use pfSense package installer to find and install it. Once you have shellcmd package installed you can find it in Services > Shellcmd. Now add a new command and fill it up accordingly (make sure to select earlyshellcmd from a dropdown):
     ```
     Command: /root/bin/pfatt.sh
     Shellcmd Type: earlyshellcmd
@@ -91,7 +80,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     It should look like this:
     ![Shellcmd Settings](img/Shellcmd.png)
 
-    This can also be accomplished by manually editing your pfSense /conf/config.xml file. Add <earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd> above </system>. This method is not recommended and is frowned upon by pfSense team.
+    This can also be accomplished by manually editing your pfSense /conf/config.xml file. Add <earlyshellcmd>/root/bin/pfatt.sh</earlyshellcmd> above. This method is not recommended and is frowned upon by pfSense team.
 
 6. Connect cables:
     - `$ONT_IF` to ONT (outside)
@@ -111,7 +100,7 @@ If everything is setup correctly, netgraph should be bridging EAP traffic betwee
 
 Once your netgraph setup is in place and working, there aren't any netgraph changes required to the setup to get IPv6 working. These instructions can also be followed with a different bypass method other than the netgraph method. Big thanks to @pyrodex1980's [post](http://www.dslreports.com/forum/r32118263-) on DSLReports for sharing your notes.
 
-This setup assumes you have a fairly recent version of pfSense. I'm using 2.4.5.
+This setup assumes you have a fairly recent version of pfSense. I'm using 2.5.1.
 
 **DUID Setup**
 
@@ -220,7 +209,7 @@ There are 5 total nodes:
 ```
 3. Inspect the various nodes and hooks.
 
-### Reset netgraph
+## Reset netgraph
 
 `pfatt.sh` expects a clean netgraph before it can be ran. To reset a broken netgraph state, try this:
 
@@ -236,6 +225,5 @@ In some circumstances, pfSense may alter your netgraph. This is especially true
 
 # Credits
 
-- [MonkWho](https://github.com/MonkWho/pfatt) - For the code that was forked. Other credits on his page
 - [aus](https://github.com/aus) - 31m9ujhbsRRZs4S64njEkw8ksFSTTDcsRU - For the original work
 - [iwleonards](https://github.com/iwleonards/extract-mfg) - Residential gateway certificate extraction
-- 
2.45.2


From 204abbe605e5c2813311b7be8df69164c9be58ef Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Sun, 20 Feb 2022 10:51:11 -0600
Subject: [PATCH 30/31] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8df8ab2..267db10 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
     Be careful, you have sole responsibility for not bricking your residential gateway.
 
     In case they are needed, here are firmware archives:
-    * [1.0.29 Firmware](https://mega.nz/file/35lBkbzC#MTrKdt57SEuz81Tn3MBKm-o_s1zv643MLmxyKILjsk8)
+    * [1.0.29 Firmware](https://drive.google.com/file/d/1VYxpTu9m3cLIv8vCTzs_ccFAblJjH8c0/view?usp=sharing)
     * [Firmware archive](https://drive.google.com/file/d/1AcP3gbjpZOsnGTFApQOlalLzpjidUDj4/view?usp=drivesdk)
 
 4. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions. Do this with `sudo chmod -R 0600 /conf/pfatt/wpa`
-- 
2.45.2


From afb48421c818710214aac655f4a38e09d5e5b360 Mon Sep 17 00:00:00 2001
From: Greg Revelle <31642433+grevelle@users.noreply.github.com>
Date: Sun, 20 Feb 2022 11:02:58 -0600
Subject: [PATCH 31/31] Update README.md

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 267db10..bd15927 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ See the comments and commands bin/pfatt.sh for details about the netgraph setup.
 
 4. Upload your extracted certs (see Extracting Certificates) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions. Do this with `sudo chmod -R 0600 /conf/pfatt/wpa`
       ```
-      [2.5.1-RELEASE][root@pfsense.knox.lan]/conf/pfatt/wpa: ls -al
+      [2.5.2-RELEASE][root@pfsense.knox.lan]/conf/pfatt/wpa: ls -al
       total 19
       drwxr-xr-x  2 root  wheel     5 Jan 10 16:32 .
       drwxr-xr-x  4 root  wheel     5 Jan 10 16:33 ..
@@ -100,7 +100,7 @@ If everything is setup correctly, netgraph should be bridging EAP traffic betwee
 
 Once your netgraph setup is in place and working, there aren't any netgraph changes required to the setup to get IPv6 working. These instructions can also be followed with a different bypass method other than the netgraph method. Big thanks to @pyrodex1980's [post](http://www.dslreports.com/forum/r32118263-) on DSLReports for sharing your notes.
 
-This setup assumes you have a fairly recent version of pfSense. I'm using 2.5.1.
+This setup assumes you have a fairly recent version of pfSense. I'm using 2.5.2.
 
 **DUID Setup**
 
-- 
2.45.2