I'm assuming you already know what this project is. The original repo disappeared for some reason. The original project has two modes, bridge mode and supplicant mode. I have no interest in the older proxy-based method, but (for now) it remains here.
If you want any of the stuff in the original repo's readme, see README-orig.md.
I assume you already have certificates extracted. If not, head over to eBay or do some Googling to figure it out.
- Grab this repo to your local machine.
git clone https://github.com/ReimuHakurei/pfatt
-
Next, edit all configuration variables in
pfatt.sh
. -
Upload the pfatt directory to
/conf
on your pfSense box.
scp -r pfatt root@pfsense:/conf/
- Upload your extracted certs (from EAP-TLS_8021x_xxxxxx-xxxxxxxxxxxxxxx.tar.gz or otherwise) to
/conf/pfatt/wpa
. You should have three files in the wpa directory as such. You may also need to match the permissions.
[2.4.4-RELEASE][[email protected]]/conf/pfatt/wpa: ls -al
total 19
drwxr-xr-x 2 root wheel 5 Jan 10 16:32 .
drwxr-xr-x 4 root wheel 5 Jan 10 16:33 ..
-rw------- 1 root wheel 5150 Jan 10 16:32 ca.pem
-rw------- 1 root wheel 1123 Jan 10 16:32 client.pem
-rw------- 1 root wheel 887 Jan 10 16:32 private.pem
-
Edit your
/conf/config.xml
to include<earlyshellcmd>/conf/pfatt/bin/pfatt.sh</earlyshellcmd>
above</system>
. -
Connect cables
$ONT_IF
to ONT (outside)LAN NIC
to local switch (as normal)
-
Prepare for console access.
-
Reboot.
-
pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure
ngeth0
as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage$EAP_BRIDGE_IF
or$ONT_IF
. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph. -
In the webConfigurator, configure the WAN interface (
ngeth0
) to DHCP using the MAC address of your Residential Gateway.
If everything is setup correctly, EAP authentication should complete. Netgraph should be tagging the WAN traffic with VLAN0, and your WAN interface is configured with a public IPv4 address via DHCP.
User @KhoasT posted instructions for dumping the NAND. See the comment on devicelocksmith's site here.
Once your netgraph setup is in place and working, there aren't any netgraph changes required to the setup to get IPv6 working. These instructions can also be followed with a different bypass method other than the netgraph method. Big thanks to @pyrodex1980's post on DSLReports for sharing your notes.
This setup assumes you have a fairly recent version of pfSense. I'm using 2.4.4.
DUID Setup
- Go to System > Advanced > Networking
- Configure DHCP6 DUID to DUID-EN
- Configure DUID-EN to 3561
- Configure your IANA Private Enterprise Number. This number is unique for each customer and (I believe) based off your Residential Gateway serial number. You can generate your DUID using gen-duid.sh, which just takes a few inputs. Or, you can take a pcap of the Residential Gateway with some DHCPv6 traffic. Then fire up Wireshark and look for the value in DHCPv6 > Client Identifier > Identifier. Add the value as colon separated hex values
00:00:00
. - Save
WAN Setup
- Go to Interfaces > WAN
- Enable IPv6 Configuration Type as DHCP6
- Scroll to DCHP6 Client Configuration
- Enable DHCPv6 Prefix Delegation size as 60
- Enable Send IPv6 prefix hint
- Enable Do not wait for a RA
- Save
LAN Setup
- Go to Interfaces > LAN
- Change the IPv6 Configuration Type to Track Interface
- Under Track IPv6 Interface, assign IPv6 Interface to your WAN interface.
- Configure IPv6 Prefix ID to 1. We start at 1 and not 0 because pfSense will use prefix/address ID 0 for itself and it seems AT&T is flakey about assigning IPv6 prefixes when a request is made with a prefix ID that matches the prefix/address ID of the router.
- Save
If you have additional LAN interfaces repeat these steps for each interface except be sure to provide an IPv6 Prefix ID that is not 0 and is unique among the interfaces you've configured so far.
DHCPv6 Server & RA
- Go to Services > DHCPv6 Server & RA
- Enable DHCPv6 server on interface LAN
- Configure a range of ::0001 to ::ffff:ffff:ffff:fffe
- Configure a Prefix Delegation Range to 64
- Save
- Go to the Router Advertisements tab
- Configure Router mode as Stateless DHCP
- Save
That's it! Now your clients should be receiving public IPv6 addresses via DHCP6.
If it freezes at waiting for EAP (give it a couple of minutes first, sometimes it takes a bit), Ctrl-C and drop to shell, then wpa_cli status. Have fun.
Oh and, is your clock set correctly? :)