Skip to content

AT&T Fiber / pfSense without using AT&T's gateway

Notifications You must be signed in to change notification settings

ReimuHakurei/pfatt

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

About

I'm assuming you already know what this project is. The original repo disappeared for some reason. The original project has two modes, bridge mode and supplicant mode. I have no interest in the older proxy-based method, but (for now) it remains here.

If you want any of the stuff in the original repo's readme, see README-orig.md.

I assume you already have certificates extracted. If not, head over to eBay or do some Googling to figure it out.

Install

  1. Grab this repo to your local machine.
git clone https://github.com/ReimuHakurei/pfatt
  1. Next, edit all configuration variables in pfatt.sh.

  2. Upload the pfatt directory to /conf on your pfSense box.

scp -r pfatt root@pfsense:/conf/
  1. Upload your extracted certs (from EAP-TLS_8021x_xxxxxx-xxxxxxxxxxxxxxx.tar.gz or otherwise) to /conf/pfatt/wpa. You should have three files in the wpa directory as such. You may also need to match the permissions.
[2.4.4-RELEASE][[email protected]]/conf/pfatt/wpa: ls -al
total 19
drwxr-xr-x  2 root  wheel     5 Jan 10 16:32 .
drwxr-xr-x  4 root  wheel     5 Jan 10 16:33 ..
-rw-------  1 root  wheel  5150 Jan 10 16:32 ca.pem
-rw-------  1 root  wheel  1123 Jan 10 16:32 client.pem
-rw-------  1 root  wheel   887 Jan 10 16:32 private.pem
  1. Edit your /conf/config.xml to include <earlyshellcmd>/conf/pfatt/bin/pfatt.sh</earlyshellcmd> above </system>.

  2. Connect cables

    • $ONT_IF to ONT (outside)
    • LAN NIC to local switch (as normal)
  3. Prepare for console access.

  4. Reboot.

  5. pfSense will detect new interfaces on bootup. Follow the prompts on the console to configure ngeth0 as your pfSense WAN. Your LAN interface should not normally change. However, if you moved or re-purposed your LAN interface for this setup, you'll need to re-apply any existing configuration (like your VLANs) to your new LAN interface. pfSense does not need to manage $EAP_BRIDGE_IF or $ONT_IF. I would advise not enabling those interfaces in pfSense as it can cause problems with the netgraph.

  6. In the webConfigurator, configure the WAN interface (ngeth0) to DHCP using the MAC address of your Residential Gateway.

If everything is setup correctly, EAP authentication should complete. Netgraph should be tagging the WAN traffic with VLAN0, and your WAN interface is configured with a public IPv4 address via DHCP.

Dumping the NAND

User @KhoasT posted instructions for dumping the NAND. See the comment on devicelocksmith's site here.

IPv6 Setup

Once your netgraph setup is in place and working, there aren't any netgraph changes required to the setup to get IPv6 working. These instructions can also be followed with a different bypass method other than the netgraph method. Big thanks to @pyrodex1980's post on DSLReports for sharing your notes.

This setup assumes you have a fairly recent version of pfSense. I'm using 2.4.4.

DUID Setup

  1. Go to System > Advanced > Networking
  2. Configure DHCP6 DUID to DUID-EN
  3. Configure DUID-EN to 3561
  4. Configure your IANA Private Enterprise Number. This number is unique for each customer and (I believe) based off your Residential Gateway serial number. You can generate your DUID using gen-duid.sh, which just takes a few inputs. Or, you can take a pcap of the Residential Gateway with some DHCPv6 traffic. Then fire up Wireshark and look for the value in DHCPv6 > Client Identifier > Identifier. Add the value as colon separated hex values 00:00:00.
  5. Save

WAN Setup

  1. Go to Interfaces > WAN
  2. Enable IPv6 Configuration Type as DHCP6
  3. Scroll to DCHP6 Client Configuration
  4. Enable DHCPv6 Prefix Delegation size as 60
  5. Enable Send IPv6 prefix hint
  6. Enable Do not wait for a RA
  7. Save

LAN Setup

  1. Go to Interfaces > LAN
  2. Change the IPv6 Configuration Type to Track Interface
  3. Under Track IPv6 Interface, assign IPv6 Interface to your WAN interface.
  4. Configure IPv6 Prefix ID to 1. We start at 1 and not 0 because pfSense will use prefix/address ID 0 for itself and it seems AT&T is flakey about assigning IPv6 prefixes when a request is made with a prefix ID that matches the prefix/address ID of the router.
  5. Save

If you have additional LAN interfaces repeat these steps for each interface except be sure to provide an IPv6 Prefix ID that is not 0 and is unique among the interfaces you've configured so far.

DHCPv6 Server & RA

  1. Go to Services > DHCPv6 Server & RA
  2. Enable DHCPv6 server on interface LAN
  3. Configure a range of ::0001 to ::ffff:ffff:ffff:fffe
  4. Configure a Prefix Delegation Range to 64
  5. Save
  6. Go to the Router Advertisements tab
  7. Configure Router mode as Stateless DHCP
  8. Save

That's it! Now your clients should be receiving public IPv6 addresses via DHCP6.

Troubleshooting

If it freezes at waiting for EAP (give it a couple of minutes first, sometimes it takes a bit), Ctrl-C and drop to shell, then wpa_cli status. Have fun.

Oh and, is your clock set correctly? :)

About

AT&T Fiber / pfSense without using AT&T's gateway

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages