pfSense Forum

pfSense English Support => Post a bounty => Topic started by: dc81 on April 29, 2016, 02:30:43 pm

Title: ATT Uverse RG Bypass (0.2 BTC)
Post by: dc81 on April 29, 2016, 02:30:43 pm
I'm trying to avoid using the gateway provided by ATT. It seems like it's been solved for EdgeRouter and *nix based routers (https://www.dslreports.com/forum/r29903721-AT-T-Residential-Gateway-Bypass-True-bridge-mode~start=264). Hopefully someone will be able to get this working on pfsense too.

0.2 Bitcoins (~$90) to anyone that can get it done.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: zevlag on May 09, 2016, 06:28:02 pm
i'm willing to talk about this and help if you want.

But first we need to define the problem, and the desired solution.

Having read the linked thread, there are two options:
Which are you hoping for?

I think the first can be done with a kernel patch.  The latter would be more difficult for me.

Also, if I understand the thread correctly, this solves only the authentication issue, it isn't any configuration for TV or phone services.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: dc81 on May 10, 2016, 01:11:22 pm
Goal is for my traffic to bypass the RG. I have a pfsense box with multiple gigabit ports. I want to connect the ONT and RG to the pfsense box and have LAN traffic on the remaining ports.

Currently:

ONT > RG > pfSsense > LAN

Want:
Code: [Select]
ONT > pfSense
      |    |
      RG   LAN

So I'm not really concerned with any specific option, but I would want to be able to keep my gigabit speed. My box has an Atom C2558 if that matters.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: zevlag on May 10, 2016, 01:23:59 pm
If I provide a kernel patch, are you familiar with compiling kernels in FreeBSD?
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: dc81 on May 10, 2016, 02:04:43 pm
I have not, but it seems fairly straightforward. I have a backup pfsense in a vm so the downtime is not an issue.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: dc81 on June 02, 2016, 10:36:28 am
any progress?
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: dc81 on April 26, 2017, 02:08:49 pm
bump... anyone?
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: ermax on May 11, 2017, 07:43:00 am
I would love to see this too.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: pyrodex on September 21, 2017, 01:07:26 pm
Looks like it maybe more viable now with a python script:

https://github.com/jaysoffian/eap_proxy

See https://github.com/jaysoffian/eap_proxy/issues/2 also since it seems PFRING is required but BSD doesn't have PFRING.

I've heard someone got this working on a debian box running shorewall so maybe just adapting it for BSD could be the solution.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: variance on October 24, 2017, 05:00:15 pm
Looks like it maybe more viable now with a python script:

https://github.com/jaysoffian/eap_proxy

See https://github.com/jaysoffian/eap_proxy/issues/2 also since it seems PFRING is required but BSD doesn't have PFRING.

I've heard someone got this working on a debian box running shorewall so maybe just adapting it for BSD could be the solution.

I've seen a report of this solution (https://github.com/kuwerty/eapolproxy)
eap proxy sucessfully compiled and running on pfsense after installing some dependencies  (libstdc++).
and it passing packets.


Quote
I checked out the eapolproxy, and successfully compiled it on my freebsd dev box.  After getting some dependencies (libstdc++) onto pfsense, it does start and appears to be passing the EAP traffic from the RG on OPT1 up to the WAN interface where the ONT is, but nothing ever comes back - it just keeps spamming the EAPOL start and logoffs.  I will have to keep playing with it, but I feel like the solution is close.  It would be good to have some others try this...


Source: (http://www.dslreports.com/forum/r31632582-)


as for pfring dependency.. i don't know if thats kernel or something that needs to be compiled specifically for freebsd...
my gigapower install doesn't happen for another day or 2. I'm going to go ahead and try compiling the this eapolproxy myself to see if I can get it working.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: rajl on November 21, 2017, 01:11:42 pm
If this feature bounty still open?  I may have an elegant FreeBSD solution to the problem.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: random003 on December 08, 2017, 06:48:03 am
I'll give you $100 in bitcoin for a set-and-forget solution that works on pfsense.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: PnoT on December 14, 2017, 08:43:39 am
Any progress on this?
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: random003 on December 20, 2017, 08:12:41 pm
$200 for a set-and-forget solution.

I may consider other payments methods besides bitcoin if preferred.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: rajl on January 10, 2018, 02:04:28 pm
There's been a surprising amount of progress, although I've encountered some issues with PFSense specifically (vanilla FreeBSD and OPNSense work more smoothly).

Here's a summary so far of what I've done, and the issues I am encountering.

For background, here are links for Linux specific solutions:

http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits (http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits)
https://strscrm.io/bypassing-gigapowers-provided-modem.html (https://strscrm.io/bypassing-gigapowers-provided-modem.html)

To summarize, there are two Linux approaches:
(1a) Create a Bridge and enable the Bridge to Forward EAPOL traffic - Use ebtables (Linux layer 2 firewall) to filter what is forwarded across the bridge.
(1b) Run a Python script called EAP-Proxy that proxies EAPOL traffic in order to avoid creating the bridge
(2) Create a Virtual Interface for your WAN assigned VLAN 0 and assign your services to it.

However, FreeBSD is not Linux and there are some issues due to FreeBSD's undying commitment to standard's compliance:
(1) The FreeBSD bridge code does not allow for EAPOL traffic to be forwarded across the bridge because this violates the IEEE 802.1D standard.
(2) The EAP-Proxy Script that is circulating is pretty specific to Linux and requires a lot of massaging to work with FreeBSD.  Also, it requires installing python on your firewall, which you may not want to do for security reasons.
(3) FreeBSD's vlan code does not allow you to create a virtual interface assigned to VLAN 0 because IEEE 802.1Q specifies that vlan 0 is reserved.

So there are two technical issues that need to be resolved:
(1) Make FreeBSD forward EAPOL traffic between the RG and the ONT.
(2) Allow the FreeBSD WAN interface to communicate on vlan 0 so that it can communicate with the ONT.

I have solved the first problem and can demonstrate two working solutions on FreeBSD and OPNSense.  However, the preferred solution does not work on PFSense yet.  To briefly summarize my work:
(1) The universally working (but not preferred) solution is to patch the kernel's bridge code to forward EAPOL traffic.  I've created a kernel patch for the bridge code that allows you to enable or disable forwarding of EAPOL traffic on a bridge using a sysctl variable.  However, it's definitely not a set and forget solution as you have to manually patch your kernel and then potentially repatch the kernel with every update.  Long-term, it can be a set and forget solution once I submit the patch to -CURRENT and it migrates to -STABLE and it then makes it to -RELEASE.  But that's a long migration path.
(2) I've created a set and forget solution for forwarding EAPOL traffic using FreeBSD's builtin Netgraph framework.  Basically, I use Netgraph to create a layer 2 firewall that forwards all EAPOL frames between interfaces and forwards all other Ethernet frames on up the network stack per normal.  I've tested it successfully on vanilla FreeBSD and OPNSense.  However, it's not currently working on PFSense for two reasons. 
I am still attempting to solve the second problem (communicating on VLAN 0).  Looking at TCPDump, I can see the DHCP request and response between my WAN and the ONT, but I am not getting an IP address assigned to my WAN interface.  I suspect this is because the traffic is tagged as VLAN 0 in a non-standard compliant manner, which is causing FreeBSD to disregard the DHCP response as invalid.  I may be able to solve this problem as well using Netgraph, but I need to investigate further when I have some more time and I can test my solution (which is when my family is not home streaming Netflix).

If anyone else is a networking ninja, I would be glad to partner with them to finish this project more quickly. 



Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: random003 on January 13, 2018, 12:20:24 am
Do you have a bitcoin address? I'd like to give you $100 worth right now to keep the progress going. I don't mind a kernel patch.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: Ryu945 on January 14, 2018, 10:34:44 pm
I see that ATT uses IP-DSL to do the log in.  I wonder if there is a way to get Pfsense to do the log in directly.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: rajl on January 18, 2018, 12:00:06 pm
Do you have a bitcoin address? I'd like to give you $100 worth right now to keep the progress going. I don't mind a kernel patch.

I'm doing this for the love and the technical challenge, but tips are always welcome!  ;)

My bitcoin wallet address for any donations towards this project (from you or any other generous souls) is:

1H8CaLNXembfzYGDNq1NykWU3gaKAjm8K5

If anyone is going to tip me for my efforts, I figure I should at least give them something in return. 

Here’s the Netgraph based solution I have so far (which I have tested more thoroughly than the kernel patch):

Step 1: Copy the ng_etf.ko module from a FreeBSD 11.1 system to /boot/kernel.  If you are security conscious, you will copy this module yourself from a FreeBSD 11.1 system you already own/control.  For convenience, I have uploaded a copy of the module here (https://cloud.johnllyon.com/s/cm6WlpWEWdiC6nn) which trusting souls may download at their convenience. 

Step 2: Add the following line to your /boot/loader.conf file – ng_etf_load=”YES” (include quotation marks)
Step 3: Reboot so that the kernel modules are loaded
Step 4: Clone the MAC address of the RG to your “WAN” port.
Step 5: Use the following Netgraph commands to create the EAP Netgraph Bridge.  As of right now you need to enter these commands at the console or include them in a startup/boot script.  Because you are disconnecting and reconnecting your Ethernet interfaces to create the necessary graph, you will lock yourself out of your own box if you are doing this over SSH.  Hence, you need physical access to your machine when entering these commands or they need to be executed automatically on boot.
Code: [Select]
## Replace “em0” and “em1” with your WAN and ONT Ethernet interfaces
    ## as appropriate for your machine

    ngctl mkpeer em0: etf lower downstream
    ngctl name em0:lower waneapfilter
    ngctl connect waneapfilter: em0: nomatch upper

    ngctl mkpeer em1: etf lower downstream
    ngctl name em1:lower laneapfilter
    ngctl connect laneapfilter: em1: nomatch upper

    ngctl connect waneapfilter: laneapfilter: eapout eapout

    ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
    ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'

If these commands throw a cryptic error message, one of three things happened.
 

Step 6: Connect the ONT to your PFSense Box and the RG to your PFSense Box (connecting from PFSense to the ONT port on the RG)

Step 7: Power cycle the RG in order to force authentication with ATT

Step 8: Confirm authentication.  After 1-2 minutes, you will see the “Broadband” light on your RG flash green and then go to solid green for a short period of time.  This means that the 802.1X port authentication has completed successfully.  However, your Broadband light will then start flashing read and then go blank.  This is because the RG is not receiving an IP address from the ATT network via DHCP (your PFSense Box is attempting request and receive the IP address).

At this point, I can see the DCHP requests and responses between the PFSense box and the ATT network using tcpdump.  However, the PFSense box is currently unable to use the IP address provided by ATT.  I assume this is because ATT is tagging all responses as being on VLAN 0 (you can see this in TCPDump).  With Linux based solutions, you can solve the problem by assigning vlan 0 to your WAN and then moving all your services over to the virtual interface created for vlan0.  However, FreeBSD doesn't handle frames explicitly tagged as vlan 0 very well. 

I submitted a bug report (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224961) to FreeBSD for to see if I could get this resolved.  The short answer is "no" but they suggested that the Netgraph VLAN code might be able to convert frames tagged as vlan 0 into untagged frames prior to forwarding them up the network stack.  I have not had time to investigate this, but it seems promising.  If it works, I'll update my netgraph script above to incorporate the appropriate ng_vlan nodes.
Title: Re: ATT Uverse RG Bypass (0.2 BTC)
Post by: rajl on January 18, 2018, 12:09:43 pm
I see that ATT uses IP-DSL to do the log in.  I wonder if there is a way to get Pfsense to do the log in directly.

Unfortunately, no.  ATT uses cryptographic certificates installed in the ROM of the RG to authenticate the RG with the ATT network.  This allows them to prevent "unauthorized" equipment from being attached to the network.  Unless you feel like dumping the contents of the ROM, identifying the cryptographic certificates, uploading them to your PFSense box, and creating a custom authorization script, it's easier to just perform a man-in-the-middle attack on the 802.1X authentication.