Netgate SG-1000 microFirewall

Author Topic: ATT Uverse RG Bypass (0.2 BTC)  (Read 3311 times)

0 Members and 1 Guest are viewing this topic.

Offline random003

  • Newbie
  • *
  • Posts: 7
  • Karma: +1/-0
    • View Profile
Re: ATT Uverse RG Bypass (0.2 BTC)
« Reply #15 on: January 13, 2018, 12:20:24 am »
Do you have a bitcoin address? I'd like to give you $100 worth right now to keep the progress going. I don't mind a kernel patch.

Offline Ryu945

  • Full Member
  • ***
  • Posts: 122
  • Karma: +2/-0
    • View Profile
Re: ATT Uverse RG Bypass (0.2 BTC)
« Reply #16 on: January 14, 2018, 10:34:44 pm »
I see that ATT uses IP-DSL to do the log in.  I wonder if there is a way to get Pfsense to do the log in directly.

Offline rajl

  • Jr. Member
  • **
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: ATT Uverse RG Bypass (0.2 BTC)
« Reply #17 on: January 18, 2018, 12:00:06 pm »
Do you have a bitcoin address? I'd like to give you $100 worth right now to keep the progress going. I don't mind a kernel patch.

I'm doing this for the love and the technical challenge, but tips are always welcome!  ;)

My bitcoin wallet address for any donations towards this project (from you or any other generous souls) is:

1H8CaLNXembfzYGDNq1NykWU3gaKAjm8K5

If anyone is going to tip me for my efforts, I figure I should at least give them something in return. 

Here’s the Netgraph based solution I have so far (which I have tested more thoroughly than the kernel patch):

Step 1: Copy the ng_etf.ko module from a FreeBSD 11.1 system to /boot/kernel.  If you are security conscious, you will copy this module yourself from a FreeBSD 11.1 system you already own/control.  For convenience, I have uploaded a copy of the module here which trusting souls may download at their convenience. 

Step 2: Add the following line to your /boot/loader.conf file – ng_etf_load=”YES” (include quotation marks)
Step 3: Reboot so that the kernel modules are loaded
Step 4: Clone the MAC address of the RG to your “WAN” port.
Step 5: Use the following Netgraph commands to create the EAP Netgraph Bridge.  As of right now you need to enter these commands at the console or include them in a startup/boot script.  Because you are disconnecting and reconnecting your Ethernet interfaces to create the necessary graph, you will lock yourself out of your own box if you are doing this over SSH.  Hence, you need physical access to your machine when entering these commands or they need to be executed automatically on boot.
Code: [Select]
## Replace “em0” and “em1” with your WAN and ONT Ethernet interfaces
    ## as appropriate for your machine

    ngctl mkpeer em0: etf lower downstream
    ngctl name em0:lower waneapfilter
    ngctl connect waneapfilter: em0: nomatch upper

    ngctl mkpeer em1: etf lower downstream
    ngctl name em1:lower laneapfilter
    ngctl connect laneapfilter: em1: nomatch upper

    ngctl connect waneapfilter: laneapfilter: eapout eapout

    ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
    ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'

If these commands throw a cryptic error message, one of three things happened.
  • Most likely, you omitted or added a colon (“:”) somewhere it didn’t belong (I speak from experience). 
  • Less likely, but possible, is that I accidentally omitted or added a colon while copying and pasting these commands into this writeup.  :)
  • Possibly, PFSense’s ng_eth module is not recognizing one or more of your interfaces.  This happens on some, but not all computers.  I’m not sure if this is a software or hardware bug.  For example, on my ZOTAC CI323, all of my interfaces are recognized.  However, on my QOTOM machine, only 2 of the 4 are recognized (OPNSense and vanilla FreeBSD recognize all four, which leads me to believe there is a subtle PFSense bug rather than an hardware issue).
 

Step 6: Connect the ONT to your PFSense Box and the RG to your PFSense Box (connecting from PFSense to the ONT port on the RG)

Step 7: Power cycle the RG in order to force authentication with ATT

Step 8: Confirm authentication.  After 1-2 minutes, you will see the “Broadband” light on your RG flash green and then go to solid green for a short period of time.  This means that the 802.1X port authentication has completed successfully.  However, your Broadband light will then start flashing read and then go blank.  This is because the RG is not receiving an IP address from the ATT network via DHCP (your PFSense Box is attempting request and receive the IP address).

At this point, I can see the DCHP requests and responses between the PFSense box and the ATT network using tcpdump.  However, the PFSense box is currently unable to use the IP address provided by ATT.  I assume this is because ATT is tagging all responses as being on VLAN 0 (you can see this in TCPDump).  With Linux based solutions, you can solve the problem by assigning vlan 0 to your WAN and then moving all your services over to the virtual interface created for vlan0.  However, FreeBSD doesn't handle frames explicitly tagged as vlan 0 very well. 

I submitted a bug report to FreeBSD for to see if I could get this resolved.  The short answer is "no" but they suggested that the Netgraph VLAN code might be able to convert frames tagged as vlan 0 into untagged frames prior to forwarding them up the network stack.  I have not had time to investigate this, but it seems promising.  If it works, I'll update my netgraph script above to incorporate the appropriate ng_vlan nodes.

Offline rajl

  • Jr. Member
  • **
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: ATT Uverse RG Bypass (0.2 BTC)
« Reply #18 on: January 18, 2018, 12:09:43 pm »
I see that ATT uses IP-DSL to do the log in.  I wonder if there is a way to get Pfsense to do the log in directly.

Unfortunately, no.  ATT uses cryptographic certificates installed in the ROM of the RG to authenticate the RG with the ATT network.  This allows them to prevent "unauthorized" equipment from being attached to the network.  Unless you feel like dumping the contents of the ROM, identifying the cryptographic certificates, uploading them to your PFSense box, and creating a custom authorization script, it's easier to just perform a man-in-the-middle attack on the 802.1X authentication.

Offline random003

  • Newbie
  • *
  • Posts: 7
  • Karma: +1/-0
    • View Profile

Offline rajl

  • Jr. Member
  • **
  • Posts: 30
  • Karma: +0/-0
    • View Profile
Re: ATT Uverse RG Bypass (0.2 BTC)
« Reply #20 on: January 24, 2018, 08:43:16 am »
Thanks for your work on this.

https://tradeblock.com/bitcoin/tx/5be26573726e21c9f70d18af1223fb8e307cae6194a656ca294cc4afa99ae767

Received.  Thanks!

Digging into this a little more, the VLAN netgraph node may provide the "missing link."  I'm hoping to be able to test it in the reasonably near future and see if it actually works.

Offline aus

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: ATT Uverse RG Bypass (0.2 BTC)
« Reply #21 on: February 14, 2018, 12:52:05 pm »
Hi rajl.

For the past few weeks, I've independently gone down similar avenues to explore a solution to this problem. I considered porting the EAP Proxy script, but that seemed painful. I opted to patch the kernal (if_bridge.c to be specific) to remove the drop on the 802.1X MAC 01:80:c2:00:00:03. That worked, but only for the EAP problem.

After discovering this post (a great start btw!) and reading more about netgraph, I agree that is probably the best approach. I hoping we can get this working using a combination of: ng_ether, ng_etf, ng_vlan, ng_tee and ng_eiface

For the VLAN0 problem, I expect the netgraph to look like something like this:

Code: [Select]
# em0 - ATT RG
# em1 - ONT
# em2 - LAN
# ngeth0 - "WAN" netgraph creates interface, removes VLAN0 tag from ONT traffic

# make eth devices addressable in netgraph
# (kernel module may already be loaded for you)
kldload ng_ether     

# from em1, create a vlan peer
# connect em1's lower hook to vlan's downstream hook
ngctl mkpeer em1: vlan lower downstream

# name peer vlan
ngctl name em1:lower vlan

# connect em1's upper hook to vlan's nomatch hook
ngctl connect em1: vlan: upper nomatch

# from vlan, create eiface peer (ngeth0)
# connect vlan's untagged hook to eiface's ether hook
ngctl mkpeer vlan: eiface untagged ether

# instruct vlan: to send vlan0 traffic to untagged hook
# which gets sent to the eiface ether hook (ngeth0)
ngctl msg vlan: addfilter '{ vlan=0 hook="untagged" }'

I've tested in locally in a VM and I think this part is working. However, the problem I'm struggling with now is combining the EAP netgraph solution with the VLAN netgraph solution. I think this is where ng_tee comes into play, but I'm still trying to wrap my head around it.

I think we need to use ng_tee to split out the ng_ether-em1 interface. Then hook up the EAP graph to one side and the VLAN graph to the other. But my head spins trying to keep left, right, right2left and left2right straight. :) The lacking documentation about netgraph doesnt help either. It seems no one talks about netgraph much.

Have you had any progress or success?

Offline aus

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: ATT Uverse RG Bypass (0.2 BTC)
« Reply #22 on: February 17, 2018, 11:47:10 pm »
I just wanted to report back that I got this working, but probably not in the sense you were hoping for.

I’m running pfSense in a VM on Proxmox (KVM/QEMU). For now, I’ve opted to let the hypervisor (Linux) do the EAP and VLAN work. (Same method basically) Here is my setup:

Nothing too special configuration was required for my pfSense VM. Here is my config:

Code: [Select]
balloon: 0
bootdisk: ide0
cores: 2
cpu: host
ide0: ssd0:vm-100-disk-1,size=32G
memory: 512
name: pfSense
net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0
net1: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr1
numa: 0
ostype: other
serial0: socket
sockets: 1
tablet: 0

The net0 (LAN) interface bridges to vmbr0. vmbr0 bridges to physical eth0, which is connected to my switch.

The net1 (WAN) interface bridges to vmbr1. vmbr1 bridges to vlan0. The vlan0 interface is configured off physical eth1, which is connected to the ONT. net1 MAC address also matches my ATT Gateway. Change it in your pfSense WAN interface setting.


/etc/network/interfaces:

Code: [Select]
# LAN / eth0                                                                                                                                                                                         
# Connect to switch
iface eth0 inet manual

# ONT / eth1
# Connect to ONT box outside
iface eth1 inet manual

# RG / eth2
# Connect to ATT Gateway on ONT port
iface eth2 inet manual

# LAN Bridge / br0
# Bridge main switch to pfSense
# IP is Proxmox host
auto vmbr0
iface vmbr0 inet static
        address  192.168.1.2
        netmask  255.255.255.0
        gateway  192.168.1.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

# VLAN0 Bridge / br1
# Bridge vlan tagged WAN to pfSense
auto vmbr1
iface vmbr1 inet manual
        bridge_ports vlan0
        bridge_stp off
        bridge_fd 0

# EAP Bridge / br2
# Bridge ATT Gateway + ONT so EAP/802.1X auth can complete
# group_fwd_mask makes sure 802.1X traffic is bridged
auto vmbr2
iface vmbr2 inet manual
        bridge_ports eth1 eth2
        bridge_stp off
        bridge_fd 0
        post-up echo 8 > /sys/class/net/vmbr2/bridge/group_fwd_mask

Unfortunately, Proxmox conflicts with the vlan debian package, so you have to configure the vlan interface with the ip command instead of the interface file:

Code: [Select]
ip link add link eth1 name vlan0 type vlan id 0

And that’s pretty much it. I haven’t nailed down the timings yet from cold boot to online for a fully automated solution. For some reason, the EAP only takes under certain conditions. I have the best luck with the following:

1. Cold boot hypervisor
2. Wait for EAP to authenticate
3. Start vlan0
4. Start pfSense VM

It’s not perfect right now and it will take some more experimenting. But, it feels good to be off their RG!

 I’d still be interested in a pure BSD solution though.
« Last Edit: February 18, 2018, 02:28:44 pm by aus »