Use *sense without netgraph #82
Comments
This is really great. With enough input we could build a supported list of models. I'm going to try with a newer model (DGS-1100-05V2) and report back.
Found this thread on reddit, Based on the above, supposedly TpLink SG108E will also do it. I don't have that switch to test, but if others can comment/confirm?
Purchased SG108E and SG105E, will test.
From the Reddit thread, possibly working:
Hey everyone, I got it to work with the Dlink DGS-1100-05V2 on firmware 1.00.003 (only available firmware) and I essentially used the same setup as @gpz1100.
Can you add the hardware version as well?
@owenthewizard revision A1 for that D Link switch I mentioned.
@owenthewizard Why do you even need pcp 7 with this method?
I just tested, and in fact you don't!
I noticed you guys are setting VLAN ID to 100, is that accurate? EDIT: I see you are just using any VLAN ID to strip the tags from the ONT. Has anyone tried using a unifi switch?
I used VLAN 4040. The VLAN itself is arbitrary. I haven't tried with a unifi switch (I ran out of physical ports.). The UI makes it hard to tell what's going on. It's stylized like it's doing port-based VLANs. If the incoming traffic to a client through an access port does not have a VLAN tag, then it stands a good chance of working.
I tried with a unifi flex mini and it didn't work.
What didn't work? Did you see any traffic from the authenticator going into the WAN port or just nothing at all?
No eap traffic other than the eapol frame sent by my wpa client.
Then it's probably that it's dropping/rejecting VLAN 0 frames coming into the port. Either the USW firmware or the switch is doing it at the hardware level. Seems like that's always going to be a factor.
Dlink dgs-1210-10 HW F1, fw 6.31.002 also works
@rcmcdonald91 This thread pertains to the supplicant bypass method, not bridge. Does wpa_supplicant respond to vlan0 tagged traffic in 23.05ß?
wpa_supplicant needs patches to support VLAN0 tagging, as it doesn't support it right now. Being worked on.
Yes. wpa_supplicant needs a patch to support VLAN0.
@rcmcdonald91 Glad to help test once something is available.
pfSense Plus 23.05 Release fails to get WAN address via DHCP (EAP is successful) - tested with DLink DGS-1100-08v2 hardware A1 fw 1.00.003. Has anyone seen/fixed this (assuming the same occurs with the other switches reported working in this thread, including DGS-1100-05v2)?
Did you spoof your RG MAC on your WAN interface? I had this issue but I had just forgotten to spoof.
Yes, it was spoofed. Got it working with DLink DGS-1100-05v2 (5-port) with same HW A1 and FW 1.00.003. It also required setting PCP (Priority Tag) to 1 on WAN as DHCP would not work without it -- inspiration from pfsense configuration recipe here: https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html . 8-port dlink (DGS-1100-08v2) still did not work with the same config.
Why do you have a switch in front of your WAN at all? Just plug the WAN directly into the ONT.
Had tried that before and it had not worked with wpa supplicant (EAP failed). Will test again with PCP set and see
except it may not work without the stripper switch until wpa_supplicant is patched (#82 (comment))
I added this table to my fork:
I think it's safe to close this thread with the recent developments in wpa_supplicant - it now listens on vlan0, negating any need for switches to strip vlan 0 tags. Thoughts?
I agree.
I agree, no need for stripper switches with the new wpa supp
There may still be a reason to use this method for those with external ont/gpon configurations. A number of tools in *sense don't work properly on the wan interface due to the asymmetric vlan - that is, inbound traffic is vlan 0 tagged, outbound is not. Tools including tcpdump and iftop (probably others too). For both of those only one side of the conversation is reported. For tcpdump, a carefully crafted filter can capture both, but no such option exists for iftop. Given I do use these tools periodically it would be nice for them to work as expected. I've since (pun intended) reimplemented a switch for vlan 0 stripping.
Someone over on the discord channel mentioned they were able to get opnsense 23 to work without using netgraph at all.
Wpa_supplicant is still required, but the only change is flagging the wan port with vlanpcp 7. No promisc, no -vanhwfilter, etc.
ifconfig igb0 vlanpcp 7
I could not replicate this. In testing, eapol traffic was coming as 888e from the ONT. A logon command from wpa_cli would leave as 8100 from the wan interface.
It was then suggested to use a smart switch with port based vlans. That is configure 2 unused ports on a separate untagged vlan. Similar to the old school dumb switch method.
I first tested with a dumb switch (dgs-1005) just to see if it would strip the vlan0 tags, with no success. Same issue as above
Then used a managed switch. Looks like this on a dlink dgs-1100-08;
A comparable configuration on a netgear gs308t did NOT work. There was no traffic passed as the switch completely ignored the inbound vlan0 tagging from the ONT.
On the dlink however, this was successful. Tcpdump showed no vlan or priority tags for the wan interface. Wpa_supplicant worked flawlessly without netgraph as did dhcp. It would appear the dlink switch successfully stripped the vlan0 tags.
All eapol traffic contained 888e for ethertype in both directions. Success present in both opnsense 23.1.5.x and pfsense+ 23.01. I did not test older versions.
I expect other switches to work as well, but it matters what the default behavior is with vlan0 packets. Does it ignore the traffic entirely (netgear gs308t), or does it treat it as native vlan and allow it to pass (dlink dgs-1100-08)?
20230408 - dlink dgs-1100-08 hw B1 fw 1.00.b031 per above
20230412 - dlink dgs-1100-05v2 hardware A1 fw 1.00.003 confirmed working per @topsecretsauce
20230413 - tplink TL-SG108E hw v5.0, fw 1.0.0 Build 20191021 Rel.53360 per @owenthewizard
20230414 - Dlink DGS-1210-10 hw F1, fw 6.31.002 per me.
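The asymmetric tagging the thread keeps running into, as an added Python illustration (not code from the issue or the project): the EAPOL frame arriving from the ONT carries an 802.1Q header with VID 0 and PCP 7, the reply leaving the WAN interface is untagged, and a VLAN 0 "stripper" switch simply removes the four-byte tag. The MAC addresses and the EAP payload are constructed sample values.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag TPID
ETH_P_EAPOL = 0x888E   # EAPOL / 802.1X ethertype
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ONT_MAC = bytes.fromhex("020000000001")         # constructed, locally administered
RG_MAC = bytes.fromhex("020000000002")          # constructed, locally administered
# Constructed EAPOL v2 body carrying EAP-Request/Identity (code 1, id 1, len 5, type 1)
EAP_REQ_IDENTITY = b"\x02\x00\x00\x05" + b"\x01\x01\x00\x05\x01"

def build_frame(src: bytes, payload: bytes, pcp=None, vid=None) -> bytes:
    """Build an EAPOL frame to the PAE group address, 802.1Q-tagged if pcp/vid are given."""
    header = PAE_GROUP_MAC + src
    if pcp is not None and vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)           # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", ETH_P_8021Q, tci)
    return header + struct.pack("!H", ETH_P_EAPOL) + payload

# Inbound from the ONT: priority-tagged (VID 0, PCP 7); outbound from the WAN port: untagged
ONT_INBOUND = build_frame(ONT_MAC, EAP_REQ_IDENTITY, pcp=7, vid=0)
RG_OUTBOUND = build_frame(RG_MAC, EAP_REQ_IDENTITY)

def parse_frame(frame: bytes) -> dict:
    """Return header fields of an Ethernet II frame carrying at most one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"src": frame[6:12].hex(":"), "tagged": False, "pcp": None, "vid": None}
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info

def strip_priority_tag(frame: bytes) -> bytes:
    """Drop a VID-0 (priority-only) tag as the working D-Link switches do; leave others alone."""
    info = parse_frame(frame)
    if info["tagged"] and info["vid"] == 0:
        return frame[:12] + frame[16:]      # remove the 4-byte TPID + TCI
    return frame

def is_symmetric(inbound: bytes, outbound: bytes) -> bool:
    """True when both directions carry the same tagging, which tools like iftop expect."""
    return parse_frame(inbound)["tagged"] == parse_frame(outbound)["tagged"]
```

Run `parse_frame` over frames from both directions to see the asymmetry the later comment describes; after `strip_priority_tag` the inbound frame matches the untagged outbound one.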