Skip to content

Instantly share code, notes, and snippets.

@bmorgenthaler
Created February 24, 2024 21:51
Show Gist options
  • Save bmorgenthaler/a0d9d5b1194f54829db6391bc297c7e4 to your computer and use it in GitHub Desktop.
Save bmorgenthaler/a0d9d5b1194f54829db6391bc297c7e4 to your computer and use it in GitHub Desktop.
OPNsense AT&T GPON Setup
#!/usr/bin/env sh
#
# CONFIG
# ======
#
# ONT_IF Interface connected to the ONT
#
# RG_ETHER_ADDR MAC address of your assigned Residential Gateway
#
# EAP_SUPPLICANT_IDENTITY Required only with supplicant mode. MAC address associated
# with your cert used as your EAP-TLS identity. If you extracted
# the cert from your stock issue residential gateway, this is the
# same as $RG_ETHER_ADDR.
#
# ELAN_MAC MAC address configured on the GPON, required for me to get access
# to the admin interface after the GPON is online.
#
# GPON_IP IP Address of the GPON normally 192.168.1.1 if it's not changed
#
# MGMT_IP IP address assigned to the gPON interface to access the admin interface
#
# Required Config
# ===============
ONT_IF='igb7'
RG_ETHER_ADDR='AA:BB:CC:DD:EE:FF'
ELAN_MAC='XX:XX:XX:XX:XX:XX'
GPON_IP='192.168.1.1'
MGMT_IP='192.168.1.2/25'
##### DO NOT EDIT BELOW #################################################################################
/usr/bin/logger -st "opnatt" "starting opnatt..."
/usr/bin/logger -st "opnatt" "configuration:"
/usr/bin/logger -st "opnatt" " ONT_IF = $ONT_IF"
/usr/bin/logger -st "opnatt" " RG_ETHER_ADDR = $RG_ETHER_ADDR"
/usr/bin/logger -st "opnatt" "enabling promisc for $ONT_IF and spoofing MAC..."
/sbin/ifconfig ${ONT_IF} ether ${RG_ETHER_ADDR} -vlanhwtag -vlanhwfilter pcp 0
/sbin/ifconfig ${ONT_IF} up promisc
/usr/bin/logger -st "opnatt" "starting wpa_supplicant..."
WPA_DAEMON_CMD="/conf/wpa/opn_wpa_supplicant-d114ac638c389bfd1f7029ec22f47efc -B -Dwired -i${ONT_IF} -c/conf/wpa/wpa_supplicant.conf -C/var/run/wpa_supplicant"
# kill any existing wpa_supplicant process
PID=$(pgrep -f "wpa_supplicant")
if [ ${PID} > 0 ];
then
/usr/bin/logger -st "opnatt" "terminating existing wpa_supplicant on PID ${PID}..."
RES=$(kill ${PID})
fi
# start wpa_supplicant daemon
RES=$(${WPA_DAEMON_CMD})
PID=$(pgrep -f "wpa_supplicant")
/usr/bin/logger -st "opnatt" "wpa_supplicant running on PID ${PID}..."
# wait until wpa_cli has authenticated.
WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
IP_STATUS_CMD="ifconfig ${ONT_IF} | grep 'inet\ ' | cut -d' ' -f2"
/usr/bin/logger -st "opnatt" "waiting EAP for authorization..."
while true;
do
WPA_STATUS=$(eval ${WPA_STATUS_CMD})
if [ X${WPA_STATUS} = X"Authorized" ];
then
/usr/bin/logger -st "opnatt" "EAP authorization completed..."
break
else
sleep 1
fi
done
# Setup access to ONT
/usr/bin/logger -st "opnatt" "Setup access to ODI mgmt interface..."
/sbin/ifconfig ${ONT_IF} alias ${MGMT_IP}
/usr/sbin/arp -s ${GPON_IP} ${ELAN_MAC}
/usr/bin/logger -st "opnatt" "You should now be available to configure your WAN..."
eapol_version=1
ap_scan=0
fast_reauth=1
network={
ca_cert="/conf/wpa/ca.pem"
client_cert="/conf/wpa/client.pem"
eap=TLS
eapol_flags=0
identity="AA:BB:CC:DD:EE:FF" # Internet (ONT) interface MAC address must match this value
key_mgmt=IEEE8021X
phase1="allow_canned_success=1"
private_key="/conf/wpa/private.pem"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment