d3phoenix (Teacher, 9 Messages), Sunday, September 11th, 2011 8:13 PM

How to fake bridged mode with U-Verse

I have worked out a way to simulate full bridged mode between a U-Verse RG and an enterprise grade router.

 

It's not identical to uverse in bridged mode, but it is pretty close.

 

Prerequisites:

  • AT&T U-Verse VDSL service with the Static IP add-on. (I'll be using the 8-ip block in this case)
  • A router capable of running a routing redundancy protocol, such as HSRP, VRRP, or GLBP.
  • A device connected to the internet that is NOT using your u-verse service (For testing functionality from the outside, where it matters. Smart phones work great for this, or just call a friend who has a PC handy)



The problem:

The AT&T RG abuses ARP to ensure that a static IP has to be assigned by MAC address. One MAC = One static IP. This effectively prevents you from routing the whole block to an internal router or firewall, because such devices will respond for all usable addresses using the same MAC. Why the RG chooses to do this is beyond me, but it is what it is and we have to work around it.

(When the RG sees what it thinks is the internal device changing its IP while keeping the same MAC (due to multiple IPs on one interface), the RG will update the device's "current IP address" in the IP Address Allocation tab, and sever all TCP connections to the old address, and the firewall will block all attempts to connect to the old address as it does not see it being registered to any internal device.

Ultimately, this means that if we intend to use our own internal device to protect and control our static IP block, we have to get our device to lie to the RG and present itself as several unique MAC / IP pairs.

This is difficult because by definition, most routers and firewalls only have one MAC and are not capable of generating more. Even high-end Cisco routers do not allow you to add an arbitrary number of MAC addresses to an interface because it shouldn't be necessary -- they assume other devices know how to use ARP.)


The solution:

To solve this, we have to fake out the RG into cooperating. We can accomplish this fakery by doing some protocol abuse of our own -- running a routing redundancy protocol even though we have no peer router to balance with. In this example I'll be using Cisco's HSRP, although in theory this will work with any redundancy protocol that creates virtual IPs and MACs. Routing redundancy protocols use these fake MAC + IP Pairs as floating "virtual interfaces" that would normally flip between two routers running the protocol, so that in the event of a failure none of the clients have to re-learn a MAC and IP. Nobody has to ARP and you get a very quick failover. We're going to use that to fake out the RG.


Assumptions:

  • The static IP range AT&T gave us is 99.1.1.0/29 (.1 through .5 usable, .6 is the RG)
  • We will use .5 as our router's actual address, .1 through .4 will be virtual.
  • When I say "LAN IP range" I am NOT talking about the RG's default LAN range of 192.168.1.0/24, I mean the addressing space we choose to use behind our router handling the static IPs.
  • The LAN IP range behind our router is 172.16.0.0/24
  • We have two computers on the LAN:
      • PC1 = 172.16.0.100/24, on which we want to expose all services to the world as 99.1.1.2
      • PC2 = 172.16.0.200/24, on which we want to expose JUST a web server to the world as 99.1.1.3:80
  • We want to provide outbound internet access to all hosts in 172.16.0.0/24 using the router's actual static IP, 99.1.1.5. We will use a NAT overload (or PAT) to accomplish this.

Setup:

Step 1) Log in to the RG and make the following settings changes:

    * Settings
        * Broadband
            * Link Configuration
                * Supplementary Network
                    * Check Enable
                    * Place the router's address (Last usable of the subnet) into the Router Address field.
                    * Fill in the subnet mask
                    * DO NOT check Auto Firewall Open
                    * Save
        * LAN
            * DHCP
                * Make sure "New Device DHCP Pool" is set to "Private Network"
                * Save
        * Firewall
            * Advanced
                * Enhanced Security
                    * Disable Stealth Mode (Useful for troubleshooting)
                    * Disable Block Ping (Useful for troubleshooting)
                    * Disable Strict UDP Session Control (I have found that this can interfere with VOIP apps)
                * Attack Detection
                    * Disable Excessive Session Detection (The RG's definition of "excessive" is a bit small)
                    * Disable Invalid Source/Destination IP Address (For some reason this seemed to interfere)
                    * Disable Invalid ICMP Detection (Seems to block ALL ICMP??)
                    * Save

Step 2) Unplug all but your configuring PC from the RG.

Step 3) Under Diagnostics -> Resets, Clear the RG's device list.

Step 4) Unplug your PC from the RG and reconnect.

Step 5) The RG is now ready to accept statically assigned addresses from our router.

Step 6) Configure the router. This part will require familiarity with your chosen device. I'll provide the commands as a Cisco IOS configuration file with comments. If your device is not a Cisco box, hopefully this will give you enough information to configure it properly.


    ! Cisco IOS Configuration File
    ! Version 12.4

    ! Set up the inside interface
    interface FastEthernet0/0
        description LAN (TO SWITCH)
        ip address 172.16.0.1 255.255.255.0
        ip nat inside
        no shutdown

    ! Set up the outside interface
    interface FastEthernet1/0
        description WAN (TO RG)
    ! Assign the router the last usable IP in the range (right before the RG)
        ip address 99.1.1.5 255.255.255.248
        ip nat outside
        no shutdown
    ! Create a virtual HSRP IP+MAC pair for each usable ip address (Except the one already assigned above)
    ! Make sure that your MACs are unique. I like to start them with 0000 to signify a locally-administered address, and end them with 1 + the three digit last octet of the IP it's associated with. This makes it easier to figure out which is which in the RG's configuration later if anything gets messed up.
    ! Slow the HSRP timers down (Don't need to check for a non-existent peer every 1 second)
    ! This router should be the master (It will never come up otherwise)
    ! Note: "standby timers" and "standby preempt" are per-group commands; without a group number
    ! they only apply to group 0, so they are repeated for each group below. The full keyword is
    ! "mac-address" ("mac" alone is ambiguous with "mac-refresh" on some IOS releases).
        standby 1 ip 99.1.1.1
        standby 1 mac-address 0000.0000.1001
        standby 1 timers 254 255
        standby 1 preempt
        standby 2 ip 99.1.1.2
        standby 2 mac-address 0000.0000.1002
        standby 2 timers 254 255
        standby 2 preempt
        standby 3 ip 99.1.1.3
        standby 3 mac-address 0000.0000.1003
        standby 3 timers 254 255
        standby 3 preempt
        standby 4 ip 99.1.1.4
        standby 4 mac-address 0000.0000.1004
        standby 4 timers 254 255
        standby 4 preempt

    ! Configure our default gateway and default route to be the 3600HGV's address in the static block
    ip default-gateway 99.1.1.6
    ip route 0.0.0.0 0.0.0.0 99.1.1.6

    ! Use NAT to expose PC1, 172.16.0.100, to the internet on all ports as 99.1.1.2:
    ip nat inside source static 172.16.0.100 99.1.1.2

    ! Use NAT to expose JUST the web service on PC2, 172.16.0.200, as 99.1.1.3:
    ip nat inside source static tcp 172.16.0.100 80 99.1.1.3 80

    ! Create a NAT overload (PAT) to allow listed devices share our router's address for internet access:
    ip nat inside source list ACL-INET interface FastEthernet1/0 overload

    ! Create the ACL-INET Access List and configure it to allow all PCs to use the overload
    ! (access lists take a wildcard mask, so 0.0.0.255 here rather than the 255.255.255.0 subnet mask):
    ip access-list standard ACL-INET
        10 permit 172.16.0.0 0.0.0.255

 

(CONTINUED IN NEXT POST)

Accepted Solution / Official Solution: Teacher (9 Messages), 13 years ago

(CONTINUED FROM FIRST POST)

 

Step 7) Connect the router's WAN interface to the RG.

Step 8) Log back in to the RG, and do the following:
    * Go to Diagnostics -> IP Utilities
        * Ping all five usable addresses; the one on the router, and each of the virtual ones.
        * This will make each of the router's static addresses show up in the RG's LAN settings.
    * Go to LAN -> IP Address Allocation
        * Verify that each of your IPs is showing up.
        * Set the firewall to DISABLED on all of your static IPs. This ensures that all ports are open to the outside world, except 445 (and possibly a few others), which the RG will always block. You may now configure NAT and firewalling as you see fit on your own devices.

The key is in the F1/0 interface's configuration. When handling NAT, the router uses the most specific matched IP + MAC, whether it's physical or virtual, to handle packets. This successfully fakes out the RG and lets us NAT our public IP space however we want!


Caveats and other thoughts:

  • Cisco devices have a limit to the number of HSRP groups they can create, and each one you add adds to CPU overhead. On my device, the limit is 32, so I had no problem. Older devices, however, can have limits as low as 8. Make sure you check up on this before trying this with a larger block of addresses. I only recommend this solution for blocks of 8 or 16. (5 or 13 usable).
  • The NAT implementation I have above is very simple, but you can do a lot more complicated things. If you have a firewall that supports HSRP/VRRP/GLBP, then I imagine you could run it on that, too.
  • Security is not taken into account in the configuration above. Because we are bypassing the RG's firewall, you will probably want to incorporate a firewall or at the very least harden your systems and scan them for open ports, as they WILL be more exposed to the outside than before.

   
I hope that this helps someone out there. Good luck -- feel free to PM me if you have trouble implementing this.

 

Agreed -- it's still not perfect, but I've found it to be adequate for my needs. Fortunately I'm not running anything super esoteric that NAT will break.

 

If anyone out there is, though, I think that the workaround will be fairly simple: Remove one of the HSRP groups and then assign that freed static address directly to the device. Make sure to ping it from the diagnostics tab to get it to update in the RG properly. Also make sure that the device does not respond to ARPs on its exterior interface with the inside address of the box, or the RG will cause some very strange behavior.

 

Here is a link that I found very helpful in my initial troubleshooting of the design -- he includes a brief instruction on how to fix the interior/exterior ARP issue on Linux, too:

 

http://www.ka9q.net/Uverse/static-ip.html

 

I forgot to include that link in the main post -- it was very helpful in pointing me in the right direction as far as what the problem actually was, so that I could solve it.

 

Hopefully AT&T / 2Wire will realize that the RG has some serious limitations with regard to their static IP offerings, and their next RG model will conform a bit better to standards 🙂
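As an added example (not from the original post, and not AT&T or Cisco code), here is a small Python checker for the part of this design that the RG is picky about: it reads the F1/0 address, the HSRP groups and the static NAT lines out of an IOS config in the shape posted above and flags a usable address in the block that has no virtual MAC/IP pair (the RG will never register it), duplicate virtual MACs, a NAT mapping to a public address the RG does not know, and an inside host mapped to two public addresses (which is exactly the PC2 line as first posted, before the .100 to .200 correction later in the thread). The config text is constructed from the thread's values and the RG address is passed in separately.

```python
import ipaddress
import re

# Constructed sample: the HSRP and static-NAT lines from the config in this thread,
# with the PC2 line as first posted (inside host .100 instead of .200).
SAMPLE_CONFIG = """
interface FastEthernet1/0
 ip address 99.1.1.5 255.255.255.248
 standby 1 ip 99.1.1.1
 standby 1 mac-address 0000.0000.1001
 standby 2 ip 99.1.1.2
 standby 2 mac-address 0000.0000.1002
 standby 3 ip 99.1.1.3
 standby 3 mac-address 0000.0000.1003
 standby 4 ip 99.1.1.4
 standby 4 mac-address 0000.0000.1004
ip nat inside source static 172.16.0.100 99.1.1.2
ip nat inside source static tcp 172.16.0.100 80 99.1.1.3 80
"""


def check_config(text, rg_address):
    """Return a list of problems in the HSRP/NAT part of an IOS config (empty if clean)."""
    problems = []
    m = re.search(r"ip address (\S+) (\S+)", text)
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    vips = dict(re.findall(r"standby (\d+) ip (\S+)", text))
    macs = re.findall(r"standby \d+ mac-address (\S+)", text)
    # Every usable host except the router itself and the RG needs its own
    # HSRP group, otherwise the RG has no MAC to tie that address to.
    needed = {str(h) for h in iface.network.hosts()} - {str(iface.ip), rg_address}
    covered = set(vips.values())
    for ip in sorted(needed - covered, key=ipaddress.ip_address):
        problems.append(f"{ip} has no HSRP group, the RG will not register it")
    if len(set(macs)) != len(macs):
        problems.append("virtual MACs are not unique, the RG collapses them to one IP")
    # Static NAT: each public address must be one the RG knows (a virtual or the
    # interface address), and one inside host must not own two public addresses.
    pattern = r"ip nat inside source static (?:(?:tcp|udp) )?(\S+) (?:\d+ )?(\S+)"
    inside_map = {}
    for inside, public in re.findall(pattern, text):
        if public not in covered and public != str(iface.ip):
            problems.append(f"NAT to {public}, which has no MAC/IP pair on F1/0")
        inside_map.setdefault(inside, []).append(public)
    for inside, publics in inside_map.items():
        if len(publics) > 1:
            problems.append(f"{inside} is mapped to several public addresses: {publics}")
    return problems
```

Calling `check_config(SAMPLE_CONFIG, "99.1.1.6")` reports the doubled 172.16.0.100 mapping; after changing the PC2 line to .200 it returns an empty list.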

Expert (9.4K Messages), 13 years ago


d3phoenix wrote:

 

To solve this, we have to fake out the RG into cooperating. We can accomplish this fakery by doing some protocol abuse of our own -- running a routing redundancy protocol even though we have no peer router to balance with.

 

Cunning and brilliant. Hats off, and kudos given.

 

I must point out that the end setup is still not quite like it should be -- which would be to insert a static route into the RG and actually run the static IPs behind the Cisco.  This method requires the 1-to-1 static NAT configuration on the Cisco, although in practice, that generally works perfectly for 99% of protocols, including esoteric setups like VPN.

 

Nevertheless, a big step forward from where the 2Wire had left us. I run on a Cisco 2811 in my house myself, and I'm tempted to get a static IP block just to try this out.

Teacher (9 Messages), 13 years ago

Another credit I'd like to add -- thanks to user tmiw -- the ideas they posted about macvlans on linux were instrumental in giving me this crazy idea 🙂

 

http://forums.att.com/t5/forums/forumtopicprintpage/board-id/uverse-HSIA/message-id/22423/print-single-message/false/page/1

 

Expert (24.3K Messages), 13 years ago

Good job. and thanks for sharing.

 

(referenced link is now dead?)

 

Teacher (9 Messages), 13 years ago

Fixed (I think? How did I mess up a simple copy-paste? :))

Expert (24.3K Messages), 13 years ago

LOL, it happens! My first thought was it had been moved, but it's working now.

Teacher (9 Messages), 13 years ago

Another minor correction...

 

Under this part, the address in the router config should be .200:


! Use NAT to expose JUST the web service on PC2, 172.16.0.200, as 99.1.1.3:
    ip nat inside source static tcp 172.16.0.100 80 99.1.1.3 80

 

Like this:

 

! Use NAT to expose JUST the web service on PC2, 172.16.0.200, as 99.1.1.3:
    ip nat inside source static tcp 172.16.0.200 80 99.1.1.3 80

 

I didn't see a way to edit the original message. If there is a way, please let me know and I'll fix it. Thanks 🙂

Expert (9.4K Messages), 13 years ago

The forum limits the edit time on posts to 1 hour.

If you PM one of the moderators (try pamelaz) they can edit it for you.

Tutor (4 Messages), 13 years ago

I just upgraded from 3meg dry DSL direct to U-Verse "business" with a block of 5 static IPs a few days ago so I could run servers and be within the rules of AT&T for running servers. I admit to not researching this before I switched because I assumed AT&T would treat me right as a business customer running a technical business... my bad mistake. It feels like being punished for doing the right thing now with this 2Wire/Pace residential router as the ONLY CPE allowed.

 

So I have read back a few months in this forum and the only solution to come along since U-Verse was offered is this thread? (which of itself is kudo-worthy... I agree... and am glad there's a few people working and posting on this issue) I googled for hours and there isn't anything else but this thread and the links in it for me and others to try and adapt and implement. AT&T 2nd tier said we'll help you set up one of your IPs in supplementary networks... the rest you are on your own. Ok... thanks. If I could run a real router instead of this 2Wire I wouldn't need you except in an outage or IP addressing issue.

 

Now I looked at a Cisco 887v to solve it all and I hear the 2Wire must be used because of its firmware tied to its MAC addresses by (bad and wrong and flagrant disregard for standards as joesomebody tells us) design! Wow.

 

I have each address assigned to a LAN port and firewall off with a cheap D-Link, etc. router on each IP segment as the head-end segment LAN firewall. Mickey Mouse, but it works for now. I have no idea if it's going to be seen correctly yet from the rest of the internet. Just wanted to say thanks for these threads and I will help in them as I try them out. So next I have to build a Linux FW/router per this thread with a compiled kernel and macvlans, iptables and who knows what else to make it work and secure. All I can say is what have I got myself into? 😉

 

Tom

Teacher (9 Messages), 13 years ago

You shouldn't need the Linux box or the macvlans with my solution above.

 

I would recommend a Cisco 2811 series router. You can find them aftermarket for under $400. They're super reliable and come with two Fast Ethernet ports built in. If you're a bit tight on the budget like I am, then you could also piece together a 3640 -- you'll need maxed-out RAM and Flash, and will need to add two Fast Ethernet ports on NM cards (either 2x NM-1FE* or 1x NM-2FE*). A fully loaded 3640 goes for around $200-250 on eBay. I have found through some testing of my own that the 3640 is just about the lowest-end Cisco router you can comfortably run U-Verse on. The 2600s don't quite have enough performance.

 

Do you have any Cisco experience (CCNA)? If so, my solution might be a good fit for you; otherwise you should find someone who is familiar with Cisco equipment to help you out, or do some studying and learn the basics of the gear first before trying to put it into any sort of important service.

 

As far as the multiple D-Link solution, I think I really would just put a switch directly off of the RG and deal with its idiotic firewall GUI instead of putting those inline. I'd be worried about them becoming a bottleneck. What are your goals with this setup? If you can post some details (nothing identifiable or security related, obviously) then I might be able to get a better idea what you're trying to do and make some better recommendations.
