I am having trouble properly configuring this AT&T 2Wire 3600HGV modem for my network. Maybe someone is aware of a different firmware for this product?
I am completely aware of how to set up the DMZ mode & router behind router setup in these boxes but that is NOT the point. (We have supported firewalled networked equipment working that has all the bells & whistles including QoS)
In the event of a factory reset of the AT&T 2Wire VDSL modem at this business, I want to properly ensure the following business requirements are met:
- DHCP - OFF (at min, it appears you must leave one available?)
- WiFi - OFF (Yes this can be turned off, but bridging it always ensured it was turned off in the past. ON is a security concern among just bad business i.e. conflict with other business WiFi, employees might see/use this non-content filtered WiFi, etc etc)
- & passing off internet service needs to be easy to another networked supported OUTSIDE of AT&T firewall. (I'm NOT asking for AT&T support on this, but in the bridge DSL world, this was EASY)
- if bridging this 2Wire is NOT an option, backing up the configuration settings would be a nice alternative but that is not available as well?
Bridging the old DSL modems always worked nicely but the 2Wire 3XXXHGV line appears to be the ONLY ones to support the AT&T VDSL Max Turbo speeds. 24Mbps down / 3 Mbps up which we use not only for normal business operations (credit cards, business email, web based training, etc) but this high speed is required to view onsite security video (3Mbps up) and offer customers FAST free WiFi!
AT&T U-Verse offers the right price, contract, speed, internet package & installers to properly handle our restaurant locations company's data needs but I'm struggling with their "business" support of this 2Wire VDSL modem product. We ONLY use the internet, no TV (not legally available for restaurants, yet). No VoIP because POTS is our reliable backup. So it's just the internet service ...
For coverage on AT&T Uverse, we have over 50 locations lit up like a Christmas tree but sadly business support on this product is driving me nutz! Maybe because I now see this is listed under "Residential Gateway"? Is this AT&T 2Wire VDSL modem product not meant for business? Is anyone aware of another supported AT&T VDSL modem or a different 2Wire firmware available? Official AT&T support has me running in circles (AT&T U-verse support > AT&T Connecttech > AT&T Connecttech360 > AT&T U-verse support, rinse, repeat)
There is no true bridge mode on the 2Wire routers. However, you can still configure it such that almost all functions of your own router will work properly.
1. Set your router's WAN interface to get an IP address via DHCP. This is required at first so that the 2Wire recognizes your router.
2. Plug your router's WAN interface to one of the 2Wire's LAN interfaces.
3. Restart your router, let it get an IP address via DHCP.
4. Log into the 2Wire router's interface. Go to Settings -> Firewall -> Applications, Pinholes, and DMZ
5. Select your router under section (1).
6. Click the DMZPlus button under section (2).
7. Click the Save button.
8. Restart your router, when it gets an address via DHCP again, it will be the public outside IP address. At this point, you can leave your router in DHCP mode (make sure the firewall on your router allows the DHCP renewal packets, which will occur every 10 minutes), or you can change your router's IP address assignment on the WAN interface to static, and use the same settings it received via DHCP.
9. On the 2Wire router, go to Settings -> Firewall -> Advanced Configuration
10. Uncheck the following: Stealth Mode, Block Ping, Strict UDP Session Control.
11. Check everything under Outbound Protocol Control except NetBIOS.
12. Uncheck NetBIOS under Inbound Protocol Control.
13. Uncheck all the Attack Detection checkboxes (7 of them).
14. Click Save.
Your router should now be able to route as if the 2Wire was a straight bridge, for the most part.
Inbound port 22 might be blocked, and inbound ports 8000-8015 might also be blocked, and there's nothing that can be done about it.
This is how I have my 2Wire configured, and I have a Cisco 2811 behind it doing IPSec, IPv6 tunnels, etc.
Would it be possible to run 2 routers behind ATT RG. I have a renter who insists on using his own router. They have VDSL in my area. Would appreciate your help.
Thanks for your reply SomeJoe7777.
I really can't afford option 1, so it looks like it's between options 2 and 3. What's the downside/upside to using DMZ and double NAT. The routers we use have firewalls built in so threats coming in from the internet should not be a problem correct? Also, I am only using port forwarding in one instance on my router. Not trying to do anything fancy, just trying to get internet for the most part.
I guess I could put my router in the DMZ and have my renter double-NAT his. Would each of our routers have to be on different subnets? For example, the RG would be 192.168.1.154, my router would be 192.168.2.1 and my renter's router would be 192.168.3.1. Does that look right? Also, I normally have all my computers on my router set up with static IP addresses so DHCP is turned off on my router. Any conflict there? Sorry for all the questions. Just want to make sure it will work. They offered me a 18/1 package so I'm not sure which router I will get.
Thanks SomeJoe7777. Yes, everything will be wired separately. The RG will be kept in my room and my router WAN will be connected to one of its LAN ports. Then my renter will have a Cat5e connection from his room to my room to the RG. This will be connected from his WAN to the RG LAN just like mine. The confusion I have is in my router's settings. I currently have PPPoE setting. Should this be set to "obtain an IP automatically"? This won't affect my router's device IP address of 192.168.1.1 (standard for most routers). Because if it did, it would defeat the idea of setting different subnets for all three routers. Maybe I am confused on how this works.
So on my side with the double-NAT, is there anything else I should change? Will simply connecting my WAN to one of the RG's LAN ports get me internet?
Awesome. Thanks so much for your help SomeJoe7777. I will try this out once I get service.
I just received news that I will be getting the 2wire 3801 RG. There should not be any problems setting this up as we discussed using this particular router, correct?
My Windows 7 VPN fails to work after installing U-verse 2Wire 3600HGV-B. I recently switched from ATT DSL to U-verse Internet and was provided with a 2Wire 3600HGV-B. I cannot connect to my company's VPN. After going through 2Wire's support page "VPN Connectivity and Troubleshooting", I tried DMZPlus mode and verified the IP scheme. The VPN still does not connect. From the support page, it is either the VPN is using the IPSec 50 or 51, I had no problem with the old ATT DSL modem before. Is there any workaround? Please help
Thanks for your time.
I just use the Windows 7 preloaded VPN and my wife's NB uses Cisco AnyConnect VPN client. Both VPNs don't connect. Thanks.
After resetting 2Wire back to factory defaults and open DMZplus mode. The VPN is not connecting. I have been using this VPN for few years and travel to many companies/places with my NB and I don't have this problem before switching to U-verse.
Unfortunately, I don't know what else to tell you. I use PPTP, L2TP/IPSec, and IKE/IPSec VPN connections all the time through my U-Verse connection with a 2Wire 3800 without any issues.
I would recommend that you send a Private Message to ATTCustomerCare. They are part of the AT&T customer service team and may be able to resolve your Issue. You can expect a reply via return PM between the hours of 7am-10pm CST.
AT&T customer care can also be found online through these channels.
I just bought the Netgear R6300. I have the Uverse 2Wire 3600. Currently my desktop is plugged into a LAN port on the 2Wire, and everything else in the house is on the wireless network of the 2Wire.
I bought the Netgear to improve the strength and range of my wireless signal. After reading thru all 12 pages here, it looks like my best option is to follow post #13. To make sure I understand things correctly:
1) Turn off DHCP on the Netgear (uncheck the box at routerlogin.net that says "Use Router as DHCP Server.")
2) Change it to LAN to LAN. (I currently have it as LAN to WAN on the Netgear so I can access routerlogin.net - otherwise I wouldn't know how to access routerlogin.net for the Netgear).
3) I'm not quite sure how to determine what my range is for the 2Wire, but all assigned IP addresses show as 192.168.1.64-87. I assume the example you gave of setting it to 192.168.1.10 would be alright.
I do this on the same screen where it says "LAN TCP/IP Setup IP Address 10.0.0.1 and IP Subnet Mask 255.255.255.0" Just change the 10.0.0.1 to 192.168.1.10, correct?
4) Do I need to do anything else? Turn off the wireless on the 2Wire? Reboot any systems? Plug my desktop into the Netgear LAN or keep it in the 2Wire LAN?
I appreciate your time here... it is very much appreciated!
Followed the directions at the link you provided. Thank you.
Looks like things are good... final question - does it matter if I have my desktop plugged into the Netgear or the 2Wire? It is not wireless and needs the wired connection into one of the routers. Was just wondering if it mattered.
Thank you once again!
SomeJoe7777, this is an older post so hopefully you are still monitoring it. I have been trying to figure out how to enable Time Limits and other Parental Controls on my network and the 2Wire unfortunately lacks any of these. After reading your post it seems that since I cannot do away with the 2Wire 3800HGV I can simply park a 'good' router with parental features in the DMZ+ behind the 2Wire GW, setting the GW up as you have specified. Then, for all intents, the new router's features will be fully accessible. Right? I have tried to make it work with a 2Wire LAN port connected to one of my router's LAN ports but it does not protect this path. It would be nice if I could implement the controls via any port, or MAC ID, or IP but it only seems to work if the network is coming in the WAN port.
Have I driven off the road? I primarily want the time limits so if you have an alternate idea, I'd love to hear it.
Thanks again for all your insight.
I just wanted to thank SomeJoe for this great tutorial. I can confirm that these steps work perfectly for the new flagship Centria (WNDR4700) from Netgate. It took me a couple of reboots of the Netgate on step 8 before it would pick up the IP, but other than that the setup was flawless! Thanks again!
Edit: I actually have the 2wire i38HG unit with the iNID outside of the house.
Somejoe - one more question? If I have AT&T Uverse Receiver hooked on to the 2Wire gateway, can I leave that on the 2Wire gateway or should I move that to the Linksys? Which would be better and preferred?
You need to configure the Linksys such that its LAN IP address is a different subnet than the RG's LAN.
If the RG is using 192.168.1.x on its LAN, you need to change the Linksys to use something else.
Use the 192.168.2.x subnet. Configure the Linksys LAN IP address to 192.168.2.1, subnet mask 255.255.255.0.
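A quick check for the two addressing points raised in this thread (the DMZplus steps, after which the router's WAN should hold the public address, and the advice that the router's LAN must not share the RG's subnet), as an added example that is not part of any poster's reply. The function name, finding labels and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT space. An address
# in any of these on the router's WAN side is not a public address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def check_cascade(rg_lan, router_wan_ip, router_lan):
    """Return findings for a router cascaded behind the gateway (RG).

    rg_lan and router_lan are interface addresses in CIDR form
    (e.g. "192.168.1.254/24"); router_wan_ip is the address the router's
    WAN interface currently holds. All labels below are hypothetical.
    """
    rg_net = ipaddress.ip_network(rg_lan, strict=False)
    lan_net = ipaddress.ip_network(router_lan, strict=False)
    wan = ipaddress.ip_address(router_wan_ip)

    findings = []
    # Same subnet on both sides of the router: it cannot route between them.
    if rg_net.overlaps(lan_net):
        findings.append("lan-overlaps-gateway")
    # WAN lease came from the RG's own LAN pool: the router is double-NATed
    # and DMZplus has not taken effect (or was never selected for it).
    if wan in rg_net:
        findings.append("wan-on-gateway-lan")
    elif any(wan in net for net in NON_PUBLIC):
        findings.append("wan-not-public")
    return findings


if __name__ == "__main__":
    # Constructed samples; 203.0.113.10 is a documentation address standing
    # in for the public IP the RG hands out in DMZplus mode.
    samples = [
        ("192.168.1.254/24", "203.0.113.10", "192.168.2.1/24"),
        ("192.168.1.254/24", "192.168.1.64", "192.168.1.1/24"),
        ("192.168.1.254/24", "192.168.1.64", "192.168.3.1/24"),
    ]
    for rg, wan, lan in samples:
        print(rg, wan, lan, "->", check_cascade(rg, wan, lan) or "ok")
```

An empty result with DMZplus enabled means the router's own firewall is the only filter in front of the LAN, since the steps above also switch off the RG's attack detection and stealth settings.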
Somejoe7777, first let me just say I can not adequately express how much I appreciate you being here and helping people, thank you!
If you would be so kind as to advise me what you think I should do. I've been doing network engineering for many years, I worked for a company for 7 years doing it as a field engineer and now do it with my own small business. I've setup countless ADSL, SDSL, MetroE, Bonded T1 etc. Prior to 2008 I was using a dedicated Qwest T1 on a Cisco 1721 as you know quite expensive but I was on the same backbone as a major client and needed very good latency which was 5-10ms.
Had to reduce costs in 2008 and switched from T1 to Comcast Cable (don't think Uverse was available yet) and since I am 12k feet from CO the DSL was only 1.5. Jan 2010 Comcast wanted to keep my business and offered me 50/10 for 99.95 a month couldn't refuse so signed up for 2 yr contract, then Jan 2011 they started dinging me for a $7 a month modem fee claiming it was supposed to be there all along.
At that point Jan 2011 I had Uverse Business Class 24mbps installed with a 2wire 3801 and static IP (running Exchange and Activesync), I already had existing wiring in place for the T1 (this is a home office location) ran tests to laptop directly from 3801 and no problems 21-22mbps down and forget my upload I think it was 2.8-2.9 normal tcp overhead. Did note that the latency time (ping) was double or more of my Comcast cable and I've read that it has to do with interleaving which standard DSL doesn't have (fastpath usually) and nothing can be done about it. All testing of signal margins, line attenuations, distance to vrad and I forget the other "DSL/VDSL" areas I checked were all Good to Excellent in quality. Also the line did not drop at all for a week straight with packet loss testing and connection testing to my laptop (not yet connected to my network)
Here's where the problem comes in... I'm running ESXi server with Exchange and part of that is also my Astaro Firewall (linux based app quite popular) its been flawless for 4 years (almost 5 years now) with my comcast SMC router that has a static IP and NAT&DHCP disabled so it is bridged and on its public IP. Also have many other clients running Astaro firewalls no problems.
I figured out pretty quickly the 2Wire was a problem and it wasn't going to be straight forward, calls to Tech Support didn't work out too well so reading found your post and other's posts as well including someone running a "pFsense" linux based firewall. I followed your directions precisely but am not 100% sure only about 95% sure that I changed the LAN IP subnet of the 3801. Pretty sure I did. Because changing my LAN side on my network would involve a lot of changes including server's IP, Firewall LAN, ESXi server IP and a few other static IPs on my network something I really don't want to do.
Was able to get the 3801 working through my firewall eventually following your directions BUT.... as someone else posted somewhere on here or another forum my speed tests were greatly reduced to erratic behavior 12-18 down, 0.5-0.7 up.... and the results were terrible and different every time I tested. So here are my questions and sorry for this being SO long. I won't go into the fact AT&T should have business class modems/routers available for businesses. This is Internet Only no phone no TV.
1. My network is 192.168.1.x, you mention it must be different than the RG, I seem to recall changing the RG LAN (not sure) and DHCP is there any issues with doing this? If I recall correctly it offered 10.x and 172.x but wouldn't let me specify exactly what I wanted to use.
2. Can DHCP be turned off on the RG? My Server hands out DHCP
3. Is the RG doing NAT still in this DMZPlus mode following your directions could my slow issues and erratic speed tests have been a result of a double NAT scenario with my firewall?
4. I remember having to set my WAN NIC on my firewall to DHCP, I think you mentioned after it initially gets an IP (mine would be static) that I could set my WAN NIC to the static IP and subnet mask and default gateway? Is this true or does it have to be left as DHCP?
5. I also remember at one point my WAN NIC of my firewall received a private 192.168.1.x IP from the 2wire, just to confirm if setup correctly it should be receiving the public static IP (goes with #4)
6. Have the 2wires had any improvements in the last year Jan 2012-present that would maybe help my issue?
When I completed my order yesterday they advised me that this deal was only going to be for 12 months and that normally this was going to run me 140 a month and I was getting the discounted 60 off to make it 80 a month. Do I have to worry when my 12 months is up that they won't extend the deal offered? Comcast has 27/7 @ 110 right now without promotions so wouldn't make sense.
Sales also checked with Tech Support to verify I wouldn't be getting a 2wire 3801 or any 2wire at all even as I expressed my troubles a year ago, after 15-20 min she confirmed I would be getting a "Motorola 3600" and that Tech Support would easily bridge it just like my Comcast is with a static IP. After searching later on I realized there is no AT&T UVerse Motorola 3600 and called support, they checked the order and I'm getting an "Internet Gateway" which is the 2wire 3600.... I know that the 3800/3801 have TV/Phone etc and the 3600 is usually internet only, will it offer me less troubles than the 3801 did to setup with my firewall or is it pretty much the same thing minus capabilities.
Thanks in advance.
Thank you so much for replying. I spoke to several people today at AT&T and also the engineer that qualified my line was nice enough to make a couple of calls. Is there any reason at all for me to get a 3600 right now? I've been told that AT&T wants to use the 3801 instead because it is a dual core processor and for 24mbps speeds it runs a little faster?
My install tech is scheduled for 11am tomorrow and if you could recommend either the 3600 or 3801 I'd appreciate it. If they both have the same DMZplus issues then shouldn't I get the faster/newer model? Speaking with billing/sales an hour ago the nice lady says AT&T has had several meetings about this issue on not offering a true bridged modem/router and they are planning to resolve that issue because it is creating a fair amount of cancelled orders for them.
Will I face any issues with getting my PTR record setup for RDNS with AT&T? With Comcast 4 years ago it was pretty easy and I've had that same static IP and PTR record without having any email issues. I'm assuming that the static IP I receive from AT&T will be on a business class block where the IP won't be blacklisted on various internet lists?
Really hoping I don't have that issue with speed problems after going through my firewall, a year ago I finally had it working with my firewall but that was after so much time spent so I gave up not having more time to troubleshoot and just kept my Comcast for another year. If you say DMZPlus mode there is no NAT then I wouldn't have a double NAT scenario the only problem is will my firewall (Astaro) WAN interface pass the traffic in the same manner as it did with the bridged SMC from Comcast.
If I set the firewall WAN NIC to DHCP to receive the IP then set it to static IP, subnet mask, default gateway what's the best way to access the RG after I set it up that way? I'm assuming set my laptop to LAN IP same subnet as the RG and access it that way? I seem to recall when I set the LAN IP it had a drop down of 192.168.1.x or 10.0.x.x or 172.x.x.x as you said with new firmware 10.0.x.x no longer available so can I not choose to put the LAN IP as 192.168.2.254 for the RG? Also setting the LAN IP of the RG should have nothing to do with the static public IP of the DMZPlus should it?