11-26-2012 02:38:43 PM
Would it be possible to run 2 routers behind ATT RG. I have a renter who insists on using his own router. They have VDSL in my area. Would appreciate your help.
11-26-2012 05:03:27 PM
If you really want two different routers running in routing mode so that the two systems are as completely separate as they can possibly be, then there are only a few ways to do it:
1. Static IPs. You would get Internet service, add on the $15/month static IP package which gives you 5 usable static IP addresses, and use 2 of them -- one for your router and one for his. Both routers have control of their inbound traffic and firewall.
2. Double-NAT. Each router can operate in routing mode with 192.168.1.x addresses on the WAN port, and a different private subnet of your choice on the LAN port. Neither router has control of their inbound traffic, requiring firewall configuration on the 2Wire for inbound ports.
3. One router using double-NAT, one using DMZ. This would allow one of the routers to have control of its inbound traffic and firewall (the DMZ one), but not the other.
11-26-2012 06:15:11 PM
Thanks for your reply SomeJoe7777.
I really can't afford option 1, so it looks like it's between options 2 and 3. What's the downside/upside to using DMZ and double NAT? The routers we use have firewalls built in so threats coming in from the internet should not be a problem, correct? Also, I am only using port forwarding in one instance on my router. Not trying to do anything fancy, just trying to get internet for the most part.
I guess I could put my router in the DMZ and have my renter double-NAT his. Would each of our routers have to be on different subnets? For example, the RG would be 192.168.1.154, my router would be 192.168.2.1 and my renter's router would be 192.168.3.1. Does that look right? Also, I normally have all my computers on my router set up with static IP addresses so DHCP is turned off on my router. Any conflict there? Sorry for all the questions. Just want to make sure it will work. They offered me an 18/1 package so I'm not sure which router I will get.
11-26-2012 07:10:25 PM
So for that, I'd use option 3. Set his router up as the DMZ device, that way if he wants to configure inbound ports, he can do it on his router alone.
Set yours up for double-NAT, and then if you need an inbound port, you'll have to configure it in two places -- one on the 2Wire, and one on your own router also.
Yes, it's best if your LAN and his LAN are on two different subnets so there's no confusion, and those subnets should also be different from the one the 2Wire is using.
No problem with no DHCP on your own router if you want to assign everything statically.
One thing you do need to make sure of is that the two networks (yours and the renter's) are physically separated. That means different Ethernet wiring for the downstream computers off of each router. If you share Ethernet wiring, then it's trivial to statically assign an IP address in the other subnet and have access to the other party's computers. Same thing with wireless -- he needs to set his up with his own SSID, encryption, and password that he doesn't give you, and vice versa. You will also need to turn off wireless on the 2Wire gateway.
This setup is rather complex, but it should work fine on any of the 2Wire gateways. If you get a Motorola NVG510, however, then I can't help you.
11-26-2012 07:48:39 PM
Thanks SomeJoe7777. Yes, everything will be wired separately. The RG will be kept in my room and my router WAN will be connected to one of its LAN ports. Then my renter will have a Cat5e connection from his room to my room to the RG. This will be connected from his WAN to the RG LAN just like mine. The confusion I have is in my router's settings. I currently have the PPPoE setting. Should this be set to "obtain an IP automatically"? This won't affect my router's device IP address of 192.168.1.1 (standard for most routers). Because if it did, it would defeat the idea of setting different subnets for all three routers. Maybe I am confused on how this works.
11-26-2012 07:51:59 PM
However, you will need to go into your router and change the LAN subnet. Since the WAN side will use the RG's subnet of 192.168.1.x, your LAN side needs to use something else, like 192.168.2.x.
11-26-2012 09:02:34 PM
So on my side with the double-NAT, is there anything else I should change? Will simply connecting my WAN to one of the RG's LAN ports get me internet?
11-26-2012 09:09:23 PM
11-28-2012 06:00:39 PM
I just received news that I will be getting the 2wire 3801 RG. There should not be any problems setting this up as we discussed using this particular router, correct?
11-28-2012 08:00:43 PM
12-01-2012 10:48:02 PM
My Windows 7 VPN fails to work after installing U-verse 2Wire 3600HGV-B. I recently switched from ATT DSL to U-verse Internet and was provided with a 2Wire 3600HGV-B. I cannot connect to my company's VPN. I went through 2Wire's support page "VPN Connectivity and Troubleshooting", tried DMZPlus mode, and verified the IP scheme. The VPN still does not connect. From the support page, it is either the VPN is using the IPSec 50 or 51; I had no problem with the old ATT DSL modem before. Is there any workaround? Please help.
Thanks for your time.
12-02-2012 11:57:27 AM
- Windows PPTP
- IPSec type 50
- IKE/IPSec using IPSec type 50 (only if the DMZPlus device)
IPSec type 51 probably will not work.
You also may want to contact your company's IT department and make sure they know you switched ISP services. They may need to make a security change on their end.
12-02-2012 01:15:26 PM
I just use the Windows 7 preloaded VPN and my wife's NB uses the Cisco AnyConnect VPN client. Both VPNs don't connect. Thanks.
12-02-2012 07:14:39 PM
I would suspect that there's something wrong with your 2Wire. I would recommend you reset it to factory defaults using the reset button at the bottom of the following page:
Use the button at the bottom that says "Reset to Factory Defaults". If you have any custom settings in the 2Wire RG, like a custom wireless SSID or password, or custom DHCP settings, firewall settings, etc. you need to write those down before you do the reset so that you can put them back in later.
12-02-2012 11:15:01 PM
After resetting the 2Wire back to factory defaults and opening DMZplus mode, the VPN is not connecting. I have been using this VPN for a few years and have traveled to many companies/places with my NB, and I didn't have this problem before switching to U-verse.
12-03-2012 06:13:22 AM
Unfortunately, I don't know what else to tell you. I use PPTP, L2TP/IPSec, and IKE/IPSec VPN connections all the time through my U-Verse connection with a 2Wire 3800 without any issues.
I would recommend that you send a Private Message to ATTCustomerCare. They are part of the AT&T customer service team and may be able to resolve your issue. You can expect a reply via return PM between the hours of 7am-10pm CST.
AT&T customer care can also be found online through these channels.
12-06-2012 08:56:44 PM
I just bought the Netgear R6300. I have the Uverse 2Wire 3600. Currently my desktop is plugged into a LAN port on the 2Wire, and everything else in the house is on the wireless network of the 2Wire.
I bought the Netgear to improve the strength and range of my wireless signal. After reading thru all 12 pages here, it looks like my best option is to follow post #13. To make sure I understand things correctly:
1) Turn off DHCP on the Netgear (uncheck the box at routerlogin.net that says "Use Router as DHCP Server.")
2) Change it to LAN to LAN. (I currently have it as LAN to WAN on the Netgear so I can access routerlogin.net - otherwise I wouldn't know how to access routerlogin.net for the Netgear).
3) I'm not quite sure how to determine what my range is for the 2Wire, but all assigned IP addresses show as 192.168.1.64-87. I assume the example you gave of setting it to 192.168.1.10 would be alright.
I do this on the same screen where it says "LAN TCP/IP Setup IP Address 10.0.0.1 and IP Subnet Mask 255.255.255.0" Just change the 10.0.0.1 to 192.168.1.10, correct?
4) Do I need to do anything else? Turn off the wireless on the 2Wire? Reboot any systems? Plug my desktop into the Netgear LAN or keep it in the 2Wire LAN?
I appreciate your time here... it is very much appreciated!
12-06-2012 09:24:46 PM
See the following thread for an example and some detailed pointers on what to do and what to try to accomplish:
12-07-2012 07:10:04 AM
Followed the directions at the link you provided. Thank you.
Looks like things are good... final question - does it matter if I have my desktop plugged into the Netgear or the 2Wire? It is not wireless and needs the wired connection into one of the routers. Was just wondering if it mattered.
Thank you once again!
12-07-2012 07:46:31 AM
12-12-2012 02:21:12 PM
SomeJoe7777, this is an older post so hopefully you are still monitoring it. I have been trying to figure out how to enable Time Limits and other Parental Controls on my network and the 2Wire unfortunately lacks any of these. After reading your post it seems that since I cannot do away with the 2Wire 3800HGV I can simply park a 'good' router with parental features in the DMZ+ behind the 2Wire GW, setting the GW up as you have specified. Then, for all intents, the new router's features will be fully accessible. Right? I have tried to make it work with a 2Wire LAN port connected to one of my router's LAN ports but it does not protect this path. It would be nice if I could implement the controls via any port, or macID, or IP but it only seems to work if the network is coming in the WAN port.
Have I driven off the road? I primarily want the time limits so if you have an alternate idea, I'd love to hear it.
Thanks again for all your insight.
12-12-2012 05:48:30 PM
On parental controls/time limits, remember that physical security is also required otherwise it's trivial to bypass. The 2Wire and your router need to be in a locked area, inaccessible to those who would attempt such things.
01-01-2013 12:44:48 PM - edited 01-01-2013 01:04:01 PM
I just wanted to thank SomeJoe for this great tutorial. I can confirm that these steps work perfectly for the new flagship Centria (WNDR4700) from Netgate. It took me a couple of reboots of the Netgate on step 8 before it would pick up the IP, but other than that the setup was flawless! Thanks again!
Edit: I actually have the 2wire i38HG unit with the iNID outside of the house.
01-12-2013 11:54:08 AM
Somejoe - one more question? If I have an AT&T Uverse Receiver hooked on to the 2Wire gateway, can I leave that on the 2-Wire gateway or should I move that to the Linksys? Which would be better and preferred?
01-12-2013 12:42:20 PM
01-17-2013 07:40:11 AM
You need to configure the Linksys such that its LAN IP address is a different subnet than the RG's LAN.
If the RG is using 192.168.1.x on its LAN, you need to change the Linksys to use something else.
Use the 192.168.2.x subnet. Configure the Linksys LAN IP address to 192.168.2.1, subnet mask 255.255.255.0.
Somejoe7777, first let me just say I can not adequately express how much I appreciate you being here and helping people, thank you!
If you would be so kind as to advise me what you think I should do. I've been doing network engineering for many years, I worked for a company for 7 years doing it as a field engineer and now do it with my own small business. I've setup countless ADSL, SDSL, MetroE, Bonded T1 etc. Prior to 2008 I was using a dedicated Qwest T1 on a Cisco 1721 as you know quite expensive but I was on the same backbone as a major client and needed very good latency which was 5-10ms.
Had to reduce costs in 2008 and switched from T1 to Comcast Cable (don't think Uverse was available yet) and since I am 12k feet from CO the DSL was only 1.5. Jan 2010 Comcast wanted to keep my business and offered me 50/10 for 99.95 a month couldn't refuse so signed up for 2 yr contract, then Jan 2011 they started dinging me for a $7 a month modem fee claiming it was supposed to be there all along.
At that point Jan 2011 I had Uverse Business Class 24mbps installed with a 2wire 3801 and static IP (running Exchange and Activesync), I already had existing wiring in place for the T1 (this is a home office location) ran tests to laptop directly from 3801 and no problems 21-22mbps down and forget my upload I think it was 2.8-2.9 normal tcp overhead. Did note that the latency time (ping) was double or more of my Comcast cable and I've read that it has to do with interleaving which standard DSL doesn't have (fastpath usually) and nothing can be done about it. All testing of signal margins, line attenuations, distance to vrad and I forget the other "DSL/VDSL" areas I checked were all Good to Excellent in quality. Also the line did not drop at all for a week straight with packet loss testing and connection testing to my laptop (not yet connected to my network)
Here's where the problem comes in... I'm running ESXi server with Exchange and part of that is also my Astaro Firewall (linux based app quite popular). It's been flawless for 4 years (almost 5 years now) with my Comcast SMC router that has a static IP and NAT&DHCP disabled so it is bridged and on its public IP. Also have many other clients running Astaro firewalls, no problems.
I figured out pretty quickly the 2Wire was a problem and it wasn't going to be straightforward, calls to Tech Support didn't work out too well so reading found your post and others' posts as well including someone running a "pfSense" linux based firewall. I followed your directions precisely but am not 100% sure only about 95% sure that I changed the LAN IP subnet of the 3801. Pretty sure I did. Because changing my LAN side on my network would involve a lot of changes including server's IP, Firewall LAN, ESXi server IP and a few other static IPs on my network, something I really don't want to do.
Was able to get the 3801 working through my firewall eventually following your directions BUT.... as someone else posted somewhere on here or another forum my speed tests were greatly reduced to erratic behavior 12-18 down, 0.5-0.7 up.... and the results were terrible and different every time I tested. So here are my questions and sorry for this being SO long. I won't go into the fact AT&T should have business class modems/routers available for businesses. This is Internet Only no phone no TV.
1. My network is 192.168.1.x, you mention it must be different than the RG, I seem to recall changing the RG LAN (not sure) and DHCP is there any issues with doing this? If I recall correctly it offered 10.x and 172.x but wouldn't let me specify exactly what I wanted to use.
2. Can DHCP be turned off on the RG? My Server hands out DHCP
3. Is the RG doing NAT still in this DMZPlus mode following your directions could my slow issues and erratic speed tests have been a result of a double NAT scenario with my firewall?
4. I remember having to set my WAN NIC on my firewall to DHCP, I think you mentioned after it initially gets an IP (mine would be static) that I could set my WAN NIC to the static IP and subnet mask and default gateway? Is this true or does it have to be left as DHCP?
5. I also remember at one point my WAN NIC of my firewall received a private 192.168.1.x IP from the 2wire, just to confirm if setup correctly it should be receiving the public static IP (goes with #4)
6. Have the 2wires had any improvements in the last year Jan 2012-present that would maybe help my issue?
When I completed my order yesterday they advised me that this deal was only going to be for 12 months and that normally this was going to run me 140 a month and I was getting the discounted 60 off to make it 80 a month. Do I have to worry when my 12 months is up that they won't extend the deal offered? Comcast has 27/7 @ 110 right now without promotions so wouldn't make sense.
Sales also checked with Tech Support to verify I wouldn't be getting a 2wire 3801 or any 2wire at all even as I expressed my troubles a year ago, after 15-20 min she confirmed I would be getting a "Motorola 3600" and that Tech Support would easily bridge it just like my Comcast is with a static IP. After searching later on I realized there is no AT&T UVerse Motorola 3600 and called support, they checked the order and I'm getting an "Internet Gateway" which is the 2wire 3600.... I know that the 3800/3801 have TV/Phone etc and the 3600 is usually internet only, will it offer me less troubles than the 3801 did to setup with my firewall or is it pretty much the same thing minus capabilities.
Thanks in advance.
01-17-2013 02:49:33 PM
To answer your questions:
1. If you're using 192.168.1.x internally behind your firewall/router, then yes, you need to change the RG's LAN to something else to avoid routing difficulties. The RG's latest firmware update no longer allows the 10.x.x.x addresses, so you'll need to change it to 192.168.2.x or something in the 172.16.x.x space.
You can connect a computer directly to the RG, let it get an address via DHCP, and log into the RG from there to change it/configure it.
2. No, DHCP cannot be disabled on the RG. But if the networks you have (the RG's LAN and your private LAN) have a layer 3 router/firewall device in between, then this is no problem because the DHCP packets will not cross a router.
3. No, in DMZPlus mode, there is no NAT. It's not a straight bridge either, because the packets are still handled by the routing code (i.e. no fast-switching or Cisco express forwarding like the Cisco would do), but there will be no NAT.
Yes, slow or erratic speeds could be because of a double NAT scenario, but it's more likely routing difficulties with two 192.168.1.x networks as I described above.
4. You can change the firewall to static if you need to, but the RG is happier if everything uses DHCP. Some firewalls will need to have inbound UDP to port 68 open from all IP addresses for DHCP renewal to occur correctly. This is due to a bug in the RG DHCP code.
5. If you set up DMZPlus correctly, the WAN interface of the firewall should get the public IP address. If it's getting a private IP, the DMZPlus mode isn't set up correctly.
6. Not really, the last firmware update removed the ability for 10.x.x.x addresses to be used on the LAN. Other than that, there haven't been any changes to the RG firmware in a couple years.
I would verify your DMZPlus setup and your different LAN subnet assignments, and correct those problems if required. After that, perform some further speed tests and see if you're getting close to the 24/3 speed.
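The addressing rules given in this thread (router LANs on subnets different from the gateway's and from each other, a double-NAT router's WAN address inside the gateway LAN, a DMZPlus device receiving the public address rather than a private one) can be checked before any cabling is done. The script below is an added example, not part of any post; the router names, the gateway address 192.168.1.254 and the public address 203.0.113.10 are constructed sample values.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges, listed explicitly so the check does not depend on
# how the library classifies documentation or other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr (an ipaddress address object) is in an RFC 1918 range."""
    return any(addr in net for net in RFC1918)


def check_plan(rg_lan, routers):
    """Return a list of findings; an empty list means the plan is consistent.

    rg_lan  -- gateway LAN interface, e.g. "192.168.1.254/24"
    routers -- {name: {"mode": "double-nat" | "dmzplus",
                       "wan": address the router's WAN port received,
                       "lan": router LAN interface, e.g. "192.168.2.1/24"}}
    """
    findings = []
    rg_net = ipaddress.ip_interface(rg_lan).network
    lans = {}
    for name, cfg in routers.items():
        wan = ipaddress.ip_address(cfg["wan"])
        lan = ipaddress.ip_interface(cfg["lan"]).network
        lans[name] = lan
        # A router LAN that reuses the gateway subnet causes routing trouble.
        if lan.overlaps(rg_net):
            findings.append(f"{name}: LAN {lan} overlaps gateway LAN {rg_net}")
        # In double-NAT the WAN port is just another host on the gateway LAN.
        if cfg["mode"] == "double-nat" and wan not in rg_net:
            findings.append(f"{name}: WAN {wan} is not in gateway LAN {rg_net}")
        # A DMZPlus device should hold the public address on its WAN port.
        if cfg["mode"] == "dmzplus" and is_rfc1918(wan):
            findings.append(f"{name}: WAN {wan} is private; DMZPlus is not set up correctly")
    # The two downstream LANs must also differ from each other.
    for (a, lan_a), (b, lan_b) in combinations(lans.items(), 2):
        if lan_a.overlaps(lan_b):
            findings.append(f"{a} and {b}: LANs {lan_a} and {lan_b} overlap")
    return findings


RG_LAN = "192.168.1.254/24"  # constructed; the thread only gives 192.168.1.x

GOOD_PLAN = {  # constructed: owner double-NAT, renter as the DMZPlus device
    "owner":  {"mode": "double-nat", "wan": "192.168.1.64", "lan": "192.168.2.1/24"},
    "renter": {"mode": "dmzplus", "wan": "203.0.113.10", "lan": "192.168.3.1/24"},
}
BAD_PLAN = {  # constructed: both routers left on the common 192.168.1.1 default
    "owner":  {"mode": "double-nat", "wan": "192.168.1.64", "lan": "192.168.1.1/24"},
    "renter": {"mode": "dmzplus", "wan": "192.168.1.65", "lan": "192.168.1.1/24"},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(RG_LAN, plan) or "no findings")
```

Passing checks only confirm the addressing; the physical separation of wiring and wireless described earlier in the thread is still what keeps the two households apart.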
01-17-2013 03:26:14 PM
Thank you so much for replying. I spoke to several people today at AT&T and also the engineer that qualified my line was nice enough to make a couple of calls. Is there any reason at all for me to get a 3600 right now? I've been told that AT&T wants to use the 3801 instead because it is a dual core processor and for 24mbps speeds it runs a little faster?
My install tech is scheduled for 11am tomorrow and if you could recommend either the 3600 or 3801 I'd appreciate it. If they both have the same DMZplus issues then shouldn't I get the faster/newer model? Speaking with billing/sales an hour ago the nice lady says AT&T has had several meetings about this issue on not offering a true bridged modem/router and they are planning to resolve that issue because it is creating a fair amount of cancelled orders for them.
Will I face any issues with getting my PTR record setup for RDNS with AT&T? With Comcast 4 years ago it was pretty easy and I've had that same static IP and PTR record without having any email issues. I'm assuming that the static IP I receive from AT&T will be on a business class block where the IP won't be blacklisted on various internet lists?
Really hoping I don't have that issue with speed problems after going through my firewall, a year ago I finally had it working with my firewall but that was after so much time spent so I gave up not having more time to troubleshoot and just kept my Comcast for another year. If you say DMZPlus mode there is no NAT then I wouldn't have a double NAT scenario the only problem is will my firewall (Astaro) WAN interface pass the traffic in the same manner as it did with the bridged SMC from Comcast.
If I set the firewall WAN NIC to DHCP to receive the IP then set it to static IP, subnet mask, default gateway what's the best way to access the RG after I set it up that way? I'm assuming set my laptop to LAN IP same subnet as the RG and access it that way? I seem to recall when I set the LAN IP it had a drop down of 192.168.1.x or 10.0.x.x or 172.x.x.x as you said with new firmware 10.0.x.x no longer available so can I not choose to put the LAN IP as 192.168.2.254 for the RG? Also setting the LAN IP of the RG should have nothing to do with the static public IP of the DMZPlus should it?