BGW320-500 Bridge Mode and/or IP Passthrough Question

Yeah, 172.16.x.x is fine.  My main complaint there is that he set the Gateway's IP address at the .0 address, which is not wrong.  Most network layouts reserve the .0 as "the name" of the network and put the router at the address after that (.1) or the last non-broadcast (usually .254).  I especially like keeping the Gateway at .254 because that reminds me it's the AT&T Gateway and not mine (because I usually use .1).  Here is some long and involved reading about the reasons behind the convention.

Also, if all things are equal, I normally suggest leaving the AT&T Gateway at the 192.168.1.0/24 and move your router's IP somewhere else (e.g. 172.16.x.x) so that when following instructions about the Gateway that say, e.g. "go to http://192.168.1.254/ and...", you don't have to translate that.

Again, it's not wrong to change the Gateway's IP range, it's not wrong to use the .0, it's just not what I would do.

What I do consider wrong in his post is blindly telling people to disconnect everything from the Gateway (which could include AT&T U-verse IPTV gear if you have it; granted new customers won't) and move it to the router; that you should not do with the IPTV gear.  There are also use cases for leaving other stuff out there; it's sort of like a guest network.

And I still don't know what he was talking about on that Google Home setting re: Public vs Private Address.  

Hi Everyone, Hi @JefferMC , So we got this setup to work (IP Passthrough + Cascaded Router).  The 3rd party router (my Ubiquiti Dream Machine Pro) is handling my public static IP block.  This, is fantastic.  One problem we are now having is that, since the UDMP doesn't appear to have NAT (from what I can tell), we want to do port-forwarding (from a public static IP address to a LAN address).  However, that is were it's falling apart..we cannot get port forwarding to work.  I've screen shotted my AT&T gateway settings below.  Could you comment to see if the problem is with the setup/config, or, if its a problem with the UDMP itself?  Thank you.  BLUE LINE is my assigned network base address, and RED LINE is the "static" ip address assigned to my AT&T gateway itself (an IP address not part of the assigned block purchased from AT&T)

Also, to confirm the other settings are correct, you can see here:  (the TOP WHITE line is the router IP address given to me by AT&T, the BOTTOM WHITE line is the network base address)

The smallest assignment that AT&T will give you is a /29 block of 8 addresses of which 5 of them are usable.  The Subnet mask will be 255.255.255.248 (sorry if you wanted to keep that secret).  You need to know the block to set up your gateway properly.  

There are two ways to put the static subnet in your Gateway:

1) For the Gateway to handle the addresses for up to 5 devices itself

   1a) One (or all) of those 5 devices could be a router that does its own NAT.

2) For the Gateway to pass all the traffic for the entire static subnet to another router, who then needs to manage the entire block

Which of these you chose determines how you fill in the blanks on the Gateway.

Option #2

The public addresses do not go on the screen you've got there.  They go in the Home Network > Subnets and DHCP page.

Since you want a router to handle this whole block, the proper place is to NOT fill in the Public Subnet (leave Public Subnet mode off), but instead fill in the Cascaded Router section.  

I'm trying to word this as best I know how, because I had a long confusing conversation last month because I wasn't clear enough up front about what was going on.

1. Do you have computers/phones/clients that you want to use your dynamic public address via NAT from private addresses?
2. Will these be connecting to the Gateway or your own router?
3. Do you expect expect to have a mix of private and public addresses handled by the router that's going to be handling the public subnet?

Hello all, and to JefferMC, thanks for all of your guidance and assistance!

AT&T just installed 1G fiber and a BGW320-500 in our office. We are paying for 5 static IPs.

Rather than use Cascaded Router, I assigned one of the 5 static IPs to the WAN port of a Fortinet 60F firewall.  The LAN side of the Fortinet is 192.168.200.1.  This configuration is working as expected, except for a download speed issue, mentioned below.  PCs are assigned a private IP by the Fortinet and can access the Internet fine.

I have a VoIP server I would like to protect behind the Fortinet, but the server has to use of the 5 public, static IPs.  I could switch the AT&T BGW to Cascaded Router, or I could create a virtual IP on the Fortinet and port forward to the server's private address.

Question 1: From a performance perspective, which config do you think is better - Cascaded Router or port forwarding?

Question 2: If I connect my laptop directly to the BGW and use speedtest.net, I can get 900/900M.  If I connect the same laptop to the Fortinet, I get 450/900M.  Fortinet has reviewed the (very simple) firewall config in detail and cannot find anything that would affect the download speed (speed/duplex/MTU/etc.).  Do you have any experience with this?  I have seen recommendations to use fast.com (and increase the number of parallel connections) instead of speedtest.net to measure the speed, but is this really what's happening?  I'm still working with Fortinet support, but thought I'd pose the question here too.

I have seen similar reports of bandwidth loss at times when a router is installed behind a gateway.  You have to have fiber speeds for it to show up, and I don't, so I've never been able to investigate it.  I think it will take someone with a copy of Wireshark looking at the traffic between the two to figure it out (and even then...).  

It would be interesting to see if two different devices running a speedtest at the exact same time would have a combined speedtest of 450 or something higher, and also using Fast with multiple connections to see if that's any different.

Your issue with needing the public inside behind Gateway when the Gateway has itself been assigned a public was an issue that I was afraid you'd run into.  You could just connect the VOIP device directly to the Gateway and let it take its own IP, but that means you're limited to the Gateway's filtering capabilities in terms of a firewall.

I do not think the virtual IP address trick will work, unless the Fortinet will also provide a virtual MAC address to go with it.   While the BGW firmware could be different, the firmware for the older gateways required a 1:1 relationship between an IP address and a MAC address, i.e. a MAC address could not handle two IPs.  

Hi JefferMC,

Next time I'm onsite (4 hour drive) I'll test the Fortinet VIP behind the BGW. I did a test at home behind a cable modem and the VIP seemed to work OK.

I've been browsing the Fortinet forums and there are a few cases like mine... slow download speed on a fast fiber circuit (not necessarily AT&T).  In more than one case, placing a dumb gigabit switch between the fiber gateway and the Fortinet allowed the full download speed.  What do you think about that?

RE: the switch, I've seen stranger things.