
New Member
•
4 Messages
Cascade Instructions (LAN to WAN) for AT&T Fiber BGW320-505 To Second Router With Public Static IP Block
I'd like to cascade the BGW320 into my other router that's set up behind it, including managing a block of public static IPs I got. My understanding of what I'm trying to accomplish is to make the BGW320 as hands-off as possible so that the UDMP can manage the firewall and all traffic. I can find instructions for IP passthrough and other bits and pieces of things I need to consider. But I think the public static IP block adds a layer of complication. I've read that I should NOT do IP Passthrough and instead do the cascading thing. Again, I'm not sure and nothing walks me through the entire process that I can follow. I'm new to this stuff and I'm hoping someone can dumb it down enough for me to understand.
Here's what my setup looks like right now:
AT&T Fiber Internet --> BGW320-505 --> Unifi Dream Machine Pro (UDMP) <-- All other devices
- Nothing else is connected to the BGW320 aside from the UDMP (LAN to WAN). That is, an RJ-45 cable is plugged into one of the BGW320's ethernet ports, and the other end is plugged into the "internet" port of the UDMP.
- The only adjustment I made so far is to disable the BGW320 wifi so as to not interfere with the UDMP wifi access points.
- As mentioned, I bought a block of 5 usable static public IPs from AT&T. But I'm not sure how to utilize these. The info the AT&T tech provided looks like:
  - Gateway IP XX.XX.XX.206
  - Subnet Mask XXX.XXX.XXX.XXX
  - IP Range XX.XX.XX.201 --> XX.XX.XX.205
If your network is working fine why do you want to do any of this?
I'm going down this road because I was trying to set up a Plex server. I ran into a "double NAT" issue and nobody outside my home network can access my Plex server. I think the double NAT issue will be resolved by cascading the routers.
Why did you buy public static IPs?
Also because of the Plex server. I thought these were needed to facilitate connecting to the server and that one of these static IPs would be assigned to it. Clearly I'm confused about this. I got it in my head that the UDMP would get one of the public static IPs and then the Plex server gets another one? Or maybe I'm supposed to assign static public IPs to all three devices in question (BGW320, UDMP, Plex server)? I'm really not sure. Currently the Plex server is connected to the UDMP like any other device.
What is your Plex server?
I bought a Synology DS920+ NAS. It has a built in OS that can install Plex onto itself. Setting up the hardware was fairly easy. And like I said, devices within my network have no problems streaming from the Plex server right now. External connections -- say, a friend with the Plex app on their TV -- can see my Plex libraries on their side but cannot stream anything. Ultimately this is what I'm hoping to resolve.
Thanks in advance for any help offered. Let me know if there's any other info or screenshots or pictures I can provide. I'm outside my comfort zone here but am very excited to learn how to do all this.
PCE
New Member
•
8 Messages
2 years ago
I got the static for my wife working from home. Thought it would be more stable with her VPN.
PCE
New Member
•
8 Messages
2 years ago
Also these Xboxes keep having issues with the double NAT.
JefferMC
ACE - Expert
•
33.1K Messages
2 years ago
Okay, @PCE, so you have multiple XBOXes (but fewer than 5) that you want to all be on the network at the same time, correct? You want all these XBOXes to connect to your router (not the Gateway)? What other devices do you need to connect to the router (and work)?
Are you willing to consider connecting the XBOXes directly to the Gateway instead of your router? Perhaps by Ethernet?
EDIT: how does your wife use VPN? Does she connect a client from her PC to a VPN server somewhere else?
(edited)
PCE
New Member
•
8 Messages
2 years ago
Client to VPN somewhere. It’s for Apple. I have 4 routers. My first is AT&T BGW320-505, then AX11000, then one in AP mode, and one in media mode. The last two go through the AX11000. I have 67 devices. I need the internet to pass through AT&T to the AX11000. I have a static. Also two switches. A lot of hard wiring.
JefferMC
ACE - Expert
•
33.1K Messages
2 years ago
@PCE there are basically two different ways to set up a public static block, and the questions I'm asking are intended to try to figure out which one of these two will suit you best. In a nutshell:
1) The Gateway can have 5 different MAC addresses assigned to the 5 different public static IP addresses and handle them for you. This would take care of your multiple XBOXen wanting to play simultaneously on public static addresses. Your router can take care of everything else via NAT.
2) The Gateway can be set to expect that another router that is directly connected to it will handle the 5 public static addresses. That router will own the router address for the public static block. The problem here is that most routers cannot do this and do what most people expect that a router behind the gateway will do, i.e. perform NAT for a bunch of random devices. So you'd need two routers, one to handle the XBOX and their public static, and the other router in IP Passthrough mode to handle all your other Internet requirements.
The switches, the Access Points, and even the Media Bridge are not all that important to the conversation at this point: they're all operating as layer 2 devices just getting the IP traffic to the endpoints after it's been routed.
PCE
New Member
•
8 Messages
2 years ago
I’m trying to achieve #2.
PCE
New Member
•
8 Messages
2 years ago
I really appreciate your help and time.
JefferMC
ACE - Expert
•
33.1K Messages
2 years ago
Okay, your ASUS router is a fancy and powerful home router. However, the UI won't give you the capability (at least that I know of) to simultaneously be able to do NAT for some clients (most of your devices) and not for others (your XBOXes and your PC running the VPN client). It's probably possible to do with some poking under the hood, given the architecture, but I'm going to have to beg off on how you would do so. Maybe someone at the Small Network Builders forum (https://www.snbforums.com/) can help there.
If you had two of these, then you could dedicate one to the Xboxes to handle the public static subnet (which is Cascaded Router), and the other could use the public dynamic address and do NAT for your other traffic (which is a normal, basic IP Passthrough configuration). If you really want the VPN client to have the public static, then it would have to be attached to the XBOXes' router.
(edited)
OlORBity
New Member
•
1 Message
2 years ago
@JefferMC I truly appreciate your thoroughness here. I'm interested in using the second option you described for PCE - it seems like that would be the "cascaded router (CR from here on out)" option.
If it is, could you point me to documentation that details how it works generally and how to implement it on the BGW320-500? I actually enjoy the RTFM and can't find anything that resembles a thorough admin guide. Else, any knowledge you can unload would be appreciated... From what I gathered, CR seems like it's merely pointing routes to the gateway defined but because I don't understand what's fundamentally happening I'm wary of implementing it. And it leads to more questions like: why the sparse instructions indicate that it'd prefer I specify a default route if using passthrough mode or... how does it interact with passthrough mode? Is an RFC1918 address space required in the CR config? Could I simply assign the public address space to the firewalls behind the BGW320?
As for environment details: I have a couple of enterprise-grade firewalls that I'd prefer own the static block I purchased and host several environments behind them. So they're equipped to handle janky NATs and then some.
JefferMC
ACE - Expert
•
33.1K Messages
2 years ago
Manual? Manual? We don't need to give the customers no stinkin' manual.
Setting up Cascaded Router causes the Gateway to set up a static route to the local IP given for all traffic to the public static block. All traffic that comes in gets forwarded to that local address. And, of course, all traffic from there gets sent to the Internet without NAT. Filtering rules and flags still apply. The Gateway is still a hop, but a very unobtrusive hop. The customer router then has a "regular LAN" IP address from the Gateway as its WAN IP and needs to adopt the router address of the public static subnet as its LAN IP. It can either give out the 5 IPs via DHCP or you can statically assign them as you desire.
It is possible in the Gateway to use the IP Passthrough router as the Cascaded Router as well; you just specify 0.0.0.0 as the address of the Cascaded Router. However, most consumer routers have no idea how to deal with this situation. If you're using something like ASUSWRT-Merlin and can do addons behind the scenes, it should be possible. But you have to convince it to handle both a private subnet and provide NAT for it, and handle the public subnet and not provide NAT for it (which is exactly what the Gateway does in the non-cascaded router configuration). The customer router GUIs do not contemplate such a thing.
(edited)
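The Cascaded Router addressing described in the reply above, worked through as an added example; it is not part of the thread and is not AT&T's or any router vendor's code. The documentation range 203.0.113.200/29 stands in for the masked block, 192.168.1.0/24 and 192.168.50.0/24 are assumed Gateway-LAN and private-LAN subnets, and all function names are hypothetical. `egress_action` goes one step beyond the basic case and models a single router serving both subnets.

```python
import ipaddress

def derive_block(router_ip, first_host, last_host):
    """Smallest subnet in which the router address and host range are all usable."""
    addrs = [ipaddress.ip_address(a) for a in (router_ip, first_host, last_host)]
    for prefix in range(30, 7, -1):
        net = ipaddress.ip_network(f"{addrs[0]}/{prefix}", strict=False)
        reserved = (net.network_address, net.broadcast_address)
        if all(a in net and a not in reserved for a in addrs):
            return net
    raise ValueError("addresses do not share a subnet")

def cascade_plan(block, router_ip, router_wan_ip, gateway_lan):
    """Addressing for Cascaded Router mode as the thread describes it."""
    router_ip = ipaddress.ip_address(router_ip)
    wan_ip = ipaddress.ip_address(router_wan_ip)
    if wan_ip not in ipaddress.ip_network(gateway_lan):
        raise ValueError("router WAN IP must be a regular LAN address from the Gateway")
    if router_ip not in block:
        raise ValueError("router address is outside the public static block")
    return {
        # Gateway side: static route for the whole block via the router's WAN IP.
        "gateway_static_route": (block, wan_ip),
        # Router side: LAN interface adopts the block's router address.
        "router_lan_ip": router_ip,
        # Left over for devices, handed out by DHCP or assigned statically.
        "assignable": [h for h in block.hosts() if h != router_ip],
    }

def egress_action(src, block, private_lan):
    """What a router serving both subnets does with outbound traffic from src."""
    src = ipaddress.ip_address(src)
    if src in block:
        return "route"        # public static source: forwarded without NAT
    if src in ipaddress.ip_network(private_lan):
        return "masquerade"   # private source: NAT behind the router's WAN IP
    return "drop"             # assumption: unknown sources are not forwarded

# Constructed sample values (documentation and private ranges, not real assignments).
BLOCK = derive_block("203.0.113.206", "203.0.113.201", "203.0.113.205")
PLAN = cascade_plan(BLOCK, "203.0.113.206", "192.168.1.64", "192.168.1.0/24")

if __name__ == "__main__":
    print("block:", BLOCK)
    print("gateway route: %s via %s" % PLAN["gateway_static_route"])
    print("assignable:", ", ".join(map(str, PLAN["assignable"])))
```

Devices given an address from the block receive inbound traffic without NAT in front of them, so the filtering rules on the customer router and the Gateway are what stand between them and the Internet.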