MagicCarpet's profile

3 Messages

Tuesday, May 14th, 2024 12:33 AM

Firewall security for LAN ports when Gateway is in passthrough mode?

Context: I just got AT&T fiber service installed with a BGW320-505 Gateway. I want to use my eero Pro 6E mesh with the ATT gateway in IP Passthrough mode. On the gateway I have 3 eeros connected via ethernet backhaul. On the Gateway's 4th ethernet port I have a switch that connects security cameras and two TVs.

Questions: Will the wired devices on port 4 of the gateway be without firewall protection if I set up the gateway in passthrough mode? Also, how will they get a local IP assigned if they are upstream of the eeros?

Accepted Solution

ACE - Expert


35.9K Messages

1 month ago

All the devices wired to the Gateway or connected wirelessly have the same protection, which is basically the protection afforded by a NAT gateway. Since you have only one IPv4 for your entire household, traffic can only reach a device in your home if the Gateway chooses a device to send it to. Normally, the Gateway tracks your outbound sessions in a NAT table and recognizes return traffic and allows it to return to the device that made the request. To set up a server in your home, you could do something called "Port Forwarding", which tells the Gateway where to send incoming traffic for specific ports. Normally, all traffic that reaches your gateway that doesn't match an existing session and doesn't match a port forwarding rule will be dropped. That's your firewall protection.

If you turn on IP Passthrough, then one device is selected as the IP Passthrough device and all of that "unsolicited" traffic will be sent to it instead of dropped.  So that device no longer has the firewall protection of a NAT Gateway.  However, all the other devices in your network have exactly the same protection that they did before... the traffic will not come to them.  So, your router will normally also act as a NAT router, and will perform the same session tracking (which, incidentally, the Gateway will still do for traffic from the IP Passthrough device, but won't have to actually do NAT, which means no double-NAT) and can have port forwarding set up as desired.

Often, if one is setting up a router behind the Gateway, they would not want to hardwire other devices to the Gateway, but instead would want to put them behind the router.  It depends on your devices and what you'll be doing with them.

(edited)
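The inbound decision described in the accepted answer above, as a simplified Python model (an added example, not part of the original posts and not the gateway's actual firmware logic). The `Gateway` class, addresses and ports are constructed for illustration, and matching return traffic on the exact remote address and port is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Gateway:
    passthrough_host: Optional[str] = None   # IP Passthrough target, or None
    # (proto, wan_port) -> (lan_host, lan_port)
    port_forwards: dict = field(default_factory=dict)
    # (proto, wan_port, remote) -> (lan_host, lan_port)
    sessions: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, lan_host, lan_port, proto, remote):
        """A NATed LAN device opens a connection; record it in the NAT table."""
        wan_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, wan_port, remote)] = (lan_host, lan_port)
        return wan_port

    def inbound(self, proto, wan_port, remote):
        """Decide where a packet arriving on the WAN side goes."""
        key = (proto, wan_port, remote)
        if key in self.sessions:                      # return traffic
            return ("session",) + self.sessions[key]
        if (proto, wan_port) in self.port_forwards:   # explicit rule
            return ("forward",) + self.port_forwards[(proto, wan_port)]
        if self.passthrough_host is not None:         # unsolicited, passthrough on
            return ("passthrough", self.passthrough_host, wan_port)
        return ("drop", None, None)                   # unsolicited, passthrough off

def demo():
    camera = "192.168.1.70"            # constructed: device wired to the Gateway
    router = "192.168.1.64"            # constructed: IP Passthrough target
    server = ("203.0.113.5", 443)      # constructed: host the camera contacts
    probe = ("198.51.100.7", 51000)    # constructed: unsolicited remote
    results = {}
    for mode, host in (("nat_only", None), ("passthrough", router)):
        gw = Gateway(passthrough_host=host)
        wan_port = gw.outbound(camera, 50123, "tcp", server)
        results[mode] = {
            "reply_to_camera": gw.inbound("tcp", wan_port, server),
            "unsolicited": gw.inbound("tcp", 554, probe),
        }
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In both modes the camera only ever receives replies to sessions it opened; enabling passthrough changes the fate of unsolicited traffic from dropped to delivered to the passthrough device, which must then filter it itself.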

ACE - Expert


35.9K Messages

1 month ago

When you put the Gateway in IP Passthrough mode, all unsolicited traffic is forwarded to the device that is the target of IP Passthrough mode; it essentially has almost no firewall protection and will have to provide its own.  All other devices have exactly the same amount of firewall protection that they had without IP Passthrough enabled.

As far as IPv4, that's a pretty good amount of protection. For IPv6, you should review what the advanced firewall settings are and the packet filtering.

3 Messages

1 month ago

Thanks @JefferMC  for the fast answer.  I want to make sure I understand your comment.   If I follow the passthrough settings from ATT, then I am turning off all of the firewall settings on the gateway.  In that case, how will the devices wired to the gateway get firewall protection?

3 Messages

1 month ago

Thanks for the detailed description of how passthrough works with the NAT service.
