
Contributor
•
3 Messages
Pace 5268AC DMZ+ to Netgear R7000 WAN DHCP lease
I've only been a Gigapower user for about 2 weeks now, but I've already experimented with quite a few different configurations for my home network.
I'm finding that I get the best throughput on both wired and wireless by using the Pace 5268AC in DMZ+ mode, and using my existing Netgear R7000 as my router.
The one "problem" I've found in this configuration is that the WAN DHCP lease on my R7000 is only a 10 minute lease, and the R7000 renews it every 5 minutes.
This alone shouldn't be a problem, but something else appears to be happening at exactly the same time.
I'm not sure which is cause and which is effect, but the R7000 is seeing internet disconnected at the same time as the DHCP renewal, and the 5268AC is showing the firewall unconfigure DMZ+ on the device. The R7000 immediately reconnects, and the 5268AC immediately reconfigures the firewall for DMZ+, but it seems that this event is disruptive enough to cause problems for some continuous streams. It also causes a LOT of noise in the logs of both devices. It wouldn't be so terrible except that it happens every 5 minutes.
Questions:
- Is the 10 minute lease the normal DHCP lease time for gigapower public ips?
- Is anybody else seeing this same behavior with the R7000 or other routers behind the 5268AC in DMZ+ mode?
- Is my public address really dynamic, or is it actually statically assigned to me, handed out by dhcp? Would reconfiguring my R7000 for static IP cause problems? (This is actually what I've done for my current testing, and it seems much more stable, but I'm worried AT&T's dhcp server will expire my lease at some point)
Thanks in advance for any assistance,
Al
ApexRon
Professor
•
2.2K Messages
6 years ago
@albamd
Though I don't have gigapower I had the exact same problem with an Apple Airport Extreme. I now cascade the router off of the 5268ac and am very pleased with network performance, especially after I disabled IPv6 on 5268ac. Since I am in NC as well, could it be a local problem?
@ATTDSLCare @ATTHelpForums
albamd
Contributor
•
3 Messages
6 years ago
Thanks for the comment. Which symptoms did you experience? The 5min lease time, and network disconnects/drops while in DMZ+ mode?
acronce
Contributor
•
3 Messages
6 years ago
I just got gigapower and have set up the same configuration, except with a Soekris based monowall firewall. First I noticed that there were lots of link up/link down events in the Pace router log. Then I looked at the monowall log and saw that the Pace router is providing very short DHCP leases (4 to 5 minutes). The expiration of the lease correlates with the link up/link down events on the Pace side.
It's pretty silly for the Pace router to provide such a short lease period. The general DHCP lease period setting for the internal network is set to 24 hours. I can't find a setting for DMZ+ mode DHCP clients.
In case it's relevant, I changed my private DHCP LAN range due to a conflict with the default 192.168.1.x LAN.
I have not explored the cascade option because it wasn't clear what that does. My current DMZ+ configuration makes sense to me (given that there's no real bridge mode option). But having the firewall's link reset every 5 minutes is not good.
Anyone have a solution?
albamd
Contributor
•
3 Messages
6 years ago
The 10-minute DHCP lease (which means renewal after 5min) comes from AT&T's upstream servers, so that's not something that you have any control over, or can configure anywhere.
It seems like their servers are doing something odd and unique which does not fully comply with the RFC standards for DHCP, and many off-the-shelf consumer firewalls have a problem with it.
I switched my Netgear R7000 router's firmware from the stock Netgear firmware to XWRT-VORTEX, ASUSWRT-MERLIN for non-asus routers.
Since changing the firmware of my router (all other settings on AT&T's gateway the same) the problem has gone away.
I still see the status check in the gateway logs "host blahblahblah is up" every 5 minutes, but I no longer see the DMZ+ firewall reconfiguration, and I no longer see the link on my router dropping and re-establishing, so something in the DHCP client used by the Merlin firmware makes AT&T's DHCP servers happy.
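As an added example (not part of any post in this thread, and not output from either device): a short Python script that checks the correlation the posters describe, link drops landing on DHCP renewals, and whether renewals fall at half the lease time (the RFC 2131 default T1). The log format, event names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample in a hypothetical log format (not real device output).
SAMPLE_LOG = """\
2016-03-01 10:00:02 wan dhcp-renew lease=600
2016-03-01 10:00:03 wan link-down
2016-03-01 10:00:05 wan link-up
2016-03-01 10:05:02 wan dhcp-renew lease=600
2016-03-01 10:05:03 wan link-down
2016-03-01 10:05:06 wan link-up
2016-03-01 10:07:40 wan link-down
2016-03-01 10:07:41 wan link-up
2016-03-01 10:10:02 wan dhcp-renew lease=600
2016-03-01 10:10:04 wan link-down
"""

def parse(log):
    """Return a list of (timestamp, event, lease_seconds or None)."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        lease = next((int(p[6:]) for p in parts[4:] if p.startswith("lease=")), None)
        events.append((ts, parts[3], lease))
    return events

def correlate(events, window=timedelta(seconds=5)):
    """Match each link-down to a DHCP renewal within `window` of it."""
    renews = [ts for ts, ev, _ in events if ev == "dhcp-renew"]
    downs = [ts for ts, ev, _ in events if ev == "link-down"]
    leases = [l for _, ev, l in events if ev == "dhcp-renew" and l]
    unexplained = [d for d in downs
                   if not any(abs(d - r) <= window for r in renews)]
    gaps = [(b - a).total_seconds() for a, b in zip(renews, renews[1:])]
    period = median(gaps) if gaps else None
    return {
        "link_downs": len(downs),
        "downs_at_renewal": len(downs) - len(unexplained),
        "unexplained_downs": unexplained,
        "renew_period_s": period,
        # RFC 2131 default: the client renews at T1 = 0.5 * lease time.
        "renews_at_half_lease": bool(leases) and period == 0.5 * median(leases),
    }

if __name__ == "__main__":
    print(correlate(parse(SAMPLE_LOG)))
```

Link drops listed under `unexplained_downs` did not fall near a renewal and point to a different cause than the lease cycle.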
ApexRon
Professor
•
2.2K Messages
6 years ago
@albamd
When I put my router in the DMZ I had the same experience as @acronce namely up/down events in log.
acronce
Contributor
•
3 Messages
6 years ago
I've tried going the "Cascaded Router" route to avoid the link flapping, following this link:
https://forums.att.com/t5/AT-T-Internet-Equipment/Setup-Static-IP-s-Router-behind-RG-5031NV/td-p/3693517#M16064
But I keep getting a "The configured Cascaded Router is not valid" error trying to enter the public IP address and mask. It's not very helpful because there are several options and it's not telling me which one is wrong.
I've tried a couple of external IPs for the Network Address (using the same known subnet mask). And I've tried both selecting the router from the list obtained via DHCP and statically setting the router's internal IP address from the fixed range.
Any thoughts?
ApexRon
Professor
•
2.2K Messages
6 years ago
@acronce
The 5268ac does not behave in the same manner as the R/G mentioned in the link that you quoted. With a subscribed static, public IP address your only option is to use DMZ for your router.
However, at this point I am confused as to whether or not you are trying to use a static IP address from AT&T or not. At this point, I would factory reset your Soekris and try implementing as a cascaded router again. Additionally, state specific information about your Soekris so I can research.
acronce
Contributor
•
3 Messages
6 years ago
@ApexRon
Thanks for getting back to me. But resetting my Soekris is really not an option. I've got a lot of time invested configuring this box. Besides, doing a factory reset won't affect any of the link level settings.
Regarding the Cascading Router approach, I think that I just didn't understand how that worked. It sounds like the only way to get that to work is to already have one or more static IP addresses. I was trying to use the WAN IP address of the router itself. I don't have a pool of fixed addresses with my current service.
At this stage I think that I might simply swap out my Soekris and see if the link level issue persists. The issue there is that my Soekris net6501-70 tops out at just under 500gbs. Searching online indicates that this box simply cannot reach full gigabit speeds. I'm not interested in losing nearly 40% of the bandwidth to the firewall.
So I'll try moving to a higher power box (probably running pfSense since M0n0wall is defunct). If the problem goes away, then great.
If the problem persists, then probably my only choice will be to get some fixed IPs and try to get the Cascading Router approach to work. Since I've spent several hours on the phone with tech support, including their higher end "ConnectTect" personnel, and no one knew what I was talking about or had any understanding of the problem, I'll probably just hit up sales and try to convince them to give me the IP address. I don't want to pay for it if the only reason to do so is to work around their router bugs.