
New Member
2 Messages
Palo Alto & ATT Residential Fiber
Aight folks,
Figured out a few things about AT&T Residential fiber which you may find interesting.
****IPv4 Configuration & Troubleshooting****
I have a PA440 in use where I have been allocated a /29 IP block from AT&T. I have configured the PA440 with an IP in this IP block and am able to get out to the Internet just fine. In an attempt to configure a NAT rule for other services within my home on the other IPs within my IP block, I have found that the AT&T gateway does not seem capable of allowing G-ARP, which would let the firewall proxy any connections to any other IP I have configured. For example, I attempted the following:
Let's say my IP block is 100.65.0.0/29 and AT&T GW is 100.65.0.6. I configure my PA440 UNTRUST interface as 100.65.0.1/29 then I configured my global NAT policy to NAT all outbound traffic as 100.65.0.2/29. I then have two services configured, two web servers, with an inbound NAT of 100.65.0.3 and 100.65.0.4 respectively.
I found this configuration does not work with the AT&T gateway; it seems to only send return traffic to whichever is the "latest" active IP to forward traffic through the gateway.
Fine, so that means I can't host some services like I want. I now go to configure everything with a single IP; my UNTRUST interface and my global NAT now share the same IP. Fine. Connectivity is fine outbound. I configure some PATs for specific ports such as 6000 or 6005. I find that some traffic seems to work on my custom PAT rules and some doesn't, almost like the traffic is asymmetric.
When looking at the gateway firewall logs, it seems that the traffic for my custom ports is being sent to the original IP AT&T provided me instead of my supplementary IP block.
Overall, it does not seem the gateway is intelligent enough to support G-ARP like in a normal network where a router is used.
****IPv6 Configuration & Troubleshooting****
I was able to find the link-local address of the AT&T GW in order to create my default IPv6 router as well as acquire the GUA prefix for IPv6. I have configured my UNTRUST interface within the prefix and can confirm I am able to at least ping sourcing from the UNTRUST interface of the PA440 outbound to Google, Cloudflare, and other external IPv6 services.
Now for NATv6. So I have configured NPTv6 which allows me to do a full address translation from my internal IPv6 subnet to the UNTRUST prefix configured on the UNTRUST interface. I can confirm I see the translations happening as expected.
Just as with IPv4, it seems the AT&T gateway is not capable of determining the source IPv6 address since the address is different from the UNTRUST interface IPv6.
****AT&T Technical Folks****
Is there a fix for this behavior or am I missing something?
JefferMC
ACE - Expert
31.4K Messages
1 year ago
I stopped reading after a couple of paragraphs, because I saw the hole you were walking into. With the AT&T Gateway you have two choices on how to implement the Static Public Subnet.
1) Give the entire block to a router behind the Gateway.
2) Keep the block on the Gateway's LAN.
If you do #1, then the router can manage the whole block however you want. Normally that router will have a WAN IP that is a private address on the Gateway's LAN. If you configure the router for IP Passthrough, then the WAN IP will be your Dynamic Public address. Either way, (assuming you configure your router to deal with the situation) the Static Subnet traffic will pass through the Gateway to and from the router without any NAT/PAT or other interference.
If you do #2, then you can assign up to 5 different MACs to have a different one of the public static IP addresses; the Gateway manages the router address. The Gateway cannot handle a MAC having more than one IP in this configuration. This is what you are trying to do and it won't work.
You might be able to get #1 to get close to what you want, either with or without IP Passthrough.
RE your IPv6 questions, I didn't follow your issue as I am waiting for the IPv6 to become passé on the Internet before trying to live it.
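To make the two options concrete, here is an added model (not code from either poster, AT&T, or Palo Alto) of how the gateway delivers inbound traffic in each mode. The "Additional Network" class binds one public IP per LAN MAC and replaces that binding with the latest source address it forwards, which reproduces the "latest active IP" behaviour the original post observed; the "Cascaded Router" class routes the whole block to one LAN device that owns every address. The block and gateway address are the ones used in the thread; the MAC and the five-MAC limit come from JefferMC's description, and the replay order in `simulate` is a constructed scenario.

```python
"""Model of a static /29 behind an AT&T residential gateway (added example).

Two gateway behaviours are modelled:
  - AdditionalNetworkGateway: option #2, public block on the gateway LAN,
    one public IP bound per MAC, at most max_macs MACs.
  - CascadedRouterGateway: option #1, whole block routed to one LAN router.
All addresses and MACs here are constructed for illustration.
"""
from ipaddress import IPv4Address, IPv4Network

BLOCK = IPv4Network("100.65.0.0/29")      # example block from the thread
GATEWAY = IPv4Address("100.65.0.6")       # gateway's own address in the block
FW_MAC = "aa:bb:cc:00:00:01"              # constructed: firewall UNTRUST MAC


class AdditionalNetworkGateway:
    """Option #2: the gateway keeps the block on its LAN, one IP per MAC."""

    def __init__(self, block, gateway_ip, max_macs=5):
        self.block = block
        self.gateway_ip = gateway_ip
        self.max_macs = max_macs
        self.ip_of_mac = {}   # MAC -> the single public IP currently bound to it

    def outbound(self, src_ip, src_mac):
        """Learn (MAC, IP) from forwarded traffic; a newer IP on the same MAC
        replaces the earlier binding, so a firewall answering for several block
        addresses on one interface keeps only the most recent one."""
        if src_ip not in self.block or src_ip == self.gateway_ip:
            raise ValueError(f"{src_ip} is not a usable address in {self.block}")
        if src_mac not in self.ip_of_mac and len(self.ip_of_mac) >= self.max_macs:
            raise ValueError(f"gateway binds at most {self.max_macs} MACs")
        self.ip_of_mac[src_mac] = src_ip

    def inbound(self, dst_ip):
        """MAC the gateway delivers dst_ip to, or None if nothing is bound."""
        for mac, ip in self.ip_of_mac.items():
            if ip == dst_ip:
                return mac
        return None


class CascadedRouterGateway:
    """Option #1: the whole block is routed to one LAN device (the firewall),
    which then owns every address and can NAT on any of them."""

    def __init__(self, block, router_mac):
        self.block = block
        self.router_mac = router_mac

    def outbound(self, src_ip, src_mac):
        # Nothing to learn: the route to the block is static, not per-address.
        if src_ip not in self.block:
            raise ValueError(f"{src_ip} is outside the routed block {self.block}")

    def inbound(self, dst_ip):
        return self.router_mac if dst_ip in self.block else None


def simulate(gateway):
    """Replay the original poster's plan on a single firewall MAC: interface .1,
    global source NAT .2, inbound DNAT on .3 and .4. The firewall first sends
    from .1 (e.g. a ping from the interface), then user traffic from .2.
    Returns the public addresses the gateway still delivers inbound afterwards."""
    gateway.outbound(IPv4Address("100.65.0.1"), FW_MAC)
    gateway.outbound(IPv4Address("100.65.0.2"), FW_MAC)
    wanted = ["100.65.0.1", "100.65.0.2", "100.65.0.3", "100.65.0.4"]
    return {ip for ip in wanted if gateway.inbound(IPv4Address(ip)) == FW_MAC}


if __name__ == "__main__":
    print("Additional Network:", sorted(simulate(AdditionalNetworkGateway(BLOCK, GATEWAY))))
    print("Cascaded Router:   ", sorted(simulate(CascadedRouterGateway(BLOCK, FW_MAC))))
```

In the Additional Network model only 100.65.0.2 survives: the interface address is overwritten as soon as NAT traffic leaves from .2, and the DNAT addresses .3 and .4 never get a binding at all, which matches the asymmetric behaviour described above. In the Cascaded Router model all four are reachable because the gateway forwards the whole block to the firewall regardless of which address was last seen.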
cbsr00
New Member
2 Messages
1 year ago
Thanks for your reply.
I believe I follow what you are saying for option #1.
Under the Supplementary Network, there is an option to add a cascade router, which allows me to specify the network address and subnet mask. It then has a sub-option to select the router or enter an IP address.
I am going to assume the IP address it will want me to input is the private LAN side IP address the AT&T GW is configured with for its LAN ports.
I've added a pic here
JefferMC
ACE - Expert
31.4K Messages
1 year ago
Oh, yeah, 5268AC. "None" is for no Public Static Block. "Add Additional Network" is #2 above. #1 is "Add Cascaded Router".
I'm not sure that the 5268AC lets you do Cascaded Router to the DMZplus address (as the BGWs let you do it to the IP Passthrough by using 0.0.0.0 as the IP address). You should be able to select your router in the dropdown, or key in its IP on the 5268AC's LAN.