Palo Alto & AT&T Residential Fiber
Figured out a few things about AT&T Residential fiber which you may find interesting.
**IPv4 Configuration & Troubleshooting**
I have a PA440 in use, where I have been allocated a /29 IP block from AT&T. I have configured the PA440 with an IP in this block and am able to get out to the Internet just fine. In an attempt to configure a NAT rule for other services within my home on the other IPs within my block, I have found that the AT&T gateway does not seem capable of allowing G-ARP, which would let the firewall proxy any connections to any other IP I have configured. For example, I attempted the following:
Let's say my IP block is 100.65.0.0/29 and the AT&T GW is 100.65.0.6. I configure my PA440 UNTRUST interface as 100.65.0.1/29, then I configure my global NAT policy to NAT all outbound traffic as 100.65.0.2/29. I then have two services configured, two web servers, with inbound NATs of 100.65.0.3 and 100.65.0.4 respectively.
I found this configuration does not work with the AT&T gateway; it seems to only send return traffic to whichever is the "latest" active IP to forward traffic through the gateway.
Fine, so that means I can't host some services like I want. I now go and configure everything with a single IP; my UNTRUST interface and my global NAT now share the same IP. Fine. Connectivity is fine outbound. I configure some PATs for specific ports such as 6000 or 6005. I find that some traffic seems to work on my custom PAT rules and some doesn't, almost like the traffic is asymmetric.
When looking at the gateway firewall logs, it seems that the traffic for my custom ports is being sent to the original IP AT&T provided me instead of my supplemental IP block.
Overall, it does not seem the gateway is intelligent enough to support G-ARP like in a normal network where a router is used.
**IPv6 Configuration & Troubleshooting**
I was able to find the link-local address of the AT&T GW in order to create my default IPv6 router, as well as acquire the GUA prefix for IPv6. I have configured my UNTRUST interface within the prefix and can confirm I am at least able to ping, sourcing from the UNTRUST interface of the PA440, outbound to Google, Cloudflare, and other external IPv6 services.
Now for NATv6. I have configured NPTv6, which allows me to do a full address translation from my internal IPv6 subnet to the UNTRUST prefix configured on the UNTRUST interface. I can confirm I see the translations happening as expected.
Just as with IPv4, it seems the AT&T gateway is not capable of determining the source IPv6 address, since the address is different from the UNTRUST interface IPv6.
**AT&T Technical Folks**
Is there a fix for this behavior or am I missing something?
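The IPv4 symptom above (return traffic only reaching the "latest" active address in the block) can be checked without the PA440 in the path, which separates a gateway limitation from a NAT policy mistake. The script below is an added example, not code from the post or from Palo Alto Networks. It assumes a Linux host on the LAN side of the AT&T gateway with every address of the /29 except the gateway's configured as a secondary address on one interface (`ip addr add 100.65.0.3/29 dev eth0` and so on), and it assumes `TARGET` is any plain-HTTP responder on the Internet; the block and gateway addresses are the post's illustrative ones. Phase 1 completes a TCP handshake from each source address and keeps every session open; phase 2 then sends a request on each live session and records which ones still get a reply. A gateway that only forwards for the most recently seen address answers the last source only.

```python
"""Probe which addresses of a public block the upstream gateway really forwards
return traffic for. Added example; see the lead-in for the assumed setup."""
import ipaddress
import socket

BLOCK = "100.65.0.0/29"        # illustrative block from the post
GATEWAY = "100.65.0.6"         # illustrative gateway address from the post
TARGET = ("example.com", 80)   # assumption: any reachable plain-HTTP responder


def candidate_sources(block: str, gateway: str) -> list[str]:
    """All host addresses of the block except the gateway's own, in order."""
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gateway} is not inside {block}")
    return [str(a) for a in net.hosts() if a != gw]


def probe_concurrent(sources, target=TARGET, timeout=5.0):
    """Return {source_ip: 'ok' | 'no-reply' | 'connect-failed'}."""
    socks = {}
    results = {}
    # Phase 1: complete a TCP handshake from every source address and keep
    # each session open, so all addresses are "active" at the same time.
    for ip in sources:
        try:
            socks[ip] = socket.create_connection(
                target, timeout=timeout, source_address=(ip, 0))
        except OSError:
            results[ip] = "connect-failed"
    # Phase 2: with every session live, see which still receive return traffic.
    request = f"HEAD / HTTP/1.0\r\nHost: {target[0]}\r\n\r\n".encode()
    for ip, s in socks.items():
        try:
            s.sendall(request)
            results[ip] = "ok" if s.recv(64) else "no-reply"
        except OSError:
            results[ip] = "no-reply"
        finally:
            s.close()
    return results


def classify(sources, results) -> str:
    """Summarise one run against the outcomes worth telling apart."""
    if not sources:
        return "nothing-probed"
    ok = [ip for ip in sources if results.get(ip) == "ok"]
    if len(ok) == len(sources):
        return "all-forwarded"        # every address works: gateway is fine
    if not ok:
        return "none-forwarded"       # test setup problem, not the gateway
    if ok == [sources[-1]]:
        return "last-address-only"    # matches the behaviour described in the post
    return "mixed"


if __name__ == "__main__":
    srcs = candidate_sources(BLOCK, GATEWAY)
    res = probe_concurrent(srcs)
    for ip in srcs:
        print(f"{ip:>15}  {res[ip]}")
    print("verdict:", classify(srcs, res))
```

Run it twice with the source list reversed (pass `srcs[::-1]` to `probe_concurrent` and `classify`); if the single working address follows the probe order rather than staying fixed, the gateway is keying on the most recent sender, not on a particular configured address.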