ATTHelpForums's profile
Community Support

 • 

2.7K Messages

Friday, October 20th, 2017 5:34 PM

Closed

Bridge-mode vs IP Pass-through - Info from the AT&T Community

Learn how to set up your own router

 

The Arris BGW210-700/BGW320 is an advanced residential gateway that supports VoIP, IPv6, video delivery, security firewall, and extensive remote management features.

 

The BGW210-700 Broadband Gateway delivers robust video, primary line telephony, and high-speed data over broadband networks via high-speed Internet connectivity.

 

The four Gigabit Ethernet ports can be separated into different services allowing the configuration of dedicated ports for data. It is designed for advanced DSL network service deployments and supports Quality of Service (QoS) and IP Passthrough.

Heads up: MAC Filtering has been disabled on the 5268AC. If you are in need of a modem that requires MAC Filtering, please reach out to us in the AT&T Community

 

Determining the Business Need

You may need your gateway configured or placed into a Bridged Mode. The internet architecture does not allow for bridge mode, but you can set up IP Passthrough, which should allow for most of the same things.

 

IP Passthrough means the AT&T supported CPE device terminates the DSL, authenticates with the network (receives a WAN IP) and shares that IP address with a single device connected to the AT&T supported CPE equipment. This configuration is often suitable for a business customer desiring to connect third party equipment to AT&T supported equipment. The IP Passthrough configuration still allows AT&T support groups to access the AT&T supported equipment while allowing end-users to connect third party equipment in a configuration they desire. The IP Passthrough configuration will only allow one connection to AT&T supported equipment to be "unfiltered" or pingable from the WAN or internet side of the AT&T equipment (does not support multiple pingable connections).

 

The IP Passthrough feature allows a single PC on the LAN to have the AT&T Gateway's public address assigned to it. It also provides port address translation (PAT) or network address and port translation (NAPT) via the same public IP address for all other hosts on the private LAN subnet.

Using IP Passthrough, the public WAN IP is used to provide IP address translation for private LAN computers. The public WAN IP is assigned and reused on a LAN computer.

 

Note: Remember to make a copy of all current IP settings before proceeding.

 

Configuring IP Passthrough

Run your Web browser application, such as Firefox and Chrome, from the computer connected to the Arris BGW210-700 and BGW320. 

  • Enter http://192.168.1.254 in the Location text box. 

  • Click the IP Passthrough tab and configure your settings. 

Dynamic host configuration protocol (DHCP) address serving can automatically serve the WAN IP address to a LAN computer.

 

When DHCP is used for addressing the designated IP Passthrough computer, the acquired or configured WAN address is passed to DHCP, which will dynamically configure a single servable address subnet, and reserve the address for the configured PC's MAC address. This dynamic subnet configuration is based on the local and remote WAN address and subnet mask.

 

  • The two DHCP modes assign the needed WAN IP information to the client automatically.

    • You can select the MAC address of the computer you want to be the IP Passthrough client with fixed mode or with first-come-first-served dynamic. The first client to renew its address will be assigned the WAN IP.

     

  • Manual mode is like statically configuring your connected computer. With Manual mode, you configure the TCP/IP Properties of the LAN client computer you want to be the IP Passthrough client. You then manually enter the WAN IP address, gateway address, and so on that matches the WAN IP address information of your AT&T device. This mode works the same as the DHCP modes. Unsolicited WAN traffic will get passed to this client. The client is still able to access the AT&T BGW210 device and other LAN clients on the 192.168.1.x network.

  • DHCP Lease: By default, the IP Passthrough host's DHCP leases will be shortened to two minutes. This allows for timely updates of the host's IP address, which will be a private IP address before the WAN connection is established. After the WAN connection is established and has an address, the IP Passthrough host can renew its DHCP address binding to acquire the WAN IP address. You may alter this setting. 

  • Click Save. Changes take effect upon restart.

 

Note: IP Passthrough Restriction

Since both the BGW210 Internet Gateway and the IP Passthrough host use the same IP address, new sessions that conflict with existing sessions will be rejected by the BGW210. For example, suppose you are working from home using an IPSec tunnel from the router and from the IP Passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer's office. In this case, the first one to start the IPSec traffic will be allowed; the second one from the WAN is indistinguishable and will fail.

 

Jared, AT&T Community Specialist

 

AT&T Help

Need help with an account specific question?  Post a new question here on the forums by clicking the "Ask a Question" button.
For additional support, please visit us at our AT&T services hub.

*I am an AT&T employee, and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.


New Member

 • 

6 Messages

3 years ago

Hi all!  Like many, I'm having trouble getting a VPN set up for remote access.  I've spent hours looking through this forum and have gotten IP passthrough to work on my BGW210-700 on to my Asus RT-AC3100 (it shows my external IP address).

But for the life of me I still can't access any ports no matter what port forwarding or OpenVPN setting I try.

Any tips on troubleshooting this or common issues with the BGW210/Asus setup are more than welcome.  And I'm happy to provide any settings or screenshots needed to help this.

But for a quick settings overview on the Asus:

-BGW210 network 192.168.1.x

-Asus network 192.168.2.x

-Subnet for both 255.255.255.0

-IPv6 off

-Asus Firewall on, BGW210 firewall off

-Asus Port forwarding on: port 1194 pointing to my static LAN assigned IP Synology NAS

-Asus DMZ off

-Asus DDNS off

Thank you for any and all help!!!

New Member

 • 

2 Messages

3 years ago

Hi all. Jared, thanks for starting this discussion years ago.

This is an extremely frustrating task. I’m now 2 years into fighting with this and have only now finally gotten almost everything I need working. ATT, please stop using the term IP Passthrough. This is misleading to the customer. Also, doesn’t the demarcation point end at the ONT within the customer premises? Why do you require the ability to remotely login to your modem to troubleshoot my own network? These are rhetorical questions. However, part of the definition of traditional/standard IP Passthrough means that a device can no longer be managed via its WAN interface (cause it’s bridged!)…

First off, let me say it was Professor_FERPS's post that truly got me forward and on the right path. I was skeptical of all the posts from dunnjo, but ultimately I do believe he is correct and helpful, and finally Jens2040 is totally on the right path. Thank you all for your insights and care to actually share your findings.

I have a Ubiquiti UniFi USG-3P router with 2 US-8-150W switches and 4 UAP-AC-PRO access points. Bottom line, I have my own network.

I changed nothing in my own router. WAN interface using DHCP and DNS 1.1.1.2, 1.0.0.2.


I use private LAN networks – 192.168.1.0/24, ..2.0/24, ..3.0/24

We need to disable as much as possible in the ATT modem, configure “passthrough”, AND use DHCP to let the modem give the public IP to the router. I think this is the true definition of this whole feature. Use DHCP to pass an unknown special IP, not one from its own pool, to a specific MAC address. So don’t use DHCP to give your router a known private IP, no, use DHCP to magically do something unexpected.

In the ATT modem, Arris BGW210-700…

Firewall – same steps 1 through 3 as Professor_FERPS.
Disable/remove all from Packet Filter, NAT/Gaming, Firewall Advanced. I agree with others that this is only relating to the NAT part of this.
IP Passthrough, set the Allocation Mode to Passthrough, DHCP-fixed, choose from list, use your router MAC, leave the DHCP lease alone.

Home Network – Subnets & DHCP – same as Jens2040 – skip step 4, don’t mess with Cascade.
First, I changed the device IP and DHCP reservations to use the 192.168.0.0/24 network. I understand that this isn’t ideal. If the ATT modem resets it will go back to the same network I use for my own private network. Technically this shouldn’t matter, but for some reason I went down the path of changing this here instead of redoing my entire network.
As with a bunch of others, I only allow a small range of DHCP leases (100-105 in this case, total of 5 IP can be given out). All this is not necessary as the Professor mentioned.

Initially I kept trying to enable Cascaded Router as Professor_FERPS said. After I got this working and realized why it worked, I disabled this and things still work. I agree with all the others that this isn’t needed.

IP allocation, I had previously assigned a private fixed address to my router. This was the main issue causing me so much grief. I couldn’t help but feel like I needed to use a fixed address so that the ATT modem would always know where to “passthrough” all traffic. I was worried that if someone plugged a device into one of the ATT modem LAN ports, it could switch everything to that. Not knowing how the “passthrough” feature was implemented or having any documentation on how all the settings relate to this, it was very much trial and error. Once I changed my router to use the pool, everything else started to work.

So this is really what dunnjo was talking about. It’s very simple. In a way, it’s almost just using defaults and turning on “passthrough”… so simple…

I did a DHCP renew in my own router and bam! Public IP showed up. No reboots.

So here it is, my own router finally showing my public IP address on its WAN interface. It’s weird to me that the DNS server here is not the public ATT DNS addresses. I use my own choice of public DNS, but if there is a double NAT issue, is there also a double DNS issue? What happens when the DNS server fails or caches something wrong on the ATT modem? Has this also contributed to my connection issues in the past? Yet another thing I need to investigate…


interface  : eth0
ip address : XXX.XXX.XXX.XXX     [Active]
subnet mask: 255.255.252.0
router     : XXX.XXX.XXX.1
name server: 192.168.0.254
dhcp server: 192.168.0.254
lease time : 600
last update: Sat Jun 5 08:01:31 EDT 2021
expiry     : Sat Jun 05 08:11:28 EDT 2021
reason     : RENEW

Here you can see on the Device, Status page of the ATT modem my router has the proper public IP (hidden) and a status of “on”. “laptop” is my real laptop from when I connected to the ATT modem Wi-Fi to make changes.


Device IP Address / Name Status Connection Frequency, Type, Name Mesh Client
192.168.0.105 / laptop off Wi-Fi 2.4 GHz, Home, test No
XXX.XXX.XXX.XXX / router on Ethernet   No

Oddly enough, while I can also see my router in the Device List under Device in the ATT modem, when I go to Home Network, IP Allocation, there is nothing there. So we used DHCP to assign an IP to our router, but DHCP has no record of it.

During the time messing with this, the ATT modem would constantly do broadcast pings to find all my devices in my network (what are you up to ATT?). I spent a lot of time trying to block this from my router, but that’s tricky due to broadcast and ICMP behavior. Once I got “passthrough” working, this seems to have stopped. I think the broadcast pings were a side effect of having “passthrough” setup wrong (which is laughable).

I am still being routed through my ATT modem.. or rather, the modem is still acting as a router.. After having disabled all the firewall rules in the ATT modem, I no longer have NAT issues, but this is lame. But there is a separate port for this issue…


traceroute to google.com (142.251.33.206), 30 hops max, 60 byte packets
 1  router (192.168.1.1)  0.388 ms  0.427 ms  0.544 ms
 2  192.168.0.254 (192.168.0.254)  2.631 ms  2.748 ms  3.720 ms

ATT, before you go and say, we told you we don’t support bridged mode, please focus on making this crazy “passthrough” option a whole lot more straightforward. Maybe just call it ATT’s Residential Public IP Reuse. I’m embarrassed it’s taken me so long to get this far, but I have a job and a life and my goal is to spend as little time on this as possible. Actually, let’s keep work at work. I don’t want to spend any more of my personal time troubleshooting your equipment so I can use my own network.

Good job on the bandwidth though.
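A check that can be run against a lease dump like the one in the post above, added here as an example and not part of the original post or any AT&T tooling. It reads the WAN lease of the downstream router and reports whether the address is public (passthrough active), whether the DHCP-supplied DNS and DHCP servers are private gateway addresses, and whether the router's LAN overlaps the gateway's LAN; the function names, the constructed sample lease, and the 203.0.113.x documentation addresses are assumptions.

```python
import ipaddress
import re

# RFC 1918 private space plus RFC 6598 carrier-grade NAT space. Listed explicitly
# because ipaddress.is_private also flags documentation ranges such as 203.0.113.0/24.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample in the same layout as the lease dump in the post above;
# 203.0.113.0/24 is a documentation range standing in for a real WAN address.
SAMPLE_LEASE = """\
interface  : eth0
ip address : 203.0.113.57     [Active]
subnet mask: 255.255.252.0
router     : 203.0.113.1
name server: 192.168.0.254
dhcp server: 192.168.0.254
lease time : 600
"""

def parse_lease(text):
    """Turn 'key : value' lines into a dict, dropping trailing tags like [Active]."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z ]+?)\s*:\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def is_non_public(addr):
    """True for RFC 1918 and CGNAT addresses, which are not reachable from the WAN."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC)

def check_passthrough(lease_text, router_lan, gateway_lan):
    """Return a list of findings for the downstream router's WAN lease."""
    lease = parse_lease(lease_text)
    findings = []
    if is_non_public(lease["ip address"]):
        findings.append("WAN address is private: passthrough not active (double NAT)")
    if is_non_public(lease["name server"]):
        findings.append("DHCP-supplied DNS server is a private address, not a public resolver")
    if is_non_public(lease["dhcp server"]):
        findings.append("lease was issued from a private address (the gateway's LAN side)")
    if ipaddress.ip_network(router_lan).overlaps(ipaddress.ip_network(gateway_lan)):
        findings.append("router LAN overlaps the gateway LAN subnet")
    return findings

if __name__ == "__main__":
    for finding in check_passthrough(SAMPLE_LEASE, "192.168.1.0/24", "192.168.0.0/24"):
        print(finding)
```

An empty double-NAT finding with a private `name server` matches what the post observed: the public address arrives on the WAN interface while DNS and DHCP still point at the gateway's LAN address.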

ACE - Expert

 • 

35.5K Messages

3 years ago

IP Passthrough is fairly straightforward, as I think you've finally gotten to.  People add on crazy requirements (such as the cascaded router setup) which are not useful and can, in fact, be harmful.

New Member

 • 

8 Messages

3 years ago

What makes them "harmful"?

Att is rolling out a new gateway apparently.  Might have a whole new set of issues.

Contributor

 • 

4 Messages

3 years ago

I just got ATT Gigfiber and a BGW320-505. I would like to be able to ssh into a Mac with a wired connection to the BGW320-505. 

Do I need to use a separate router to get full speed as someone a few messages earlier said? If not, is there some documentation on how to get IP Passthrough to assign a public IP address to this MAC in a secure manner with no loss of speed? Right now I'm getting over 950 MB up and down and would like to keep it that way.

New Member

 • 

1 Message

2 years ago

Is there a way to configure the BGW320-505 modem/router to use multiple ports, one for passthru to my pfSense router and another for a separate wifi router?  It works fine today using one port in passthru mode connected to my pfSense box giving it the ATT WAN IP (which I do need for my pfSense VPN). 

I'd like to connect a wifi router to another port on the BGW320-505 for my IOT stuff and ensure that my IOT stuff has absolutely no access to anything behind the pfSense box.

Yeah, I know the pfSense box can do lots of cool stuff like this but if I can keep it simple and just plug in an old ASUS wifi router to another port on the ATT modem I'd like to take the low road.

Is this possible?

ACE - Expert

 • 

35.5K Messages

2 years ago

@gordonshumway, you could, but you'd have to get a block of public static IP addresses from AT&T (for $15/month) so you could assign one of those addresses to the second router.

Teacher

 • 

31 Messages

2 years ago

My internal router is running OPNSense firmware.  I wanted to know if there are any WAN interface settings I need to make on the internal router once it is connected to BGW in passthrough mode?  Do I need to input the BGW MAC address or Gateway IPv4 Address?  Or will just plugging in the OPNSense WAN to the BGW LAN interface do the trick?

ACE - Expert

 • 

35.5K Messages

2 years ago

Assuming the OPNSense comes configured for Dynamic IP configuration, just plug the OPNSense WAN into the BGW LAN.  Then go to the IP Passthrough screen and choose DHCP-Fixed and select the OPNSense in the dropdown.  Once you've saved it, reboot both.

Also note that you should have different LAN subnets on the two routers.

(edited)

Teacher

 • 

31 Messages

2 years ago

Yes, thank you.  I set the BGW to 192.168.0.254 and the OPNsense router to 192.168.1.254.  Followed the instructions, and the OPNsense router came up perfectly.

Note for anyone attempting this with OPNsense firmware:  Do NOT plug in the OPNsense router until you have completed all changes on the BGW router and re-booted it.  I know this presents a problem when trying to set the Passthrough Fixed MAC Address, but if you can get it in advance and enter it manually, that would be best.  The problem (I ran into) is that when you bring up the OPNsense router the first time, it configures the WAN and LAN based upon the BGW (assuming it's connected). 

Because I did this before I had changed the BGW subnet, the initial setup was incorrect and I ended up having to reset the firmware to factory default and start over.  And, another note on factory default reset: In my case (installing OPNsense firmware on a mini pc), after reset, the "installer" login name no longer works.  You must use root | opensense.  Took me a while to figure that one out.  Not documented anywhere I can find.

So, by connecting and running the OPNsense install AFTER setting BGW to passthrough mode and changing its subnet, the firmware configured the WAN interface perfectly.

Huge thanks to everyone who has contributed here.
