How to fake bridged mode with U-Verse
I have worked out a way to simulate full bridged mode between a U-Verse RG (residential gateway) and an enterprise-grade router.
It's not identical to a true bridged mode, but it is pretty close. You will need:
- AT&T U-Verse VDSL service with the Static IP add-on. (I'll be using the 8-IP block in this case.)
- A router capable of running a first-hop redundancy protocol such as HSRP, VRRP, or GLBP, i.e. one that gives each virtual IP its own virtual MAC.
- A device on the internet that is NOT using your U-Verse service, for testing from the outside, where it matters. (A smartphone on cellular data works great, or just call a friend who has a PC handy.)
The AT&T RG uses ARP to tie each static IP to exactly one MAC address: one MAC = one static IP. This effectively prevents you from routing the whole block to an internal router or firewall, because such a device answers ARP for every usable address with the same MAC. Why the RG chooses to do this is beyond me, but it is what it is and we have to work around it.
When the RG sees what it thinks is a single internal device changing its IP while keeping the same MAC (which is exactly what multiple IPs on one interface look like to it), it updates that device's "current IP address" in the IP Address Allocation tab, severs all TCP connections to the old address, and its firewall then blocks every attempt to connect to the old address, because it no longer sees that address registered to any internal device.
Ultimately, this means that if we intend to use our own internal device to protect and control our static IP block, we have to get that device to lie to the RG and present itself as several unique MAC/IP pairs.
This is difficult because most routers and firewalls have one MAC per interface and no supported way to add more. Even high-end Cisco routers do not let you attach an arbitrary number of MAC addresses to an interface, because it should never be necessary: they assume the other devices on the segment know how to use ARP.
To solve this, we have to fake the RG into cooperating, with some protocol abuse of our own: run a routing redundancy protocol even though we have no peer router to fail over to. In this example I'll be using Cisco's HSRP, although in theory this works with any redundancy protocol that creates virtual IPs with their own virtual MACs. These protocols use the virtual MAC + IP pairs as floating "virtual interfaces" that would normally move between two routers running the protocol, so that in the event of a failure none of the clients have to re-learn the gateway's MAC and IP: nobody has to ARP again and you get a very quick failover. HSRP normally derives the virtual MAC from the group number (0000.0c07.acXX for HSRP version 1), but IOS lets you override it per group, and that is what we're going to use to present the RG with a distinct MAC for every address.
- The static IP range AT&T gave us is 184.108.40.206/29 (.1 through .5 usable for us; .6 is the RG's own address in the block).
- We will use .5 as our router's actual address; .1 through .4 will be virtual.
- When I say "LAN IP range" I am NOT talking about the RG's default LAN range of 192.168.1.0/24; I mean the address space we choose to use behind our router, which is what handles the static IPs.
- The LAN IP range behind our router is 172.16.0.0/24.
- We have two computers on the LAN:
- PC1 = 172.16.0.100/24, on which we want to expose ALL services to the world as 220.127.116.11.
- PC2 = 172.16.0.200/24, on which we want to expose JUST a web server (TCP/80) to the world as 18.104.22.168:80.
- We want all hosts in 172.16.0.0/24 to have outbound internet access via the router's own static IP, 22.214.171.124. We will use NAT overload (PAT) to accomplish this.
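As an added worked example (not code from the original post), the following Python script carves a /29 the way described above (RG takes the last usable address, our router the one below it, the rest become HSRP virtual IPs), derives a virtual MAC for each address using the post's naming scheme with the locally-administered bit set (first octet 02), emits the matching HSRP group lines, and then checks an `arp -an` listing taken from a host on the RG side of the router to confirm that every static address answers with its own MAC, which is the property the RG enforces. The block 203.0.113.0/29 is an RFC 5737 placeholder standing in for the real assignment, the router's burned-in MAC is made up, and both ARP listings are constructed.

```python
import ipaddress
import re

# Placeholder /29 (RFC 5737 documentation space); the real AT&T block is not shown here.
BLOCK = "203.0.113.0/29"


def plan_static_block(cidr):
    """Split the block as the post does: RG = last usable host, our router = the one
    below it, every remaining host becomes an HSRP virtual IP."""
    hosts = list(ipaddress.ip_network(cidr, strict=True).hosts())
    if len(hosts) < 3:
        raise ValueError("block too small to hold RG, router and at least one virtual IP")
    return {
        "rg": str(hosts[-1]),
        "router": str(hosts[-2]),
        "virtual": [str(h) for h in hosts[:-2]],
    }


def virtual_mac(ip):
    """Naming scheme from the post with the locally-administered bit actually set:
    0200.0000.1xxx, where xxx is the zero-padded last octet of the IP it carries."""
    last = int(ip.rsplit(".", 1)[1])
    return f"0200.0000.1{last:03d}"


def mac_colon(dotted):
    """Convert IOS dotted form (0200.0000.1001) to colon form (02:00:00:00:10:01)."""
    h = dotted.replace(".", "")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def hsrp_config(plan):
    """Interface sub-commands for one peerless HSRP group per virtual IP."""
    lines = []
    for group, ip in enumerate(plan["virtual"], start=1):
        lines.append(f" standby {group} ip {ip}")
        lines.append(f" standby {group} mac-address {virtual_mac(ip)}")
        lines.append(f" standby {group} timers 254 255")  # no peer, so hello rarely
    return "\n".join(lines)


# Matches both Linux and BSD/macOS "arp -an" lines: "? (1.2.3.4) at aa:bb:cc:dd:ee:ff ..."
ARP_RE = re.compile(r"^\S+ \((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})", re.M)


def check_arp_view(arp_output, plan):
    """From the RG side, the router's own IP and every virtual IP must each resolve
    to a distinct MAC. Returns a list of problems; empty means the RG sees N devices."""
    seen = {ip: mac.lower() for ip, mac in ARP_RE.findall(arp_output)}
    owner = {}
    problems = []
    for ip in [plan["router"]] + plan["virtual"]:
        mac = seen.get(ip)
        if mac is None:
            problems.append(f"{ip}: no ARP entry, RG will never register it")
        elif mac in owner:
            problems.append(f"{ip}: shares MAC {mac} with {owner[mac]}; RG will collapse them")
        else:
            owner[mac] = ip
    return problems


PLAN = plan_static_block(BLOCK)
ROUTER_MAC = "00:1a:2b:3c:4d:5e"  # constructed burned-in MAC of the router's WAN port

# Constructed listing: the setup working as intended, one MAC per address.
GOOD_ARP = "\n".join(
    [f"? ({PLAN['router']}) at {ROUTER_MAC} [ether] on eth0"]
    + [f"? ({ip}) at {mac_colon(virtual_mac(ip))} [ether] on eth0" for ip in PLAN["virtual"]]
)
# Constructed listing: secondary addresses on a plain interface, every IP with the same MAC.
BAD_ARP = "\n".join(
    f"? ({ip}) at {ROUTER_MAC} [ether] on eth0" for ip in [PLAN["router"]] + PLAN["virtual"]
)

if __name__ == "__main__":
    print(hsrp_config(PLAN))
    print("good:", check_arp_view(GOOD_ARP, PLAN))
    print("bad: ", check_arp_view(BAD_ARP, PLAN))
```

Run the check from any host plugged into the RG's LAN side after pinging each static address once; if the output is anything other than an empty list, the RG is about to see one device hopping between addresses rather than five separate devices.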
Step 1) Log in to the RG and make the following settings changes:
* Link Configuration
  * Supplementary Network
    * Check Enable
    * Place the RG's address in the block (the last usable address of the subnet, .6 here) into the Router Address field.
    * Fill in the subnet mask.
    * DO NOT check Auto Firewall Open.
    * Make sure "New Device DHCP Pool" is set to "Private Network".
* Enhanced Security
  * Disable Stealth Mode (useful for troubleshooting).
  * Disable Block Ping (useful for troubleshooting).
  * Disable Strict UDP Session Control (I have found that this can interfere with VoIP apps).
* Attack Detection
  * Disable Excessive Session Detection (the RG's definition of "excessive" is a bit small).
  * Disable Invalid Source/Destination IP Address (for some reason this seemed to interfere).
  * Disable Invalid ICMP Detection (seems to block ALL ICMP??).
Each of the Enhanced Security and Attack Detection changes removes a layer of the RG's own filtering, so the router behind it has to carry its own inbound access list on the WAN interface; the RG is no longer doing that job for you.
Step 2) Unplug all but your configuring PC from the RG.
Step 3) Under Diagnostics -> Resets, clear the RG's device list, so it forgets the MAC/IP pairs it has learned so far.
Step 4) Unplug your PC from the RG and reconnect it.
Step 5) The RG is now ready to learn the statically assigned addresses our router will present.
Step 6) Configure the router. This part will require familiarity with your chosen device. I'll provide the commands as a Cisco IOS configuration file with comments. If your device is not a cisco box, hopefully this will give you enough information to configure it properly.
! Cisco IOS Configuration File
! Version 12.4
!
! Set up the inside interface.
! (The LAN interface name is not given in the post; FastEthernet0/0 is assumed here.)
interface FastEthernet0/0
 description LAN (TO SWITCH)
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
! Set up the outside interface (FastEthernet1/0, the interface the PAT rule below refers to).
interface FastEthernet1/0
 description WAN (TO RG)
 ! Assign our router the highest free address in the block (.5, right below the RG's .6).
 ip address 126.96.36.199 255.255.255.248
 ip nat outside
 ! Create a virtual HSRP IP + MAC pair for each remaining usable address (.1 through .4).
 ! Each group needs its own unique MAC. The ones below have the locally-administered bit set
 ! (first octet 02) and end with 1 + the three-digit last octet of the IP they carry, which makes
 ! it easy to tell which is which in the RG's device list later if anything gets messed up.
 ! Slow the HSRP timers down on every group: there is no peer to check for every second.
 ! This router must become the master, so let it preempt rather than defer to a peer that never
 ! appears (preempt is assumed to be the intended command; the listing carries only the comment).
 standby 1 ip 188.8.131.52
 standby 1 mac-address 0200.0000.1001
 standby 1 timers 254 255
 standby 1 preempt
 standby 2 ip 184.108.40.206
 standby 2 mac-address 0200.0000.1002
 standby 2 timers 254 255
 standby 2 preempt
 standby 3 ip 220.127.116.11
 standby 3 mac-address 0200.0000.1003
 standby 3 timers 254 255
 standby 3 preempt
 standby 4 ip 18.104.22.168
 standby 4 mac-address 0200.0000.1004
 standby 4 timers 254 255
 standby 4 preempt
!
! Default gateway and default route: the RG's (3600HGV's) address in the static block.
! ip default-gateway only applies when IP routing is disabled; with routing enabled the
! static route is what the box actually uses, so the static route is the one that matters.
ip default-gateway 22.214.171.124
ip route 0.0.0.0 0.0.0.0 126.96.36.199
!
! Use static NAT to expose PC1, 172.16.0.100, to the internet on ALL ports as 188.8.131.52.
! This is a full one-to-one mapping; put an inbound access list on the WAN interface
! unless PC1 really should be reachable on every port.
ip nat inside source static 172.16.0.100 184.108.40.206
! Use static NAT to expose JUST TCP/80 on PC2, 172.16.0.200, as 220.127.116.11:
ip nat inside source static tcp 172.16.0.200 80 18.104.22.168 80
! Create a NAT overload (PAT) to let the hosts matched by ACL-INET share the router's WAN address:
ip nat inside source list ACL-INET interface FastEthernet1/0 overload
! Create the ACL-INET access list and allow the whole LAN to use the overload.
! Note the IOS wildcard mask (0.0.0.255), not a subnet mask.
ip access-list standard ACL-INET
 10 permit 172.16.0.0 0.0.0.255
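A configuration of this shape is easy to get subtly wrong: a copy-paste slip in a static NAT line points a port at the wrong inside host, or a static NAT uses a public address that no HSRP group carries, which the RG will simply never learn a MAC for. As an added example that is not part of the original post, here is a Python linter that reads an IOS fragment like the one above and checks the invariants this setup relies on: every HSRP group has an IP and a unique MAC, every static NAT public address is owned by an HSRP group or the WAN interface, the exposures match the stated intent (PC1 all ports, PC2 TCP/80 only), and the PAT rule names the `ip nat outside` interface. The sample config uses the placeholder block 203.0.113.0/29 and the assumed interface names FastEthernet0/0 and FastEthernet1/0; the bad variant is constructed to show what the checks catch.

```python
import re
from collections import Counter

# Constructed IOS fragment mirroring the post's configuration, with the placeholder
# block 203.0.113.0/29 (RFC 5737) standing in for the real static range.
GOOD_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
interface FastEthernet1/0
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
 standby 1 ip 203.0.113.1
 standby 1 mac-address 0200.0000.1001
 standby 2 ip 203.0.113.2
 standby 2 mac-address 0200.0000.1002
 standby 3 ip 203.0.113.3
 standby 3 mac-address 0200.0000.1003
 standby 4 ip 203.0.113.4
 standby 4 mac-address 0200.0000.1004
ip route 0.0.0.0 0.0.0.0 203.0.113.6
ip nat inside source static 172.16.0.100 203.0.113.3
ip nat inside source static tcp 172.16.0.200 80 203.0.113.4 80
ip nat inside source list ACL-INET interface FastEthernet1/0 overload
"""

# Constructed broken variant: wrong inside host on the web-port rule, and PC1 mapped
# to a public address that no HSRP group or interface owns.
BAD_CONFIG = GOOD_CONFIG.replace(
    "ip nat inside source static tcp 172.16.0.200 80 203.0.113.4 80",
    "ip nat inside source static tcp 172.16.0.100 80 203.0.113.4 80",
).replace(
    "ip nat inside source static 172.16.0.100 203.0.113.3",
    "ip nat inside source static 172.16.0.100 203.0.113.9",
)

# What the post intends: PC1 fully exposed, PC2 only TCP/80.
INTENT = {"172.16.0.100": "all", "172.16.0.200": {("tcp", 80)}}

STANDBY_RE = re.compile(r"^\s*standby (\d+) (ip|mac-address) (\S+)", re.M)
STATIC_RE = re.compile(
    r"^ip nat inside source static(?: (tcp|udp))? (\S+)(?: (\d+))? (\S+)(?: (\d+))?", re.M)
OVERLOAD_RE = re.compile(r"^ip nat inside source list \S+ interface (\S+) overload", re.M)


def parse_interfaces(cfg):
    """Map interface name -> {'ip': address, 'nat': 'inside'|'outside'|None}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"ip": None, "nat": None}
        elif not line.startswith(" "):
            cur = None  # back at global configuration level
        elif cur:
            words = line.split()
            if words[:2] == ["ip", "address"]:
                ifaces[cur]["ip"] = words[2]
            elif words[:2] == ["ip", "nat"]:
                ifaces[cur]["nat"] = words[2]
    return ifaces


def lint(cfg, intent):
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    ifaces = parse_interfaces(cfg)
    outside = [n for n, v in ifaces.items() if v["nat"] == "outside"]
    if len(outside) != 1:
        return ["expected exactly one 'ip nat outside' interface"]
    out_name, out_ip = outside[0], ifaces[outside[0]]["ip"]

    groups = {}
    for g, kind, val in STANDBY_RE.findall(cfg):
        groups.setdefault(g, {})[kind] = val
    for g, v in sorted(groups.items()):
        if "ip" not in v or "mac-address" not in v:
            problems.append(f"HSRP group {g}: needs both an ip and a mac-address")
    for mac, n in Counter(v.get("mac-address") for v in groups.values()).items():
        if mac and n > 1:
            problems.append(f"MAC {mac} used by {n} groups; the RG will collapse them into one device")

    # Public addresses the RG can actually learn a MAC for.
    publics = {out_ip} | {v["ip"] for v in groups.values() if "ip" in v}
    exposed = {}
    for proto, inside, _iport, public, pport in STATIC_RE.findall(cfg):
        if public not in publics:
            problems.append(f"static NAT to {public}: no HSRP group or interface owns it")
        exposed.setdefault(inside, set()).add((proto, int(pport)) if proto else "all")
    for host, want in intent.items():
        got = exposed.get(host, set())
        if want == "all" and "all" not in got:
            problems.append(f"{host}: intended fully exposed but got {sorted(got, key=str)}")
        elif want != "all" and got != want:
            problems.append(f"{host}: intended {sorted(want)} but got {sorted(got, key=str)}")
    for host in exposed:
        if host not in intent:
            problems.append(f"{host}: exposed by NAT but not in the plan")

    m = OVERLOAD_RE.search(cfg)
    if not m or m.group(1) != out_name:
        problems.append("PAT overload must reference the 'ip nat outside' interface")
    return problems


if __name__ == "__main__":
    print("good:", lint(GOOD_CONFIG, INTENT))
    print("bad: ", lint(BAD_CONFIG, INTENT))
```

The intent table is the part worth keeping next to the real config: when a new static NAT appears that is not in it, the linter flags the host as exposed but unplanned, which is the kind of drift that quietly widens what the RG lets through.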
(CONTINUED IN NEXT POST)