AT&T Community Forums
Jeysouth

Teacher


11 Messages

Tue, Nov 29, 2016 1:02 AM

How to reset 2Wire 3801HGV Gateway to allow 3rd party router to be main WiFi host with Guest Network

I have the Uverse 2Wire 3801HGV gateway that serves as the host of our WiFi signal as well as the ethernet connection for two peripheral devices - a printer and an ATT micro-cell (our phone reception is bad otherwise). I want to add an Apple Time Capsule to the network for two main reasons - the Apple TC is a newer "a/c" router compared to the "g" Gateway AND I have had a Guest Network set-up with an Apple Extreme when I lived elsewhere and really found it useful with relatives, guests, etc. (The Apple TC can also handle the ethernet requirements)

The 3801HGV manual has instructions for putting it into Bridge Mode.  Will this work with the ATT system??  Or is it more complex??  The 3801 manual's only caution is, "Confirm with the ISP that the WAN protocol is compatible with bridging mode."    Can you advise what steps work to accomplish Bridge mode with this Gateway/3rd Party Router???    Thank you!!

 

Responses

Accepted Solution

Official Solution

ApexRon

Professor


2.2K Messages

4 years ago

"Do I infer from your response that all I do to the 3801HGV settings is turn WiFi off and have all ethernet connections (other than APExtreme & DVR) go to the APExtreme?" Yes. Understand that any device you hang off the 3801HGV may not be reachable by devices hung off the APE. This is because the only routing is "next hop", not a true routing protocol.

 

"Then the APE is configured as DHCP and handing out addresses to your devices & controlling traffic?" Yes, to DHCP but not sure what you mean by controlling traffic. If the destination IP address is within the APE downstream network, the APE will handle. If the destination address is within the 3801HGV downstream network, reachability may be an issue.

 

"Aren't the two devices - the 3801HGV and APE competing for control?" The 3801HGV only sees what is directly connected to it.

 

" I've seen things about going into the 3801's DMZ, double NAT, etc.?" For me, a later APE firmware notices the double NAT but does not complain about it as earlier versions did. I have my firewall on the AT&T provided equipment using the default settings.

 

"From your last comment, can I conclude you did not see a faster network by bypassing the "g" 3801 router and adding the "a/c" APE?" Actually the WiFi was faster using the APE because my devices supported the a/n where the AT&T provided equipment did not at the time. Realize that by using this solution you are adding additional network delays but we are talking 1 or 2 msec which is significant when dealing with internet traffic.

 

"Can you use the Guest Network feature of the APE?" Yes, you can use the Guest network of the APE.

_____________________________________________________
ApexRon

Professor


2.2K Messages

4 years ago

I have had an Apple Airport Extreme downstream from my AT&T provided router/gateway for years.

 

I have the AT&T router/gateway's WiFi disabled and the only thing connected to its Ethernet is the DVR and the Airport Extreme. The IP is set up for the default network of 192.168.1.0 255.255.255.0.

 

The Airport Extreme is configured as if it has a direct connection to the internet (not bridging). You can configure the internet side with a static IP address on the 192.168.1.0 network or just use DHCP as I have done. On the LAN side I have a 192.168.64.0 255.255.255.0 network. All my devices are connected to this network either by WiFi or Ethernet. This installation is referred to as a cascaded router.

 

I initially installed this solution to provide higher WiFi speeds but it turns out that the AT&T provided router/gateway is not friendly in supporting Apple solutions.

_____________________________________________________
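The cascaded layout in the post above (gateway LAN 192.168.1.0/24, inner router LAN 192.168.64.0/24) can be sanity-checked from the address the inner router receives on its WAN port. This is an added example, not part of the original post; the function names, the sample WAN addresses, and the assumption that DMZplus/IP Passthrough hands the inner router a public address are all illustrative.

```python
import ipaddress

# RFC 1918 private ranges and RFC 6598 carrier-grade NAT space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(addr):
    """Classify the address the inner router gets on its WAN port."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PRIVATE_NETS):
        return "private"   # leased from the gateway's LAN: the gateway still NATs
    if ip in CGNAT_NET:
        return "cgnat"     # the ISP itself is translating upstream
    return "public"        # assumed result of DMZplus / IP Passthrough


def audit_cascade(gateway_lan, inner_wan_ip, inner_lan):
    """Return findings for a gateway -> inner router cascade (hypothetical helper)."""
    gw = ipaddress.ip_network(gateway_lan)
    lan = ipaddress.ip_network(inner_lan)
    findings = []
    kind = classify_wan(inner_wan_ip)
    if kind == "private":
        # Traffic is translated once by the inner router and again by the gateway.
        findings.append("double-nat")
        if ipaddress.ip_address(inner_wan_ip) not in gw:
            findings.append("wan-not-in-gateway-lan")
    elif kind == "cgnat":
        findings.append("carrier-nat")
    # If both routers serve the same subnet, the inner router cannot tell
    # "upstream" from "local" and routing between the two sides breaks.
    if gw.overlaps(lan):
        findings.append("subnet-overlap")
    return findings


if __name__ == "__main__":
    # Constructed sample values; only the two /24 networks come from the thread.
    print(audit_cascade("192.168.1.0/24", "192.168.1.64", "192.168.64.0/24"))
    print(audit_cascade("192.168.1.0/24", "203.0.113.10", "192.168.64.0/24"))
    print(audit_cascade("192.168.1.0/24", "192.168.1.64", "192.168.1.0/24"))
```

An empty result means the inner router is the only NAT and firewall boundary, so its own firewall settings are the ones that matter.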
Jeysouth

Teacher


11 Messages

4 years ago

ApexRon, thank you for the quick response!  Do I infer from your response that all I do to the 3801HGV settings is turn WiFi off and have all ethernet connections (other than APExtreme & DVR) go to the APExtreme?  

Then the APE is configured as DHCP and handing out addresses to your devices & controlling traffic?

Aren't the two devices - the 3801HGV and APE competing for control?  I've seen things about going into the 3801's DMZ, double NAT, etc.?  (I am not anywhere near experienced with this, so simple step-by-step helps)

From your last comment, can I conclude you did not see a faster network by bypassing the "g" 3801 router and adding the "a/c" APE?

Jeysouth

Teacher


11 Messages

4 years ago

ApexRon, I forgot to ask..... Can you use the Guest Network feature of the APE?  Thanks very much for the help!

Jeysouth

Teacher


11 Messages

4 years ago

Thank you!  Very clear and very reassuring that this arrangement works!!

JefferMC

New Member


17.7K Messages

4 years ago

If you configure the APE to operate under the U-verse Gateway's DMZplus (or IP Passthrough on NVG gateways) mode, then there is no double-NAT and the APE retains all router functionality, including the ability to have a real Guest Network.

 

Award for Community Excellence 2019 Achiever*
*I am not an AT&T employee, and the views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.
ApexRon

Professor


2.2K Messages

4 years ago

While that may work, you will be bypassing the firewall protection of the AT&T provided router/gateway. Here is the information from my 5268ac:

"Allow all applications (DMZplus mode) - Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the "Allow individual applications" feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.

Note: On LAN devices which have a Private IP address, once DMZplus mode is selected and you click save, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and you must reboot the computer. If you are changing DMZplus mode from one computer to another computer, you must reboot both computers."

 

"... APE retains all router functionality, including the ability to have a real Guest Network." Not certain what would change regarding a Guest Network. 

_____________________________________________________
Jeysouth

Teacher


11 Messages

4 years ago

To JefferMC & ApexRon,  thank you for the attention to this issue...my simple way of thinking is that the 3801HGV gateway currently has a "phone jack" IN (that carries all the Uverse info).  I have a coax cable OUT to the Uverse STB/DVR (only one TV in network).  Then I have TWO ethernet connections OUT - one to a printer and one to the ATT micro-cell box (bad cell phone signal on our block).      

The new layout would be for the 3801HGV >>> the "phone jack" IN, the coax cable out to the STB/DVR, ONE ethernet connection OUT to the APE. The APE would have the two ethernet OUT connections for printer & micro-cell. (I may add a back-up drive as a third ethernet out or get a Time Capsule in place of the APE). Ideally the APE would handle all wireless traffic for our laptops & iPads.

Does this simple set-up help in determining what settings I need for the 3801HGV and the APE?? I have been in the settings of the 3801HGV and looked around and downloaded a manual for it, but do not have experience in actually changing or resetting stuff. So your patience in defining the steps is again appreciated!! Again, thank you both

ApexRon

Professor


2.2K Messages

4 years ago

Not sure if micro-cell will work behind APE but worth a try.

My APE comes with a USB connection and I have a hard drive connected to it which I use for network backup.

As long as you have DHCP and NAT being used on the APE, the APE firewall will be enabled.

_____________________________________________________
Jeysouth

Teacher


11 Messages

4 years ago

ApexRon, thank you! I had the same thought about USB port. But, sorry for my ignorance, is it straightforward to set-up the APE to have DHCP & NAT being used? Do I need to take special steps during install to set these?

ApexRon

Professor


2.2K Messages

4 years ago

Hope this helps:

 

Screen Shot 2016-11-30 at 8.21.01 PM.JPG

Screen Shot 2016-11-30 at 8.23.48 PM.JPG

_____________________________________________________
Jeysouth

Teacher


11 Messages

4 years ago

Again thank you. These are screen shots from the APE settings and should give me what I need to duplicate your solution! Thanks!!!

JefferMC

New Member


17.7K Messages

4 years ago


@ApexRon wrote:

While that may work, you will be bypassing the firewall protection of the AT&T provided router/gateway. Here is the information from my 5268ac:

"Allow all applications (DMZplus mode) - Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the "Allow individual applications" feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer.

Note: On LAN devices which have a Private IP address, once DMZplus mode is selected and you click save, the system will issue a new IP address to the selected computer. The computer must be set to DHCP mode to receive the new IP address from the system, and you must reboot the computer. If you are changing DMZplus mode from one computer to another computer, you must reboot both computers."

 


Sure, but as long as you're operating the APE as a router (as opposed to an Access Point), it provides every bit as good a firewall protection as the U-verse Gateway.  You're just passing the responsibility one node in.

If you operate the Gateway and the APE as routers, you're just doing double work.  Double firewall.  Double NAT.

I would only suggest using DMZplus to a computer if you're running a software firewall on that computer and understand how to configure it properly.

 


@ApexRon wrote:

"... APE retains all router functionality, including the ability to have a real Guest Network." Not certain what would change regarding a Guest Network. 


 

If you operate the APE as an Access Point, then it can't segregate traffic and keep clients on the "guest network" from accessing the LAN, because all it can do is repeat traffic from its WLAN onto the LAN it's serving as an access point for.  When it's operating as a router, then it will only route between the Guest Network and the public interface, isolating it from the local subnet/LAN.

 

ApexRon

Professor


2.2K Messages

4 years ago

"Sure, but as long as you're operating the APE as a router (as opposed to an Access Point), it provides every bit as good a firewall protection as the U-verse Gateway." You can't say that because, at least for my APE, you have no access to the firewall and you really don't know if they are protecting the same way.

 

"If you operate the Gateway and the APE as routers, you're just doing double work. Double firewall. Double NAT." In this day and age there is nothing wrong with two firewalls. Double work? This is not a Cisco router, the APE is very easy to configure.

 

"I would only suggest using DMZplus to a computer if you're running a software firewall on that computer and understand how to configure it properly." Today, you can have more types of devices on an at home network than a computer. My two Macs each have a firewall, so my computers pass through three firewalls to the internet. Default firewall options work just fine on all three.

 

"If you operate the APE as an Access Point, then it can't segregate traffic and keep clients on the "guest network" from accessing the LAN, because all it can do is repeat traffic from its WLAN onto the LAN it's serving as an access point for. When it's operating as a router, then it will only route between the Guest Network and the public interface, isolating it from the local subnet/LAN." Ultimately it depends on what the Guest Network will be used for. For the APE it is merely another SSID so from my perspective it's useless except the SSID will have a different password or none at all. I don't see a way on my APE to segregate traffic.

_____________________________________________________
JefferMC

New Member


17.7K Messages

4 years ago

A true guest network setting normally blocks packets from the "guest" WLAN to anything but the public WAN interface, whereas non-Guest WAN nodes can talk to each other and LAN hosts, such as media servers, etc.  While you could have a "Guest" SSID that is just a convenience to avoid giving out the credentials to your "private" SSID, that's not how the term is typically understood.

 

More than one firewall that is doing the same thing is redundant without benefit. Yes, defense in depth is an important part of security. But when you have too many layers, consumers tend to get frustrated and start removing things "just to get it to work." Thus, I try to guide them to set up a security perimeter at one place. If they have a third-party router, that's the most likely place: it normally has a more straightforward interface than the U-verse gateway. And more horse power. And a larger NAT translation pool. NAT alone provides 99.44% of the firewall requirements for the typical home.

 

Double NAT is a bad thing. It breaks some protocols (especially IPSEC). It means two NAT translation lookups. Double firewalls mean adding latency for processing of packets that pass the outer firewall a second time on the inner firewall, where they will likely also pass, because you need to set them the same to pass the traffic through both.

 

 
