How to stop U-verse equipment with DMZPlus enabled from responding to external internet ping requests?
TL;DR: How do I stop my U-verse 5031NV Residential Gateway from responding to ping requests from the internet when DMZPlus is enabled?
My reason for going into "bridge mode" is a lack of confidence that AT&T is adequately patching the firmware in their U-verse RGs. Considering how many zero-day and other defects have been published this year in software, firmware, and hardware, I need to do my part to protect myself.
What makes my situation different from most is that my apartment is literally 15 yards from a high-speed rail/public transit stop. The transit line next to my apartment has high traffic, as it goes directly downtown. Additionally, several community colleges are on this transit line. I am concerned about a young network engineer using my Wi-Fi network to test concepts they just learned in class or read about online. Although my Wi-Fi power setting is very low, the elevated position of my apartment relative to the transit stop results in my providing four bars of Wi-Fi coverage to strangers at the train stop.
Although I have a different model of U-verse RG, this article from the AT&T Community Forum outlines the same problem: "Pace 5268AC Responds to Pings in DMZplus mode": https://forums.att.com/t5/AT-T-Internet-Features/Pace-5268AC-Responds-to-Pings-in-DMZplus-mode/td-p/5130591
Regrettably, the article does not indicate the steps needed to stop U-verse equipment with DMZPlus enabled from responding to ping requests.
Here is what I have done:
1. Determined the status of my LAN as seen from the outside world before making any config changes by running ShieldsUP! from GRC.com: https://www.grc.com/x/ne.dll?bh0bkyd2
2. I noted that all tests passed.
3. Placed the 5031NV in "bridge mode" by following these steps: https://forums.att.com/t5/AT-T-Internet-Equipment/How-to-Bridge-PACE-5031-NV-to-3rd-Party-Router/td-p/3612175#M12227
4. Ran ShieldsUP! from GRC.com; all ports were in stealth mode, but the test failed because the network responded to ping requests.
5. The Asus RT-N66U is running AsusWRT-Merlin. Under Firewall, I confirmed that RESPOND TO ICMP ECHO (PING) REQUEST FROM WAN is set to NO.
6. I installed Ping Test by B.G. Best Games from the Google Play Store and ran a ping over my cell network.
7. The ping from my cell phone was successful. This confirmed GRC.com's finding: my LAN's edge device is visible to the whole internet - BAD!
8. Restored the U-verse Residential Gateway to its normal config.
9. Ran the tests from GRC.com and my cell phone; my LAN's edge device was not visible to the world.
10. Tried "bridge mode" again with a Netgear WNDR3400v2 using Netgear's firmware.
11. GRC.com test results were the same as in step 4, and the ping from my cell phone was successful. Again, my LAN's edge device is visible to the world - BAD.
12. Restored the RG to its normal U-verse config.
13. Ran ShieldsUP! from GRC.com; all tests passed, and the ping from my phone failed - GOOD.
14. On the U-verse 5031NV, I went to FIREWALL --> ADVANCED SETTING, unchecked BLOCK PING, and saved.
15. Ping was successful from both GRC.com and my phone - BAD.
16. Re-checked the BLOCK PING box and saved.
17. As expected, ping failed from both GRC.com and my phone - GOOD.
Based on the above actions, along with the complaint stated in the question "Pace 5268AC Responds to Pings in DMZplus mode", it appears that some U-verse gateways respond to ping requests by default when DMZPlus is enabled. Can someone with more knowledge of U-verse tell me how to disable this feature?
In the event this feature cannot be disabled, what steps should I take to effectively combat hacking attempts while in "bridge mode"?
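Step 5 of the post turns off the downstream router's own reply to WAN pings through the AsusWRT-Merlin GUI. The script below is an added example (the editor's, not code from the original post or from the AsusWRT-Merlin project) of what that setting amounts to in iptables terms, written the way a Merlin `/jffs/scripts/firewall-start` user script would express it, plus the matching rule for the FORWARD chain in case the router itself exposes a DMZ host. The WAN interface name (`eth0`, usually confirmed with `nvram get wan0_ifname`) and the use of `iptables -C` to keep re-runs idempotent are assumptions. The caveat the post's own tests demonstrate also applies here: in DMZPlus mode the RG still terminates the public IP on its own stack, so nothing on the downstream router can stop the RG from answering; these rules only govern what the router does with traffic the RG forwards to it.

```shell
#!/bin/sh
# Added example, not from the original post or from AsusWRT-Merlin itself.
# Drops ICMP echo-request arriving on the WAN interface of a downstream
# router. Assumed (hypothetical): the WAN interface is passed in ($1, eth0
# by default) and the file lives at /jffs/scripts/firewall-start on a Merlin
# router, which re-runs it on every firewall restart; hence the -C check.
# Caveat shown by the post's tests: with DMZPlus the RG still owns the
# public IP and answers ping itself; these rules only affect the router.

# Emit rule specifications (everything after the word "iptables"), one per
# line. Separating generation from application lets the set be reviewed
# before it touches a live firewall, and lets a test check it offline.
icmp_wan_rules() {
    wan="$1"
    # Pings addressed to the router's own WAN IP are delivered to INPUT.
    printf '%s\n' "INPUT -i $wan -p icmp --icmp-type echo-request -j DROP"
    # Pings to a host the router exposes through its own DMZ or port-forward
    # feature traverse FORWARD instead, so cover that path as well. Outbound
    # pings from the LAN leave with -o, not -i, so they are unaffected.
    printf '%s\n' "FORWARD -i $wan -p icmp --icmp-type echo-request -j DROP"
}

# Insert a rule at the top of its chain only if an identical one is not
# already present, so repeated firewall restarts do not stack duplicates.
ensure_rule() {
    iptables -C "$@" 2>/dev/null || iptables -I "$@"
}

# Apply every rule from icmp_wan_rules to the running firewall.
apply_icmp_wan_rules() {
    icmp_wan_rules "$1" | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # splitting $spec into arguments is intended
        ensure_rule $spec
    done
}

# Only touch the firewall when explicitly asked, e.g.:
#   sh firewall-start --apply eth0
# Without --apply the script just defines the functions, so it can be
# sourced or tested without root or iptables present.
if [ "${1:-}" = "--apply" ]; then
    apply_icmp_wan_rules "${2:-eth0}"
fi
```

Before and after applying, verify from an outside vantage point exactly as the post does (ShieldsUP! and a phone on the cellular network, not a device on the LAN), because a LAN-side ping never crosses the WAN rules. `iptables -L INPUT -v -n` on the router will show the packet counters on the DROP rule climbing while an external ping is running, which tells you whether the echo requests are even reaching the router or are being answered upstream by the RG.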