mike7890's profile

Contributor

 • 

2 Messages

Thursday, December 31st, 2015 6:59 AM

VPN Server behind Pace router - How to configure router

My old U-verse router failed, AT$T replaced it with a Pace 5268AC.  Now my VPN router is not working. It has been working for 4 years with no problems.

It's in the DMZ, I have remote access to the VPN server, but can't get the VPN client to connect.

I'm in ASIA right now! I called AT$T and after 15 min they decided to connect me with a specialist, who put me on hold. …. AT$T 

  1. I need a manual on the Pace 5268AC. Can't seem to find one online!
  2. How do I set it up for remote access?
  3. How do I set it up so my VPN server works?

HELP!

Employee

 • 

1 Message

7 years ago

I also have the 5268 U-verse router.  I have no problems switching to the Arris, have we proven it works for pptp?

 

Contributor

 • 

1 Message

7 years ago

I also had the same issue.  Our VPN worked without issues for 7 years, then the modem failed and was replaced with a Pace 5268 modem.  We worked with the tech dispatch and set our device on the DMZplus, as it's called and the only available option; this did not allow a complete VPN tunnel (pretty much just a one way out and not in). So, I searched the Wiki pages and found that DMZplus mode still has the Pace firewall in place, which explains our partly working VPN.    Also there is a bridge mode, but the Pace 5268 modem that we received had the old firmware, so this option was not available. Nor was it possible to upgrade the firmware, as there are no options to do so.  Possibly locked by AT&T.  

 

I think the easiest option would be to replace the Pace 5268ac with Arris 599, since it will work out of the box with more available setting options.

 

https://wiki.sonic.net/wiki/Pace_5268AC.

 

Mentor

 • 

33 Messages

7 years ago

@fordtrbo The Arris allows pass-through/bridging (whereas the Pace does not). With pass-through enabled (and pointed at the MAC addr of your router), ATT will issue an address directly to your router and then IP/VPN/firewall/traffic management is all yours.

 

PK

Teacher

 • 

6 Messages

7 years ago

Just to add to the last comment from piersonk to fordtrbo: while the Arris does allow a passthrough mode which will pass PPTP traffic, it is still not true bridging, and there is no way to get around the ~2000 NAT table entries limit of AT&T's modems. If you are a power user and have a lot of incoming/outgoing connections, you may run into issues with packet loss.

Contributor

 • 

1 Message

7 years ago

I just had AT&T swap out the Pace 5268 with an Arris BGW210.  Now I can connect my company's VPN and pass traffic!

Contributor

 • 

2 Messages

7 years ago

We just moved to new apartments with AT&T service and Gigabit fiber and the 5268ac gateway.     The Asus n66u router's MAC is set in the gateway as DMZ+ box checkmarked.  Everything was working fine.  The port forwarding, reserved IPs, NAT loopback, etc. all handled by the Asus just fine.  but...

 

Same as many of you I initially couldn't access the VPN on the asus router from outside my LAN even though the router was set in DMZ+ mode on the 5268ac gateway.

 

It is working now though.  In the 5268ac Advanced Firewall Configuration I disabled a bunch of stuff.  I disabled "Stealth Mode" and also disabled ALL of the "Attack Detection" settings.  Apparently, even in DMZ+, those settings were blocking the Asus VPN traffic.  Now I can use vpn on the Asus n66u that is in DMZ+ mode behind the 5268ac gateway.

 

5268ac Firewall Config.PNG

1 Attachment

Contributor

 • 

1 Message

7 years ago

Hi Benny,

 

I tried what you suggested and I'm still unable to get my VPN working. I was on the phone with ATT for 1 hour and 24 minutes, they are reluctant to send me another router and are telling me to contact Netgear instead. I'm getting the error message: TLS error: TLS handshake failed.

 

Can anyone help me?

Thanks.

Contributor

 • 

2 Messages

7 years ago

Hi @mikah_no

 

Is your VPN server on or behind a device that has DMZ+ as mine does?  I have an Asus router behind the 5268 Gateway and the Asus MAC has been put in DMZ+ mode on the Gateway pinhole settings page.  My VPN Server is PPTP and it resides on the Asus router.  Then I had to disable all of those firewall settings on the gateway as shown in my screenshot earlier.  Also, if you have any port forwarding or firewall between the gateway and the VPN server make sure it allows UDP as I think OpenVPN uses UDP.

 

I'm using PPTP rather than OpenVPN on my Asus N66U router. 

 

I'm connecting to the remote PPTP VPN remotely using Windows VPN software.  I had to tell Windows to specifically use PPTP because when Windows would otherwise try to automatically detect the VPN type it would always fail.  

 

Let me know if this helps or not and maybe I can post more screenshots of my setup to avoid any ambiguity.

 

Windows VPN client settings when connecting to remote PPTP VPN

 7-18-2017 12-31-39 PM.png

1 Attachment

Tutor

 • 

5 Messages

6 years ago

My VPN used to work with my NVG599, and it stopped working a couple months ago. I'm not happy. I've moved ports around and it just doesn't seem to help. So the NVG599 worked and now it doesn't. Hardware hasn't changed. I'm guessing the Deathstar started filtering for some reason.

Contributor

 • 

1 Message

6 years ago

Most likely modem blocking inbound protocols ESP(50) and AH(51). You can establish an IPsec tunnel but encrypted traffic will be dropped after Phase1 and Phase2 are established. My advice, request AT&T to replace your Modem, apparently the latest model is Arris BGW210. 
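
A way to check for the symptom described in this thread (the VPN handshake gets through the gateway but the tunnel traffic does not), as an added example that is not part of any post above. It classifies raw IPv4 packets seen on the VPN router's WAN side and goes beyond the ESP/AH case to cover PPTP, whose data channel is GRE (IP protocol 47); the addresses and packets are constructed sample data and the function names are hypothetical.

```python
import struct
from collections import Counter

# IP protocol numbers: ESP(50) and AH(51) carry IPsec data, GRE(47) carries PPTP data.
TUNNEL_PROTO = {47: "GRE", 50: "ESP", 51: "AH"}

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at zero) for the sample data."""
    addr = lambda ip: bytes(int(x) for x in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def ports(sport, dport):
    """First four bytes of a TCP or UDP header."""
    return struct.pack("!HH", sport, dport)

def classify(pkt):
    """Return (destination IP, label) for one raw IPv4 packet."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto in TUNNEL_PROTO:
        return dst, TUNNEL_PROTO[proto]
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if proto == 17 and dport == 500:
            return dst, "IKE"
        if proto == 17 and dport == 4500:
            return dst, "NAT-T"        # ESP is UDP-encapsulated, raw ESP not expected
        if proto == 6 and dport == 1723:
            return dst, "PPTP-control"
    return dst, "other"

def diagnose(packets, vpn_ip):
    """Report control traffic that reaches vpn_ip without its data protocol."""
    seen = Counter(lbl for dst, lbl in map(classify, packets) if dst == vpn_ip)
    findings = []
    if seen["IKE"] and not (seen["NAT-T"] or seen["ESP"] or seen["AH"]):
        findings.append("IKE arrives but no ESP/AH: protocols 50/51 dropped upstream")
    if seen["PPTP-control"] and not seen["GRE"]:
        findings.append("PPTP control arrives but no GRE: protocol 47 dropped upstream")
    return findings

# Constructed capture: handshakes reach the VPN server, tunnel data only leaves it.
VPN, PEER = "192.0.2.10", "198.51.100.7"
SAMPLE = [
    ipv4(PEER, VPN, 17, ports(500, 500)),     # inbound IKE
    ipv4(VPN, PEER, 50),                      # outbound ESP only
    ipv4(PEER, VPN, 6, ports(50000, 1723)),   # inbound PPTP control
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, VPN):
        print(finding)
```

An empty result on a capture that does contain handshake traffic means the data protocol is arriving, so the gateway is not the component dropping it.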
