10-12-2017 12:53 PM
I just had an AT&T fiber system installed, and I'm really not a fan of the modem/router box that was given to me. With all the other boxes I've had, I've been able to turn them into a simple pass-through and get a WAN address on my PFSense box, which handles the majority of my network service needs (NAT, port forwarding, DHCP, DNS, firewall, monitoring). I need to be able to set up the same thing with this new hardware. Is it possible to set the AT&T box into a simple bridge mode and for my PFSense box to get an external IP on its WAN port? I've heard DMZ+ mode may be what I'm looking for, but I would much rather not use that if I don't have to. If that's my only option, could someone explain to me the difference between a "bridge" mode, and DMZ+?
10-13-2017 7:09 AM
In DMZplus mode, the gateway still looks at all the packets coming in to decide what to do with them (whereas in bridge mode, it just forwards everything). Unsolicited traffic that is not filtered (per any filtering rules) is forwarded to the DMZplus device, where VOIP/IPTV traffic, or any traffic that matches an established NAT connection, is processed or forwarded based on the NAT table. When the DMZplus device requests an IP address via DHCP, it is given the public IP address from the external interface of the Gateway.
Thus DMZplus mode operates pretty much like bridge WRT the device designated in DMZplus mode, but does have additional overhead, and can still handle other directly connected devices.
10-13-2017 7:22 AM
Thanks JefferMC, exactly the explanation I was looking for. I will try to set up DMZ+ and report back.
Just to be clear...this device does *not* support any pure bridge mode; DMZ+ is the only option?
10-13-2017 9:00 AM
Yes, because this device is positioned as a multi-service gateway, the custom AT&T firmware does not have a bridge mode.
10-14-2017 8:24 AM
So another question: I want to make my PFSense box the authoritative machine offering network services. In particular, DHCP and DNS. Should I disable these on the AT&T box, which would make the PFSense box the sole DHCP server on the LAN?
- edited 10-14-2017 5:07 PM
You cannot turn off DHCP or DNS on the Gateway. However, if you disable WiFi on the Gateway, and hook all your devices to your PF Sense, then it will be the only DHCP server that any of your clients see (as the PF Sense should not pass the requests through). The PF Sense will be told to use the Gateway as its DNS Resolver during its DHCP negotiation with the Gateway, but you can override that if you wish (you can also lock the public IP address in as a static if you wish to prevent any temporary disconnects from a DHCP renewal failure), and it will likely default to handing out its own IP as the DNS server address.
01-24-2018 7:53 AM
Your response was extremely helpful. I have one further complication in that I have/use 8 additional IPs, and one of them I use all the time. If I place the Pace in DMZPlus mode, how can I be assured that all ports on my 'additional' IPs, or as they call it (User Defined Supplemental Networks), will get forwarded? I, too, want to manage everything at my ASUS RT-AC66U.
- edited 01-24-2018 9:19 AM
... If I place the Pace in DMZPlus mode, how can I be assured that all ports on my 'additional' IPs, or as they call it (User Defined Supplemental Networks), will get forwarded? I, too, want to manage everything at my ASUS RT-AC66U.
So you've purchased a public static /29 IP block from AT&T and have it configured as a Supplemental Network. The default DMZplus configuration would not cause that to be routed to your DMZplus device, as DMZplus is really only intended for traffic on the public "dynamic" address. The Cascaded Router feature is intended to allow you to define a router. I do not run this configuration myself, so I don't have concrete guidance here. Another poster was having difficulty with Cascaded Router and switched to Supplemental Networks (without the router) and was happy. Normally I would say turn off Supplemental Networks and turn on Cascaded Router in its place. If that doesn't work for you, try turning them both on, I guess. Post back here and let us know how it turns out.
01-25-2018 11:13 AM
03-19-2018 4:20 PM
Did you ever come up with a solution to this problem?? I am in the same situation and would really like to get my ATT Pace 5268AC into true bridge mode.
03-19-2018 6:19 PM
There is NO BRIDGE MODE available in the 5268ac, or any other AT&T Gateway for Fiber or VDSL2/ADSL2+ service. (Yes, the DSL modems do have bridge mode).
DMZplus is as close as you can get with a 5268ac.
03-19-2018 7:50 PM
To answer your question, I did get my Pace 5268AC to work as I wanted it to and am happy to say my router (ASUS RT66U) controls everything on my network. I am providing some commentary below to kind of grease the skids. The exact instructions are listed at the bottom step by step. Use them exactly as stated.
To be really specific, JefferMC's (with his oversized/multi colored lettering) statement is correct; there is no official bridge mode. The term that ATT uses for this device is DMZ Plus.
Call it what you want, but in the end you get every port opened and transferred to your router. Additionally, and in an unexpected way, your router's WAN will share the Pace's WAN static IP address. This makes your router accessible from outside should you want it to be.
The fact of the matter is that the IP from the Pace will be dynamically assigned as your router's WAN IP, and this is done through the step by step process below. It's a funky way of using the DMZ function but it works.
Another neat thing is that the Pace will continue to assign DHCP addresses to things you want to attach to the ports on the back of it. This last part may sound a little confusing but after you go through this setup process it will all become clear.
The step by step directions below are a reprint from the author identified at the top. I added some clarifying detail to resolve some minor confusion.
I am confident you will be successful after applying this. Mine has been working just fine.
Dec 29, 2016 1:32 PM
Re: Is Pace 5268ac capable of bridge or IP passthrough mode?
The answer is YES! I just did it (with ATT support). All steps are done through Ethernet.
Step one: Connect the ATT router (say Ethernet port 1) to the WAN Ethernet port on your personal router.
Step two: Connect an Ethernet cable from your computer to the LAN connection on your router.
Step three: Find the "DHCP IP address" from the WAN interface on your personal router (will likely be 192.168.1.x, or typically the DHCP Gateway Address). Make note that the ATT Pace 5268AC's default is 192.168.1.254.
Step three.a: Log in, or while logged into your personal router, set the WAN Connection type to Automatic IP or whatever setting the router has that will automatically acquire an IP from the PACE 5268AC modem.
Step four: Go to the PACE FIREWALL page, "Applications/Pinholes and DMZ", and look for section "1". In that area there will be a cell window where you can type in the known WAN address of your personal router (192.168.1.x).
Step five: Put that IP address in the window and click the button to the right called CHOOSE.
Step six: Scroll down to Options "2" area and at the bottom there is a radio button to ‘forward ALL traffic to your (it says computer, but we know it's your router)’. Enable that button and click on the save button.
Step seven: If you look at the STATUS tab on the ATT FIREWALL Status tab now, you'll see ALL/ALL inbound traffic to be directed to your ROUTER.
Step eight: Turn off your router now.
Step nine: Reboot the ATT PACE 5268AC router and wait until you see the "Service" light come on blinking actively. This will take oh....2 minutes? Once the Service light is on....turn your personal router on.
Step ten: After your personal router boots, log into it and you should see the WAN interface with the PUBLIC IP on it.
Note: all ports will be forwarded and open. Make sure your router has only ports open that you want open.
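
A check that fits step ten and the closing note of the procedure above, added here as an example (it is not part of the original post or of AT&T's documentation): it classifies the router's WAN address and lists the listening ports that DMZplus-forwarded traffic could reach. The `ss -tln` sample lines, the 203.0.113.7 documentation address, the /24 size of the gateway LAN and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: `ss -tln` style listener lines from a Linux-based router.
# 203.0.113.7 is a documentation address standing in for the public WAN IP.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    192.168.50.1:80     0.0.0.0:*
LISTEN 0      128    127.0.0.1:53        0.0.0.0:*
LISTEN 0      128    203.0.113.7:8443    0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

# Assumption: the 5268AC LAN is 192.168.1.0/24 (the steps give 192.168.1.254).
GATEWAY_LAN = ipaddress.ip_network("192.168.1.0/24")
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def wan_lease_state(wan_ip):
    """Step ten: did the router's WAN get the public IP or a gateway LAN lease?"""
    addr = ipaddress.ip_address(wan_ip)
    if addr in GATEWAY_LAN:
        return "gateway-lan"  # DMZplus has not taken effect yet
    return "private" if any(addr in n for n in NON_PUBLIC) else "public"

def parse_listeners(ss_text):
    """Return (bind_address, port) pairs from the LISTEN rows."""
    pairs = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        host, _, port = fields[3].rpartition(":")
        pairs.append((host.strip("[]").split("%")[0], int(port)))
    return pairs

def wan_facing_ports(listeners, wan_ip):
    """Ports bound to a wildcard or to the WAN address itself.
    These are the ones to compare against the router's WAN firewall rules."""
    wan = ipaddress.ip_address(wan_ip)
    ports = set()
    for host, port in listeners:
        if host == "*" or ipaddress.ip_address(host).is_unspecified \
                or ipaddress.ip_address(host) == wan:
            ports.add(port)
    return sorted(ports)

if __name__ == "__main__":
    wan = "203.0.113.7"
    print(wan_lease_state(wan), wan_facing_ports(parse_listeners(SAMPLE_SS), wan))
```

A port in the result is only a candidate for exposure; whether it answers from the Internet still depends on the router's own inbound firewall rules.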
- edited 03-24-2018 11:38 PM
Why in the world does AT&T not offer a modem for single-service customers, particularly for their fiber users?! And TWC had both single-service and multi-service modems (although they did not output coax like these do) and they all had a true bridge mode.
While I see a lot of claims that the dmz+ mode is just as good as a true bridge mode, the reality is that it causes a lot of issues and conflicts when you try to do anything other than just web browsing. It's not just "overhead", it causes lots of strange issues with services disconnecting randomly or being blocked altogether because the att modem is still filtering traffic that it should not be.
This is all likely just a software issue and should be turned off, especially when a customer is paying for gigabit service (my service just went up another $10 as well).
We need a better explanation than "we use these modems for other things as well so we need to have control over that whether you use them or not".
04-29-2018 9:25 PM
Totally agree with you wellivea1. When I set it up in 2016, it did NOT work with my Airport Extreme and it was maddening because some devices on the network worked, others did not. Finally had to put the Airport in Bridge Mode (yes, it has it), and stuff worked...but now I can't get a single WiFi network throughout my house using any of the new mesh systems because they ALL require full control of the network to take advantage of all the features...like Ethernet Backhaul. Maybe someone will hack together a modem to solve this problem...I would drop $100 on a DIY kit to solve this problem...