SteveOC's profile

Tutor


9 Messages

Thursday, August 15th, 2019 4:18 AM

5268ac firewall blocking public static IP addresses

I have a public IP subnet that I pay for from AT&T on my Uverse Internet service at home. I’ve had this configuration for 5+ years and never had a problem until now. This was originally set up on a 2Wire modem. Early this year I upgraded service and the 2Wire was replaced with the Pace 5268ac modem. The 5268ac has continued to work perfectly until now.

I have a Fortigate firewall behind the Pace modem so I want the Pace to pass the traffic without any firewall intervention from the Pace. This has been working fine (for years) until now. In the Pace under Settings->Broadband -> Link configuration, I have the public IP range defined in the Supplementary Network section. All my public IPs route properly to/from the Fortigate firewall. I only use two of the static addresses for traffic. Both continue to work fine for all outbound traffic. However, inbound traffic recently stopped working on one of them. After much poking around, I’ve nailed it down to the Pace blocking all inbound traffic and not recognizing the second public IP.

In the Pace, under Settings->LAN->LAN IP Address Allocation, the modem (in the past) listed both static IPs. It picked them up automatically. From there I simply selected “Disable” firewall for each IP and everything works fine. Suddenly it is only recognizing one of my two public IPs in this configuration screen. That one continues to work fine, the other does not (for inbound traffic), all outbound for everything continues to work properly. Somehow in the last few days the modem stopped recognizing the additional static IP addresses. Looking at the modem’s firewall log, I can clearly see it blocking inbound traffic to my one public IP that it doesn’t recognize in LAN IP Address Allocation.

I’ve tried various changes to the modem, firewall settings, routing settings, up to and including a factory reset. It continues to only see one of my static IP addresses, so I can’t disable the firewall on the other.

What has changed in recent days or weeks that now the modem only sees one static IP address even though it is properly routing the entire subnet? In doing some digging online, it looks like the 5268ac recently received firmware updates, so it wouldn’t surprise me if a firmware update broke this. Anyone have any ideas?

Community Support


231.3K Messages

5 years ago

Hi @SteveOC,

We will be happy to help!

Here's a great support page that may shed some light on your configuration. 

For expert advice on your home networking and setup, we suggest finding the correct answers to your networking issues from our ConnecTech team of experts.

Thank you for contacting us on AT&T Community Forums!


Lafayette, AT&T Community Specialist

Tutor


9 Messages

5 years ago

I appreciate the response, but DMZ+ mode won't work for me as I've tried it in a variety of ways.  The biggest problem with DMZ+ mode is it requires the device behind the Pace to obtain one of my public IP addresses via DHCP in the Pace.  That is not an option in my configuration and I've never needed to do that before.  I have the Fortigate behind the Pace and it has a static public IP address, plus it ARPs for the additional public static IP addresses in use on my network.  I cannot configure my equipment to request IPs via DHCP as they all appear to come from the same MAC address (the Fortigate).  And I shouldn't have to.  This was all working fine until the firmware upgrade broke it.

I've tried to use DMZ plus but it won't let me specify additional IP addresses in my public range that I have statically configured, it just fails.  And as previously mentioned, I've never needed DMZ+ before.

I appreciate the suggestion for ConnecTech experts but I doubt any of them have seen a home setup like mine.  I have Enterprise grade equipment with four managed access points, multiple network switches, VLANs and a DMZ.  I have decades of network design and security experience.  It's often the simple things that trip you up and this seems to be one of them.

I might point out that this also shows that the "Auto Firewall Open" checkbox under Settings->Broadband->Link Configuration (where I added my public subnet) does not work.  If it did, the Pace would pass all my static IPs without firewall interference, but that has never worked.  I've always had to disable the firewall for each public static IP in use under Settings->LAN->LAN IP Address Allocation.

I very much would appreciate additional suggestions or perhaps find a way to down-rev my modem firmware.  If I can't resolve this problem I will need to switch Internet providers.
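A diagnostic that fits the setup described in this post (added example code, not from the original thread, AT&T or Fortinet): since the Pace appears to learn its LAN IP Address Allocation entries from ARP, a host on the public subnet can confirm that every in-use static IP actually resolves to the firewall's MAC. The `ip neigh` output, addresses, MAC and interface names below are constructed sample data.

```python
import ipaddress
import re

# Constructed sample of `ip neigh show` output from a host on the public
# subnet (addresses, MACs and interface names are made up for this example).
SAMPLE_NEIGH = """\
203.0.113.10 dev eth1 lladdr 00:09:0f:aa:bb:01 REACHABLE
203.0.113.11 dev eth1 lladdr 00:09:0f:aa:bb:01 STALE
203.0.113.12 dev eth1 FAILED
203.0.113.13 dev eth1 lladdr 00:aa:bb:cc:dd:ee REACHABLE
192.168.1.254 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""

# One neighbour entry: "<ip> dev <if> [lladdr <mac>] <state>"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))? (\S+)$")


def parse_neigh(text):
    """Return {ip: (mac or None, state)} for each line of `ip neigh` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, _dev, mac, state = m.groups()
            table[ip] = (mac.lower() if mac else None, state)
    return table


def check_static_block(neigh_text, public_block, firewall_mac, used_ips):
    """Classify each in-use public static IP:
    'ok'            resolves to the firewall's MAC (proxy ARP is working)
    'unanswered'    no ARP reply recorded, so the modem will not list it
    'foreign-mac'   another host is answering ARP for that address
    'outside-block' the address is not in the supplementary network at all
    """
    block = ipaddress.ip_network(public_block)
    table = parse_neigh(neigh_text)
    fw = firewall_mac.lower()
    result = {}
    for ip in used_ips:
        if ipaddress.ip_address(ip) not in block:
            result[ip] = "outside-block"
            continue
        mac, state = table.get(ip, (None, "MISSING"))
        if mac is None or state == "FAILED":
            result[ip] = "unanswered"
        elif mac != fw:
            result[ip] = "foreign-mac"
        else:
            result[ip] = "ok"
    return result
```

Any address reported as `unanswered` is one the modem cannot have learned, which matches the symptom of an IP missing from LAN IP Address Allocation.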

Community Support


231.3K Messages

5 years ago

@SteveOC,

We are out of suggestions for the correct path to your issue in finding a solution without further research in your network blueprint. I do recommend contacting ConnecTech for assistance.

Thanks again,

Lafayette, AT&T Community Specialist

Tutor


9 Messages

5 years ago

So you don't have a way to escalate problems like this to senior engineers or the modem manufacturer?  Clearly something is broken and they need to know about it.  It's rather disappointing that there's no further support path.

Community Support


231.3K Messages

5 years ago

Hello @SteveOC,

We understand that you're still having issues with your setup. Don't worry, we can point you in the right direction.

In this case you would need to contact ConnecTech for your advanced setup. Also check out this page here that could help with your static IP issue.

Charles, AT&T Community Specialist

Tutor


9 Messages

5 years ago

So what exactly will ConnecTech do that I haven't done myself?  Reading their website does not instill confidence.  Do they have access to senior AT&T engineers?  If they don't solve this problem, do I still have to pay?  Doesn't seem right that I have to pay for support for something AT&T broke.  Can anyone give me feedback on ConnecTech and what they'll do for me?  I'm hesitant to go down that road since I've done everything they are likely to do.

And I looked at the Static IP help page that was suggested.  It didn't tell me anything I didn't already know or have tried.  As previously mentioned, I can't use DHCP for my public IP address and shouldn't have to.  I should be able to statically assign an IP to my equipment and it should work (as it did for years until the f/w update).

Any additional information would be appreciated.

Tutor


9 Messages

5 years ago

I finally resolved my problem and ConnecTech was not involved.  I asked around to other contacts I have and someone ultimately pointed me to the AT&T Investor Relations page and the Executive Customer Care Contact link.  A little information here describing my problem and I had a phone call from the "Office of the President" the next day.  They had the engineers start looking at the problem immediately, contacting me twice on the first day.  A few days later (after a weekend) they called me and had the problem resolved.

The guy I spoke to was relaying information from the engineers and wasn't entirely clear on the root problem but identified two things.  1) Since I'm running a set of fixed public IPs that I pay for, the firmware upgrade should not have gone out to my modem.  2) They logged into my modem and disabled entirely the DMZ+ feature.  After they did this, all my static, public IPs in use appear in the LAN IP Address Allocation screen and I can disable the firewall on each IP.  Everything is working as it was. I'm fairly confident ConnecTech would have been no help in this scenario.

I'm happy AT&T got the right, knowledgeable engineers involved and was able to quickly resolve my problem.  I did ask if I could have disabled DMZ+ mode myself and the guy I spoke with said yes but wasn't clear how to do this.  I spent a lot of time tinkering with that feature but never found a way to completely disengage the DMZ+ feature.  As it stands now, looking through the menus, there is no mention of the DMZ+ feature on my modem any more.

At any rate, I'm glad it's done and will leave this note here in case anyone else comes across this problem in the future.

Tutor


4 Messages

5 years ago

I am attempting a similar tack for my problem with the Pace 5268AC modem.  @ATTCares asking a customer to pay extra to fix a carrier problem is tacky, and unprofessional.

https://forums.att.com/t5/AT-T-Internet-Equipment/Known-Problems-with-DMZ-Bridge-on-5268AC/m-p/6001087#M48723