How to fake bridged mode with U-Verse

I have worked out a way to simulate full bridged mode between a U-Verse RG and an enterprise grade router.


It's not identical to U-Verse in bridged mode, but it is pretty close.



  • AT&T U-Verse VDSL service with the Static IP add-on. (I'll be using the 8-IP block in this case.)
  • A router capable of running a routing redundancy protocol, such as HSRP, VRRP, or GLBP.
  • A device connected to the internet that is NOT using your U-Verse service (for testing functionality from the outside, where it matters; smartphones work great for this, or just call a friend who has a PC handy).

The problem:

The AT&T RG abuses ARP to ensure that a static IP has to be assigned by MAC address. One MAC = One static IP. This effectively prevents you from routing the whole block to an internal router or firewall, because such devices will respond for all usable addresses using the same MAC. Why the RG chooses to do this is beyond me, but it is what it is and we have to work around it.

When the RG sees what it thinks is the internal device changing its IP while keeping the same MAC (because multiple IPs are bound to one interface), it updates the device's "current IP address" in the IP Address Allocation tab and severs all TCP connections to the old address, and the firewall then blocks all attempts to connect to the old address, since it no longer sees that address registered to any internal device.

Ultimately, this means that if we intend to use our own internal device to protect and control our static IP block, we have to get our device to lie to the RG and present itself as several unique MAC / IP pairs.

This is difficult because, by definition, most routers and firewalls only have one MAC and are not capable of generating more. Even high-end Cisco routers do not allow you to add an arbitrary number of MAC addresses to an interface, because it shouldn't be necessary -- they assume other devices know how to use ARP.

The solution:

To solve this, we have to fake out the RG into cooperating. We can accomplish this fakery by doing some protocol abuse of our own -- running a routing redundancy protocol even though we have no peer router to balance with. In this example I'll be using Cisco's HSRP, although in theory this will work with any redundancy protocol that creates virtual IPs and MACs. Routing redundancy protocols use these fake MAC + IP pairs as floating "virtual interfaces" that would normally flip between two routers running the protocol, so that in the event of a failure none of the clients have to re-learn a MAC and IP. Nobody has to ARP and you get a very quick failover. We're going to use that to fake out the RG.


  • The static IP range AT&T gave us is (.1 through .5 usable, .6 is the RG)
  • We will use .5 as our router's actual address, .1 through .4 will be virtual.
  • When I say "LAN IP range" I am NOT talking about the RG's default LAN range of, I mean the addressing space we choose to use behind our router handling the static IPs.
  • The LAN IP range behind our router is
  • We have two computers on the LAN:
  •         PC1 =, on which we want to expose all services to the world as
  •         PC2 =, on which we want to expose JUST a web server to the world as
  • We want to provide outbound internet access to all hosts in using the router's actual static IP, We will use a NAT overload (or PAT) to accomplish this.


Step 1) Log in to the RG and make the following settings changes:

    * Settings
        * Broadband
            * Link Configuration
                * Supplementary Network
                    * Check Enable
                    * Place the router's address (the last usable address of the subnet) into the Router Address field.
                    * Fill in the subnet mask
                    * DO NOT check Auto Firewall Open
                    * Save
        * LAN
            * DHCP
                * Make sure "New Device DHCP Pool" is set to "Private Network"
                * Save
        * Firewall
            * Advanced
                * Enhanced Security
                    * Disable Stealth Mode (Useful for troubleshooting)
                    * Disable Block Ping (Useful for troubleshooting)
                    * Disable Strict UDP Session Control (I have found that this can interfere with VOIP apps)
                * Attack Detection
                    * Disable Excessive Session Detection (The RG's definition of "excessive" is a bit small)
                    * Disable Invalid Source/Destination IP Address (For some reason this seemed to interfere)
                    * Disable Invalid ICMP Detection (Seems to block ALL ICMP??)
                    * Save

Step 2) Unplug all but your configuring PC from the RG.

Step 3) Under Diagnostics -> Resets, Clear the RG's device list.

Step 4) Unplug your PC from the RG and reconnect.

Step 5) The RG is now ready to accept statically assigned addresses from our router.

Step 6) Configure the router. This part will require familiarity with your chosen device. I'll provide the commands as a Cisco IOS configuration file with comments. If your device is not a Cisco box, hopefully this will give you enough information to configure it properly.

    ! Cisco IOS Configuration File
    ! Version 12.4

    ! Set up the inside interface
    interface FastEthernet0/0
        description LAN (TO SWITCH)
        ip address
        ip nat inside
        no shutdown

    ! Set up the outside interface
    interface FastEthernet1/0
        description WAN (TO RG)
    ! Assign the router the last usable IP in the range (right before the RG)
        ip address
        ip nat outside
        no shutdown
    ! Create a virtual HSRP IP+MAC pair for each usable IP address (except the one already assigned above).
    ! Make sure that your MACs are unique. I like to start them with 0000 to signify a locally-administered address,
    ! and end them with 1 + the three-digit last octet of the IP it's associated with. This makes it easier to
    ! figure out which is which in the RG's configuration later if anything gets messed up.
    ! (Note: the locally-administered flag is actually bit 0x02 of the first octet, so 0200.0000.xxxx would be the
    ! formally correct form; any address that is unique on the segment and does not collide with a real device
    ! works for the RG.)
    ! The HSRP timers are slowed down per group (no need to check for a non-existent peer every 1 second) and each
    ! group is set to preempt so this router becomes active (it will never come up otherwise). Both "standby timers"
    ! and "standby preempt" apply only to group 0 when given without a group number, so they are repeated per group.
        standby 1 ip
        standby 1 mac-address 0000.0000.1001
        standby 1 timers 254 255
        standby 1 preempt
        standby 2 ip
        standby 2 mac-address 0000.0000.1002
        standby 2 timers 254 255
        standby 2 preempt
        standby 3 ip
        standby 3 mac-address 0000.0000.1003
        standby 3 timers 254 255
        standby 3 preempt
        standby 4 ip
        standby 4 mac-address 0000.0000.1004
        standby 4 timers 254 255
        standby 4 preempt

    ! Configure our default gateway and default route to be the 3600HGV's address in the static block
    ip default-gateway
    ip route

    ! Use NAT to expose PC1,, to the internet on all ports as
    ip nat inside source static

    ! Use NAT to expose JUST the web service on PC2,, as
    ip nat inside source static tcp 80 80

    ! Create a NAT overload (PAT) to let the listed devices share our router's address for internet access:
    ip nat inside source list ACL-INET interface FastEthernet1/0 overload

    ! Create the ACL-INET access list and configure it to allow all PCs to use the overload:
    ip access-list standard ACL-INET
        10 permit



Message 1 of 18

Re: How to fake bridged mode with U-Verse

d3phoenix wrote:


To solve this, we have to fake out the RG into cooperating. We can accomplish this fakery by doing some protocol abuse of our own -- running a routing redundancy protocol even though we have no peer router to balance with.


Cunning and brilliant. Hats off, and kudos given.


I must point out that the end setup is still not quite like it should be -- which would be to insert a static route into the RG and actually run the static IPs behind the Cisco.  This method requires the 1-to-1 static NAT configuration on the Cisco, although in practice, that generally works perfectly for 99% of protocols, including esoteric setups like VPN.


Nevertheless, a big step forward from where the 2Wire had left us. I run on a Cisco 2811 in my house myself, and I'm tempted to get a static IP block just to try this out. ;)



Message 2 of 18
Accepted solution, marked by ms_unicorn (Former Employee), 09-30-2015 1:39 AM

Re: How to fake bridged mode with U-Verse



Step 7) Connect the router's WAN interface to the RG.

Step 8) Log back in to the RG, and do the following:
    * Go to Diagnostics -> IP Utilities
        * Ping all five usable addresses; the one on the router, and each of the virtual ones.
        * This will make each of the router's static addresses show up in the RG's LAN settings.
    * Go to LAN -> IP Address Allocation
        * Verify that each of your IPs is showing up.
        * Set the firewall to DISABLED on all of your static IPs. This ensures that all ports are open to the outside world, except 445 (and possibly a few others), which the RG will always block. You may now configure NAT and firewalling as you see fit on your own devices.

The key is in the F1/0 interface's configuration. When handling NAT, the router uses the most specific matched IP + MAC, whether it's physical or virtual, to handle packets. This successfully fakes out the RG and lets us NAT our public IP space however we want!

Caveats and other thoughts:

  • Cisco devices have a limit to the number of HSRP groups they can create, and each one you add adds to CPU overhead. On my device, the limit is 32, so I had no problem. Older devices, however, can have limits as low as 8. Make sure you check up on this before trying this with a larger block of addresses. I only recommend this solution for blocks of 8 or 16. (5 or 13 usable).
  • The NAT implementation I have above is very simple, but you can do a lot more complicated things. If you have a firewall that supports HSRP/VRRP/GLBP, then I imagine you could run it on that, too.
  • Security is not taken into account in the configuration above. Because we are bypassing the RG's firewall, you will probably want to incorporate a firewall or at the very least harden your systems and scan them for open ports, as they WILL be more exposed to the outside than before.

I hope that this helps someone out there. Good luck -- feel free to PM me if you have trouble implementing this.


Agreed -- it's still not perfect, but I've found it to be adequate for my needs. Fortunately I'm not running anything super esoteric that NAT will break.


If anyone out there is, though, I think that the workaround will be fairly simple: remove one of the HSRP groups and then assign that freed static address directly to the device. Make sure to ping it from the diagnostics tab to get it to update in the RG properly. Also make sure that the device does not respond to ARPs on its exterior interface with the inside address of the box, or the RG will cause some very strange behavior.


Here is a link that I found very helpful in my initial troubleshooting of the design -- he includes a brief instruction on how to fix the interior/exterior ARP issue on Linux, too:




I forgot to include that link in the main post -- it was very helpful in pointing me in the right direction as far as what the problem actually was, so that I could solve it.


Hopefully AT&T / 2Wire will realize that the RG has some serious limitations with regard to their static IP offerings, and their next RG model will conform a bit better to standards :)



Message 3 of 18
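The address and MAC plan behind Steps 1 through 8 and the caveats above, worked through as an added example; this is not the original poster's configuration or code. It assumes the RFC 5737 documentation block 203.0.113.0/29 in place of the real AT&T block (which this page does not reproduce), takes the platform's HSRP group limit as a parameter, and the names plan_block, virtual_mac, render_ios, rg_device_table and bindings are this example's own. Two things it adds to the thread: the generated MACs carry the locally-administered bit (0x02 in the first octet), which the 0000.0000.xxxx pattern in the posted configuration does not, and a small model of the RG's one-MAC-one-IP table shows why a single-MAC router ends up with one reachable address while the HSRP virtual MACs keep all five.

```python
"""Address/MAC plan for the HSRP trick described in this thread (added example)."""
import ipaddress
from typing import Dict, List, Tuple


def virtual_mac(ip: ipaddress.IPv4Address) -> str:
    """Cisco dotted-hex MAC for one virtual address.

    First octet 0x02: unicast with the locally-administered bit set, so it
    cannot collide with a vendor-assigned (OUI) address.  The last four hex
    digits are '1' + the decimal last octet of the IP, keeping the thread's
    trick of making the pairing readable in the RG's device list.
    """
    return "0200.0000.1{:03d}".format(int(ip) & 0xFF)


def is_locally_administered_unicast(mac: str) -> bool:
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


def plan_block(block: str, hsrp_group_limit: int = 32) -> Dict:
    """Split a static block the way the thread does: the highest usable host
    is the RG, the next one down is the router's physical WAN address, and
    every remaining usable host becomes one HSRP group.  The limit check is
    the caveat about older routers supporting as few as 8 groups."""
    net = ipaddress.ip_network(block, strict=True)
    hosts = list(net.hosts())  # network and broadcast already excluded
    if len(hosts) < 3:
        raise ValueError("need at least three usable addresses in %s" % block)
    rg, router, virtuals = hosts[-1], hosts[-2], hosts[:-2]
    if len(virtuals) > hsrp_group_limit:
        raise ValueError("%d virtual addresses but the platform allows only %d HSRP groups"
                         % (len(virtuals), hsrp_group_limit))
    groups = [{"group": n, "ip": ip, "mac": virtual_mac(ip)}
              for n, ip in enumerate(virtuals, start=1)]
    return {"rg": rg, "router": router, "mask": net.netmask, "groups": groups}


def render_ios(plan: Dict, wan_if: str = "FastEthernet1/0") -> str:
    """IOS snippet for the WAN side.  Timers and preempt are written per group
    because without a group number they apply to group 0, which is unused."""
    lines = ["interface %s" % wan_if,
             " ip address %s %s" % (plan["router"], plan["mask"]),
             " ip nat outside"]
    for g in plan["groups"]:
        n = g["group"]
        lines += [" standby %d ip %s" % (n, g["ip"]),
                  " standby %d mac-address %s" % (n, g["mac"]),
                  " standby %d timers 254 255" % n,
                  " standby %d preempt" % n]
    lines.append("ip route 0.0.0.0 0.0.0.0 %s" % plan["rg"])
    return "\n".join(lines)


def rg_device_table(arp_seen: List[Tuple[str, str]]) -> Dict[str, str]:
    """Model of the RG behaviour the thread describes: one entry per MAC, and a
    MAC seen with a new IP overwrites its old entry, so the old address stops
    being reachable from outside."""
    table: Dict[str, str] = {}
    for mac, ip in arp_seen:
        table[mac] = ip
    return table


def bindings(plan: Dict, router_mac: str) -> List[Tuple[str, str]]:
    """(MAC, IP) pairs the RG sees once every address has been pinged (Step 8)."""
    pairs = [(router_mac, str(plan["router"]))]
    pairs += [(g["mac"], str(g["ip"])) for g in plan["groups"]]
    return pairs


if __name__ == "__main__":
    plan = plan_block("203.0.113.0/29")  # constructed: RFC 5737 block, not a real customer block
    print(render_ios(plan))
    # The same five addresses announced from one MAC: the RG keeps only the last one.
    all_ips = [plan["router"]] + [g["ip"] for g in plan["groups"]]
    one_mac = [("0011.2233.4455", str(h)) for h in all_ips]
    print(len(rg_device_table(one_mac)), "entry with a single MAC")
    print(len(rg_device_table(bindings(plan, "0011.2233.4455"))), "entries with HSRP virtual MACs")
```

Running the block prints the generated WAN-side configuration and then the two table sizes (1 versus 5), which is the whole difference between a router that keeps silently losing addresses and one the RG treats as five separate devices. The hsrp_group_limit parameter is the place to put your platform's real figure before trying a /28.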

Re: How to fake bridged mode with U-Verse

Another credit I'd like to add -- thanks to user tmiw -- the ideas they posted about macvlans on Linux were instrumental in giving me this crazy idea :)




Message 4 of 18

Re: How to fake bridged mode with U-Verse

Good job. and thanks for sharing.


(referenced link is now dead?)

Message 5 of 18

Re: How to fake bridged mode with U-Verse

Fixed (I think? How did I mess up a simple copy-paste? :) )

Message 6 of 18

Re: How to fake bridged mode with U-Verse

LOL, it happens! My first thought was it had been moved, but it's working now. ;)

Message 7 of 18

Re: How to fake bridged mode with U-Verse

Another minor correction...


Under this part, the address in the router config should be .200:

! Use NAT to expose JUST the web service on PC2,, as
    ip nat inside source static tcp 80 80


Like this:


! Use NAT to expose JUST the web service on PC2,, as
    ip nat inside source static tcp 80 80


I didn't see a way to edit the original message. If there is a way, please let me know and I'll fix it. Thanks :)

Message 8 of 18

Re: How to fake bridged mode with U-Verse

The forum limits the edit time on posts to 1 hour.

If you PM one of the moderators (try pamelaz) they can edit it for you.
Message 9 of 18

Re: How to fake bridged mode with U-Verse

I just upgraded from 3 meg dry DSL direct to U-Verse "business" with a block of 5 static IPs a few days ago so I could run servers and be within the rules of AT&T for running servers. I admit to not researching this before I switched because I assumed AT&T would treat me right as a business customer running a technical business... my bad mistake. It feels like being punished for doing the right thing now, with this 2Wire/Pace residential router as the ONLY CPE allowed.


So I have read back a few months in this forum, and the only solution to come along since U-Verse was offered is this thread? (Which of itself is kudo-worthy... I agree... and I am glad there are a few people working and posting on this issue.) I googled for hours and there isn't anything else but this thread and the links in it for me and others to try and adapt and implement. AT&T 2nd tier said "we'll help you set up one of your IPs in supplementary networks... the rest you are on your own." OK... thanks. If I could run a real router instead of this 2Wire I wouldn't need you except in an outage or IP addressing issue.


Now I looked at a Cisco 887v to solve it all, and I hear the 2Wire must be used because of its firmware tied to its MAC addresses by (bad and wrong and flagrant disregard for standards, as joesomebody tells us) design! Wow.


I have each address assigned to a LAN port and the firewall off, with a cheap D-Link etc. router on each IP segment as the head-end segment LAN firewall. Mickey Mouse, but it works for now. I have no idea if it's going to be seen correctly yet from the rest of the internet. Just wanted to say thanks for these threads, and I will help in them as I try them out. So next I have to build a Linux FW/router per this thread with a compiled kernel and macvlans, iptables and who knows what else to make it work and secure. All I can say is: what have I got myself into? ;)







Message 10 of 18

Re: How to fake bridged mode with U-Verse

You shouldn't need the linux box or the macvlans with my solution above.


I would recommend a Cisco 2811 series router. You can find them aftermarket for under $400. They're super reliable and come with two fast ethernet ports built in. If you're a bit tight on the budget like I am, then you could also piece together a 3640 -- you'll need maxed out RAM and Flash, and will need to add two fast ethernet ports on NM cards. (Either 2xNM-1FE* or 1xNM-2FE*). A fully loaded 3640 goes for around $200-250 on ebay. I have found through some testing of my own that the 3640 is just about the lowest end cisco router you can comfortably run U-Verse on. The 2600s don't quite have enough performance.


Do you have any cisco experience (CCNA?). If so my solution might be a good fit for you, otherwise you should find someone who is familiar with Cisco equipment to help you out, or do some studying and learn the basics of the gear first before trying to put it in to any sort of important service.


As far as the multiple D-Link solution, I think I really would just put a switch directly off of the RG and deal with its idiotic firewall GUI instead of putting those inline. I'd be worried about them becoming a bottleneck. What are your goals with this setup? If you can post some details (nothing identifiable or security related, obviously) then I might be able to get a better idea what you're trying to do and make some better recommendations.

Message 11 of 18

Re: How to fake bridged mode with U-Verse

Hi d3phoenix. Thank you for the reply and suggestions. Yes, I have a budget of $500.00 for CPE equipment and I will learn whatever it takes to get this as right as it can be. The Cisco 887v I mentioned does VDSL2, but AT&T won't let us use anything but the 2Wire. That seems like the best router for this type of connection, but I know many others can suffice. My opinion is that U-Verse biz should be just like a T1 to set up. It isn't, so now I wish others would chime in with what they have done, like you did.


Here's my ideal goal:


IP block:
  • 5th IP > gateway IP x.x.x.x, the public IP that is seen from the internet and routes to the other 4
  • 4th IP > 1st IP segment behind the firewall; this segment runs the mycomp.com servers and their services/apps
  • 3rd IP > 2nd IP segment, same for mycomp.net
  • 2nd IP > 3rd IP segment, same for mycomp.org
  • 2 IPs left in reserve for the future


To me this is quite a standard and sane design. The other way I can do this is to just hang each domain's server box and its NIC MAC off each of the LAN ports of the 2Wire RG, harden them, and use the 2Wire for all firewalling. That seems to be what AT&T would have me do by the 2Wire's design (supplementary network).


I was under the understanding that the last usable IP address is the gateway IP used on the WAN port of whatever CPE is chosen. Right now I get an AT&T DHCP-assigned IP from its pool, and it's outside of my block, which I don't want.


On using basic D-Link etc. routers: I have 6 meg down / 1 meg up service from U-Verse. I don't see a bottleneck happening until and if I ever get a higher rate, like 12 meg up to say 100 meg someday. I know using a business router is the way to go. I will buy that now if the solution is right, from eBay or new.


Please critique freely... I'm not tied to any specific design right now. Thanks, Tom








Message 12 of 18

Re: How to fake bridged mode with U-Verse

@trw2012 wrote:


I was under the understanding that the last usable IP address is the gateway IP used on the WAN port of whatever CPE is chosen. Right now I get an AT&T DHCP-assigned IP from its pool, and it's outside of my block, which I don't want.

Actually, when you have static IP addressing, the AT&T RG functions like a full L3 router for the subnet block that you bought. You will still have that WAN address on the outside, and then the RG provides the highest usable IP of the subnet block you bought as a default gateway for your internal static IP devices to talk to. The problem then is that it restricts it further, such that each static IP must be assigned to a unique MAC address.


Imagine it like this:

  • You have a router with three ports on it -- WAN0, LAN0, and LAN1.
  • You have an internet T1 plugged in to WAN0.
  • WAN0 Pulls the internet address from DHCP from the provider.
  • The router uses address on LAN0.
  • The router provides DHCP for 192.168.1.*/24 on LAN0.
  • The router provides NAT translation between the 192.168.1.*/24 addresses and on the LAN0 Interface.
  • The router uses address on LAN1
  • The router provides L3 routing to the internet for devices on the LAN1 interface.
  • The router CAN provide DHCP to the LAN1 devices, but only if you set up a reservation (assign statics by DHCP) or tell it to give out WAN addresses to ALL new devices (Set the DHCP scope to "public pool").

Now, imagine what happens if you plug both LAN0 and LAN1 into the same L2 segment on a switch, and give the end user access to 4 other ports on said switch.


This is how the RG is behaving. So yes, even with your static IPs, the RG will still have a WAN address that is outside your static IP range. It doesn't matter though -- because the RG is routing and not NATing, they will still show up as their rightfully assigned addresses on the internet.


All that said, if you only have 6Mb from U-Verse, then I don't see any problem using several gateway devices to NAT once for each of the three LANs. You can hard-code each NAT device's WAN port to one of your static addresses. Make sure to ping the devices from the RG after you set them up, or else they can take a long time to show up and work properly.


Just keep in mind that even though most consumer grade gear has 100Mb ports, their CPU can't usually keep up with true wire speed. 100Mb port does not necessarily mean 100Mb throughput. At most I would expect to get about 15-30 Mb, depending on the device and feature set enabled. Even Cisco gear will cap out well below interface speed if you run too many CPU intensive operations.


For example, here's a link to a PDF that shows the rated throughput of various Cisco devices. 2600s cap out at around 15Mb, which is why I strongly recommend getting nothing less than a 3640 if you do go Cisco. 2800s are even better:




I hope this answers your question, otherwise feel free to PM me.

Message 13 of 18

Re: How to fake bridged mode with U-Verse

This whole thread is above my brain functions. In simple terms why and what for would someone do this...

Im not Smart! The Voices in my Head are!!
Message 14 of 18

Re: How to fake bridged mode with U-Verse

@Kong57 wrote:

This whole thread is above my brain functions. In simple terms why and what for would someone do this...


For business service, it is a de-facto standard that a static IP block you obtain from the provider would come with no restrictions on how it is to be used. AT&T unfortunately does not provide this functionality with their static IP blocks due to the design of the 2Wire router. Specifically, it is impossible to properly run a static IP block behind your own router, which a business would likely want to do in order to implement their own firewall or VPN setup.


This thread is discussing a novel way to work-around this restriction using an unrelated functionality that a Cisco router can implement.


Message 15 of 18