09-11-2011 1:13 PM - last edited on 04-24-2014 2:06 PM by ATTMarianaCM
I have worked out a way to simulate full bridged mode between a U-Verse RG and an enterprise grade router.
It's not identical to uverse in bridged mode, but it is pretty close.
The AT&T RG abuses ARP to ensure that a static IP has to be assigned by MAC address. One MAC = One static IP. This effectively prevents you from routing the whole block to an internal router or firewall, because such devices will respond for all usable addresses using the same MAC. Why the RG chooses to do this is beyond me, but it is what it is and we have to work around it.
(When the RG sees what it thinks is the internal device changing its IP while keeping the same MAC (due to multiple IPs on one interface), the RG will update the device's "current IP address" in the IP Address Allocation tab, and sever all TCP connections to the old address, and the firewall will block all attempts to connect to the old address as it does not see it being registered to any internal device.
Ultimately, this means that if we intend to use our own internal device to protect and control our static IP block, we have to get our device to lie to the RG and present itself as several unique MAC / IP pairs.
This is difficult because by definition, most routers and firewalls only have one MAC and are not capable of generating more. Even high-end Cisco routers do not allow you to add an arbitrary number of MAC addresses to an interface because it shouldn't be necessary -- they assume other devices know how to use ARP.)
To solve this, we have to fake out the RG into cooperating. We can accomplish this fakery by doing some protocol abuse of our own -- running a routing redundancy protocol even though we have no peer router to balance with. In this example I'll be using Cisco's HSRP, although in theory this will work with any redundancy protocol that creates virtual IPs and MACs. Routing redundancy protocols use these fake MAC + IP Pairs as floating "virtual interfaces" that would normally flip between two routers running the protocol, so that in the event of a failure none of the clients have to re-learn a MAC and IP. Nobody has to ARP and you get a very quick failover. We're going to use that to fake out the RG.
Step 1) Log in to the RG and make the following settings changes:
* Link Configuration
  * Supplementary Network
    * Check Enable
    * Place the router's address (Last usable of the subnet) into the Router Address field.
    * Fill in the subnet mask
    * DO NOT check Auto Firewall Open
    * Make sure "New Device DHCP Pool" is set to "Private Network"
* Enhanced Security
  * Disable Stealth Mode (Useful for troubleshooting)
  * Disable Block Ping (Useful for troubleshooting)
  * Disable Strict UDP Session Control (I have found that this can interfere with VOIP apps)
* Attack Detection
  * Disable Excessive Session Detection (The RG's definition of "excessive" is a bit small)
  * Disable Invalid Source/Destination IP Address (For some reason this seemed to interfere)
  * Disable Invalid ICMP Detection (Seems to block ALL ICMP??)
Step 2) Unplug all but your configuring PC from the RG.
Step 3) Under Diagnostics -> Resets, Clear the RG's device list.
Step 4) Unplug your PC from the RG and reconnect.
Step 5) The RG is now ready to accept statically assigned addresses from our router.
Step 6) Configure the router. This part will require familiarity with your chosen device. I'll provide the commands as a Cisco IOS configuration file with comments. If your device is not a Cisco box, hopefully this will give you enough information to configure it properly.
! Cisco IOS Configuration File
! Version 12.4
! NOTE: the public addresses in this post were garbled when the page was extracted.
! The 203.0.113.0/29 documentation range is used below as a placeholder
! (virtual IPs .1-.4, router .5, RG .6); substitute your own static block.
! Set up the inside interface (the post does not name it; FastEthernet0/0 is assumed here)
interface FastEthernet0/0
 description LAN (TO SWITCH)
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
! Set up the outside interface (FastEthernet1/0, the interface the NAT overload below refers to)
interface FastEthernet1/0
 description WAN (TO RG)
 ! Assign the router the last usable IP in the range (right before the RG)
 ip address 203.0.113.5 255.255.255.248
 ip nat outside
 ! Slow the HSRP timers down (Don't need to check for a non-existent peer every 1 second)
 standby timers 254 255
 ! This router should be the master (It will never come up otherwise)
 ! Create a virtual HSRP IP+MAC pair for each usable ip address (Except the one already assigned above)
 ! Make sure that your MACs are unique. I like to start them with 0000 to signify a locally-administered address, and end them with 1 + the three digit last octet of the IP it's associated with. This makes it easier to figure out which is which in the RG's configuration later if anything gets messed up.
 standby 1 ip 203.0.113.1
 standby 1 mac-address 0000.0000.1001
 standby 2 ip 203.0.113.2
 standby 2 mac-address 0000.0000.1002
 standby 3 ip 203.0.113.3
 standby 3 mac-address 0000.0000.1003
 standby 4 ip 203.0.113.4
 standby 4 mac-address 0000.0000.1004
!
! Configure our default gateway and default route to be the 3600HGV's address in the static block
ip default-gateway 203.0.113.6
ip route 0.0.0.0 0.0.0.0 203.0.113.6
! Use NAT to expose PC1, 172.16.0.100, to the internet on all ports as 203.0.113.1:
ip nat inside source static 172.16.0.100 203.0.113.1
! Use NAT to expose JUST the web service on PC2, 172.16.0.200, as 203.0.113.2:
ip nat inside source static tcp 172.16.0.200 80 203.0.113.2 80
! Create a NAT overload (PAT) to allow listed devices to share our router's address for internet access:
ip nat inside source list ACL-INET interface FastEthernet1/0 overload
! Create the ACL-INET Access List and configure it to allow all PCs to use the overload
! (standard named ACLs take a wildcard mask, not a subnet mask):
ip access-list standard ACL-INET
 10 permit 172.16.0.0 0.0.0.255
(CONTINUED IN NEXT POST)
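Added example, not from the original post: a small Python helper that lays out a /29 block the way the post does (RG on the last usable host, the router's real address just before it, one HSRP group per remaining host with the "1 + three-digit last octet" MAC convention), emits the matching IOS lines, and checks `show ip arp` output for the one-MAC-one-IP invariant the RG enforces. The 203.0.113.0/29 block and the ARP lines are constructed samples, and the host layout is an assumption drawn from the post's MAC scheme.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder block (203.0.113.0/24 is a documentation range);
# substitute the /29 AT&T actually assigned.
STATIC_BLOCK = "203.0.113.0/29"

def plan_block(cidr, mac_prefix="0000.0000"):
    """Lay out a static block the way the post does. Assumed layout: the RG
    takes the last usable host, the router's real interface the one before
    it, every other usable host becomes an HSRP group. Virtual MACs follow
    the post's scheme: prefix + '1' + three-digit last octet of the IP."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    rg, router, virtual = hosts[-1], hosts[-2], hosts[:-2]
    groups = [(n, str(ip), f"{mac_prefix}.1{ip.packed[-1]:03d}")
              for n, ip in enumerate(virtual, start=1)]
    return {"rg": str(rg), "router": str(router),
            "mask": str(net.netmask), "groups": groups}

def render_hsrp(plan):
    """IOS lines for the WAN interface, plus the default route to the RG."""
    lines = [f"ip address {plan['router']} {plan['mask']}"]
    for n, ip, mac in plan["groups"]:
        lines += [f"standby {n} ip {ip}", f"standby {n} mac-address {mac}"]
    lines.append(f"ip route 0.0.0.0 0.0.0.0 {plan['rg']}")
    return lines

# IP and MAC columns of Cisco 'show ip arp' output.
ARP_LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+\S+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

def find_mac_conflicts(arp_output):
    """{mac: [ips]} for every MAC answering for more than one IP. The RG
    treats that as one device changing address and drops the old address's
    sessions, so a correct setup must return an empty dict."""
    seen = defaultdict(set)
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            seen[m.group(2).lower()].add(m.group(1))
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}

# Constructed samples: a correct table, then the router's own MAC answering
# for two IPs (what a plain secondary address looks like to the RG).
SAMPLE_ARP_OK = """Internet  203.0.113.1  -  0000.0000.1001  ARPA  FastEthernet1/0
Internet  203.0.113.2  -  0000.0000.1002  ARPA  FastEthernet1/0
Internet  203.0.113.5  -  001a.2b3c.4d5e  ARPA  FastEthernet1/0"""
SAMPLE_ARP_BAD = """Internet  203.0.113.1  -  001a.2b3c.4d5e  ARPA  FastEthernet1/0
Internet  203.0.113.5  -  001a.2b3c.4d5e  ARPA  FastEthernet1/0"""
```

Run `render_hsrp(plan_block(STATIC_BLOCK))` to get the standby lines for your block, and feed the router's real `show ip arp` output to `find_mac_conflicts` after bringing the WAN interface up.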
09-17-2011 12:07 AM
I'm beginning to understand the 2wire 3801 firmware design:
"This is how the RG is behaving. So yes, even with your Static IP's, the RG will still have a WAN address that is outside your static IP range. It doesn't matter though -- because the RG is Routing and not NATing, they will still show up as their rightfully assigned addresses on the internet."
It is doing both NAT (ATT IP) and route (ATT static block) jobs actually. Your explanation is helpful but I figured that out after it was all setup. It NATs the ATT provided IP to my home network on my chosen LAN subnet or 172.x/192.x in the setup page ... which is kinda cool and useful because it gives that network everything it needs (fwall) and the supplemental setup is fairly close to what I would setup if I had an enterprise router. I hope no problems come from the supp network setup.. i.e. ... packets aren't free and clear of interference from the 3801. That remains to be seen. I've read of the 3801 interfering with traffic i.e. firewalling when it shouldn't do anything to the packets or only one subnet is allowed to use the full open features. My config page shows the 3 wide open though. The logs show it is doing some weird stuff right now to UDP traffic. I might have to monitor things with a packet mon. to be sure like wireshark-tcpdump later.
03-03-2012 5:37 PM
I'm not sure. DDWRT appears to lack the required routing redundancy protocol capabilities that I'm abusing to work around the RG's ARP issues.
You might be able to pull it off if you can assign multiple virtual MAC addresses on the DDWRT's WAN interface, but I haven't used it enough to know if that is possible or not.
It boils down to this: You have to present your WAN interface to the RG as a set of unique MAC address + IP pairs that will respond to the RG's ARPs as such. If you can pull that off (and then NAT from there), it should work.