10-16-2013 9:24 PM
I am trying to move from TWC to AT&T and need to have static IPs. I have a block of 5 usable and have been working with AT&T Level 2 support to try and get them working. They cannot figure this out. I would prefer to set up bridge mode in the device and let my firewall do all the routing and protection. This is my current setup. I have tried a few different things since the AT&T Level 2 guys can't figure it out. I've read that this model does not do bridging well, if at all. I've tried the DMZ route and that assigned a completely different public IP to my device than what I was given. How do I configure this device to work the way I need it to? If I can't get this to work, I'm going to seriously cancel the service. I'm on day 5 of trying to get this working.
Any help is greatly appreciated.
10-17-2013 8:11 AM
10-17-2013 10:32 PM
10-18-2013 9:51 AM
Just wanted to check in with you to see if you were ever able to get your issue resolved. There are different setups to produce the desired result, based off the modem you have. With the static IPs though, are you even able to browse when having one device directly connected?
Let us know how it's going, and if any issues, I am positive this community will be able to help.
10-20-2013 10:14 AM
I am having similar problems. I have managed to get ssh working, somehow, but https and mail don't work. It would be very nice if there were a step-by-step howto for setting up static IPs on this device.
10-20-2013 4:05 PM
I'm trying to open up port 1194, UDP for openvpn. I see this in the 5031NV log:
INF 2013-10-20T17:51:45-05:00 fw, src=18.104.22.168 dst=22.214.171.124 ipprot=17 sport=34923 dport=1194 Session Matches User Pinhole, Packet Passed
INF 2013-10-20T17:51:45-05:00 fw, src=126.96.36.199 dst=188.8.131.52 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF 2013-10-20T17:51:53-05:00 fw, src=184.108.40.206 dst=220.127.116.11 ipprot=17 sport=34923 dport=1194 Unknown inbound session stopped
So, the firewall says, "Yes, I recognize this request as a valid user pinhole request, and I'm passing the packet on".
Then it says, "What the heck is this?!? Dropping it on the floor..."
I honestly don't know what to make of this. I had Uverse installed last Wednesday (16 Oct. 2013) and am already seriously considering cancelling the service. I called AT&T about this, and got handed off to several different individuals, none of whom seemed to have any clue what I was trying to tell them. The last person I talked to told me that I was now talking to a "fee-based" tech support team. His English was very difficult to understand, but it sounded very much like he was reading from a script, and was of no help whatsoever.
AT&T used to have awesome customer support. What happened?
- edited 10-21-2013 8:33 AM by Taylarie
Without knowing the entire details of how this connection is operating, what it appears is that there is some kind of acknowledgement/negative acknowledgement request happening. It appears that outside connection is sending the information to your device behind our router, which forwards it with no problems, from there, it sends a request back to that destination IP trying to establish a connection, but it gets an unreachable error, causing the inbound session to completely terminate at that point.
So with that, it appears the forwarding rules are working right, but you may need to add a few more to handle this acknowledgement request, or you may need to look into the rules on the other device to see if it is blocking traffic from your U-verse modem.
One thing to try is putting the device in DMZ mode, and seeing if that helps.
To do so, on the Pace 5031
Let me know how it goes.
10-22-2013 8:29 AM
I'm not sure what to make of the conversation. As you say, you've got a message incoming from a Comcast served address using UDP which is passed through, but then it (the RG) discovers it doesn't know how to route the packet, so it replies back with that fact (the ICMP message) and closes the connection.
Something is hosed with the routing setup. Work with @DavidCS, as he can get the proper information for you.
I'm assuming that you're dealing with a Static IP block, as that is the title of the thread you've posted in. Have you been to the Settings/Broadband/Link Configuration page and added the supplementary network?
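For readers working through the 5031NV log lines quoted earlier in the thread, the following is an added example (not written by any poster) that pairs each UDP pinhole pass with the ICMP Destination Unreachable sent back for it and names the ICMP code. The sample lines are constructed with documentation addresses in the same shape as the quoted log; per RFC 792, type 3 code 3 is "port unreachable", which the sender of the ICMP message emits when nothing accepts traffic on that UDP port.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, same shape as the log lines quoted in the thread
# (addresses are documentation ranges, not the poster's).
SAMPLE_LOG = """\
INF 2013-10-20T17:51:45-05:00 fw, src=198.51.100.7 dst=203.0.113.9 ipprot=17 sport=34923 dport=1194 Session Matches User Pinhole, Packet Passed
INF 2013-10-20T17:51:45-05:00 fw, src=203.0.113.9 dst=198.51.100.7 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF 2013-10-20T17:51:53-05:00 fw, src=198.51.100.7 dst=203.0.113.9 ipprot=17 sport=34923 dport=1194 Unknown inbound session stopped
"""

# ICMP type 3 (Destination Unreachable) codes from RFC 792
UNREACH = {0: "network unreachable", 1: "host unreachable",
           2: "protocol unreachable", 3: "port unreachable"}
LINE = re.compile(r"^(\w+) (\S+) fw, (.*)$")

def parse(line):
    """Split one firewall line into timestamp, key=value fields and message."""
    m = LINE.match(line.strip())
    if not m:
        return None
    fields, msg = {}, []
    for tok in m.group(3).split():
        if "=" in tok and not msg:      # fields come before the free-text message
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            msg.append(tok)
    return {"ts": datetime.fromisoformat(m.group(2)), "msg": " ".join(msg), **fields}

def rejected_pinholes(log, window=timedelta(seconds=2)):
    """Return (host, udp_port, reason) for passed pinhole packets answered by ICMP type 3."""
    events = [e for e in map(parse, log.splitlines()) if e]
    findings = []
    for p in events:
        if p.get("ipprot") != "17" or "Packet Passed" not in p["msg"]:
            continue
        for r in events:
            # The ICMP reply travels in the reverse direction of the UDP packet.
            if (r.get("ipprot") == "1" and r.get("icmp_type") == "3"
                    and r["src"] == p["dst"] and r["dst"] == p["src"]
                    and timedelta(0) <= r["ts"] - p["ts"] <= window):
                code = int(r["icmp_code"])
                findings.append((p["dst"], int(p["dport"]),
                                 UNREACH.get(code, f"code {code}")))
    return findings
```

A "port unreachable" result points at the host that sent the ICMP message (listener not running, bound to another address, or a host firewall rejecting), while codes 0 and 1 point at routing.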
03-09-2014 4:57 PM
I have an ISA firewall behind my 5031NV. I have assigned all 5 of my IP addresses to my ISA Server yet my 5031NV only recognizes the 1st IP address in the list. I need it to recognize all 5 so that my ISA firewall can handle traffic instead of my modem.
05-23-2014 3:47 PM
05-23-2014 5:16 PM
05-23-2014 7:39 PM
05-28-2014 12:06 PM
Got it working. Others probably already know this but there is a key assumption in "Cascaded Router" mode that I was missing. You have to make the WAN port on your internal router contain an IP address from the private range given by the 5031NV RG.
If my public block was 18.104.22.168-15 (.9 - .13 useable) then I would do the following:
Check the "Enable Cascaded Router" box in the Broadband link screen
Network Address = 22.214.171.124
Subnet mask = 255.255.255.248
Router Address = 192.168.1.14 (pick an IP address from the private static range below 192.168.1.33)
On your inside router:
WAN port set to static IP 192.168.1.14
Gateway = 192.168.1.254
Subnet mask = 255.255.255.0
Once this is all set up, the Public Static IP addresses (126.96.36.199-13 in this example) will come through the WAN port on your router without any interference from the 5031NV RG. With my ZyWALL 50 these addresses can be subject to virtual server mapping or "many 1:1 NAT" from WAN to DMZ without any trouble. It's confusing to have your WAN port be set to a private IP address while sending the public IPs through, but it works fine on my router.
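A consistency check for the cascaded-router settings described in the post above, as an added example that is not part of the original post. The dictionary keys and the function name are hypothetical, and `203.0.113.8` is a constructed stand-in for the poster's public block; the private-side values are the ones given in the post.

```python
import ipaddress as ip

# RG side: values from the post, except the constructed public block.
RG = {"network": "203.0.113.8", "mask": "255.255.255.248",
      "router_address": "192.168.1.14",
      "lan_ip": "192.168.1.254", "lan_mask": "255.255.255.0",
      "static_below": "192.168.1.33"}

# Inner router WAN port as the post configures it.
INNER_OK = {"wan_ip": "192.168.1.14", "wan_mask": "255.255.255.0",
            "gateway": "192.168.1.254"}
# The missing assumption the post describes: a public address on the WAN port
# (constructed values).
INNER_PUBLIC = {"wan_ip": "203.0.113.9", "wan_mask": "255.255.255.248",
                "gateway": "203.0.113.14"}

def check_cascade(rg, inner):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    # ip_network raises ValueError if the network address has host bits set.
    block = ip.ip_network(f"{rg['network']}/{rg['mask']}")
    lan = ip.ip_interface(f"{rg['lan_ip']}/{rg['lan_mask']}")
    router = ip.ip_address(rg["router_address"])
    wan = ip.ip_interface(f"{inner['wan_ip']}/{inner['wan_mask']}")

    if block.overlaps(lan.network):
        problems.append("cascaded block overlaps the RG's private LAN")
    if router not in lan.network:
        problems.append("Router Address is outside the RG's private LAN")
    elif router >= ip.ip_address(rg["static_below"]):
        problems.append("Router Address is not in the private static range")
    if wan.ip != router:
        problems.append("inner WAN IP differs from the RG's Router Address")
    if ip.ip_address(inner["gateway"]) != lan.ip:
        problems.append("inner gateway is not the RG's LAN address")
    if wan.network != lan.network:
        problems.append("inner WAN subnet does not match the RG's LAN subnet")
    return problems
```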
05-28-2014 2:55 PM
Thank you @gimp_dad for posting your configuration and that you were able to get it working.
Actually, that makes sense to me. You're telling the RG that the next hop for traffic arriving at its WAN port on the public static addresses is the router on its LAN which it can reach at a private IP address, and telling your internal router that the next hop for the default route from its LAN side is the private IP address on the LAN side of the RG. The traffic arrives at the next hop, that router knows how to route that address and away the packet goes.
05-28-2014 3:16 PM
I agree that it all makes sense. This seems like a configuration that would be commonly desired. ATT should do a better job of explaining it. There is zero documentation on this mode. Part of what makes it unintuitive is because the identification of my router by using a private IP address from the RG is totally different treatment than used for either Supplementary Network or LAN IP modes.
By the way, my solution has one more level of complexity. I am actually mapping the Public IP block to a private block (192.168.3.xx). As a result the public static IP block is never specifically sent to my internal DMZ port. I have a WAN to DMZ NAT conversion in between. This, of course, makes it much easier to do two things:
1. have other supporting file or compute servers on the DMZ network for supporting my public servers,
2. allow more levels of virtual server mapping to be taken care of on my ZyWALL router (e.g. can map one public IP address to a mail server and a different web server).
Thanks for the help that got me started down the right path here.