Treo600user's profile

Teacher

 • 

3 Messages

Wednesday, March 16th, 2011 3:18 PM

U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

I am having trouble properly configuring this AT&T 2Wire 3600HGV modem for my network. Maybe someone is aware of a different firmware for this product?

 

I am completely aware of how to set up the DMZ mode & router behind router setup in these boxes but that is NOT the point. (We have supported firewalled networked equipment working that has all the bells & whistles including QoS)

 

In the event of a factory reset of the AT&T 2Wire VDSL modem at this business, I want to properly ensure the following business requirements are met:

- DHCP - OFF (at min, it appears you must leave one available?)

- WiFi - OFF (Yes this can be turned off, but bridging it always ensured it was turned off in the past. ON is a security concern among just bad business i.e. conflict with other business WiFi, employees might see/use this non-content filtered WiFi, etc etc)

- & passing off internet service needs to be easy to another networked supported OUTSIDE of AT&T firewall. (I'm NOT asking for AT&T support on this, but in the bridge DSL world, this was EASY)

- if bridging this 2Wire is NOT an option, backing up the configuration settings would be a nice alternative but that is not available as well?

 

Bridging the old DSL modems always worked nicely but the 2Wire 3XXXHGV line appears to be the ONLY ones to support the AT&T VDSL Max Turbo speeds. 24Mbps down / 3 Mbps up which we use not only for normal business operations (credit cards, business email, web based training, etc) but this high speed is required to view onsite security video (3Mbps up) and offer customers FAST free WiFi!

 

AT&T U-Verse offers the right price, contract, speed, internet package & installers to properly handle our restaurant locations company's data needs but I'm struggling with their "business" support of this 2Wire VDSL modem product. We ONLY use the internet, no TV (not legally available for restaurants, yet). No VoIP because POTS is our reliable backup. So it's just the internet service ...

 

For coverage on AT&T Uverse, we have over 50 locations lit up like a Christmas tree but sadly business support on this product is driving me nutz! Maybe because I now see this is listed under "Residential Gateway"? Is this AT&T 2Wire VDSL modem product not meant for business? Is anyone aware of another supported AT&T VDSL modem or a different 2Wire firmware available? Official AT&T support has me running in circles (AT&T U-verse support > AT&T Connecttech > AT&T Connecttech360 > AT&T U-verse support, rinse, repeat)  

 

help?

Expert

 • 

9.4K Messages

11 years ago

It should not matter in your case unless the NetGear has Gigabit Ethernet. If it does, then use the NetGear for higher speeds between computers on the LAN.

Contributor

 • 

1 Message

11 years ago

SomeJoe7777, this is an older post so hopefully you are still monitoring it. I have been trying to figure out how to enable Time Limits and other Parental Controls on my network and the 2Wire unfortunately lacks any of these. After reading your post it seems that since I cannot do away with the 2Wire 3800HGV I can simply park a 'good' router with parental features in the DMZ+ behind the 2Wire GW, setting the GW up as you have specified. Then, for all intents, the new router's features will be fully accessible. Right? I have tried to make it work with a 2Wire LAN port connected to one of my router's LAN ports but it does not protect this path. It would be nice if I could implement the controls via any port, or macID, or IP but it only seems to work if the network is coming in the WAN port.

 

Have I driven off the road?  I primarily want the time limits so if you have an alternate idea, I'd love to hear it.

 

Thanks again for all your insight.

Expert

 • 

9.4K Messages

11 years ago

You're correct -- you need a router with parental controls set up behind the 2Wire as the DMZ device, set up according to post #2 in this thread.

On parental controls/time limits, remember that physical security is also required otherwise it's trivial to bypass. The 2Wire and your router need to be in a locked area, inaccessible to those who would attempt such things. 🙂

Voyager

 • 

1 Message

11 years ago

I just wanted to thank SomeJoe for this great tutorial. I can confirm that these steps work perfectly for the new flagship Centria (WNDR4700) from Netgate. It took me a couple of reboots of the Netgate on step 8 before it would pick up the IP, but other than that the setup was flawless! Thanks again!

 

Edit: I actually have the 2wire i38HG unit with the iNID outside of the house. 🙂

Contributor

 • 

1 Message

11 years ago

Somejoe - one more question? If I have AT&T Uverse Receiver hooked on to the 2Wire gateway, can I leave that on the 2-Wire gateway or should I move that to the Linksys? Which would be better and preferred?

Thanks

Expert

 • 

9.4K Messages

11 years ago

U-Verse IPTV receivers must always be connected to the RG. They will not work correctly if connected behind your own router.

Explorer

 • 

15 Messages

11 years ago


@SomeJoe7777 wrote:
You need to configure the Linksys such that its LAN IP address is a different subnet than the RG's LAN.

If the RG is using 192.168.1.x on its LAN, you need to change the Linksys to use something else.

Use the 192.168.2.x subnet. Configure the Linksys LAN IP address to 192.168.2.1, subnet mask 255.255.255.0.

Somejoe7777, first let me just say I can not adequately express how much I appreciate you being here and helping people, thank you!

 

If you would be so kind as to advise me what you think I should do. I've been doing network engineering for many years, I worked for a company for 7 years doing it as a field engineer and now do it with my own small business. I've set up countless ADSL, SDSL, MetroE, Bonded T1 etc. Prior to 2008 I was using a dedicated Qwest T1 on a Cisco 1721 as you know quite expensive but I was on the same backbone as a major client and needed very good latency which was 5-10ms.

 

Had to reduce costs in 2008 and switched from T1 to Comcast Cable (don't think Uverse was available yet) and since I am 12k feet from CO the DSL was only 1.5. Jan 2010 Comcast wanted to keep my business and offered me 50/10 for 99.95 a month couldn't refuse so signed up for 2 yr contract, then Jan 2011 they started dinging me for a $7 a month modem fee claiming it was supposed to be there all along.

 

At that point Jan 2011 I had Uverse Business Class 24mbps installed with a 2wire 3801 and static IP (running Exchange and Activesync), I already had existing wiring in place for the T1 (this is a home office location) ran tests to laptop directly from 3801 and no problems 21-22mbps down and forget my upload I think it was 2.8-2.9 normal tcp overhead. Did note that the latency time (ping) was double or more of my Comcast cable and I've read that it has to do with interleaving which standard DSL doesn't have (fastpath usually) and nothing can be done about it. All testing of signal margins, line attenuations, distance to vrad and I forget the other "DSL/VDSL" areas I checked were all Good to Excellent in quality. Also the line did not drop at all for a week straight with packet loss testing and connection testing to my laptop (not yet connected to my network)

 

Here's where the problem comes in... I'm running ESXi server with Exchange and part of that is also my Astaro Firewall (linux based app quite popular) it's been flawless for 4 years (almost 5 years now) with my Comcast SMC router that has a static IP and NAT&DHCP disabled so it is bridged and on its public IP. Also have many other clients running Astaro firewalls no problems.

 

I figured out pretty quickly the 2Wire was a problem and it wasn't going to be straightforward, calls to Tech Support didn't work out too well so reading found your post and others' posts as well including someone running a "pfSense" linux based firewall. I followed your directions precisely but am not 100% sure only about 95% sure that I changed the LAN IP subnet of the 3801. Pretty sure I did. Because changing my LAN side on my network would involve a lot of changes including server's IP, Firewall LAN, ESXi server IP and a few other static IPs on my network something I really don't want to do.

 

Was able to get the 3801 working through my firewall eventually following your directions BUT.... as someone else posted somewhere on here or another forum my speed tests were greatly reduced to erratic behavior 12-18 down, 0.5-0.7 up.... and the results were terrible and different every time I tested. So here are my questions and sorry for this being SO long. I won't go into the fact AT&T should have business class modems/routers available for businesses. This is Internet Only no phone no TV.

 

1. My network is 192.168.1.x, you mention it must be different than the RG, I seem to recall changing the RG LAN (not sure) and DHCP are there any issues with doing this? If I recall correctly it offered 10.x and 172.x but wouldn't let me specify exactly what I wanted to use.

2. Can DHCP be turned off on the RG? My Server hands out DHCP

3. Is the RG doing NAT still in this DMZPlus mode following your directions could my slow issues and erratic speed tests have been a result of a double NAT scenario with my firewall?

4. I remember having to set my WAN NIC on my firewall to DHCP, I think you mentioned after it initially gets an IP (mine would be static) that I could set my WAN NIC to the static IP and subnet mask and default gateway? Is this true or does it have to be left as DHCP?

5. I also remember at one point my WAN NIC of my firewall received a private 192.168.1.x IP from the 2wire, just to confirm if setup correctly it should be receiving the public static IP (goes with #4)

6. Have the 2wires had any improvements in the last year Jan 2012-present that would maybe help my issue?

 

When I completed my order yesterday they advised me that this deal was only going to be for 12 months and that normally this was going to run me 140 a month and I was getting the discounted 60 off to make it 80 a month. Do I have to worry when my 12 months is up that they won't extend the deal offered? Comcast has 27/7 @ 110 right now without promotions so wouldn't make sense.

 

Sales also checked with Tech Support to verify I wouldn't be getting a 2wire 3801 or any 2wire at all even as I expressed my troubles a year ago, after 15-20 min she confirmed I would be getting a "Motorola 3600" and that Tech Support would easily bridge it just like my Comcast is with a static IP. After searching later on I realized there is no AT&T UVerse Motorola 3600 and called support, they checked the order and I'm getting an "Internet Gateway" which is the 2wire 3600.... I know that the 3800/3801 have TV/Phone etc and the 3600 is usually internet only, will it offer me less troubles than the 3801 did to setup with my firewall or is it pretty much the same thing minus capabilities.

 

Thanks in advance.

 

 

 

Expert

 • 

9.4K Messages

11 years ago

Hi Pentium,

To answer your questions:

1. If you're using 192.168.1.x internally behind your firewall/router, then yes, you need to change the RG's LAN to something else to avoid routing difficulties. The RG's latest firmware update no longer allows the 10.x.x.x addresses, so you'll need to change it to 192.168.2.x or something in the 172.16.x.x space.

You can connect a computer directly to the RG, let it get an address via DHCP, and log into the RG from there to change it/configure it.

2. No, DHCP cannot be disabled on the RG. But if the networks you have (the RG's LAN and your private LAN) have a layer 3 router/firewall device in between, then this is no problem because the DHCP packets will not cross a router.

3. No, in DMZPlus mode, there is no NAT. It's not a straight bridge either, because the packets are still handled by the routing code (i.e. no fast-switching or Cisco express forwarding like the Cisco would do), but there will be no NAT.

Yes, slow or erratic speeds could be because of a double NAT scenario, but it's more likely routing difficulties with two 192.168.1.x networks as I described above.

4. You can change the firewall to static if you need to, but the RG is happier if everything uses DHCP. Some firewalls will need to have inbound UDP to port 68 open from all IP addresses for DHCP renewal to occur correctly. This is due to a bug in the RG DHCP code.

5. If you set up DMZPlus correctly, the WAN interface of the firewall should get the public IP address. If it's getting a private IP, the DMZPlus mode isn't set up correctly.

6. Not really, the last firmware update removed the ability for 10.x.x.x addresses to be used on the LAN. Other than that, there haven't been any changes to the RG firmware in a couple years.

I would verify your DMZPlus setup and your different LAN subnet assignments, and correct those problems if required. After that, perform some further speed tests and see if you're getting close to the 24/3 speed.

Explorer

 • 

15 Messages

11 years ago

Thank you so much for replying. I spoke to several people today at AT&T and also the engineer that qualified my line was nice enough to make a couple of calls. Is there any reason at all for me to get a 3600 right now? I've been told that AT&T wants to use the 3801 instead because it is a dual core processor and for 24mbps speeds it runs a little faster?

 

My install tech is scheduled for 11am tomorrow and if you could recommend either the 3600 or 3801 I'd appreciate it. If they both have the same DMZplus issues then shouldn't I get the faster/newer model? Speaking with billing/sales an hour ago the nice lady says AT&T has had several meetings about this issue on not offering a true bridged modem/router and they are planning to resolve that issue because it is creating a fair amount of cancelled orders for them.

 

Will I face any issues with getting my PTR record setup for RDNS with AT&T? With Comcast 4 years ago it was pretty easy and I've had that same static IP and PTR record without having any email issues. I'm assuming that the static IP I receive from AT&T will be on a business class block where the IP won't be blacklisted on various internet lists?

 

Really hoping I don't have that issue with speed problems after going through my firewall, a year ago I finally had it working with my firewall but that was after so much time spent so I gave up not having more time to troubleshoot and just kept my Comcast for another year. If you say DMZPlus mode there is no NAT then I wouldn't have a double NAT scenario the only problem is will my firewall (Astaro) WAN interface pass the traffic in the same manner as it did with the bridged SMC from Comcast.

 

If I set the firewall WAN NIC to DHCP to receive the IP then set it to static IP, subnet mask, default gateway what's the best way to access the RG after I set it up that way? I'm assuming set my laptop to LAN IP same subnet as the RG and access it that way? I seem to recall when I set the LAN IP it had a drop down of 192.168.1.x or 10.0.x.x or 172.x.x.x as you said with new firmware 10.0.x.x no longer available so can I not choose to put the LAN IP as 192.168.2.254 for the RG? Also setting the LAN IP of the RG should have nothing to do with the static public IP of the DMZPlus should it?

 

Thanks

Expert

 • 

9.4K Messages

11 years ago

The 3600 is actually the same hardware as a 3800, but with the coax section removed.

The 3801 is newer hardware, with a faster processor, better switch hardware, better VDSL chipset, and newer revision HPNA chipset. I would recommend you stay with the 3801.

All 3x00 gateways from AT&T run the same firmware, so the feature set and operation is identical.

Since you have business class service, you should be able to call and have PTR records set up for your static IPs, but I know some customers in the past have had trouble getting in contact with the right people to make this happen. If you run into problems, send a PM to customer care here on the forum.

If the RG is at 192.168.2.254, and your DMZPlus is set up correctly, then the WAN interface of the Astaro will get a public IP. The LAN IP of the Astaro should be 192.168.1.x (different subnet than the RG). Now all you need to do is add a static route to the Astaro that 192.168.2.0/24 is accessible via the WAN interface. Once that's done, you can browse to the RG using http://192.168.2.254 from inside your firewall.

Correct, the LAN IP of the RG and the WAN IP of the Astaro do not have to be on the same subnet, which is weird, I know. This is because the RG routes packets to the Astaro at layer 2 via MAC address, so its IP address becomes irrelevant as far as the RG is concerned.
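The address-plan checks from the two expert replies above (distinct subnets, no 10.x.x.x on the RG LAN, a public address on the firewall WAN, the static route back to the RG, and the DHCP renewal rule), collected as an added example; this is not code from the thread, AT&T or 2Wire. The function name `check_dmzplus_plan` is hypothetical and the addresses are constructed samples, with 203.0.113.10 (a documentation address) standing in for the static public IP.

```python
import ipaddress

# RFC 1918 private ranges; a firewall WAN address inside one of these means
# the RG handed out a LAN lease instead of the public IP.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_dmzplus_plan(rg_lan, inside_lan, fw_wan_ip, wan_uses_dhcp=True):
    """Validate an address plan for a firewall placed behind the RG.

    Returns a dict: 'problems' (list of (code, text)), 'static_route'
    (destination for reaching the RG's web UI from inside) and 'wan_rules'.
    """
    rg = ipaddress.ip_network(rg_lan, strict=False)      # host/prefix accepted
    inside = ipaddress.ip_network(inside_lan, strict=False)
    wan = ipaddress.ip_address(fw_wan_ip)
    problems = []

    if rg.overlaps(inside):
        problems.append(("overlap", f"RG LAN {rg} overlaps inside LAN {inside}"))
    # Per the thread, current RG firmware no longer accepts 10.x.x.x LANs.
    if rg.subnet_of(RFC1918[0]):
        problems.append(("rg-lan-10", f"RG LAN {rg} is in 10.0.0.0/8"))
    if any(wan in net for net in RFC1918):
        problems.append(("wan-private", f"firewall WAN {wan} is a private address"))

    # The route to the RG only makes sense once the two LANs are distinct.
    route = None if rg.overlaps(inside) else f"{rg} via WAN interface"
    rules = (["allow inbound UDP dst port 68 on WAN (DHCP renewal)"]
             if wan_uses_dhcp else [])
    return {"problems": problems, "static_route": route, "wan_rules": rules}


if __name__ == "__main__":
    # Constructed sample plans: the layout recommended in the thread, then
    # the overlapping layout that hands the firewall a private WAN lease.
    for plan in (("192.168.2.254/24", "192.168.1.0/24", "203.0.113.10"),
                 ("192.168.1.254/24", "192.168.1.0/24", "192.168.1.64")):
        print(plan, check_dmzplus_plan(*plan))
```
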