- edited 03-16-2011 8:59 AM
I am having trouble properly configuring this AT&T 2Wire 3600HGV modem for my network. Maybe someone is aware of a different firmware for this product?
I am completely aware of how to set up the DMZ mode & router behind router setup in these boxes but that is NOT the point. (We have supported firewalled networked equipment working that has all the bells & whistles including QoS)
In the event of a factory reset of the AT&T 2Wire VDSL modem at this business, I want to properly ensure the following business requirements are met:
- DHCP - OFF (at min, it appears you must leave one available?)
- WiFi - OFF (Yes this can be turned off, but bridging it always ensured it was turned off in the past. ON is a security concern among just bad business i.e. conflict with other business WiFi, employees might see/use this non-content filtered WiFi, etc etc)
- & passing off internet service needs to be easy to another networked supported OUTSIDE of AT&T firewall. (I'm NOT asking for AT&T support on this, but in the bridge DSL world, this was EASY)
- if bridging this 2Wire is NOT an option, backing up the configuration settings would be a nice alternative but that is not available as well?
Bridging the old DSL modems always worked nicely but the 2Wire 3XXXHGV line appears to be the ONLY ones to support the AT&T VDSL Max Turbo speeds. 24Mbps down / 3 Mbps up which we use not only for normal business operations (credit cards, business email, web based training, etc) but this high speed is required to view onsite security video (3Mbps up) and offer customers FAST free WiFi!
AT&T U-Verse offers the right price, contract, speed, internet package & installers to properly handle our restaurant locations company's data needs but I'm struggling with their "business" support of this 2Wire VDSL modem product. We ONLY use the internet, no TV (not legally available for restaurants, yet). No VoIP because POTS is our reliable backup. So it's just the internet service ...
For coverage on AT&T Uverse, we have over 50 locations lit up like a Christmas tree but sadly business support on this product is driving me nutz! Maybe because I now see this is listed under "Residential Gateway"? Is this AT&T 2Wire VDSL modem product not meant for business? Is anyone aware of another supported AT&T VDSL modem or a different 2Wire firmware available? Official AT&T support has me running in circles (AT&T U-verse support > AT&T Connecttech > AT&T Connecttech360 > AT&T U-verse support, rinse, repeat)
01-17-2013 4:08 PM
01-17-2013 4:10 PM
One more most important question. If the DMZPlus mode "pass through" goes from the RG to my Firewall (WAN NIC) with a static public IP then how could there be any conflicting traffic if my network is 192.168.1.x and the RG LAN IP is 192.168.1.x? Since I would have nothing else connected to the RG and my Firewall's NIC would be processing the traffic with its own NAT how could the RG get confused or interference if it was just passing all traffic through?
Also even if the RG is processing/routing traffic through the DMZPlus mode that means it is seeing past my WAN NIC public IP and able to see the other LAN NIC on my firewall and see devices on my network? Doesn't make sense really.
Another concern is the Astaro firewall (Linux based) runs on a VMware ESXi box with my Server and Exchange. There are two physical NICs and two physical MAC addresses for each card and I've really only had Comcast SMC and an older Comcast modem/router in bridged mode where I just simply set the WAN NIC for public static IP with subnet mask and default gateway. So I'm concerned that these VMware vNICs are maybe causing the RG confusion and resulting in that speed processing problem?
01-17-2013 4:18 PM
- edited 01-17-2013 4:26 PM
Astaro firewall management shows this for the interfaces.
Eth0 being my LAN on 192.168.1.x and Eth1 is the WAN with the static IP, snm, gw
Both seem to provide a different MAC address. As a side note I used to actually run all traffic LAN and WAN through a single VLAN NIC interface and some items such as my Bluray player, Samsung TV and other smaller devices had issues connecting to the internet, since I added a second physical NIC I've had none of those issues for about 2 years now.
01-18-2013 11:40 AM
Does this allow for the Airport's 1000base/T (Gigabit) speeds? Tech is telling me they cannot turn off NAT services and do not offer a dedicated Modem.
- edited 01-18-2013 12:12 PM
Does this allow for the Airport's 1000base/T (Gigabit) speeds? Tech is telling me they cannot turn off NAT services and do not offer a dedicated Modem.
I can at least help with this question. The 2Wire 3801 has 10/100 ports, I'm going to assume the 3800 and 3600 are the same.
Even if you had gigabit ports on it, the internet isn't going to come in any faster unless you approach a 100mbps internet connection. Actually, even if you were at 50mbps or higher you might want GB ports, but I think even at 50mbps a 100mbps port would be ok. Suggest if you want to have gigabit on your LAN to use what a lot are doing in this thread and do the "ip passthrough", since none of AT&T Uverse VDSL (except older DSL tech) have a router/modem that will fully bridge.
With the help of SomeJoe7777 who is well known by AT&T techs I am going to be trying to "pass through" all my traffic this evening and see if my erratic download and upload speed tests are gone with his solutions. My install was excellent, less than 48 hours and I am fully installed!!! The disappointment however is as others have mentioned ping times tend to be a little higher. This might have mattered when I was younger in the BF2 days where I played a lot of ping sensitive games.
Speed tests 23-23.5mbps down and 2.8-2.9mbps up very nice... Max user rate 54mbps/8mbps Profile 32mbps/5mbps (pretty standard) I was told I was 1200-1700 ft from the vrad so when pair bonding and 48mbps comes out I should be good to go several pairs of copper available near my location.
Of note to some people I'm on AT&T Uverse Business Class, when I browsed online with the modem to agree to terms setup accounts etc. I noticed the 250GB limit (which they haven't started metering yet) but this limitation says clearly "Applies ONLY to residential customers" I confirmed that with tech support and a supervisor. Pretty much on par with Comcast no usage limitations on business. Already did checks on my static IP and it is clear from all spam/blacklist databases.
Remember everyone that is on Comcast or other cable providers, when the physical cable is cut or damaged hundreds of people go down like the old Christmas tree lights if you are on that node you'll be down. Also power outages you'll lose your internet (at least here it goes down). I've found in the past when dealing with AT&T (then Bellsouth) I always had a truck roll immediately even in the night if necessary and better tech support. This would probably not apply the same for residential support as you probably get thrown overseas.
I really do hope that I can post great results tomorrow when I can bring my existing connection offline and set up the Uverse connection to my firewall. AT&T offered me a great rate and locked me in for 2 years at my request, in which time I can elect to upgrade or downgrade my plan if necessary. No monthly modem fee either, where Comcast was raping me for $7 a month and wouldn't even allow me to buy my own.
Last note: back in Oct 2005 when Hurricane Wilma hit South Florida (eye passed over my city), light to moderate damage, I had cable and it took them over a month to get it working again. Meanwhile the day after the storm I ordered a Bellsouth ADSL and since I had an old modem and a POTS phone line I was up in 3 business days. Found out from others that Bellsouth DSL never went down, all wires underground and self powered. Not sure if AT&T Uverse would stay up without power but it sure isn't run next to power lines. This doesn't apply to some people that have cable buried underground.
01-18-2013 5:06 PM
Just informed by AT&T that my Public IP block starts with 172.x.x.x although my router receives its DHCP address as a 108.x.x.x was told that I could not follow or use DMZPlus mode with a static IP address because that's how AT&T does things. Period end of story after over an hour of arguing. How am I supposed to setup a PTR record with 2 different networks? Ridiculous and inexcusable. I'm going to try calling back a few times but it seems I am going to have to cancel my service.
01-18-2013 6:10 PM
- edited 01-18-2013 6:27 PM
Supervisor at AT&T helped me and configured the router for me and I took NOTES!
He was able to assign my static IP so that my WAN NIC on my firewall has the same 172.9.x.x range it is not a private range. He reset to factory defaults then went to do the following:
Broadband, Link Configuration, Supplementary Network >Enable>Router Address 172.9.x.x>Subnet 255.255.255.248>AutoFirewall Open check
Settings>LAN>IP Address Allocation>
Address Assignment> Public (Select WAN IP Mapping)
WAN IP Mapping > Public Fixed: 172.9.x.x
Firewall Applications>Pinhole>DMZ>DMZPlus mode
The confusion came from the previous tech telling me that we would assign my 172.9.x.x static IPs to the device but that the outside world would see my "sticky IP" that you get when you release renew your RG 108.233.x.x that is why I flew off the handle after him telling me that's just how it works etc etc. Now the supervisor is setting up my PTR record for RDNS (up to 48 hours) so that mail will function properly on my static IP.
Again directions in Post #2 don't apply but when you examine my configuration I am in DMZPlus to the MAC of my firewall's NIC (currently going to my laptop to test) but speeds are excellent. Working great so far. Will report back when entire network is working through my firewall.
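The addressing in the post above can be sanity-checked before it is typed into the gateway. This is an added example, not part of the original post: it confirms that a 172.9.x.x block lies outside RFC 1918 space, that the firewall's WAN address sits inside the 255.255.255.248 block, and it flags the case asked about earlier in the thread where the gateway LAN and the inside LAN use the same range. The function names and the last two octets of every 172.9 address are constructed for illustration.

```python
import ipaddress

# RFC 1918 space. Only 172.16.0.0/12 is private within 172.0.0.0/8,
# so a 172.9.x.x block like the one in the post is publicly routable.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_plan(router_addr, netmask, firewall_wan, rg_lan, inside_lan):
    """Return (block, problems) for a static block routed behind the gateway."""
    block = ipaddress.ip_interface(f"{router_addr}/{netmask}").network
    wan = ipaddress.ip_address(firewall_wan)
    problems = []
    if is_rfc1918(router_addr):
        problems.append("static block is RFC 1918 space, not public")
    if wan not in block:
        problems.append(f"firewall WAN {wan} is outside {block}")
    elif wan in (block.network_address, block.broadcast_address):
        problems.append(f"firewall WAN {wan} is the network or broadcast address")
    elif str(wan) == router_addr:
        problems.append("firewall WAN duplicates the gateway's router address")
    if ipaddress.ip_network(rg_lan).overlaps(ipaddress.ip_network(inside_lan)):
        problems.append(f"gateway LAN {rg_lan} overlaps inside LAN {inside_lan}")
    return block, problems


if __name__ == "__main__":
    # Constructed values: the post elides the last two octets of 172.9.x.x.
    block, problems = check_plan("172.9.0.6", "255.255.255.248", "172.9.0.1",
                                 rg_lan="192.168.2.0/24", inside_lan="192.168.1.0/24")
    print(block, "usable hosts:", block.num_addresses - 2, problems or "OK")
```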
01-18-2013 6:31 PM
01-19-2013 3:51 PM
I am trying to use the 3600HGV as a bridge and use the Airport Extreme (5th generation) as my router. I am trying to follow SomeJoe's instructions in message 2 to activate DMZPlus on the 2Wire to emulate bridge mode, and set up the AE as my router.
At Step 8, after reboot of the AE, I verified the 2Wire had changed the AE's IP address. The settings before the reboot were IPv4 address = 192.168.1.67, subnet mask = 255.255.255.0, router address = 192.168.1.254 (the 2Wire), DNS server = 192.168.1.254 (the 2Wire), and domain name = gateway.2wire.net. After the reboot, the IPv4 setting changed to 188.8.131.52 and subnet mask changed to 255.255.252.0, and router address changed to 184.108.40.206. The DNS server address and the domain name did not change and remained 192.168.1.254 and gateway.2wire.net, respectively. Using Airport Utility on a MacBook Pro, I then changed the IP address to static using the new address, and told the AE router to use DHCP and NAT as the router mode since it had been set at OFF (bridge mode). The settings also showed the DHCP range would be 10.0.1.2 to 10.0.1.200. I tried to save all of that so I could go to Step 9, but I kept getting a message that no valid DNS server or domain name had been set. I finally chose to ignore the message, the AE rebooted, and I went on and made the other changes to the 2Wire modem/router set out in Steps 9 through 14.
Now I am not getting internet service, which I guess means I have to change the DNS server and domain names in the AE router, which is the only step set out in message 2 that didn't seem to go correctly. Can anyone help? Is SomeJoe still posting?
01-19-2013 6:18 PM
- edited 01-19-2013 9:21 PM
Setup the 3801 exactly the same way it was connected to my laptop for testing. Experiencing the same issue as I did a year ago. My speedtests are erratic. All day yesterday I tested 22-23mbps all over with 2.8-2.9. Now I get 14mbps and 2.4mbps and the tests are erratic and often never the same even to the same servers. Just tested now and got 5.07mbps and 2.7mbps something seriously wrong. 3801 has been reset so has my Astaro. However if I plug my laptop in and obtain a 192.168.2.x IP and test it is full speed.
Same server from laptop on LAN IP just tested @ 23.03mbps / 2.91mbps ping 25
Going through my Astaro Firewall WAN IP tested @ 10.36mbps / 2.89mbps ping 32
Any ideas why this is happening would be greatly appreciated.
When I try to trace route places hop 3-13 time out when going through the Astaro firewall then hop 14-30 just keep repeating same ping reply but only first 2 replies 3rd always times out.
When I connect laptop to the DHCP Port 2 of the RG it trace routes just fine with no time outs.
This seems troubling as well.... Something is going on in this RG that the Astaro routing doesn't like... Feels like it has to do with something on this other "sticky IP" that starts with public IP 108.233.x.x (the RG is 192.168.2.254)
Tracing route to 192.168.2.254 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.17
2 <1 ms <1 ms * 192.168.2.254
3 <1 ms <1 ms * 192.168.2.254
4 <1 ms <1 ms * 192.168.2.254
5 <1 ms <1 ms * 192.168.2.254
6 <1 ms <1 ms * 192.168.2.254
7 <1 ms <1 ms * 192.168.2.254
8 <1 ms <1 ms * 192.168.2.254
9 <1 ms <1 ms * 192.168.2.254
10 <1 ms <1 ms * 192.168.2.254
11 1 ms <1 ms * 192.168.2.254
12 <1 ms <1 ms * 192.168.2.254
13 <1 ms <1 ms ^C
Update: any IP address trace route past the WAN IP of the firewall's NIC replies first 2 as seen above then 3rd is always * when it reaches its destination it repeats until it reaches max of 30 hops.
The only IPs I can successfully trace route are before it leaves the WAN NIC of the firewall, internal machines etc. This likely has to do with why my speed tests are very erratic data is not passing through properly.
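The trace quoted in the post above has a recognisable shape: one address answers at every TTL after the first hop, the run continues after the destination has already replied, and the same probe position is lost each time. As an added example (not part of the original post), this parser for Windows `tracert` output flags those three conditions; the function names are illustrative and the sample is an excerpt of the poster's own output.

```python
import re
from collections import Counter

# Excerpt of the tracert output quoted in the post (hops 5-12 repeat hop 4).
SAMPLE = """\
Tracing route to 192.168.2.254 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.17
2 <1 ms <1 ms * 192.168.2.254
3 <1 ms <1 ms * 192.168.2.254
4 <1 ms <1 ms * 192.168.2.254
13 <1 ms <1 ms ^C
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
PROBE_RE = re.compile(r"<?\d+ ms|\*")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_tracert(text):
    """Return (ttl, [probe results], responder) for every completed hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        ip = IP_RE.search(line)
        if not m or not ip:
            continue  # header, fully timed-out hop, or a hop cut short by ^C
        probes = PROBE_RE.findall(line[m.start(2):ip.start()])
        hops.append((int(m.group(1)), probes, ip.group(1)))
    return hops


def analyse(text):
    """Summarise the anomalies visible in one tracert run."""
    target = re.search(r"Tracing route to (\S+)", text).group(1)
    hops = parse_tracert(text)
    seen = Counter(ip for _, _, ip in hops)
    at_target = [probes for _, probes, ip in hops if ip == target]
    return {
        "target": target,
        # Same address at several TTLs: the trace is not advancing one router per hop.
        "repeated_responders": {ip: n for ip, n in seen.items() if n > 1},
        # tracert normally stops once the destination itself answers.
        "continued_past_target": len(at_target) > 1,
        # Probe positions (0-2) lost at every hop answered by the target.
        "always_lost_probe": [
            i for i in range(3)
            if at_target and all(len(p) > i and p[i] == "*" for p in at_target)
        ],
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
```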
- edited 01-20-2013 12:49 PM
I think I have resolved this issue with my Astaro in ESXi Vmware. I thought it was many things including virtual nics vswitch etc.
Turns out the erratic speeds and pings and behavior stemmed from a packet filter rule on my internal interface to the outside. Instead of having the rule as Internal > any > Internet IPV4, I had and still was using a rule that was Internal > Any > External WAN....
This type of setup was from many many years of using Astaro and worked perfectly fine with any normal bridged router or modem that provided a static IP and default gateway. However, most of you reading this are aware the RG is far from "normal" it behaves differently because of the need for TV and Phone. Having been through more hours than I can think of this weekend I now know the reasoning behind the need for this gateway as a defense for AT&T at least. Hopefully they'll get one option for business internet only someday.
In the end it took me loading the new Sophos (which is Astaro) UTM V9 installation fresh as a new VM going through basic configuration by default it added the NAT Masquerading then I watched a youtube video of someone that spent about 15 minutes showing the installation of an older version V8 and when he created his "packet filter rule" which is now called "firewall" he pointed all internal traffic to a different destination as mentioned above instead of the physical WAN.
I am now pinging, trace routing, and speed testing the same as my laptop that is connected directly to the RG on DHCP. FYI through some research I found that trace routes are hit and miss when you are behind the RG as a static IP still not working exactly right. However I can trace route to my "sticky IP" and to the gateway of my "sticky IP" they begin with 108.233 and are similar I think to a serial IP on a T1.
AT&T had my PTR record for reverse DNS set up in less than 24 hours (not sure exactly when it was) but it could have been as early as 8 hours from when I requested it (they say it can be up to 48 hours). Now I just need to change my MX record in my DNS and I'm all set. They opened port 25 for me in a few clicks. I might have slightly higher pings than I had with Comcast but STABILITY factor is much higher: when I run pingtest and VoIP testing I get 98-99% vs Comcast 85-95% stable and jitter is better as well. Overall very stable connection.
Update: a few minutes later after walking away and returning to my desk I tested some more and like a lie detector test my speedtest.net got 4mbps down with huge spikes and valleys showing issues during the test. Different server 5.87mbps, at my wits' end with this nonsense. Meanwhile my laptop that's testing connected directly to the RG using its NAT gets perfect tests from any server every time.
01-21-2013 1:48 PM
Using laptop as a physical NIC and I created a new VM of Win7 64bit install I was able to test the problem further. It is NOT present on the laptop as a static IP route 172.9.x.x and in the VM Win7 session with virtual nic and virtual mac the testing and trace routing are about the same. Still have a lot of * * * time outs though when going through the static IP DMZplus vs if a machine is connected to the LAN DHCP with the "sticky IP" as WAN (trace routes usually almost the entire route)
So I am now going to work with Astaro engineering as they can log on remotely and assess what is happening to the traffic and why it is behaving erratically. Simple solution would be for me to just hook up an old D-Link NAT router but I have mail scanning, IPS etc on the Astaro/Sophos product and have been using it for a long time.
I know it must have something to do with the way this RG does this Static IP routing to Sticky IP and perhaps they have a solution with some kind of DNAT/SNAT or masquerading. Late last night I changed to my Static IP for Comcast SMC and instantly was online so wish this RG would just bridge and bypass all this residential stuff. Comcast annoyed me enough though with billing that I am hopeful I can get this troubleshot and resolved for myself and others that run into this issue.