U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

Teacher


I am having trouble properly configuring this AT&T 2Wire 3600HGV modem for my network. Maybe someone is aware of a different firmware for this product?

 

I am completely aware of how to setup the DMZ mode & router behind router setup in these boxes but that is NOT the point. (We have supported firewalled networked equipment working that has all the bells & whistles including QoS)

 

In the event of a factory reset of the AT&T 2Wire VDSL modem at this business, I want to properly ensure the following business requirements are met:

- DHCP - OFF (at min, it appears you must leave one available?)

- WiFi - OFF (Yes this can be turned off, but bridging it always ensured it was turned off in the past. ON is a security concern among just bad business i.e. conflict with other business WiFi, employees might see/use this non-content filtered WiFi, etc etc)

- & passing off internet service needs to be easy to another networked supported OUTSIDE of AT&T firewall. (I'm NOT asking for AT&T support on this, but in the bridge DSL world, this was EASY)

- if bridging this 2Wire is NOT an option, backing up the configuration settings would be a nice alternative but that is not available as well?

 

Bridging the old DSL modems always worked nicely but the 2Wire 3XXXHGV line appears to be the ONLY ones to support the AT&T VDSL Max Turbo speeds. 24Mbps down / 3 Mbps up which we use not only for normal business operations (credit cards, business email, web based training, etc) but this high speed is required to view onsite security video (3Mbps up) and offer customers FAST free WiFi!

 

AT&T U-Verse offers the right price, contract, speed, internet package & installers to properly handle our restaurant locations company's data needs but I'm struggling with their "business" support of this 2Wire VDSL modem product. We ONLY use the internet, no TV (not legally available for restaurants, yet). No Voip because POTS is our reliable backup. So it's just the internet service ...

 

For coverage on AT&T Uverse, we have over 50 locations lit up like a Christmas tree but sadly business support on this product is driving me nutz! Maybe because I now see this is listed under "Residential Gateway"? Is this AT&T 2Wire VDSL modem product not meant for business? Is anyone aware of another supported AT&T VDSL modem or a different 2Wire firmware available? Official AT&T support has me running in circles (AT&T U-verse support > AT&T Connecttech > AT&T Connecttech360 > AT&T U-verse support, rinse, repeat)  

 

help?

Message 1 of 636 (566,051 Views)
Expert

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

The 3600 is actually the same hardware as a 3800, but with the coax section removed.

The 3801 is newer hardware, with a faster processor, better switch hardware, better VDSL chipset, and newer revision HPNA chipset. I would recommend you stay with the 3801.

All 3x00 gateways from AT&T run the same firmware, so the feature set and operation is identical.

Since you have business class service, you should be able to call and have PTR records set up for your static IPs, but I know some customers in the past have had trouble getting in contact with the right people to make this happen. If you run into problems, send a PM to customer care here on the forum.

If the RG is at 192.168.2.254, and your DMZPlus is setup correctly, then the WAN interface of the Astaro will get a public IP. The LAN IP of the Astaro should be 192.168.1.x (different subnet than the RG). Now all you need to do is add a static route to the Astaro that 192.168.2.0/24 is accessible via the WAN interface. Once that's done, you can browse to the RG using http://192.168.2.254 from inside your firewall.

Correct, the LAN IP of the RG and the WAN IP of the Astaro do not have to be on the same subnet, which is weird, I know. This is because the RG routes packets to the Astaro at layer 2 via MAC address, so its IP address becomes irrelevant as far as the RG is concerned.
Message 361 of 636 (4,487 Views)
Explorer

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

One more most important question. If the DMZPlus mode "pass through" goes from the RG to my Firewall (WAN NIC) with a static public IP then how could there be any conflicting traffic if my network is 192.168.1.x and the RG LAN IP is 192.168.1.x? Since I would have nothing else connected to the RG and my Firewall's NIC would be processing the traffic with its own NAT how could the RG get confused or interference if it was just passing all traffic through?

 

Also even if the RG is processing/routing traffic through the DMZPlus mode that means it is seeing past my WAN NIC public IP and able to see the other LAN NIC on my firewall and see devices on my network? Doesn't make sense really.

 

Another concern is the Astaro firewall (linux based) runs on a VMWare ESXi box with my Server and Exchange. There are two physical NICs and two physical MAC addresses for each card and I've really only had Comcast SMC and an older Comcast modem/router in bridged mode where I just simply set the WAN NIC for public static IP with subnet mask and default gateway. So I'm concerned that these VMware vNICs are maybe causing the RG confusion and resulting in that speed processing problem?

Message 362 of 636 (4,485 Views)
Expert

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

The problem with having both the RG's LAN and your firewall's internal LAN as the same subnet is twofold:

a. After the DMZPlus mode is enacted, there is no routing conflict and things actually will work. But because of the way that DHCP works on the RG, you have to allow your firewall to get a private IP first before you can switch it to DMZPlus mode. During that time, you have an illegal network configuration with the same subnet on both interfaces of the firewall, and because MAC addresses get cached in all devices, this will cause problems with the switch-over to DMZPlus.

b. You cannot reach the RG from inside the firewall in that configuration, because you can't insert the proper static route into your firewall.

On your ESXi box, remember that the NIC physical MAC is only used for traffic originating or terminating on the ESXi box itself. Traffic to and from VMs uses the configured MAC address in the VM setup options, which is different.

In any case, the physical interface connected to the RG needs to be isolated at the layer 2 level from the physical interface carrying internal LAN traffic. Do not let both NICs be connected together through a switch such that they can see each other, because things like proxy ARP will get in the way of proper routing and cause problems.
Message 363 of 636 (4,483 Views)
Explorer

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?


Astaro firewall management shows this for the interfaces.

 

Eth0 being my LAN on 192.168.1.x and Eth1 is the WAN with the static IP, snm, gw

 

Both seem to provide a different MAC address. As a side note I used to actually run all traffic LAN and WAN through a single VLAN NIC interface and some items such as my Bluray player, Samsung TV and other smaller devices had issues connecting to the internet, since I added a second physical NIC I've had none of those issues for about 2 years now.

 

eth1: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
Slot: n/a
Auto negotiation: On
Supported link modes:
MAC Address: 00:50:56:12:32:11
Interrupt (IRQ): 19
PCI Device ID: 0x2000:0x2000
MII capable: No
HA link monitoring: Yes

eth0: Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
Slot: n/a
Auto negotiation: On
Supported link modes:
MAC Address: 00:50:56:23:11:31
Interrupt (IRQ): 18
PCI Device ID: 0x2000:0x2000
MII capable: No
HA link monitoring: Yes

Message 364 of 636 (4,483 Views)
Tutor

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

does this allow for the Airports 1000base/T (Gigabit) speeds ? Tech is telling me they cannot turn off NAT services and do not offer a dedicated Modem.

Message 365 of 636 (4,432 Views)
Explorer

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?


decoff wrote:

does this allow for the Airports 1000base/T (Gigabit) speeds ? Tech is telling me they cannot turn off NAT services and do not offer a dedicated Modem.


I can at least help with this question. The 2wire 3801 has 10/100 ports, I'm going to assume the 3800 and 3600 are the same.

 

Even if you had gigabit ports on it the internet isn't going to come in any faster unless you approach a 100mbps internet connection actually even if you were at a 50mbps or higher you might want GB ports but I think even at 50mbps a 100mbps port would be ok. Suggest if you want to have gigabit on your LAN to use what a lot are doing in this thread and do the "ip passthrough" since none of AT&T Uverse VDSL (except older DSL tech) have a router/modem that will fully bridge.

 

With the help of SomeJoe7777 who is well known by AT&T techs I am going to be trying to "pass through" all my traffic this evening and see if my erratic download and upload speed tests are gone with his solutions. My install was excellent, less than 48 hours and I am fully installed!!! The disappointment however is as others have mentioned ping times tend to be a little higher. This might have mattered when I was younger in the BF2 days where I played a lot of ping sensitive games.

 

Speed tests 23-23.5mbps down and 2.8-2.9mbps up very nice... Max user rate 54mbps/8mbps Profile 32mbps/5mbps (pretty standard) I was told I was 1200-1700 ft from the vrad so when pair bonding and 48mbps comes out I should be good to go several pairs of copper available near my location.

 

Of note to some people I'm on AT&T Uverse Business Class, when I browsed online with the modem to agree to terms setup accounts etc. I noticed the 250GB limit (which they haven't started metering yet) but this limitation says clearly "Applies ONLY to residential customers" I confirmed that with tech support and a supervisor. Pretty much on par with Comcast no usage limitations on business. Already did checks on my static IP and it is clear from all spam/blacklist databases.

 

Remember everyone that is on Comcast or other cable providers, when the physical cable is cut or damaged hundreds of people go down like the old Christmas tree lights if you are on that node you'll be down. Also power outages you'll lose your internet (at least here it goes down). I've found in the past when dealing with AT&T (then Bellsouth) I always had a truck roll immediately even in the night if necessary and better tech support. This would probably not apply the same for residential support as you probably get thrown overseas.

 

I really do hope that I can post great results when tomorrow when I can bring my existing connection offline and setup the uverse connection to my firewall. AT&T offered me a great rate and locked me in for 2 years at my request, in which time I can elect to upgrade or downgrade my plan if necessary. No monthly modem fee either, where Comcast was raping me for $7 a month and wouldn't even allow me to buy my own.

 

Last note back Oct 2005 when Hurricane Wilma hit south florida (eye passed over my city) light to moderate damage I had cable and it took them over a month to get it working again. Meanwhile the day after the storm I ordered a Bellsouth ADSL and since I had an old modem and a pots phone line I was up in 3 business days. Found out from others that Bellsouth DSL never went down, all wires underground and self powered. Not sure if AT&T Uverse would stay up without power but it sure isn't run next to power lines. This doesn't apply to some people that have cable buried underground.

Message 366 of 636 (4,426 Views)
Explorer

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

Just informed by AT&T that my Public IP block starts with 172.x.x.x although my router receives its DHCP address as a 108.x.x.x was told that I could not follow or use DMZPlus mode with a static IP address because that's how AT&T does things. Period end of story after over an hour of arguing. How am I supposed to setup a PTR record with 2 different networks? Ridiculous and inexcusable. I'm going to try calling back a few times but it seems I am going to have to cancel my service.

Message 367 of 636 (4,402 Views)
Expert

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

While most of the AT&T help desk technicians cannot properly answer the technical questions about their network and gateway setup, it is unfortunate in this instance that he does happen to be mostly correct.

The AT&T gateways do not have the ability to insert a static route, so you cannot route a static IP block behind your own routing device.

Also, if they gave you an IP block of 172.16.x.x through 172.31.x.x, then you're behind Carrier-Grade NAT anyway, so you couldn't run servers on those IPs even if you tried.

There is an extremely complex work-around to use a static IP block behind your own router, but it requires either a custom coded Linux box, a Cisco IOS router capable of running Hot Standby Router Protocol (HSRP), or the router has to have some type of ability to present multiple MAC addresses on its WAN interface.

For your requirements, it's looking less and less likely that you're going to be able to set up your network like you want. I would recommend you take a look at a provider who can provide a true business solution.
Message 368 of 636 (4,392 Views)
Explorer

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?


Supervisor at AT&T helped me and configured the router for me and I took NOTES!

 

He was able to assign my static IP so that my WAN NIC on my firewall has the same 172.9.x.x range it is not a private range. He reset to factory defaults then went to do the following:

 

Broadband, Link Configuration, Supplementary Network >Enable>Router Address 172.9.x.x>Subnet 255.255.255.248>AutoFirewall Open check

 

Settings>LAN>IP Address Allocation>

 

Device XYZ

 

Firewall Disabled

Address Assignment> Public (Select WAN IP Mapping)

WAN IP Mapping > Public Fixed: 172.9.x.x

 

Firewall Applications>Pinhole>DMZ>DMZPlus mode

 

The confusion came from the previous tech telling me that we would assign my 172.9.x.x static IPs to the device but that the outside world would see my "sticky IP" that you get when you release renew your RG 108.233.x.x that is why I flew off the handle after him telling me that's just how it works etc etc. Now the supervisor is setting up my PTR record for RDNS (up to 48 hours) so that mail will function properly on my static IP.

 

Again directions in Post #2 don't apply but when you examine my configuration I am in DMZPlus to the MAC of my firewall's NIC (currently going to my laptop to test) but speeds are excellent. Working great so far. Will report back when entire network is working through my firewall.

Message 369 of 636 (4,420 Views)
Expert

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

Oh, you only wanted to use one of the IPs from the static block? If that's the case, then yes, that method that the supervisor told you is correct and will work perfectly.

I was under the impression that you wanted to use the 172.9.x.x addresses BEHIND your firewall, which isn't possible without the trickery I mentioned above.
Message 370 of 636 (4,409 Views)
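
The checks discussed in the posts above (RG LAN vs. firewall LAN subnet, the type of address assigned to the firewall's WAN NIC, and the 255.255.255.248 static block) can be run as a pre-flight before switching to DMZPlus. This is an added example, not from any poster or from AT&T; the function names and the concrete host addresses are constructed for illustration, since the thread only gives x.x placeholders.

```python
import ipaddress

# Address space that is never directly reachable from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify(addr):
    """Return 'rfc1918-private', 'cgnat-shared', 'special' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918-private"
    if ip in CGNAT:
        return "cgnat-shared"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "special"
    return "public"


def preflight(rg_lan, fw_lan, fw_wan, block_router, block_mask):
    """Validate a firewall-behind-RG layout; returns findings and derived values.

    rg_lan / fw_lan are 'address/prefix' strings, fw_wan is the address given
    to the firewall's WAN NIC, block_router / block_mask describe the static
    block entered as the RG's supplementary network.
    """
    rg = ipaddress.ip_interface(rg_lan)
    lan = ipaddress.ip_interface(fw_lan)
    wan = ipaddress.ip_address(fw_wan)
    router = ipaddress.ip_address(block_router)
    block = ipaddress.ip_network(f"{block_router}/{block_mask}", strict=False)
    findings = []

    # Same subnet on both sides of the firewall: no static route to the RG
    # can be added, so its admin page is unreachable from the inside LAN.
    if rg.network.overlaps(lan.network):
        findings.append(("lan-overlap",
                         f"RG LAN {rg.network} overlaps firewall LAN {lan.network}"))
        route = None
    else:
        route = f"{rg.network} via WAN interface"

    # A non-public WAN address means inbound services sit behind someone's NAT.
    kind = classify(fw_wan)
    if kind != "public":
        findings.append(("wan-not-public", f"{wan} is {kind}"))

    # The WAN address must be a usable host inside the static block.
    if wan not in block:
        findings.append(("wan-outside-block", f"{wan} is not in {block}"))
    elif wan in (block.network_address, block.broadcast_address, router):
        findings.append(("wan-unusable", f"{wan} is reserved within {block}"))

    return {"findings": findings, "rg_route": route,
            "wan_class": kind, "block": str(block)}


if __name__ == "__main__":
    # Constructed sample values: RG at 192.168.2.254, firewall LAN 192.168.1.x,
    # and made-up hosts inside a 172.9.0.8/29 block.
    result = preflight("192.168.2.254/24", "192.168.1.1/24",
                       "172.9.0.9", "172.9.0.14", "255.255.255.248")
    print(result["rg_route"], result["wan_class"], result["block"])
    for code, message in result["findings"]:
        print(code, message)
```
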
Voyager

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

I am trying to use the 3600HGV as a bridge and use the Airport Extreme (5th generation) as my router. I am trying to follow SomeJoe's instructions in message 2 to activate DMZPlus on the 2Wire to emulate bridge mode, and set up the AE as my router.

 

At Step 8, after reboot of the AE, I verified the 2Wire had changed the AE's IP address. The settings before the reboot were IPv4 address = 192.168.1.67, subnet mask = 255.255.255.0, router address = 192.168.1.254 (the 2Wire), DNS server = 192.168.1.254 (the 2Wire), and domain name = gateway.2wire.net. After the reboot, the IPv4 setting changed to 99.36.108.212 and subnet mask changed to 255.255.252.0, and router address changed to 99.36.108.1. The DNS server address and the domain name did not change and remained 192.168.1.254 and gateway.2wire.net, respectively. Using Airport Utility on a Mac Lapbook Pro, I then changed the IP address to static using the new address, and told the AE router to use DHCP and NAT as the router mode since it had been set at OFF (bridge mode). The settings also showed the DHCP range would be 10.0.1.2 to 10.0.1.200. I tried to save all of that so I could go to Step 9, but I kept getting a message that no valid DNS server or domain name had been set. I finally chose to ignore the message, the AE rebooted, and I went on and made the other changes to the 2Wire modem/router set out in Steps 9 through 14.

 

Now I am not getting internet service, which I guess means I have to change the DNS server and domain names in the AE router, which is the only step set out in message 2 that didn't seem to go correctly.  Can anyone help?  Is SomeJoe still posting? 

 

Message 371 of 636 (4,381 Views)
Expert

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

If you set your AE to use a static IP instead of DHCP, then yes, you will have to set the DNS server and domain manually.

You can use AT&T's DNS servers if you want:

68.94.156.1
68.94.157.1

Or you can use a 3rd-party DNS provider like OpenDNS:

208.67.222.222
208.67.220.220

Or Google:

8.8.8.8
8.8.4.4

For the domain name, it really doesn't matter, but you can put in att.net.

Message 372 of 636 (4,370 Views)
Explorer

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?


Setup the 3801 exactly the same way it was connected to my laptop for testing. Experiencing the same issue as I did a year ago. My speedtests are erratic. All day yesterday I tested 22-23mbps all over with 2.8-2.9. Now I get 14mbps and 2.4mbps and the tests are erratic and often never the same even to the same servers. Just tested now and got 5.07mbps and 2.7mbps something seriously wrong. 3801 has been reset so has my Astaro. However if I plug my laptop in and obtain a 192.168.2.x IP and test it is full speed.

 

Same server from laptop on LAN IP just tested @ 23.03mbps / 2.91mbps ping 25

Going through my Astaro Firewall WAN IP tested @ 10.36mbps / 2.89mbps ping 32

 

Any ideas why this is happening would be greatly appreciated.

 

When I try to trace route places hop 3-13 time out when going through the Astaro firewall then hop 14-30 just keep repeating same ping reply but only first 2 replies 3rd always times out.

 

When I connect laptop to the DHCP Port 2 of the RG it trace routes just fine with no time outs.

 

This seems troubling as well.... Something is going on in this RG that the Astaro routing doesn't like... Feels like it has to do with something on this other "sticky IP" that starts with public IP 108.233.x.x (the RG is 192.168.2.254)

 

Tracing route to 192.168.2.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.17
  2    <1 ms    <1 ms     *     192.168.2.254
  3    <1 ms    <1 ms     *     192.168.2.254
  4    <1 ms    <1 ms     *     192.168.2.254
  5    <1 ms    <1 ms     *     192.168.2.254
  6    <1 ms    <1 ms     *     192.168.2.254
  7    <1 ms    <1 ms     *     192.168.2.254
  8    <1 ms    <1 ms     *     192.168.2.254
  9    <1 ms    <1 ms     *     192.168.2.254
 10    <1 ms    <1 ms     *     192.168.2.254
 11     1 ms    <1 ms     *     192.168.2.254
 12    <1 ms    <1 ms     *     192.168.2.254
 13    <1 ms    <1 ms  ^C

 

Update: any IP address trace route past the WAN IP of the firewall's NIC replies first 2 as seen above then 3rd is always * when it reaches its destination it repeats until it reaches max of 30 hops.

 

The only IPs I can successfully trace route are before it leaves the WAN NIC of the firewall, internal machines etc. This likely has to do with why my speed tests are very erratic data is not passing through properly.

Message 373 of 636 (4,356 Views)
Explorer

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?


I think I have resolved this issue with my Astaro in ESXi Vmware. I thought it was many things including virtual nics vswitch etc.

 

Turns out the erratic speeds and pings and behavior stemmed from a packet filter rule on my internal interface to the outside. Instead of having the rule as Internal > any > Internet IPV4, I had and still was using a rule that was Internal > Any > External WAN....

 

This type of setup was from many many years of using Astaro and worked perfectly fine with any normal bridged router or modem that provided a static IP and default gateway. However, most of you reading this are aware the RG is far from "normal" it behaves differently because of the need for TV and Phone. Having been through more hours than I can think of this weekend I now know the reasoning behind the need for this gateway as a defense for AT&T at least. Hopefully they'll get one option for business internet only someday.

 

In the end it took me loading the new Sophos (which is Astaro) UTM V9 installation fresh as a new VM going through basic configuration by default it added the NAT Masquerading then I watched a youtube video of someone that spent about 15 minutes showing the installation of an older version V8 and when he created his "packet filter rule" which is now called "firewall" he pointed all internal traffic to a different destination as mentioned above instead of the physical WAN.

 

I am now pinging, trace routing, and speed testing the same as my laptop that is connected directly to the RG on DHCP. FYI through some research I found that trace routes are hit and miss when you are behind the RG as a static IP still not working exactly right. However I can trace route to my "sticky IP" and to the gateway of my "sticky IP" they begin with 108.233 and are similar I think to a serial IP on a T1.

 

AT&T had my PTR record for reverse DNS setup in less than 24 hours (not sure exactly when it was) but it could have been as early as 8 hours from when I requested it (they say it can be up to 48 hours) now I just need to change my MX record in my DNS and I'm all set. They opened port 25 for me in a few clicks. I might have slightly higher pings than I had with comcast but STABILITY factor is much higher when I run pingtest and voip testing I get 98-99% vs comcast 85-95% stable and jitter is better as well. Overall very stable connection.

 

Update: a few minutes later after walking away and returning to my desk I tested some more and like a lie detector test my speedtest.net got 4mbps down with huge spikes and valleys showing issues during the test. Different server 5.87mbps, at my wits end with this nonsense. Meanwhile my laptop that's testing connected directly to the RG using its NAT gets perfect tests from any server everytime.

Message 374 of 636 (4,292 Views)
Explorer

Re: U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

Using laptop as a physical NIC and I created a new VM of Win7 64bit install I was able to test the problem further. It is NOT present on the laptop as a static IP route 172.9.x.x and in the VM Win7 session with virtual nic and virtual mac the testing and trace routing are about the same. Still have a lot of * * * time outs though when going through the static IP DMZplus vs if a machine is connected to the LAN DHCP with the "sticky IP" as WAN (trace routes usually almost the entire route)

 

So I am now going to work with Astaro engineering as they can logon remotely and assess what is happening to the traffic and why it is behaving erratically. Simple solution would be for me to just hook up an old dlink NAT router but I have mail scanning, IPS etc on the Astaro/Sophos product and been using it for a long time.

 

I know it must have something to do with the way this RG does this Static IP routing to Sticky IP and perhaps they have a solution with some kind of DNAT/SNAT or masquerading. Late last night I changed to my Static IP for Comcast SMC and instantly was online so wish this RG would just bridge and bypass all this residential stuff. Comcast annoyed me enough though with billing that I am hopeful I can get this troubleshot and resolved for myself and others that run into this issue.

Message 375 of 636 (4,197 Views)