Treo600user's profile

Teacher

 • 

3 Messages

Wednesday, March 16th, 2011 3:18 PM

U-verse for BUSINESS? : 2Wire 3600HGV bridge mode? or another AT&T supported VDSL modem?

I am having trouble properly configuring this AT&T 2Wire 3600HGV modem for my network. Maybe someone is aware of a different firmware for this product?

 

I am completely aware of how to setup the DMZ mode & router behind router setup in these boxes but that is NOT the point. (We have supported firewalled networked equipment working that has all the bells & whistles including QoS)

 

In the event of a factory reset of the AT&T 2Wire VDSL modem at this business, I want to properly insure the following business requirements are met:

- DHCP - OFF (at min, it appears you must leave one available?)

- WiFi - OFF (Yes this can be turned off, but bridging it always insured it was turned off in the past. ON is a security concern among just bad business i.e. conflict with other business WiFi, employees might see/use this non-content filtered WiFi, etc etc)

- & passing off internet service needs to be easy to another networked supported OUTSIDE of AT&T firewall. (I'm NOT asking for AT&T support on this, but in the bridge DSL world, this was EASY)

- if bridging this 2Wire is NOT an option, backing up the configuration settings would be a nice alternative but that is not available as well?

 

Bridging the old DSL modems always worked nicely but the 2Wire 3XXXHGV line appears to be the ONLY ones to support the AT&T VDSL Max Turbo speeds. 24Mbps down / 3 Mbps up which we use not only for normal business operations (credit cards, business email, web based training, etc) but this high speed is required to view onsite security video (3Mbps up) and offer customers FAST free WiFi!

 

AT&T U-Verse offers the right price, contract, speed, internet package & installers to properly handle our restaurant locations company's data needs but I'm struggling with their "business" support of this 2Wire VDSL modem product. We ONLY use the internet, no TV (not legally available for restaurants, yet). No Voip because POTS is our reliable backup. So it's just the internet service ...

 

For coverage on AT&T Uverse, we have over 50 locations lit up like a Christmas tree but sadly business support on this product is driving me nutz! Maybe because I now see this is listed under "Residential Gateway"? Is this AT&T 2Wire VDSL modem product not meant for business? Is anyone aware of another supported AT&T VDSL modem or a different 2Wire firmware available? Official AT&T support has me running in circles (AT&T U-verse support > AT&T Connecttech > AT&T Connecttech360 > AT&T U-verse support, rinse, repeat)  

 

help?

Accepted Solution

Official Solution

Expert

 • 

9.4K Messages

13 years ago

There is no true bridge mode on the 2Wire routers.  However, you can still configure it such that almost all functions of your own router will work properly.

 

1. Set your router's WAN interface to get an IP address via DHCP.  This is required at first so that the 2Wire recognizes your router.

2. Plug your router's WAN interface to one of the 2Wire's LAN interfaces.

3. Restart your router, let it get an IP address via DHCP.

4. Log into the 2Wire router's interface.  Go to Settings -> Firewall -> Applications, Pinholes, and DMZ

5. Select your router under section (1).

6. Click the DMZPlus button under section (2).

7. Click the Save button.

8. Restart your router, when it gets an address via DHCP again, it will be the public outside IP address.  At this point, you can leave your router in DHCP mode (make sure the firewall on your router allows the DHCP renewal packets, which will occur every 10 minutes), or you can change your router's IP address assignment on the WAN interface to static, and use the same settings it received via DHCP.

9. On the 2Wire router, go to Settings -> Firewall -> Advanced Configuration

10. Uncheck the following: Stealth Mode, Block Ping, Strict UDP Session Control.

11. Check everything under Outbound Protocol Control except NetBIOS.

12. Uncheck NetBIOS under Inbound Protocol Control.

13. Uncheck all the Attack Detection checkboxes (7 of them).

14. Click Save.

 

Your router should now be able to route as if the 2Wire was a straight bridge, for the most part.

 

Inbound port 22 might be blocked, and inbound ports 8000-8015 might also be blocked, and there's nothing that can be done about it.

 

This is how I have my 2Wire configured, and I have a Cisco 2811 behind it doing IPSec, IPv6 tunnels, etc.

 

Tutor

 • 

2 Messages

13 years ago

Hi,

 

Would you be able to give a hint as to how your 2811 is setup? Are you nat-ing inside source behind 2811 using overload? I've been trying to do the same with 1841 but having some issues.

 

Thanks

Expert

 • 

9.4K Messages

13 years ago

Yes, I'm using NAT to the outside interface of the 2811.

 

Here is a representative configuration:

 

 

Current configuration : 12632 bytes
!
! Last configuration change at 16:51:56 CST Fri Mar 4 2011 by xxxxxxxx
! NVRAM config last updated at 16:14:07 CST Fri Mar 4 2011 by xxxxxxxx
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname inet.dw.2811
!
boot-start-marker
boot system flash 
boot-end-marker
!
logging buffered 51200 warnings
logging console warnings
enable secret 5 xxxxxxxxxxxxxxxx
!
clock timezone CST -6
clock summer-time CDT recurring
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
ip cef
no ip dhcp use vrf connected
!
no ip bootp server
ip domain name thedanzone.net
ip name-server 192.168.160.20
!
ip inspect name fromLAN_ipv4 tcp
ip inspect name fromLAN_ipv4 udp
ip inspect name fromLAN_ipv4 esmtp
ip inspect name fromLAN_ipv4 ftp
ip inspect name fromLAN_ipv4 ftps
ip inspect name fromLAN_ipv4 isakmp
ip inspect name fromLAN_ipv4 l2tp
ip inspect name fromLAN_ipv4 pptp
ip inspect name fromLAN_ipv4 ssh
ip inspect name fromINet_ipv4 tcp
ip inspect name fromINet_ipv4 udp
ip inspect name fromINet_ipv4 esmtp
ip inspect name fromINet_ipv4 ftp
ip inspect name fromINet_ipv4 ftps
ip inspect name fromINet_ipv4 isakmp
ip inspect name fromINet_ipv4 l2tp
ip inspect name fromINet_ipv4 pptp
ip inspect name fromINet_ipv4 ssh
!
multilink bundle-name authenticated
!
voice-card 0
!
username wilsondr password 7 xxxxxxxxxxxxxxxxxx
!
ip ssh version 2
! 
interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.160.1 255.255.255.0
 ip access-group internet_outbound in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip inspect fromLAN_ipv4 in
 ip virtual-reassembly max-reassemblies 64
 arp timeout 600
!
interface FastEthernet0/1
 description DMZ AT&T U-Verse Internet Service
 ip address dhcp
 ip access-group internet_inbound in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect fromINet_ipv4 in
 ip virtual-reassembly max-reassemblies 64
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
! 
ip nat inside source list nat_eligible interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.160.20 80 interface FastEthernet0/1 80
!
ip access-list extended internet_inbound
 remark Allow traffic from 2Wire router
 permit ip host 10.0.0.1 any
 remark Allow Cisco to renew DHCP
 permit udp any eq bootps any eq bootpc
 remark Block IPv4 Bogons
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 1.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 179.0.0.0 0.255.255.255 any
 deny ip 185.0.0.0 0.255.255.255 any
 deny ip 192.0.0.0 0.0.0.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 198.18.0.0 0.1.255.255 any
 deny ip 198.51.100.0 0.0.0.255 any
 deny ip 203.0.113.0 0.0.0.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 remark Block own assigned IPv4 space
 remark Block anything going to Windows RPC
 deny tcp any any eq 135
 remark Allow all ICMP traffic
 permit icmp any any
 remark Allow NTP to the router
 permit udp host 192.5.41.41 eq ntp any eq ntp
 permit udp host 192.5.41.209 eq ntp any eq ntp
 remark Allow services to internal servers
 permit tcp any any eq www
ip access-list extended internet_outbound
 remark Prohibit any contact with Windows RPC-NetBIOS
 deny tcp any any eq 135
 deny tcp any any eq 137
 deny tcp any any eq 138
 deny tcp any any eq 139
 deny udp any any eq 135
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 remark Allow traffic from own assigned IP space
 permit ip 192.168.160.0 0.0.0.255 any
ip access-list extended nat_eligible
 permit ip 192.168.160.0 0.0.0.255 any
!
logging facility local1
logging 192.168.160.20
!
snmp-server community xxxxxxxx RO
snmp-server location Dan Wilson, Houston, TX
snmp-server contact Dan Wilson, Houston, TX
snmp-server enable traps tty
!
banner login ^C
###################################################################
# #
# Dan Wilson Residence #
# -------------------- #
# #
# Dan Wilson Internet Border Router (Cisco 2811) #
# 76-238-185-187.lightspeed.hstntx.sbcglobal.net (76.238.185.187) #
# #
# Unauthorized Access Prohibited - All access attempts are logged #
# #
# Location: Dan Wilson Residence, Houston, TX #
# #
###################################################################
^C
!
line con 0
 session-timeout 30 
 exec-timeout 30 0
line aux 0
line vty 0 4
 session-timeout 30 
 exec-timeout 30 0
 transport input ssh
 transport output ssh
!
scheduler allocate 20000 1000
ntp server 192.5.41.41
ntp server 192.5.41.209 prefer
end 

 

[edited per user request] - pamelaz

Tutor

 • 

2 Messages

13 years ago

Wow! Thanks SomeJoe7777. Much more involved than I envisioned. Thank you very much for the info. I will see if I can make it work with your config as guideline. Much appreciated.

 

mewd80

Scholar

 • 

178 Messages

13 years ago

SomeJoe7777:

 

I just got a new wireless router and I'm trying to set it up as per your instructions.  (I did this before successfully a few years ago, but I can't remember how).  Anyway, I've followed your instructions, and everything seems set up correctly.  The router is getting an outside ip address.  My wireless devices are connecting fine with a valid ip address from the router's dhcp.  But, I get no internet.  I also have a desktop computer plugged directly into the router, and it has no internet.  The rest of the computers on my network are all working fine.  The only possible deviation is that the router is not plugged directly into the 2Wire, but is plugged into a switch connected to the 2Wire that all my other computers are connected to.  Would that make a difference?

 

Any help is appreciated.

 

One other thing that I just noticed: when looking at the connection info on my iPhone, it's showing the DNS address as the same address as the wireless router (it's actually showing that address twice).  That sounds suspicious to me.

 

 

Expert

 • 

9.4K Messages

13 years ago

No, the switch should not make any difference.  That should work fine.

 

If devices that are connected to your router are getting DNS addresses that are the same as your router, that is correct.  Most home routers act as a DNS server, so they hand out their own address as the DNS server.  The router then forwards the DNS requests to the upstream DNS server.

 

Check your subnetting on the 2Wire RG and on your router carefully.  By default, the U-Verse RG's DHCP range is set to 192.168.1.x.  This is the same DHCP range that many home routers hand out.  If the two DNS ranges are the same, Internet will not work.  You must change the LAN addressing of your router to 192.168.2.x (router address: 192.168.2.1), or you must change the 2Wire DHCP range on this page:

 

http://192.168.1.254/xslt?PAGE=C_2_3

 

Once the two routers are using different LAN subnets (i.e. different router addresses and different DHCP ranges), you should have Internet.
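A small checker for the two failure points raised in this thread (a router behind the 2Wire in DMZPlus mode whose WAN lease never became the public address after step 8, and a LAN subnet that collides with the RG's default 192.168.1.x range). This is an added example, not code from the thread or from AT&T; the sample router addresses in the `__main__` block are constructed.

```python
import ipaddress

# Defaults quoted in the thread: the 2Wire RG's LAN is 192.168.1.x with the
# gateway at 192.168.1.254 (the configuration URL given above).
RG_LAN = ipaddress.ip_network("192.168.1.0/24")
RG_GATEWAY = ipaddress.ip_address("192.168.1.254")


def lan_conflict(rg_lan, router_lan):
    """True when the RG's LAN and the downstream router's LAN overlap."""
    return ipaddress.ip_network(rg_lan).overlaps(ipaddress.ip_network(router_lan))


def wan_is_public(router_wan):
    """True when the router's WAN lease is a public address, as DMZPlus should hand out."""
    return ipaddress.ip_address(router_wan).is_global


def check_double_router(router_lan, router_wan, rg_lan=RG_LAN):
    """Return findings for a router placed behind the RG with DMZPlus enabled."""
    findings = []
    rg_net = ipaddress.ip_network(rg_lan)
    if lan_conflict(rg_net, router_lan):
        findings.append(
            f"LAN conflict: router LAN {router_lan} overlaps RG LAN {rg_net}; "
            "move the router to e.g. 192.168.2.0/24 or change the RG's DHCP range"
        )
    wan = ipaddress.ip_address(router_wan)
    if wan in rg_net:
        findings.append(
            f"WAN {router_wan} is still an RG LAN address: DMZPlus not applied to "
            "this device, or the router was not restarted after saving (step 8)"
        )
    elif not wan.is_global:
        findings.append(f"WAN {router_wan} is not a public address: check the DMZPlus assignment")
    return findings


if __name__ == "__main__":
    # Constructed sample: a router left on the RG's default subnet, before DMZPlus took effect.
    for finding in check_double_router("192.168.1.0/24", "192.168.1.64"):
        print("FAIL:", finding)
    # Constructed sample: router moved to 192.168.2.0/24, WAN now holds a public lease.
    print("OK" if not check_double_router("192.168.2.0/24", "76.238.185.187") else "FAIL")
```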

 

Scholar

 • 

178 Messages

13 years ago

OK, that's what I've found out also - I had both routers on the same subnet. If the wireless router is on a different subnet, everything works fine.  My problem is this - I need to be able to access all the devices on the network.  I can't access files on a computer that's on a different subnet.  How do I get around this?

 

 

Expert

 • 

9.4K Messages

13 years ago

So you have some computers connected to the 2Wire router and some connected to your router?  Is there a reason that they're not all connected to your router?

 

Scholar

 • 

178 Messages

13 years ago

One computer is by the router and there's only one connection to that part of the house.  I need to be able to access files on my network with my mobile devices also.

Expert

 • 

9.4K Messages

13 years ago

OK, so what was the main purpose of installing your own router?  What functionality were you seeking?

 
