03-22-2011 5:28 PM
While technically savvy, I am not an IT professional, and my knowledge of networking is limited to what I have learned during the last 3 weeks of frustrating phone calls with ATT Uverse support and our office's IT consultants, neither of which can solve the problem but rather seem satisfied with pointing the finger at each other. If anyone can help I would be very thankful.
I have a Sonicwall router/firewall running behind my RG. There is a switch attached to the Sonicwall which contains our office's 5 desktops, a wireless access point, 2 servers and 2 network printers. I have put the Sonicwall in DMZ mode in the RG's UI and am currently able to connect to the internet from all 5 computers as well as through the wireless. The Sonicwall is being passed one of our static IPs from the block of 5 useable addresses provided by ATT. What we are not able to do is to log into the server remotely using Remote Desktop or log into our mail server using the web interface (mail.domainname/exchange).
ATT claims that once the router is placed in DMZ mode, no NATing or blocking of any kind is happening and the problem is with the Sonicwall's configuration (which they won't support even though I am paying them for their Connect Tech service which I was told would resolve the issue). Our IT consultants claim that everything on the router is configured correctly and that it is ATT's problem. Since I don't really understand what the router configuration should be, I have no way of knowing how to check if things are properly set up. The one hint that ATT gave is to make sure the router is set up in DHCP. Any help would be greatly appreciated.
03-22-2011 5:41 PM
It's true that if you're using DMZPlus mode for a router-behind-router setup that no NAT or firewall is in the way (with a very few exceptions that are peculiar to the 2Wire RG).
However, you're not using DMZPlus, you're assigning one of your static IPs to the Sonicwall. In that case, you have to disable the firewall manually. Go to the following page on the 2Wire RG:
In the list of devices, find the SonicWall. Change the Firewall pulldown menu to "Disabled". Then click the Save button down at the bottom of the page.
03-23-2011 9:09 AM
Thanks for the reply SJ,
One of the things I was instructed to do was to change the IP address of the 2wire to the 10.0.0.0 / 255.255.0.0 series so that it did not conflict with the Sonicwall's address (192.168.1.254). As such, the link you provided did not work for me. I tried 10.0.0.1/xslt?PAGE=C 2 4 but no luck there. I was able to log into the UI of the RG by going to 10.0.0.1, but I don't see an option to disable the firewall. Should I have changed the RG's IP address? Is there another way to get to the interface that allows me to disable the RG's firewall? FYI the RG ATT provided is a 2701 HGV-B.
Also, for clarification, are you saying that I should not have the Sonicwall set to DMZ mode in the firewall settings? I suppose if the idea is to disable the firewall, then it does not matter what this setting is.
Lastly, can you offer any assistance with the Sonicwall in terms of my verifying that the DHCP settings are correct?
Thanks for your help.
03-23-2011 11:05 AM
To further clarify (or perhaps somewhat restate) my issue, our IT consultants have asked ATT to put their RG in bridge mode, which I now understand cannot be done. Your 3/16/2011 post regarding using Uverse for business recommended setting the router behind the RG to DMZ mode to achieve the closest approximation to bridge mode that Uverse is capable of. Step 8 of this process was as follows:
8. Restart your router, when it gets an address via DHCP again, it will be the public outside IP address. At this point, you can leave your router in DHCP mode (make sure the firewall on your router allows the DHCP renewal packets, which will occur every 10 minutes), or you can change your router's IP address assignment on the WAN interface to static, and use the same settings it received via DHCP.
As I said in my OP, the Sonicwall is receiving the public address, but I am unsure how to properly set the DHCP settings. Are the symptoms I am having (i.e. no remote desktop or webmail access) likely related to these DHCP settings? Thanks again for your help. IB
03-23-2011 11:24 AM
No, I doubt the symptoms you're seeing relate to DHCP. Let's assume that's working properly for now.
Your issue is the firewall on the RG. It must be turned off for the SonicWall's IP address. You stated the SonicWall is on a static IP out of your assigned static IP block. This is fine but this is a different configuration than using DMZPlus mode.
You should have mentioned that your RG is a 2701. This means you have ADSL2+ based U-Verse, not VDSL. Thus, the link I gave you will not work right.
You need to find the IP Address Allocation page in the 2Wire 2701. It will have this same firewall setting on it for the SonicWall, you need to disable it. I can't walk you through how to get there, I have never configured a 2701.
03-23-2011 5:09 PM
I am trying to be as clear as I can given my lack of technical expertise. Please forgive me if I am missing the basics.
According to our IT consultants, in true bridge mode, all 5 of our usable IP addresses would be passed to the Sonicwall which would then allocate them using one-to-one NATing. In its current DMZ configuration, the RG appears to be only passing one IP to the Sonicwall (this IP is within, not outside, of the usable static IPs provided by ATT). With only one IP address available to the Sonicwall, we are not able to allocate a separate static IP to each of the following:
1. Our mail server
2. Our file server
3. Our remote connections
4. One other piece of equipment that allows our consultants to reboot our servers remotely (not critical for us)
Do we need to use an ATT RG other than the 2701 to have multiple static IPs passed through?
If there is no way to have multiple IPs sent through a single port on the RG connected to the Sonicwall (my understanding of a true bridge), is there a way to connect more than one of the RG's Ethernet ports to the Sonicwall and pass multiple addresses that way? There is only one WAN port on the Sonicwall, but perhaps some intermediary device could be used? I am trying to think outside the box here which could be dangerous considering my lack of networking knowledge.
Since my last post our consultants have come up with a workaround which is to turn off "one to one NATing" and instead run our remote desktop connection through port 3389. This has given us the ability to log in through Remote Desktop (some good news) but does not allow us to access our webmail interface (previously accessed through mail.domainname.com) and also does not allow our IT consultants to do the off-site monitoring of our systems that they typically do. I was told the reason we can't use webmail (which is how our mobile phones used to connect to our mail server) is that it would need to use port 80, and that port 80 is already being used (I believe by the Sonicwall itself). I don't completely understand this new setup, but it apparently can't give us all the functionality we had prior to getting Uverse.
Thanks for sticking with me and offering advice to someone with a growing but still very limited understanding of the networking world.
03-23-2011 8:10 PM
The issue is not that multiple static IPs can't be used. The issue is a limitation in how the 2Wire 2701 deals with systems on the network. The 2Wire routers do not support any device that is multihomed (a single MAC address with more than one IP address).
Attempting to use more than one of your static IP addresses on the SonicWall makes it a multihomed device, and is therefore not supported and won't work. You will get one IP on the Sonicwall, no other choice.
Because you get only one IP, the Sonicwall will be doing NAT to allow all computers behind it to access the internet. Because you're using NAT, you can open ports to multiple servers to do everything you need to as long as the port numbers are different.
Another way to approach the problem is to use a VPN server behind the Sonicwall. Make a VPN inbound connection to the VPN server, and then any use of Remote Desktop or other applications will work as if you're on the local network.
Sorry, but you need to get your IT consultants to understand the issue with the 2Wire router in that it will not support more than 1 IP on your Sonicwall, and they need to architect the network around that limitation.
03-24-2011 11:43 AM
Thanks again SJ,
Regarding opening ports to "do everything [we] need to as long as the port numbers are different," does this include running both the Sonicwall and the webmail interface? As I said in my last post, we have been told that both of these "devices" use port 80 and therefore we cannot use both. Is there any reason the webmail or Sonicwall can't use a port other than port 80 to avoid a conflict? In other words, are certain functions dedicated to particular ports or can you assign any type of device/function to any port?
Regarding the VPN server alternative, would this system replace the Sonicwall in our current setup? What sort of startup cost are we looking at to set up a VPN server?
03-24-2011 12:37 PM
Certainly, the mail server could use a different port than 80, either only on the public side of the SonicWall or on both sides depending on how you want to configure it.
The SonicWall may be able to use a different port than 80, I have no idea if it has that capability, I have never used one. I always use Cisco equipment for business/enterprise installations.
VPN services are built in to Windows Server, if that's what you use, making the cost nothing. It would not replace the SonicWall.
At this point, your questions are well outside the scope of U-Verse and involve network architecture. You need to get an on-site consultant to assist you with this so that they can evaluate the situation with knowledge of the details of your network.
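Added example (not part of the original posts, and not SonicWall configuration): a small Python model of the single-public-IP port forwarding discussed in the replies above, showing how two services that both want public port 80 are separated by changing only the public-side port. The server addresses, rule names and the alternate port 8080 are assumptions constructed for the illustration.

```python
# Added illustration: planning port forwards (NAT) for ONE public IP.
# All addresses, ports and service names below are constructed for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    name: str
    public_port: int   # port on the firewall's single WAN address
    inside_ip: str     # host behind the firewall
    inside_port: int   # port the service really listens on

def find_conflicts(rules):
    """Return {public_port: [names]} for ports claimed by more than one rule."""
    claimed = {}
    for r in rules:
        claimed.setdefault(r.public_port, []).append(r.name)
    return {p: n for p, n in claimed.items() if len(n) > 1}

def resolve(rules, alternates):
    """Keep the first claimant of each public port; move later claimants to the
    alternate public port listed for them. The inside port never changes."""
    used, out = set(), []
    for r in rules:
        port = r.public_port
        if port in used:
            port = alternates[r.name]
            if port in used:
                raise ValueError(f"alternate port {port} for {r.name} is taken")
        used.add(port)
        out.append(Forward(r.name, port, r.inside_ip, r.inside_port))
    return out

def translate(rules, public_port):
    """What the firewall does with an inbound connection to public_port."""
    for r in rules:
        if r.public_port == public_port:
            return (r.inside_ip, r.inside_port)
    return None  # no matching rule: the connection is dropped

WANTED = [
    Forward("webmail", 80, "192.168.1.10", 80),
    Forward("firewall-admin", 80, "192.168.1.254", 80),
    Forward("remote-desktop", 3389, "192.168.1.20", 3389),
]
PLAN = resolve(WANTED, {"firewall-admin": 8080})
```

With the VPN approach mentioned earlier in the thread, the remote-desktop rule would not appear in this table at all, since Remote Desktop would only be reached over the tunnel.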
03-24-2011 1:29 PM
I agree. My last post was simply an attempt to educate myself so I will be better prepared to have the next conversation with our IT consultants. Thanks for all your help.
- edited 09-28-2016 8:40 AM
I am back in this morning, I have no new updates and tracert shows the problem still exists. I will escalate.
Disregard this, I posted to the wrong topic!