U-verse Forums

Reply
Posted Oct 16, 2013
9:24:17 PM
View profile
Setup Static IP's Router behind RG 5031NV

I am trying to move from TWC to AT&T and need to have static IP's. I have a block of 5 usable and have been working with AT&T Level 2 support to try and get them working. They cannot figure this out. I would prefer to setup bridge mode in the device and let my firewall do all the routing and protection. This is my current setup. I have tried a few different things since the AT&T Level 2 guys can't figure it out. I've read that this model does not do bridging well, if at all. I've tried the DMZ route and that assigned a completely different public IP to my device than what I was given. How do I configure this device to work the way I need it to? If I can't get this to work, I'm going to seriously cancel the service. I'm on day 5 of trying to get this working. 

 

Any help is greatly appreciated. 

 

 

I am trying to move from TWC to AT&T and need to have static IP's. I have a block of 5 usable and have been working with AT&T Level 2 support to try and get them working. They cannot figure this out. I would prefer to setup bridge mode in the device and let my firewall do all the routing and protection. This is my current setup. I have tried a few different things since the AT&T Level 2 guys can't figure it out. I've read that this model does not do bridging well, if at all. I've tried the DMZ route and that assigned a completely different public IP to my device than what I was given. How do I configure this device to work the way I need it to? If I can't get this to work, I'm going to seriously cancel the service. I'm on day 5 of trying to get this working. 

 

Any help is greatly appreciated. 

 

 

0
(0)
  • Rate this reply
View profile
Solved
May 28, 2014 12:06:15 PM
0
(0)
Teacher

 

Got it working.  Others probably already know this but there is a key assumption in "Cascaded Router" mode that I was missing.  You have to make the WAN port on your internal router contain an IP address from the private range given by the 5031NV RG. 

 

If my public block was 1.2.3.8-15 (.9 - .13 useable) then I would do the following:

 

Check the "Enable Cascaded Router" box in the Broadband link screen

Network Address = 1.2.3.8

Subnet mask = 255.255.255.248

 

Router Address = 192.168.1.14 (pick an IP address from the private static range below 192.168.1.33)

 

On your inside router:

WAN port set to static IP 192.168.1.14

Gateway = 192.168.1.254

Subnet mask = 255.255.255.0

 

 

 

Once this is all set up. The Public Static IP addresses (1.2.3.9-13 in this example) will come through the WAN port on your router without any interference from the 5031NV RG.  With my ZyWALL 50 these addresses can be subject to virtual server mapping or "many 1:1 NET" from WAN to DMZ without any trouble.  It's confusing to have your WAN port be set to a private IP address while sending the public IPs through but it works fine on my router.

 

Accepted Solution

Setup Static IP's Router behind RG 5031NV

8,861 views
15 replies
(0) Me too
(0) Me too
Post reply
Cancel
Submit
Replies
(15)
0
(0)
  • Rate this reply
View profile
Oct 17, 2013 8:11:58 AM
0
(0)
Expert
Do you need the static IPs to work on the subnet that's directly connected to the 5031NV, or do you need them to work behind your own router, which itself will be connected to the 5031NV?

Also, what router are you working with?
Do you need the static IPs to work on the subnet that's directly connected to the 5031NV, or do you need them to work behind your own router, which itself will be connected to the 5031NV?

Also, what router are you working with?

Re: Setup Static IP's Router behind RG 5031NV

2 of 16 (8,838 Views)
0
(0)
  • Rate this reply
View profile
Oct 17, 2013 10:32:18 PM
0
(0)
Mentor
If you want to use a static IP block, you should be configuring it in Settings > Broadband > Link Configuration > Supplementary Network > Add Additional Network. A recent update added a "Cascaded Router" feature to that screen, but I don't know if that applies to your case.

I don't know the 5031NV, but most RGs need each static IP to be associated with a different MAC address. Can your firewall supply multiple unique MAC addresses?
If you want to use a static IP block, you should be configuring it in Settings > Broadband > Link Configuration > Supplementary Network > Add Additional Network. A recent update added a "Cascaded Router" feature to that screen, but I don't know if that applies to your case.

I don't know the 5031NV, but most RGs need each static IP to be associated with a different MAC address. Can your firewall supply multiple unique MAC addresses?

Re: Setup Static IP's Router behind RG 5031NV

3 of 16 (8,825 Views)
0
(0)
  • Rate this reply
View profile
Oct 18, 2013 9:51:30 AM
0
(0)
Community Support

Hi cpsavage,

 

Just wanted to check in with you to see if you were ever able to get your issue resolved. There are different setups to produce the desired result, based off the modem you have. With the static IPs though, are you even able to browse when having one device directly connected?

 

Let us know how it's going, and if any issues, I am positive this community will be able to help.

 

-David T

If you encounter any issues with your service or equipment, I recommend checking out our Troubleshoot & Resolve solutions to help diagnose the issue.

Hi cpsavage,

 

Just wanted to check in with you to see if you were ever able to get your issue resolved. There are different setups to produce the desired result, based off the modem you have. With the static IPs though, are you even able to browse when having one device directly connected?

 

Let us know how it's going, and if any issues, I am positive this community will be able to help.

 

-David T

If you encounter any issues with your service or equipment, I recommend checking out our Troubleshoot & Resolve solutions to help diagnose the issue.
I am an AT&T employee and the postings on this site are my own and don’t necessarily represent AT&T’s position, strategies or opinions.
*I am an AT&T employee and the postings on this site are my own and don’t necessarily represent AT&T’s position, strategies or opinions.

Re: Setup Static IP's Router behind RG 5031NV

4 of 16 (8,815 Views)
0
(0)
  • Rate this reply
View profile
Oct 20, 2013 10:14:21 AM
0
(0)
Tutor

I am having similar problems. I have managed to get ssh working, somehow, but https and mail don't work. It would be very nice if there were a step-by-step howto for setting up static IPs on this device.

Michael L Martin

I am having similar problems. I have managed to get ssh working, somehow, but https and mail don't work. It would be very nice if there were a step-by-step howto for setting up static IPs on this device.

Re: Setup Static IP's Router behind RG 5031NV

5 of 16 (8,797 Views)
0
(0)
  • Rate this reply
View profile
Oct 20, 2013 4:05:47 PM
0
(0)
Tutor

I'm trying to open up port 1194, UDP for openvpn. I see this in the 5031NV log:

 

INF     2013-10-20T17:51:45-05:00       fw,     src=50.201.220.162 dst=70.234.208.11 ipprot=17 sport=34923 dport=1194 Session Matches User Pinhole, Packet Passed
INF     2013-10-20T17:51:45-05:00       fw,     src=70.234.208.11 dst=50.201.220.162 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF     2013-10-20T17:51:53-05:00       fw,     src=50.201.220.162 dst=70.234.208.11 ipprot=17 sport=34923 dport=1194 Unknown inbound session stopped

So, the firewall says, "Yes, I recognize this request as a valid user pinhole request, and I'm passing the packet on".

Then it says, "What the heck is this?!? Dropping it on the floor..."

 

I honestly don't know what to make of this. I had Uverse installed last Wednesday (16 Oct. 2013) and am already seriously considering cancelling the service. I called AT&T about this, and got handed off to several different

individuals, none of whom seemed to have any clue what I was trying to tell them. The last person I talked to told me that I was now talking to a "fee-based" tech support team. His English was very difficult to understand, but it

sounded very much like he was reading from a script, and was of no help whatsoever.

 

AT&T used to have awesome customer support. What happened?

 

 

Michael L Martin

I'm trying to open up port 1194, UDP for openvpn. I see this in the 5031NV log:

 

INF     2013-10-20T17:51:45-05:00       fw,     src=50.201.220.162 dst=70.234.208.11 ipprot=17 sport=34923 dport=1194 Session Matches User Pinhole, Packet Passed
INF     2013-10-20T17:51:45-05:00       fw,     src=70.234.208.11 dst=50.201.220.162 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
INF     2013-10-20T17:51:53-05:00       fw,     src=50.201.220.162 dst=70.234.208.11 ipprot=17 sport=34923 dport=1194 Unknown inbound session stopped

So, the firewall says, "Yes, I recognize this request as a valid user pinhole request, and I'm passing the packet on".

Then it says, "What the heck is this?!? Dropping it on the floor..."

 

I honestly don't know what to make of this. I had Uverse installed last Wednesday (16 Oct. 2013) and am already seriously considering cancelling the service. I called AT&T about this, and got handed off to several different

individuals, none of whom seemed to have any clue what I was trying to tell them. The last person I talked to told me that I was now talking to a "fee-based" tech support team. His English was very difficult to understand, but it

sounded very much like he was reading from a script, and was of no help whatsoever.

 

AT&T used to have awesome customer support. What happened?

 

 

Re: Setup Static IP's Router behind RG 5031NV

6 of 16 (8,785 Views)
0
(0)
  • Rate this reply
View profile
Oct 21, 2013 8:24:52 AM
0
(0)
Community Support
Edited by Taylarie on Oct 21, 2013 at 8:33:08 AM

Hi building39,

 

Without knowing the entire details of how this connection is operating, what it appears is that there is some kind of acknowledgement/negative acknowledgement request happening. It appears that outside connection is sending the information to your device behind our router, which forwards it with no problems, from there, it sends a request back to that destination IP trying to establish a connection, but it gets an unreachable error, causing the inbound session to completely terminate at that point.

So with that, it appears the forwarding rules are working right, but you may need to add a few more to handle this acknowledgement request, or you may need to look into the rules on the other device to see if it is blocking traffic from your U-verse modem.

 

One thing to try is putting the device in DMZ mode, and seeing if that helps.

To do so, on the Pace 5031

  1. Login to http://192.168.1.254
  2. Click on Settings
  3. Click on Firewall
  4. Click on Applications, Pinholes and DMZ
  5. Select the device you are trying to pass traffic to
  6. Click Allow all applications (DMZ plus mode)
  7. Save

Let me know how it goes.

-David T

If you encounter any issues with your service or equipment, I recommend checking out our Troubleshoot & Resolve solutions to help diagnose the issue.

Hi building39,

 

Without knowing the entire details of how this connection is operating, what it appears is that there is some kind of acknowledgement/negative acknowledgement request happening. It appears that outside connection is sending the information to your device behind our router, which forwards it with no problems, from there, it sends a request back to that destination IP trying to establish a connection, but it gets an unreachable error, causing the inbound session to completely terminate at that point.

So with that, it appears the forwarding rules are working right, but you may need to add a few more to handle this acknowledgement request, or you may need to look into the rules on the other device to see if it is blocking traffic from your U-verse modem.

 

One thing to try is putting the device in DMZ mode, and seeing if that helps.

To do so, on the Pace 5031

  1. Login to http://192.168.1.254
  2. Click on Settings
  3. Click on Firewall
  4. Click on Applications, Pinholes and DMZ
  5. Select the device you are trying to pass traffic to
  6. Click Allow all applications (DMZ plus mode)
  7. Save

Let me know how it goes.

-David T

If you encounter any issues with your service or equipment, I recommend checking out our Troubleshoot & Resolve solutions to help diagnose the issue.
I am an AT&T employee and the postings on this site are my own and don’t necessarily represent AT&T’s position, strategies or opinions.
*I am an AT&T employee and the postings on this site are my own and don’t necessarily represent AT&T’s position, strategies or opinions.

Re: Setup Static IP's Router behind RG 5031NV

[ Edited ]
7 of 16 (8,773 Views)
0
(0)
  • Rate this reply
View profile
Oct 22, 2013 8:29:13 AM
0
(0)
ACE - Master

I'm not sure what to make of the conversation.  As you say, you've got a message incoming from a Comcast served address using UDP which is passed through, but then it (the RG) discovers it doesn't know how to route the packet, so it replies back with that fact (the ICMP message) and closes the connection. 

 

Something is hosed with the routing setup.  Work with @DavidCS, as he can get the proper information for you.

 

I'm assuming that you're dealing with a Static IP block, as that is the title of the thread you've posted in.  Have you been to the Settings/Broadband/Link Configuration page and added the suplementary network?

 

 

 

I'm not sure what to make of the conversation.  As you say, you've got a message incoming from a Comcast served address using UDP which is passed through, but then it (the RG) discovers it doesn't know how to route the packet, so it replies back with that fact (the ICMP message) and closes the connection. 

 

Something is hosed with the routing setup.  Work with @DavidCS, as he can get the proper information for you.

 

I'm assuming that you're dealing with a Static IP block, as that is the title of the thread you've posted in.  Have you been to the Settings/Broadband/Link Configuration page and added the suplementary network?

 

 

 

*The views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.

Re: Setup Static IP's Router behind RG 5031NV

8 of 16 (8,746 Views)
0
(0)
  • Rate this reply
View profile
Mar 9, 2014 4:57:31 PM
0
(0)
Contributor

I have an ISA firewall behind my 5031NV. I have assigned all 5 ofv my IP addresses to my ISA Server yet  my 5031NV only recognizes the 1st IP address in the list. I need it to recognize all 5 so that my ISA firewall can handle traffic instead of my modem.

I have an ISA firewall behind my 5031NV. I have assigned all 5 ofv my IP addresses to my ISA Server yet  my 5031NV only recognizes the 1st IP address in the list. I need it to recognize all 5 so that my ISA firewall can handle traffic instead of my modem.

Re: Setup Static IP's Router behind RG 5031NV

9 of 16 (8,056 Views)
0
(0)
  • Rate this reply
View profile
May 23, 2014 3:47:25 PM
0
(0)
Teacher
Did you ever find a solution to your problem? I have the same issue (my firewall is a ZyWALL 50). I want all 5 Static IPs to map to 5 servers inside my DMZ subnet. I have only successfully connected the one server that maps to the IP assigned to my router/firewall WAN port.

They sure do a good job of making life miserable with 5031NV RG...
Did you ever find a solution to your problem? I have the same issue (my firewall is a ZyWALL 50). I want all 5 Static IPs to map to 5 servers inside my DMZ subnet. I have only successfully connected the one server that maps to the IP assigned to my router/firewall WAN port.

They sure do a good job of making life miserable with 5031NV RG...

Re: Setup Static IP's Router behind RG 5031NV

10 of 16 (7,542 Views)
0
(0)
  • Rate this reply
View profile
May 23, 2014 5:16:20 PM
0
(0)
Expert
To use the static IP addresses behind another router, you will have to use the "Cascaded Router" option. I have not tested this option, so I can't tell you if it works or not and/or what the caveats would be. This option would be used on it's own (i.e. you have to turn off Supplementary Network and DMZPlus in order to use it).

To use the static IP addresses behind another router, you will have to use the "Cascaded Router" option. I have not tested this option, so I can't tell you if it works or not and/or what the caveats would be. This option would be used on it's own (i.e. you have to turn off Supplementary Network and DMZPlus in order to use it).

Re: Setup Static IP's Router behind RG 5031NV

11 of 16 (7,533 Views)
0
(0)
  • Rate this reply
View profile
May 23, 2014 7:39:24 PM
0
(0)
Teacher
OK. I wish there was some documentation on the "Cascaded Router" option. It isn't really self explanatory how to set it up. I am not at the office right now but will try later. I did try disabling Supplementary Network and enabling Cascaded Router with the pointer to the IP address I have selected for my router. That didn't work but I would not be surprised if there are parameters I am missing either in the 5031 or in my corporate router (I just do a NAT map of a public range to a private range in my ZyWALL NAT which is called "many 1:1 NAT" in ZyWALL terminology. Specifically WAN public IPs as follows 104.xxx.xxx.9-13 are mapped to DMZ private IPs of 192.168.3.9-13). The 104.xxx.xxx.9 IP address is also the address of the ZyWALL router which is how the RG recognizes the router in "Supplementary Network" mode. I am assuming it gets identified the same way when in "Cascaded Router" mode but maybe that is where I am getting it wrong...
OK. I wish there was some documentation on the "Cascaded Router" option. It isn't really self explanatory how to set it up. I am not at the office right now but will try later. I did try disabling Supplementary Network and enabling Cascaded Router with the pointer to the IP address I have selected for my router. That didn't work but I would not be surprised if there are parameters I am missing either in the 5031 or in my corporate router (I just do a NAT map of a public range to a private range in my ZyWALL NAT which is called "many 1:1 NAT" in ZyWALL terminology. Specifically WAN public IPs as follows 104.xxx.xxx.9-13 are mapped to DMZ private IPs of 192.168.3.9-13). The 104.xxx.xxx.9 IP address is also the address of the ZyWALL router which is how the RG recognizes the router in "Supplementary Network" mode. I am assuming it gets identified the same way when in "Cascaded Router" mode but maybe that is where I am getting it wrong...

Re: Setup Static IP's Router behind RG 5031NV

12 of 16 (7,522 Views)
0
(0)
  • Rate this reply
View profile
Solved
May 28, 2014 12:06:15 PM
0
(0)
Teacher

 

Got it working.  Others probably already know this but there is a key assumption in "Cascaded Router" mode that I was missing.  You have to make the WAN port on your internal router contain an IP address from the private range given by the 5031NV RG. 

 

If my public block was 1.2.3.8-15 (.9 - .13 useable) then I would do the following:

 

Check the "Enable Cascaded Router" box in the Broadband link screen

Network Address = 1.2.3.8

Subnet mask = 255.255.255.248

 

Router Address = 192.168.1.14 (pick an IP address from the private static range below 192.168.1.33)

 

On your inside router:

WAN port set to static IP 192.168.1.14

Gateway = 192.168.1.254

Subnet mask = 255.255.255.0

 

 

 

Once this is all set up. The Public Static IP addresses (1.2.3.9-13 in this example) will come through the WAN port on your router without any interference from the 5031NV RG.  With my ZyWALL 50 these addresses can be subject to virtual server mapping or "many 1:1 NET" from WAN to DMZ without any trouble.  It's confusing to have your WAN port be set to a private IP address while sending the public IPs through but it works fine on my router.

 

 

Got it working.  Others probably already know this but there is a key assumption in "Cascaded Router" mode that I was missing.  You have to make the WAN port on your internal router contain an IP address from the private range given by the 5031NV RG. 

 

If my public block was 1.2.3.8-15 (.9 - .13 useable) then I would do the following:

 

Check the "Enable Cascaded Router" box in the Broadband link screen

Network Address = 1.2.3.8

Subnet mask = 255.255.255.248

 

Router Address = 192.168.1.14 (pick an IP address from the private static range below 192.168.1.33)

 

On your inside router:

WAN port set to static IP 192.168.1.14

Gateway = 192.168.1.254

Subnet mask = 255.255.255.0

 

 

 

Once this is all set up. The Public Static IP addresses (1.2.3.9-13 in this example) will come through the WAN port on your router without any interference from the 5031NV RG.  With my ZyWALL 50 these addresses can be subject to virtual server mapping or "many 1:1 NET" from WAN to DMZ without any trouble.  It's confusing to have your WAN port be set to a private IP address while sending the public IPs through but it works fine on my router.

 

Re: Setup Static IP's Router behind RG 5031NV

13 of 16 (7,444 Views)
Solution
0
(0)
  • Rate this reply
View profile
May 28, 2014 2:55:51 PM
0
(0)
ACE - Master

Thank you @gimp_dad for posting your configuration and that you were able to get it working.

 

Actually, that makes sense to me.  You're telling the RG that the next hop for traffic arriving at its WAN port on the public static addresses is the router on its LAN which it can reach at a private IP address, and telling your internal router that the next hop for the default route from its LAN side is the private IP address on the LAN side of the RG.  The traffic arrives at the next hop, that router knows how to route that address and away the packet goes.

 

 

Thank you @gimp_dad for posting your configuration and that you were able to get it working.

 

Actually, that makes sense to me.  You're telling the RG that the next hop for traffic arriving at its WAN port on the public static addresses is the router on its LAN which it can reach at a private IP address, and telling your internal router that the next hop for the default route from its LAN side is the private IP address on the LAN side of the RG.  The traffic arrives at the next hop, that router knows how to route that address and away the packet goes.

 

 

*The views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.

Re: Setup Static IP's Router behind RG 5031NV

14 of 16 (7,430 Views)
0
(0)
  • Rate this reply
View profile
May 28, 2014 3:16:18 PM
0
(0)
Teacher

I agree that it all makes sense.  This seems like a configuration that would be commonly desired.  ATT should do a better job of explaining it.  There is zero documentation on this mode.  Part of what makes it unintuitive is because the identification of my router by using a private IP address from the RG is totally different treatment than used for either Supplementary Network or LAN IP modes.

 

By the way, my solution has one more level of complexity.  I am actually mapping the Public IP block to a private block (192.168.3.xx).  As a result the public static IP block is never specifically sent to my internal DMZ port.  I have a WAN to DMZ NAT conversion in between.  This, of course, makes it much easier to do two things:

1. have other supporting file or compute servers on the DMZ network for supporting my public servers,

2. allow more levels of virtual server mapping to be taken care of on my ZyWALL router (e.g. can map one public IP address to a mail server and a different web server).

 

Thanks for the help that got me started down the right path here.

I agree that it all makes sense.  This seems like a configuration that would be commonly desired.  ATT should do a better job of explaining it.  There is zero documentation on this mode.  Part of what makes it unintuitive is because the identification of my router by using a private IP address from the RG is totally different treatment than used for either Supplementary Network or LAN IP modes.

 

By the way, my solution has one more level of complexity.  I am actually mapping the Public IP block to a private block (192.168.3.xx).  As a result the public static IP block is never specifically sent to my internal DMZ port.  I have a WAN to DMZ NAT conversion in between.  This, of course, makes it much easier to do two things:

1. have other supporting file or compute servers on the DMZ network for supporting my public servers,

2. allow more levels of virtual server mapping to be taken care of on my ZyWALL router (e.g. can map one public IP address to a mail server and a different web server).

 

Thanks for the help that got me started down the right path here.

Re: Setup Static IP's Router behind RG 5031NV

15 of 16 (7,427 Views)
0
(0)
  • Rate this reply
View profile
May 29, 2014 6:31:24 PM
0
(0)
Expert
Edited by SomeJoe7777 on May 29, 2014 at 6:32:37 PM

Yes, I agree that this Cascaded router setup is highly confusing:

1. Having public IP addresses on one side of a router, the Internet on the other side of the gateway, and an intervening RFC-1918 private IP network in between is counterintuitive. One would think that publically-addressed Internet packets could not (and should not) traverse a private network.  However, this is actually a legal configuration given that the 2Wire router is prepared to route traffic over the private network.

2. Since you actually have another RFC-1918 private network behind your own router, the public IP addresses are actually completely virtual in that none of them are actually assigned to a physical LAN port on any device.

The cool part you have been able to do with this configuration is:

A) Be able to use your own router and static IP addresses behind it, which was never possible before the cascaded router option showed up in the last firmware update.

B) Cascaded router setup on the 2Wire + your 1:1 NAT configuration on your router essentially sidesteps the 2Wire routers' enforcement of 1:1 mappings between IP addresses and MAC addresses (i.e. no multihoming). You can now have all 5 of the public IP addresses usable within the same piece of hardware (the Zyxel router).

 

 

Yes, I agree that this Cascaded router setup is highly confusing:

1. Having public IP addresses on one side of a router, the Internet on the other side of the gateway, and an intervening RFC-1918 private IP network in between is counterintuitive. One would think that publically-addressed Internet packets could not (and should not) traverse a private network.  However, this is actually a legal configuration given that the 2Wire router is prepared to route traffic over the private network.

2. Since you actually have another RFC-1918 private network behind your own router, the public IP addresses are actually completely virtual in that none of them are actually assigned to a physical LAN port on any device.

The cool part you have been able to do with this configuration is:

A) Be able to use your own router and static IP addresses behind it, which was never possible before the cascaded router option showed up in the last firmware update.

B) Cascaded router setup on the 2Wire + your 1:1 NAT configuration on your router essentially sidesteps the 2Wire routers' enforcement of 1:1 mappings between IP addresses and MAC addresses (i.e. no multihoming). You can now have all 5 of the public IP addresses usable within the same piece of hardware (the Zyxel router).

 

 

Re: Setup Static IP's Router behind RG 5031NV

[ Edited ]
16 of 16 (7,363 Views)
Share this post
Share this post