I am having trouble properly configuring this AT&T 2Wire 3600HGV modem for my network. Maybe someone is aware of a different firmware for this product?
I am completely aware of how to setup the DMZ mode & router behind router setup in these boxes but that is NOT the point. (We have supported firewalled networked equipment working that has all the bells & whistles including QoS)
In the event of a factory reset of the AT&T 2Wire VDSL modem at this business, I want to properly ensure the following business requirements are met:
- DHCP - OFF (at min, it appears you must leave one available?)
- WiFi - OFF (Yes this can be turned off, but bridging it always ensured it was turned off in the past. ON is a security concern among just bad business i.e. conflict with other business WiFi, employees might see/use this non-content filtered WiFi, etc etc)
- & passing off internet service needs to be easy to another networked supported OUTSIDE of AT&T firewall. (I'm NOT asking for AT&T support on this, but in the bridge DSL world, this was EASY)
- if bridging this 2Wire is NOT an option, backing up the configuration settings would be a nice alternative but that is not available as well?
Bridging the old DSL modems always worked nicely but the 2Wire 3XXXHGV line appears to be the ONLY ones to support the AT&T VDSL Max Turbo speeds. 24Mbps down / 3 Mbps up which we use not only for normal business operations (credit cards, business email, web based training, etc) but this high speed is required to view onsite security video (3Mbps up) and offer customers FAST free WiFi!
AT&T U-Verse offers the right price, contract, speed, internet package & installers to properly handle our restaurant locations company's data needs but I'm struggling with their "business" support of this 2Wire VDSL modem product. We ONLY use the internet, no TV (not legally available for restaurants, yet). No Voip because POTS is our reliable backup. So it's just the internet service ...
For coverage on AT&T Uverse, we have over 50 locations lit up like a Christmas tree but sadly business support on this product is driving me nutz! Maybe because I now see this is listed under "Residential Gateway"? Is this AT&T 2Wire VDSL modem product not meant for business? Is anyone aware of another supported AT&T VDSL modem or a different 2Wire firmware available? Official AT&T support has me running in circles (AT&T U-verse support > AT&T Connecttech > AT&T Connecttech360 > AT&T U-verse support, rinse, repeat)
There is no true bridge mode on the 2Wire routers. However, you can still configure it such that almost all functions of your own router will work properly.
1. Set your router's WAN interface to get an IP address via DHCP. This is required at first so that the 2Wire recognizes your router.
2. Plug your router's WAN interface to one of the 2Wire's LAN interfaces.
3. Restart your router, let it get an IP address via DHCP.
4. Log into the 2Wire router's interface. Go to Settings -> Firewall -> Applications, Pinholes, and DMZ
5. Select your router under section (1).
6. Click the DMZPlus button under section (2).
7. Click the Save button.
8. Restart your router, when it gets an address via DHCP again, it will be the public outside IP address. At this point, you can leave your router in DHCP mode (make sure the firewall on your router allows the DHCP renewal packets, which will occur every 10 minutes), or you can change your router's IP address assignment on the WAN interface to static, and use the same settings it received via DHCP.
9. On the 2Wire router, go to Settings -> Firewall -> Advanced Configuration
10. Uncheck the following: Stealth Mode, Block Ping, Strict UDP Session Control.
11. Check everything under Outbound Protocol Control except NetBIOS.
12. Uncheck NetBIOS under Inbound Protocol Control.
13. Uncheck all the Attack Detection checkboxes (7 of them).
14. Click Save.
Your router should now be able to route as if the 2Wire was a straight bridge, for the most part.
Inbound port 22 might be blocked, and inbound ports 8000-8015 might also be blocked, and there's nothing that can be done about it.
This is how I have my 2Wire configured, and I have a Cisco 2811 behind it doing IPSec, IPv6 tunnels, etc.
This also seems to work for AT&T's latest abomination, the Pace 5031NV. Our router is a Sonicwall TZ200W, but Joe's instructions were so good that I got connected on the first try. I've thanked him before, but this time: WHATEVER THEY'RE PAYING JOE IS NOT ENOUGH!!!
Thanks again, Joe,
... WHATEVER THEY'RE PAYING JOE IS NOT ENOUGH!!!
Ain't that the truth. But they don't pay him. Except in mythical steak knives.
Thanks for all the help provided in this post. It got me much further than I was able to on my own.
Moved from Boston (Verizon Fios) to San Antonio (AT&T UVerse)
Upgraded my router to EA6500 Smart Wi-Fi router so I could use their little wireless->lan devices to get internet to rooms without wireless and not run wires throughout the entire new house we bought.
Followed your instructions on the 2nd post and everything works. It all worked initially just fine by running the linksys wizard as well.
Ok long story short, I can't get my actual ip address forwarded with either setup so far. Everything is working, internet/lan, etc. No matter how I forward the port 80 though I can't connect to my web server using my actual ip address (from phone on 3G as a real test). I can access it typing in the local ip (I used range 192.168.100.1-so it was 192.168.100.52). That connects fine.
I forwarded that to port 80 on the linksys to that ip in order to access it from outside my network, but no luck. My setup is currently setup still using your instructions on the 2nd post down. What could I be doing wrong? Thanks again for the help.
I followed a tutorial to forward port 80 to the correct IP (for my specific router since it is new to me EA6500)
The linksys page does indeed have my internet IP as my "whatismyip" address lol
I will test the web server coming directly from the AT&T modem I think next. The windows firewall is off for the webserver so don't think that's it. Maybe there is a webserver setting that I need to change for my new internet provider that I am forgetting? It worked before w/my old ISP and different router, so it's kinda confusing me lol. Thanks for the help, anything else you can think of to try I will give it my best shot.
Added note from some tests. I did a port forwarding check tester from a google search. It says my port 80 is open already. I even disabled it from the linksys and it still says it's open lol. Then just for the heck of it checked another random port and it was closed. Went over to the linksys and opened it and nothing, website still says it's closed. Seems like I still have something screwed up w/the routers.
And one more test with even more confusing results.
So if I open and close 3389 (remote desktop) it shows on this port forwarding tester that it is open/closed when it is supposed to.
Now if I open a port for Minecraft 25565 it says closed no matter what.
Lastly port 80 shows as open even when not forwarded, yet I can't connect to my real IP address from even another computer on my network. The other computers on the network can connect to it with its local ip address though... My brain is about to explode lol...
Ok so I unplugged the linksys, plugged directly in to the UVerse router. Forwarded the port 80 & it worked first try. I can connect to my IP and domain name now from my phone on 3G. Going to reset the linksys and try again using your tutorial and see if that helps. At least I know my server is setup correctly now and that it is indeed a router configuration error. Really need that linksys to be the main router though for parental controls and my wireless to lan boxes setup...
After my spam of replies I have fixed my problem. I had to set the router to static and type in the gateway, dns servers, etc that is listed on the uverse box. Port forwarding works fine now on the linksys. Yay!
I recently moved from the country where the only available static IP was a very expensive T1 line. Now in the city I had two choices, AT&T or Time Warner. After much discussion with AT&T representatives that uVerse would provide me with the same capability to manage my block of 32 static IP addresses, I pulled the plug and moved my equipment to the new location, expecting a one or two day outage. That was a week ago. With the end of the month approaching and no access to my accounting system (LedgerSMB), I am running out of time. I have pored through the forums looking for a solution, but it has eluded me. Here is my setup.
I run my own DNS (named), DHCP, sendmail MTA, bacula, ejabberd, Mailman servers, CalDav, and apache servers from behind my firewall. Some of the servers are physical, some are KVM hosted, some are apache virtual web hosts. The only connection to the 3801 is my linux based (centos) firewall that manages the connection to the internet. It has all of the active static IP addresses set up as eth0, eth0:1, eth0:2, etc. The 3801 recognizes the eth0 static IP address 184.108.40.206, passing traffic both directions. 220.127.116.11:80 is correctly NAT'ed to the apache server behind the firewall, for example. Everything from inside the firewall is working correctly with data passing to and from the internet. We can send mail internally or externally and can receive mail, from inside the firewall, for example. I am willing to change the configuration anywhere in my system, provided it does not change the presentation to the end users either on the local net or the internet.
Here is the question. Can this be made to work and how, or should I move to Time Warner Cable? I am concerned that I'd be moving from the frying pan to the fire. I assumed an internet company would be better prepared than a cable company. :-)
Any Help, much appreciated.
Sorry, too much superfluous information, I suspect. My problem is, except for 18.104.22.168, the internet cannot see any of my static ip addresses, including my dns servers on 22.214.171.124 and 125. So no DNS lookup is occurring. Even if that worked and pointed to my web server on 98, for example, the 3801 does not pass the 98 traffic to my firewall. So you can go to the web server on 97 (but not by name) but cannot get to any of the other servers or services on 98 through 125 by ip or name.
I am hoping there is a change I can make in my firewall as a workaround or a change to the 3801.
What you're running into is a limitation of the 2Wire gateway in that it is hard coded to expect a 1-to-1 relationship between IP addresses and MAC addresses. Each static IP address you're using must appear to the 2Wire gateway to be coming from a different MAC address. I suspect that your Linux router is answering the 2Wire with the same MAC address for all IP addresses, which will not work.
If your Linux router can assign different MAC addresses to eth0:1, eth0:2, etc. then that should solve the problem.
If not, there is another potential workaround if your 2Wire gateway is running the very latest firmware (126.96.36.199). Can you log into the 2Wire and check to see what firmware version it's running?
The FW level is 188.8.131.52-enh.tm. The eth1:X is more like an IP alias. All of the :X's share the eth1 mac address. Moreover, putting MACADDR= or HWADDR in the X's is ignored and the eth1 mac address is inserted.
OK, I have not tested this because it is so new. But you are a good candidate for the cascaded router option in the new firmware. Follow these steps:
Those servers should now be able to reach the internet, and you can configure the firewall on the Linux router as you want. Some other notes:
Thanks, SomeJoe7777. I too am on a business trip. Since this requires taking the interface down with the potential of it not coming back up, I'll try it when I get home. After you described the problem for me, I was able to find a potential way to get my firewall to present a different mac address for each ip by using the bridge function and taps. If I get that to work, I'll post the solution.
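SomeJoe7777's explanation above (the gateway wants one MAC per public IP) is what any workaround has to satisfy. As an added example, not from the thread or the poster's setup, here is one way to do it on a Linux router with macvlan sub-interfaces rather than the bridge-and-tap approach the poster mentions; the uplink eth1 and the 203.0.113.0/27 addresses are constructed placeholders.

```python
"""Create one macvlan sub-interface, with its own MAC, per public static IP so
a gateway that insists on a 1-to-1 IP/MAC mapping sees distinct MACs.
The uplink name and 203.0.113.0/27 addresses are constructed placeholders."""
import ipaddress
import subprocess


def mac_for_ip(ip):
    """Stable, locally administered, unicast MAC derived from an IPv4 address.
    Leading 0x02 sets the locally-administered bit and leaves the multicast
    bit clear; the four address octets make it unique per IP."""
    octets = ipaddress.IPv4Address(str(ip)).packed
    return "02:00:" + ":".join(f"{b:02x}" for b in octets)


def macvlan_commands(uplink, cidrs):
    """Return the iproute2 commands that add one macvlan per address."""
    cmds = []
    for i, cidr in enumerate(cidrs, start=1):
        iface = ipaddress.ip_interface(cidr)
        name = f"pub{i}"
        cmds.append(f"ip link add link {uplink} name {name} "
                    f"address {mac_for_ip(iface.ip)} type macvlan mode bridge")
        cmds.append(f"ip addr add {iface.with_prefixlen} dev {name}")
        cmds.append(f"ip link set dev {name} up")
    return cmds


def apply(uplink, cidrs, dry_run=True):
    """Print the commands, or run them (needs root) when dry_run is False."""
    cmds = macvlan_commands(uplink, cidrs)
    for cmd in cmds:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(cmd.split(), check=True)
    return cmds


if __name__ == "__main__":
    # Constructed: a /27 block like the poster's 32 addresses, first three hosts.
    apply("eth1", [f"203.0.113.{h}/27" for h in (97, 98, 99)])
```

Traffic sourced from the uplink's own address cannot reach the macvlans through the parent interface (a known macvlan caveat), so keep every public address on a macvlan rather than on eth1 itself.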
I'm not sure if this is still an active post, but I'm trying to figure out a couple things in your config or really just wanted to double check.. what does the address 192.168.160.20 belong to? My first thought was an attached switch from your router connected to int fa0/0 on the switch.
I'm trying to figure out how to get my 2600 cisco router to play nice with my AT&T router. I have followed the instructions that you have provided, well the best that i can anyways..
My setup is like this:
Port 2 on the AT&T router is connected to the Cisco 2600 router on port fa0/1
Cisco 2600 port fa0/0 is connected to 2950 layer 2 switch on port 23
Host machine is connected to port 1 on the 2950 switch
This setup allows me to ping the outside world like google, yahoo etc from my host machine but does not allow me to use an internet browser to browse to the site. It just keeps loading with no results. I believe this has something to do with my acl or routing. I was wondering if you or anyone could please take a look at my configs and suggest anything that might help..
is set up as a bridge per your instructions (DMZplus mode)
Current configuration : 1047 bytes
!
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
enable password password
!
no aaa new-model
!
ip name-server 184.108.40.206
ip name-server 220.127.116.11
!
ip dhcp pool TEST_CLIENTS
 network 192.168.2.0 255.255.255.0
 dns-server 18.104.22.168 22.214.171.124
!
interface FastEthernet0/0
 description Internal LAN
 ip address 192.168.2.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 arp timeout 600
!
interface FastEthernet0/1
 ! this receives the public IP address
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no cdp enable
!
ip nat inside source list 101 interface FastEthernet0/1 overload
no ip http server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
line con 0
line aux 0
line vty 0 4
SWITCH 2950 CONFIGS
ip name-server 126.96.36.199
ip name-server 188.8.131.52
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
ip address 192.168.2.2 255.255.255.0
no ip route-cache
ip default-gateway 192.168.2.254
ip http server
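As an added example (not from the thread or any poster), a small Python audit that parses a Cisco IOS running-config like the router config posted above and flags the settings a practitioner would revisit once this router, rather than the 2Wire, is the firewall in front of the LAN. The sample config is constructed from the posted one, with the interface headers assumed from the posted routing table.

```python
"""Audit a Cisco IOS running-config for settings that matter once the router,
not the 2Wire, is the firewall. SAMPLE_CONFIG is constructed from the posted
config; its interface headers are assumed from the posted routing table."""

SAMPLE_CONFIG = """\
no service password-encryption
enable password password
interface FastEthernet0/0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
ip nat inside source list 101 interface FastEthernet0/1 overload
no ip http server
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
line vty 0 4
"""


def parse_ios(text):
    """Map each top-level line to its indented child lines (IOS nests with a space)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' comments carry no configuration
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_ios(text)
    findings = []
    if "no service password-encryption" in blocks:
        findings.append("password obfuscation disabled: add 'service password-encryption'")
    if any(h.startswith("enable password") for h in blocks):
        findings.append("plaintext 'enable password' in use: replace with 'enable secret'")
    ifaces = [c for h, c in blocks.items() if h.startswith("interface")]
    if not (any("ip nat inside" in c for c in ifaces) and any("ip nat outside" in c for c in ifaces)):
        findings.append("NAT needs one 'ip nat inside' and one 'ip nat outside' interface")
    for h, c in blocks.items():
        if h.startswith("line vty") and not any(x.startswith("access-class") for x in c):
            findings.append(f"{h}: no access-class limiting remote logins")
    if "ip http server" in blocks:
        findings.append("HTTP management enabled: disable it or restrict it with an ACL")
    return findings
```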
Thank you for the response, below is the information that you requested.
Gateway of last resort is 184.108.40.206 to network 0.0.0.0
220.127.116.11/22 is subnetted, 1 subnets
C 18.104.22.168 is directly connected, FastEthernet0/1
192.168.1.0/32 is subnetted, 1 subnets
S 192.168.1.254 [254/0] via 22.214.171.124, FastEthernet0/1
C 192.168.2.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [254/0] via 126.96.36.199
FastEthernet0/1 is up, line protocol is up
Internet address is 99.109.100.xxx/22 (my public IP address I X'ed the last octet hope thats ok, but it is my public IP address)
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
And sorry about the late response
After 3 weeks of effort, with support from 3 levels of AT&T tech support as well as this forum, I have concluded that the AT&T router is incapable of supporting my environment. I installed Time Warner Cable Business Internet last Friday and had my environment running in less than 3 hours. (The only reason it took 3 hours was that TWC had messed up a routing table which caused the routing to go into an infinite loop resulting in a timeout.) Bottom line, the TWC router worked just like the T1 router, passing everything down the pipe.
I want to thank SomeJoe for his effort in trying to get this to work. Another week of work may have yielded success, but I ran out of time.
© 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. AT&T 36USC220506