configuring devices behind the Public Routed Subinterface

Teacher

configuring devices behind the Public Routed Subinterface

It is a counter-intuitive configuration, so after trial and error for the past few hours, I've figured out how to do it.  The directions are:

 

Open a web browser to your homeportal (default is 192.168.1.254)

Have the password for your 2Wire gateway handy

 

1.  Click the Home Network icon and then click Advanced Settings

2.  Enable the Public Routed Subinterface

3.  Enter the public routable IP address that AT&T assigns you as the gateway into the Router Address box, and the Subnet Mask that they've assigned you in the Subnet Mask box.

4.  To set up your first device, connect it to the 2Wire Home Portal, and set it up to use DHCP.  The device will take a private address from the 2Wire.

5.  Click the box on the right side of the Advanced Settings window named "Edit Address Allocation"

6.  Find the device that you want to put the Public IP Address onto.  

7.  Uncheck the "Firewall Protection" box to turn off the inbound firewall to that device (if you wish, you can leave it checked and only open the ports that you need to use in the Firewall configuration)

8.  In the "Address Assignment" associated with your device, click the dropdown box and find and select "Public (select WAN IP Mapping)" 

9.  In the WAN IP Mapping, choose the address that you want to use from the dropdown box

10.  Click "Save" at the bottom of the page.  When the page refreshes, you'll see that your device needs a "DHCP Renew" 

11.  Go back to the device that you want to connect, and refresh its DHCP address (on a Linksys or Netgear router, you can just click Save Settings or Apply on the Setup window to refresh the DHCP address).  The results of the DHCP renew can be seen on the Status page of either device, or on a Windows PC, using the "ipconfig /all" command in a CMD window.

12.  On the 2Wire Home Portal, click Cancel to return to the Home Network > Advanced Settings window, and you'll see that your device has taken the new public IP address.  If you click on the "Edit Address Allocation" again, you'll see that your Device Status is "Connected DHCP"

13.  After doing this, I went back to my device and set the IP address in the setup to a static IP.

 

Adding a second device is a basic repeat of the procedure.  I'm having problems right now adding a 3rd device, which may require that I restart the Home Portal - I'll do that later tonight and report back on the status of the 3rd device.

 

 


Re: configuring devices behind the Public Routed Subinterface

Howdy Dave006 and others

 

You posted that 'The RG will work very well if you just configure the "Public Routed Subinteface" http://192.168.1.254/xslt?PAGE=J09&THISPAGE=J10&NEXTPAGE=J09 with the information from U-verse.'

 

I looked at my page and it did not have anything. I then went to http://192.168.1.254/xslt?PAGE=C06&THISPAGE=C01&NEXTPAGE=C06 and it had my "Public Routed Subinterface" correctly filled out.

 

Do you know why the two pages are different?

 

Thanks,

 

Gary

 

Mentor

Re: configuring devices behind the Public Routed Subinterface

Hi. I just got U-verse installed yesterday so I'm still struggling with it. Your problems sound very familiar, starting with the complete and utter lack of training and support by the AT&T people. But I've been playing with TCP/IP for a long time, and I enjoy a challenge.

 

I rediscovered what others here have already discovered: that if you just start using your static IP address block, the gateway will allow only outbound connections and block all incoming ones. What's the point of static IP addresses if you can't accept incoming connections!!! There really needs to be a button to simply disable all this firewall crap for static addresses.

 

I also discovered that in order to turn off the firewall for a static host, you must first have that host pick up a dynamic IP address with DHCP just to get it to appear in the table so you can select it to change its settings.

 

And I discovered something else that is pretty much of a show stopper, at least with my present configuration. My Linux servers MUST have two IP addresses, one in the static block so they can be reached from the outside world AND they must have an address in the non-routed 192.168.1.0/24 block so that their local clients can talk to them directly. There being no way within the gateway configuration pages to assign more than one address to each host, I simply added a second IP address from the 192.168.1.0/24 range, below the DHCP allocation block, to the Linux machine's ethernet interface. But the U-verse gateway apparently detected this, probably by observing its ARP broadcasts, and revoked the global static address I'd previously assigned to it, thus taking it off the outside network! This is obviously unacceptable.

 

I'm learning again a lesson I've learned many times before: use the absolute minimum of services and features from a network carrier's equipment, because they're probably broken or brain-dead in some unacceptable way. Provide as many of those features yourself as you possibly can.

 

So my plan is to insert a Linux-based router between the U-verse gateway and my local network and have it run a DHCP server for all the computers in our house except the U-verse settop box, which will remain plugged directly into the U-verse gateway. My router will proxy-arp for every address in my static block and route those packets to my main local network; hopefully this won't confuse the U-verse gateway too badly.

 

This will prevent the computers on our network from talking directly to the set top TV box, but I'm not sure that matters; are there any useful services running on the set top box? I see it listening on ports 8080 and 8086 but they don't seem to be webservers.

 

 

 

 

Mentor

Re: configuring devices behind the Public Routed Subinterface

Yeah, I only got Uverse installed on Thursday but I'm having trouble believing that the software in this piece of junk really IS this badly designed. I must be missing something simple. But if so, then so are you guys. I'll keep beating my head against it through the weekend, and if I still can't figure out a workaround I'll disconnect Uverse in disgust. I'm beginning to think that the only way I'll ever get anything resembling a simple block of unfiltered static IP addresses at home is to set up an OpenVPN node in a colo somewhere.

 

It must have taken a lot of effort to screw up something as conceptually simple as routing a static IP address block. Why would anyone want static IP addresses on which you can't turn off a firewall?

 

No wonder you can only get 2WIRE products through a service provider. Nobody in their right mind would buy one on the open market if they had a choice to buy anything else.

 

Employee

Re: configuring devices behind the Public Routed Subinterface

Tell ya what, cut all the flak and just explain what you want to do.

Whine whine whine ....

 

 

Employee Contributor*
*I am an AT&T employee and the postings on this site are my own and don't necessarily represent AT&T's position, strategies or opinions.
Mentor

Re: configuring devices behind the Public Routed Subinterface

What do I want to do?

 

I bought a block of static IP addresses. I actually want to use that block of static IP addresses with the computers on my home network.

 

I DO NOT want my host computers to have to speak DHCP to get one of those static IP addresses. I just want to statically configure each system with an address from the block.

 

I DO NOT want ANY kind of firewalling, port or protocol blocking on these static IP addresses, in either direction. None whatsoever.

 

Is this too much to ask for?

 

Scholar

Re: configuring devices behind the Public Routed Subinterface

Sounds easy, the 2-Wire RG can help you with each of your stated requirements. You just have to understand that the RG is a router in addition to being just a VDSL modem. I responded inline to each of your questions.

 


ka9q wrote:

What do I want to do?

 

I bought a block of static IP addresses. I actually want to use that block of static IP addresses with the computers on my home network. Fully supported by the RG, just hardcode one of your Public Routed IP addresses, subnet, and the Public Routed Gateway address in each client machine that you want to use in the public routed block.

 

I DO NOT want my host computers to have to speak DHCP to get one of those static IP addresses. I just want to statically configure each system with an address from the block. Not an issue, the RG will auto detect the usage of the Static IP if you choose to use that instead of using one of the 3 DHCP mapping options that 2-Wire recommends.

 

I DO NOT want ANY kind of firewalling, port or protocol blocking on these static IP addresses, in either direction. None whatsoever. Again the RG supports this but by default it provides inbound protection, yet allows you to easily configure the Firewall to allow individual services or use the "Allow All Applications" setting on the Firewall configuration page to allow all unsolicited inbound traffic through to each client.

 

Is this too much to ask for? No, and the RG meets all your stated requirements, please let us know if you need additional assistance configuring your Static block of public routed IP addresses....

 


Dave

Mentor

Re: configuring devices behind the Public Routed Subinterface

I understand that it's not just a VDSL modem. That's precisely the problem.

 

I am making progress, though. I disconnected everything on my network and cleared the gateway list of local hosts. I set "Auto firewall open" on the Edit Advanced Home Network Settings page. Then I connected one host at a time, statically configuring each one and checking that it could ping the router.

 

It took several minutes, but each host eventually showed up in Home Network - Summary. I clicked on Edit Firewall Settings for the new host and verified that it had "allow all applications (DMZplus mode)" checked.

 

My underlying problem was that the Uverse gateway changes its state when it discovers a statically configured host, which it apparently does by snooping on ARP broadcasts. This is both undocumented and not something I expected a router to do. And it took me a long time to realize what was going on because it takes the gateway several minutes to discover each new host. Definitely not in keeping with the Principle of Least Astonishment.

 

The reason this is a problem for me is that I want each of my servers with a globally routable IP address to also have a secondary local address so they can talk to their local clients without looping any traffic through the Uverse gateway. (I have a lot of gigabit Ethernet.)  Whenever one of my servers used a secondary address in the 192.168.1.0/24 block, or in fact ANY secondary address, the Uverse gateway snooped on it, got confused and apparently assumed the server didn't need its globally routable address anymore. It apparently never occurred to the designers of the Uverse gateway that anyone would ever want a server to have more than one address.

 

To work around this, I've had to separate the Uverse LAN and my regular home LAN. (The Uverse set-top box remains directly connected to the Uverse gateway, of course). Each server has two physical Ethernet interfaces. The one on the Uverse gateway has the globally routable Uverse address and the other interface has an address in the 192.168.2.0/24 block on my regular home LAN. This keeps the Uverse gateway from seeing and becoming confused by my intra-LAN traffic.

 

One of those dual-homed servers is a homegrown Linux-based router that uses its static routable Uverse address to provide DHCP, NAT and 6to4 services to the clients on my regular LAN. This lets me specify the DNS server and search domain, something the DHCP server in the Uverse box apparently doesn't do.

 

I'm still able to talk from the house LAN (192.168.2.0/24) through the NAT in the Linux server to the configuration webserver in the Uverse gateway (192.168.1.254), but any clients on the Uverse LAN are unable to talk to servers on the regular house LAN. That means the WiFi AP that's built into the Uverse gateway isn't very useful, but that's no big loss since it's 802.11g only.

 

At some point I might look into using a filtering bridge instead of an IP router between the Uverse gateway and my house LAN to block traffic that I don't want the Uverse gateway to see.

 

Thanks for your help and advice.

 

 

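A concrete version of the dual-homed Linux router described in the post above, written as an added example; it is not the poster's configuration and none of it comes from the thread. It derives the 6to4 prefix from the static address, writes an iptables-restore rule set that SNATs the house LAN out through the static address while filtering for the router itself (the RG's firewall is off for a DMZplus host, so unsolicited traffic from the U-verse side is dropped except protocol 41, which 6to4 relays send back from addresses conntrack has never seen), and a dnsmasq configuration that hands out the DNS server and search domain the RG's own DHCP server does not. The interface names eth0/eth1, the 192.168.2.0/24 house LAN, the static address 203.0.113.10 (RFC 5737 test space) and the domain home.example are all assumed values.

```python
"""Config generator for a dual-homed Linux router between the U-verse RG and a house LAN.

Added example; not the poster's actual setup. Assumed (constructed) layout:
  eth0  192.168.2.1/24   house LAN side: DHCP server, NAT clients
  eth1  203.0.113.10/29  U-verse side: one address from the static block, RG at 203.0.113.9
"""
import ipaddress
import os

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def six_to_four_prefix(ipv4):
    """RFC 3056: the IPv4 address A.B.C.D becomes the IPv6 prefix 2002:AABB:CCDD::/48.

    The prefix embeds the address relays will send packets to, so it must be the routable
    one on the U-verse side, never a NATed RFC 1918 address."""
    addr = ipaddress.IPv4Address(ipv4)
    if any(addr in net for net in RFC1918):
        raise ValueError(f"{addr} is RFC 1918; 6to4 needs the public static address")
    return "2002:%02x%02x:%02x%02x::/48" % tuple(addr.packed)


def six_to_four_commands(wan_ip, lan_if, ifname="tun6to4"):
    """ip(8) commands for the 6to4 tunnel plus a /64 for the LAN (advertise it with radvd)."""
    p48 = six_to_four_prefix(wan_ip).split("::")[0]  # e.g. 2002:cb00:710a
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "sysctl -w net.ipv6.conf.all.forwarding=1",
        f"ip tunnel add {ifname} mode sit remote any local {wan_ip} ttl 64",
        f"ip link set {ifname} up",
        f"ip -6 addr add {p48}::1/16 dev {ifname}",  # /16: other 2002::/16 sites are reached directly
        f"ip -6 route add ::/0 via ::192.88.99.1 dev {ifname} metric 1",  # anycast relay (deprecated by RFC 7526)
        f"ip -6 addr add {p48}:1::1/64 dev {lan_if}",
    ]


def nat_rules(lan_cidr, lan_if, wan_if, wan_ip):
    """iptables-restore text. SNAT rather than MASQUERADE because the outside address is fixed.
    INPUT is closed toward the U-verse side apart from replies, ICMP and protocol 41 (6to4)."""
    return "\n".join([
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        f"-A POSTROUTING -s {lan_cidr} -o {wan_if} -j SNAT --to-source {wan_ip}",
        "COMMIT",
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -i {lan_if} -j ACCEPT",
        f"-A INPUT -i {wan_if} -p icmp -j ACCEPT",
        f"-A INPUT -i {wan_if} -p 41 -j ACCEPT",
        f"-A FORWARD -i {lan_if} -o {wan_if} -s {lan_cidr} -j ACCEPT",
        f"-A FORWARD -i {wan_if} -o {lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "COMMIT",
        "",
    ])


def dnsmasq_conf(lan_if, router_ip, range_start, range_end, dns_servers, domain):
    """dnsmasq DHCP bound to the house LAN only; the RG keeps serving the set-top box on its own LAN."""
    return "\n".join([
        f"interface={lan_if}",
        "bind-interfaces",
        f"dhcp-range={range_start},{range_end},12h",
        f"dhcp-option=option:router,{router_ip}",
        "dhcp-option=option:dns-server," + ",".join(dns_servers),
        f"dhcp-option=option:domain-search,{domain}",
        f"domain={domain}",
        "",
    ])


def write_configs(outdir, lan_if="eth0", lan_cidr="192.168.2.0/24", router_ip="192.168.2.1",
                  wan_if="eth1", wan_ip="203.0.113.10", domain="home.example"):
    """Write rules.v4 (apply with iptables-restore < rules.v4), dnsmasq.conf and setup-6to4.sh.
    The DHCP pool is offsets 100-200 of the LAN block, which assumes a /24 or larger."""
    net = ipaddress.ip_network(lan_cidr)
    pool = (str(net.network_address + 100), str(net.network_address + 200))
    os.makedirs(outdir, exist_ok=True)
    files = {
        "rules.v4": nat_rules(lan_cidr, lan_if, wan_if, wan_ip),
        "dnsmasq.conf": dnsmasq_conf(lan_if, router_ip, pool[0], pool[1], [router_ip], domain),
        "setup-6to4.sh": "#!/bin/sh\nset -e\n" + "\n".join(six_to_four_commands(wan_ip, lan_if)) + "\n",
    }
    for name, text in files.items():
        with open(os.path.join(outdir, name), "w") as f:
            f.write(text)
    return sorted(files)


if __name__ == "__main__":
    print("\n".join(write_configs("uverse-router")))
```

The 6to4 anycast relay (192.88.99.1) was deprecated by RFC 7526, so the tunnel commands reproduce what the poster's era used rather than what to deploy today; the SNAT and dnsmasq pieces still apply unchanged. Keeping 6to4 return traffic (protocol 41) explicitly allowed, and everything else from the U-verse side dropped, is what makes running the router as the RG's DMZplus host safe.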
Expert

Re: configuring devices behind the Public Routed Subinterface

As you've discovered, the RG routes traffic by MAC address, not by IP.  The limitation in this method is that the RG does not handle multihomed interfaces (e.g. more than 1 IP address with the same MAC address).

 

If you can configure your Linux servers with multiple logical subinterfaces on a single NIC, and have each subinterface use a different MAC, you can use only 1 NIC instead of 2.

 

 

Mentor

Re: configuring devices behind the Public Routed Subinterface

Actually, I can't say I'd discovered that the RG routes traffic by MAC address. If it did, that would make it a bridge, and I'd be far happier with a simple bridge. All IP routers, by definition, route by IP address. The problem with the Uverse gateway is that it tries to be clever and only shoots itself (me, actually) in the foot.

 

If it is also going to act as a DHCP server, a feature I should be able to turn off, it should give me a simple means to enter a list of MAC addresses and desired fixed IP address allocations. MAC addresses not on the list should either be given an address from a dynamic pool or rejected, at the user's option. The box should use ARP only for its intended purpose and not modify its firewall state in response to what it sees in those packets. (I haven't confirmed that it's definitely using ARP in this way; it might also be monitoring what Ethernet and IP source addresses appear in regular data packets. This is hinted at by the "enable router behind router alert" option. Naturally, none of this is documented in any meaningful way.)

 

And there's no way to get all of this brain damage out of the way. Even with the firewall still supposedly open I still see it filtering some incoming TCP ports (at least 445, 139, etc). I don't know yet whether it blocks any other protocols, as there's no mention of anything but UDP and TCP on the firewall page.

 

I also see that outbound TCP port 25 is blocked. I strongly prefer to run my own outbound mail relay, and this was one of my reasons to get a static block since so many ISPs misguidedly reject mail from dynamic and dialup IP pools. I don't know if the Uverse gateway is doing this, or if it's somewhere inside AT&T's network. I am not a spammer, and I resent the assumption that I am. I just want to use the Internet in the way that it was originally designed.

 

As a matter of principle I don't want my service to block ANY TCP or UDP ports or IP protocols whatsoever. My computers can protect themselves. For addresses in the static block there's no reason for any router to even look past the IP header at the transport (TCP, UDP, ICMP, etc) header. Probably the biggest mistake we ever made in developing TCP/IP was in not making IPSEC mandatory on all traffic to stop this kind of filtering nonsense and to kill NAT in its infancy before it became the horrible monster that it is today.


Expert

Re: configuring devices behind the Public Routed Subinterface

It technically doesn't "route" by MAC address, it still routes at layer 3.  But once it has learned of a MAC address on the network, it continuously sends ARP packets to it and updates its internal ARP cache with whatever IP is there.  This is why multihomed devices don't work - the ARP cache table constantly changes as it sees different packets with different IP addresses.

 

The DHCP server can't be turned off because the U-Verse STBs need to get the AT&T DNS server information via DHCP.  If you ran your own DHCP server, you would have to program specially to hand out the correct info to the U-Verse STBs.

 

If you have set a device to DMZPlus, the RG should allow everything.  I have run a Cisco 2811 router behind the RG in DMZPlus, and was able to pass non-TCP/non-UDP IP protocols like GRE/ESP/AH with no problems.

 

Outbound port 25 is blocked in AT&T's network by default (not blocked in the RG) for spam control.  AT&T will turn off the port 25 block on request, just call technical support and tell them you want them to unblock port 25 for you.

 

 

Just so you know, the proper way to set up your servers to use a static IP with no blocking is:

  1. Log into the RG, go to Home Network -> Advanced Settings.
  2. Enable the Public Routed Subinterface, put the IP address within that block that you want the RG to have, and put in the subnet mask.  You probably already know, but the first and last addresses of your static IP block (likely a block of 8) are not usable.
  3. Assign a static IP from your block to a server.  From that server, ping the RG's static IP so that the RG caches its MAC address and IP in the ARP cache.
  4. Go back to the RG, go to Home Network -> Advanced Settings.
  5. Click the "Edit Address Allocation" button in the lower right.
  6. Find your server in the list.  Under the Address Assignment, verify it says "Static IP - no DHCP".
  7. Under the WAN IP Mapping, select the IP address from your static block that you assigned to the server.
  8. Uncheck the "Firewall Protection" checkbox on the left.

That server should now be open to all traffic from the internet on that static IP.

 

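The address arithmetic behind both the DHCP-mapping procedure in the first post and the static procedure just above, as an added example that is not code from the thread, from 2Wire or from AT&T. It takes the block AT&T assigned, works out the subnet mask and the usable addresses (network and broadcast excluded, as the post above notes for a block of 8), and checks that the RG's Router Address and every server's static address are distinct usable members of the block before returning what to enter on the Public Routed Subinterface page, in Edit Address Allocation, and on each server. The block 203.0.113.8/29 (RFC 5737 test space) and the host names are constructed sample values.

```python
"""Lay out an AT&T static block for the 2Wire RG's Public Routed Subinterface.

Added example, not from the thread. 203.0.113.8/29 and the host names are constructed.
Assumes the network and broadcast addresses of the block are unusable, and that one
usable address is given to the RG itself as the "Router Address".
"""
import ipaddress


def block_info(cidr):
    """Subnet mask and usable addresses of the block. strict=False lets you pass the RG
    address with its mask (e.g. 203.0.113.9/29) and still get the block it lives in."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "subnet_mask": str(net.netmask),
        "usable": [str(h) for h in net.hosts()],
    }


def plan(cidr, router_address, hosts, static=True):
    """Check a proposed layout and return what to enter where.

    cidr            the static block, e.g. "203.0.113.8/29"
    router_address  the block address the RG takes ("Router Address" on the subinterface page)
    hosts           {name: public address} for each server
    static          True for hardcoded addresses ("Static IP - no DHCP"), False for the
                    DHCP route from the first post ("Public (select WAN IP Mapping)")

    Raises ValueError for an address outside the block, the network or broadcast address,
    a collision with the router address, or two hosts on one address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    usable = set(net.hosts())
    rg = ipaddress.ip_address(router_address)
    if rg not in usable:
        raise ValueError(f"router address {rg} is not a usable address in {net}")
    owner = {rg: "RG"}
    per_host = {}
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in usable:
            raise ValueError(f"{name}: {addr} is not a usable address in {net}")
        if addr in owner:
            raise ValueError(f"{name}: {addr} is already taken by {owner[addr]}")
        owner[addr] = name
        per_host[name] = {  # what to hardcode on the server, and what to pick in the RG
            "ip": str(addr),
            "netmask": str(net.netmask),
            "gateway": str(rg),
            "rg_address_assignment": "Static IP - no DHCP" if static
                                     else "Public (select WAN IP Mapping)",
            "rg_wan_ip_mapping": str(addr),
            "rg_firewall_protection": "unchecked",
        }
    return {
        "rg_router_address": str(rg),
        "rg_subnet_mask": str(net.netmask),
        "hosts": per_host,
        "free": [str(a) for a in sorted(usable - set(owner))],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan("203.0.113.8/29", "203.0.113.9",
                          {"www": "203.0.113.10", "mail": "203.0.113.11"}), indent=2))
```

Running the check before touching the RG catches the two mistakes that otherwise surface only as a host that never appears in Edit Address Allocation: picking the first or last address of the block, or giving a server the address the RG already holds.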
Mentor

Re: configuring devices behind the Public Routed Subinterface

Hi Joe, thanks again for the information, you've helped me get everything here into a fairly reasonable state.

 

I haven't tested all the protocols I'll want to use, but at least one of them (IPv6 in IPv4 tunneling) does indeed seem to work.

 

Thanks much for the information about port 25 blocking, that's just what I suspected. I'll call AT&T as you suggest.

 

I note an unused RJ-45 on the back of the gateway labeled "Broadband". Apparently it can work with an external modem, connected by Ethernet. Perhaps if I can find a standalone VDSL2 modem somewhere, I could use it in place of the one built into the gateway and thereby gain direct access to the network for my own router. It should be easy enough to figure out the necessary VLAN IDs and so forth.

 

Expert

Re: configuring devices behind the Public Routed Subinterface


ka9q wrote:

 

I note an unused RJ-45 on the back of the gateway labeled "Broadband". Apparently it can work with an external modem, connected by Ethernet. Perhaps if I can find a standalone VDSL2 modem somewhere, I could use it in place of the one built into the gateway and thereby gain direct access to the network for my own router. It should be easy enough to figure out the necessary VLAN IDs and so forth.


 

The broadband port is used with Fiber-To-The-Premises (FTTP) installations.  The Optical Network Terminal (ONT), which replaces the NID on the side of the house, feeds the RG through this connection.

 

Unfortunately, standalone VDSL/VDSL2 modems won't work with U-Verse.  The RG authenticates with the upstream servers using unique X.509 certificates that are stored in the RG.  Stand-alone VDSL products will not authenticate, and the virtual circuits will never come up.

 

Mentor

Re: configuring devices behind the Public Routed Subinterface

I'm not trying to turn off the uverse gateway entirely; why can't I connect it and my own router with an Ethernet hub to a standalone VDSL2 modem and let the U-verse box handle all the authentication? The U-verse gateway box should continue to handle the original dynamic IP address, any of its NAT users, and all my video traffic just as though I never had a static IP address block. That would be handled separately by my own router.

 

By the way, on your advice I fired up a chat with AT&T customer service and asked them to turn off port 25 blocking. Within minutes it was off and I was sending my own mail. I can't believe it was that easy! Thanks.

 

 

Expert

Re: configuring devices behind the Public Routed Subinterface

I don't think anyone has ever tried that, but it doesn't seem like it would work.  If you had your own VDSL2 modem, and it connected to a switch in which you had both the RG and your router plugged in, it's possible the RG would be able to authenticate and come up, but your router wouldn't.  All traffic from AT&T would be directed to the RG, and your router, even if it authenticated, couldn't get an outside IP address, and it can't share the one assigned to the RG.

 

I doubt seriously that you could get AT&T to route your static IP block to your own router.

 

Mentor

Re: configuring devices behind the Public Routed Subinterface

One problem I'm still having: traceroute doesn't work. I don't seem to be getting ICMP messages back. I can't see any reason they shouldn't come back to a host with a routable address (no NAT) unless a firewall is blocking them.

 
