Forums » US Telco Support » AT&T » AT&T U-verse » U-Verse Static IP's: Not Working, Can't figure out problem
AnoyedUVerseCust

@sbcglobal.net
reply to CJ Texas
Re: U-Verse Static IP's: Not Working, Can't figure out problem

Wait, so were you able to assign an Att public IP address to one of your internal devices and bypass the 2wire routing? If so, how did you do this?

satnone

join:2009-07-05

reply to CJ Texas
I also just signed up for this service and I am already quite pissed off. I made a huge effort to ask as many techs as I could if there's anything "funny" about this service, funny being anything other than an ethernet port to the internet that I can use any of my static IPs on. I have been wasting so many hours of my time trying to get my firewall working behind this piece of crap 2wire. Did anyone ever figure out how to use IP aliases with this thing? It seems that it will only DMZ according to MAC addresses, so while I can get IP aliases working fine, all of them end up being blocked by their firewall. Using their residential gateway (not sure why a business class account would be given something like this) is not an option for me, so if I can't get my IPs to work correctly and not through some ridiculous DHCP reservations, I'm gonna have to waste even more time switching ISPs again. Can't believe how many hours I spent on the phone to avoid this very thing only to end up in this situation anyways. This is unacceptable for business class internet service - we need real routers... that route... period.

Please if anyone has found a solution let me know.

dave006

join:1999-12-26
Boca Raton, FL
·AT&T U-Verse

First the RG is a real router but what you really want is just a bridged VDSL Modem. You are not going to get that with U-Verse.

What are you using for a "Firewall"? Do you have a block of Static IPs from U-Verse?

The RG has a very specific way to support multiple static IP addresses. It is not designed to pass a block of IPs to a downstream router.

Second, rather than ranting, tell us about your configuration and the specific issue that you have, you will get a much warmer welcome to the Forum.

Dave

satnone

join:2009-07-05

First of all this is Uverse fiber optic service, there is no dsl modem.
Yes I have a block of IPs which I expected and was told I would be able to use the way that anyone would use static IPs. I have a linux based firewall that uses IP aliases. I am not going to use the RG for my firewall, just like probably any normal business would not. I was even told by the tech I spent 45 minutes talking to that she doesn't understand why they are giving these RGs to business customers either, because it makes no sense since any business would have their own firewall with their own specific configurations. All I wanted to know was if anyone has yet found a way to use IP aliases with this thing, because I have tried everything and am about to give up.

dave006

join:1999-12-26
Boca Raton, FL
·AT&T U-Verse

Short answer is No, not in a reliable supported way. Many have tried and there are some hacks that claim to work but they are very complex and fail very often due to almost any change on your side of the network due to dynamic route table changes.

Sorry but more bad news. The RG is a 2Wire 3800HGV-B Gateway (based on the 2Wire 2701) and has a built-in VDSL Modem even if you don't use it (if you use the Broadband port). The U-Verse network is not a 100% fibre network. The network backbone is fibre from the VRAD upstream but the last mile is mostly copper unless you are in one of the rare areas with FTTP. It sounds like you are in the FTTP group based on your comments about just an "ethernet" connection to the internet.

The RG is designed to use OSI Layer 2 and MAC addresses to provide the connection from the U-Verse network to your static IP block. Again, U-Verse does allow you to configure the RG in a bridged mode (transparent routing) or create forward / backward routes. It is designed to own the subnet and it uses an internal capability in the RG to generate the routes between the public segments to reach your static IP block.

Here is the 2Wire support article that provides the best overview of multiple Static IP support: »support.2wire.com/?page=view&article=126

Note: You are running Version 5 firmware on the U-Verse RG so follow that section, sorry the other capabilities don't apply.

This allows you to have both a public static set of IPs and also NAT for any other devices on your network.

Have you even tried to use the RG and its capabilities? It has a Stateful packet inspection (SPI) Firewall.

Dave

satnone

join:2009-07-05

Yes we have FTTP, and only FTTP, or believe me I would still be with DSL Extreme, and I'm sorry but I can't substitute my linux firewall with all of its capabilities and configurations for this 2wire.. not gonna happen. I just got off the phone with another tier 2 tech, and he also agreed with me about this, and said he doesn't understand why business class would be forced to use this 2wire as their firewall either. I spent many hours on the phone and even talked to a couple tier 2 techs before signing up to make sure I didn't have any surprises like this, and none of them bothered to mention this to me. Looks like TW is my only other option now.. and if that doesn't work I guess I'll be looking for another place to live. If I sound anal or picky about any of this, at my work we have well over 300 clients, and not one of them is using a 2wire residential gateway as their firewall.

dave006

join:1999-12-26
Boca Raton, FL
·AT&T U-Verse

Sorry that you received poor pre-sales information. It sounds like you need more control over your Internet connection than U-Verse allows today. All U-Verse customers are required to use the 2Wire RG.

I am not sure what your comment about your "work" and over 300 clients and none of them using 2Wire is meant to explain. Unless they have U-Verse then we are comparing "Apples" to "Oranges".

Did you even bother to try to use the RG as designed? You would have been up and running in less than 10 minutes with all of your Static IPs available and configurable using the RG and its SPI Firewall.

Since you want to use multiple static IPs you have fewer options with the configuration of the RG. If you are willing to use the DMZPlus feature, you can use your Linux box to provide features for a private LAN network segment without multiple static IP support.

What specific feature or features do you think are missing from the RG? Did you just join the Forum to rant, or would you like to have a technical discussion with peers here on the Forum that know about the features, functions and yes even some of the limitations of the U-Verse solution? It is not perfect but DSL Extreme and TW are not perfect either. Since you have FTTP, your options are really limited.

Dave

neiltif

join:2006-12-11
Bloomingdale, IL

reply to dave006
said by dave006:

Have you even tried to use the RG and its capabilities? It has a Stateful packet inspection (SPI) Firewall.
Really, well the GUI for configuring it must be designed for MIT grads only because it's not obvious that it's a real firewall at all.

satnone

join:2009-07-05


1 edit
reply to CJ Texas
Well sure I could use the RG and my IPs would be working, but then my network would not be set up the way I want it and would not be controlled by MY firewall, therefore it is not an option for me, but I've already explained this.

Just to give you an idea of what my firewall does and to have a little technical talk like you suggested, I use IP aliases and I use 1:1 NAT to give public IPs to my specific servers. I keep all my servers behind my firewall and use linux iptables to allow openings for certain ports and to control my NAT any way I want (I can direct any port from any public IP specified in my IP aliases to any port and any private IP I want in my network). Some people might have one server they don't mind just sticking on the DMZ, but I don't do it that way... besides I have far more than one server that needs to be publicly accessible in some way. I think my ISP has no business doing anything on my local network. Their control should end at the public side of our firewall. That's my opinion and I'm sure it's the same opinion any business would have.

Anyways like I said all the tier 2 techs I talked to totally agreed with what I'm saying, and the last one who I was exchanging emails with even felt it was necessary to forward my email to her supervisor and said that he forwarded it to his manager, so hopefully eventually this will change. Until then I have already signed up with TW who by the way answered all my questions about reverse DNS management, port blocking and every other question I had in about 3 minutes (one sales person knew all the answers), which took about 10 hours, 7 different departments and 12 different reps (no exaggeration after adding it all up) to get from AT&T. It almost took all that just to find someone at AT&T that knew what reverse DNS was. One tech said "Um well it was my understanding that DNS is something that runs on your computer.. right?".

Sorry if this offends you or any other AT&T employees on here, but it's the truth.

ralfwolf

join:2009-07-03
San Jose, CA

said by satnone:

Just to give you an idea of what my firewall does and to have a little technical talk like you suggested, I use IP aliases and I use 1:1 NAT to give public IPs to my specific servers. I keep all my servers behind my firewall and use linux iptables to allow openings for certain ports and to control my NAT any way I want (I can direct any port from any public IP specified in my IP aliases to any port and any private IP I want in my network).

satnone,

What you are describing is very typical so any suggestion to the contrary is obviously not based on experience or knowledge. That said, I think the only choice here is to work with what we've got or move on to another ISP. Currently, nobody is providing the speeds uverse promises so I'm stuck. Take a look at the macvlan kernel module.

»cateee.net/lkddb/web-lkddb/MACVLAN.html

With this, it should be possible to create a separate virtual interface for each "real" ip (each with a different mac address) without adding extra hardware or creating VMs. These interfaces can then be put in the DMZ and used in your iptables rules to do nat or anything else. I've used this in another application and it looks exactly like a real ethernet interface from the outside.
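The macvlan approach above combined with the 1:1 NAT satnone described, written out as an added example (not code from any poster or from the 2Wire documentation). Assumptions: the parent interface toward the RG is eth0, the RG has been configured to hand each public static IP to the MAC address of the matching macvlan interface, and every address and port below is a constructed sample value.

```shell
#!/bin/sh
# Added example: one macvlan sub-interface per public static IP, each with its
# own MAC address, so the 2Wire RG (which binds public IPs to MACs) sees each
# IP as a separate device; then 1:1 NAT from each public IP to one internal
# server using iptables on the Linux firewall.

# DRY_RUN=1 prints each command instead of executing it (execution needs root).
run() {
  if [ -n "$DRY_RUN" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Deterministic locally-administered unicast MAC (02: prefix) for alias index $1.
alias_mac() {
  printf '02:00:5e:ff:00:%02x' "$1"
}

# Create macvlan sub-interface $2 on parent $1 with the MAC for index $3 and
# ask the RG's DHCP server for the public address bound to that MAC.
add_public_alias() {
  parent=$1; name=$2; idx=$3
  run ip link add link "$parent" name "$name" type macvlan mode bridge
  run ip link set dev "$name" address "$(alias_mac "$idx")"
  run ip link set dev "$name" up
  run dhclient -nw "$name"
}

# 1:1 NAT from public IP $1 to internal host $2. Only the TCP ports listed in
# $3 (space separated) may open new inbound sessions; replies to established
# sessions pass statefully and anything else aimed at that host is dropped.
# Outbound traffic from $2 is sourced as $1 so the server keeps one identity.
one_to_one_nat() {
  pub=$1; priv=$2; ports=$3
  run iptables -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$priv"
  run iptables -t nat -A POSTROUTING -s "$priv" -j SNAT --to-source "$pub"
  run iptables -A FORWARD -d "$priv" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for p in $ports; do
    run iptables -A FORWARD -d "$priv" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  run iptables -A FORWARD -d "$priv" -j DROP
}

# Constructed layout: two public IPs from the static block, two internal servers.
main() {
  run sysctl -w net.ipv4.ip_forward=1
  add_public_alias eth0 pub1 1      # RG expected to lease 203.0.113.11 to this MAC
  add_public_alias eth0 pub2 2      # RG expected to lease 203.0.113.12 to this MAC
  one_to_one_nat 203.0.113.11 192.168.1.11 "80 443"   # web server
  one_to_one_nat 203.0.113.12 192.168.1.12 "25 587"   # mail server
}

# "apply" executes the commands, "show" only prints them; no argument does nothing.
case "${1:-}" in
  apply) main ;;
  show)  DRY_RUN=1; main ;;
esac
```

Run it with `show` first to review the generated `ip` and `iptables` commands before applying them on the firewall.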

satnone

join:2009-07-05


1 edit
Wow that looks like exactly what I was looking for... too bad I didn't find out about this sooner. Oh well my speed package now should be even faster than the package I had before anyways. Hopefully I won't have too many problems with TW. I've never had their business class internet service, but have had their residential TV and haven't been too happy with that. At my work we have many clients with this service so I think it may be alright.

Anyways thanks for this ralfwolf, it may come in handy for me in the future.

dave006

join:1999-12-26
Boca Raton, FL
·AT&T U-Verse

reply to neiltif
Again, have you tried to configure the Firewall settings using the GUI? It is very easy to open individual ports or groups of TCP or UDP ports or predefined Application groups. If it were designed by MIT Grads for MIT grads it would be all CLI.

You have the option of using simple pre-defined groups or selecting your individual groups of ports that you are interested in managing. You also have the ability to manage advanced features on the Firewall.

Dave

dave006

join:1999-12-26
Boca Raton, FL
·AT&T U-Verse

reply to satnone
Your Linux firewall does nothing that can't be done with the existing 2Wire. You can have a combination of public static IPs that have all ports open, ranges of ports open or even select individual ports open. You also have the ability to have static IP and NAT to individual private IPs using pinhole port forwarding. The DMZPlus is meant to be used for sharing the single IP and not for the static IPs.

The ISP stops their management at the RG (router) level and it includes a SPI Firewall that is very configurable, but you just have to spend a few minutes to learn how to use the tools. U-Verse gives you full control of the RG; many "business" grade providers don't even allow you to have a login id to the router to make any changes.

So again you can have a mix of static IP addresses (they are not part of any DMZPlus mode), they are on a fully routable segment, and you still have PNAT addresses supported behind the RG.

The static IPs don't have to be fully exposed unless you choose to have them configured that way.

By default the Firewall still protects the static IPs. The Firewall also allows you to control groups of common ports based on common applications or the ability to create groups of ports, both TCP / UDP, that you want to manage. If you have a block of 8 Static IPs for example (5 are fully routable), you can also have up to 254 PNAT devices that are supported in the private segment that also have port forwarding capability from the router's IP using NAT.

So again, you have not stated a specific requirement that can't be met by a properly configured RG other than you just like to use your Linux box.

AT&T and U-Verse don't manage your Firewall settings in the RG, so the boundary is really at the router, aka the old DSU / CSU boundary. You have full control of the Firewall settings within the RG.

Dave

satnone

join:2009-07-05

said by dave006:

Your Linux firewall does nothing that can't be done with the existing 2Wire.
I can see you are quite excited about these 2wires, but to say that is laughable.


Uverse Cust

@sbcglobal.net

Yeah, very funny posts here. The 2Wire does MAYBE 1/10th what a linux or bsd box can do in terms of routing. This 2Wire is not set up too well in terms of custom router setups, firewalls, QoS shaping and the such. Hell, even my old 2Wire from Att DSL does a better job and has more options, which makes me think these features are just disabled maybe? Though I am not sure how good the hardware in this RG is either, since it does bog down under high load and demand, especially with a lot of tcp connections going through it. I just hope they eventually enable the option for full bridge mode to completely bypass this joke of a "router". DMZ+ 'kinda' works, but you still have to do a little dance to get it to 'kinda' work, and it still proxies through the 2wire, and the 2wire is still trying to route, sometimes double NATing.. I mean, for offering static IPs and business accounts, you just expect more...

real_goose

join:2001-04-13
Grosse Pointe, MI

1 edit
reply to dave006
The major missing features for me are no way to specify use of OpenDNS for the network, no DynDNS client, and no QOS. Please tell me how to accomplish any of these on 2WIRE RG.


UVerse Cust

@sbcglobal.net

said by real_goose:

The major missing features for me are no way to specify use of OpenDNS for the network, no DynDNS client, and no QOS. Please tell me how to accomplish any of these on 2WIRE RG.
You know what is funny? The 2wire device AT&T uses for their ADSL, you can do ALL of this.... In fact, I'm using my old dsl modem as a WAP behind my pfsense box, and disabled the RG wireless AP, which also solved issues relating to internet issues with phones ringing, which means that even if your devices are wired, if a cordless device happens to interfere with the same frequencies as this 2wire RG, it will still interfere and cause some disruption with your connection... very easy to reproduce.. it cracks me up.. one thing after another I find wrong with this thing.

dave006

join:1999-12-26
Boca Raton, FL
·AT&T U-Verse

reply to satnone
said by satnone:

said by dave006:

Your Linux firewall does nothing that can't be done with the existing 2Wire.
I can see you are quite excited about these 2wires, but to say that is laughable.
Not really excited but I still have not heard what your magic Linux "Firewall" box can do. I was not laughing as you continued to rant about something after it was clearly explained that you can't just bridge the RG or, in your FTTP area, a transparent router to allow you to bridge your static IP segment as you stated in your first post:

"an ethernet port to the internet that I can use any of my static IPs on"


Just to keep the noise down from the other "rant" team members, we are talking about "Firewall" features / functions, not custom routing capabilities, as you selectively quoted my previous post. You keep calling it a Linux Firewall, not a Linux Router. You have every reason to complain if you thought you were getting just a dumb data pipe with U-Verse Business, but now you know the restrictions.

You are welcome to swing by the TW forum, here is the link: »Road Runner (yea it is still Road Runner to us)

Just a final question to clear the topic, did you ever even try to use the RG as designed with your static IP package?
( It would have been up and running in 15 minutes...or less and allow you to continue to be an active member of this forum )

Dave

ralfwolf

join:2009-07-03
San Jose, CA

I got my uverse static IP internet installed and have spent the last several days trying to get everything working as I want. Finally gave up on the built in firewall. For inbound port blocking, it certainly has the main functional bits. The issue I had was the "advanced firewall" options seem to have an impact on performance when a single machine needs to open a bunch of outbound connections in a very short period of time. Also, it appears that with static IP configured, the firewall sees these hosts as "outside" hosts. This last part is only based on external observation because I have no idea what logic it's using to defend against portscans.

Then as a residential gateway, it seems to have the basic features. What I don't like is that it's got all of these "advanced" firewall features that are not clearly defined. I understand the words and I know how I might implement such protection but there is nothing to tell me what this device does to detect these threats. If I don't know exactly how it protects, then how do I know if it's sufficient in my mind or if it does something I don't want it to do? What exactly does checking "excessive sessions" do? What the heck is "miscellaneous"? There are also a number of features that are obviously missing. Is there stateful packet inspection? Is there deep packet inspection? Can it run snort? Can I control what actions it takes depending on what events it sees? Can I set a connection rate limit, which is key to defending against DDoS attacks? Can I set policy based on full 5-tuple (i.e. both source and destination IP/port/protocol) combinations? These are ALL firewall functions that I can easily configure with a linux box.

Now let's move on to the IP routing features. First let me say that this box should first and foremost be a router. To dismiss basic gaps in routing capability by saying, "we are talking about firewall features" is a cop out. Firewalls I can build but I'm stuck with this thing as a router. Plus, from what I've seen, even if I've configured my linux box with dhcp and assigned it a public IP on the 2wire, it's STILL doing NAT. I see the nat translation entries for every connection in one of the mdc screens and it's tracking the connection (with associated overhead) even though it's not doing any translation. Also, I've put this box in the DMZ and it gave me a web redirect this morning to a page that says my box is sourcing/receiving lots of sessions (aka connections). Duh, I had my bittorrent client up so of course. My question is, if I'm in the DMZ, why is this thing still doing anything with my traffic other than passing it from one end to the other?

All of this said, I got it to work within my requirements mainly by bypassing as much of the "firewall" as I can. The issue now is that even in the DMZ this box seems to be watching and acting on my traffic. So far that has not gotten in the way other than that annoying redirection. At least not in an obvious way. I do feel like something is impeding my outbound connections if I try to open them up too fast. As I said earlier, it almost seems like it sees my inside server as an outside box and is applying some attempt at preventing syn floods. The other strange thing is that it looks like the 2wire box is eating/blocking the final ack to the fin-ack of some connections. I've actually seen this issue in the product my company produces where we closed down the session state very quickly after it sees the fin-ack but before it sees the final ack. In tech speak, fin-wait2 is too short.

For background, I've been working in networking as an engineer (Cisco, NT/Baynetworks/Synoptics, 3com just to name a few) for the last 15+ years and have spent the last 5 working specifically in network security. I know exactly what portscans are, including all the different types of portscans, and personally designed our portscan feature here which even detects extremely slow scans (1 every 5 min in the case of nmap's -T0 option). I say all this to explain that I am 100% certain what the limits of my knowledge in this area are, and I don't see how anyone can seriously make the claim that the 2wire 3800 can do even a fraction of what you can do with a linux box.

This is just my opinion and only based on my experiences, so take it for what you paid for it.

dave006

join:1999-12-26
Boca Raton, FL
·AT&T U-Verse

Let's start slowly since you are new to the site. U-Verse and U-Verse Business are mass market offerings for home and small business use; if you need an Enterprise offering / solution you should consider a solution with a SLA.

Price a Fractional T1, T1/DS3 or maybe an OC12 bundle. Oh and the price will be much higher and if you have to ask then you can't afford it or don't have a clue.

If you have a static block of IPs, then the RG creates a "software/firmware" based route to the "Public" IP segment and yes those devices are in a different "Public" network. You might get the clue since they have a different network address and a different network mask. Even when you have the static block route active, each device on that segment is by default protected by the SPI Firewall in the RG.

So in your case, when your machine opens all of those outbound connects it looks very much like a virus/worm/trojan infection, oops. Now you know what checking "excessive sessions" does.
Excessive Session Detection. When enabled, the firewall will detect applications on the local network that are creating excessive sessions out to the Internet. This activity is likely due to a virus or "worm" infected computer. When the event is detected, the gateway displays a HURL warning page.
Now back to the basic features. Again, you seem confused by the Firewall features for a network security expert. The DMZplus mode allows all incoming traffic. While in DMZplus mode, the computer is still protected against numerous broadband attacks (for example, SYN Flood or Invalid TCP flag attacks). The DMZplus mode is not a physical DMZ since it shares the IP of the RG and the RG has to strip off traffic for other ports that are mapped for other machines on your private segment.

The DMZplus machine only gets what is not already filtered / directed, so the RG has to look at the traffic and yes that means overhead. Again, not sure what you are expecting from a software based DMZ. If you need a physical DMZ you might consider a "Hosted" solution, and I doubt that your linux based firewall will last more than 30 minutes with or without Snort or any other "open source" bell or whistle.

We already covered that the RG has a SPI Firewall several posts above, in this thread and no it does not run "Snort" but if you think you really need a NIDS, you might have bigger problems as the NSA is already reading your traffic.

I think you meant FIN_WAIT_2 and FIN_WAIT_2 happens when your remote peer shuts down its sending half of the connection, and your program doesn't respond. Time to load your TCP stack debugger.

For background, I have only been working with networking for 30+ years and my company has one of the first 10 "Class A" IP networks in the world. You might want to look up the word MAE IEP on the "interweb" because, I have been there and done that...

For the record, I never claimed that the RG was magic or perfect but you and another poster seem fixed on a selective mis-quote to argue about something that you can't change as long as you are on U-Verse, "the ability to use the 2Wire RG as a Bridge only device". My statement was directed at the specific claims that "satnone" was making about their "linux" firewall that did magic: quote: "IP aliases and I use 1:1 NAT to give public IPs to my specific servers"... not a firewall function...

I think you might consider your own advice:
That said, I think the only choice here is to work with what we've got or move on to another ISP. Currently, nobody is providing the speeds uverse promises so I'm stuck.


Dave
Wednesday, 09-Dec 08:34:39
© 1999-2009 dslreports.com.