U-Verse Static IP's: Not Working, Can't figure out problem in AT&T U-verse

U-Verse Static IP's: Not Working, Can't figure out problem in AT&T U-verse http://www.dslreports.com/forum/r22421681 en Sat, 05 Dec 2009 22:10:12 EDT Sat, 05 Dec 2009 22:10:12 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,23250596 bclbob : I do need to get back to that lol]]> http://www.dslreports.com/forum/remark,23250596 Tue, 27 Oct 2009 18:33:49 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,23246437 jmatthi : Why can't someone just hack the thing and so we can put it out of our(it's) misery. :p]]> http://www.dslreports.com/forum/remark,23246437 Mon, 26 Oct 2009 23:33:49 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,23246429 gdm : No you can't use the 2700 that's for a ADSL circuit not VDSL which is what U-Verse is. The 3800 is the only modem that can currently be used with U-Verse.]]> http://www.dslreports.com/forum/remark,23246429 Mon, 26 Oct 2009 23:32:06 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,23246419 jmatthi : Can you use a 2700 2wire device with Uverse? If so, you could get the bridging option needed since it is in there and active.

Ebay has quite a few that could be purchased. :D

I just got Uverse with 5 Statics and I am guessing I will need 5 routers (one for each IP available) to route over to my firewall to get it working with my network like it used to with DSL.

I tried IP aliases and that doesn't seem to be working. Is there any other options that I have missed besides VMWare?

Thanks]]> http://www.dslreports.com/forum/remark,23246419 Mon, 26 Oct 2009 23:29:46 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22830132 anon :

said by Robert75 :

Oh boy am i glad I found this thread. I did order uverse bus a week ago for a project I have in Dallas and I was going to buy a new Zyxel VDSL2 modem for the project next week.

Now that I know that I can't bring my own vdsl2 modem and the 2wire gateway can't be bridged and made dumb i will have to call at&t and cancel the installation.

This thread saved me time and travel expenses since our main office is in Harlingen, TX

Yeah, very unfortunate that such a very basic common feature was taken out and/or disabled for U-Verse. All the standard 2wire devices that you get directly from 2wire has this? What gives?]]> http://www.dslreports.com/forum/remark,22830132 Fri, 07 Aug 2009 10:00:18 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22829321 anon : Oh boy am i glad I found this thread. I did order uverse bus a week ago for a project I have in Dallas and I was going to buy a new Zyxel VDSL2 modem for the project next week.

Now that I know that I can't bring my own vdsl2 modem and the 2wire gateway can't be bridged and made dumb i will have to call at&t and cancel the installation.

This thread saved me time and travel expenses since our main office is in Harlingen, TX]]> http://www.dslreports.com/forum/remark,22829321 Fri, 07 Aug 2009 04:22:56 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22829014 mythulto : Except for the squabbling, this was a very useful thread. I was all psyched today when ATT installed U-verse TV and internet. But it looks like tomorrow I will have to cancel the internet portion. I spent about 30 minutes tinkering with the 2Wire before checking this forum and finding this post. Looks like you guys saved me many hours of grief. The inability to act as a simple bridge is a real shame.

Fortunately, my Comcast account is still working great. The Comcast business account with 5 static IP's, running on their bridged modem, coupled with my SonicWall router/firewall does everything I need flawlessly.]]> http://www.dslreports.com/forum/remark,22829014 Fri, 07 Aug 2009 00:41:55 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22785144 bclbob : Once they figure out they don't need to charge for a truck roll, I might try out the static IP service to see whats going on it with. DMZplus is useless, because its still filtering and it loses the mapping once in a while.

But to spend $99 on a truck roll is ridiculous.]]> http://www.dslreports.com/forum/remark,22785144 Wed, 29 Jul 2009 16:37:05 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22783974 satnone : HWL and jnessen,

You guys absolutely will not be able to do what you want to do. I had to cancel my service because of this and go with Time Warner who I gotta say so far has been great as long as its business class and NOT residential service. They will give you a cable modem/router which does those 2 things and only those 2 things, like any other normal business class internet service (an unfiltered untouched pipe to the internet).]]> http://www.dslreports.com/forum/remark,22783974 Wed, 29 Jul 2009 13:02:53 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22782214 anon :

said by jnessen

:

I think from what I read above, I can not use a router behind the RG using static IP's... Is this right?

Since I do not have the need for additional static ips, I can not post my personal experience about this. I do not think you can pass the ips to a specific device behind the RG to handle the ips. Basically, if your going to be using your own router, I have heard it is VERY tricky, and you need to follow a very specific set of instructions, and it still isn't setup properly, but works.

Again, someone that has had to personally deal with multiple static ips and their own routers could probably answer better.

said by jnessen

:

My current set up uses two separate routers post DSL modem on two static IP's. One I need for QoS (SIP traffic) and one is for T-Mobile @Home service (this one requires their "special" router with a sim card in it). My home was to assign a static to each one of these and turn off all firewall rules to/from them, and let them handle the NAT for my internal networks. Is this a possibility? From reading above, it sounded like I could do it, then in the last few posts it sounds like I can't. My service is being installed next Tuesday, and my existing DSL is being ripped out this Friday :(

Any help to get to the bottom of this before I am DSL-less would be appreciated.

Unfortunately, the 2WIRE RG does not have a 'bridge mode', you can only dmz+ (which forwards all ports) to a single specific device to handle. Their are some options to disable certain firewall features, and you can grab a public ip this way, however, the 2Wire is still acting as a proxy between your traffic, and processing it, which results in a double NAT condition. There does not seem to be a way to have the 2wire "just stay out of the way" at this point. The feature has been 'locked out', 'removed', 'disabled', for whatever reason.

Again with the multiple IP assignment, someone else will have to comment. The UVerse RG makes things pretty messy, and really breaks the way of proper routing when it comes to custom setups behind it.]]> http://www.dslreports.com/forum/remark,22782214 Wed, 29 Jul 2009 04:18:03 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22782153 jnessen : I think from what I read above, I can not use a router behind the RG using static IP's... Is this right?

My current set up uses two separate routers post DSL modem on two static IP's. One I need for QoS (SIP traffic) and one is for T-Mobile @Home service (this one requires their "special" router with a sim card in it). My home was to assign a static to each one of these and turn off all firewall rules to/from them, and let them handle the NAT for my internal networks. Is this a possibility? From reading above, it sounded like I could do it, then in the last few posts it sounds like I can't. My service is being installed next Tuesday, and my existing DSL is being ripped out this Friday :(

Any help to get to the bottom of this before I am DSL-less would be appreciated.]]> http://www.dslreports.com/forum/remark,22782153 Wed, 29 Jul 2009 02:49:14 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22770656 anon : Also with that said, I am overall happy with the stability and consistency of the service. I think there are just some minor issues that need to be taken care of, that is really holding UVerse back. Other providers I have used usually have a few major issues that seem to be never taken care of properly, with UVerse, I just see several minor issues, but they still need to be taken care of. Its new technology, learning experience for everyone, weeding out bugs, etc.., but it gets to a point, come on, you keep wanting to sell sell sell, but the flaws are there, not being fixed.]]> http://www.dslreports.com/forum/remark,22770656 Mon, 27 Jul 2009 00:32:31 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22770649 anon :

said by dave006

:

Just for the record, you do understand that U-Verse was designed to deliver IPTV, the triple play was just a benefit of the pipe

Note: Most of the complaints here are related to the requirement to use the RG. Some customers just want a bridged device and to run their own router. This option is not available with either U-Verse options. If you want to run your own router then you will have to choose the DMZplus option and then the Static IPs become much more complex to manage.

For me, and I THINK most others, this is the biggest complaint. If it is really meant for JUST IPTV, and the other 'fluff' broadband, phone etc.. is just secondary, then they need to stop offering internet only service, and business service internet, that is truly so restricted and limited... If they are going to continue offering it, they really need to get out of lock-down mode, and allow these internet customers some of the basic featuers every basic small router/modem/gateway can do. As noted before, all the other 2Wire Att devices (for basic DSL) can do these features without the problem, why is ATT locking down this RG so much, and forcing everything to go through it, no matter what the options. It is, in the end, VERY limited, and VERY difficult to work with, if you want anything more than just a single ip with a pipe for a few computers to the internet. There are issues that need to be worked out.

My personally documented issues (not rants) that I have been able to repeat easily:
1. We all know the DNS issue, I guess the simple fix would be just assign the DNS servers to each system, instead of forcing them through the RG. Maybe there is some limitation with the STBs (TV Custs) though that requires this.
2. Wireless, while I am overall impressed with the wireless range, there is a glitch regarding 2.4Ghz phones. Even if you have NO wireless devices connected, a 2.4Ghz phone can easily cause interference with your broadband service, causing 'glitches' and timeouts. Why is this interference being passed through to your connection?
3. The RG will bog, and bog hard, under more heavy load, and a lot of connections. Rarely causing total failure, but certainly must slow responses for doing anything that has to go through it.
4. Basically to sum up, I think that maybe the fault comes down the the RG hardware. Maybe it doesn't have the power to handle everything they are trying to get it to do. They really need to look at allowing some offloading, and not forcing EVERYTHING to be processed by the RG. Does anyone have the technically specs for the device? I have not been able to find them. Maybe its a firmware compatibility issue with the RG? Something needs to be done though regardless, 2years, with the same issues, that all point to the RG (even after replacements), that are very reproducible (even at another location with a uverse cust.) and nothing has been done. What gives ATT?]]> http://www.dslreports.com/forum/remark,22770649 Mon, 27 Jul 2009 00:32:23 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22769797 dave006 : 1. Short answer is Yes. The major differences between U-Verse and U-Verse Small Business is that Small Business is High Speed Internet (HSI) with no option for IPTV and the pricing options are different.

2. Static IPs are available on both options. You will get a minimum of a standalone subnet of 8 IP addresses with 5 Static IPs that can be assigned to your hosts behind the RG. The DMZplus option is different from having a public segment with static IPs. Yes, you can use a combination of NAT, DMZplus and a Public IP segment all at the same time.

The RG by default does provide some additional Advanced Firewall protection for your Public Static IP segment. You have the option disable all "Firewall" protection. Very easy to do via the Web UI.

You also have the option to have some hosts on the Pubic Segment with static IPs and some other hosts on a private segment if you choose.

I would suggest that if you have further questions, that you consider starting a new thread that is specific to your set of questions.

Note: Most of the complaints here are related to the requirement to use the RG. Some customers just want a bridged device and to run their own router. This option is not available with either U-Verse options. If you want to run your own router then you will have to choose the DMZplus option and then the Static IPs become much more complex to manage.

Dave]]> http://www.dslreports.com/forum/remark,22769797 Sun, 26 Jul 2009 20:28:21 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22769063 HWL : Hi all...
I just ordered UVerse Small Biz and after reading this post I have many questions.

1. Is UVerse residential available with (5) statics? Can it run a server/mail farm?

2. More importantly, I now have 5 IPs (from my present ISP) that are "out there", no FW...thats what I want - 5 IPs open to the WAN. Is that what I am going to get from UVerse or do I get one DMZ and 4 behind a firewall? This post has confused me...probably unnecessarily.

Thank you.]]> http://www.dslreports.com/forum/remark,22769063 Sun, 26 Jul 2009 17:09:12 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22742751 dave006 : Hey, thanks for the rant. You did not mention who you were selecting when you make that 8 AM call to cancel U-Verse. Please make sure you post another rant when you have your new TV provider.... :huh:

Just for the record, you do understand that U-Verse was designed to deliver IPTV, the triple play was just a benefit of the pipe. The AT&T U-verse system will continue to evolve and the iNID solution will bring yet another generation of service options and even more rants from the anon posters or posers.

You also might want to read the TOS of your new TV provider to make sure that they don't sell your viewing demo data since Dish, DIRECTV, TiVo and all Cable providers provide this data. Oops.

Just for the brave "anon" user, I don't work for AT&T and I never have worked directly for AT&T. My company has a long history of working with and competing against AT&T in the Global IT / Telecom marketplace.

I think I will agree with the following post as this thread may have descended into the darkness....

said by apeface

:

epeen wagging FTL...

Dave ]]> http://www.dslreports.com/forum/remark,22742751 Tue, 21 Jul 2009 12:39:45 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22742618 dave006 :

said by ralfwolf

:

Thanks. That helps.

The strange thing is, when I was trying to use the RG firewall, I turned *off* Miscellaneous and the RG stopped return traffic from the outside. I used tcpdump on an inside host and on an outside server and found that the syn got from my inside host to the outside server and the server sent a syn-ack but the syn-ack never got to my inside client. I also saw alerts on the RG saying it had detected packets for an unknown session. That led me to conclude that Miscellaneous actually does something more than just blocking bad stuff but it sets up some basic state that maybe other firewall features required. It seemed very counter intuitive that turning off a firewall feature would cause traffic to be blocked.

Oops, it looks like your conclusion might be wrong. If you turned "off" the Miscellaneous setting in the 2Wire Firewall - Advanced Settings while you have an active connection to a mapped connection you should expect to restart your client connection to your outside host.

Once you remove the Miscellaneous Setting Check-box setting you "Submit" the settings and in the case of active mapped sessions you will need to restart your session(s).

My 2Wire Firewall configuration has the "Excessive Session Detection" and the "Miscellaneous" options deselected and all my applications work just fine.

You might try clearing the Invalid TCP Flag Attacks (NULL/XMAS/Other) option and see if your SYN_ACK (SYN/ACK or SYN-ACK, since you like to complain about case selection used in a web forum) make the trip through the 2Wire Firewall Gauntlet :D

Again, once you submit your Firewall Settings, the 2Wire will reset the SPI Firewall state so any active TCP connections may be impacted. You should restart any client / server connection since that active session port/host mapping may have been impacted by your tweaking of the Firewall settings.

I think in your specific case you might just turn off all of the 2Wire Firewall Advanced Settings and then retry your tests to your remote server and see what pops up in your tcpdump.

This way you can't blame the 2Wire Firewall feature for breaking your TCP 3-way handshake. :D

Dave]]> http://www.dslreports.com/forum/remark,22742618 Tue, 21 Jul 2009 12:19:05 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22741175 anon : I love your guys above posts, because they are the 100%truth. It's all about "control". And the U-Verse firewall software limits the customer to just that. What the techs forget, is that WE are paying AT&T to provide a service to the RG only. But it goes beyond that. You have to manipulate all your equipment to get it to work. You will NEVER see the RG have a bridge mode. That's where they lose control. They want you to use their equipement, which they could remote in without you knowing at any time. But with your own firewall running that could not be possible. They don't like that. I am not sure why they are doing this, possibly taking in revenue to see what TV channels you are watching, or monitoring your system. Who knows. I see in the future AT&T raising a fee for internal usage. U-Verse is a great TV system and it's great for the simple web customer who wants to browse the web. Go beyond that and the simple is out of the picture. There is more to this U-Verse than meets the eye.. I would love to see what information they gather from our RG's. Tech's on this forum don't seriously understand there are alot of very smart people on this site, ex.., the writers up above. These people can out match and gun any tier 2 tech working for AT&T. Just because they are not employed by AT&T doesn't mean they don't know what they are talking about. They are extremely smart. The techs always come back to the "Did you try and use the 2Wire full capability?" Yes they have, and they know what the truth is. Ya this a rant or whatever you want to call it, but it should be known to future people who are thinking about signing up to U-Verse. The sales people tell you whatever you want to hear to get the sale. I am going to be making that call at 8am this morning also to cancel my U-Verse. I always remember Walter C talking on the black and white TV signing off saying...... Thats the way it is...Goodnight... ]]> http://www.dslreports.com/forum/remark,22741175 Tue, 21 Jul 2009 06:41:00 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22729099 ralfwolf : Thanks. That helps.

The strange thing is, when I was trying to use the RG firewall, I turned *off* Miscellaneous and the RG stopped return traffic from the outside. I used tcpdump on an inside host and on an outside server and found that the syn got from my inside host to the outside server and the server sent a syn-ack but the syn-ack never got to my inside client. I also saw alerts on the RG saying it had detected packets for an unknown session. That led me to conclude that Miscellaneous actually does something more than just blocking bad stuff but it sets up some basic state that maybe other firewall features required. It seemed very counter intuitive that turning off a firewall feature would cause traffic to be blocked.]]> http://www.dslreports.com/forum/remark,22729099 Sat, 18 Jul 2009 12:25:19 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22710208 anon : After skimming through the guide, it looks like quite a bit of the options people are looking for have been purposely removed or disabled (either by 2wire or uverse) for use with the UVerse system. I mean, the 2wire I got from ATT for their dsl services even has all these features. Not sure why they are not available with the UVerse RG.]]> http://www.dslreports.com/forum/remark,22710208 Wed, 15 Jul 2009 06:56:30 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22710202 anon : Did some research.

Miscellaneous The firewall checks for the following:
Unknown IP protocol — drop packet.
Port 0 attack detected — drop packet.
TCP SYN packet — drop packet.
Not a start session packet — drop packet.
ICMP destination unreachable — terminate session.

From Model 2700: »www.2wire.com/pages/driversanddo···hp?did=5
Check out this link some 2wire: »www.2wire.com/pages/pdfs/5100-00···ev.A.pdf

Couldn't find a manual for this specific RG, though the 2700 is virtually the same. A lot more detailed explanation of things going on in the RG with that manual. I am actually impressed with the descriptions. I guess 2wire can do *SOMETHING* right.. heh]]> http://www.dslreports.com/forum/remark,22710202 Wed, 15 Jul 2009 06:56:17 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22700863 apeface : epeen wagging FTL...]]> http://www.dslreports.com/forum/remark,22700863 Mon, 13 Jul 2009 15:26:18 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22700560 ralfwolf : I'll keep this brief and to the point.

1. "I am sure you are typing and not speaking.."
I chose my words very specifically to convey a tone. Obviously the subtlety was lost on you.

2. "the magic of the 2Wire"
The only magic in the 2wire box is just like any other magician. It depends on obfuscation.

3. "Again for the record, the 2Wire does not provide a true DMZ"
Ok, agreed. That's what I meant when I said that I wish the 2wire would just get out of my way.

4. "You brought up the DMZ and the issue you had with not understanding why the "redirect" page was displayed for your "box" running a bittorrent client."
Oh I understand completely what it was doing. I simply didn't understand why it was doing it. Offering a DMZ that doesn't turn off firewall protections unless I turn them off globally is useless. That says the only thing DMZplus does is open holes for all ports. In every other RG and enterprise router I've ever used, DMZ (either physical or logical) means other hosts get protected while hosts in the DMZ don't.

5. "By now you might have guessed that us old timers like to joke about the "interweb" term since we invented it to describe individuals like you."
Call me a noob all you want but I know where I've been and what I've done. I was active in most of the unix usenet groups prior to any web forums even existed.

6. "It goes much farther back to the old days of ARPANET. My first network connection was a 115 BAUD half duplex acoustical modem.."
Quite aware of internet history already but thanks for the wikipedia recap. I will give you that my first modem was a 300 baud. Not acoustic but it was pre "AT" command so had to dial manually. So if you did indeed have a 115baud modem, I bow to your greater experience.

7. "...Al Gore "invented the Internet""
Hehe. I was just about to compare you to Al Gore for claiming to invent the internet. Here at least we appear to have common ground. I always wished I could borrow his PR person for a day and take credit for the wheel or some such.

8. "... I guess I would have only be 10 at the time, so thanks for the compliment."
I never mentioned your age. Guilty conscience or just being defensive.

9. "Just for the record "linux" is not a real Unix system"
I never said it was. I don't believe anyone mentioned UNIX in this thread prior to yours. Sorry, you should have read more closely when you looked this one up. UNIX (as it's properly capitalized) is an OS specification which resulted in an implementation by Bell Labs and AT&T. There is nothing magic or special in being declared a UNIX OS other than paying to be certified and paying to license the name. Linux as a completely open source OS did not get certified or pay for the name. Nor did the creators of Linux want to take any proprietary code from the orginal BSD or AT&T code since it wanted to stay clear of any additional license issues. Having administered SunOS/Solaris, HP-UX, AIX, and Ultrix networks, I've worked with BSD as well as SVR4 based systems and all of them are different even though they are all UNIX variants. Linux adheres more closely to BSD UNIX historically but technically, "Linux" is just a kernel, a C compiler, and a set of basic tools. Oh, one last point. BSD only exists today in several open source flavors which guess what... can't be called UNIX because they are not certified or licensed.

10. "Unix Like" toy
This is one of my favorite. This "toy" is being used at hundreds if not thousands of enterprises. Ebay/Paypal, oh and Google, oh yeah, Cisco too.. just to name a few. Maybe you've heard of some of these. So, I will go back to playing with my "toy" but I have yet to hear from an "elder" on this thread worth listening to.

Now, in all of that, you've still avoided my main question which is how someone who supposedly has 30+ years of networking experience can make the bold statement that the 2wire RG (or any RG) can do everything a Linux machine running as a firewall can do. To me that statement is flatly inconsistent with your experience. Also, if you do indeed want to help the rest of us understand what the 2wire RG is doing, please explain what the "Miscellaneous" option in the firewall does exactly. I asked these questions in my second post on this thread and have yet to get an answer to either.]]> http://www.dslreports.com/forum/remark,22700560 Mon, 13 Jul 2009 14:49:48 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22697413 dave006 : Wow, this is fun. First let me correct your very first sentence. I could be wrong but based on my 50+ years, last time I checked, yep, I am sure you are typing and not speaking, that is unless you are using one of those new interweb apps.

I am glald you get your static block working now let's help others understand the magic of the 2Wire. I will address your personal attack later... here we try to stay on topic.

Again for the record, the 2Wire does not provide a true DMZ (no residential router does this since by definition a true DMZ is outside your "Edge of Network" ingress point, and that fact is clearly identified on the the 2Wire's Firewall Settings page.

I explained the DMZplus function since you mentioned that you had your "box" in the DMZ and were just running your bittorrent client and you did not seem to understand that the SPI was still protecting your "box" against the evil interweb. You brought up the DMZ and the issue you had with not understanding why the "redirect" page was displayed for your "box" running a bittorrent client. Again if you don't want the "Advanced Features", just turn them off or ask how they work. I would be happy to explain each setting since I can read and write while not talking on the interweb.

The 2Wire does by default provide protection to all clients, even the "DMZplus-enabled computer". The DMZplus works just as I explained. All inbound traffic is delivered to the client in the "DMZplus" mode but first any traffic that is mapped for other machines based on the pinholes opened in the 2Wire Firewall Settings Page. So if you don't want to know how the DMZplus mode works don't ask why you got the HURL redirect. Again, you mentioned "DMZ" first. I just answered your question.

DMZplus Summary: All inbound traffic, except traffic which has been specifically assigned to another computer using the “Allow individual applications” feature, will automatically be directed to this computer but still protected by the SPI firewall

The public routeable static block is not part of the DMZplus feature. So any of your 'boxes" in the public routeable static segment are not in or part of the DMZplus. But again they are still by default protected by the 2Wire's SPI Firewall (Layer 4, since you want to get technical). If you don't like the Firewall features of the SPI Firewall, you can just "Uncheck" all of those boxes that are confusing you with those "firewall" terms. and you will be wide open to the interweb.

By now you might have guessed that us old timers like to joke about the "interweb" term since we invented it to describe individuals like you. Quote: The term interweb originated as a response to the influx of inexperienced users to the Internet's forums and chat rooms. Whereas the Internet had previously been the exclusive domain of the tech-savvy, it was now attracting millions of newcomers (noobs) who were now participating in it, often with poor netiquette (that would again be YOU) :o

Try a little searching in the interweb an you will see some of the many projects that I have been involved in since the early days of networking and the internet. BTW, it did not start in 1993 at CERN. It goes much farther back to the old days of ARPANET. My first network connection was a 115 BAUD half duplex acoustical modem on a private circuit in a litte office in DC that lead to the development of the MAE East IEP in McLean VA. We were building the moden backbone for the internet long before Al Gore "invented the Internet".

As I side note, I have only been a registered user since since 1999 but based on your personal attack, I guess I would have only be 10 at the time, so thanks for the compliment.

Just for the record "linux" is not a real Unix system. You might notice that I keep references it in "quotes' it is "Unix Like" toy, so maybe you should stop playing with toys and listen to your elders. That's why I find it funny everytime someone of your age group claims that a linux box can be a realy routher / firewall. Oh, just for the record I wrote about 10,000 lines of code as part of the port of Berkly Unix to the Mainframe (UTS) world in the early 80s. But I guess that means I don't know as much as you. Just a quick reminder BSD and all the other versions of 'nix are based on the original work done by a little company called "AT&T Bell Laboratories"

Since it looks like you are in San Jose, you might want to swing by 2Wire and help them fix their designs to include your great ideas or at least listen to your rants.

Dave]]> http://www.dslreports.com/forum/remark,22697413 Mon, 13 Jul 2009 01:11:45 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22696392 ralfwolf : Let me speak slowly since you seem to have problems following. I don't have a problem with the uverse service. I have everything I need setup and working. Is it perfect? No but I don't expect perfection from a residential service. Not a problem for me. In fact, I actually did my research before I got my service installed and came up with several solutions to many of the problems others have had with the 2wire box such as the requirement for 1 to 1 mapping of IP to mac. I don't expect nor want AT&T to provide enterprise level service nor do I need or want an SLA (although basic SLA requirements are established especially for the voice service regardless). I'd just like the RG that's provided to get out of my way if I want to implement my on security.

My post was aimed at your comment that a Linux firewall solution does nothing that can't be done with a 2wire RG. Sorry, I don't buy that someone with 30+ years (sorry 20 years would have been a more believable number in any case) can even consider make this statement for one second. Regardless, you still didn't address the specific examples I gave of clear firewall functions that any Linux (or BSD or Solaris) machines can perform and how 2wire or any RG can. Again, that's not to say I'd expect any RG to compete here but you made a statement that begs to be corrected. And who cares if your company has one of the first class A networks. My first 3 companies all had class A's as well as a number of additional class B's. Oh.. sorry, I simply can't take anyone who uses the word interweb seriously. :p

Regarding DMZplus... DMZ is by definition an unsecured zone where the firewall provides no protections. I guess the "plus" part means it's not really a DMZ. If the 2wire provided a true DMZ, I'd have no problem with that. Also, your statement that the RG has to "strip off traffic for other ports" is ridiculous since with statics, I've assigned an external IP to my internal box and that IP is not used by the RG for any ports/services I might have punched for other natpool machines. Natpool machines go out with and have ports forwarded from the dynamic IP that the RG gets at startup which is completely outside my static subnet. I have no confusion here but apparently you do.

BTW, I know how much T1 costs. I managed my company's T1 for some years before we decided to go metro ethernet. I honestly don't see what point you're trying to make here since nobody in their right mind would buy a T1 for home use even if they are running a business. More cost effective to get a colo rack at that point. Let me repeat again. I'm fine with residential service and don't expect anything from the ISP but to provide the connection. What your static IP customers are complaining about, and what you appear to have trouble accepting or understanding, is that the 2wire RG is not ideal for static IP needs. It neither provides the functions that most static IP customers are looking for nor does it allow you to bypass it's built in firewall. I posted a suggestion above that addresses at least one of the common issues in an attempt to help others resolve their problems. What have you done other than to tell everyone that they don't know what they're doing and that the RG will do everything they need?

Oh, one last thing... I have a packet capture where the server sends a FIN, my client machine ACKs the server's FIN and send a FIN it self. At that point I never see the ack from the server. I never said it was my machine stuck in FIN_WAIT_2 (underscore added for your benefit). I simply theorized that if the RG tracks tcp state, as it most certainly does given that it adds a nat translation entry even when no translation is required, that the RG itself has a FIN_WAIT/FIN_WAIT_2 timer that removes the session prematurely. Alternately, the RG might be removing the NAT entry on the second FIN-ACK and not waiting for final ACK. Either way, I occasionally get tcp connections that hang on close which I never had before.

Now for the rest of you actually trying to get things working.. Not sure if this has been discussed before but I found the /mdc page extremely helpful in discovering what the RG is actually doing. Including it's nat translation table. You can also change the nat table timeouts here which usually have defaults that are much too high for my taste. Also check out the Even Log to help understand why some connections get blocked.]]> http://www.dslreports.com/forum/remark,22696392 Sun, 12 Jul 2009 20:04:08 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22695567 anon : Good post dave006, I do not post often, but definitely a lot of "mis-terminology" here. I think most people kinda know what people are getting at in general though, and are correct, in the 2Wire lack of configuration and custom routing solutions. Another thing that stood out, was linux not handling routing? Which a linux based o/s would definitely not be my first choice by any means (*BSD is vastly superior in this department), I think it would be a fine choice for a home setup, if configured properly. I will agree though, again, with larger demand, and a more business enterprise setup, it is not the best solution, and a more powerful *BSD box would be required.]]> http://www.dslreports.com/forum/remark,22695567 Sun, 12 Jul 2009 16:25:29 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22693249 dave006 : Lets start slowly since you are new to the site. U-Verse and U-Verse Business are mass market offerings for home and small business use, if you need an Enterprise offering / solution you should consider a solution with a SLA.

Price a Fractional T1, T1/DS3 or maybe an OC12 bundle. Oh and the price will be much higher and if you have to ask then you can't afford it or don't have a clue. :)

If you have a static block of IPs, then the RG creates a "software/firmware" based route to the "Public" IP segment and yes those devices are in a different "Public" network. You might get the clue since they have a different network address and a different network mask. Even when you have the static block route active, each device on that segment is by default protected by the SPI Firewall in the RG.

So in your case, when your machine opens all of those outbound connects it looks very much like a virus/worm/trojan infection, oops. Now you know what checking "excessive sessions" does.

Excessive Session Detection. When enabled, the firewall will detect applications on the local network that are creating excessive sessions out to the Internet. This activity is likely due to a virus or “worm”
infected computer. When the event is detected, the gateway displays a HURL warning page.

Now back to the basic features. Again, you seem confused by the Firewall features for a network security expert. The DMZplus mode allows all incoming traffic. While in DMZplus mode, the computer is still protected against numerous broadband attacks (for example, SYN Flood or Invalid TCP flag attacks). The DMZplus mode is not a physical DMZ since it shares the IP of the RG and the RG has to strip off traffic for other ports that are mapped for other machines on your private segment.

The DMZplus machine only gets what is not already filtered / directed, so the RG has to look at the traffic and yes that means overhead. Again, not sure what you are expecting from a software based DMZ. If you need a physical DMZ you might consider a "Hosted" solution and I doubt that your linux based firewall will last more then 30 minutes with or without Snort or any other "open source" bell or whistle.

We already covered that the RG has a SPI Firewall several posts above, in this thread and no it does not run "Snort" but if you think you really need a NIDS, you might have bigger problems as the NSA is already reading your traffic. :D

I think you meant FIN_WAIT_2 and FIN_WAIT_2 happens when your remote peer shuts down its sending half of the connection, and your program doesn't respond. Time to load your TCP stack debugger. :(

For background, I have only been working with networking for 30+ years and my company has one of the first 10 "Class A" IP networks in the world. You might want to look up the word MAE IEP on the "interweb" because, I have been there and done that... :p

For the record, I never claimed that the RG was magic or perfect but you and another poster seem fixed on a selective mis-quote to argue about something that you can't change as long as you are on U-Verse, "the ability to use the 2Wire RG as a Bridge only device". My statement was directed at the specific claims that "satnone" was making about their "linux" firewall that did magic: quote: "IP aliases and I use 1:1 NAT to give public IPs to my specific servers"... not a firewall function... :uhh:

I think you might consider your own advice:

That said, I think the only choice here is to work with what we've got or move on to another ISP. Currently, nobody is providing the speeds uverse promises so I'm stuck.

:o

Dave]]> http://www.dslreports.com/forum/remark,22693249 Sat, 11 Jul 2009 23:11:36 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22689006 ralfwolf : I got my uverse static IP internet installed and have spent the last several days trying to get everything working as I want. Finally gave up on the built in firewall. For inbound port blocking, it certainly has the main functional bits. The issue I had was the "advanced firewall" options seems to have an impact on performance when a single machine needs to open a bunch of outbound connections in a very short period of time. Also, it appears that with static IP configured, the firewall sees these hosts as "outside" hosts. This last part is only based on external observation because I have no idea what logic it's using to defend against portscans.

The as a residential gateway, it seems to have the basic features. What I don't like is that it's got all of these "advanced" firewall features that are not clearly defined. I understand the words and I know how I might implement such protection but there is nothing to tell me what this device does to detect against these threats. If I don't know exactly how it protects, then how do I know if it's sufficient in my mind or if it does something I don't want it to do. What exactly does checking "excessive sessions" do? What the heck is "miscellaneous"? There are also a number of features that are obviously missing. Is there stateful packet inspection? Is there deep packet inspection? Can it run snort? Can I control what actions it takes depending on what events it sees? Can I set a connection rate limit which is key to defending DDoS attacks? Can I set policy based on full 5-tuple (i.e. both source and destination IP/port/protocol) combinations? These are ALL firewall functions that I can easily configure with a linux box.

Now let's move on to the IP routing features. First let me say that this box should first and foremost be a router. To dismiss basic gaps in routing capability by saying, "we are talking about firewall features" is a cop out. Firewalls I can build but I'm stuck with this thing as a router. Plus, from what I've seen, even if I've configured my linux box with dhcp and assigned it an public IP on 2wire, it's STILL doing NAT. I see the nat translation entries for every connection in one of the mdc screens and it's tracking the connection (with associated overhead) even though it's not doing any translation. Also, I've put this box in the DMZ and it gave me a web redirect this morning to a page that says my box is sourcing/receiving lots of sessions (aka connections). Duh, I had my bittorrent client up so of course. My question is, if I'm in the DMZ, why is this thing still doing anything with my traffic other than passing it from one end to the other.

All of this said, I got it to work within my requirements mainly by bypassing as much of the "firewall" as I can. The issue now is that even in the DMZ this box seems to be watching and acting on my traffic. So far that has not gotten in the way other than that annoying redirection. At least not in an obvious way. I do feel like something is impeding my outbound connections if I try to open them up too fast. As I said earlier, it almost seems like it sees my inside server as an outside box and is applying some attempt a preventing syn floods. The other strange thing is that it looks like the 2wire box is eating/blocking the final ack to the fin-ack of some connections. I've actually seen this issue in the product my company produces where we closed down the session state very quickly after it sees the fin-ack but before it sees the final ack. In tech speak fin-wait2 is too short.

For background, I've been working in networking as an engineer (Cisco, NT/Baynetworks/Synoptics, 3com just to name a few) for the last 15+ years and have spent the last 5 working specifically in network security. I know exactly what portscans are including all the different types of portscans and personally designed our portscan feature here which even detects extreme slow scans (1 every 5 min in the case of nmap's -T0 option). I say all this to explain that I am 100% certain what the limits of my knowledge in this area is and I don't see how anyone can seriously make the claim that the 2wire 3800 can do even a fraction of what you can do with a linux box.

This is just my option and only based on my experiences so take it for what you paid for it.]]> http://www.dslreports.com/forum/remark,22689006 Fri, 10 Jul 2009 21:12:31 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22683222 dave006 :

said by satnone

said by dave006

:

Your Linux firewall does nothing that can't be done with the existing 2Wre.

I can see you are quite excited about these 2wires, but to say that is laughable.

Not really excited but I still have not heard what your magic Linux "Firewall" box can do. I was not laughing as you continuted to rant about something after it was clearly explained that you can't just bridge the RG or in your FTTP area, a transparent router to allow you to bridge your static IP segment as you stated in your first post:

"an ethernet port to the internet that I can use any of my static IPs on"

Just to keep the noise down from the other "rant" team members, we are talking about "Firewall" features / functions not custom routing capabilities as you selectivly quoted my previous post. You keep calling it a Linux Firewall, not a Linux Router. You have every reason to complain if you thought you were getting just a dumb data pipe with U-Verse Business but now you know the restrictions. :)

You are welcome to swing by the TW forum, here is the link: »Road Runner (yea it is still Road Runner to us) :D

Just a final question to clear the topic, did you ever even try to use the RG as designed with your static IP package?
( It would have been up and running in 15 minutes...or less and allow you to continue to be an active member of this forum )

Dave]]> http://www.dslreports.com/forum/remark,22683222 Thu, 09 Jul 2009 22:27:55 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22683175 anon :

said by real_goose

:

The major missing features for me are no way to specify use of OpenDNS for the network, no DynDNS client, and no QOS. Please tell me how to accomplish any of these on 2WIRE RG.

You know what is funny? The 2wire device ATT users for their adsl, you can do ALL of this.... Infact, im using my old dsl modem as a WAP behind my pfsense box, and disabled the RG wireless AP, which also solved issues relating to internet issues with phones ringing, which means that even if your devices are wired, if a cordless device happens to interfere with the same frequencies as this 2wire RG, it will still interfere and cause some disruption with your connection... very easy to reproduce.. it cracks me up.. one thing after another I find wrong with this thing. ]]> http://www.dslreports.com/forum/remark,22683175 Thu, 09 Jul 2009 22:21:29 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22682820 real_goose : The major missing features for me are no way to specify use of OpenDNS for the network, no DynDNS client, and no QOS. Please tell me how to accomplish any of these on 2WIRE RG. ]]> http://www.dslreports.com/forum/remark,22682820 Thu, 09 Jul 2009 21:19:27 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22677853 anon : Yeah, Very funny posts here. The 2Wire does MAYBE 1/10th what a linux or bsd box can do in terms of routing. This 2Wire is not setup to well in terms of custom routers setups, firewalls, QoS shaping and the such. Hell, even my old 2Wire from Att DSL does a better job and has more options, which makes me think these features are just disabled maybe? Though I am not sure how good the hardware in this RG is either, since it does bog down under high load and demand, especially with a lot of tcp connections going through it. I just hope they eventually enable the option for full bridge mode to completely bypass this joke of a "router". DMZ+ 'kinda' works, but you still have to do a little dance to get it to 'kinda' work, and it still proxies through the 2wire, and the 2wire is still trying to route, sometimes double NATing.. I mean, for offering static IPs and business accounts, you just expect more... ]]> http://www.dslreports.com/forum/remark,22677853 Thu, 09 Jul 2009 07:30:53 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22677595 satnone :

said by dave006

:

Your Linux firewall does nothing that can't be done with the existing 2Wre.

I can see you are quite excited about these 2wires, but to say that is laughable.]]> http://www.dslreports.com/forum/remark,22677595 Thu, 09 Jul 2009 03:08:34 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22677481 dave006 : Your Linux firewall does nothing that can't be done with the existing 2Wre. You can have a combination of public static IPs that have all ports open, ranges of ports open or even select individual ports open. You also have the ability to have static IP and NAT to individual private IPs using pinhole port forwarding. The DMZPlus is meant to be used for sharing the single IP and not for the static IPs.

The ISP stops their managment at the RG (router) level and it includes a SPI Firewall that is very configurable but you just have to spend a few minutes to learn how to use the tools. U-Verse gives you full control of the RG, many "business" grade providers don't even allow you to have a login id to the router to make any changes.

So again you can have a mix of static IP addresses (they are not part of any DMZPlus mode), they are on a fully routeable segment, and you still have PNAT addresses supported behind the RG.

The static IPs don't have to be fully exposed unless you choose to have them configured that way.

By default the Firewall still protects the static IPs. The Firewall also allows you to control groups of common ports based on common applications or the ability to create groups of ports: both TCP / UDP that you want to manage. If you have a block of 8 Static IPs for example (5 are fully routeable) and you can also have upto 254 PNAT devices that are supported in the private segment that also have port forwarding capability from the router's IP using NAT.

So again, you have not stated a specific requirement that can't be met by a properly configured RG other than you just like to use your Linux box. :)

AT&T and U-Verse don't manage your Firewall settings in the RG, so the boundry is really at the router aka the old DSU / CSU boundry. You have full control of the Firewall settings within the RG.

Dave]]> http://www.dslreports.com/forum/remark,22677481 Thu, 09 Jul 2009 01:43:27 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22677428 dave006 : Again, have you tried to configure the Firewall settings using the GUI? It is very easy to open individual ports or groups of TCP or UDP ports or predefined Application groups. It it were designed by MIT Grads for MIT grads it would be all CLI. :)

You have the option of using simple pre-defined groups or selecting your individual groups of ports that you are interested in managing, you also have to ability to manage advanced features on the Firewall.

Dave]]> http://www.dslreports.com/forum/remark,22677428 Thu, 09 Jul 2009 01:22:34 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22671627 satnone : Wow that looks like exactly what I was looking for... too bad I didn't find out about this sooner. Oh well my speed package now should be even faster than the package I had before anyways. Hopefully I won't have too many problems with TW. I've never had their business class internet service, but have had their residential TV and havent been too happy with that. At my work we have many clients with this service so I think it may be alright.

Anyways thanks for this ralfwolf, it may come in handy for me in the future.]]> http://www.dslreports.com/forum/remark,22671627 Wed, 08 Jul 2009 06:48:15 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22671416 ralfwolf :

said by satnone

:

Just to give you an idea of what my firewall does and to have a little technical talk like you suggested, I use IP aliases and I use 1:1 NAT to give public IPs to my specific servers. I keep all my servers behind my firewall and use linux iptables to allow openings for certain ports and to control my NAT any way I want (I can direct any port from any public IP specified in my IP aliases to any port and any private IP I want in my network).

satnone,

What you are describing is very typical so any suggestion to the contrary is obviously not based on experience or knowledge. That said, I think the only choice here is to work with what we've got or move on to another ISP. Currently, nobody is providing the speeds uverse promises so I'm stuck. Take a look at the macvlan kernel module.

»cateee.net/lkddb/web-lkddb/MACVLAN.html

With this, it should be possible to create a separate virtual interface for each "real" ip (each with a different mac address) without adding extra hardware or creating VMs. These interfaces can then be put in the DMZ and used in your iptables rules to do nat or anything else. I've used this in another application and it looks exactly like a real ethernet interface from the outside.]]> http://www.dslreports.com/forum/remark,22671416 Wed, 08 Jul 2009 02:46:08 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22671191 satnone : Well sure I could use the RG and my IPs would be working, but then my network would not be setup the way I want it and would not be controlled my MY firewall, therefore it is not an option for me, but Ive already explained this.

Just to give you an idea of what my firewall does and to have a little technical talk like you suggested, I use IP aliases and I use 1:1 NAT to give public IPs to my specific servers. I keep all my servers behind my firewall and use linux iptables to allow openings for certain ports and to control my NAT any way I want (I can direct any port from any public IP specified in my IP aliases to any port and any private IP I want in my network). Some people might have one server they don't mind just sticking on the DMZ, but I don't do it that way... besides I have far more than one server that needs to be publicly accessible in some way. I think my ISP has no business doing anything on my local network. There control should end at the public side of our firewall. That's my opinion and Im sure it's the same opinion any business would have.

Anyways like I said all the tier 2 techs I talked to totally agreed with what I'm saying, and the last one who I was exchanging emails with even felt it was necessary to forward my email to her supervisor and said that he forwarded it to his manager, so hopefully eventually this will change. Until then I have already signed up with TW who by the way answered all my questions about reverse DNS management, port blocking and every other question I had in about 3 minutes (one sales person knew all the answers), which took about 10 hours, 7 different departments and 12 different reps (no exaggeration after adding it all up) to get from AT&T. It almost took all that just to find someone at AT&T that knew what reverse DNS was. One tech said "Um well it was my understanding that DNS is something that runs on your computer.. right?".

Sorry if this offends you or any other AT&T employees on here, but its the truth.]]> http://www.dslreports.com/forum/remark,22671191 Wed, 08 Jul 2009 00:53:49 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22670140 neiltif :

said by dave006

:

Have you even tried to use the RG and it's capabilities? It has a Stateful packet inspection (SPI) Firewall.

Really, well the GUI for configuring it must be designed for MIT grads only because its not obvious that its a real firewall at all.]]> http://www.dslreports.com/forum/remark,22670140 Tue, 07 Jul 2009 20:51:47 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22666449 dave006 : Sorry that you received poor pre-sales information. It sounds like you need more control over your Internet connection than U-Verse allows today. All U-Verse customers are required to use the 2Wire RG.

I am not sure what your comment about your "work" and over 300 clients and none of them using 2Wire is meant to explain. Unless they have U-Verse then we are compairing "Apples" to "Oranges".

Did you even bother to try to use the RG as designed? You would have been up and running in less then 10 minutes with all of your Static IPs available and configurable using the RG and it's SPI Firewall.

Since you want to use multiple static IPs you have fewer options with the configuration of the RG. If you are willing to use the DMZPlus feature, you can use your Linux box to provide features for a private LAN network segment without multiple static IP support.

What specific feature or features do you think are missing from the RG? Did you just join the Forum to rant or would you like to have a technical discussion with peers here on the Forum that know about the features, functions and yes even some of the limitations of the U-Verse solution. It is not perfect but DSL Extreme and TW are not perfect either. Since you have FTTP, your options are really limited.

Dave]]> http://www.dslreports.com/forum/remark,22666449 Tue, 07 Jul 2009 10:48:07 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22659313 satnone : Yes we have FTTP, and only FTTP, or believe me I would still be with DSL Extreme, and I'm sorry but I cant substitute my linux firewall with all of its capabilities and configurations for this 2wire.. not gonna happen. I just got off the phone with another tier 2 tech, and he also agreed with me about this, and said he doesnt understand why business class would be forced to use this 2wire as their firewall either. I spent many hours on the phone and even talked to a couple tier 2 techs before signing up to make sure I didn't have any surprises like this, and none of them bothered to mention this to me. Looks like TW is my only other option now.. and if that doesnt work I guess Ill be looking for another place to live. If I sound anal or picky about any of this, at my work we have well over 300 clients, and not one of them is using a 2wire residential gateway as their firewall.]]> http://www.dslreports.com/forum/remark,22659313 Mon, 06 Jul 2009 00:49:26 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22659088 dave006 : Short answer is No, not in a reliable supported way. Many have tried and there are some hacks that claim to work but they are very complex and fail very often due to almost any change on your side of the network due to dynamic route table changes.

Sorry but more bad news. The RG is a 2Wire 3800HGV-B Gateway (based on the 2Wire 2701) and has a built-in VDSL Modem even if you don't use it (if you use the Broadband port). The U-Verse network is not a 100% fibre network. The network backbone is fibre from the VRAD upsteam but the last mile is mostly copper unless you are in one of the rare areas with FTTP. It sounds like you are in the FTTP group based on your comments about just and "ethernet" connection to the internet.

The RG is designed to use OSI Layer 2 and MAC addresses to provide the connection from the U-Verse network to your static IP block. Again, U-Verse does allow you to configure the RG in a bridged mode (transparent routing) or create forward / backward routes. It is designed to own the subnet and it uses an internal capability in the RG to generate the routes between the public segments to reach your static IP block.

Here is the 2Wire support article that provides the best overview of multiple Static IP support: »support.2wire.com/?page=view&article=126

Note: You are running Version 5 firmware on the U-Verse RG so follow that section, sorry the other capabilities don't apply.

This allows you to have both a public static set of IPs and also NAT for any other devices on your network.

Have you even tried to use the RG and it's capabilities? It has a Stateful packet inspection (SPI) Firewall.

Dave]]> http://www.dslreports.com/forum/remark,22659088 Sun, 05 Jul 2009 23:31:17 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22658393 satnone : First of all this is Uverse fiber optic service, there is no dsl modem.
Yes I have a block of IPs which I expected and was told I would be able to use the way that anyone would use static IPs. I have a linux based firewall that uses IP aliases. I am not going to use the RG for my firewall just like probably any normal business would not. I was even told by the tech I spent 45 minutes talking to that she doesnt understand why they are giving these RGs to business customers either, because it makes no sense since any business would have their own firewall with their own specific configurations. All I wanted to know was if anyone has yet found a way to use IP aliases with this thing, because I have tried everything and am about to give up.]]> http://www.dslreports.com/forum/remark,22658393 Sun, 05 Jul 2009 20:20:59 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22657687 dave006 : First the RG is a real router but what you really want is just a bridged VDSL Modem. You are not going to get that with U-Verse.

What are you using for a "Firewall"? Do you have a block of Static IPs from U-Verse?

The RG has a very specific way to support multiple static IP addresses. It is not designed to pass a block of IPs to a downstream router.

Second, rather than ranting, tell us about your configuration and the specific issue that you have, you will get a much warmer welcome to the Forum. :)

Dave]]> http://www.dslreports.com/forum/remark,22657687 Sun, 05 Jul 2009 16:34:27 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22657569 satnone : I also just signed up for this service and I am already quite pissed off. I made a huge effort to ask as many techs as I could if there's anything "funny" about this service, funny being anything other than an ethernet port to the internet that I can use any of my static IPs on. I have been wasting so many hours of my time trying to get my firewall working behind this piece of crap 2wire. did anyone ever figure out how to use IP aliases with this thing? It seems that it will only DMZ according to MAC addresses, so while I can get IP aliases working fine, all of them end up being blocked by their firewall. Using their residential gateway (not sure why a business class account would be given something like this) is not an option for me, so If I cant get my IPs to work correctly and not through some ridiculous DHCP reservations, I'm gonna have to waste even more time switching ISPs again. Cant believe how many hours I spent on the phone to avoid this very thing only to end up in this situation anyways. This is unacceptable for business class internet service - we need real routers... that route...period

Please if anyone has found a solution let me know.]]> http://www.dslreports.com/forum/remark,22657569 Sun, 05 Jul 2009 16:04:22 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22585969 anon : Wait, so where you able to assign an Att public IP address to one of your internal devices and bypass the 2wire routing? If so, how did you do this?]]> http://www.dslreports.com/forum/remark,22585969 Sun, 21 Jun 2009 07:40:14 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22584382 jcmjr : Matt are you still working in Static IP's at u-verse? I could use some help.]]> http://www.dslreports.com/forum/remark,22584382 Sat, 20 Jun 2009 19:43:50 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22506447 bclbob :

said by Darron :

Here's my question. I'm worried about leaving them as 'fixed' DHCP entries, because the computers may be off for extended periods. Will the 2wire "forget" static IP settings for a computer it hasn't seen in a while?

I only have the DMZplus mode which assigns the single router static IP to a chosen device via DHCP and yes, it does forget if the assigned computer doesn't DHCP in a while. the 2wire hands out a 10 minute lease and I seem to reember thats how long it took for the traffic to stop flowing when I configured my router with the static IP and to block DHCP from the Internet (and hence the 2wire).

It might be different for true statics, but I wouldn't bet on it.]]> http://www.dslreports.com/forum/remark,22506447 Sat, 06 Jun 2009 10:00:54 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22505850 djrobx :

quote:
You CAN put multiple ips on one device and outbound they Will work, but you can not allow traffic inbound to each device. The RG only works when it sees seperate mac addresses.

One network card CAN have multiple MAC addresses as long as it's in promiscuous mode. If you run VMWare, for example, you can create several virtual adapters, and each will get its own MAC from a single NIC. The RG will see each as an individual device, too.
--
AT&T U-Hearse
Your funeral. Delivered.
]]> http://www.dslreports.com/forum/remark,22505850 Sat, 06 Jun 2009 04:11:50 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22505376 x51 :

said by Darron :

Sorry, I was a little boneheaded. The new NICs were in static IP mode, not DHCP. The 2wire will never 'see' a NIC card in the device list until it requests a DHCP address.

It will usually see it eventually if the static is on the same subnet and you generate a lot of taffic. But I've had it take up to 48 hours that way. So DHCP is the ony really usable solution.

It shouldnt be a problem. With regualar DHCP the lease will expire, but with the Fixed option selected it's not "supposed" to expire. ]]> http://www.dslreports.com/forum/remark,22505376 Sat, 06 Jun 2009 00:34:58 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22505142 anon : I finally got it (so far, anyway, it works) After connecting and booting up an old laptop off an Ubuntu LiveCD, I disproved my "must be on seperate jacks on the 2wire" theory, and in the process figured out what it really was.

Sorry, I was a little boneheaded. The new NICs were in static IP mode, not DHCP. The 2wire will never 'see' a NIC card in the device list until it requests a DHCP address. That kind of makes sense. It's crappy, but no crappier than the rest of it, really. It works, so for that at least I'm thankful.

The problem was, the second NIC that half-works was once on DHCP, so the 2wire knew about it... but it was no longer, and the 2wire was ignoring it. So, I could try to configure it, but the 2wire wasn't going to let me. (The error message is NO help there) The third and fourth NIC cards that 2wire never saw as DHCP clients of course never showed up at all.

So, I set all 4 (yeah 4 now) of the new NICs to DHCP mode, and then went to the address allocation page and switched them to the IP addresses I wanted them to use.

Here's my question. I'm worried about leaving them as 'fixed' DHCP entries, because the computers may be off for extended periods. Will the 2wire "forget" static IP settings for a computer it hasn't seen in a while?

By the way, they're not physical machines... the new 4 are all in a single VMWare virtual machine in bridge mode. They all have dedicated MAC addresses, and a tcpdump trace on the ethernet wire shows they are talking with unique MACs, so I knew that wasn't it. I didn't want to mention that because I was sure that would throw off the assistance. Once a devices (virtual or otherwise) is talking with a different MAC address, there's absolutely no difference on the physical ethernet layer between that and a physical box. In bridged adapter mode, VMWare acts like a network switch (not router).

Why 4 NICs on a single virtual machine? Because now that PC can route them to where they really need to go. It's an ugly solution for an almost-broken 2wire system.

bclbob and x51, thanks for your help and your time.]]> http://www.dslreports.com/forum/remark,22505142 Fri, 05 Jun 2009 23:31:41 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22505050 x51 :

quote:
It's working for one computer, but never more than that. Do they have to be plugged in to different ethernet jacks on the 2wire? they're all on a switch, which is connected to the 2wire on one jack.

When you say switch... do you mean a regular switch or a router like a linksys or netgear with a built in switch or something?

If you are using a router, this is your issue.. it wont happen. The router has one public interface and that's all the 2wire will see.

If it's a regular (non routing) switch... then forget all that stuff i just said ;) ]]> http://www.dslreports.com/forum/remark,22505050 Fri, 05 Jun 2009 23:05:19 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22505038 x51 : Darron,

I had a lot of trouble with machines not being seen when I statically assigned my ips. Your best bet might to use DHCP, then sticky the publics on the machines you want to have them.]]> http://www.dslreports.com/forum/remark,22505038 Fri, 05 Jun 2009 23:01:47 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22504727 anon : The netmask does show 248, I forgot to mention that.

It's working for one computer, but never more than that. Do they have to be plugged in to different ethernet jacks on the 2wire? they're all on a switch, which is connected to the 2wire on one jack.

I see a weird "Display alert when another router is connected to this router" checkbox on the J09 page... what's that about?

On the C06 page, there is an "Auto firewall open" checkbox, which is cleared. What does that do? ... or should I always use the J pages and not the C pages?]]> http://www.dslreports.com/forum/remark,22504727 Fri, 05 Jun 2009 21:50:08 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22504629 anon : The public interface on page J09 never shows, but the detailed log shows something is happening. Here, I changed the route from .6 to .5, cleared the log, then set it back.

INF 2009-06-05T20:27:58-05:00 lmd: ipnet2: DOWN on bridge0:2 with 75.63.108.5
INF 2009-06-05T20:27:58-05:00 lmd: ipnet2: UP on bridge0:2 with 75.63.108.6/29
INF 2009-06-05T20:27:59-05:00 lmd: ipnet2: dns change on bridge0:2 DNS1: 75.63.108.6 DNS2: 0.0.0.0]]> http://www.dslreports.com/forum/remark,22504629 Fri, 05 Jun 2009 21:31:19 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22504529 anon : Weird. Okay, By going to 192.168.1.254/ instead of your direct link, I get a different set of configuration pages. The pages I was looking at (C06) shows the pubic routed interface enabled and configured. The page you gave (J09) shows the public interface as blank.

When I enter the public interface on the J09 page, it refreshes to the status page, but does not show any public interface on that page. When I go back to J09, the public interface is blank again.

Any ideas?]]> http://www.dslreports.com/forum/remark,22504529 Fri, 05 Jun 2009 21:13:06 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22504284 bclbob : Did you configure the "Public Routed Subinterface" section on this page?

»192.168.1.254/xslt?PAGE=J09&THIS···PAGE=J09

If so, you might have the wrong netmask, for a 5 public IP block you need 255.255.255.248]]> http://www.dslreports.com/forum/remark,22504284 Fri, 05 Jun 2009 20:27:17 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22504186 anon : I've got static IPs, and I'm trying to get more than one IP actually assigned to something.

I -want- to send multiple IPs to the same machine (firewall), but from reading enough posts the 2wire appears to be something of a joke as far as an internet router goes and can't do that. So...

I've got several machines behind a switch, which is connected to the 2wire. The machines are all running linux with static IPs configured.

The 2wire shows two machines (not a third) on the interface. On the "Edit Address Allocations Settings" page, two machines show as "Static IP" on the left side, but the right side shows machine #1 with the correct static IP, but machine #2 is set to WAN IP. If I try to change it to the correct static IP, then I get an error "For the public routed subinterface only WAN IP mapping is allowed.".

How can I get a few more of my static IPs actually attached to something?]]> http://www.dslreports.com/forum/remark,22504186 Fri, 05 Jun 2009 20:04:53 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22488200 bclbob :

said by x51

:

The RG will only see the one device (mac address) and you can only open ports (or use dmz if you wish) for the one device / one ip ... right? The other 2 ips wont show in the list?

Not quite, if you have the RG configured correctly for the static IP block there is a page where you can effectively DMZPlus mode multiple static IPs to MAC addresses seen on the LAN side]]> http://www.dslreports.com/forum/remark,22488200 Wed, 03 Jun 2009 10:14:30 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22486714 mmay149q : Well you are right on that, it only see's one mac, but if you hook it up to multiple NIC's then that takes care of the issue. Also if you are going through a switch/firewall, you can just static assign it to the machine, it works that was as well.
--
"Technological progress is like an axe in the hands of a pathological criminal." -Albert Einstein]]> http://www.dslreports.com/forum/remark,22486714 Tue, 02 Jun 2009 23:39:15 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22486675 x51 : hrm.. maybe i misunderstood then..

My understanding included some assumptions.

I assumed since he wants 3 static ips on one nic, he's looking to open ports inbound somehow??

The RG will only see the one device (mac address) and you can only open ports (or use dmz if you wish) for the one device / one ip ... right? The other 2 ips wont show in the list?]]> http://www.dslreports.com/forum/remark,22486675 Tue, 02 Jun 2009 23:33:06 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22486606 mmay149q :

said by x51

:

Multiple ips on one device will not work.
There is no bridging mode on the rg which is really what you need.

You CAN put multiple ips on one device and outbound they Will work, but you can not allow traffic inbound to each device. The RG only works when it sees seperate mac addresses.

There is no way around it. (that i can find) I've spent many many hours with tech support, I've searched every board that mentions uverse and static ips... I had statics for about 2 weeks and just canceled them since they were not going to meet my needs.

If Matt from tier 2 is somehow able to help you...... PLEASE post back here so the many many others with this issue can fix it.

Well bridge mode isn't in the RG yet, but that's not what he was trying to do, and I haven't heard back about if what he tried to do fixed it or not.
--
"Technological progress is like an axe in the hands of a pathological criminal." -Albert Einstein]]> http://www.dslreports.com/forum/remark,22486606 Tue, 02 Jun 2009 23:16:56 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22486508 x51 : Multiple ips on one device will not work.
There is no bridging mode on the rg which is really what you need.

You CAN put multiple ips on one device and outbound they Will work, but you can not allow traffic inbound to each device. The RG only works when it sees seperate mac addresses.

There is no way around it. (that i can find) I've spent many many hours with tech support, I've searched every board that mentions uverse and static ips... I had statics for about 2 weeks and just canceled them since they were not going to meet my needs.

If Matt from tier 2 is somehow able to help you...... PLEASE post back here so the many many others with this issue can fix it. ]]> http://www.dslreports.com/forum/remark,22486508 Tue, 02 Jun 2009 22:56:49 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22430134 mmay149q : Hello, my name is Matt, and I'm an AT&T U-Verse Tier II Technical Support Technician, I'm also trained in setting up the static IP blocks, if you would like to private message me your billing account number and a good call back number, I would be more than happy to call you back and help you set this up and explain to you how it all works with U-Verse. Thanks, Matt.]]> http://www.dslreports.com/forum/remark,22430134 Fri, 22 May 2009 17:28:12 EDT Re: U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22423296 bclbob :

said by CJ Texas :

Does anyone now how to setup the RG so that it actually routes the Static IP block into my network so I can take care of assigning the IP however I want (static is my preference)?

You can't do that, you must do the DHCP dance with the 2wire. It's designed for idiots, but its kind of rediculous for any prosumer use, which static IPs are targeting]]> http://www.dslreports.com/forum/remark,22423296 Thu, 21 May 2009 14:59:55 EDT U-Verse Static IP's: Not Working, Can't figure out problem http://www.dslreports.com/forum/remark,22421681 anon : I had static IP's for the last 6 months or so working with out a glitch. In fact I had 3 static IP's (all static on the server, 2 of them alias) assigned to a single nic in a Linux machine. Then last week all stop working. I have been working with U-Verse Static IP support group for over a week to no avail: First got told they do not support IP aliases and that I needed a single NIC per IP on the server: I complied, then I was told multiple NIC's on a single PC are not supported. ALl along they tell me I must assign IP unsing DHCP and then move them to static. The eventually the IP's show up as static in the RG although they are really DHCP and of course I can not see my server from the outside eventhough I can ping the Internet from the server.

Does anyone now how to setup the RG so that it actually routes the Static IP block into my network so I can take care of assigning the IP however I want (static is my preference)?

I am about to cancel just because they can get it to work but if it did before why can't they make it work now?]]> http://www.dslreports.com/forum/remark,22421681 Thu, 21 May 2009 10:05:05 EDT