 SgtPepper
join:2009-09-07 Webster, TX
| reply to x51 Re: Uverse DSL With Static IPS WORST ISP EVER!
Wow, this was some read. I just got Uverse a week ago with the 3800HGV-B Gateway and a /29 of sticky IPs. There are many ways to make all this work. I'm using a Cisco 1841 router, yet this approach will work with many Linksys routers as well. MAC address cloning or spoofing is the key to getting this to work. Before I got started I set the MAC address on the network interface of my laptop to match that of the F0/1 interface of the 1841 router. Next I connected to the 2-Wire gateway with the laptop, assigned a public IP address to it, followed by an ipconfig /release and /renew. Verified it worked and then moved the cable connected to the laptop to the F0/1 interface of the router. Log into the router and configure it with the same public IP address and the 2-Wire 3800HGV-B Gateway will never know the difference. |
|
  ralfwolf
@wiline.com
| reply to h3lix0 First of all, thanks for posting the rant. I just ordered Uverse and would have been pissed if I found out about this after my 30-day money back period. Has anyone (specifically x51) tried h3lix0's solution? It seems that if this does indeed turn the 2wire box into a plain IP router then it should address the problem.
I've got a slightly different solution if the above doesn't work... x51, you mentioned you had set up Linux as a gw/fw. If so, then if you are using a recent distro of Fedora, you can try iproute2 and the macvlan kernel mod. It seems to have been introduced sometime between fc7 and fc10. Not sure about other distros. I'm sure you can download the latest kernel and iproute. I wasn't able to get the necessary iproute version via yum on fc7 with stock repos so I didn't try very hard. This would allow you to configure one or more links (each shows up as an interface via ifconfig) on a single Ethernet interface, each with a different MAC and IP. I tried it out and it sends and responds to ARPs with the correct IP/MAC combos. Seems like this would allow you to build a Linux gw/fw/nat box that would do exactly what you want without having to resort to VMs.
I'll have to play with some of this myself once my service is installed. |
|
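As an added example (not from ralfwolf's post or from anyone else in the thread), here is a POSIX shell script that emits the iproute2 commands for the macvlan approach described above: one macvlan link per sticky public address on a single uplink NIC, each with its own locally administered MAC, so the RG sees a separate device per address. The uplink name eth0, the 75.100.75.120/29 block and the 2Wire gateway 75.100.75.126 are assumptions borrowed from x51's example addresses. By default it only prints the commands; with APPLY=1 set (as root) it executes them.

```shell
#!/bin/sh
# Added example, not from the thread: build one macvlan link per public IP.
# Assumed: uplink NIC eth0, block 75.100.75.120/29, 2Wire gateway .126.
# Default is a dry run that prints the ip(8) commands; APPLY=1 executes them.

UPLINK=${UPLINK:-eth0}
GATEWAY=${GATEWAY:-75.100.75.126}
PREFIX=${PREFIX:-29}

# run CMD...: print the command, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# mac_for N: deterministic locally administered unicast MAC (02:...) for link N,
# so the RG sees a stable, distinct MAC per public address across reboots
mac_for() {
    printf '02:00:5e:00:00:%02x' "$1"
}

# macvlan_cmds IP...: emit the commands for one macvlan link per address
macvlan_cmds() {
    # Reply to ARP only on the interface that actually holds the target IP.
    # With the default (arp_ignore=0) the parent NIC and every macvlan link
    # answer a broadcast request for any local address, so the RG can learn
    # pub1's IP against pub2's MAC.
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    n=1
    for ip in "$@"; do
        link="pub$n"
        run ip link add link "$UPLINK" name "$link" type macvlan mode bridge
        run ip link set dev "$link" address "$(mac_for "$n")"
        run ip addr add "$ip/$PREFIX" dev "$link"
        run ip link set dev "$link" up
        n=$((n + 1))
    done
    # one default route out via the 2Wire; each link has its own connected /29
    run ip route replace default via "$GATEWAY" dev pub1
}

# Usage: pass the public addresses the RG handed out, e.g.
#   APPLY=1 ./macvlan.sh 75.100.75.121 75.100.75.122
if [ "$#" -gt 0 ]; then
    macvlan_cmds "$@"
fi
```

The arp_ignore sysctl is the part that is easy to miss: without it the box still works until the RG's ARP cache happens to refresh from the wrong interface, at which point traffic for one public address starts arriving on another link's MAC.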
 h3lix0
join:2001-09-30 San Diego, CA
| reply to bclbob I can't get you Layer 2 - but I can at least get you Layer 3 routed via the 2wire without the need for DHCP.
1) Configure the normal private IP range. You probably already have this set up, but you cannot configure the 2wire POS using the public IP interfaces.
2) Under the Uverse configuration, go to the "Home Network" tab.
2.1) Click "Advanced Settings". Down below, you will see a "Public Routed Subinterface" option. This is key.
3) Give your "Router Address" one of the public routed IPs given to you by AT&T.
4) Subnet mask will probably be a /27.. As a network engineer you'll know this is 255.255.255.248 - but for anybody else who is playing along at home, this is what you enter here if you have the lowest static package.
5) "Auto Firewall Open".. select this.
6) Clear your "Device List" by heading to http://ip.of.gateway/mdc and clicking "Resets" on the left hand side. Click on the "CLEAR" next to "Local Network".
7) Add devices onto your network in your IP address range, using the "Router Address" configured above as your gateway.
7.1) Ping the gateway "Router Address" from the node you bring up on the network. The gateway seems to be braindead enough not to ARP, so at least this way it knows your MAC address.
8) Under the same "Home Network" -> "Advanced Settings" tab, click "Edit Address Allocation" on the right when you have a node online.
9) Make sure "Firewall Protection" is unselected. This is what turns this beast into a dumb gateway for your public address range. (It may already be deselected.)
Downsides: For the life of me, I have not been able to figure out why MTR and Traceroute still do not work, even with this thing configured as a gateway. Other than that - enjoy turning your 2wire into a gateway. |
|
  dropfreeze
@sbcglobal.net | reply to x51 x51 - Thank god for your post. I was beginning to go through the same thing you did; however, luckily I found this posting. Setting up a half a*s network is not an option for me. Thank you again for saving me tons of time! |
|
 x51
join:2009-05-27 Stratford, CT
| reply to anderboy anderboy, as far as I can tell the 2wire won't route for me.
So if I have a server with address 75.100.75.121 with its gateway being the 2wire public 75.100.75.126.
And I have... say... a printer running off the 2wire using an ip in the default private subnet 192.168.1.31. with the 2wire (192.168.1.1) as its gateway.
The 2wire wouldn't route the traffic to the other interface as I expected it to. It seemed I had to add a second nic, or at least a second IP to the server in the 192.168.1.x subnet so they could communicate.
Routes are only as good as the router you point them at.
Should the 2wire have routed this for me?? I was so aggravated over all the other issues, I put little time into testing the actual routing since it was a such a small part.
I'm guessing here... but I imagine if it were to route this for a 192.168.1.x device to talk to a 75.100.75.x address the firewall would need to be opened on the right ports? |
|
 anderboy
join:2007-07-23 Leander, TX
·AT&T U-Verse
| reply to x51 said by x51 :2) The only way to use the static IPs provided is to have their 2wire device assign them to your equipment via DHCP. That's awesome.. So.. I have to have real public IP addresses on my machines to use the static IPs. (Theoretically you can manually assign the publics to your equipment, but it does not work for reasons mentioned below.) So no NAT???? I can't NAT a public on the gateway to a private in my network? NOPE.. sorry. Publics for everything! ... with Public IPs on my equipment, how am I supposed to talk to my printers, Active Directory servers, portable devices..etc?? Do I ask them for more IPs to cover my whole network? Or do I now put 2 network cards in each of my public facing machines? One with the public IP and one with the private?
Why not just change your routing tables on the public machines? You don't need two different network cards to talk to two different subnets.
~$ sudo route add 192.168.1.2 dev eth0
~$ ping 192.168.1.2 |
|
  ttassos
@comcast.net
| reply to x51 I too am feeling the U-verse pain and hoping for a business class device that can be bridged. To answer the "why would you need several static IP's" question, it is because we have multiple web and e-mail servers in our network. We need to NAT port 25 (SMTP) and port 80 (HTTP) in from the Internet to different web and mail servers on the private LAN. |
|
 x51
join:2009-05-27 Stratford, CT
| reply to NetEx hahahahahahahah LMAO. I had also considered that approach, but I think a Linux firewall with 5 NICs would be neater.
I spoke to Level 2. Actually the tech who did the "Install" didn't know anything about static IPs. He gave me the number the techs call that goes directly to Level 2. After answering the "How did you get this number" questions... They confirmed that that's just how it works. I'm SOL.
It's not really a matter of "how to". The interface is self-explanatory... the only way to do what I need would be new firmware or possibly full command line access to turn on disabled features.
Anyway, I canceled the statics. I put my Cisco in DMZ mode and I'm port forwarding to my various servers. I'll live with the single IP. It's not what I wanted, but it'll do until they offer a better device or I change ISPs.
I sent a nice tech who contacted me through here an email offering to become a beta tester for a new device / firmware... LOL |
|
  NetEx
@comcast.net
| reply to x51 what about using 5 routers Unfortunately that is what I am doing at this time. Yeah I know it sucks and yeah the Uverse RG sucks, but I had them laying around and had to do something.... Don't ask to see pictures of my rack; it's pretty lame looking with 4 Linksys routers, 1 Cisco PIX and 1 RG :P
x51 - on another note there is a tier 2 support number that you can use to get a tech on the phone.. those Uverse business tier 2 guys actually know stuff. Haven't called them since I had the service installed 4 months ago, but last time I spoke they did say they are working on a new hardware solution for business customers. Not sure why they would release a product like this when it's not ready at all. It's still in alpha IMHO. |
|
 x51
join:2009-05-27 Stratford, CT
| reply to bclbob said by bclbob :x51: I think what you need to do is get 2 NICs for the webservers, one side plugged into the U-Verse gateway for the public IP and the other set to your internal network. Obviously you're going to need to have firewalls on each of the machines, since the idea is you're going to do the DHCP dance to get those machines external IPs. Well with the publics on the machines, I can still use the RG as a firewall... but it all seems to come back to 2 NICs. The one solution from djrobx with the VM linux firewall is the only way I know to avoid it. |
|
 bclbob
join:2000-06-23 Oak Park, IL clubs:
| reply to x51 x51: I think what you need to do is get 2 NICs for the webservers, one side plugged into the U-Verse gateway for the public IP and the other set to your internal network.
Obviously you're going to need to have firewalls on each of the machines, since the idea is you're going to do the DHCP dance to get those machines external IPs. |
|
 x51
join:2009-05-27 Stratford, CT
2 edits | reply to mhetterm said by mhetterm :Why, exactly, do you need multiple static IPs (just asking so that maybe we can brainstorm a way to provide the services you need ...) I have a Windows Exchange server with Outlook Web Access, a Windows web server, a Linux Apache web server, a VPN device, and an SFTP server.
There are many workarounds (as I'm doing right now) to fit this all into a single IP address. I can use port forwarding to different devices. The most difficult part is the multiple servers that require port 80 and 443.. simple port forwarding won't cut it. Right now all websites point at one server on port 80 and 443, and redirect to the proper servers on other ports. I don't want to make people remember port numbers.
I CAN move the important things to one of my datacenters where I wont have any issues... Most of the stuff I have is just for a test lab..
It's more about the point that with any other ISP that offers statics, this would not be a problem. Going from AT&T DSL to AT&T Uverse I thought would be pretty simple.
I don’t mind a LITTLE compromising, but it's getting silly.
said by Tigerpaw509 :Would be willing to bet this guy talks for 3 hours on a conference call without a break. Has to be one of the worst rants on here Hrm.. maybe that's why I was on with tech support so long?? |
|
 x51
join:2009-05-27 Stratford, CT
| reply to djrobx said by djrobx :If you want to "roll your own" routing, you could run Linux or BSD in a virtual machine on a physical machine with 2 interfaces. Create 5 virtual network adapters bridged to a real network adapter connected to one of the RG's ports. The RG will see these virtual adapters as individual machines because they each get their own MAC address. Then bridge a sixth virtual adapter to your physical adapter connected to your LAN and set up routing as desired between these interfaces. I had considered something similar.... I have a bunch of 4-port Ethernet cards. I considered throwing 2 of them in an old PC and building a Linux firewall. This could solve the issue with the RG only working off of physical MAC addresses.
The virtual solution WOULD effectively do the same thing and sounds like a better idea. I may give that a shot. |
|
Tigerpaw509 Premium join:2006-07-15 Huntley, IL | reply to x51 Would be willing to bet this guy talks for 3 hours on a conference call without a break. Has to be one of the worst rants on here |
|
 mhetterm
join:2001-11-01 Altadena, CA
·AT&T U-Verse
| reply to x51 @x51 - you are correct, I have a single dynamic IP - I don't have need for statics, as my router updates my dyndns account (and, apparently, U-verse "dynamic" IPs don't really change)
My point was only that the service _can_ be used for business purposes. I completely agree that AT&T should figure out how to provide a true bridged internet pipe via u-verse - but they don't at the moment, so we have to find work-arounds, or you can drop the service.
Why, exactly, do you need multiple static ip's (just asking so that maybe we can brainstorm a way to provide the services you need ...) |
|
 Tigerpaw509 Premium join:2006-07-15 Huntley, IL | reply to x51 again what about his johnson |
|
  David No,there is another. Premium,VIP join:2002-05-30 Granite City, IL clubs:
·DIRECTV
·magicjack.com
·AT&T Midwest
| reply to x51 We also even have a direct forum as well...
»/forum/sbcdirect
I do take in problem reports and now that I have more uverse people listed in direct it's getting quite relaxing as I have more time to also focus on other AT&T problems as well.
oh look more research! -- If you have a topic in the direct forum please reply to it or a post of mine, I get a notification when you do this. Koetting Ford, Granite City, Illinois... YOU'RE FIRED!!
|
|
  djrobx
join:2000-05-31 Valencia, CA
·PHONE POWER
·AT&T U-Verse
·AT&T CallVantage
·Time Warner VOIP
·RoadRunner Cable
2 edits | reply to x51 If you want to "roll your own" routing, you could run Linux or BSD in a virtual machine on a physical machine with 2 interfaces. Create 5 virtual network adapters bridged to a real network adapter connected to one of the RG's ports. The RG will see these virtual adapters as individual machines because they each get their own MAC address. Then bridge a sixth virtual adapter to your physical adapter connected to your LAN and set up routing as desired between these interfaces. -- AT&T U-Hearse Your funeral. Delivered.
|
|
 x51
join:2009-05-27 Stratford, CT
| reply to djrobx said by djrobx :What IPsec VPN are you using, and what was your secret? I could not for the life of me get IPsec working through DMZPlus. Tried both Openswan and pfSense. It always died at phase 2. I've set it up dozens of times with a regular bridged connection and never had a problem. I can confirm in DMZ Plus mode I have IPsec VPN working. I have read posts from many others who, like you, can not get it to work though. I don't know if all of these devices have the same firmware? |
|
 x51
join:2009-05-27 Stratford, CT
| reply to mhetterm
said by mhetterm :Likewise, another engineer here (electrical, but one of my hats at work is managing our IT - the joys of a startup!) I have uverse at home and my ipsec vpn tunnel to work stays up fine 24/7, softphone/web/ssh/all other traffic through the tunnel is fine, no complaints! I agree the 3800hg UI is a bit fisher-price, but I just put a business-grade router in DMZplus and everything is fine. Asking for solutions is quite a bit more productive than just ranting ... Your solution is the most common found for this issue. The problem is that it sounds like you are using the single provided IP and your own router in DMZ mode. This is actually how I'm running right now, because it mostly works.
If this IS indeed the case, the problem is that your solution does not address my rant at all. I want to use my block of 5 different static IPs. I want to NAT them and only require 1 NIC in my servers.
If I misunderstood and you ARE using a block of statics, I'd be interested in more detail. |
|
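The NAT that ttassos and x51 describe wanting (each sticky public address forwarded to a different single-NIC server on the private LAN, with only the needed ports open) is what a Linux box sitting between the RG and the LAN would do with iptables. The following is an added example, not from any post in the thread: a POSIX shell script that emits the 1:1 DNAT/SNAT and FORWARD rules from a small mapping table. The interface names eth0/eth1, the 192.168.1.x server addresses and the port lists are constructed for the example; it prints the rules by default and applies them when APPLY=1 is set as root.

```shell
#!/bin/sh
# Added example, not from the thread: 1:1 NAT of sticky public IPs to
# single-NIC servers on a private LAN, on a Linux gateway between the RG and
# the LAN. Assumed: the public IPs live on the WAN side (eth0, e.g. macvlan
# links), the LAN is eth1. Dry run by default; APPLY=1 executes the commands.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

# Constructed mapping table: public IP, private server, allowed inbound TCP ports
MAPPINGS='
75.100.75.121 192.168.1.10 25,80,443
75.100.75.122 192.168.1.11 80,443
75.100.75.123 192.168.1.12 22
'

# run CMD...: print the command, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# nat_rules: read "public private ports" lines on stdin, emit iptables rules
nat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # default deny for forwarded traffic; only the holes below are opened
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may initiate outbound connections
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    while read -r pub priv ports; do
        [ -z "$pub" ] && continue
        # inbound: anything addressed to the public IP is rewritten to the server
        run iptables -t nat -A PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$priv"
        # outbound: the server's own traffic leaves with its public IP, not the gateway's
        run iptables -t nat -A POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
        # filter runs after DNAT, so match the private address and only the listed ports
        run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$priv" -p tcp -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Usage: ./nat.sh prints the rules; APPLY=1 ./nat.sh installs them
printf '%s\n' "$MAPPINGS" | nat_rules
```

Because the DNAT rule has no port restriction, the FORWARD rule is what keeps the server from being fully exposed on its public address: the `-P FORWARD DROP` policy plus the per-server multiport ACCEPT is the equivalent of the RG's "Firewall Protection" that the thread describes losing when the 2wire is turned into a dumb gateway.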