freakout9903
Premium Member
join:2001-04-19
Gastonia, NC

freakout9903 to Snuffbox

Re: ATT Uverse DSL - Good Speed, poor performance help?

First off I would HIGHLY recommend you get a wireless router to put behind the 3801 Gateway. I use a Linksys router with a Tomato-Toastman based firmware. This basically lets you bypass a lot of the traffic shaping the 3801 gateway attempts to do but fails severely in many ways.

1. For my VoIP/Skype/gaming I put the router into DMZplus mode which gives it the public IP, open up all traffic to the router/disable the 3801 firewall for the device, and then I go an extra step and go into the firewall settings of the 3801 gateway

and UNCHECK (to disable the 3801 from touching anything):
Stealth Mode
Block Ping
Strict UDP Session Control
Excessive Session Detection
TCP/UDP Port Scan
Invalid Source/Destination IP address
Packet Flood (SYN/UDP/ICMP/Other)
Invalid TCP Flag Attacks (NULL/XMAS/Other)
Invalid ICMP Detection
Miscellaneous

and CHECK (to allow all inbound):
HTTP
HTTPS
FTP
Telnet
SMTP
DNS
NetBIOS
POP3
IMAP
NNTP
IRC
H323
All Other Protocols

I know this is kind of not needed since I disabled the firewall for the gateway but it seems to speed things up a bit in my opinion since it's not actively looking for attacks or not allowing certain traffic through.

2. Then in my Tomato firmware I changed my DNS servers and un-checked the option in the firmware for: "Use received DNS with user-entered DNS"

This lets you bypass the 3801's DNS, which is slow and unresponsive at times I have found. So this dramatically speeds up everything.

3. Specifically for Youtube I block these IP ranges from the post I made here: previous post

All this lets me have a smooth experience with U-verse, and I should mention I am on the 12mbit/1.5mbit internet tier. No tech is going to be able to recommend you do any of this, and it may not be for everyone if you have devices other than your STBs/wireless router connected directly to your 3801 gateway (as this would open up those devices to attacks). With that said, everything except your STBs should be connected behind your router...not directly to your 3801 gateway if you go this route.

Snuffbox
nice irl
Premium Member
join:2011-04-15
Milwaukee, WI

Thank you Freakout, I will give this a go.

I have an unused Netgear router that I'll put through and bypass the gateway's wifi.

I understand the implications of essentially removing the firewall. Machines connected directly to the gateway don't have any sensitive information so I'm not concerned.

rolande
Certifiable
MVM,
join:2002-05-24
Dallas, TX
ARRIS BGW210-700
Cisco Meraki MR42

rolande to freakout9903
Thanks freakout9903. I've been meaning to get my own access points back online and fire up my Cisco 3725 as my internal gateway. Maybe I can get my IPv6 tunnel back online at the same time. Just haven't had the time to focus on any of that, since we moved in last September. I appreciate you posting your recommendations on what has worked for you.

freakout9903
Premium Member
join:2001-04-19
Gastonia, NC

said by rolande:

Thanks freakout9903. I've been meaning to get my own access points back online and fire up my Cisco 3725 as my internal gateway. Maybe I can get my IPv6 tunnel back online at the same time. Just haven't had the time to focus on any of that, since we moved in last September. I appreciate you posting your recommendations on what has worked for you.

I have a tomato-toastman ipv6 tunnel config as well somewhere if you guys would like.

freakout9903
Premium Member

freakout9903 to Snuffbox
said by Snuffbox:

Thank you Freakout, I will give this a go.

I have an unused Netgear router that I'll put through and bypass the gateway's wifi.

I understand the implications of essentially removing the firewall. Machines connected directly to the gateway don't have any sensitive information so I'm not concerned.

If you need any help getting it set up just PM me, and I do the same thing: kill the wifi on the gateway and use my own.

David
Premium Member
join:2002-05-30
Granite City, IL

David to freakout9903
said by freakout9903:

First off I would HIGHLY recommend you get a wireless router to put behind the 3801 Gateway. I use a Linksys router with a Tomato-Toastman based firmware. This basically lets you bypass a lot of the traffic shaping the 3801 gateway attempts to do but fails severely in many ways.

1. For my VoIP/Skype/gaming I put the router into DMZplus mode which gives it the public IP, open up all traffic to the router/disable the 3801 firewall for the device, and then I go an extra step and go into the firewall settings of the 3801 gateway

and UNCHECK (to disable the 3801 from touching anything):
Stealth Mode
Block Ping
Strict UDP Session Control
Excessive Session Detection
TCP/UDP Port Scan
Invalid Source/Destination IP address
Packet Flood (SYN/UDP/ICMP/Other)
Invalid TCP Flag Attacks (NULL/XMAS/Other)
Invalid ICMP Detection
Miscellaneous

and CHECK (to allow all inbound):
HTTP
HTTPS
FTP
Telnet
SMTP
DNS
NetBIOS
POP3
IMAP
NNTP
IRC
H323
All Other Protocols

I know this is kind of not needed since I disabled the firewall for the gateway but it seems to speed things up a bit in my opinion since it's not actively looking for attacks or not allowing certain traffic through.

2. Then in my Tomato firmware I changed my DNS servers and un-checked the option in the firmware for: "Use received DNS with user-entered DNS"

This lets you bypass the 3801's DNS, which is slow and unresponsive at times I have found. So this dramatically speeds up everything.

3. Specifically for Youtube I block these IP ranges from the post I made here: previous post

All this lets me have a smooth experience with U-verse, and I should mention I am on the 12mbit/1.5mbit internet tier. No tech is going to be able to recommend you do any of this, and it may not be for everyone if you have devices other than your STBs/wireless router connected directly to your 3801 gateway (as this would open up those devices to attacks). With that said, everything except your STBs should be connected behind your router...not directly to your 3801 gateway if you go this route.

I am kind of surprised more people don't set them up this way. This is how I set up the 2wire 2701HG-B at home with the DSL. Everything just passes right through.

Mangix
Member
join:2012-02-16
united state

Mangix to freakout9903
said by freakout9903:

and UNCHECK(to disable the 3801 from touching anything):
Stealth Mode
Block Ping

Why?

Unchecking those two options makes you visible on the internet. And no, your little Linksys router will not solve that.

Keep in mind that even in DMZPlus mode, it's still the 2Wire which connects to the internet. It just shares that connection with your linksys.

freakout9903
Premium Member
join:2001-04-19
Gastonia, NC

said by Mangix:

said by freakout9903:

and UNCHECK(to disable the 3801 from touching anything):
Stealth Mode
Block Ping

Why?

Unchecking two options make you visible on the internet. And no your little linksys router will not solve that.

Keep in mind that even in DMZPlus mode, it's still the 2Wire which connects to the internet. It just shares that connection with your linksys.

If you had used a third-party firmware you would know it's pretty much like having a Linux firewall between the gateway and the rest of your devices. I can be very specific with iptables, so yes, essentially it opens me up to the Internet, but unwanted traffic is still filtered out, just by my Tomato-based router instead of the gateway. As long as all my devices are connected behind my DMZ device and not directly to the gateway, nothing is "wide open" to the Internet.
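The kind of ruleset the reply above alludes to, written out as an added example that is not from this thread or from the Tomato project: a default-deny, stateful iptables policy for the Linux router sitting in the gateway's DMZplus, so that disabling the 3801's own firewall (and its "Stealth Mode"/"Block Ping" checks) still leaves the LAN filtered by the router. The interface names (vlan2 for the WAN port, br0 for the LAN bridge), the 192.168.1.0/24 LAN range and the function names are assumptions; Tomato builds use different names depending on the hardware.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomato project): default-deny
# stateful firewall for a router placed in the gateway's DMZplus.
# Interface names and LAN range are assumptions; override via environment.
WAN_IF="${WAN_IF:-vlan2}"            # assumed WAN port name
LAN_IF="${LAN_IF:-br0}"              # assumed LAN bridge name
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed LAN address range

# Emit the rules as text so they can be reviewed or diffed before they run.
build_rules() {
cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
iptables -A INPUT -i $WAN_IF -m limit --limit 10/minute -j LOG --log-prefix "WAN-DROP: "
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Audit helper: how many rules admit unsolicited traffic arriving on the WAN
# interface? With the ruleset above the answer is 1 (rate-limited ping).
wan_accept_count() {
    build_rules | grep -- "-i $WAN_IF" | grep -c -- "-j ACCEPT"
}

# Apply the generated commands; must run as root on the router itself.
apply_rules() {
    build_rules | sh
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run the script with no arguments to print the ruleset for review, and with `apply` as root on the router to load it. Only replies to established or related connections and rate-limited echo requests are accepted from the WAN side; everything else is logged (rate-limited) and dropped by the chain policy, which is the point Mangix raises: once the gateway no longer blocks pings or port scans, it is the router's INPUT and FORWARD policies that decide what the outside can reach.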