ILpt4U (Premium Member, join:2006-11-12, Saint Louis, MO) to cookiesowns

Re: U-Verse Business NVG585 NAT limit

To the OP:

Which WAN interface is your NVG595 using? Is it using the Ethernet or Fiber WAN port?
ILpt4U (Premium Member) to brianlan
said by brianlan:

Yep, I am an internet only customer... DirecTV provides the best picture, we all know that!!! I would assume most people that know about the NAT problem will quickly want to un-ass the NVG5XX platform if they can! But you're right, my solution will be for those that only have internet and no TV or VOICE products from AT&T.

True, but if their service is being handed off to the NVG595 via Fiber instead of Copper Ethernet, then a router with a Fiber WAN port will be needed.

At least as best I can tell from the NVG595 pics, it has both a Copper Ethernet WAN port and a Fiber (assuming Ethernet) WAN port.
brianlan (Member, join:2009-10-12, Garner, NC)

Yeah, that would suck if it was fiber to the NVG595. I am assuming most (including my install) are CAT5e or CAT6 between the ONT and RG.

ILpt4U (Premium Member, join:2006-11-12, Saint Louis, MO)

I'm sure routers/equipment can be found with a Fiber WAN port. Either that or get a Fiber to Copper Ethernet converter/transceiver/whatever they are called.
brianlan (Member, join:2009-10-12, Garner, NC) to cookiesowns
I'm going to try to stay up tonight and put together my how-to.

ILpt4U (Premium Member, join:2006-11-12, Saint Louis, MO)

said by brianlan:

I'm going to try to stay up tonight and put together my how-to.

I'll pop some popcorn and a couple adult beverages.

In all seriousness, though, I find this very interesting, and pretty awesome that you have this working, and even more so if it continues to keep working! And that you are sharing the knowledge!
brianlan (Member, join:2009-10-12, Garner, NC)

if you IRC, join FREENODE and PM me (username: redsoxcc)
brianlan (Member)

OK, it's late and I need to sleep; I will finish this in the morning. If you want a head start, go to the store and buy a Netgear GS108E and a few CAT5e cables. I will tell you how to use it tomorrow!!
brianlan (Member) to cookiesowns
Finished my guide.

»docs.google.com/document ··· =sharing

Enjoy!
cramer (Premium Member, join:2007-04-10, Raleigh, NC) to cookiesowns
If all you need is dot1x from the NVG, then some seriously hacked ebtables rules to pass only that layer-2 traffic might work. You'd need a NIC (vlan?) dedicated to the NVG and then run the Uverse line directly to your router. Using a non-linux router might make that harder, though.
96964493 (banned) (Member, join:2015-01-09, USA) to rolande
We are a reseller across the entire footprint on all accounts and have never seen/heard of this RG.
brianlan (Member, join:2009-10-12, Garner, NC)

Here it is...

»apps.fcc.gov/oetcf/eas/r ··· Z5NVG595
cookiesowns (Member, join:2010-08-31, Irvine, CA) to ILpt4U
Fiber. Bummer, so this would be trickier.

I have an EX3300 that's running most of our production traffic, wonder if there's a way to just bridge. I'll have to brush up on JunOS. Or I can just get an Intel SFP NIC on our pfSense box.

Just read your guide, looks like we can! I'll try this over the weekend. Should be able to just put one of the SFPs on the same vlan, as an ethernet to the gateway; if I can get a link this way, then that means I can essentially use the EX3300 as a media converter. If no go, I'll try finding some cheap 1G SFP optics and some additional LC-LC patch fiber.

Anyone happen to have any I can borrow in Orange County? =)

brookeKrige (Member, join:2012-11-05, San Jose, CA) to brianlan
Awesome, I have bonded copper pairs, don't see how anything similar can work there.

Much slicker than the older posts of someone with (Max-Turbo only?) FTTP/ONT, spoofing the RG's WAN-MAC to replace it with their own router, IIRC simply by a mechanical reconnect of the cat5 from ONT, moving it from the RG WAN port to their own router's WAN port.

Are you saying GigaPower is different enough, that mechanical reconnect no longer works (did you try it?), i.e. physically is incapable of being "fast enough", or the ONT is somehow now "better" at detecting the transition, requiring the VLAN solution?

... and it lasted more than 24 hours?
brianlan (Member, join:2009-10-12, Garner, NC)

I don't know about the past solutions... But I do know that while testing initially, I bumped the connector on the switch and caused the link to break for a split second. This created a new auto-negotiation event and it caused me to have to restart the procedure. Maybe the Alcatel/Lucent ONT at my home is sensitive to these interrupts...

Yeah, my uptime is over 36 hours at this time. Unfortunately I am going to have to restart my router this evening, which will force a restart of my AT&T WAN connection. So the clock will restart.
cookiesowns (Member, join:2010-08-31, Irvine, CA)

Do you know what the DHCP lease time is on your gateways?

Have you ever needed to renew a DHCP lease?
brianlan (Member, join:2009-10-12, Garner, NC)

No need, you will be statically assigning the IP info on your router. IPs don't change from what I can tell in the gigapower world.

Let's try to keep all this conversation at the thread I created relating to the bypass method. I don't want to take away from the OP's conversation anymore.
jdj2035 (Member, join:2010-11-03) to ILpt4U
said by ILpt4U:

Which WAN interface is your NVG595 using? Is it using the Ethernet or Fiber WAN port?

I am interested to see when AT&T uses this instead of the copper/RJ45. I suspect that it is only for installs where the RG is over 100m from the DEMARC in the building. Not sure what other benefits would be there other than this.
brianlan (Member, join:2009-10-12, Garner, NC) to cookiesowns
I noticed in the user manual for the NVG595 there is a large section about shell access.

»apps.fcc.gov/oetcf/eas/r ··· Z5NVG595

Since I have never used anything other than the NVG589, can someone confirm whether or not you can actually access the shell on this device.

If so, you can probably rewrite the config as outlined over at EARLZ (»earlz.net/view/2012/06/0 ··· he-webui) to gain a true bridge.

Food for thought.
cramer (Premium Member, join:2007-04-10, Raleigh, NC)

All known (read: published) holes have been fixed. The only way to root one now is to hack the firmware, or attach to the internal serial port (assuming they haven't locked that, too).
brianlan (Member, join:2009-10-12, Garner, NC)

I was referring to the fact that if the OP with his NVG595 was able to access the shell, then maybe he could follow the command sequences to enable a true bridge. Yeah, it won't be identical steps, but sometimes having help can allow you to form your own conclusions and get what you want.
cramer (Premium Member, join:2007-04-10, Raleigh, NC)

That's a very big if. The last I heard, the internal shell (serial console) didn't use the same passwords. I don't have a copy of the 595 firmware to inspect. (have 510 and 589 fws)

For an ONT based install, an EAPOL bridge should be enough. (protocol 888e vlan -- assuming you have a smart enough switch)

(what you'd need to replicate the nvg's eap_tls agent is the entire certificate chain from flash. AND, knowledge of how to decrypt the scrambled device cert therein. As I have zero equipment that can act as a dot1x client -- linux boxes don't count -- I've not bothered to disassemble the nvg's code. Plus, I no longer do business with Uverse. )

TestBoy (Premium Member, join:2009-10-13, Irmo, SC) to cookiesowns
The 589 creates the password at boot.... there is nothing in the firmware to see unfortunately.

JTAG is pretty much a no-go.

The only hopes (we think) for the 589 is to alter the image and write it back to the flash - and hope it's not checksummed.. and it likely is.
That means it won't boot off our modded firmware.. but we have yet to try it.

Kind of an expensive project
cookiesowns (Member, join:2010-08-31, Irvine, CA) to jdj2035
They are already using this. It's for all new business fiber guys. Up to 500/500 currently, and they connect straight into a Ciena 5140 eMUX. Our link is actually less than 50 feet, but they gave us a fiber drop since we were the first. Which is fun, because I love dealing with SFPs, but again makes this a bit trickier.

I'll chime in on the other thread soon with my findings.

Telnet/ssh is no go.
cramer (Premium Member, join:2007-04-10, Raleigh, NC) to TestBoy
A default passwd file is in the firmware, if it uses it at all. Normally, the password is a serial number stored in "nvram". (manufacturer section of flash) The point was, the serial console reportedly uses a different password than cshell/nsh ask for by telnet. The 510's are rootable because older firmware is available. I don't think any 589 versions were hackable. The current generation should have every known hole fixed.
nephipower (Member, join:2012-02-20, San Antonio, TX) to cookiesowns
said by cookiesowns:

One of our AT&T reps here this morning actually spoke to me. We're one of the first to have signed up in our plaza. So I feel that I may have some bargaining power here to either request a more powerful gateway or to figure out a way around the nat limit.

Theoretically the device CPU & RAM should be able to handle in well excess of 2K sessions. If they bump it up to 10K, I think in most use cases we would be totally fine..

I'll let you guys know what I find =)

Any updates from Uverse on the small NAT tables?

Even though people have said before that they have tried to fight this battle, I am hoping that they would at least listen to a business customer more.
lddaly (Member, join:2002-09-02, Plano, TX) to cookiesowns
We cut-over to our AT&T Business Fiber 300/75 circuit over the weekend and are experiencing the same issues. We did not hit the limit during our testing because we introduced significant traffic load but not enough sessions. We escalated the issue with support and sales, but have not yet heard back. We are not a large business, under 100 users. We just want the Arris router out of the way and let our Juniper SSG handle the traffic.
cookiesowns (Member, join:2010-08-31, Irvine, CA) to nephipower
Haven't gotten around to calling AT&T or seeing if the work-around Brian posted succeeds.

I should have an update on the latter soon.

rolande (MVM, join:2002-05-24, Dallas, TX) to jdj2035
said by jdj2035:

If you give the cascaded router a private LAN IP then the 589 is still going to NAT all the traffic that goes to that router. Right?

Technically, no. You route your public static IPs to the private IP of your cascaded router. The private IP of your router does not have to be directly reachable as it is a transit interface. The RG may still have flows for the traffic but it is not actively managing them if you turn off all the SPI features. The question is if you wrap the flow table due to the memory limitation how the RG will handle it. If it drops traffic, then you are stuck.

That is really crappy if AT&T is selling that as a business solution. They have to have another business router option with that NAT constraint significantly raised. Ironically, the NVG589 was initially configured to support over 8,000 NAT flows when it was first released. They hobbled it back down to the 2,500 range early last summer sometime when they did a firmware rollout. They "fixed" and added a bunch of IPv6 features and security stuff. Seems they must have needed more memory on those boxes for those upgrades and they had to rob Peter to pay Paul.
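Added example, not code from any poster in this thread: a cascaded Linux router (the Juniper/pfSense/Linux box behind the RG that several posters describe) can watch its own conntrack table to see how close LAN traffic is getting to the roughly 2,500-flow cap rolande mentions, and which hosts hold the slots. It assumes all WAN-bound traffic crosses that router, so its table approximates what the RG sees; the `conntrack -L` lines below are constructed, not captured from any device.

```python
import re
from collections import Counter

# Flow cap this thread attributes to the NVG589 after the firmware rollout (about 2,500).
RG_FLOW_CAP = 2500

# Constructed sample of `conntrack -L` output from a cascaded Linux router;
# not captured from any real device. 192.168.1.10 is the busy host.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.7 sport=51234 dport=443 src=203.0.113.7 dst=198.51.100.2 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=192.168.1.10 dst=203.0.113.8 sport=51235 dport=80 src=203.0.113.8 dst=198.51.100.2 sport=80 dport=51235 [ASSURED] mark=0 use=1
tcp      6 43 SYN_SENT src=192.168.1.10 dst=203.0.113.9 sport=51236 dport=443 [UNREPLIED] src=203.0.113.9 dst=198.51.100.2 sport=443 dport=51236 mark=0 use=1
udp      17 29 src=192.168.1.11 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=198.51.100.2 sport=53 dport=40000 mark=0 use=1
"""

# TCP states that hold a table slot without carrying useful traffic; a burst
# of these is usually what wraps a small flow table first.
IDLE_STATES = {"TIME_WAIT", "SYN_SENT", "CLOSE_WAIT", "LAST_ACK", "CLOSE"}


def parse_flows(text):
    """Return one dict per conntrack line: protocol, TCP state, originating LAN host."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto = fields[0]
        state = fields[3] if proto == "tcp" else "-"
        # The first src= is the original direction, i.e. the host that opened the flow.
        src = re.search(r"src=(\S+)", line).group(1)
        flows.append({"proto": proto, "state": state, "src": src})
    return flows


def flows_per_host(flows):
    """Count table slots held by each LAN host (Counter, busiest first via most_common)."""
    return Counter(f["src"] for f in flows)


def table_report(text, cap=RG_FLOW_CAP, warn_at=0.8):
    """Summarise usage against the RG's cap; 'warn' is True once usage reaches warn_at."""
    flows = parse_flows(text)
    total = len(flows)
    idle = sum(1 for f in flows if f["state"] in IDLE_STATES)
    return {
        "total": total,
        "idle": idle,
        "headroom": cap - total,
        "percent": round(100.0 * total / cap, 2),
        "warn": total >= warn_at * cap,
        "top_hosts": flows_per_host(flows).most_common(3),
    }
```

On a live box, feed `table_report` the text of `conntrack -L` on a timer; when `warn` trips, the `top_hosts` list tells you which machine to look at before the RG starts dropping new sessions.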
cramer (Premium Member, join:2007-04-10, Raleigh, NC)

said by rolande:

the private IP of your cascaded router. The private IP of your router does not have to be directly reachable as it is a transit interface.

And people wonder why PMTU doesn't work. (ICMPs from a private IP tend to get dropped in provider networks, at borders, or CPE that has any measure of security.) The RG's NATing of that private address won't necessarily work.

My Uverse ("business") static block was the LAN between the RG (NVG510) and my router. I don't recall it ever being a problem, but I never checked its connection tracking tables.