ILpt4U Premium Member join:2006-11-12 Saint Louis, MO
to cookiesowns
Re: U-Verse Business NVG585 NAT limit
To the OP:
Which WAN interface is your NVG595 using? Is it using the Ethernet or Fiber WAN port?

ILpt4U
to brianlan
said by brianlan:
Yep, I am an internet-only customer... DirecTV provides the best picture, we all know that!!! I would assume most people that know about the NAT problem will quickly want to un-ass the NVG5XX platform if they can! But you're right, my solution will be for those that only have internet and no TV or VOICE products from AT&T.

True, but if their service is being handed off to the NVG595 via Fiber instead of Copper Ethernet, then a router with a Fiber WAN port will be needed. At least, the best I can tell from the NVG595 pics is that it has both a Copper Ethernet WAN port and a Fiber (assuming Ethernet) WAN port.
Yeah, that would suck if it was fiber to the NVG595. I am assuming most (including my install) is CAT5e or CAT6 between the ONT and RG.
ILpt4U (Premium Member) 2015-Mar-4 11:58 pm
I'm sure routers/equipment can be found with a Fiber WAN port. Either that or get a Fiber to Copper Ethernet converter/transceiver/whatever they are called.
to cookiesowns
I'm going to try to stay up tonight and put together my how-to.
ILpt4U (Premium Member, ARRIS TM822, Asus RT-N66) 2015-Mar-4 11:59 pm
said by brianlan:
I'm going to try to stay up tonight and put together my how-to.

I'll pop some popcorn and a couple of adult beverages. In all seriousness, though, I find this very interesting, and it's pretty awesome that you have this working, and even more so if it continues to keep working! And that you are sharing the knowledge!
If you IRC, join Freenode and PM me (username: redsoxcc).

brianlan
OK, it's late and I need to sleep; I will finish this in the morning. If you want a head start, go to the store and buy a Netgear GS108E and a few CAT5e cables. I will tell you how to use it tomorrow!!

brianlan
to cookiesowns
cramer Premium Member join:2007-04-10 Raleigh, NC Westell 6100 Cisco PIX 501
to cookiesowns
If all you need is dot1x from the NVG, then some seriously hacked ebtables rules to pass only that layer-2 traffic might work. You'd need a NIC (VLAN?) dedicated to the NVG and then run the Uverse line directly to your router. Using a non-Linux router might make that harder, though.
to rolande
We are a reseller across the entire footprint on all accounts and have never seen/heard of this RG.
to ILpt4U
Fiber. Bummer, so this would be trickier.
I have an EX3300 that's running most of our production traffic; wonder if there's a way to just bridge. I'll have to brush up on JunOS. Or I can just get an Intel SFP NIC on our pfSense box.
Just read your guide, looks like we can! I'll try this over the weekend. Should be able to just put one of the SFPs on the same VLAN, as an ethernet to the gateway; if I can get a link this way, then that means I can essentially use the EX3300 as a media converter. If no go, I'll try finding some cheap 1G SFP optics and some additional LC-LC patch fiber.
Anyone happen to have any I can borrow in Orange County? =)
to brianlan
Awesome. I have bonded copper pairs; I don't see how anything similar can work there.
Much slicker than the older posts of someone with (Max-Turbo only?) FTTP/ONT, spoofing the RG's WAN MAC to replace it with their own router, IIRC simply by a mechanical reconnect of the cat5 from the ONT, moving it from the RG WAN port to their own router's WAN port.
Are you saying GigaPower is different enough that the mechanical reconnect no longer works (did you try it?), i.e. physically it is incapable of being "fast enough", or the ONT is somehow now "better" at detecting the transition, requiring the VLAN solution?
... and it lasted more than 24 hours?
I don't know about the past solutions... But I do know that while testing initially, I bumped the connector on the switch and caused the link to break for a split second. This created a new auto-negotiation event and it caused me to have to restart the procedure. Maybe the Alcatel/Lucent ONT at my home is sensitive to these interrupts...
Yeah, my uptime is over 36 hours at this time. Unfortunately I am going to have to restart my router this evening and it will force a restart of my AT&T WAN connection. So the clock will restart.
Do you know what the DHCP lease time is on your gateways?
Have you ever needed to renew a DHCP lease?
No need, you will be statically assigning the IP info on your router. IPs don't change from what I can tell in the GigaPower world.
Let's try to keep all this conversation in the thread I created relating to the bypass method. I don't want to take away from the OP's conversation anymore.
to ILpt4U
said by ILpt4U:
Which WAN interface is your NVG595 using? Is it using the Ethernet or Fiber WAN port?

I am interested to see when AT&T uses this instead of the copper/RJ45. I suspect that it is only for installs where the RG is over 100m from the DEMARC in the building. Not sure what other benefits would be there other than this.
to cookiesowns
I noticed in the user manual for the NVG595 there is a large section about shell access. » apps.fcc.gov/oetcf/eas/r ··· Z5NVG595
Since I have never used anything other than the NVG589, can someone confirm whether or not you can actually access the shell on this device? If so, you can probably rewrite the config as outlined over at EARLZ (» earlz.net/view/2012/06/0 ··· he-webui) to gain a true bridge. Food for thought.
cramer (Premium Member) 2015-Mar-6 4:07 pm
All known (read: published) holes have been fixed. The only way to root one now is to hack the firmware, or attach to the internal serial port (assuming they haven't locked that, too).
I was referring to the fact that if the OP with his NVG595 was able to access the shell, then maybe he could follow the command sequences to enable a true bridge. Yeah, it won't be identical steps, but sometimes having help can allow you to form your own conclusions and get what you want.
cramer (Premium Member) 2015-Mar-6 4:44 pm
That's a very big if. The last I heard, the internal shell (serial console) didn't use the same passwords. I don't have a copy of the 595 firmware to inspect. (have 510 and 589 fws) For an ONT based install, an EAPOL bridge should be enough. (protocol 888e vlan -- assuming you have a smart enough switch) (what you'd need to replicate the nvg's eap_tls agent is the entire certificate chain from flash. AND, knowledge of how to decrypt the scrambled device cert therein. As I have zero equipment that can act as a dot1x client -- linux boxes don't count -- I've not bothered to disassemble the nvg's code. Plus, I no longer do business with Uverse.)
TestBoy Premium Member join:2009-10-13 Irmo, SC
to cookiesowns
The 589 creates the password at boot... there is nothing in the firmware to see, unfortunately. JTAG is pretty much a no-go. The only hope (we think) for the 589 is to alter the image and write it back to the flash, and hope it's not checksummed... and it likely is. That means it won't boot off our modded firmware, but we have yet to try it. Kind of an expensive project.
to jdj2035
They are already using this. It's for all new business fiber guys. Up to 500/500 currently, and they connect straight into a Ciena 5140 eMUX. Our link is actually less than 50 feet, but they gave us a fiber drop since we were the first. Which is fun, because I love dealing with SFPs, but again makes this a bit trickier.
I'll chime in on the other thread soon with my findings.
Telnet/ssh is no go.
to TestBoy
A default passwd file is in the firmware, if it uses it at all. Normally, the password is a serial number stored in "nvram". (manufacturer section of flash) The point was, the serial console reportedly uses a different password than cshell/nsh ask for by telnet. The 510's are rootable because older firmware is available. I don't think any 589 versions were hackable. The current generation should have every known hole fixed.
to cookiesowns
said by cookiesowns:
One of our AT&T reps here this morning actually spoke to me. We're one of the first to have signed up in our plaza. So I feel that I may have some bargaining power here to either request a more powerful gateway or to figure out a way around the NAT limit.
Theoretically the device CPU & RAM should be able to handle well in excess of 2K sessions. If they bump it up to 10K, I think in most use cases we would be totally fine..
I'll let you guys know what I find =)

Any updates from Uverse on the small NAT tables? Even though people have said before that they have tried to fight this battle, I am hoping that they would at least listen to a business customer more.
lddaly join:2002-09-02 Plano, TX
to cookiesowns
We cut over to our AT&T Business Fiber 300/75 circuit over the weekend and are experiencing the same issues. We did not hit the limit during our testing because we introduced significant traffic load but not enough sessions. We escalated the issue with support and sales, but have not yet heard back. We are not a large business, under 100 users. We just want the Arris router out of the way and let our Juniper SSG handle the traffic.
to nephipower
Haven't gotten around to calling AT&T or seeing if the work-around Brian posted succeeds.
I should have an update on the latter soon.
rolande Certifiable MVM, join:2002-05-24 Dallas, TX ARRIS BGW210-700 Cisco Meraki MR42
1 recommendation
to jdj2035
said by jdj2035:
If you give the cascaded router a private LAN IP, then the 589 is still going to NAT all the traffic that goes to that router. Right?

Technically, no. You route your public static IPs to the private IP of your cascaded router. The private IP of your router does not have to be directly reachable, as it is a transit interface. The RG may still have flows for the traffic, but it is not actively managing them if you turn off all the SPI features. The question is, if you wrap the flow table due to the memory limitation, how the RG will handle it. If it drops traffic, then you are stuck. That is really crappy if AT&T is selling that as a business solution. They have to have another business router option with that NAT constraint significantly raised. Ironically, the NVG589 was initially configured to support over 8,000 NAT flows when it was first released. They hobbled it back down to the 2,500 range early last summer sometime when they did a firmware rollout. They "fixed" and added a bunch of IPv6 features and security stuff. Seems they must have needed more memory on those boxes for those upgrades and they had to rob Peter to pay Paul.
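Worked example, added here and not code from the thread or from any poster: a small Python simulation of a fixed-size NAT flow table, to make concrete the question rolande raises about what happens when the flow table wraps, and lddaly's observation that heavy traffic load without enough concurrent sessions never hit the limit. The workload shape, the flow timings and the drop-when-full policy are constructed assumptions; the 2,500 and 8,000 entry limits are the figures rolande gives, and nothing here is a measurement of any real RG.

```python
"""Flow-table capacity check for a NAT gateway with a fixed session limit.

Constructed example: synthetic TCP flows are replayed through a table that
holds at most `capacity` entries, to see the peak number of concurrent
entries and how many new flows would be refused when the table is full.
Times are in milliseconds. The workload shape and the drop-when-full
policy are assumptions; the 2,500 and 8,000 limits come from the thread.
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    start_ms: int  # first packet of the flow
    end_ms: int    # last packet of the flow


def simulate(flows, capacity, idle_timeout_ms=0):
    """Replay flows in start order through a table of `capacity` entries.

    An entry lives from the flow's first packet until end_ms + idle_timeout_ms,
    which approximates a conntrack-style NAT table whose entries age out
    some time after the last packet. A flow arriving while the table is
    full is counted as refused and never inserted (assumed drop-when-full
    policy). Returns (peak_entries, refused_flows).
    """
    expiries = []  # min-heap of expiry times of live entries
    peak = refused = 0
    for f in sorted(flows, key=lambda f: f.start_ms):
        while expiries and expiries[0] <= f.start_ms:  # age out old entries
            heapq.heappop(expiries)
        if len(expiries) >= capacity:
            refused += 1
            continue
        heapq.heappush(expiries, f.end_ms + idle_timeout_ms)
        peak = max(peak, len(expiries))
    return peak, refused


def burst(clients, conns_per_client, hold_ms, gap_ms=1):
    """Constructed workload: each client opens conns_per_client outbound HTTPS
    flows to one server, one new flow every gap_ms across the whole office,
    each held open for hold_ms. Long-lived flows keep table slots busy;
    short-lived ones free them quickly even under heavy load."""
    flows = []
    n = 0
    for c in range(clients):
        for k in range(conns_per_client):
            t = n * gap_ms
            flows.append(Flow(f"10.0.0.{c + 1}", 40000 + k,
                              "198.51.100.7", 443, t, t + hold_ms))
            n += 1
    return flows


if __name__ == "__main__":
    # 20 clients x 150 flows = 3,000 flows: short-lived vs held open 30 s
    for hold in (100, 30_000):
        for cap in (2_500, 8_000):
            peak, refused = simulate(burst(20, 150, hold), cap)
            print(f"hold={hold:>6} ms  capacity={cap:>5}  "
                  f"peak={peak:>5}  refused={refused}")
```

Running it shows why a throughput test alone does not trigger the limit: 3,000 flows that each last 100 ms never hold more than 100 table entries at once, while the same 3,000 flows held open for 30 s saturate a 2,500-entry table and the last 500 are refused, but fit comfortably in 8,000. The `idle_timeout_ms` argument models the gateway keeping entries after the last packet, which pushes the peak up further.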
cramer (Premium Member) 2015-Mar-10 4:36 pm
1 recommendation
said by rolande:
the private IP of your cascaded router. The private IP of your router does not have to be directly reachable as it is a transit interface.

And people wonder why PMTU doesn't work. (ICMPs from a private IP tend to get dropped in provider networks, at borders, or CPE that has any measure of security) The RG's NATing of that private address won't necessarily work. My Uverse ("business") static block was the LAN between the RG (NVG510) and my router. I don't recall it ever being a problem, but I never checked its connection tracking tables.