dslreports logo

Important Note: If you use AT&T uVerse Voice (VoIP) service it is not recommended to put your NVG589/599 Remote Gateway into IP Passthrough mode. IP Passthrough mode has been shown to conflict with uVerse Voice service in which incoming calls may not connect properly resulting in callers hearing an error message. If you use AT&T uVerse Voice Service you are pretty much condemned to use this device to power your home network.

Bridge mode, DMZ+, or IP Passthrough are the features that permit you to run your own router behind the AT&T provided residential gateway with a public IP address on its outside WAN interface. The NVG589 supports the IP Passthrough feature to accomplish this.

To be technically accurate, the NVG589 does not actually "bridge" the traffic. It will enable a default rule to forward all unknown inbound traffic to the AT&T public IP address to the MAC address of the internal router. This will preserve the public destination IP address on incoming packets and allow you to control inbound access for services and security from your personal router.

The NVG589 will still map session state information for each connection passing through, similar to a traditional NAT configuration. The only thing it will do with this traffic is rewrite the destination MAC address to that of your personal router's WAN interface. The NVG589 includes more memory and can support 8192 simultaneous connection entries, as compared to previous gateways that were limited to a maximum of 1024.

Make sure you have a notebook or a computer that you can directly connect to the NVG589.  Once you have that, unplug all Ethernet cables (including television STBs) from the NVG589 except for the previously mentioned notebook/computer. Note: the WAN connection from AT&T is not an Ethernet connection.

Second, write down the WAN-side MAC Address of your personal router.

Configuration steps to perform on the NVG589:
Note: 192.168.10.1-254 address block is a suggestion in this series of steps.  Feel free to adjust this as you wish.

1. Login to the NVG589's web-based configuration interface in your web browser.
This can usually be accessed with the following link:  https://192.168.1.254

2. Go to the "Home Network" -> "Subnets & DHCP" tab.  It may ask for your NVG589's password.

3. If your "Device IPv4 Address" is in the same subnet as your personal router's LAN segment, you should change your personal router's network configuration to use a different subnet like 192.168.10.0 or whatever you wish, as long as it continues to use private address space in the 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12.  The subnet mask can stay the same, 255.255.255.0, or can be adjusted to a larger range if you want.

4. Leave the default DHCP settings on the NVG589 as is, unless you want to expand the usable range. This will permit your Television Set Top Boxes to connect and any other devices that you may want to use the integrated wireless or wire directly to the RG. The Television STBs can not connect to your personal router, unless your router has the capability to provide Multicast Routing using IGMPv3. Most consumer routers do not have this capability.

It is important that you have only your computer that's configuring the NVG589 connected to it at this time.

5. If you have made any changes, at this point, Click "Save" at the bottom.

6. Go to the "Home Network" -> "Wireless" tab.

7. If you do not want to use the NVG589's integrated wireless feature, disable Wireless by choosing "Off" in the "Wireless Operation" option.

8. Go to the "Firewall" -> "Packet Filter" tab.  Click on the "Disable Packet Filters" button.

9. Go to the "Firewall" -> "NAT/Gaming" tab and disable any and all settings.

10. Go to the "Firewall" -> "IP Passthrough" tab.  Select "Passthrough" in the "Allocation Mode" option.

11. Do not enter anything for the "Default Server Internal Address". Leave this field blank.

12. In the "Passthrough Mode" selection choose "DHCPS-Fixed".

13. Type in the WAN-side MAC Address for your router under "Manual Entry", lowercase is fine. The MAC address should be in the traditional hexadecimal format xx:xx:xx:xx:xx:xx where the x's should be values from 0-9 or letters a-f, separated with single colons. If you have already connected the WAN interface of your personal router and configured it for DHCP, it may show up in the "Choose from list". If you select it, it will automatically fill the field with appropriate MAC address.

14. The Passthrough DHCP Lease value defaults to 10 minutes. You can not change this. 

15. Click "Save" at the bottom. It will tell you that it needs to reboot. Stop! Do not reboot the router, yet.

16. If you are not putting any devices on the network segment directly attached to the AT&T gateway and do not want any of the Firewall security features active on the NVG589, go to the "Firewall Advanced" tab at the top and turn everything off. The recommendation is to leave these features enabled if you will have any devices on this segment or are using the integrated wireless feature. If you disable these features, make sure you are enabling this functionality on your personal router.

17. Near the top of your screen, you should see an option telling you to reboot the router. Go ahead and do this now. It takes about 2 minutes.


Configuration steps for your personal router:

1.
Disconnect your laptop's ethernet connection from the NVG589 and connect your personal router, while the NVG589 reboots.

2. Connect your laptop to your personal router.

3. Login to your personal router and change the Internet connection type to DHCP as per your router's instructions.

You should be done configuring the IP Passthrough "bridge mode", at this point. Verify that your personal router is being assigned the public IP address from AT&T on its WAN interface via DHCP.


Feedback received on this FAQ entry:
  • I've followed this to the letter trying to stop the double NAT with my ASUS AC1900 a.k.a. RT-AC68U. I can surf OK except oddly I cannot reach target.com (Access Denied - You don't have permission to access "http://www.target.com/" on this server. Reference #18.270ad817.1502513145.3a71fcfc) and my directvnow service stopped working. The public ip on my U-Verse modem doesn't agree with the IP address reported by various web sites. I'm obviously lost. Any ideas? I don't use Uverse TV or VOIP. I can reach Target by connecting directly to the modem. Thanks.

    2017-08-12 00:49:18 (w7sjk See Profile)

  • Great directions. Thank you. This needed to be done on my router to make IP Passthrough mode work: local network ? Subnets & DHCP ? Allow Inbound Traffic ? On

    2017-03-04 09:01:18

  • FOR AT&T PACE 5268AC - The answer is YES! I just did it (with ATT support). Step one, have the ATT router..(say ethernet port 1 connected to your WAN interface on YOUR Router). Switch cables or have a known lan connection to YOUR router. Get the "DHCP IP" from your WAN interport on your ROUTER (will likely be 192.168.1.x - knowing the ATT Pace 5268AC's default is 192.168.1.254). On the FIREWALL page - "Applications, Pinholes and DMZ at the seciton "1" area there will be a Cell window where you can type in the known WAN address of YOUR router (192.168.1.x). Put that IP address in the window and click the button to the right called CHOOSE. Scroll down to Options "2" area and at the bottom there is a radio button to forward ALL traffic to your (it says computer, but we know it's your router). Click the save button. If you look at the STATUS tab on the ATT FIREWALL Status tab now, you'll see ALL/ALL inbound traffic to be directed to your ROUTER. Turn off your router now. Reboot the ATT router PACE 5268AC and wait until you see the "Service" light come on blinking actively. This will take oh....2 minutes? Once the Service light is on....turn on YOUR router.....once booted.......log in and you should see the WAN interface with the PUBLIC IP on it!!!!!! Yours truly......

    2016-12-29 17:09:33

  • My issue is that the DNS server on this router is fixed and is much slower than other servers. Will I establish the DNS server on the new router?

    2016-12-28 11:20:21

  • Thanks it worked. If computers login to the server they get IP from server. If computers login just to workgroup they get IP from NAV599. Thanks

    2016-08-27 21:12:20

  • Do you connect the NVG589 LAN port to your personal routers LAN port or connect it to the WAN port of your personal router?

    2016-08-01 23:24:14

  • Thumbs up.

    2016-07-26 09:54:12

  • Does this configuration support the use of U-Verse television service? If so, I'm guessing that only the coax outputs would work, not the ethernet outputs? I have heard that in order to use our own router, the best solution is to have AT&T provide 2 gateways - use one for TV & Voip phone connection, and the second one "bridged" for internet only. Do you know if that would require two U-Verse accounts? If so, maybe the best solution is to implement your bridging instructions and get landline telephone service (providing that TV service would still function)?

    2016-07-15 11:45:28 (StanC See Profile)



Expand got feedback?

by trparky See Profile
last modified: 2015-11-16 17:54:10