07-29-2010 10:59:37 AM
I had a U-verse install this week that I had to pull the plug on because nobody could figure out how I could bridge all of the static IP addresses to the WAN port of my firewall. I am loath to trust any firewall an ISP will provide and beyond that point, as an I.T. professional, I have multiple VPN tunnels end pointed on my WAN port and routing IPs etc. No one on the AT&T side had a viable solution. I had to pull the plug and stick with my slower, but reliable DSL connection and DISH. I tried to see if I could have U-verse for TV and DSL for internet until they could resolve the incapability on their internet service but they told me they could not do that.
They tried to talk me into DMZ+ mode but there is no way to bind all of the IP addresses in the block to a single MAC so I'd have to settle for my firewall having a single IP to manage... a big downgrade from the /28 I have now.
I am SORELY disappointed AT&T! Your upgrade is a downgrade in this light. I've heard such bad things about Charter, but I am considering giving them a call anyway. Please, start providing bridged connections for those of us with real firewalls. I spent too much money on it to throw it away so I could use your less feature rich firewall.
07-29-2010 11:32:27 AM
I might suggest you search around more on this forum for some old threads on static IPs for more details. But my understanding of the requirements is that each IP must be assigned to a different MAC address. The 2Wire maps each static IP to a unique MAC address connected behind it.
So in your case where you are trying to provide your own single commercial firewall device, you would merely need to configure your firewall device to spoof multiple MAC addresses - 1 per static IP you are trying to assign.
Once the 2Wire sees what it thinks are multiple Ethernet cards w/ unique MAC addresses behind it - you can then go through the process of mapping each IP in your static block to each unique MAC address being presented by your commercial firewall device.
A couple of months ago, a user posted details of how they scripted and set up a Debian Linux system to do this function. But your commercial firewall should be able to do this as well.
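Added example (not part of any post in this thread, and not the Debian script mentioned above): one way a Linux box can present one MAC address per static IP on a single NIC, using macvlan sub-interfaces. The parent interface `eth0`, the `wanN` names, the locally administered `02:00:00:00:00:NN` MACs and the use of `dhclient` are assumptions chosen for illustration; the functions only print the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: prints a command plan, does not change any interface.
# Assumptions: Linux with iproute2 and dhclient; names and MACs are made up.

# Print a locally administered unicast MAC (first octet 02) for index N.
mac_for_index() {
    printf '02:00:00:00:00:%02x\n' "$1"
}

# Print the commands that create COUNT macvlan sub-interfaces on PARENT,
# each with its own MAC, so the gateway sees COUNT separate devices and
# one static IP can be mapped to each of them.
macvlan_plan() {
    parent=$1
    count=$2
    case $count in
        ''|*[!0-9]*) echo "count must be a number" >&2; return 2 ;;
    esac
    if [ -z "$parent" ] || [ "$count" -lt 1 ] || [ "$count" -gt 254 ]; then
        echo "usage: macvlan_plan PARENT COUNT(1-254)" >&2
        return 2
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        name="wan$i"
        mac=$(mac_for_index "$i")
        echo "ip link add link $parent name $name address $mac type macvlan mode bridge"
        echo "ip link set $name up"
        # Assumption: each sub-interface requests its own lease over DHCP.
        echo "dhclient $name"
        i=$((i + 1))
    done
}

# Show the plan for five sub-interfaces on the assumed parent NIC.
macvlan_plan eth0 5
```

Once the sub-interfaces are up, the address-to-device mapping itself is still done on the gateway as described in the post above.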
07-29-2010 03:00:57 PM
Yeah, I read those. I'm not sure if my Netscreen 5GT can spoof multiple MACs to the untrusted interface. I will check... thanks! I saw the idea of creating a middle tier on Linux that does that... unfortunately Linux is not my specialty and I have a 2 year old and an infant so time is not on my side. :-(
07-29-2010 06:34:33 PM
bsdsmb, Thanks for tickling my brain! It makes sense! Since my firewall is so smart, it should be able to outsmart the 2Wire. :-) I just wish one of the AT&T folks could have told me that the reason the 2Wire didn't see my Netscreen is b/c it requires all clients to be DHCP.
I poked around and it seems I can configure up to 8 extra DHCP interfaces on my WAN port. Perfect! That should cover a /29. My neighbor has U-verse so I'm going to test it out to see if his 2Wire detects what I've created and if it works, I'll schedule another install.
07-31-2010 08:21:59 PM
I haven't been able to get multiple untrust devices to grab IPs from a DHCP server. I can only get one... haven't given up but if anyone knows Netscreens, I'd appreciate some help. Or if anyone knows how to just get the dang 2Wire into a bridge mode to deliver a routed subnet, that would be nice too.
08-08-2010 09:28:19 AM
I have to agree that this method of assigning static IPs is a HUGE disappointment. If every other ISP (including my old Speakeasy DSL) can route multiple static IPs to my location, why can't U-verse? How is this a technological advancement? U-verse TV, phone and even the internet are great with the exception of this one issue.
I'm using a SonicWall router behind the RG, and while I can spoof MAC addresses, the router won't let me have multiple WAN IP addresses on the same subnet. I've managed to jury-rig a system to capture more than 1 static IP, but it all seems very ridiculous and unnecessary to me. I'm still at a loss for why U-verse won't provide basic routing capabilities like so many other ISPs.