Cablenut - Broadbandnuts - DSLnuts
News & Announcements => News for Broadbandnuts & DSLnuts => Topic started by: dannjr on April 09, 2012, 12:07:25 pm
THIS IS LONG.. Is it worth saving a few thousand for your business connection?
We recently had a lot of experience with U-verse Residential and Business..
I'm getting this info out fast and some of it might be a little sloppy. When I get the full write-up done I'll post it in another board for questions and answers. I'm doing a short section on residential first.
If you're looking for help with Residential because web pages don't seem to open properly, open your network settings and add public DNS assignments to TCP/IP v4. A good place to start is Google Public DNS and OpenDNS. Their IP addresses are, for Google, 18.104.22.168 and 22.214.171.124, AND for OpenDNS 126.96.36.199 and 188.8.131.52. I suggest you look them up in a Google search for more information.
The other and more practical way for residential is to have a second router. Plug it into the AT&T 2wire. Wait a few minutes, go get a coffee, then log in to the 2wire. Go to the Network info page and note the name of your router. Then go to the Firewall settings and enable DMZplus mode for your router. Once it's set, have all your networking for your computers or gaming boxes go through that router.. There will be more details in the Business IP assignments portion of this, BUT this could also solve any minor pixelation you might be getting, by leaving your TVs and phones connected directly to the 2wire and your computers behind on the second layer. It will also allow you to set up connections from work more easily.
HERE's the section most business owners are having problems with.
So you had U-verse business installed.. and you're surfing... AND YOU CAN'T get your 5 static IPs or more running..
I know your pain.
We had U-verse business put in about March 30th after long discussions with techs and sales people at AT&T. We went with it.. Cable wasn't an option because cable doesn't work properly in our area, with lost connections that just won't work.
We have 8 IP addresses assigned to us, 5 of them usable as public IP addresses. We run extensive cloud service here with 18 websites on 3 servers with POP and SMTP mail servers, with a total of 8 machines running 24/7. Over the years the AT&T static IPs through DSL have been fine, with our other DSL running great, for a total of 10 IP addresses. All that and an average of 35 Gig of bandwidth for the websites and about 150,000 emails a month.
So now it was time for better uploads to work with our servers and our own work.
So now AT&T U-verse is installed on a dry loop to our business, which took a lot of patience to have installed.
They brought out an iNID, which is basically the router mounted outside. Then they installed what looks like a regular 2wire inside and a battery backup to power the outside iNID router. 3 pieces of equipment.. You go through the registration and you're surfing... But you didn't come here to find out how to surf or even get it installed. You want to know how to use your additional IP addresses.
By now you've been put in MAC address hell.. This WILL fix that.
Since the 31st of March I read over 1000 pages on this, from how bad the 2wire is to different solutions that made for a lot of work..
This will still be a little technical BUT will work the first time, and you can get back to what you really do for a living.
My personal opinion: the 2wire solution is brilliant. More on that below.
Most businesses will have an IT guy or girl, or the owner of the business has learned how to be technical. This won't cost a bunch of money. Just a little time.. HEY, it took you time just to get U-verse; give it a little patience. ;D ;D ;D ::)
First you need an older computer that you're not using anymore, OR look for a cheap desktop with a minimum of 512 memory.
Get 2 network cards. Inexpensive Realtek cards will work fine for this. In the future, because of our needs, we'll probably be getting managed Intel cards.. 99% of all businesses can probably get away with 2 NICs (network cards).
So now you have the older computer set up with the 2 network cards.
You need something to run it and be able to assign your IP addresses with MAC addresses.... AGAIN, I'M GETTING THIS INFO OUT FAST, so it might be missing little details, but the setup info works..
To do this we need an operating system with a router solution.. This was done with pfSense. Some call it a super router. I call it an unbelievable super router.. Your 2wire router is built around FreeBSD; our version is 4.4. pfSense is based on FreeBSD 8.1. For all practical purposes we're using pfSense 2.0.1, the latest build.
You'll need to download this from pfSense http://www.pfsense.org/ and burn it to disk.. There's A LOT of info and support for the software on their website, and please, if you find this works for you, give them some MONEY; otherwise it is free.
For our purpose we used a Pentium 2.8 32-bit with a gig of memory we had lying around.
Once you have pfSense installed and running you need to plug it into the 2wire.
pfSense will run without installing from the CD so you can get familiar with it... For this to work YOU WILL need to install it to a hard drive.
During the setup you need to set up the WAN NIC (network card); more info is on the pfSense website.
Once pfSense is up and running and you're surfing through it:
Go to the 2wire and set it to turn off the firewall for your static IPs.
Go to Broadband tab > Link Configuration link >
Scroll down to "Supplementary network" > Add additional network
Check the box to > Enable
Input your gateway IP that AT&T gave you for your static IP addresses
Input your subnet mask, usually 255.255.255.248
Check the box "Auto firewall open"
I assume the AT&T tech already did this for you... but just in case, you have that info now.
Now go to the Firewall tab > Advanced configuration
Disable > Stealth Mode
Disable > Block ping
Disable > Strict UDP Session control
Leave UDP session timeout alone.. Plenty of people have messed with this, and for this setup LEAVE IT ALONE.
TCP session timeout is great right where it is.
Scroll down past all the rest of the enabled stuff to
Uncheck all that stuff.. You don't need it; pfSense will do that...
By all means, please leave NetBIOS unchecked.. You don't need to advertise your network or open the computers this way to the public..
Now go to the LAN tab >
Scroll down to see devices.
Look for the current IP and MAC address of the pfSense network card.. If you left it as DHCP assigned it should show your LAST static IP address.
If not, at this time reboot the 2wire, wait a minute, and reboot the pfSense router.
Go back into the 2wire firewall configuration > Applications, pinholes and DMZ.
Click on the pfSense computer link, and if it's not in DMZplus mode, check that box or radio button and hit save.
At this point we're ready to get the rest of the IP addresses running, as long as you can surf to the web through the pfSense box.
In pfSense for our configuration we did a couple of things I'll give you at the end. I'm also going to assume you know how to work with NAT port assignments and how to enable ICMP.. Believe it or not, ICMP on AT&T DSL and AT&T U-verse is important if you want to increase your connection time...
Let's assume your WAN IP is x.x.x.109... It's already up and running and the 2wire knows its MAC address.
So in pfSense go to >
Click the plus sign >
Click the box/radio button CARP
Add your next IP; if your WAN IP ends in x.x.x.109 that is x.x.x.108
(x represents a number)
Set your CIDR for subnet 248 (that = 29)
Set a virtual IP password.. If all goes well you can even log in to pfSense from that virtual IP.
Set the VHID Group > 1
Since this is the first IP, leave it as the number 1.
Advertising Frequency > leave as default (Master): base 1, skew 0
Give it a short description; you will use that name in NAT later on... I use the IP and the word "Static".
Hit Save, then hit Apply on the next screen.
Let's add another IP.
Click on the plus sign to add again and follow the directions just above.
Add the IP, CIDR and password.
Set the VHID Group to 2.
Advertising Frequency the same as the first virtual IP.
Add your description and Save, then Apply.
You can add more if you want, but at this point you can check to see if they're working.
In Status > CARP they should show as MASTER with a green running arrow.
If you scroll down a little you will find.......
(the x represents a number)
Simply said, these numbers represent HEX addresses which are translated to MAC addresses that the 2wire router then recognizes...
You can also add this to the pfSense
As a safety we added a loop to our madness :big:
I mentioned the 3rd network card. We added the interface and enabled it.. DO NOT ASSIGN IT to anything at this point.
We then added to
Click the Routes tab.
Add your pool address and gateway.
Reboot your routers (2wire and pfSense) and go check for the IPs now showing in the 2wire.
Please note it could in some cases take a little bit to propagate the CARP virtual IPs.
I hope this has been a big help to someone, and as I get more of my info and desktop captures together I'll clean this up a bit.
In the meantime don't hesitate to ask for help in the forum.
Some of the other things we have running in pfSense are pfBlocker and Squid proxy.
Also keep in mind pfSense is running services and a firewall.. These should be treated separately mentally, and you're not opening things in the 2wire firewall to your network. You're opening them to your new firewall to control..
Important to note: U-verse will pass public DNS. So using a DNS IP other than what AT&T assigns is important.
ICMP will increase reliability of an AT&T connection.. Opening the advanced firewall in the 2wire is not decreasing your security.. pfSense will handle that.. Some people think it's double NAT from the 2wire through pfSense.. I've run enough tracerts and pings to know it's passing just fine.. If you're not sure, do a packet sniff from pfSense.. They have it built in...
This is as close as you're gonna get to having a true commercial Cisco router without the expense or headaches.
We've been running pfSense builds since just before version 1.2.1... Once you set it you can forget it..
With pfSense we don't use a lot of the add-ons.. Squid proxy is to help cache our websites, not SSL or SSH.. It speeds up the web pages a touch.. Squid can also be used to GET Windows updates, but we don't use it for that.
pfBlocker we use to block by country name or a CIDR set of addresses that have attacked the router.
WE also set these up in other places, bonding more than one ISP or failover, and decrease latency.
Our latency in this particular build averages 30ms and in pfSense 0.72ms.
Memory use is about 10%, the swap file is 0 and CPU fluctuates from 0 to 6% on a normal day.. We have seen it as high as 20%.
The last pfSense box we set up was for a Comcast business connection that was subscribed as 12 down x 2 up, with it bonded to an AT&T DSL at 3 x 512Kb... End results were 56Mb down by 5Mb upload... Don't ask for that secret.
KEEP IN MIND, besides giving this info, most of the info for the build of YOUR pfSense box is on the pfSense website.
They deserve 99.9999% of the credit; without CARP I wouldn't be writing about this...
Please donate to their website.. This isn't cheap to support, BUT man, you'll save on nightmares at night knowing you're up and running..
Public static IP not working after u-verse
AT&T U-Verse Static IP get information about a Static IP? - AT&T
NOTE on the above before more ramblings..
Our port 1 on the 2wire is the last port inside.. Our other port 1 is at the iNID, which is what we use for our pfSense, and we were told to use it by AT&T tech support; that was also added to their notes...
There are people out there with other solutions; some are dangerous and could cost you.
OpenWRT will work in a residential router.
You need to flash that router or upgrade it to OpenWRT and add the MAC tables, which will for all intents and purposes start them out as HEX.
If you use that, make sure the first 2 numbers start with 00:
There are also managed network switches that will allow for MAC assignments; it still has to go behind the 2wire equipment.
Good ones start around $500US.
And there are Cisco appliances, but do we really want to spend the money, or can we all afford it..
There are other firewall versions out there; most of them are listed on speedguide.net and most of them listed here
A lot of them run on Linux, commonly known as NIX, or FreeBSD, and your 2wire runs on FreeBSD.
There are some hacks to get the 2wire to bridged mode... HEY WAKE UP.. We don't own the new 2wire products.. AT&T does, and if you try to sell it you have to pay for it.. Don't mess it up based on bad info.. Bridging can also slow it up.
As of right now the new iNID 2wire does not support IPv6; a lot of the older 2wire U-verse business units do.
However I did find a way to get it to tunnel out, and pfSense supports IPv6 tunnels.
Our other U-verse business router supports IPv6 fully, so I imagine the NEW firmware for the iNID will eventually support it..
Remember what I said above: the 2wire, once it's in DMZplus and your static IPs are set, passes all info.
HOWEVER it will block 3 ports that I know of.. If you plan to use PuTTY from outside (SSH), set pfSense on a different port for that.. AT&T reserved it for their use for now.
Last but not least, BE patient.. You didn't spend all that time trying to get U-verse business to fail, right..
Our time is valuable and we lost a lot of time getting this to work.
AT&T tech support is only responsible for assigning the IP addys to your info and turning them on in their device.
I've known this for a long, long time. I've set up a lot of AT&T DSL business accounts in the past using the 2wire with subnets and what they then called dmzmode_LZ... U-verse is real typical of what that was once you get your head around it.
Things I WISH were available that aren't there:
2wire MDC advanced mode.
Some of the advanced items I used, like the NTP location and time.
Ability to set up the DNS addys ourselves, not just use the AT&T addresses.. Again, that's important to set up in pfSense to help keep things alive..
I also wish that when I call into AT&T they could give more info on what other businesses use to get their public IPs running.
Some of the techs at AT&T need to know that MAC assignments to your business router are important.
A good portion of business routers don't easily have managed MAC aliasing, including even Cisco business routers.
Other websites don't have a bunch of info on this.
I spent a lot of wasted time on RANTS about people that gave up.. or they wondered why AT&T wouldn't just open the MAC assignments to the public IPs.
AND at first I hated having to deal with this.. For instance, WHY is AT&T managing my network with MAC tables?
WHY is AT&T able to log in whenever they want..? They really don't, unless you need help OR if firmware needs to be updated..
Why does the tracert show dead in spots.. YEAH, I don't like it, but it's actually a black hole to help protect the fiber channels and VRADs.. It hasn't affected getting to us and our ping rates are perfect... Covad did this years ago and it protects their equipment just fine... I still have one of those Covad connections here.. The tracert is the same...
How did I keep our Covad connection? We have more than one address at our primary location.
U-verse business is to one location.
Our AT&T DSL business is at the other address with our Covad connection.
The U-verse business took from November of last year to the end of March this year to bring in..
Even though U-verse was available we had to order it as a dry loop to keep our other connections and have NEW lines brought in..
Why didn't I get fiber..? That's a good question..
Most fiber on the VRAD can only go about 2000 feet. Since we were just over that distance we have twisted VDSL, commonly known as DSL2 in some places, but it really isn't DSL2.
They use a twist on MLPPP, which is a bonded circuit.. If you ask for MLPPP from AT&T you won't get it.. They can't support it over VDSL due to the nature of the ethernet connection....
There's a lot more to it than meets the eye.
I will mention, since we have the iNID with the equipment outside, I do have the pfSense connected via Ethernet to the outside iNID per AT&T tech support... To me (probably mental) it works a little cleaner.. Just keep in mind the AT&T techs that come out to run tests will need that port for testing at times.. BUT if they really need it, you already have an outage, so don't worry about it..
Getting to the maintenance of the outdoor iNID:
You have a spot for a lock... Use it..
One of the techs at AT&T I talked to actually made a box that's made for outdoors to go over the iNID to help protect it from weather. It has a second lock and a plexiglass door.. Protecting the network cables from the weather is a good thing and can increase the life of the iNID; just be sure it can ventilate, as it can get warm.. There is a warning on the iNID enclosure about that and on the iNID itself..
Ours will be lockable with plenty of holes down the side and a roof that extends to keep rain and sun off.. You need to give as much air as possible.. But you also want to keep acid and mold from forming on the internal connections...
I added an area for comments and for help questions here...
If you have to RANT, I understand.
You need to be logged in to possibly view and comment...
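The CARP virtual IP steps above (next IP down from the WAN address, CIDR 29 for a .248 mask, VHID 1, 2, ..., and the HEX/MAC the 2wire learns for each) worked through in code. This is an added example, not code from the original post or from pfSense; the addresses are constructed from the documentation range 203.0.113.0/24, the gateway (.110) is an assumption, and the CARP status text is a constructed sample modelled on FreeBSD carp(4) ifconfig output.

```python
"""Plan and verify pfSense CARP virtual IPs for a U-verse static /29 behind a 2wire."""
import ipaddress
import re

# CARP virtual MAC prefix (shared with VRRP, RFC 5798); the last octet is the VHID.
# This is the "HEX address" the 2wire learns for each virtual IP.
CARP_MAC_PREFIX = "00:00:5e:00:01"


def mask_to_cidr(mask: str) -> int:
    """255.255.255.248 -> 29, the CIDR value pfSense asks for."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def carp_virtual_mac(vhid: int) -> str:
    """MAC address the 2wire will see for the CARP VIP with this VHID."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be between 1 and 255")
    return f"{CARP_MAC_PREFIX}:{vhid:02x}"


def plan_vips(wan_ip: str, gateway: str, mask: str = "255.255.255.248") -> list:
    """One CARP VIP entry per usable address that is neither the AT&T gateway nor
    the pfSense WAN address, counting down from the WAN IP (x.x.x.108 first when
    the WAN is x.x.x.109) with VHID 1, 2, ... and the default advertising values."""
    wan = ipaddress.ip_address(wan_ip)
    gw = ipaddress.ip_address(gateway)          # assumed gateway, AT&T gives the real one
    cidr = mask_to_cidr(mask)
    block = ipaddress.ip_network(f"{wan}/{cidr}", strict=False)
    if gw not in block:
        raise ValueError(f"gateway {gw} is not inside {block}")
    hosts = sorted((h for h in block.hosts() if h not in (wan, gw)), reverse=True)
    return [
        {"ip": str(h), "cidr": cidr, "vhid": n, "advbase": 1, "advskew": 0,
         "mac": carp_virtual_mac(n), "descr": f"{h} Static"}
        for n, h in enumerate(hosts, start=1)
    ]


# Constructed ifconfig-style status, modelled on FreeBSD 8 carp(4) output;
# vhid 3 is deliberately shown as BACKUP to exercise the check.
SAMPLE_STATUS = """\
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 203.0.113.108 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 203.0.113.107 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 0
carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 203.0.113.106 netmask 0xfffffff8
        carp: BACKUP vhid 3 advbase 1 advskew 0
"""

_CARP_LINE = re.compile(r"carp:\s+(\w+)\s+vhid\s+(\d+)")


def carp_states(ifconfig_text: str) -> dict:
    """Map VHID -> CARP state from ifconfig output."""
    return {int(v): s for s, v in _CARP_LINE.findall(ifconfig_text)}


def not_master(plan: list, ifconfig_text: str) -> list:
    """VIPs that are not MASTER (wrong state or not configured at all); on a
    single pfSense box every planned VIP should be MASTER."""
    states = carp_states(ifconfig_text)
    return [v["ip"] for v in plan if states.get(v["vhid"]) != "MASTER"]


if __name__ == "__main__":
    plan = plan_vips("203.0.113.109", "203.0.113.110")
    for v in plan:
        print(f'{v["ip"]}/{v["cidr"]} vhid {v["vhid"]} mac {v["mac"]} "{v["descr"]}"')
    print("not MASTER:", not_master(plan, SAMPLE_STATUS))
```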
Here's another reason for having your router behind the U-verse router, and a good reason for addressing Internet the way U-verse does.
Quote from Tom Yager, InfoWorld http://www.pcworld.com/businesscenter/article/160761/putting_atandt_uverse_to_the_test.html
my connection speed rose to a max of 18Mbps, with 1.5 megabits upstream. TV and VoIP get priority in quality of service, so the downstream bandwidth in my one informal test (with the TV running an HD channel) swung down to as little as 6Mbps, which is the minimum guaranteed speed. But because the TV service is almost entirely downstream, my upstream speed is constant.
As an IT/IS person I dealt with QoS, and this is why it just works well..
When I tested our DirecTV with DirecTV On Demand, which is a MAX of 5 meg down, the connection used all 5Mb. At the same time I sent a FAX via a MagicJack and that worked just as well..
We don't have voice or TV from U-verse, and our U-verse is a dedicated loop. All that means is we were able to keep our AT&T DSL and our Covad business.
Please note, to a residential customer: you won't be keeping your DSL line(s).. You will be able to revert back to it in the 30 day trial if you have to, and AT&T will put your wiring back together, unlike the cable companies.
Over the past 12 days that we've had U-verse here, and the past year at our other location,
the connections haven't dropped out.. Call us lucky if you want.. I imagine we will have an outage if they upgrade firmware or a bad storm, which really isn't in anyone's control, OR I do something really MUSH like subnet the wrong way..
That's something to be careful of. Be careful of your subnets.
Small update to all of this.
We've had the connection for 30 days now.
SSH to our router inside the network and getting to both the 2wire and pfSense has been working great.
But a couple of things to mention.. AND it's not real important, but for some it might be.
If you plan on using SSH back to your server for any reason you'll have to use a port other than 22.
That's blocked by the 2wire..
Also, if you use traceroute from inside your network through a router, the 2wire will not let the packets answer back to pass back to your connection.
It seems AT&T read a small article on how that can be a security risk and blocks it before the DMZplus..
They also do a couple of things that other ISPs have recently enabled, which is black holes everywhere so as not to advertise their network as easily.. Covad, now MegaPath, is doing the same thing.
Comcast is thinking of doing it, and with business SMC routers putting that particular cable modem in bridge mode is a pain, and you're better off using the DMZ in the SMC.
Keep in mind DOCSIS 3 ain't all that yet.. They only use it for download and not uploads yet.
So far we're happy with our results..
We're still MIFFED at why it had to take almost 6 months of phone calls to get this all done.
AND one day I'll bring myself to telling that story.. They haven't made it as easy, and it requires patience for 12 and 24Mb connections.
Back to moving the network room to the cold dungeon and making a new office area.
This article also helps get around some of the weird..
It's written by Bill Petrey, Realtor. I figure if you came here you might want to see this article that worked out, that has the negative title.. With just cause.
I can't remember if I mentioned this, but we recently moved our DirecTV behind the pfSense firewall to utilize the FreeBSD 8.1 OS, which seems to handle the connection even better with even more balance. AND since DirecTV loved using 2 IP addys, the static IP we assigned and an additional IP the DVR decides it likes to try and grab, this eliminated the DHCP requests of the DVR, or at least we blocked it ::) It's working even better.
As site admins we have the ability to monitor which articles here on the forums are looked at... This is particularly useful when you try to provide content that the users of the forum might find the most interesting...
I bring this up because it is very evident by the number reading Dan's articles here that information about AT&T's U-verse internet connections is in need. If you have come across this forum in an attempt to set up your U-verse connection, we welcome you and thank you for stopping by. If you need further help or just want to comment, feel free to sign up and post here. Signing up is free and easy...
Feel free to share your experiences and suggestions as well.
Uptime on the pfSense has been 9 months with the AT&T static IP addresses without an outage. WE'RE not using AT&T QoS.. pfSense deals with that real nice.
We've had to restart Apache, IIS and the mail servers more than anything else. But not as often...
We did have a small error we had to deal with in pfSense with pfBlocker, which was user error and took a couple of days before I realized I had a loop in pfBlocker causing a crash in the blocker only. That was back in June.
As far as we can tell the forum spam and email spam is next to nuttin...
Our email server deals with over 36,000 legit emails a month.
Prior to pfSense, even with using spam controls, we had over 76,000 emails that included spam and about 20 emails that included viruses that the server had to deal with. If 4 viruses get cleaned out I'd be very surprised..
We did notice that a lot of spam that runs through USA servers runs from a HOSTING NOC out of Ohio.. Seems like they don't care, so we found all their IP blocks from Spamhaus and added them to pfBlocker, and that's all stopped..
I would give these blocks out here, but they'd probably go out and buy some more.
All the control you'd ever want, and all coming through a 10 year old P4 with a fresh HD and a gig of memory.
Swap on the hard drive runs between 1 to 5%... Memory use runs about 18% at most.
Of course, now that I said something we'll probably get hit by the infamous ugly karma ::)