Configure your Pace 5268AC with Static IPs for pfSense



  • Previously, this could only be done using CARP IP Aliases, but the current firmware now allows pfSense to use normal IP Aliases, so I thought I'd help others out with this post. By using this new configuration, you will end up being able to use the Router Address that was previously assigned to the Pace 5268AC, and the WAN IP address (could change over time) of the Pace 5268AC, in addition to the IP addresses that you were already using. This also bypasses the firewall in the Pace 5268AC. With all this being stated, the setup is pretty much identical to the setup that AT&T will configure you with using the Supplementary Network / Add Additional Network settings.

    If you haven't changed the default LAN and DHCP settings, you can continue to use them, but you might want to exclude a block at the base. I do not recommend changing the default LAN subnet, as it will make troubleshooting easier if something goes wrong. The WAN interface of your pfSense can be set up to use either DHCP or a static IP address, though DHCP is much easier for troubleshooting. Once that is set, it all comes down to changes to Settings / Broadband / Link Configuration in the Pace 5268AC. Instead of using the Add Additional Network section, you need to use the Add Cascade Router section (see below):

    The Network Address setting can be ANY of the IP addresses in your IP block, and it doesn't matter which one you choose. Most will either use the first IP address in the block, or the Router Address that AT&T used when setting up Add Additional Network; it doesn't matter which you use. The Subnet Mask is the same that was used under Add Additional Network. The router for the secondary subnet is your pfSense device. If the WAN interface IP address is not available in the dropdown, enter it into the IP Address text box. When using DHCP, always use the dropdown, as the Pace 5268AC will internally register the MAC address, in case the DHCP address should change. Make sure to select the appropriate radio button and click Save. That's it for the Pace 5268AC configuration; now you just need to configure your pfSense device.

    In pfSense, you need to create a Virtual IP Alias for each of the public IP addresses that you have, under Firewall / Virtual IPs.  Here are the settings for each alias:

    • Type: IP Alias

    • Interface: The WAN interface that your Pace 5268AC is plugged into.

    • Address(es):

    • Subnet Mask (dropdown): The significant number of bits in your public static IP subnet mask

    If you have 5/8 IPs (5 usable of 8 as defined by AT&T), you will actually get 6 usable, and you would select 29 from the dropdown (28 for 13/16, 27 for 29/32, etc.).  Don't forget to create an entry for the Router Address that was previously being taken by the Pace 5268AC, as it is now usable.  Once that is done, you can then use those IP Aliases within pfSense.  To use the AT&T WAN IP address of the Pace 5268AC, just configure pfSense to use the IP address of the WAN interface (LAN of the Pace 5268AC), which is the LAN IP address that you gave it earlier.

    ENJOY!

    P.S.  On the LAN side of the Pace 5268AC I am seeing ~970Mb up/down.  I am waiting for a new pfSense device to get that full BW, as my old pfSense device maxes out at around 430Mb(up)/267Mb(down).

    UPDATE 10/07/2018
    I've been using my new pfSense appliance for about 4 months now, along with a managed Cisco switch that it feeds into, and this has been working flawlessly. I have 32 static IP addresses for hosting web applications and other IoT things. My latency to the Google DNS servers (8.8.8.8) is 7ms, for those who are interested. Due to security concerns I won't post tracert information, but I can describe it:

    1. The pfSense gateway address that you are connected to.
    2. The gateway address of the RG.

    You might be asking why the gateway address of the RG is there when using Virtual IP Aliases. Well, that's how routing works. Even though it is using the RG gateway address, pfSense is modifying the outgoing packet to set the source IP address as the Virtual IP address. You can't bypass the RG, and you really don't want to, as it has the required certificates to communicate with the AT&T network.
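    A small planning helper for the Virtual IP step above (an added example, not part of the original post): it turns AT&T's advertised block size ("5/8", "13/16", "29/32") into the Subnet Mask bits to pick in the dropdown, accepts any address in the block as the Network Address the way the Pace 5268AC does, and lists every alias to create, flagging the former Router Address that becomes usable. The block, the old Router Address and the 203.0.113.0/24 addresses are constructed placeholders.

```python
"""Plan pfSense Firewall / Virtual IPs entries for an AT&T static block.

Added example for the post above; constructed inputs only (RFC 5737 range).
"""
import ipaddress


def prefix_for_block(advertised: str) -> int:
    """Map AT&T's 'usable/total' wording to a CIDR prefix length.

    '5/8' -> 29, '13/16' -> 28, '29/32' -> 27.  AT&T advertises total - 3
    usable addresses (network, broadcast and the gateway's Router Address);
    with Cascade Router the Router Address is usable too, so you get total - 2.
    """
    usable, total = (int(part) for part in advertised.split("/"))
    if total < 4 or total & (total - 1):
        raise ValueError(f"block size {total} is not a power of two >= 4")
    if usable != total - 3:
        raise ValueError(f"{advertised!r} does not match AT&T's usable/total scheme")
    return 32 - (total.bit_length() - 1)


def plan_aliases(network_address: str, advertised: str, old_router: str) -> dict:
    """Return the IP Alias entries for the WAN interface.

    network_address may be ANY address in the block (as the Pace accepts);
    old_router is the Router Address the RG held under Add Additional Network.
    """
    bits = prefix_for_block(advertised)
    # strict=False lets a host address stand in for the network address.
    net = ipaddress.ip_network(f"{network_address}/{bits}", strict=False)
    router = ipaddress.ip_address(old_router)
    if router not in net:
        raise ValueError(f"{old_router} is not inside {net}")
    hosts = list(net.hosts())  # everything except network and broadcast
    aliases = [
        {
            "type": "IP Alias",
            "interface": "WAN",  # the port the Pace 5268AC is plugged into
            "address": str(host),
            "subnet_bits": bits,
            "former_router_address": host == router,
        }
        for host in hosts
    ]
    return {"network": str(net), "subnet_bits": bits, "aliases": aliases}


if __name__ == "__main__":
    plan = plan_aliases("203.0.113.12", "5/8", "203.0.113.9")
    print(plan["network"], "->", len(plan["aliases"]), "aliases")
    for entry in plan["aliases"]:
        note = "  (former Router Address)" if entry["former_router_address"] else ""
        print(f"  {entry['address']}/{entry['subnet_bits']}{note}")
```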



  • So this completely bypasses the RG entirely?

    Can you post a tracert to any site showing the first 2 hops?

    AT&T static IP required?



  • Can you post a tracert to any site showing the first 2 hops?

    Asking the important questions. This technique is unfortunately of limited benefit if all traffic still passes through the RG's LAN subnet.



  • @gpz1100 Sorry for the late reply, but this site isn't sending notification emails. Nothing completely bypasses the RG, as it is physically required to communicate with the AT&T servers. What does happen though is that the static IPs of the specified range are passed through the RG to its LAN side w/o any processing. And yes, this only works for static IP addresses, as this is of no use for dynamic IP addresses. If you have a dynamic IP address, just use the DMZ option.



  • @mwp821 it passes through the RG's LAN connectors, but on the public static IP subnet. The RG's LAN will have 2 subnets, that of the RG LAN, and that of the public static IP subnet that you have been assigned. In order to communicate with the RG you will need to use the RG LAN IP address, and for your public IP usage you will need to set up Virtual IP Aliases on the WAN interface of your pfSense appliance, that you have sitting behind the RG. The easiest way to do this is to set up the RG DHCP server, configure the WAN interface of your pfSense appliance to use DHCP, and create the Virtual IP Aliases on the WAN interface for your static IP subnet.



  • So just to confirm, these steps do nothing to avoid the session state limitation AT&T imposes, correct? It seems like you're using the built-in cascade router feature that would then suffer from the limitation.

    Have you been able to test and see how many sessions you have running? I got all excited recently when I saw AT&T Fiber prices for small business, but it seems those dreams are quickly going up in smoke unless I can figure out a stable and cost effective solution that avoids the session state bug. I suppose it is not a bug, but an intentional crippling of the service so that only the smallest offices use it.



  • @phatty I think you are completely misunderstanding what the Cascade Router functionality actually does. It is simple IP packet routing, there is no session involved at all. The packets from the WAN are routed to the LAN, and vice versa. If you want to perform tests, you are welcome to.



  • So it looks like AT&T screwed something up; with my BGW210 I cannot save Cascade router settings. I get a long browser hang up, followed by session refused, and then it takes quite a while for the browser admin page to be responsive again. Rebooting it is the quickest way to get back control, but then no cascade settings are actually saved.

    Looking at the AT&T forum it looks like others are reporting the same issue with firmware 2.3.4. Tech support just wanted to direct me to the IP Passthrough feature, which suffers the 8k table limitation. When I tried to push for cascade they kept insisting passthrough was the method to use. At this point I guess the next best option is to try the Netgraph method.

    Grrr, I am stumped as to why AT&T gives out such a handicapped device to business users.



  • @merc Are you able to confirm with 100% certainty that the routing table shows 0 in the modem stats when using the Cascaded Routing Feature? I Tweeted at AT&T which gets you to the AT&T Office of the President, and their default response to this feature being broken was he didn't think it was going to help with the 8k limitation anyway. He is escalating on his end for confirmation as well.



  • @phatty you are going to need to be explicitly clear on what you are asking for, as what you are asking for does not exist. The Cascaded Router feature does not NAT, thus there is no table.



  • I'll let you know what I uncover, I suspect even if they claim it would fix me, I am then stuck with a firmware that has this feature broken and I wouldn't expect that to be a quick fix.



  • @phatty that's very possible. The feature was broken on the Pace 5268AC for several years (close to 8 years I think), before it was finally working correctly. I had talked with the manufacturer several times, and they stated that it was AT&T that was the problem, as AT&T manages the firmware and decides what goes into it.



  • @merc so Office of the President gave me 2 options to go past 8,000 sessions. Downgrade to DSL, which has a modem that supports 'Bridge Mode', or get a 2nd fiber account. I bet the bridge mode they refer to is the same Cascaded Router feature; they just know it's broken for the current Fiber modems that they deploy with. He continued to claim that his network guys say cascaded router still relies on sessions, but it's impossible to prove him wrong with the feature being broken and them claiming they have no other model modems to send my way.

    Needless to say downgrading to DSL or spending 2x a month for a second circuit will not happen. I will probably look at bundling with a Spectrum Coax account and maybe split up traffic based on department so that the people dealing with larger data sets default to the fiber.



  • @phatty do you currently have the business version of Uverse Fiber? If so, you might see if you can find a Pace 5268AC from a third party, and check to see if AT&T can install their firmware on it. They should be able to on non-customized units. I guess I got lucky that I got mine when they were still using the Pace 5268AC for dual channel DSL Uverse. When I upgraded to Uverse Fiber, they installed the fiber box, which has an ethernet out, and connects to the exact same Pace 5268AC input as the DSL.

    Be careful with Spectrum though. If your local Spectrum provider is still operating as Time Warner, and has not fully converted to Charter's systems, then you'll be paying extremely high prices (~3-4x normal) for fiber connections.



  • Yes it is Business version, although same hardware they give out to residential. If I go Spectrum it wouldn't be fiber, it would be coax, I would then use fail-over and some priority rules to determine what goes out the fiber vs coax line to balance my user sessions.



  • @merc So then the question is, will I need anything from AT&T to make it work? The Office of the President was adamant that no other devices were supported on my 500mb business plan. Now I know CS reps are impossible to trust, but you never know if a multi-dwelling office building relies on some special protocol. If it helps, my modem shows a Broadband Network Type iPAG under the broadband admin portion. Some of the reviews claim it's not really AT&T hardware; I guess no matter what a little Russian roulette is at play.



  • @phatty TBH, I don't trust half of what AT&T tells me. The question is, does AT&T support the Pace 5268AC across its entire Uverse network, or is the support localized? I don't have an answer to that question. In the past, any DSL modem could be used on any DSL line in North America. The Pace 5268AC supports 2 different kinds of inputs, DSL and Ethernet. The latter is used with fiber, and I think is a direct ATM line. In any case, the DSLAM should be able to provide whatever signal is needed. I don't know how they distribute the certificates and updates that are needed.

    A high level tech in provisioning might be able to help you. They should know absolutely everything about the systems in question. Only supporting the BGW210 at your location, when both are supported (plus one other) where I am, doesn't sound accurate to me. I hope you can get it cleared up.



  • @merc I found an unofficial firmware upgrade for my BGW210 (2.4.4) and applied that. With that set I can now officially enable the cascaded router feature. Problem is, it appears support was correct; the NAT table looks the same using that feature as it did without it enabled. So on this model it appears to still be limited by the 8k.

    8k problem aside, are you able to translate outgoing traffic to your static IPs, or does everything show up as the DHCP IP address on the public side of the WAN?



  • @phatty it doesn't make sense for the BGW210 to use the NAT table, as it doesn't need to keep track of any connection state information. It's simple IP routing, which does need a routing table of some sort. Could the BGW210 be using its "NAT table" to also store normal routing?

    On the Pace 5268AC, the 4 LAN network connectors have 2 subnets on them. Subnet #1) The normal subnet to access the RG, which can be static or DHCP, and subnet #2) The public IP subnet that is configured under Add Cascade Router. The WAN network of pfSense is configured to connect to subnet #1, and the IP Aliases give me access to subnet #2. As you can see, the RG doesn't need to perform NAT at all, it only needs to route packets, as each alias is just a different end-point.

    Have you tried talking to your gateway manufacturer? They might be using different terms.



  • Plausible that it is some sort of reporting issue on the modem. I haven't attempted contacting them, and at this point I probably won't. AT&T has been adamant that there is no bridge equivalent with this device, and NAT session tracking is always at play. If I could manipulate my outbound traffic to reflect the static IPs I would have a little more confidence that NAT tracking is actually being disabled.

    I'm going to go ahead and start moving more traffic over using the cascaded router feature. If the NAT table continues to fill though, I will probably go back to disabling this feature, and programming my static IPs on the modem so that I can manipulate my outbound traffic through my different IPs, which is my preferred setup.



  • @phatty ok, I think I understand what AT&T is doing, and why they are doing it, but they are doing it wrong. First off, they should be doing a public IP subnet check in the static addresses entered, which allows you to make assumptions that they can’t currently make.

    If the packet coming from your pfSense appliance has a source address of a public IP within the subnet that you entered, then the destination must either be a public IP address, or a private IP address on the LAN side of the gateway. All other packets can be ignored. By making this assumption, everything is simple IP routing, and a NAT session is not needed outside of your pfSense appliance.

    The NATing that they are doing allows you to access private IP addresses within the AT&T network, which you don’t need. There isn’t any business reason that any customer would need such ability from a Uverse or DSL type account. Only someone with an OC3, T1, or T3 type account MIGHT possibly need such access.

    They are way over thinking it. If they just enabled the bridging functionality, you’d have direct access to the gateway, and to the Internet, exactly as I’ve described. They need to hire someone who can think outside the box, and actually make it work for you. That was the only way that I was able to get it to work.

    On a side note, you can use the additional network functionality and CARP aliases, each IP in a different group, and achieve the same thing. Or use a Cisco router, and assign a different MAC address to each public IP address. pfSense doesn't support a different MAC address for each IP alias, but it does assign a different MAC address to each CARP group.



  • @merc I thought I would follow up and say I am now 99% confident that AT&T was actually correct, and there is no avoiding the NAT table. I have tested in Cascaded Router mode, and in the typical mode of configuring the gateway/static IPs on the modem, and both create about the same number of NAT sessions in use. If it was just a reporting glitch, I would suspect the routing table display when in cascaded router mode should have been much smaller than the display that tracks each and every session like a typical NAT table.

    With that said I think overloading the modem is very much the exception in my office, but still a risk. So I was able to talk the powers that be into adding a Spectrum coax modem for backup. It will also have the bonus result of improving work from home performance for our users who use Spectrum at home as I can lower their latency by routing through the spectrum connection.

    Thanks for the help, but I think this particular modem is a no go for anything even slightly resembling bridge mode.



  • @phatty that is unfortunate. I did find some old documentation on features that were made available to customers like AT&T, but unfortunately, AT&T never implemented them. One of the features was a Pass-Through for customer data, which allowed the gateway to also perform the required tasks that allow it to work on AT&T's ATM network. I'd describe it as a smart Bridged Mode that doesn't prevent the gateway from doing what it needs to do. They have many different options to implement what is needed, but I have a feeling that they aren't doing it to force you to upgrade to an OC3 or similar connection. :/

