Configure your Pace 5268AC with Static IPs for pfSense

  • @mwp821 it passes through the RG's LAN connectors, but on the public static IP subnet. The RG's LAN will have 2 subnets, that of the RG LAN, and that of the public static IP subnet that you have been assigned. In order to communicate with the RG you will need to use the RG LAN IP address, and for your public IP usage you will need to set up Virtual IP Aliases on the WAN interface of your pfSense appliance that you have sitting behind the RG. The easiest way to do this is to set up the RG DHCP server, configure the WAN interface of your pfSense appliance to use DHCP, and create the Virtual IP Aliases on the WAN interface for your static IP subnet.

  • So just to confirm, these steps do nothing to avoid the session state limitation AT&T imposes, correct? It seems like you're using the built-in cascade router feature that would then suffer from the limitation.

    Have you been able to test and see how many sessions you have running? I got all excited recently when I saw AT&T Fiber prices for small business, but it seems those dreams are quickly going up in smoke unless I can figure out a stable and cost-effective solution that avoids the session state bug. I suppose it is not a bug, but an intentional crippling of the service so that only the smallest offices use it.

  • @phatty I think you are completely misunderstanding what the Cascade Router functionality actually does. It is simple IP packet routing, there is no session involved at all. The packets from the WAN are routed to the LAN, and vice versa. If you want to perform tests, you are welcome to.

  • So it looks like AT&T screwed something up; with my BGW210 I can not save Cascade router settings. I get a long browser hang-up, followed by session refused, and then it takes quite a while for the browser admin page to be responsive again. Rebooting it is the quickest way to get back control, but then no cascade settings are actually saved.

    Looking at the AT&T forum it looks like others are reporting the same issue with firmware 2.3.4. Tech support just wanted to direct me to the IP Passthrough feature, which suffers the 8k table limitation. When I tried to push for cascade they kept insisting passthrough was the method to use. At this point I guess the next best option is to try the Netgraph method.

    Grrr, I am stumped as to why AT&T gives out such a handicapped device to business users.

  • @merc Are you able to confirm with 100% certainty that the routing table shows 0 in the modem stats when using the Cascaded Routing Feature? I Tweeted at AT&T which gets you to the AT&T Office of the President, and their default response to this feature being broken was he didn't think it was going to help with the 8k limitation anyway. He is escalating on his end for confirmation as well.

  • @phatty you are going to need to be explicitly clear on what you are asking for, as what you are asking for does not exist. The Cascaded Router feature does not NAT, thus there is no table.

  • I'll let you know what I uncover, I suspect even if they claim it would fix me, I am then stuck with a firmware that has this feature broken and I wouldn't expect that to be a quick fix.

  • @phatty that's very possible. The feature was broken on the Pace 5268AC for several years (close to 8 years I think), before it was finally working correctly. I had talked with the manufacturer several times, and they stated that it was AT&T that was the problem, as AT&T manages the firmware and decides what goes into it.

  • @merc so Office of the President gave me 2 options to go past 8,000 sessions. Downgrade to DSL, which has a modem that supports 'Bridge Mode', or get a 2nd fiber account. I bet the bridge mode they refer to is the same Cascaded Router feature; they just know it's broken for their current Fiber modems that they deploy with. He continued to claim that his network guys say cascaded router still relies on sessions, but it's impossible to prove him wrong with the feature being broken and them claiming they have no other model modems to send my way.

    Needless to say downgrading to DSL or spending 2x a month for a second circuit will not happen. I will probably look at bundling with a Spectrum Coax account and maybe split up traffic based on department so that the people dealing with larger data sets default to the fiber.

  • @phatty do you currently have the business version of Uverse Fiber? If so, you might see if you can find a Pace 5268AC from a third party, and check to see if AT&T can install their firmware on it. They should be able to on non-customized units. I guess I got lucky that I got mine when they were still using the Pace 5268AC for dual channel DSL Uverse. When I upgraded to Uverse Fiber, they installed the fiber box, which has an ethernet out, and connects to the exact same Pace 5268AC input as the DSL.

    Be careful with Spectrum though. If your local Spectrum provider is still operating as Time Warner, and has not fully converted to Charter's systems, then you'll be paying extremely high prices (~3-4x normal) for fiber connections.

  • Yes it is Business version, although same hardware they give out to residential. If I go Spectrum it wouldn't be fiber, it would be coax, I would then use fail-over and some priority rules to determine what goes out the fiber vs coax line to balance my user sessions.

  • @merc So then the question is, will I need anything from AT&T to make it work? The Office of the President was adamant that no other devices were supported on my 500mb business plan. Now I know CS reps are impossible to trust, but you never know if a multi-dwelling office building relies on some special protocol. If it helps, my modem shows a Broadband Network Type of iPAG under the broadband admin portion. Some of the reviews claim it's not really AT&T hardware; I guess no matter what, a little Russian roulette is at play.

  • @phatty TBH, I don't trust half of what AT&T tells me. The question is, does AT&T support the Pace 5268AC across its entire Uverse network, or is the support localized? I don't have an answer to that question. In the past, any DSL modem could be used on any DSL line in North America. The Pace 5268AC supports 2 different kinds of inputs, DSL and Ethernet. The latter is used with fiber, and I think is a direct ATM line. In any case, the DSLAM should be able to provide whatever signal is needed. I don't know how they distribute the certificates and updates that are needed.

    A high level tech in provisioning might be able to help you. They should know absolutely everything about the systems in question. Only supporting the BGW210 at your location, when both are supported (plus one other) where I am, doesn't sound accurate to me. I hope you can get it cleared up.

  • @merc I found an unofficial firmware upgrade for my BGW210 (2.4.4) and applied that. With that set I can now officially enable the cascaded router feature. Problem is it appears support was correct, NAT table looks the same using that feature as it did without it enabled. So on this model it appears to still be limited by the 8k.

    8k problem aside, are you able to translate outgoing traffic to your static IPs, or does everything show up as the DHCP IP address on the public side of the WAN?

  • @phatty it doesn't make sense for the BGW210 to use the NAT table, as it doesn't need to keep track of any connection state information. It's simple IP routing, which does need a routing table of some sort. Could the BGW210 be using its "NAT table" to also store normal routing?

    On the Pace 5268AC, the 4 LAN network connectors have 2 subnets on them. Subnet #1) The normal subnet to access the RG, which can be static or DHCP, and subnet #2) The public IP subnet that is configured under Add Cascade Router. The WAN network of pfSense is configured to connect to subnet #1, and the IP Aliases give me access to subnet #2. As you can see, the RG doesn't need to perform NAT at all, it only needs to route packets, as each alias is just a different end-point.

    Have you tried talking to your gateway manufacturer? They might be using different terms.
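    The two-subnet layout described in the post above (pfSense WAN on the RG LAN subnet, the assigned public block reached through IP Alias virtual IPs on that same WAN interface) is easy to get wrong by hand when the block has more than a couple of addresses. The following is an added example, not code from the thread or from the pfSense project: it enumerates the usable alias addresses for a constructed static block, checks that the block does not overlap the RG LAN subnet, and renders the `<vip>` entries as they would appear under `<virtualip>` in pfSense's config.xml. The RG LAN subnet, the public block, the assumption that the RG itself holds the first usable public address, and the exact config.xml element layout are all assumptions; the normal route is still Firewall > Virtual IPs in the GUI.

```python
import ipaddress
import uuid
from xml.etree import ElementTree as ET

# Constructed example addressing (not real assignments):
#   subnet #1: the RG LAN, where the pfSense WAN interface gets its DHCP lease
#   subnet #2: the public static block configured under Add Cascade Router
RG_LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_STATIC = ipaddress.ip_network("203.0.113.8/29")
# Assumption: the RG answers on the first usable address of the public block.
RG_PUBLIC_GATEWAY = ipaddress.ip_address("203.0.113.9")


def usable_alias_addresses(block, gateway, rg_lan=RG_LAN):
    """Hosts in the static block that pfSense may claim as IP Alias VIPs.

    Network and broadcast addresses are skipped by .hosts(); the RG's own
    address is removed so two devices never answer ARP for the same IP.
    """
    if block.overlaps(rg_lan):
        raise ValueError(f"{block} overlaps the RG LAN {rg_lan}; aliases would be ambiguous")
    if gateway not in block:
        raise ValueError(f"gateway {gateway} is not inside {block}")
    return [host for host in block.hosts() if host != gateway]


def build_vip_elements(addresses, block, iface="wan"):
    """Build a <virtualip> element with one IP Alias <vip> per address.

    Element names follow what pfSense writes to config.xml for an IP Alias
    (mode/interface/uniqid/descr/type/subnet_bits/subnet); this layout is an
    assumption made for the example. subnet_bits is the block's prefix length
    so pfSense knows the alias belongs to the public subnet, not the RG LAN.
    """
    root = ET.Element("virtualip")
    for addr in addresses:
        vip = ET.SubElement(root, "vip")
        ET.SubElement(vip, "mode").text = "ipalias"
        ET.SubElement(vip, "interface").text = iface
        ET.SubElement(vip, "uniqid").text = uuid.uuid4().hex[:13]  # placeholder id
        ET.SubElement(vip, "descr").text = f"Static public {addr}"
        ET.SubElement(vip, "type").text = "single"
        ET.SubElement(vip, "subnet_bits").text = str(block.prefixlen)
        ET.SubElement(vip, "subnet").text = str(addr)
    return root


def render_vips(block=PUBLIC_STATIC, gateway=RG_PUBLIC_GATEWAY):
    """Return the config.xml fragment as a string."""
    addrs = usable_alias_addresses(block, gateway)
    return ET.tostring(build_vip_elements(addrs, block), encoding="unicode")


if __name__ == "__main__":
    print(render_vips())
```

    With a /29 the block yields six hosts, five of which become aliases once the RG's address is removed; the overlap check is the part worth keeping, because an alias that lands inside the RG LAN subnet silently breaks the path to the RG's management address.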

  • Plausible that it is some sort of reporting issue on the modem. I haven't attempted contacting them, and at this point I probably won't. AT&T has been adamant that there is no bridge equivalent with this device, and NAT session tracking is always at play. If I could manipulate my outbound traffic to reflect the static IPs I would have a little more confidence that NAT tracking is actually being disabled.

    I'm going to go ahead and start moving more traffic over using the cascaded router feature. If the NAT table continues to fill though, I will probably go back to disabling this feature, and programming my static IPs on the modem so that I can manipulate my outbound traffic through my different IPs, which is my preferred setup.

  • @phatty ok, I think I understand what AT&T is doing, and why they are doing it, but they are doing it wrong. First off, they should be doing a public IP subnet check in the static addresses entered, which allows you to make assumptions that they can’t currently make.

    If the packet coming from your pfSense appliance has a source address of a public IP within the subnet that you entered, then the destination must either be a public IP address, or a private IP address on the LAN side of the gateway. All other packets can be ignored. By making this assumption, everything is simple IP routing, and a NAT session is not needed outside of your pfSense appliance.

    The NATing that they are doing allows you to access private IP addresses within the AT&T network, which you don’t need. There isn’t any business reason that any customer would need such ability from a Uverse or DSL type account. Only someone with an OC3, T1, or T3 type account MIGHT possibly need such access.

    They are way over thinking it. If they just enabled the bridging functionality, you’d have direct access to the gateway, and to the Internet, exactly as I’ve described. They need to hire someone who can think outside the box, and actually make it work for you. That was the only way that I was able to get it to work.

    On a side note, you can use the additional network functionality and CARP aliases, each IP in a different group, and achieve the same thing. Or use a Cisco router, and assign a different MAC address to each public IP address. pfSense doesn't support a different MAC address for each IP alias, but it does assign different MAC addresses to each CARP group.
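    The routing rule merc lays out two posts up (a packet sourced from the customer's public block is forwarded only to a public destination or to the gateway's own LAN subnet, everything else is left alone, and no NAT state is created) can be written down as a small decision function, which also makes it easy to see why a correctly implemented cascade would not consume a session-table entry per flow. This is an added example, not code from the thread or from any gateway firmware; the RG LAN subnet, the public block and the sample packets are constructed, and "public" is defined as "not RFC 1918, loopback, link-local or 0.0.0.0/8" rather than via `ipaddress.is_global`, because Python also treats the 203.0.113.0/24 documentation prefix used here as non-global.

```python
import ipaddress

# Constructed example addressing (not real assignments):
RG_LAN = ipaddress.ip_network("192.168.1.0/24")          # private subnet on the gateway's LAN side
PUBLIC_STATIC = ipaddress.ip_network("203.0.113.8/29")   # customer's assigned static block

# Explicit non-routable ranges instead of ipaddress.is_private / is_global, since
# Python flags documentation prefixes (e.g. 203.0.113.0/24) as non-global and
# this demo uses them as stand-in public addresses.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def is_public(addr):
    """True when the address is outside every non-routable range above."""
    return not any(addr in net for net in NON_ROUTABLE)


def cascade_decision(src, dst, public_block=PUBLIC_STATIC, rg_lan=RG_LAN):
    """Apply the cascade rule to one packet leaving the pfSense WAN.

    Returns (action, reason) where action is:
      'forward'  plain IP forwarding, no NAT entry created
      'ignore'   packet is not the cascade's concern (e.g. RG LAN host traffic,
                 which the gateway handles with its ordinary NAT path)
      'drop'     public-sourced packet aimed at a private address that is not
                 on the gateway's LAN; nothing legitimate needs that path
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in public_block:
        return "ignore", "source is not in the customer's public block"
    if dst in rg_lan:
        return "forward", "destination is on the gateway's LAN subnet"
    if is_public(dst):
        return "forward", "public destination, routed without NAT"
    return "drop", "private destination outside the gateway LAN"


def sessions_created(packets):
    """Count the packets that would need a NAT table entry under this rule.

    Under the rule, forwarded public-sourced packets need none; only the
    'ignore' packets fall back to the gateway's own NAT and consume an entry.
    Returns (nat_entries, decisions) for the constructed packet list.
    """
    decisions = [cascade_decision(s, d) for s, d in packets]
    nat_entries = sum(1 for action, _ in decisions if action == "ignore")
    return nat_entries, decisions


# Constructed sample of outbound packets (source, destination):
SAMPLE_PACKETS = [
    ("203.0.113.10", "198.51.100.7"),   # alias IP to a public host
    ("203.0.113.11", "192.168.1.254"),  # alias IP to the RG's own LAN
    ("203.0.113.12", "10.9.8.7"),       # alias IP to a private address elsewhere
    ("192.168.1.50", "198.51.100.7"),   # RG LAN host, gateway NATs it as usual
]

if __name__ == "__main__":
    entries, decisions = sessions_created(SAMPLE_PACKETS)
    for (src, dst), (action, reason) in zip(SAMPLE_PACKETS, decisions):
        print(f"{src:>14} -> {dst:<14} {action:<8} {reason}")
    print(f"NAT entries needed: {entries}")
```

    The useful property is in `sessions_created`: if the gateway really implemented the cascade as plain forwarding, the session count on the modem's status page would move only with RG-LAN-sourced traffic, which is the observation phatty was trying to make on the BGW210.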

  • @merc I thought I would follow up and say I am now 99% confident that AT&T was actually correct, and there is no avoiding the NAT table. I have tested in Cascaded Router mode, and in the typical mode of configuring the gateway/static IPs on the modem, and both create about the same number of NAT sessions in use. If it was just a reporting glitch, I would suspect the routing table display when in cascaded router mode should have been much smaller than the display that tracks each and every session like a typical NAT table.

    With that said, I think overloading the modem is very much the exception in my office, but still a risk. So I was able to talk the powers that be into adding a Spectrum coax modem for backup. It will also have the bonus result of improving work-from-home performance for our users who use Spectrum at home, as I can lower their latency by routing through the Spectrum connection.

    Thanks for the help, but I think this particular modem is a no go for anything even slightly resembling bridge mode.

  • @phatty that is unfortunate. I did find some old documentation on features that were made available to customers like AT&T, but unfortunately, AT&T never implemented them. One of the features was a Pass-Through for customer data, which allowed the gateway to also perform the required tasks that allow it to work on AT&T's ATM network. I'd describe it as a smart Bridged Mode that doesn't prevent the gateway from doing what it needs to do. They have many different options to implement what is needed, but I have a feeling that they aren't doing it to force you to upgrade to an OC3 or similar connection. :/
