Comments on: Utilizing AT&T U-Verse Static IPs with OpenWRT

By: Randall

Randall — Wed, 27 Jul 2011 15:58:04 +0000

Victor — there are only two ways to get this to work:

(1) use a bridge instead of a router. In OpenBSD at least (and probably for other Unix/Linux as well) you can mostly treat bridges and routers the same, and can filter or apply rules as desired. The key difference is that bridges preserve the Ethernet frame, including source/destination MAC address, fooling the RG into thinking there is no other router, and allowing it to continue to map static IP addresses 1:1 to MAC addresses;

(2) Use the virtual interface and NAT trick as above. This also results in the RG maintaining a 1:1 mapping between static IP and MAC address, the difference is that your router must then NAT or bi-NAT between the static IPs and private IPs, and each of your machines must use a private IP instead of a public static.

By: Victor Orly

Victor Orly — Wed, 27 Jul 2011 03:57:40 +0000

Any idea how to get this working with a Soncwall TZ190?

I’m about to throw the Uverse 2wire gateway in the trash.

By: Randall

Randall — Mon, 25 Jul 2011 01:00:07 +0000

I’m not sure who bobh is addressing, but my setup is more-or-less OK: each machine has one of the 64 static public IPs from my U-Verse block. I have an OpenBSD system as a router/bridge which blocks DHCP to/from the RG and any other firewall rules I desire. The key to this setup is that the OpenBSD box has a bridge, which fools the RG into thinking there is no other router. This way there is no NAT, no private address. I have another system as my own DHCP server, but I could easily have the OpenBSD box do that as well. My DHCP server hands out static public IPs to my devices.

By: bobh

bobh — Sun, 24 Jul 2011 02:12:32 +0000

Did you ever get the NAT problems solved? I think this is great and I am ready to try it, but I need to have the correct static IP referred to on outbound traffic as well.

By: Randall

Randall — Thu, 23 Dec 2010 03:31:12 +0000

If I understand your post, the key is that you create virtual interfaces, each with its own fake MAC address, to fool the RG into thinking there is one and only one MAC per IP. This requires that the actual machines have different addresses, such as 192.168.x.x, and you use NAT or at least bi-NAT to translate packets inbound and outbound, and further direct all outbound packets via the matching virtual interface. This allows you to have internal machines change IP address or have multiple IP addresses, without the RG realizing it and throwing a hissy.

I’ve got U-Verse with a block of 64 statics, with my actual machines assigned a public address, and a Soekris running OpenBSD acting as an Ethernet bridge, but I run into problems with the RG getting into a tizzy.

I hate the idea of going back to private addresses and NAT/bi-NAT, but I also hate my current setup.

In theory, it should be possible to fool the RG by having something intercept all ARP packets and faking replies, so the RG thinks there is one unique IP per MAC, but I’m not aware of anything that would do that.

By: Andrew

Andrew — Thu, 02 Dec 2010 12:49:34 +0000

@Jon, You can probably get it to run on a pc, although I’ve never tried. If you’re using a pc, you should be able to run just about any small Linux distribution to route the IP’s using macvlan.

By: Jon Strabala

Jon Strabala — Wed, 01 Dec 2010 22:02:59 +0000

So far this writeup is the best solution I have seen for U-verse RGs (3800HGV or 3600HGV). I got 64 public IPs but the firewall on the RG is worthless.

Can OpenWRT be used to route and protect the public IP’s? If so any tips / changes to your configuration.

I could buy the same D-Link DIR-615 rev. C as you used, but will OpenWRT also run on a PC with 2-4NICs?

Thanks in Advance

Jon

By: Andrew Q

Andrew Q — Sun, 14 Nov 2010 13:19:39 +0000

Ok, I’ve been struggling getting the SNAT part to work. I run a outgoing mail server and a PBX behind the uverse IPs. Incoming works, but the new connections from the servers don’t have the right IP which is messing up the SPF settings I’ve had. If I figure it out I’ll post again to share.

Again thank you for sharing this workaround the the Uverse modem limitation, I would have had to cancel my Business Uverse and go back to my slow DSL line just to get the IPs working again.

By: Andrew

Andrew — Sun, 14 Nov 2010 13:06:00 +0000

@Andrew Q – I don’t think I ever got the server to use SNAT. I don’t do a lot of outgoing traffic from my server and as long as the response to a http request on the outside looks like it’s coming from the correct IP, I haven’t worried about it.

By: Andrew Q

Andrew Q — Sun, 14 Nov 2010 09:59:04 +0000

Did you ever get SNAT to work with this? When I tried it I got DNAT working but SNAT isn’t. All new outbound connections from my servers are being mapped to the common IP not their static IP, but static IP to the servers is working, and thank you for that.