Setting up the AT&T U-Verse 2-Wire VDSL gateway to be a bridge.

The procedure described below will allow use of AT&T assigned public IP addressing.  It is assumed that an "inside" router is going to be used to provide security and other local services.

Use of this procedure is done at the risk of the person using it.  Don't moan and groan if your connection ends up being broken, you can't fix it, and you end up having to call AT&T support.

The procedure below has been implemented, tested, and is known to work on the AT&T gateway shown below.  It may not work on other 2-Wire gateways.

2-Wire 3800hgv-b DSL Gateway
Hardware Version:  2700-100531-006
Software Version:   6.3.7.50-plus.tm (as of 4/3/2013)

When AT&T assigns a range of addresses, they are assigned as a contiguous block.  Also assigned will be a subnet mask, which defines the size of the block of addresses.  For example, this is a /29 assignment:

108.238.xxx.208     Not locally usable.  Typically defined as the network address for the range.
108.238.xxx.209     Usable.
108.238.xxx.210     Usable.
108.238.xxx.211     Usable.
108.238.xxx.212     Usable.
108.238.xxx.213     Usable.
108.238.xxx.214     Usable.  Should be assigned as the gateway address in step 5 below.
108.238.xxx.215     Not locally usable.  Typically defined as the broadcast address for the range.
255.255.255.248     Subnet mask.  Should be assigned to the gateway in step 5 below.

AT&T will recommend that a certain address from the range be assigned to the gateway (they may refer to it as a modem).  Be sure to use that address in step 5.  Any of the other usable addresses can be set for the inside router or other device.

Note that every assigned range will be unique, so what I've shown here as an example is just that (that's why there are x's).  However, the principles and concepts are the same.

There is nothing to configure on the WAN side of the gateway.  It's all dynamic and only provides connectivity to AT&T's system.  Whatever is there will remain there at the pleasure of AT&T, whether or not a static range is in use.

There is nothing to configure for LAN IP addressing in the gateway other than the type of range as instructed in steps 7 through 9.

Two computers are helpful for this; one computer connected to one of the inside router's LAN ports or the local LAN (providing that it is connected to one of the inside router's LAN ports) and one computer connected to a LAN port on the AT&T gateway.  BE SURE that the computer connected to the AT&T gateway has its firewall turned on, or use a Mac or Linux machine, in case it inadvertently gets a public address assigned. 


1.               Configure the inside router for static addressing using one of the IP addresses in the assigned range.  Be sure to type in the correct subnet mask and gateway address. Setting static DNS is optional depending on the needs of the network.  While configuring settings, it's a good idea to change the default name, or hostname, of your router to something personalized.  Restart the router when you're done with the configuration.

2.               Log onto the AT&T gateway via web browser.  The default address to use is 192.168.1.254

3.               Click the Settings tab, then the Broadband tab.

4.               Click Link Configuration then scroll to the bottom of the page to Supplemental Network.

5.               Click a checkmark to enable Add Additional Network.

Type in the gateway's public IP address as assigned above.
Type in the gateway's Subnet Mask as assigned above.
Place a checkmark for Auto Firewall Open.

6.               Click Save.  There will be a prompt for a password.  Type it in and click OK.

If the settings were successful, a green-boxed banner stating "Configuration Successful" should be displayed.

7.               Scroll back to the top and click LAN.

8.               Click IP Address Allocation.  The inside router's information should be shown in a box under its hostname.  You should also see the computer that is plugged into the gateway.

The inside router should show its address as configured in #1 above.  It should also show its device status (connection state and how it got its address), Firewall, Address Assignment, and WAN IP Mapping.  Adjust configuration as follows:

Firewall:                                Disabled
Address Assignment:         Public (select WAN IP Mapping)
WAN IP Mapping:                 Public Fixed: address assigned in #1 above

9.               Click Save.

If the settings were successful, a green-boxed banner stating "Configuration Successful" should be displayed.

Note that step 8 must be done for any device connected that will use a static IP address.

10.           Click the Home tab, then Restart your System.

11.           Be careful here!  Click the Reset button next to Reboot System.  This will initiate a reboot of the gateway.  The process will take a few minutes.  During this time your connection to the Internet will be down, as well as any telephone lines provided by the gateway.

If you are now able to browse the web from the local LAN, you are done!  Document all your settings and keep them in a safe place.


What you end up with:

The gateway becomes a bridge in this scenario.  Once the supplemental network is configured and the addressing set up in the inside router, a wide open connection exists through the AT&T gateway to the statically addressed inside router.  This would also be true for any other device attached to the gateway that has a static address from the assigned range.  For these public addresses, the AT&T gateway provides no firewalling and AT&T does no upstream filtering.

The AT&T gateway will provide private addressing and firewalling for any device connected to its LAN port(s) so long as that device gets a DHCP-assigned address from the gateway or has a private address in the same subnet as the LAN side of the gateway.  This is why we make no changes to the LAN DHCP configuration in the gateway.

Optional and NOT RECOMMENDED unless you know what you are doing and have taken the necessary precautions to safeguard systems:

1.                If you want the router to assign addresses from the assigned public range click the LAN tab, then  DHCP and scroll to the bottom of the page to Select Default Address Pool for the DHCP Server.  For New Device DHCP Pool, use the drop-down to select Public Routed Network.

2.                Click Save.

If the settings were successful, a green-boxed banner stating "Configuration Successful" should be displayed.

This can be hazardous because the gateway's DHCP server will serve public addresses to any device connected to its LAN ports. 

How is this different from a DMZ?

The DMZ+ setting in the gateway acts in a similar fashion, except that it still provides some firewalling.  When DMZ+ is used, the inside router's WAN must be set to DHCP.  When all the settings are complete, the inside router's WAN address will be the WAN address normally seen as the WAN address of the gateway.  It should be noted that AT&T maintains a tight rein on these addresses via upstream filtering, so there are certain limits involved with its use.

For most implementations where static IP addressing isn't required but the end user wants to use their own router, DMZ+ is adequate.

Copyright 2009 - 2013 Ken Baker and bassesbyleo.com