Configuring multiple static IP addresses with AT&T Residential U-verse service

Lawrence Widman, 11/24/2011 (uverse-static-IP at cardiothink.com)

Introduction

AT&T is a last-mile provider of data services in parts of the USA. Fiber-based data services are marketed as "U-verse", and differ depending on whether the site of service is considered "business/commercial" or "residential".
Most residential users seem to require only dynamic IP addresses. AT&T has begun including static IP addresses, leased in a minimum block size of 5 (/29 space) but its Tier2 support personnel are not familiar, in my experience, with networking concepts in general and with the supplied router in particular.
This document describes configuration of the AT&T-supplied router to implement multiple static IP addresses. The equipment used was a 2Wire, Inc. 3600HGV, for which no detailed documentation appears to be available on the Internet. Documentation on configuration of similar but not identical 2Wire routers for static IP ("broadband") addresses appears here. (The 3600HGV is provided for users who require Internet and voice service but not television; the reportedly similar 3800 is supplied to those who require all three.) The user interface is a web interface that can be accessed wirelessly and over a wired port.
There are several challenges in configuring the router for static IP use. It actively filters packets and therefore does not simply pass them from one interface to the other. Also, it will not accept packets from a device on its LAN side if it has not previously recognized that device. Finally, it will accept statically assigned IP addresses from within the public block assigned to the user (after it is configured), but it will accept only one static IP per MAC address. Thus, aliased interfaces, which share a common MAC address, are not recognized as being different and therefore cannot implement different IP addresses. Simply put, to implement multiple static IP addresses, the user must connect to the router either separate devices (computers, printers, etc.) with unique MAC addresses, or the equivalent.

Many security-conscious users prefer to maintain an inner firewall, such as a Linksys WRT54GL router running open-source firmware, over which they have complete control. They would prefer not to connect their individual devices directly to the AT&T-supplied router. This can be accomplished by configuring the Linksys router (or equivalent) to implement separate VLANs on the wide-area network side of that device, each of which can have its own MAC address. The following four sections discuss background information on IP addresses, configuration of the 2Wire 3600HGV router to implement static IP addresses, and configuration of a Linksys WRT54GL router running software from openwrt.org so that its extra ports each present a separate MAC address; and show configuration files for the WRT54GL router.

Background information on IP addresses

The IP addresses below assume a /29 address, which includes 8 addresses. A /29 address (out of 32 bits) uses the last 3 bits (bits 30, 31, and 32) for the user's IP space. For example, consider the /29 address space XXX.YYY.ZZZ.72-79.
The first address XXX.YYY.ZZZ.72 is the network address and cannot refer to an individual device. You can check this by using a programming calculator to convert the last of the 4 numbers to binary. You will see that 72 in binary has all zeros in the last 3 bits.
The last address XXX.YYY.ZZZ.79 is the broadcast address and cannot refer to an individual device. You can check this by using a programming calculator to convert the last of the 4 numbers to binary. You will see that 79 in binary has all ones in the last 3 bits.
Of the remaining six addresses, one is assigned to the AT&T router. This is under AT&T's control. It is important to know that the first of the six addresses was assigned to the router in my residential installation, while the last was assigned to the router in the commercial installation (a different manufacturer and model of router) set up in my office the week before. This distinction is particularly important because two separate AT&T Tier2 support personnel told me that the residential router was assigned the last of the six addresses, and were quite insistent even though they were obviously wrong. So, if you cannot communicate with the router, try using the other address (i.e., start with XXX.YYY.ZZZ.73 but switch to XXX.YYY.ZZZ.78 if nothing else works).
The remaining five addresses may be used by the user.
Below, we use the fake dot-quad form XXX.YYY.ZZZ.QQQ to denote your assigned static IP addresses. You should of course substitute your own numbers.
The netmask for a /29 address space (block of 8, of which 5 are usable) is 255.255.255.248. For a /28 space (block of 16), it is 255.255.255.240. For a /27 space (block of 32), it is 255.255.255.224. See an enumeration of Subnet Address, Address Range, and Broadcast Address for blocks from 4 to 64 addresses here.
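The /29 arithmetic above, worked through with explicit bit operations so the "all zeros / all ones in the last 3 bits" check is visible. This is an added example, not part of the original page; it uses the constructed documentation prefix 203.0.113 in place of XXX.YYY.ZZZ, and it generalizes to any prefix length, including the /28 and /27 cases the text lists.

```python
# Added example (not from the original page). 203.0.113.x is a constructed
# stand-in for the XXX.YYY.ZZZ.x block the text uses.

def dq_to_int(dq):
    """Dotted-quad string -> 32-bit integer (raises on malformed input)."""
    parts = [int(p) for p in dq.split(".")]
    if len(parts) != 4 or any(p < 0 or p > 255 for p in parts):
        raise ValueError("bad IPv4 address: %s" % dq)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_dq(n):
    """32-bit integer -> dotted-quad string."""
    return "%d.%d.%d.%d" % ((n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255)

def netmask(prefix):
    """Netmask for a /prefix block: 255.255.255.248 for /29, .240 for /28, .224 for /27."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def last_bits(address, prefix):
    """The host bits of the address as a binary string: the programming-calculator check
    from the text ('000' for the network address, '111' for broadcast in a /29)."""
    host_bits = 32 - prefix
    return format(dq_to_int(address) & ((1 << host_bits) - 1), "0%db" % host_bits)

def block_info(address, prefix):
    """Network, broadcast, netmask and usable addresses of the block containing address.
    gateway_candidates lists the first and last usable address: the text reports AT&T
    assigning the first to the residential gateway and the last to the commercial one."""
    mask = netmask(prefix)
    net = dq_to_int(address) & mask          # host bits cleared -> network address
    bcast = net | (~mask & 0xFFFFFFFF)       # host bits set     -> broadcast address
    usable = [int_to_dq(a) for a in range(net + 1, bcast)]
    return {
        "network": int_to_dq(net),
        "broadcast": int_to_dq(bcast),
        "netmask": int_to_dq(mask),
        "usable": usable,
        "gateway_candidates": [usable[0], usable[-1]] if usable else [],
    }

if __name__ == "__main__":
    info = block_info("203.0.113.75", 29)   # any address in the block gives the same answer
    for key in ("network", "broadcast", "netmask", "gateway_candidates"):
        print("%-18s %s" % (key + ":", info[key]))
    print("usable:            %s" % ", ".join(info["usable"]))
    print("host bits of .72:  %s   host bits of .79: %s"
          % (last_bits("203.0.113.72", 29), last_bits("203.0.113.79", 29)))
```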

Configuration of the 2Wire 3600HGV router to implement static IP addresses

NOTE: This discussion assumes that you have (at least) one computer or interior router connected to the AT&T router. If not, it will have no way to know what you have on your network, because you cannot program anything for devices it has never seen. One way to assign a static IP address to a given device is to configure that device (i.e., computer, printer, etc.) with the static IP address itself; the AT&T router will use that IP address and accept packets for it from the Internet. The other way is to have the router assign the public IP address from a DHCP pool. I did not try this, although the router's user interface says it should work.
NOTE: If the AT&T router becomes unresponsive or otherwise hopelessly confused, press the Reset button on the back for about 10 sec, and it will reset to factory defaults. (One Tier2 representative, who was being very cooperative, explained to me that in this situation the router must be returned for service. After that, I noticed the Reset button and it worked as above.)
NOTE: References to the web-based user interface to the router, by default http://192.168.1.254/, are of the form A->B->C, where A is a top-level menu item, B is an item in a submenu of A, and C is an item in a submenu of B. For conciseness, the very top-level menu item ("Settings") is omitted below.
NOTE: When a page has a "Save" button, press it after making the changes below. This step is omitted below after the first step, for conciseness.
  1. Under Broadband->Link Configuration:
  2. Under LAN->Address Allocation. Under the Device corresponding to your interior router or other computer attached to the AT&T router:
  3. Under Firewall->Advanced Configuration: Note: the following will prevent the AT&T router from blocking the enumerated threats. But you have your own firewall, don't you? If not, it's probably better not to make these changes, and you probably should not be trying to do what this document describes in the first place.
  4. Under Firewall->Applications, Pinholes and DMZ. Note: this step must be repeated for each unique MAC address presented to the AT&T router, but the router is supposed to remember the configuration unless the Reset button is pressed.
At this point, all of the static IP addresses for the devices currently connected to the router should be ping-able from the Internet and packets directed to all ports for TCP and UDP should be passed to the corresponding device. Other IP protocol numbers, such as Generic Routing Encapsulation (GRE) (47) may not pass but I have not tested this. This source says that GRE should work: "The RG [Residential Gateway, the AT&T router], when you've configured its firewall to open PPTP, will let the GRE packet through to the PPTP server."

Configuration of a Linksys WRT54GL router running openwrt.org software to create separate VLANs on the wide-area network side with separate MAC addresses for each VLAN.

The specific device discussed here, a Linksys WRT54GL router, has 5 wired ports and wireless capability. The manufacturer's firmware was replaced with open-source software from www.openwrt.org. The device is described on that site here. Many other devices can run the openwrt software, and some of these likely have more physical ports. The specific device described here can use only 4 of the allocated 5 public IP addresses. If a device with more ports were used, more public IP addresses could then be used.
The 5 wired ports are usually configured into two "virtual local area networks" (VLANs), with one wide-area network (WAN) connection and with the remaining four ports bridged together on the local-area network (LAN) side. A firewall on the device, implemented with standard iptables, governs transit of packets between the two sides. In this section, we describe reconfiguring it to create five VLANs, with four on the WAN side of the firewall and one on the LAN side, but to allow packets from the one LAN port to reach all of the WAN ports and vice versa.
The essential elements are the following. Please note that I am not an expert in this area, and that some changes may have been unnecessary, and some essential steps may have been omitted that may contribute to occasional failures to work properly after rebooting but not after power-cycling the Linksys router.

Configuration files for the Linksys WRT54GL router

/etc/config/network:

/etc/init.d/network:

/etc/init.d/firewall: