AT&T Gigabit and IPsec Tunnels

SamirD (Supreme [H]ardness, joined Mar 22, 2015, 7,277 messages)
So I'm considering getting AT&T at one of our sites. I actually had their non-gigabit service in the past about 5 years ago and still have the Pace 5268AC from that service. The problem I ran into at that install is that the vpn router which was behind the ATT one in their 'DMZ+' could not process phase 2 IPsec tunnel negotiations. The ATT router was blocking them even though everything was turned off. Finally, the solution that I was told that I needed was to buy a block of static public IPs from ATT and then these had to be programmed into the ATT router and once my vpn router had a true public IP, the IPsec tunnels worked fine. I really had my doubts that this was going to work when it was first presented as 'the solution' and was a real headache.

So fast forward a few years and move the site a few thousand miles (okay so maybe just a thousand) and now I have the opportunity to go down this rabbit hole again, except this time it's ATT gigabit service. I have to pay $10/mo for 'equipment' even if I use the old Pace 5268AC, and I have no idea what consumer crap they're pushing out these days so I have no clue what issues I could run into this time. And hence my post, and my question--does anyone have an SMB/enterprise-grade IPsec VPN router running tunnels successfully behind your ATT equipment and if so, what did you have to do and how much of a pain was it?

Currently this site has cable, but sometimes the packet loss irks me. I want to get a second line here so I'm not at the mercy of a single isp.

Thank you in advance for any replies!
 
In theory I've got a Pace 5268 which is what they were using 2ish years ago. It's bypassed and sitting cold atm. In its place is a fortigate with multiple ipsec tunnels. That said depending on where you have moved bypassing may no longer be an option. I would highly suggest checking out the dslreports uverse sub-forum where this is a very frequent topic.

I can say that I am going to attempt to build a tunnel to someone semi-local that has the newer BGW320 with integrated ONT, which seems to be what's getting handed out in some areas. That may or may not happen later in the week.
 
What model of Fortigate and what did you have to set up to get everything to work? I checked out the dslr thread back when I first faced this issue before they figured out the VLAN workaround, but that's about as much as I know about it atm.

I'd be interested in what you run into with the BW320--especially if they have their vpn router behind it.
 
I moved out of AT&T territory three years ago, but I built my own modem bypass, and still remember most of the details (yay memory for useless knowledge). I've heard they're pushing a combined ONT and gateway which you can't really bypass, and assuming their gateways are still as bad at their job as before, you'd probably need a block of IPs again, and hope.

The gateway bypass is pretty simple, if you have a way to proxy 802.1X packets. I built some software for FreeBSD to do it, but someone told me a dumb switch will tend to broadcast 802.1X on all ports, so there's lots of ways to let the gateway be connected until 802.1X is authorized and then swap in your router; ONT stays connected to the switch all the time, so it won't notice the connection dropped and your connection will stay authorized. Shows just how useful 802.1X is for security. :rolleyes:
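As an added illustration of the 802.1X relay the post above describes (this is not the poster's FreeBSD software, nor anything from this thread): a minimal Python EAPOL proxy. It sits between two ports, passes only EtherType 0x888E (EAPOL) frames between the ONT side and the gateway side, leaves all other traffic alone, learns the gateway's MAC from its EAPOL frames (the MAC the router later clones on its ONT-facing WAN port; the cloning itself is outside this block), and tracks EAP-Success/EAP-Failure so you know when the ONT port is authorized. The interface names, the gateway MAC and the sample frames in `demo()` are constructed placeholders, and the raw-socket loop in `run_relay()` is Linux-only (AF_PACKET) and needs root.

```python
import select
import socket
import struct

ETH_P_PAE = 0x888E                      # IEEE 802.1X EAPOL EtherType
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# Placeholder interface names (assumption, not from the thread).
IFACE_ONT = "eth0"                      # port cabled to the ONT
IFACE_GW = "eth1"                       # port cabled to the AT&T gateway's ONT jack


def parse_eapol(frame: bytes):
    """Parse an Ethernet frame; return a dict if it is EAPOL, else None."""
    if len(frame) < 18:                 # 14-byte Ethernet + 4-byte EAPOL header
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PAE:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:              # truncated EAPOL payload
        return None
    info = {"dst": frame[0:6], "src": frame[6:12], "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "eap_code": None}
    if ptype == 0 and length >= 4:      # EAP-Packet: code(1) id(1) length(2) ...
        info["eap_code"] = EAP_CODES.get(body[0], f"unknown({body[0]})")
    return info


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build an EAPOL frame (used only to construct sample frames for the demo)."""
    return (dst + src + struct.pack("!H", ETH_P_PAE)
            + struct.pack("!BBH", 1, ptype, len(body)) + body)


class EapolRelay:
    """Decides what crosses between the ONT port and the gateway port.

    Only EAPOL frames are relayed; the IP session itself never touches the
    gateway side. The authorization state is inferred from EAP codes seen
    on the ONT side, so it is only as accurate as what the authenticator sends.
    """

    def __init__(self):
        self.authorized = False
        self.gateway_mac = None         # learned from the gateway's own EAPOL frames

    def handle(self, frame: bytes, from_ont: bool) -> bool:
        """Return True if the frame should be forwarded to the other port."""
        info = parse_eapol(frame)
        if info is None:
            return False                # not EAPOL: drop (the router handles WAN traffic)
        if not from_ont:
            self.gateway_mac = info["src"]
        if from_ont and info["eap_code"] == "Success":
            self.authorized = True
        elif info["eap_code"] == "Failure" or info["type"] == "EAPOL-Logoff":
            self.authorized = False
        return True


def demo():
    """Run the relay logic over three constructed frames (no network needed)."""
    relay = EapolRelay()
    gw = bytes.fromhex("0200aabbccdd")              # constructed gateway MAC
    auth = bytes.fromhex("02000eadbeef")            # constructed authenticator MAC
    pae = bytes.fromhex("0180c2000003")             # 802.1X PAE group address
    start = build_eapol(pae, gw, 1)                 # gateway -> ONT: EAPOL-Start
    success = build_eapol(gw, auth, 0, b"\x03\x05\x00\x04")   # ONT -> gateway: EAP-Success
    ipv4 = gw + auth + b"\x08\x00" + b"\x45" + b"\x00" * 19   # ordinary IPv4 frame
    results = [relay.handle(start, from_ont=False),
               relay.handle(success, from_ont=True),
               relay.handle(ipv4, from_ont=True)]
    return results, relay.authorized, relay.gateway_mac


def run_relay():
    """Forward EAPOL frames between the two ports (Linux AF_PACKET, needs root)."""
    relay = EapolRelay()
    name_of, sock_of = {}, {}
    for name in (IFACE_ONT, IFACE_GW):
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_PAE))
        s.bind((name, 0))
        name_of[s], sock_of[name] = name, s
    peer = {IFACE_ONT: IFACE_GW, IFACE_GW: IFACE_ONT}
    while True:
        readable, _, _ = select.select(list(name_of), [], [])
        for s in readable:
            frame = s.recv(2048)
            name = name_of[s]
            if relay.handle(frame, from_ont=(name == IFACE_ONT)):
                sock_of[peer[name]].send(frame)


if __name__ == "__main__":
    print(demo())   # exercise the decision logic; call run_relay() for the live loop
```

Once `relay.authorized` goes True the ONT port is carrying an authenticated session for the gateway's MAC; the router's ONT-facing interface then has to use that same MAC for its WAN traffic, and the gateway has to stay reachable for whatever reauthentication the authenticator requests.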
 
Yeah, this is kinda the kludge I remember it being. I think the ONT is already here as there's a single terminated fibre ready to plug into something. Ironically, my current cable modem connection also comes in on another fibre and then is converted to coax via some box. My goal is to have both connections live simultaneously and get a dual-WAN capable VPN router and run my IPsec tunnels over both for redundancy and increased bandwidth. But having to deal with a kludge on the ATT side may make me want to just scrap the whole idea.
 
I have ATT with an ASA behind it. I have static IPs & VPN works fine. It's a huge PITA getting static IPs working 'the way you want' on their router. It doesn't just bridge the connection.
I wrote some instructions to myself years ago (once I got it working I haven't had to touch it in years), here they are, hope it helps:

Code:
5268AC instructions:
 
 192.168.1.254
 Settings - System Info - Event Notifications
 Disable router behind router detection
 save
 
 Settings - Lan - Wi-Fi
 Disable wifi interface 2.4 & 5ghz
 save
 
 Settings - Lan - DHCP
 change to 172.16.0.0
 save
 
 172.16.0.1
 Settings - Lan - Firewall - Applications
 Select my ASA
 Select bottom radio button, dmzplus
 save
 press red button to reboot

FYI they block outgoing port 25, and will want an upcharge per month to unblock it, something like $20. I said F that and ended up getting a Digital Ocean VPS to relay my email for $5. Still BS IMHO, but considering the bandwidth I get for the price, I'll live with it.

 
Thank you for posting! Yeah, it was some weird process to get the static IPs in the ATT gateway and I'm sure I wrote down instructions somewhere too, but it's sad that it still works this way. :( Maybe a business account won't have this issue?
 
it's sad that it still works this way. :( Maybe a business account won't have this issue?

You'd think that, but business accounts still have the same POS RG, you know, where the R stands for residential... go figure. No, to lose that crap is a different product with a VERY different level of pricing. :(
 