LinuxQuestions.org
Old 10-04-2019, 03:09 PM   #1
rsteinmetz70112
LQ Newbie
 
Registered: Jun 2018
Posts: 10

Rep: Reputation: Disabled
ATT BGW210 iptables 1 to 1 NAT


We recently "upgraded" our Internet service with ATT. They provided an ARRIS BGW 210 Gateway.

Previously we had ATT U verse service using a 5268AC FXN which worked as a cascaded router.

Our service includes a block of Public IP addresses. Previously I used iptables to provide a 1 to 1 NAT translating between public and private IP addresses. Under the old Gateway we configured a 'Cascaded Router', set it to the IP address of the server running iptables, and everything worked.

Here are the router settings I've tried:

Code:
Cascaded Router
Cascaded Router Enable - Yes

Cascaded Router Address - 192.168.1.1
Network Address -aa.bb.cc.8
Subnet Mask 255.255.255.48

With the new Gateway, whenever I try to configure the Cascading Router the Gateway freezes saying "Session Rejected".

The iptables rules are stored in a file called /etc/iptable.rules:

Code:
:PREROUTING ACCEPT [66316:6289839]
:INPUT ACCEPT [33999:3265034]
:OUTPUT ACCEPT [10562:903361]
:POSTROUTING ACCEPT [4:240]
-A PREROUTING -d aa.bb.cc.14/32 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -d aa.bb.cc.9/32 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -d aa.bb.cc.10/32 -j DNAT --to-destination 192.168.1.3
-A PREROUTING -d aa.bb.cc.11/32 -j DNAT --to-destination 192.168.1.28
-A PREROUTING -d aa.bb.cc.12/32 -j DNAT --to-destination 192.168.1.29
-A PREROUTING -d aa.bb.cc.13/32 -j DNAT --to-destination 192.168.1.4
-A POSTROUTING -s 192.168.1.1/32 -j SNAT --to-source aa.bb.cc.14
-A POSTROUTING -s 192.168.1.2/32 -j SNAT --to-source aa.bb.cc.9
-A POSTROUTING -s 192.168.1.3/32 -j SNAT --to-source aa.bb.cc.10
-A POSTROUTING -s 192.168.1.28/32 -j SNAT --to-source aa.bb.cc.11
-A POSTROUTING -s 192.168.1.29/32 -j SNAT --to-source aa.bb.cc.12
-A POSTROUTING -s 192.168.1.4/32 -j SNAT --to-source aa.bb.cc.13

Checking the actual rules, here is what I get:

Code:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             aa.bb.cc.14          to:192.168.1.1
DNAT       all  --  anywhere             aa.bb.cc.9           to:192.168.1.2
DNAT       all  --  anywhere             aa.bb.cc.cc          to:192.168.1.3
DNAT       all  --  anywhere             aa.bb.cc.11          to:192.168.1.28
DNAT       all  --  anywhere             aa.bb.cc.12          to:192.168.1.29

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  hamlet               anywhere             to:aa.bb.cc.14
SNAT       all  --  192.168.1.2          anywhere             to:aa.bb.cc.9
SNAT       all  --  192.168.1.3          anywhere             to:aa.bb.cc.cc
SNAT       all  --  romulus.local        anywhere             to:aa.bb.cc.11
SNAT       all  --  remus.local          anywhere             to:aa.bb.cc.12
MASQUERADE  all  --  anywhere             anywhere
SNAT       all  --  hamlet               anywhere             to:aa.bb.cc.14
SNAT       all  --  hamlet               anywhere             to:aa.bb.cc.14
SNAT       all  --  hamlet               anywhere             to:aa.bb.cc.14

The only problem I've been able to come up with is that the above command takes almost 3 minutes to complete, which seems far too long.
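
Added example, not part of the original post: the rules file above and the live `iptables -t nat -L` listing do not match (a mapping is missing, SNAT rules are repeated, and a MASQUERADE rule sits in between), so a small audit of a 1:1 NAT ruleset for exactly those conditions is sketched here. The function name `audit_one_to_one` and the sample ruleset are assumptions constructed for illustration, and the check treats only an unconditional `-A POSTROUTING -j MASQUERADE` as shadowing later rules.

```python
import re
from collections import Counter

# Constructed sample in iptables-save format; 203.0.113.0/24 is a documentation
# range standing in for the public block, not the poster's addresses.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.14/32 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -d 203.0.113.9/32 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -d 203.0.113.13/32 -j DNAT --to-destination 192.168.1.4
-A POSTROUTING -s 192.168.1.1/32 -j SNAT --to-source 203.0.113.14
-A POSTROUTING -s 192.168.1.2/32 -j SNAT --to-source 203.0.113.9
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.1.1/32 -j SNAT --to-source 203.0.113.14
COMMIT
"""

DNAT = re.compile(r"-A PREROUTING -d (\S+?)(?:/32)? -j DNAT --to-destination (\S+)$")
SNAT = re.compile(r"-A POSTROUTING -s (\S+?)(?:/32)? -j SNAT --to-source (\S+)$")

def audit_one_to_one(ruleset):
    """Return findings for a 1:1 NAT ruleset given as iptables-save text."""
    dnat, snat, seen, findings = {}, {}, Counter(), []
    catch_all = False  # an unconditional MASQUERADE ends POSTROUTING matching
    for line in (l.strip() for l in ruleset.splitlines()):
        if not line.startswith("-A "):
            continue  # table name, chain policies, COMMIT, comments
        seen[line] += 1
        if line == "-A POSTROUTING -j MASQUERADE":
            catch_all = True
        elif m := DNAT.match(line):
            dnat[m.group(1)] = m.group(2)            # public -> private
        elif m := SNAT.match(line):
            if catch_all:
                findings.append(f"SNAT for {m.group(1)} is shadowed by MASQUERADE")
            snat.setdefault(m.group(1), m.group(2))  # private -> public
    for public, private in dnat.items():
        if snat.get(private) != public:
            findings.append(f"DNAT {public} -> {private} has no matching SNAT")
    for private, public in snat.items():
        if dnat.get(public) != private:
            findings.append(f"SNAT {private} -> {public} has no matching DNAT")
    findings += [f"rule appears {n} times: {r}" for r, n in seen.items() if n > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_one_to_one(SAMPLE)))
```

Feed it the output of `iptables-save -t nat`, which prints numeric addresses and performs no DNS lookups.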
 
Old 10-04-2019, 04:21 PM   #2
teckk
LQ Guru
 
Registered: Oct 2004
Distribution: Arch
Posts: 5,153
Blog Entries: 6

Rep: Reputation: 1835
The ARRIS BGW 210 won't bridge, it does double NAT. Lots of threads on ATT's site about that. https://forums.att.com/

If you are doing passthrough then the device hooked to it will have a public IP, the IP of the portal. I haven't done that on purpose. Look at ATT's forum. There seem to be lots of complaints and solutions to that. In fact it's probably the number one thing people talk about.

https://forums.att.com/t5/forums/sea...false&q=bgw210

That thing has a digital certificate in it, it is required to authenticate against ATT. There are threads on how to use your own router by plugging both into a dumb switch, authenticating with the bgw210, turn the other one on, turn the bgw210 off. As long as power stays at the switch, you are good.

I think you'll get answers by scanning ATT's forum.
 
Old 10-04-2019, 04:55 PM   #3
rsteinmetz70112
LQ Newbie
 
Registered: Jun 2018
Posts: 10

Original Poster
Rep: Reputation: Disabled
I've been on ATT's forum and looked at a lot of "Solutions" but most of them aren't complete or refer to what they call NAT/Gaming which is really setting a pinhole in the firewall or to older hardware, which isn't the same. For example we had the NVG589 set up until last week. I still have it and it worked as a Cascaded Router. A similar configuration won't work on the BGW 210, every time I try to configure it I get a server error, which may be an ATT configuration error or bug.

I've found a couple that say they got it working but I can't duplicate their success.

Talking to ATT is a waste of time. I'm nearly ready to throw them out.

There are only two posts that refer to a Cascaded Router option and they both are having the same problem I have.
 
Old 10-07-2019, 11:39 AM   #5
rsteinmetz70112
LQ Newbie
 
Registered: Jun 2018
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by teckk View Post
Few more links

https://www.dslreports.com/forum/r32...-4-4~start=390
This one as far as I can tell does not have any entry for a cascaded Router. The Passthru feature as far as I can tell requires a device with a fixed Public IP address. I may try to do some more

https://www.dslreports.com/forum/r29...ue-bridge-mode
This thread seems to relate to increasing speed of the connection by simulating a true bridge mode.

https://github.com/jaysoffian/eap_pr...ster/README.md
This one seems to mostly concern using the Ubiquiti EdgeRouter to bypass the ATT Device.
 
  

