
RV082 and Public Static IPs and UVerse (oh my!)

nbaker01
Level 1

I recently "upgraded" to Uverse from DSL. While the speed boost is nice, UVerse comes with a 2wire residential gateway that is driving me crazy. Unfortunately you can't disable the DHCP functionality in the 2wire router, nor can you disable the router functionality completely and just run it as a modem, which has pretty much made it impossible to integrate into my network.

So the partial solution anyway is to keep using the rv082 (yey!) behind the 2wire, assign a public static IP to the rv082 WAN1 i/f, disable the firewall in the 2wire for the rv082, and up and running again.

The problem I'm facing now is that I had 3 devices on the LAN that were published using individual public static IPs. With good-ol'-DSL, I could use the one-to-one-NAT feature in the rv082, block any unwanted traffic in the firewall, and everything works. Unfortunately with the configuration options in the 2wire, I can only assign a single public IP address to any one device hooked up to it, in this case the rv082 WAN1 port.

I have the one-to-one-NAT configured sequentially on the WAN and LAN side on the rv082 with nothing else hooked up to the 2wire. For example, one-to-one-NAT configuration in the rv082:

WAN range: 66.77.88.91 to 66.77.88.93

LAN range: 192.168.0.2 to 192.168.0.4

The 2wire is allocating the first public static IP in the range to the rv082 (i.e. 66.77.88.91). This works 100% reliably for this address - however because I can only assign a single address in the 2wire interface the other devices are no longer accessible externally. Curiously it kind of partially works, but not reliably. I can briefly connect to one of the other addresses (say xx.92), but then connectivity is lost to the others.

Someone suggested I try using the Dual-WAN feature to get at least two addresses assigned to the rv082. Seemed like a good idea in theory, i.e. because the 2 WAN ports have different MAC addresses, the 2wire should see two different devices and allow me effectively to assign two public IPs to the rv082, e.g. 66.77.88.91 to WAN1 and 66.77.88.92 to WAN2.

Of course failover mode won't work here, because only one is connected at a time. However the load-balancing mode did seem like it may work, but something is going on that I don't understand. Internal connectivity is working fine and I can access the internet, but for some reason the 2wire is getting really confused and constantly re-assigning IP addresses to the rv082. I don't know if this is because the host name is the same for both WAN1 and WAN2 ports, or there is something in how the rv082 does the load balancing.

So questions:

- Are there any tricks to getting the Dual-WAN to work in the way needed to essentially have two simultaneous internet connections?

- Would it be possible to buy a 2nd rv082 and have it on the same LAN? How would I configure this?

- Is there an alternative Cisco router that may work better with what I'm trying to do?

- Anyone else run into this problem with Uverse and solved it some other way?

Thanks,

Nick.

9 Replies

Tom Watts
VIP Alumni

Hi Nick, I don't think there is any good way about this. One thing I'd recommend is perhaps trying to create a DMZ for the RV082 on the Uverse. I've seen a lot of various results doing this but quite honestly, these "modem/routers" are a nightmare when you need more functions than those products may offer.

-Tom
Please rate helpful posts


Yes, the rv082 is configured in "DMZplus" mode (firewall completely disabled) within the 2wire configuration page.

What would happen with two rv082s on the same LAN? Is this even possible to configure?

You may put 2 rv082 on the same LAN but it is somewhat of a wasteful scenario. If doing this practice, you'd be better off simply buying a switch, they're cheaper and faster.

When connecting multiple routers on the same LAN, it has to be an ethernet to ethernet (lan to lan) connection and the dhcp would have to be disabled on one of the routers. It effectively makes 1 router a switch.

-Tom
Please rate helpful posts


I have your exact equipment in my home - RV082 and 2Wire U-verse Residential Gateway.  I have my U-verse TV receivers plugged directly into the Gateway, still handing out DHCP on 192.168.1.x, and also use the built-in wireless for smartphones and guests.   My RV082 gets one of the static IPs and then the rest of my home wired/wireless LAN is behind the RV082.

I understand what you're trying to do, and I have not tried to use the DMZ, although I agree with what you have deduced and what Thomas has said.  Using the second WAN IP would require that it present different MAC addresses for the two interfaces.  If the RGW sees the same MAC on both connections it will do the bouncing back-and-forth.  I took a quick look at mine (v1) and don't see an option to change this.  It's possible that v3 hardware could have this ability.

I think there is another way around this besides using 3 routers on the same LAN to get 3 IPs through - that's a waste of time and money. What exactly is the purpose of your 1-to-1 NAT? Is there a specific resource you are making available publicly, or are you serving multiple resources from each computer?

The problem is a mix of different hardware all wanting to use the same ports (e.g. 80). For some it's possible to change the integrated webserver to use a different port (e.g. 81), for some it's either not possible (e.g. for Windows Home Server), or maybe not convenient. 1-to-1 worked great for this. One feature that I've seen on some routers is the ability to map an external port to a specific device while remapping the port, e.g. WAN port 88 would go to LAN IP 192.168.0.10:80, but AFAIK this is not possible on the rv082.

Ah, but it IS possible!  =) 

  I installed several RV042 and RV082 for probably 3 years before I figured it out and it's so ridiculously easy you will probably hate yourself (as I did) for not figuring it out sooner.   I assume you have gone to the "Setup" tab and then there is a submenu called "Forwarding" where you can define ports (and ranges) to forward to internal IPs.  This actually is best for forwarding ranges of ports as there is no "port translation" and it's limited to 30 entries.   The very next tab is "UPnP"; it does what you're looking for and is not limited. 

I suggest you delete your services and entries out of the Forwarding section and just enter them on the UPnP page.  You don't have to enable UPnP function for your custom entries to work.  Enabling just allows computers and devices on the LAN to request/make forwarding entries automatically.  When you go to add your custom services here, you will notice that there are separate fields for "internal port" and "external port", I'm sure you can figure out the rest.   It's not as nice as being able to use the individual IP's, and there's more config than for 1-to-1 NAT, but I think there is an additional layer of security as well.

Are there any features you are using on the RV082 that the RGW doesn't have?   Dual WAN, VPN, and priority-based custom firewall entries are the only things it has over the 2-Wire RGW.   I use the VPN function periodically, and I test configurations on mine - otherwise I wouldn't have much use for it.  If you don't need the VPN or fancy firewall rules, I think you could look at just using the RGW (and an 8-port switch if needed).  It will do your 1-to-1 NAT very nicely and can forward only the ports you need to each internal device.

If my above suggestions of removing the RV082 or using UPnP port translation will not work for you, there is one other option.  It's a little bit "rigged" but it should work fine. (I have not tested this except in my mind) Going back to Thomas's first reply...

  1. Enable DMZ mode as a range on the RV082
  2. Carefully create firewall rules to make your "DMZ" just as locked down as the LAN, but allowing only the incoming ports you need through to each device.  Make sure you block all OUTBOUND traffic (to LAN or WAN) from the DMZ except from your range of Public IPs
  3. To avoid the separate network and secondary network cards, plug the DMZ into your LAN, which should be fine since it is fully firewalled and won't try to pass LAN traffic out.
  4. If your computers are running Windows, they can support multiple IPs on one network card. (other OS probably can, but I don't know for sure).  Just go into the config where you put in the static IP, click Advanced, and that's where you can add the second IP (or 3rd, 4th, etc).  Edit the gateway entry here to be the Public gateway IP (2-wire RGW's IP).   These computers will access all internet through the DMZ port on the router instead of from the LAN side.
  5. Let me know if this works, so I won't have to try something as crazy as this on my own network =)
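
The external-port to internal-port translation discussed in the post above, as an added example that is not part of the thread and not Cisco code: a small planner that fits several LAN services behind one public IP and reports the services that cannot share it. The host roles given to 192.168.0.2 through 192.168.0.4, the function names and the next-free-port policy are assumptions.

```python
def plan_forwards(services):
    """Plan TCP forwards behind a single WAN IP.

    services: iterable of (lan_ip, port, remappable).
    Returns (table, conflicts). table maps external port -> (lan_ip, port);
    conflicts lists (lan_ip, port, current_owner_ip) for fixed-port services
    that collide, i.e. the cases that still need their own public IP.
    """
    table, conflicts = {}, []
    # Pass 1: services that must keep their port number claim it first.
    for ip, port, remappable in services:
        if remappable:
            continue
        if port in table:
            conflicts.append((ip, port, table[port][0]))
        else:
            table[port] = (ip, port)
    # Pass 2: remappable services take their own port if free, else the next free one.
    for ip, port, remappable in services:
        if not remappable:
            continue
        ext = port
        while ext in table:
            ext += 1
            if ext > 65535:
                raise ValueError(f"no free external port for {ip}:{port}")
        table[ext] = (ip, port)
    return table, conflicts


def translate(table, dst_port):
    """Where an inbound connection to the WAN IP lands; None means not forwarded."""
    return table.get(dst_port)


# Constructed sample: the LAN range from the thread, with assumed roles.
SERVICES = [
    ("192.168.0.3", 80, True),     # device whose web port can be moved
    ("192.168.0.2", 80, False),    # Windows Home Server: 80, 443, 4125 fixed
    ("192.168.0.2", 443, False),
    ("192.168.0.2", 4125, False),
    ("192.168.0.4", 80, True),     # second device with a movable web port
]

if __name__ == "__main__":
    table, conflicts = plan_forwards(SERVICES)
    for ext in sorted(table):
        print(f"WAN tcp/{ext} -> {table[ext][0]}:{table[ext][1]}")
    print("needs its own public IP:", conflicts)
```

The resulting table is also the complete list of what is reachable from the WAN, which makes it easy to audit; anything not listed returns `None` from `translate`.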

OK, will need some time to digest. Did not realize that UPnP was configurable manually on the router, that's actually very helpful thanks. Unfortunately, I don't know if for WHS it's still a general enough solution even with port remapping as it uses ports 80, 443 and 4125. Remapping the original login screen from 80 to say 82 does actually let me access the site, which I couldn't before, but then it barfs on the SSL connection, let alone trying to run an RDP session. Will need to do some more reading here.

As to your question why I can't use the RGW only, this is because the network is based on Windows SBS, which wants to be the DHCP server. If only I could disable the DHCP server in the RGW all my problems would go away. As for why I'm running both SBS and WHS - don't ask! Presumably I could move the domain connected machines onto their own subnet (behind the rv082), and run everything else behind the RGW directly, but then is there a way of seamlessly bridging the two subnets?

I'll have to ponder the DMZ solution a bit longer.

Thanks,

Nick.

I really think the DMZ solution I diagramed above will work, unless the RV082 freaks out when you connect the DMZ port to the LAN. Since both ways are firewalled it should be no less secure, potentially more secure, just not a standard configuration. 

I think you CAN turn off DHCP on SBS, but it probably wouldn't like it and would be more difficult to manage.

This led to another crazy brainstorm here...   You could turn off NAT/Gateway function on the RV082 and just use it as a router.  (WAN same subnet as LAN)  The firewall should still work, and you could use it to block DHCP from the RGW from passing through (if needed).  The RGW DHCP will need to be set as manual config to same subnet as your LAN, but a smaller range that is excluded from the SBS DHCP range.   With this setup, the RGW should see the LAN devices through the RV082 and you can assign your 1-to-1 NAT, pinholes, etc in the RGW.  There wouldn't be much purpose to the RV082 except to block DHCP.   Also it would isolate the TV receivers and any wireless guests on the RGW from seeing your actual LAN.

You could also just use the DMZ range to accomplish this.  It would limit the router features available, but you probably wouldn't be using most of them anyway in this type of config
