I'm getting conflicting information from AT&T on their business class Uverse internet connection. Let me explain:

18 MB Uverse internet installed yesterday  for a small business. AT&T installed an iNID unit with an i38HG TwoWire AP.  Customer requested AT&T Uverse service prior to me being involved.

I would like to disable the existing DHCP service and firewall on the 2Wire device and have a Windows 2008 server perform DHCP and internal DNS services and install a Watchguard firebox as a firewall. The AT&T installers said "no problem"; a AT&T Tier 2 iNID support tech said you cannot disable DHCP on the 2Wire device without taking down the internet connection.

The AT&T installer said I could plug an Ethernet cable in the Telco Access port on the iNID to the switch and eliminate the TwoWire AP. AT&T Tier 2 iNID support tech said that will not work.

I asked if it is possible to configure the iNID device without its firewall enabled and in bridge mode. The Watchguard will act as a firewall and handle address translation. Only the Watchguard would NAT, not the 2Wire device. The AT&T installer said he thought that was OK. The tier 2 tech said this is not supported.

Will this config work?

Thanks in advance for all feedback.

asked 06/14/2011 08:37

DrewBryant1961's gravatar image

DrewBryant1961 ♦♦

5 Answers:
I have same set up.  Disabled dhcp on internal net no problem.  I use static outside ip, so it takes a little more configuration on 2 wire.  2 wire cannot be set to nat,  I did not nat my watchgaurd either.  Uverers support is hit and miss.  2wire is very limited in configuration options.
rtay's gravatar image


Can you expand upon your setup?

Are you:

using the iNID telco access port to connect to your switch?

disabling the DHCP service from the 2Wire device and using a Windows server for DHCP? AT&T said I could not do this.

disabling NAT on the 2Wire device? AT&T said I could not do this.

disabling NAT on the Watchguard as well? How many devices do you have behind the Watchguard? Are all IP(s) statically assigned? I will have many more devices than I will static addresses and cannot double NAT.

What model Watchguard are you using?

Do you have a public mail or web server on the uverse connection?

I will see the 2Wire config for the first time tomorrow.


DrewBryant1961's gravatar image


I will post my config info tomorrow when I can get to my computer.  Working off phone now.  

rtay's gravatar image


I have a WatchGuard Firebox X Edge.  This is set up at a remote site for VPN.  I have Internal DHCP turned off on the 2Wire, but use the firebox to serve DHCP due to the fact that it is a subnet network.  I use DNS from the domain controler (2008 server).  The internal interface on the watchguard is pointed to the domain controller for DNS.  On the firebox you can enable dns relay to your server.  

I have the firewall on the 2 wire turned completely off.  I have the 2 wire just routing outside I to the watchguard so it is sitting outside of the network.  I have five devices sitting on the subnet.  I cannot get to my 2wire config so I can not give you all the information I wanted to.  I am pretty sure that nat is turned off, because I seem to remember enableing it and it shut down the network.  It has been awhile, so I do not remember much more.  Sorry I could not be more help.
rtay's gravatar image


Here what you have to do:

AT&T installed an i3812V (usually outside) and a 4 port wireless AP i38HG (usually inside). In my case both units were inside the wiring closet of an office building. The business in question obtained TV and internet service from AT&T. Here's what I did (kudos to SomeJoe7777 on the AT&T Uverse forum:

There is no true bridge mode on the 2Wire routers.  However, you can still configure it such that almost all functions of your own router will work properly.

1. Set your router's WAN interface to get an IP address via DHCP.  This is required at first so that the 2Wire recognizes your router.
2. Plug your router's WAN interface to one of the 2Wire's LAN interfaces.
3. Restart your router, let it get an IP address via DHCP.
4. Log into the 2Wire router's interface.  Go to Settings -> Firewall -> Applications, Pinholes, and DMZ
5. Select your router under section (1).
6. Click the DMZPlus button under section (2).
7. Click the Save button.
8. Restart your router, when it gets an address via DHCP again, it will be the public outside IP address.  At this point, you can leave your router in DHCP mode (make sure the firewall on your router allows the DHCP renewal packets, which will occur every 10 minutes), or you can change your router's IP address assignment on the WAN interface to static, and use the same settings it received via DHCP.
9. On the 2Wire router, go to Settings -> Firewall -> Advanced Configuration
10. Uncheck the following: Stealth Mode, Block Ping, Strict UDP Session Control.
11. Check everything under Outbound Protocol Control except NetBIOS.
12. Uncheck NetBIOS under Inbound Protocol Control.
13. Uncheck all the Attack Detection checkboxes (7 of them).
14. Click Save.

Your router should now be able to route as if the 2Wire was a straight bridge, for the most part.

Inbound port 22 might be blocked, and inbound ports 8000-8015 might also be blocked, and there's nothing that can be done about it.

The Watchguard is setup for dynamic NAT to a subnet other than 192.168.1.x/24 (that's what the 2Wire device uses)

UVerse is not a good ISP for business and the support leaves a lot to be desired.

Thanks for your response.
DrewBryant1961's gravatar image


Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments



Asked: 06/14/2011 08:37

Seen: 1037 times

Last updated: 06/28/2011 04:54