Configuring IP Passthrough

Determining the Business Need
Business customers sometimes state that they need DSL/Broadband CPE that can be configure or placed into a Bridged Mode where they are putting other CPE behind the DSL/Broadband CPE. Many times these customers can be better served with a configuration known as IP Passthrough. The below information explains the difference between IP Passthrough vs Bridged mode and provides instructions on how to configure the Motorola NVG510 gateway and Motorola 2210/2310 modems for IP Passthrough.

IP Passthrough means the AT&T supported CPE device terminates the DSL, authenticates with the network (Receives a WAN IP) and shares that IP address with a single device connected to the AT&T supported CPE equipment. This configuration is often times suitable for a business customer desiring to connect third party equipment to AT&T supported equipment. The "IP Passthrough configuration still allows AT&T support groups to access the AT&T supported equipment while allowing end-users to connect third party equipment in a configuration they desire. The "IP Passthrough" configuration will only allow one connection to AT&T supported equipment to be "unfiltered" or pingable from the WAN or internet side of the AT&T equipment (does not support multiple pingable connections).

Configuring Motorola NVG510 Gateway In Passthrough
The IP Passthrough feature allows a single PC on the LAN to have the Router's public address assigned to it. It also provides Port Address Translation (PAT)–Network Address Port Translation (NAPT) via the same public IP address for all other hosts on the private LAN subnet. Here are the steps for configuring the Gateway in IP Passthrough:

Note: Remember to make a copy of all current ip settings before proceeding. Instructions:
  • Run your Web browser application, such as Firefox or Microsoft Internet Explorer, from the computer connected to the Motorola® Gateway.
  • Enter http://192.168.1.254 in the Location text box.
  • Select the Firewall tab from the Web Management page. Firewall page displays status of systemfirewall elements.
  • Select the IP Passthrough option by selecting the IP Passthrough or Disabled option from the drop-down menu to activate or deactivate IP Passthrough.
  • After the desired setting is achieved, click on the Save button.
  • A re-starting Gateway reminder message will appear, click on the Restart Now button to complete the setting change.

IP Passthrough overview

IP Passthrough overview:
  • The public WAN IP is used to provide IP address translation for private LAN computers.
  • The public WAN IP is assigned and reused on a LAN computer.
  • DHCP address serving can automatically serve the WAN IP address to a LAN computer.
    • When DHCP is used for addressing the designated Passthrough PC, the acquired or configured WAN address is passed to DHCP, which will dynamically configure a single-servable-address subnet, and reserve the address for the configured PC's MAC address. This dynamic subnet configuration is based on the local and remote WAN address and subnet mask. If the WAN interface does not have a suitable subnet mask that is usable, for example when using PPP or PPPoE, the DHCP subnet configuration will default to a class C subnet mask.
  • Click Save. Restart the Gateway reminder appears. Click the Restart Now button.
    • Once configured, the Passthrough host's DHCP leases will be shortened to two minutes. This allows for timely updates of the host's IP address, which will be a private IP address before the WAN connection is established. After the WAN connection is established and has an address, the Passthrough host can renew its DHCP address binding to acquire the WAN IP address.
  • Restriction:
    Since both the PC's on private IP addresses (Like 192.168.1.X) behind the Gateway and the PC configured for IP pass through will use the same WAN IP address , new sessions that conflict with existing sessions will be rejected by the Gateway. For example, suppose you are a teleworker using an IPSec tunnel from a PC on a private IP address and a second person sets up A VPN connection from the PC configured for IP pass through with both PC's going to the same remote endpoint, such as the VPN access concentrator at your employer's office. In this case, the first one to start the IPSec traffic will be allowed to connect; but the second PC- since both appear to be coming from the same WAN IP will be indistinguishable - and will fail.

    Configuring Motorola 2210/2310 Modem in IP Passthrough
    • Run your Web browser application, such as Firefox or Microsoft Internet Explorer, from the computer connected to the Motorola® Gateway.
    • Enter http://192.168.1.254 in the Location text box.
    • You may be required to provide your Modem's Access Code. The Modem Access Code is unique to your modem. It is printed on a label on the bottom of the modem.
    • When you click the Connection Configuration button, the Connection Configuration page appears. This screen's appearance will vary depending on your type of connection to the Internet.
      Modem Access Code screen
    • Enter your Modem Access Code and click the Continue button.

    Here is an example screen.

    Connection Configuration screen

    Internet Connection Configuration
    Maximum allowable MTU: Some sites and applications (for example, VPN software) require that the MTU value be reduced for proper operation and this can be specified here.

    Network Configuration
    • Your LAN devices must renew their DHCP leases by LAN traffic every day by default. If you want to change this value, you can check the Override default checkbox and enter your own DHCP Lease duration in the appropriate fields.
    • If any of your applications require that the local LAN PC have the same IP address as the modem's public IP address, you can specify that by selecting the Yes, use public IP address radio button.
    • When all of your entries are made, click the Save Changes button.

    Bridged Mode means the DSL/Broadband modem/gateway device only terminates a DSL connection. In a Bridged Mode the modem/gateway device does no authentication, does no management, has no ability to perform any firewall protection, and does not allow for remote access into the modem/gateway device. The subsequent device connected to the DSL/Broadband CPE will have to perform all these tasks if needed.

    Notes:

    1. Most importantly, Bridged Mode is not supported by the AT&T DSL helpdesk. The reason is the AT&T DSL helpdesk would have no way to remotely access the modem/gateway device in order to do any troubleshooting/diagnostics.
    2. This configuration would not allow a way to receive any future updates to the device from AT&T due to remote access is turned off with a bridged mode setting.
    3. Bridged Mode is not compatible to AT&T IP-DSL (IPDSLAM)because AT&T requires the IP-DSL CPE to have802. 1x proprietary authentication.
    4. PPPoE is not applicable to IP-DSL/VDSL.
    Printable Configuring IP Passthrough Guide.