This article explains some of the main differences between U-verse Business (U-biz/Ubiz) service and AT&T High Speed Internet (DSL) service that most commonly impact or confuse customers.
Key Differences
- Authentication
- There is no PPPoE authentication on the AT&T U-verse network.
- On the U-verse platform, authentication is based on a certificate that is hard-coded into the RG, which is why only AT&T-provided equipment can handle the authentication.
- Bridge mode
- Bridge mode is not supported on the network or on the RG.
- This is due to the architecture of the AT&T U-verse platform.
- Configurations can be made to allow much of the behavior typically needed when using a bridge mode, but there may be some limitations for those with more advanced needs.
- Ping and Trace
- By default, AT&T U-verse RGs are set not to respond to ICMP requests such as ping and traceroute. This is sometimes configurable through the user interface. Also, because the network uses MPLS, trace routes often contain hops that time out. This is not an indicator of trouble; the particular hop or node is simply not configured to reply to ICMP requests. This is a common policy today, because answering ICMP requests adds CPU load and can degrade network performance when floods of ICMP requests are sent as part of Denial of Service attacks.
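The practical question when reading such a trace is whether the destination was reached at all, not whether individual hops printed `* * *`. The following added example (not part of the original article, and not AT&T tooling) parses Linux-style traceroute output and reports silent hops separately from an unreached destination. The trace text is constructed with RFC 5737 documentation addresses, not captured from a real U-verse path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (documentation addresses), not a real capture.
# Hops 2 and 3 are silent MPLS-style hops, hop 5 answers only one of three probes,
# and the destination answers at hop 6.
SAMPLE_TRACE = """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.254 (192.168.1.254)  1.102 ms  0.987 ms  0.944 ms
 2  * * *
 3  * * *
 4  198.51.100.33 (198.51.100.33)  21.410 ms  20.877 ms  21.002 ms
 5  * 198.51.100.41 (198.51.100.41)  23.512 ms *
 6  203.0.113.10 (203.0.113.10)  25.101 ms  24.880 ms  25.330 ms
"""

# Constructed second sample: the path goes quiet after hop 2 and the target never answers.
SAMPLE_TRACE_UNREACHED = """traceroute to 203.0.113.20 (203.0.113.20), 30 hops max, 60 byte packets
 1  192.168.1.254 (192.168.1.254)  1.050 ms  0.990 ms  0.970 ms
 2  198.51.100.33 (198.51.100.33)  20.100 ms  20.300 ms  20.200 ms
 3  * * *
 4  * * *
 5  * * *
"""

HEADER_RE = re.compile(r"^traceroute to (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


@dataclass
class Hop:
    number: int
    addresses: List[str]   # responders seen on this hop (empty if all probes timed out)
    timeouts: int          # number of '*' probes on this hop


@dataclass
class TraceSummary:
    target: Optional[str]
    reached: bool
    timed_out_hops: List[int]        # hops with no reply at all
    partial_hops: List[int]          # hops that answered some but not all probes
    last_responding_hop: Optional[int]


def parse_traceroute(text: str) -> Tuple[Optional[str], List[Hop]]:
    """Extract the target address and one Hop record per numbered line."""
    target = None
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(2)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rest = int(m.group(1)), m.group(2)
        addresses = sorted(set(IPV4_RE.findall(rest)))
        hops.append(Hop(number, addresses, rest.count("*")))
    return target, hops


def summarize(text: str) -> TraceSummary:
    """Decide whether the destination replied; silent intermediate hops are not trouble."""
    target, hops = parse_traceroute(text)
    reached = any(target in h.addresses for h in hops)
    timed_out = [h.number for h in hops if not h.addresses]
    partial = [h.number for h in hops if h.addresses and h.timeouts]
    responders = [h.number for h in hops if h.addresses]
    return TraceSummary(target, reached, timed_out, partial,
                        responders[-1] if responders else None)


def verdict(summary: TraceSummary) -> str:
    """Human-readable reading of the summary, matching the article's guidance."""
    if summary.reached:
        return (f"destination {summary.target} reached; hops {summary.timed_out_hops} "
                f"did not reply to ICMP, which is expected on an MPLS path")
    return (f"destination {summary.target} not reached; last reply came from hop "
            f"{summary.last_responding_hop}, so investigate beyond that point")


if __name__ == "__main__":
    print(verdict(summarize(SAMPLE_TRACE)))
    print(verdict(summarize(SAMPLE_TRACE_UNREACHED)))
```

Feed it the output of a real `traceroute` run (Linux format) and it will only flag a problem when the target itself never answers; a string of timed-out hops in the middle of an otherwise complete trace is reported as expected behaviour.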
- Use of 10.x.x.x IP addresses
- The DHCP server in the RG is configured not to allow a 10.x.x.x scope to be used as the DHCP address range.
- The customer may continue to use 10.x.x.x addresses on the LAN side of a third-party router, but the RG cannot be configured to hand out 10.x.x.x IP addresses. Configuration of a third-party router is not in scope for Ubiz care.
- Static IP Delivery
- With DSL service, the DSL modem was often set to bridge mode. One IP address from the static block was used on the AT&T-side Network Access Device as the gateway IP; after subtracting the network and broadcast addresses, the rest were for users to configure on their equipment, with the customer device being the next logical hop out from the access device. For those with a single static IP, there is no equivalent in U-verse today.
- With AT&T U-verse, the RG is now the Network Access Device for this scenario. It has its own WAN IP, which is a sticky, dynamically assigned address. A virtual port is created on the LAN side for the public/static IP block and, like the DSL access device, uses one IP from the block as the gateway IP on the LAN. The remaining usable IP addresses are handed to the customer device.
- A common misconception is that using DMZplus/IP Passthrough (depending on device) completely removes the RG as the firewall and the gateway. In general, neither is the case. Those modes pass the sticky DHCP-assigned IP of the RG WAN connection, which is separate from the static IP block, to the assigned device. Also, a portion of the RG's firewall functionality always remains in place by design for our U-verse services.
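The arithmetic of a static block is the same on both platforms: the network and broadcast addresses are unusable, one usable address is taken by the gateway on the access device (the AT&T-side device under DSL, the RG's LAN virtual port under U-verse), and the rest go to the customer's equipment. This added example (not part of the article and not AT&T's provisioning logic) works that out for any block with the standard library and checks a candidate customer address against it. The block `203.0.113.0/29` is a constructed RFC 5737 example; the page does not say whether the RG takes the first or last usable address as the gateway, so that is a parameter here and defaults to the first usable address as an assumption.

```python
import ipaddress
from typing import Dict, List


def plan_static_block(cidr: str, gateway_at_end: bool = False) -> Dict[str, object]:
    """Split a public static block: network and broadcast are unusable, one usable
    address is the gateway on the access device, the rest are for the customer.
    gateway_at_end=False (assumption) puts the gateway on the first usable address."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts: List[ipaddress.IPv4Address] = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{cidr} leaves no address for the customer after the gateway")
    gateway = hosts[-1] if gateway_at_end else hosts[0]
    return {
        "network": net.network_address,
        "broadcast": net.broadcast_address,
        "netmask": net.netmask,
        "gateway": gateway,
        "customer_usable": [h for h in hosts if h != gateway],
    }


def check_customer_address(cidr: str, address: str, gateway_at_end: bool = False) -> str:
    """Explain why an address a customer wants to configure is or is not usable."""
    plan = plan_static_block(cidr, gateway_at_end)
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        return "outside block"
    if addr == plan["network"]:
        return "network address (unusable)"
    if addr == plan["broadcast"]:
        return "broadcast address (unusable)"
    if addr == plan["gateway"]:
        return "reserved for the gateway on the access device"
    return "ok"


def describe(cidr: str, gateway_at_end: bool = False) -> str:
    """One-line summary suitable for handing to a customer configuring their own device."""
    p = plan_static_block(cidr, gateway_at_end)
    usable = ", ".join(str(a) for a in p["customer_usable"])
    return (f"{cidr}: mask {p['netmask']}, gateway {p['gateway']}, "
            f"customer addresses {usable} (network {p['network']}, broadcast {p['broadcast']})")


if __name__ == "__main__":
    # Constructed example block; replace with the block AT&T actually assigned.
    print(describe("203.0.113.0/29"))
    print(check_customer_address("203.0.113.0/29", "203.0.113.7"))
```

A /29 yields five customer addresses and a /30 yields one, which is why the article notes there is no single-static-IP equivalent on U-verse: with one usable address after the gateway, the gateway's own address is already part of the block. The DMZplus/IP Passthrough address is deliberately not in this plan, since, as the article says, those modes pass the RG's separate sticky WAN address rather than anything from the static block.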
DMZplus/IP Passthrough
- DMZ mode is known as DMZplus on the 2wire/Pace RGs.
- DMZ mode is known as IP Passthrough on the Motorola RGs.
- DMZ mode on many routers and broadband devices bypasses the firewall with an effective any-to-any filter. This means any IP or port can go to any IP or port. The intent is to let the assigned device placed into the DMZ mode handle its own security.
- For AT&T U-verse this is still the general intent, but due to some requirements for the U-verse platform, even when in these modes there are some situations where the behavior is not what the customer expects.
- This mode works well for a user placing a PC in DMZ mode. It works in many cases for a customer placing their own router in DMZ mode and not using public Static IPs offered by AT&T's Static IP Service.
- It is recommended, for security and consistency, or if the customer is using static IPs or VPN connections, that they do not use DMZ mode and instead create firewall rules/pinholes to allow only the ports needed for a device. To some extent, this can be an any-to-any rule.
VPN and AT&T U-verse
- When using VPN across the AT&T U-verse platform, it is often necessary for the customer to lower the MTU setting of the VPN client to 1472.
- If using a VPN appliance/concentrator, lower the MTU setting of the egress port to the AT&T U-verse RG to 1472.
- Common symptoms that the MTU needs to be lowered are VPN connections that are not stable, or very poor performance for applications and browsing that traverse the VPN.
- The customer lowering the MTU on their end alone often corrects this.
- Sometimes it may also require adjustments on the far end. This is just information that we can provide to the customer.
- Configuring the customer's VPN system is out of scope for Ubiz care.
- Motorola NVG510: VPN connections using PPTP or L2TP require enabling the GRE ALG option (or the PPTP option, etc.) in the NAT/Gaming section.
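Before lowering the client MTU as described above, it is useful to measure the largest frame the path actually carries with the Don't-Fragment bit set; if DF-marked probes above a certain size silently get no reply, that is the condition that produces the unstable-tunnel and slow-browsing symptoms. This added example (not part of the article and not an AT&T tool) implements that measurement as a binary search over candidate MTUs. The real probe assumes Linux iputils `ping` (`-M do` sets DF, `-s` sets the ICMP payload, `-W` is the per-reply timeout in seconds); the `simulated_path` helper is a constructed stand-in so the search can be exercised offline and compared with the 1472 figure the article gives.

```python
import shutil
import subprocess
from typing import Callable, Optional

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def icmp_payload_for_mtu(mtu: int) -> int:
    """ICMP payload size that makes an echo request exactly `mtu` bytes on the wire."""
    return mtu - IP_ICMP_HEADERS


def ping_df_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Return a probe(mtu) -> bool that sends one DF-marked echo request of that size.
    Assumption: Linux iputils ping flags; on other platforms adjust the command."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping binary not found")

    def probe(mtu: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(icmp_payload_for_mtu(mtu)), host]
        # Exit status 0 means a reply came back; a local "message too long" error or a
        # silent drop both yield non-zero, which is what we want to detect.
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0

    return probe


def discover_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Binary search for the largest MTU in [lo, hi] whose DF probe is answered.
    Returns None if even the smallest candidate gets no reply (host or ICMP blocked)."""
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid-sized frame passed; the answer is at least mid
        else:
            hi = mid - 1      # mid-sized frame dropped; the answer is below mid
    return lo


def simulated_path(max_frame: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: DF frames larger than max_frame are dropped
    silently, the behaviour that makes a tunnel look unstable rather than broken."""
    return lambda mtu: mtu <= max_frame


if __name__ == "__main__":
    # Offline demonstration against a constructed path that carries at most 1472 bytes.
    found = discover_path_mtu(simulated_path(1472))
    print(f"largest DF frame carried: {found}, ICMP payload to use: {icmp_payload_for_mtu(found)}")
    # Against a real host on the other side of the RG (placeholder name, replace it):
    # print(discover_path_mtu(ping_df_probe("vpn-peer.example.invalid")))
```

Run the real probe from the client toward the VPN peer (or any host that answers ping beyond the RG). If the largest answered size is below what the client interface is configured for, the interface MTU is the knob to turn, and the result can be compared against the 1472 the article recommends.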
U-verse Gateways (RGs) Do Not Have a Bridge Mode
The firewall is never completely out of the picture. Configurations can be made to allow much of the behavior typically needed when using a bridge mode, but there may be some limitations for those with more advanced needs.
Those limitations can mostly be overcome once the user understands this and is willing and able to adapt how things on the LAN are configured and updated. Which approach to use, such as DMZplus, IP Passthrough (Passthrough or Default Server allocation mode), or Static IP service, depends on the individual needs of the customer.