Does the BGW320 still perform NAT with IP Passthrough?

Hello iValley, we'd be glad to address your questions about IP Passthrough and Bridge mode.

The process for setting up IP Passthrough has not changed. Bridge mode is not supported on any AT&T equipment for the following reasons:

• Bridged mode is not compatible with AT&T services, because AT&T requires all gateways to have 802.1x proprietary authentication.
• AT&T Customer Care has no way to remotely access the modem/gateway device in order to do diagnostics testing.
• A bridged mode configuration does not allow the device to receive any future firmware updates from AT&T as remote access is disabled with a bridged mode setting.
• PPPoE is not applicable on the AT&T platform.

Read our article on Bridge mode vs IP Passthrough for more information.

If you have any other questions, let us know.

Aminah, AT&T Community Specialist

On the Arris routers AT&T also uses, this mode still involves NAT, 

This statement is not true.  It still involves a session tracking table.  It may involve PAT in certain situations.

which destroys packets and causes your service to be useless when hosting your own services (mail server, remote access server, etc.), or trying to setup a point to point VPN when using a third party firewall / router behind it.

Since your first statement was not true, the rest of this is not strictly true either.  Unless PAT is necessary, the packets are passed unchanged, not destroyed.

I run an application server behind my AT&T Gateway.  I run VPN through the AT&T Gateway.  Some protocols may have issues with the configuration.  Some implementations of protocols may have issues.  The IP Passthrough is not a perfect solution.  But your statements are over the top and are not completely correct.

Unless Arris changed something over the past year or two, incoming packets were changed. This was confirmed using a packet analyser.  Even AT&T engineers could not get it to stop.

At the time, I was using a BGW210, so it is very possible a change has been made in the firmware for this model, hence the reason for my question.

Therefore, the answer to my question for the BGW320 is:

1) True bridged mode is not supported by AT&T.

2) IP Passthrough should not perform NAT.

3) IP Passthrough may still perform PAT in some situations. (of course, we don't know what those situations are).

Thank you for the responses.

Thank you for visiting the AT&T Community Forums, iValley.

And thank you, JefferMC, for the helpful information.

If you need help with anything else in the future, we'll be here.

Aminah, AT&T Community Specialist

More info.  This is from AT&T's documentation on Bridged mode vs. IP Passthrough (link in response from AT&T above).  This explains why the BGW210 did not work with VPN:

Note: IP Passthrough Restriction

Since both the BGW210 Internet Gateway and the IP Passthrough host use the same IP address, new sessions that conflict with existing sessions will be rejected by the BGW210. For example, suppose you are working from home using an IPSec tunnel from the router and from the IP Passthrough host. Both tunnels go to the same remote endpoint, such as the VPN access concentrator at your employer's office. In this case, the first one to start the IPSec traffic will be allowed; the second one from the WAN is indistinguishable and will fail.

This explains why TWO VPNs would not start, but not why ONE would not work.  So, yes, if you need TWO VPN tunnels to the same VPN server from your location that would not work.  That is a specific instance of an issue.   I agreed that some protocols/implementations will have issues.  I objected to your characterization "causes your service to be useless when hosting your own services"

Would you please document what changes to the packet were made by the Gateway observed by the network analyzer (other than, yes, the TTL would be decremented and PAT may occur to prevent port collisions).

An example situation when PAT would occur would be this:

1) A client connected directly to the Gateway (i.e. on its private LAN, not through the IP Passthrough device) makes an external connection using a ephemeral source port, e.g. 1100.  A session is established in the Gateway showing a source port of 1100 to a given destination IP and port.

2) A client connected through the IP Passthrough device, makes an external connection to the same destination IP and port with the same ephemeral source port of 1100. 

That combination of destination IP, port and source port already exists in the table, so to allow the connection, the Gateway would have translate the internal source port of 1100 to an available external source port, e.g. 1101.  The external server would see a connection from the same public IP, but with a different port and would reply to the same; the Gateway would then have to translate the external port of 1101 to 1100 in the destination port of the returning packet.