The Linux Page

Setting up my home server with the NVG510 router on AT&T Uverse

My Rant

I got a new router because AT&T forced me onto a new product called U-Verse. They are actually forcing all their users to switch to that new system now that the new optic cables are installed, and they probably have a goal to turn off their old infrastructure soon.

The old router I had would generate a gateway on their side. The router was just a router and would send/receive data from their server to my server. So all I had to do is transfer all my traffic via 192.168.1.1 to and from the router, and everything appeared as if I were on my static IP address. That was rather easy.

However, the new system works differently. Now my server is the server. That is, my server IP address is the public IP address. In some respects, that's better and more sensible; on the other hand, my iptables rules were NOT set up to handle that case.

The NVG510 setup is pretty straightforward: it simply transmits the data, acting as a router, but it is also the gateway of my new IP address. That makes a difference too. This being said, the default setup of the router works as expected. The main problem I have, still, is that stupid page that it shows saying that there is a problem trying to connect. Obviously, when you reboot there are problems: the connection isn't up right away and yet traffic tries to flow through, and the router records that errors are occurring. The next time you check out a website, the router decides to show you a stupid page saying that everything is broken. This happens even well after the connection is up and running! I'm not too sure whether that would interfere with external (incoming) traffic.

My Ethernet Changes

First I had to support two IPs on the same port to accommodate connecting to the router (192.168.1.254) and have my public IP address (162.226.130.121) also defined there. I edited my /etc/network/interfaces file with the following:

auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.254

auto eth1:0
iface eth1:0 inet static
    name Local network
    address 162.226.130.121
    netmask 255.255.255.248
    network 162.226.130.120
    broadcast 162.226.130.127
    gateway 162.226.130.126

This generates the normal routing with 192.168.1.1 as the gateway of my intranet, but at this point I still have 192.168.1.254 as the gateway, which is not what I want because using that one I look like some random IP from the outside (i.e. when I go visit a site other than my own websites.)

Nonetheless, this allows me to receive and reply to traffic sent to 162.226.130.121, which is what I needed.

My Firewall Changes

I use a very strong firewall to prevent most traffic from doing anything (i.e. DROP is the default for a lot of the incoming traffic). Plus I set up the firewall to masquerade traffic from my other computers (intranet). This is good because this way my main server acts as a firewall for all the computers in our house (although only my wife uses MS-Windows; all the other computers are on Linux only now).

What I learned today (took me about 36 hours to understand! darn!) is that when you set up an IP address in your NIC, it becomes a local network address. In other words, many connections are made through the lo interface and not the assigned Ethernet port (eth1:0 in my case). That is... some of the traffic goes through eth1:0, some goes through eth1, and local traffic uses lo directly!

So... what I needed was to open the lo interface to that new IP address, something like this:

*filter

# INPUT chain
-A INPUT -i lo -s 162.226.130.120/29 -j ACCEPT

# OUTPUT chain
-A OUTPUT -o lo -d 162.226.130.120/29 -j ACCEPT

Note that I only show the two entries that I missed adding. I also had to add a matching rule for each of my old eth1 entries using 192.168.1.1 that would also be used with the new public IP. For example, I added this rule to accept port 53 connections (DNS):

-A INPUT -i eth1 -p tcp -m tcp --dport 53 -d 162.226.130.120/29 --syn -j ACCEPT

This helps the firewall greatly. I tried adding rules with eth1:0 but their counters all stay at zero (0) so I would imagine that they are not used.
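The two chores described above can be scripted: copying the 192.168.1.1 rules for the public block, and fixing eth1:0 rules, which never count packets because iptables matches on the real device name (eth1) and not on an alias label. This is an added example, not the author's own script; the addresses are the page's, while the sample rules, the port allowlist and the function names are assumptions made for illustration.

```python
# Added example, not the author's script. Addresses are the page's own;
# SAMPLE and the PUBLIC_PORTS allowlist are constructed for illustration.
LAN_ADDR = "192.168.1.1"
PUBLIC_NET = "162.226.130.120/29"
ALIASES = {"eth1:0": PUBLIC_NET}  # alias label -> address block it carries
PUBLIC_PORTS = {"53"}             # assumption: ports meant to face the Internet

def arg_index(tok, flag):
    """Index of the value that follows flag, or None if flag is absent."""
    return tok.index(flag) + 1 if flag in tok[:-1] else None

def migrate(rules_text):
    """Return (rules, notes) for iptables-restore style input."""
    out, notes = [], []
    for n, line in enumerate(rules_text.splitlines(), 1):
        tok = line.split()
        if not tok or tok[0] != "-A":
            out.append(line)  # *filter, COMMIT, comments, blank lines
            continue
        # 1. Rules match the real device name, never an alias label: move the
        #    rule to the parent device and pin it to the alias's addresses.
        for iface_flag, addr_flag in (("-i", "-d"), ("-o", "-s")):
            k = arg_index(tok, iface_flag)
            if k is not None and tok[k] in ALIASES:
                alias, tok[k] = tok[k], tok[k].split(":")[0]
                if addr_flag not in tok:
                    tok[k + 1:k + 1] = [addr_flag, ALIASES[alias]]
                notes.append(f"line {n}: {alias} rewritten to {tok[k]}")
        out.append(" ".join(tok))
        # 2. Mirror rules pinned to the LAN address onto the public block,
        #    but only for allowlisted ports; everything else needs review.
        for addr_flag in ("-s", "-d"):
            k = arg_index(tok, addr_flag)
            if k is None or tok[k] not in (LAN_ADDR, LAN_ADDR + "/32"):
                continue
            p = arg_index(tok, "--dport")
            if p is not None and tok[p] in PUBLIC_PORTS:
                out.append(" ".join(tok[:k] + [PUBLIC_NET] + tok[k + 1:]))
            else:
                notes.append(f"line {n}: not mirrored to {PUBLIC_NET}, review")
    return out, notes

SAMPLE = """\
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -d 192.168.1.1 --syn -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -d 192.168.1.1 --syn -j ACCEPT
-A INPUT -i eth1:0 -p tcp -m tcp --dport 80 --syn -j ACCEPT
"""

if __name__ == "__main__":
    rules, notes = migrate(SAMPLE)
    print("\n".join(rules + ["# " + note for note in notes]))
```

The allowlist matters now that the server itself holds the public address: a rule copied blindly from 192.168.1.1 to 162.226.130.120/29 would open an intranet-only service to the Internet.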

Routing Table Changes

Now I want the default route to use the new IP addresses instead of 192.168.1.254, because using that other IP causes a problem: from the outside I look like the DHCP-assigned IP address that the router gets when connecting to the AT&T network. What I really want is to look like 162.226.130.121 and nothing else. That's actually important if I want to set up remote servers to only answer to my IP address (to avoid problems such as hackers getting in).

Can I get more control over the NVG510 Router?

Yes. As a matter of fact, you can and I happen to have a page about it: Hacking my NVG510 router.