Disabling Firewall on AT&T Arris BGW210-700 Gateway for IP Passthrough

5 posts Page 1 of 1
by michaelsanders » Sat Mar 11, 2023 11:03 am
Hi, I have my AT&T gateway setup in IP Passthrough (the closest it can get to "bridge" mode), but it's unclear if this also disables the firewall for the device configured to be forwarded. I'd prefer to only use my primary router's firewall as it's more robust than this device and I don't want to have to deal with two separate / possibly conflicting configurations. Also some features that are enabled on the BGW by default like SIP ALG have a history of vulnerabilities so it may be worsening security.

So my questions are:

1.) Does enabling IP Passthrough automatically disable the firewall for the MAC address listed?

2.) Could turning off the firewall altogether on the BGW allow the modem to get compromised when it's being used solely as a bridge with IP Passthrough?
by artakamoose » Sat Mar 11, 2023 3:54 pm
IP Passthrough bypasses the router's firewall for the listed MAC/port, so don't worry about it!

That said, it's not a true passthrough and creates a double NAT situation. The vast majority of people aren't affected by this. If for some reason you are, there are 3 primary bypass methods to get around it (ordered from least to greatest difficulty): 1) dumb switch, 2) EAP Proxy and 3) WPA supplicant. Each has its pros and cons, which mostly come down to level of difficulty vs robustness.

There's also a 4th method for customers who have the newer BGW320 gateways without an ONT, but it involves buying and programming a special ONT SFP+ module.
by msiegen » Sat Mar 11, 2023 5:52 pm
There are some additional firewall settings in the BGW210, in a different tab than where you configure passthrough, as shown here. If you want to receive inbound IPv6 connections then you need to disable Reflexive ACL.

I wouldn't worry about the BGW itself getting compromised. AT&T regularly pushes firmware updates and would fix any holes that become known. IIRC there's a setting elsewhere for whether the gateway admin interface is accessible from the WAN; it's off by default but you may want to double check.
by michaelsanders » Tue Mar 28, 2023 7:59 pm
IP Passthrough bypasses the router's firewall for the listed MAC/port
This is not true. You can test for yourself by opening a port on your router configured as the IP Passthrough device, check that it’s open from a WAN IP via VPN or external network, and then explicitly close that port using the BGW's packet filter. The BGW's firewall rule will take effect even for the passthrough device. So the answer to my question (1) is no, it's not automatically disabled. However, the packet filter has no rules enabled by default except for those listed in the advanced tab.

I've turned off the advanced firewall features Reflexive ACL and SIP ALG, but left "Drop incoming ICMP Echo requests to Device LAN Address" enabled as it's specific to the BGW210 and shouldn't affect any other devices.
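The test michaelsanders describes (open a port on the passthrough device, confirm it answers from outside, add a BGW packet-filter rule for it, confirm it no longer answers) is easy to script from the external vantage point. The probe below is an added example written for this thread, not code from the forum or from AT&T; it distinguishes a port that accepts a connection ("open") from one that actively refuses ("closed") and one that gives no answer at all ("filtered", what a dropping packet filter in front of the device looks like). The hostname, ports and the loopback stand-in in `local_demo` are constructed for illustration; in practice you run `probe_tcp_port` from a VPN or other external network against the public IP the BGW hands to the passthrough device.

```python
import socket
import sys


def probe_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect to host:port from this machine.

    Returns:
      'open'        - the handshake completed (something is listening and nothing
                      in the path blocked it)
      'closed'      - an RST came back (reachable host, nothing listening, or a
                      filter configured to reject)
      'filtered'    - no answer within the timeout (a dropping firewall such as
                      a BGW packet-filter rule, or an unroutable address)
      'unreachable' - the local stack refused to even try (no route, DNS failure)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def probe_many(host: str, ports) -> dict:
    """Probe several ports on one host; returns {port: state}."""
    return {port: probe_tcp_port(host, port) for port in ports}


def local_demo() -> tuple:
    """Constructed loopback stand-in for the before/after check in the thread.

    1. Listen on an ephemeral loopback port (the 'opened' port on the router).
    2. Probe it: expected 'open'.
    3. Close the listener (standing in for the BGW rule taking effect).
    4. Probe again: expected 'closed' here, since loopback rejects rather than
       drops; against the real gateway a dropping rule shows up as 'filtered'.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    before = probe_tcp_port("127.0.0.1", port)
    listener.close()
    after = probe_tcp_port("127.0.0.1", port)
    return before, after


if __name__ == "__main__":
    # Usage: python probe.py <public-ip-or-host> <port> [<port> ...]
    # With no arguments, run the constructed loopback demonstration instead.
    if len(sys.argv) >= 3:
        target = sys.argv[1]
        ports = [int(p) for p in sys.argv[2:]]
        for port, state in probe_many(target, ports).items():
            print(f"{target}:{port} -> {state}")
    else:
        print("loopback demo (before, after):", local_demo())
```

Run it once before and once after adding the packet-filter rule on the BGW; a port that goes from "open" to "filtered" or "closed" was blocked by the gateway rather than by the passthrough device's own firewall, which is exactly the observation michaelsanders reports.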
by artakamoose » Tue Mar 28, 2023 9:34 pm
michaelsanders wrote:
IP Passthrough bypasses the router's firewall for the listed MAC/port
This is not true. You can test for yourself by opening a port on your router configured as the IP Passthrough device, check that it’s open from a WAN IP via VPN or external network, and then explicitly close that port using the BGW's packet filter. The BGW's firewall rule will take effect even for the passthrough device. So the answer to my question (1) is no, it's not automatically disabled. However, the packet filter has no rules enabled by default except for those listed in the advanced tab.

I've turned off the advanced firewall features Reflexive ACL and SIP ALG, but left "Drop incoming ICMP Echo requests to Device LAN Address" enabled as it's specific to the BGW210 and shouldn't affect any other devices.
Interesting. I hadn't read that before. Also, I had a 5268 so it might work differently on the two devices. What's really sad is the fact the manufacturer's default firmware supposedly has a true passthrough, but AT&T's custom firmware for the devices doesn't. If this is affecting you, I would recommend looking into one of the bypass methods. Due to a firmware issue on the 5268, I ran WPA supplicant for years without a hiccup. You can find a ton of info on the DSLReports Uverse forum.
