
AT&T Arris Pace 5268AC in DMZ+ mode opens ports 10, 49152, 61001, and ping!

End goal is how to place your UTM behind this "beauty", be as close to bridged as you can get, and with the smallest footprint. Spoiler alert - ping cannot be disabled, this firmware is riddled with bugs, and if you are thinking about using the 5268AC in a business setting, it will fail compliance audits for port 61001 being open and having old SSL certificates. I've gone as far down this rabbit hole as I am going to go. I am replacing mine with a Motorola NVG599 that allows IP Passthrough and I highly suggest others do the same. For those brave souls who want to continue with this device, the following (hours wasted) will hopefully be of some help...

Firmware 10.5.3.527283-att has at least 5 glaring bugs: 2.4GHz WPS won't disable, 5GHz re-enables after reboot, 5GHz beacon won't disable, DMZ+ opens port 10, DMZ+ disables ping blocking. And last but not least, they allow you to access the GUI with NO password. (Stellar job AT&T, hats off to your RG devs).

Disable radios/interface/WPS and leave the rest default. Follow the recipe from the AT&T forum thread of moving the 5GHz channel to 165, 20MHz frequency, lower power to the lowest setting of 10, set a very strong pass phrase, and "disable" it. I also took the liberty of naming this SSID (that won't turn off) something having to do with AT&T devs, monkeys, and balls as free advertising for as long as this goes unfixed.

Connect (ethernet cable) 5268AC LAN port 1 to UTM eth1 WAN (must be set to Dynamic IP in UTM). Assign DMZ+ in the Pace to the UTM eth1 WAN interface...

192.168.1.254 -> Settings -> Firewall -> Applications, Pinholes and DMZ -> click Choose unknown001A8Cxxxxxx (this is your UTM WAN virtual MAC) -> Select "Allow all applications (DMZplus mode)"

...now back in the UTM Interfaces -> eth1 WAN click Renew button (click off Interfaces and then back and you should now see your public IP).

On the Pace create a device with an official test IP...

192.168.1.254 -> Settings -> Firewall -> Applications, Pinholes and DMZ -> Enter IP address 203.0.113.0 -> click Choose

Create application rules for each open port/protocol you would like closed/hidden, naming with a dot in front like ".Mystery Port 10 UDP" makes managing easier later on...

192.168.1.254 -> Settings -> Firewall -> Applications, Pinholes and DMZ -> Add a new user-defined application -> Application Profile Name: .Mystery Port 10 UDP, Protocol: UDP, Port: 10 to 10, Protocol Timeout: 1, Map to Host Port: 10 (or blank), Application Type: (leave as "-") -> Add To List -> Back

...and now assign your created rules above to the 203.0.113.0 device you created.

Whatever application rules are assigned to a non DMZ+ device get diverted from the DMZ+ device. Since this phantom test IP won't respond to this port, that port/protocol should then show stealth...

192.168.1.254 -> Settings -> Firewall -> Applications, Pinholes and DMZ -> click Choose 203.0.113.0 -> Select Application List: ".Mystery Port 10 UDP" -> Add -> Save

...and ShieldsUp! now reports: Port 10 stealth, a ping reply (ICMP Echo) was received.

The 5268AC doesn't care whether the device is active (connected) or not, the inactive device persists in the device list even across reboots (unless you manually clear it), and it still lets you assign (divert) rules to it. I tried diverting to many different varieties of created devices in an elusive attempt to stealth ports (successful) and squash pings (unsuccessful):

- Diverting port 10 to an official test IP (203.0.113.0) was the only test that showed up as Port 10 STEALTH, a ping reply (ICMP Echo) was received.

- Diverting port 10 to a manually added non-existent IP in my LAN (192.168.1.9) showed up as Port 10 closed, a ping reply (ICMP Echo) was received.

- Diverting port 10 to a manually added illegal IP (0.0.0.0) showed up as Port 10 open, a ping reply (ICMP Echo) was received. GUI should have told me this wasn't accepted, but it didn't!

- Diverting port 10 to a manually added MAC address (my old iPhone 2G) showed up as Port 10 closed, a ping reply (ICMP Echo) was received.

- Diverting port 10 to an inactive device (briefly connected and discovered MacBook Pro on Port 2 of the 5268AC) showed up as closed, a ping reply (ICMP Echo) was received. I hoped this way would work, because I wanted there to be a MAC address in the router so it would avoid the possibility that the router may continuously ARP looking for a MAC address to associate with my added phantom IP. I don't know if this is actually worth worrying over, and at this point I don't really care how much extra work their basket case router has to do as long as it doesn't affect my speed.

Things I tried with ping/ping6... black holing 7 tcp/udp and icmp echo (and reply). I tried routing 7 tcp/udp to port 9 (which should discard). Nothing worked. If anyone can figure out how to block ping while in DMZ+ mode PLEASE post here and let everyone know. I would love to be wrong on this.

Here are the ports I found open and that you will need to create rules for diverting... 10, 49152, & 61001 (these are ports they use to push firmware). Then be sure to test with appropriate firewall settings temporarily disabled in Pace... Pace Firewall Advanced Configuration

Good Luck.
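An added check for the "be sure to test" step above (my own example code, not from this post, Sophos or AT&T): it classifies a TCP port the way ShieldsUp reports it, so you can re-test the diverted ports from a host outside your LAN against your own public IP. It assumes a POSIX socket stack; the default port list is the three the OP found open.

```python
import errno
import socket

# Classify a TCP port the way ShieldsUp reports it: "open" (handshake done),
# "closed" (a RST came back, so something answered) or "stealth" (no answer at
# all, which is what the OP saw after diverting a port to TEST-NET 203.0.113.0).
def tcp_port_state(host, port, timeout=2.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "stealth"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        # No route / host unreachable: nothing answered, treat as stealth.
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "stealth"
        raise
    finally:
        s.close()

def check_gateway(host, ports=(10, 49152, 61001), timeout=2.0):
    """TCP state of each port the OP found open on the 5268AC (the default list)."""
    return {p: tcp_port_state(host, p, timeout) for p in ports}

def unexpected_exposure(results):
    """Ports still answering (not stealth); empty once the diversion rules work."""
    return sorted(p for p, st in results.items() if st != "stealth")

def _open_listener():
    """Demo helper: a listening TCP socket on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

if __name__ == "__main__":
    # Local demonstration against a listener we control (constructed, not a gateway).
    srv = _open_listener()
    demo_port = srv.getsockname()[1]
    print(check_gateway("127.0.0.1", ports=(demo_port,)))
    srv.close()
```

Run it from outside your LAN with your public IP in place of 127.0.0.1; anything `unexpected_exposure` returns is a port still reaching the Pace or the UTM.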

  • Now to tackle ports on UTM that are showing up in ShieldsUp!... Open 25, 443, 465, 587 and Closed 113.

    Here's how I've figured out to stealth these so far, some of these services will likely be needed by other users, but this is my home setup, I'm not using these services (yet), and until I've found alternative solutions to hiding these ports, this will stealth these for me now...

    Network Protection -> NAT -> NAT -> Traffic Selector: [DNAT Any -> IDENT 113 (TCP) -> External (WAN) Address] [Destination Translation: Int.BLACKHOLE (some nonexistent LAN IP address 203.0.113.0) -> IDENT 113] (Some warn that cloaking IDENT can break things, I've had no issues with this).

    Email Protection -> SMTP -> Global -> switch off (I still receive email alerts from the UTM with this off). This closes 25 smtp, 465 sms, & 587 submission.

    Remote Access -> SSL -> SSL VPN -> switch off (I still have L2TP on and VPN functions fine with this off). This closes 443 ssl.

    This gets me all green on my ShieldsUp! ports.

     PS... REMEMBER to turn back on Anti-Portscan! -> Firewall -> Intrusion Prevention -> Anti-Portscan -> On

     “Stay paranoid, my friends.”

  • In one year with AT&T at home, I went through three "Home Gateway" devices because their 1st-level tech support had no idea how to make their stuff work and they wanted me to pay to get to someone that knew something.  Back to Cox where a simple modem made living with a UTM easy again.  Let us know if this new device can manage to keep its configuration or if you have to keep fixing its forgetfulness.  Your OP here and knowing that the new unit keeps working might get me to try them again.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, I just read a couple of days ago in their forum about one customer being asked to agree to $15/mo for a 1 year contract before 3rd party support could assist and fix their static IP block issue with this hunk of junk.

    I've had it over 2 weeks now and I can say that it has had no forgetfulness. This is across MANY MANY reboots dissecting this evil beast. I was told by the installer not to customize because he experienced his losing config at his home, but I've not seen it. For me it has been persistently whacky.

    I specifically tried to make my final solution require as little tweaking as possible and I know this thing so well now it wouldn't be a big deal if it did drop to default:

    - Radios come back on but they are default AES protected with decent unique default password.

    - UTM WAN would drop out of DMZ+ but UTM WAN set to Dynamic IP so LAN internet will still work, and UTM will be fully cloaked.

    I didn't want this but they clawed away my $50/mo 6Mb DSL with a Dear John letter that they were pulling the plug on me if I didn't switch. It's $30/mo no contract, no install fee, I'm paying for 50 and getting 60 down and 13 up. The IP has stayed static throughout reboots but I have Afraid DynDNS running on UTM if it does change.

     “Stay paranoid, my friends.”

  • I updated on top and cleaned up - this hoopti is going back to the dealership. Will have an NVG599 with supposedly true bridge in next day or two. Who knows what darkness awaits behind the GUI of Uverse modem 2.

     “Stay paranoid, my friends.”

  • It's been a couple of weeks since switching to and using the NVG599 so I thought I'd give a quick comparison. It's a Motorola device which I like much better, but it still has some true shortcomings, it will NOT do a true bridge either:

    5268ac calls its pseudo-bridge "DMZ+" while the NVG599 calls it "IP Passthrough", neither of which truly bridges, but the NVG599 behaves more closely to being bridged.

    5268ac has ports 10, 49152, & 61001 open and cannot block ping, the NVG599 has only 61001 open and ping CAN be blocked.

    5268ac uses 11 watts vs the NVG599 usage of 18 watts.

    5268ac has 4x4 antennas vs the NVG599 with 3x3 antennas (not using its WiFi so don't care).

    5268ac interface is clunky, slow, has buffer bloat issues, and takes a long time to reboot while the NVG599 seems fast and responsive without any of these issues.

    Overall I'm definitely more satisfied with the NVG599 but still find it infuriating that AT&T no longer provides a method for bridging modem with their network. As of yet I have not been able to find a way to block 61001 and likely won't. It is how they communicate with the modem and push firmware updates to it, so they've gone to great lengths preventing you from closing it. At least I only have 1 port open now vs 3 and ping is now blocked. I hope the 3rd parties win their suit against the providers not allowing them to compete in the market place for modems.

     “Stay paranoid, my friends.”