End goal is how to place your UTM behind this "beauty", be as close to bridged as you can get, and with the smallest footprint. Spoiler alert - ping cannot be disabled, this firmware is riddled with bugs, and if you are thinking about using the 5268AC in a business setting, it will fail compliance audits for port 61001 being open and having old SSL certificates. I've gone as far down this rabbit hole as I am going to go. I am replacing mine with a Motorola NVG599 that allows IP Passthrough and I highly suggest others do the same. For those brave souls who want to continue with this device, the following (hours wasted) will hopefully be of some help...
Firmware 10.5.3.527283-att has at least 5 glaring bugs: 2.4GHz WPS won't disable, 5GHz re-enables after reboot, 5GHz beacon won't disable, DMZ+ opens port 10, DMZ+ disables ping blocking. And last but not least, they allow you to access the GUI with NO password. (Stellar job AT&T, hats off to your RG devs).
Disable radios/interface/WPS and leave the rest default. Follow the recipe from the AT&T forum thread of moving the 5GHz channel to 165, 20MHz frequency, lowering power to the lowest setting of 10, setting a very strong pass phrase, and "disabling" it. I also took the liberty of naming this SSID (that won't turn off) something having to do with AT&T devs, monkeys, and balls as free advertising for as long as this goes unfixed.
Connect (Ethernet cable) 5268AC LAN port 1 to UTM eth1 WAN (must be set to Dynamic IP in the UTM). Assign DMZ+ in the Pace to the UTM eth1 WAN interface...
192.168.1.254 -> Settings -> Firewall -> Applications, Pinholes and DMZ -> click Choose unknown001A8Cxxxxxx (this is your UTM WAN virtual MAC) -> Select "Allow all applications (DMZplus mode)"
...now back in the UTM Interfaces -> eth1 WAN click Renew button (click off Interfaces and then back and you should now see your public IP).
On the Pace create a device with an official test IP...
192.168.1.254 -> Settings -> Firewall -> Applications, Pinholes and DMZ -> Enter IP address 203.0.113.0 -> click Choose
Create application rules for each open port/protocol you would like closed/hidden, naming with a dot in front like ".Mystery Port 10 UDP" makes managing easier later on...
192.168.1.254 -> Settings -> Firewall -> Applications, Pinholes and DMZ -> Add a new user-defined application -> Application Profile Name: .Mystery Port 10 UDP, Protocol: UDP, Port: 10 to 10, Protocol Timeout: 1, Map to Host Port: 10 (or blank), Application Type: (leave as "-") -> Add To List -> Back
...and now assign your created rules above to the 203.0.113.0 device you created.
Whatever application rules are assigned to a non-DMZ+ device get diverted from the DMZ+ device. Since this phantom test IP won't respond on this port, that port/protocol should then show stealth...
192.168.1.254 -> Settings -> Firewall -> Applications, Pinholes and DMZ -> click Choose 203.0.113.0 -> Select Application List: ".Mystery Port 10 UDP" -> Add -> Save
...and ShieldsUp! now reports: Port 10 stealth, a ping reply (ICMP Echo) was received.
The 5268AC doesn't care whether the device is active (connected) or not, the inactive device persists in the device list even across reboots (unless you manually clear it), and it still lets you assign (divert) rules to it. I tried diverting to many different varieties of created devices in an elusive attempt to stealth ports (successful) and squash pings (unsuccessful):
- Diverting port 10 to an official test IP (203.0.113.0) was the only test that showed up as Port 10 STEALTH, a ping reply (ICMP Echo) was received.
- Diverting port 10 to a manually added non-existent IP in my LAN (192.168.1.9) showed up as Port 10 closed, a ping reply (ICMP Echo) was received.
- Diverting port 10 to a manually added illegal IP (0.0.0.0) showed up as Port 10 open, a ping reply (ICMP Echo) was received. GUI should have told me this wasn't accepted, but it didn't!
- Diverting port 10 to a manually added MAC address (my old iPhone 2G) showed up as Port 10 closed, a ping reply (ICMP Echo) was received.
- Diverting port 10 to an inactive device (briefly connected and discovered MacBook Pro on Port 2 of the 5268AC) showed up as closed, a ping reply (ICMP Echo) was received. I hoped this way would work, because I wanted there to be a MAC address in the router so it would avoid the possibility that the router may continuously ARP looking for a MAC address to associate with my added phantom IP. I don't know if this is actually worth worrying over, and at this point I don't really care how much extra work their basket case router has to do as long as it doesn't affect my speed.
Things I tried with ping/ping6... black-holing 7 tcp/udp and icmp echo (and reply). I tried routing 7 tcp/udp to port 9 (which should discard). Nothing worked. If anyone can figure out how to block ping while in DMZ+ mode PLEASE post here and let everyone know. I would love to be wrong on this.
Here are the ports I found open and that you will need to create rules for diverting... 10, 49152, & 61001 (these are ports they use to push firmware). Then be sure to test with appropriate firewall settings temporarily disabled in Pace... Pace Firewall Advanced Configuration
Good Luck.
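The post relies on ShieldsUp to confirm the diversion worked. Below is an added checker (not code from the post, AT&T or Pace) that does the same probes from any host outside the gateway, so you can re-test after every firmware push. It takes the port list from the post; treating 49152 and 61001 as TCP is an assumption (ShieldsUp only probes TCP, and the post does not state the protocol), PUBLIC_IP is a placeholder you replace with your WAN address, and the ping helper assumes a Linux/macOS ping binary. It also spells out a caveat the post's "Port 10 stealth" result hides: a single UDP probe cannot distinguish a silent listener from a dropped packet.

```python
"""Probe the 5268AC's public IP from OUTSIDE (a VPS, a phone hotspot) to check
whether the DMZ+ diversion hid the listed ports and whether ICMP echo answers.
Added example, not code from the post. 49152/61001 as TCP is an assumption;
PUBLIC_IP is a TEST-NET-3 placeholder, not a real target."""
import socket
import subprocess
import sys

PUBLIC_IP = "203.0.113.1"                                # placeholder, replace
PORTS = [("udp", 10), ("tcp", 49152), ("tcp", 61001)]    # from the post; tcp assumed


def classify_tcp(host, port, timeout=3.0, connect=socket.create_connection):
    """Return 'open', 'closed', 'stealth' or 'unreachable' for one TCP port.

    ShieldsUp vocabulary: completed handshake -> open, RST (ECONNREFUSED)
    -> closed, no answer before the timeout -> stealth. `connect` is
    injectable so the decision logic can be exercised without a network.
    """
    try:
        conn = connect((host, port), timeout)
    except (socket.timeout, TimeoutError):
        return "stealth"
    except ConnectionRefusedError:
        return "closed"
    except OSError:               # EHOSTUNREACH / ENETUNREACH on our own side
        return "unreachable"
    conn.close()
    return "open"


def classify_udp(host, port, timeout=3.0, sock=None):
    """Return 'closed', 'open' or 'open|stealth' for one UDP port.

    UDP has no handshake. An ICMP port-unreachable surfaces as ECONNREFUSED
    on a connected datagram socket and means closed. Silence means either a
    listener that ignored one null byte or a firewall that dropped it; one
    probe cannot tell those apart, so "stealth" for 10/udp only proves the
    probe was not refused. `sock` is injectable for offline testing.
    """
    if sock is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.send(b"\x00")
        sock.recv(512)
    except (socket.timeout, TimeoutError):
        return "open|stealth"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    else:
        return "open"
    finally:
        sock.close()


def ping_replies(host, timeout=3.0):
    """True if `host` answers one ICMP echo request.

    Shells out to the system ping so no raw-socket privilege is needed.
    Assumes a Linux/macOS ping that accepts `-c`; the subprocess timeout
    stands in for the per-OS reply-wait flags.
    """
    try:
        proc = subprocess.run(["ping", "-c", "1", host],
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return proc.returncode == 0


def still_visible(results):
    """Given {(proto, port): state}, return the ports a scanner would still
    see, i.e. anything not 'stealth' (TCP) or 'open|stealth' (UDP).
    The ICMP entry, if present, is skipped."""
    hidden = {"stealth", "open|stealth"}
    return sorted(k for k, v in results.items()
                  if k[0] != "icmp" and v not in hidden)


def scan(host=PUBLIC_IP, ports=PORTS, timeout=3.0):
    """Probe every listed port plus ICMP echo and return the raw results."""
    results = {}
    for proto, port in ports:
        probe = classify_tcp if proto == "tcp" else classify_udp
        results[(proto, port)] = probe(host, port, timeout)
    results[("icmp", "echo")] = "reply" if ping_replies(host, timeout) else "no reply"
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PUBLIC_IP
    found = scan(target)
    for key, state in found.items():
        print(f"{key[0]}/{key[1]}: {state}")
    print("still visible:", still_visible(found) or "none")
```

Run it as `python3 check_5268ac.py <your WAN IP>` from a host that is not behind the gateway; the expected result after the diversion is every port in `still_visible` gone and, per the post, ICMP echo still replying.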