Using Multiple Broadband IP Addresses with the 2Wire Gateway

When you want to use multiple broadband IP addresses with your 2Wire gateway, you need to configure the gateway to use these IP addresses with local network devices. The following prerequisites to using multiple broadband addresses apply:

• The associated service providing the multiple IP addresses has been ordered and installed.
• The IP address and networking information has been identified for the subscribed service.
• Your 2Wire gateway is running software version 3.5.5 or higher.
• The network devices are already configured for TCP/IP networking and are connected to the Gateway's LAN via one of the available interfaces (Ethernet, USB, HPNA, or 802.11b/g Wireless).

The configuration process is divided into four logical steps:

• Set up and configure the HomePortal for broadband access using the first IP address
• Enable the HomePortal bridge network function and configure it with the appropriate subnet mask
• Assign the broadband IP address(es) to the intended network devices
• (Optional) Configure firewall rules to direct unsolicited traffic to the associated network devices

Configuring the HomePortal with the first IP address

You need to have at least one computer connected to the HomePortal that is able to access the main GUI (http://gateway.2wire.net). You can do this by either running the HomePortal Setup Wizard software (included with your HomePortal) and following the on-screen instructions, or manually configuring the network adapter for DHCP and obtaining an IP address from the HomePortal.

Determine the type of broabdand network access assigned by your ISP. Your choices are: PPPoE/PPPoA or RFC 2684 (Direct IP).

PPPoE/PPPoA Users

Go to http://gateway.2wire.net/setup and use the PPPoE/PPPoA activation key code for your provider to establish broadband connectivity with one IP address. Verify Internet connectivity by accessing public Web sites.

RFC 2684 Users

Go to http://gateway.2wire.net/setup and use the static IP activation key code to establish broadband connectivity. Use the IP address and subnet mask as provided by your ISP. Verify Internet connectivity by accessing public Web sites.

Enabling Bridge Network Mode or Public Proxied Subnet For 2Wire gateways runnning 3.x or 4.x firmware

For 2Wire gateways runnning 3.x or 4.x firmware

Go to the Management and Diagnostic Console (MDC) http://homeportal/management. Under the Local Network – Configure link, select the Bridge Network option (Figure 1) and enter the subnet mask provided to you by your ISP. Click Submit to save your results.

For 2Wire Gateways running 5.x firmware

Go to the 2Wire Gateway UI (http://gateway.2wire.net). Click the Local network icon, then click Advanced Settings. Select the Public Proxied Subnet option and enter your subnet mask.

Enabling Public Network or Public Routed Subinterface

Typically, two sets of IP addresses are used; one is used between the router and network and the second used with end devices. If you are provided with two sets of IP addresses, you need to configure your 2Wire gateway with the first set. If you are running 3.x or 4.x series software, use the Public Network option. For example, if you were provided with a WAN gateway address of 66.124.231.65, a WAN IP address for your router of 66.124.231.66, and told that your LAN devices were to use addresses in the range 207.214.87.137 through 207.214.87.141.

For 2wire gateways running 5.x firmware

Go to the 2Wire Gateways UI (http://gateway.2wire.net). Click the Local network icon, then click Advanced Settings. Enable Public Routed Subinterface and enter your subnet mask and router address.

If you are provided with IP addresses but no subnet mask, you can look up the associated subnet mask in the following table.

Allocating Public IP Addresses to the LAN Clients

Power on all network devices that you want to configure with a broadband IP address and connect them to the HomePortal.

When the HomePortal is configured to use multiple broadband IP addresses, you can configure network devices for one of three modes. Access the Address Allocation page of the MDC to select the desired option (Figure 2) for each LAN device.

On the OfficePortal, you can also set this information using the standard Web pages in addition to those under the MDC.

1. DHCP Private Network – The network client is assigned a private IP address on the private network (default is 172.16.0.0). This is the default mode of operation for all LAN devices (with or without the use of multiple broadband addresses.)
2. DHCP Public Network – The network client is assigned one of the currently available broadband IP addresses. The address may change as the IP address lease is renewed, but always comes from the pool of available Broadband IP addresses.
3. DHCP Fixed Public Network – The network client is permanently assigned one of the broadband IP addresses. The address will not change until the HomePortal is reconfigured via the Address Allocation page. This is the most common configuration for publicly accessible network devices.

In all of the above cases, the network device should be configured to enable their DHCP client. From this point on, the IP addresses for these LAN devices are managed by the HomePortal.

In addition, a LAN device can be configured with a static IP address hard coded in the TCP/IP settings for that device. The IP address can be from either the DHCP Private Network addresses or from the DHCP Bridged Network addresses.

When a DHCP Private Network address is statically assigned to a LAN device, the proper range must be used. The default range is 172.16.0.0, so the network device may statically use 172.16.1.1 through 172.16.1.32, inclusive. Devices assigned with these addresses act as if they were assigned an IP address in mode 1 noted above.

When a DHCP Bridged Network address is statically assigned to a LAN device, the device assigned with this address acts as if it were assigned an IP address in mode 3 noted above. Use the IP address information as provided by the ISP.  The HomePortal automatically detects the usage of a broadband IP address on the LAN network and correctly routes the return traffic to the appropriate LAN device. When the HomePortal detects a broadband IP address as being statically coded on the PC, the Address Allocation page will no longer displays its entry.

The ability to use DHCP in assigning WAN addresses to LAN devices is different from the operation of other routers. These other routers usually require the address to be hard coded on the LAN device.

Configuring Firewall Rules

LAN devices using addresses from the bridge network are still protected by the HomePortal firewall. To allow unsolicited inbound traffic to any of these LAN devices, you need to modify the firewall settings specified for that device; that is, a LAN device can receive inbound traffic associated with outbound traffic (for example, Web browsing) but needs to have a firewall rule established to function as a server.

To change the firewall settings, access the Firewall - Settings page of the MDC or the Firewall Settings page of the standard Web pages to configure the hosted applications allowed for each device to be used with unsolicited traffic.

This is different from the operation of other routers. These other routers automatically allow all traffic to pass through from the WAN to the LAN devices configured with WAN IP addresses.

If the device only requires the public IP address, then no rules need to be established. In most cases a firewall rule is required if you want to host an application or access a server from the public Internet. This is also known as creating a pinhole in the firewall.

The 2Wire firewall only allows traffic for a bridged IP address to be directed to a local LAN device with the same bridged IP address. That is, except for traffic sent to the single broadband IP address assigned to the router and shared through NAPT, traffic sent to other specific broadband IP addresses associated with the connection cannot be directed to local LAN devices that may be using private IP addresses.

Sample Configuration

This network consists of a public Web server, a private Web server, a public FTP server, and a number of desktop devices. Only the public servers need be accessed from outside the network. The FTP server needs to be accessed from inside.

1. Configure the 2Wire gateway for Internet access. Enable the Bridge Network features with the proper subnet mask.
2. Use DHCP Private Network for all the desktop devices by default. These devices will use NAT and share one of the broadband IP addresses. Addresses given out by the DHCP server in the 2Wire gateway will range from 172.16.1.33 to 172.16.1.250 (for software version 3.7.x or lower) or 192.168.1.64 - 192.168.1.253 (for software version 3.7.x or higher).
3. Set the FTP server to one of the Fixed Bridged Network IP addresses. This will route all incoming traffic for the specific public IP address to the designated network device. In this case, the traffic is routing to the FTP server. If the FTP server does not have a DHCP client, you can opt to configure the server with a public static IP address and the 2Wire gateway will correctly route the traffic. If unsolicited inbound traffic is expected, you need to configure the firewall to allow FTP traffic to pass clicking the Firewall Settings link of the MDC (http://gateway.2wire.net/mdc) or using the Firewall tab of the main GUI (http://gateway.2wire.net/mdc).
4. Similar to the FTP example, set the public Web server to one of the Fixed Bridged Network IP addresses. This will route all traffic to the specific public IP address to the designated network client. You need to configure the firewall (as described in Step 3, above) to route inbound port 80 traffic to the server.
5. Set the private Web server to a static private IP address, so that it is always accessible at the same address to the local desktop clients. For example, use 192.168.1.1 as the server’s IP address.