Having trouble connecting netgear fvs318 vpn firewall to at&t u-verse NVG510 modem

So I recently moved and hence my ISPs changed to AT&T uverse using their arris 5268ac fxn wireless gateway/router combo unit.

I am able to get my tunnels up by setting 'dmzplus' to the fvs318n and also disabling all firewalling protection stuff on the firewall page on the 5268, but pings or any other traffic will not get through the tunnel.  I've connected to two different endpoints that worked previously, one being another fvs318n and another a watchguard.

Any ideas?

I forgot to add that there's no true 'bridge mode' available--just the dmzplus mode, which appears to do everything a real bridge mode would do, but may still be an issue, or something doesn't pass through in the vpn setups.

Hey SamirD,

This is usually caused by one of two things;

1) ISP - call your ISP and explain that it seems like some VPN traffic is not passing through. VPN tunnel establishes but does not pass traffic.

2) Firewall rules - In some cases I've seen weird firewall rules cause issues like this, make sure you do not have any strange ANY service inbound rules. Try disabling all of your inbound firewall rules temporarily and see if it solves it.

Also make sure you are on the latest firmware. What you can do as well is packet captures, on the diagnostics page of your FVS318N there is a "Packet trace" button, while pinging from site A -> site B do a packet capture on the WAN side of site B. You should see ESP packets come in and a response going out. If that is the case, do another capture on site A's WAN side where you should see ESP going out and coming in. 

By going through with those two captures you should be able to figure out on which side the issue is / where the traffic is being blocked.

Thank you for the quick reply.

AT&T is absolutely the worse support I've ever seen among any ISP. To say they suck is being very, very nice.

In my research online, it seems either one of these two scenarios is true--it will work with a static IP or it will not work at all because the AT&T router will not pass GRE packets, period.

As far as firewall rules, the fvs318n was simply moved from another location where the tunnels were up fine. Nothing has been changed except the IP address (because of the isp change) and the other endpoints connected immediately once the IP was updated. It's just that no traffic will pass. So either something is still firewalling on the AT&T, or that the AT&T won't actually pass GRE packets.

I tried a packet trace from my end, but it was just garbage when I tried to open it. But that doesn't matter as I know it has to be on this end. Both other endpoints connect fine to each other (mesh) and one of them is another fvs and the other is the watchguard so that covers all the other possibilities.

hehe yeah, ISP support in general is not always the most fun to deal with.. I'd call them and explain the situation and ask for a modem that supports true bridge mode, usually they come around if you're just very persistent 🙂 Although I have never dealt with your particular ISP myself.

Anyways, issue seems to be ISP related in this case I'm afraid - so not much more to do than; convince ISP to allow true bridge or change ISP 😕  

AT&T uverse doesn't have a bridge mode at all.  And there's a slim and none chance that they'll give the older equipment that actually worked correctly with this type of setup.

I've ordered a block of static IPs.  If that doesn't do the trick, I guess I'll need a second cable connection just for the vpn.

To help anyone else that runs into this issue with the 5268--a static IP solved the issue.