
AT&T Uverse with static ips and Cisco 2811

ccip4911z
Level 1

Hey guys,

I'm not really sure if what I'm trying to accomplish is possible, but here it goes.

I have a Cisco 2811 with a 3750G switch. I have 3 VLANs set up in my network. I was able to pass my static block of IPs from AT&T using "cascaded router" to my 2811. That part seems to be working well. I'm trying to figure out how I can also route my internal LAN using the 2811 and not double NAT with the AT&T router.

The att router is connected to the 2811 on F0/0 with IP of 192.168.1.217.

The F0/1 of the 2811 has 3 sub interfaces and is trunked to the 3750 switch:

45.29.x.158 (static IP block vlan20)

192.168.2.1 (internal LAN vlan30)

10.1.0.1 (management LAN vlan99)

My goal is to get the internal LAN to route out of my router IP for the static IPs (45.29.x.158). I've tried a lot of NAT configs and cannot accomplish this.

I can route the internal LAN out of F0/0 with NAT inside/NAT outside, which works but gives me a double NAT.

If you guys have any insight on what I'm trying to do or if this is even possible, I could really use your assistance.

Thanks,

Brian


Hello Brian,

I am not sure I understand what you are trying to do:

"My goal is to get the internal LAN to route out of my router IP for the static ips (45.29.x.158). I've tried a lot of nat configs and cannot accomplish this."

So you are trying to NAT VLAN 30 to VLAN 20 addresses? And then route them out to the AT&T router (which NATs them again)?

Correct, but the AT&T router does not route the static IPs. Cascaded router on the AT&T router hands the entire static IP block to the 2811, with no NATing involved. Don't ask me how that works, but it's been verified by countless other posts. The only requirement is that the interface that connects to the AT&T router has one of its local IPs to "communicate".

Hello,

what AT&T Uverse router model do you have? Did you add the Cascaded Router as described in this document? I am just trying to understand why all networks on the 2811 are not automatically routed out the AT&T, as this seems to be the reason why a cascaded router can be added in the first place...

http://timshacks.blogspot.nl/2014/03/adding-third-party-router-behind-att.html

I used this one, http://www.dslreports.com/forum/r30741926-Arris-NVG595-in-IP-Passthrough-mode-with-multiple-static-IP-addresses

I have a 5268ac but they all work the same.

Hello,

as I understand it, the Pace doesn't do any NATing when you configure cascaded router mode.

What is the public IP on the WAN side of the Pace ? Is that part of the static IP block handed to the 2811 ?

No, it is not. The wan side of the Pace is a totally different IP. Not even close to my static IP block.

I am having the same issue with a Pace 5268 (static IP range not close to the WAN IP assigned to the Pace router/modem; horrible hardware). Was this resolved?

Thanks

I also have the Pace (Arris) 5268AC. I was on Comcast and the cablemodem had a 'bridge-ish' mode and the terminology they used was different from the Pace/Arris but provides similar capability.

The fundamental problem is that these devices are designed to support a managed residential set of services (triple-play) and you and I are thinking in terms of standard networking devices. These things are anything but 'standard'. The closest analog would be 'half-bridge'.

WARNING: Following the actions below will disable any protections provided by the 5268AC for all devices downstream/connected to the 5268AC. It is recommended that you have sufficient experience and knowledge of the individual settings being changed before doing so and that you have a security plan in place to support the capabilities being disabled as needed for your environment. Proceed with caution. The below instructions come with no warranty implied or expressed and are not endorsed by Cisco Systems, Inc.

The closest you can get the 5268AC to act as a 'bridge' is to

First

Access the 5268AC mgmt page (192.168.1.254 by default) and go to Settings/Firewall/Applications, Pinholes and DMZ and then

1) Select a computer

this is your router's WAN interface. Mine shows up as 'unknown1C872C70C230' which doesn't match my router's WAN MAC so I have no idea where that came from.

2) Edit firewall settings for this computer

Choose the last option, 'Allow all applications (DMZplus mode)'. This is as close as you'll get to a 'bridge' or 'IP passthru' or whatever kind of term you read on the net. What this definitely doesn't do is guarantee you that all TCP/UDP ports will be open. AT&T will still block port TCP 25 (SMTP) and you'll have to contact them to get that open. DO NOT SIGN UP FOR 'ConnecTech' if you are directed to them for support. They want $15/month to provide in-your-house tech support for all your computers, cellphones, tablets, etc. and this will not help you for any of these problems ('oh, you have a server? we do not support servers.')

Click the 'save' button in the bottom right of the page.

Second

Go to Settings/Firewall/Advanced Configuration where you'll be asked for the 'Access code' found on the bottom of the 5268AC.

Note: I have all the security I need configured on my own routers/firewalls behind my 5268AC as well as anti-virus/malware software installed on any computers. I want the 5268AC to be as unobtrusive as possible in my network path and to add as little latency as possible.

Under 'Enhanced Security' uncheck (disable) everything.
Under 'Outbound Protocol Control' check (enable) everything.
Under 'Attack Detection' uncheck (disable) everything.

Third

Consider going to Settings/LAN/Wi-Fi and disabling all the radios if you already have your own wifi. The additional radio 'noise' is only going to add latency, reduce throughput and possibly make connecting and staying connected to your own wifi problematic.

You are done

I'm paying an extra $15 and have a /29 block of addresses (.0-.7).
If you have static addresses, this is where it's tricky. There are two ways to handle those addresses:

1) The 5268AC hands them out via DHCP
2) The 5268AC 'routes' them from a downstream router

#1 is easiest but it means that anything using the static (public) IPs really needs to be connected to the 5268AC. This is somewhat limiting but still has its uses: your router takes an address and NATs everything further downstream to its WAN (public) IP; other devices (gaming systems, Roku, etc.) can be connected directly to the 5268AC (pros: no NAT port conflicts. cons: 'direct' internet exposure).

This is the method I'm currently using. I have my own domain and run my own mail server and after getting port 25 (SMTP) opened, I can now receive email. 5 days later I'm still trying to get rDNS setup for my static IP to my mail server hostname...

Here's a guide for setting up #1:

https://blogs.technet.microsoft.com/klince/2016/02/15/psasetting-static-ip-address-with-the-att-u-verse-gigapower-router-pace-5268ac/

#2 gives you more control over the addresses, in theory. I say 'in theory' because I've not yet tried it myself so I can't vouch for it. The way it should work is that the LAN IP settings on the 5268AC, whether DHCP or static, will 'route' packets from your downstream (a network behind your router) without NATting them. In order for it to do this, it would need a static route to that network.

How do you do this? If you follow the MS technet guide above, you'll reach a step that takes you to the Broadband/Link Configuration where you 'Add Additional Network'. Instead of adding that network (which is then only accessible from the 5268AC LAN ports) you 'Add Cascaded Router' by adding the 'Network Address' and mask of the static IP block you were given (x.x.x.x /29 or x.x.x.x 255.255.255.248 typically) and 'Choose the router that will host the secondary subnet' by either 'Select Router' or 'Enter Address' and entering the IP of your router's WAN interface (which would be on the same subnet configured on the 5268AC LAN via Settings/LAN/DHCP, under 'DHCP Network Range', using one of the default ranges or 'Configure manually').

Again, I've not tried #2 because a) my non-Cisco router doesn't support NATting to the WAN IP and separate NATting to additional IPs [easily] and b) my Cisco 2821 does support conditional NAT via route-maps but doesn't support the 900+ Mbps throughput I get with the AT&T Fiber 1000 service.

I hope that helps.
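The thread never shows an IOS configuration for the original question (VLAN 30 leaving the 2811 with a source address from the cascaded /29 instead of the 192.168.1.x address on F0/0, with no second NAT in the 5268AC), and the 5268AC steps above switch off every protection that box offered, so the 2811 becomes the only filtering device. The configuration below is an added example written for this thread; it is not from the original poster or from Cisco documentation. Everything beyond the addresses and VLANs given in the opening post is an assumption: that the static block is 45.29.x.152/29 (the thread's "x" placeholder is kept), that 45.29.x.157 is unused and can be borrowed as the NAT pool address (this costs one public IP, the same trade-off Reza Sharifi mentions in the next reply), that the 5268AC keeps its default LAN address 192.168.1.254, that 45.29.x.153 is a hypothetical web host in VLAN 20, and that the IOS image carries the security feature set needed for `ip inspect` (CBAC).

```cisco
! Added example, not from the thread. Cisco 2811 behind an AT&T 5268AC in
! cascaded-router mode. ASSUMED, not stated in the thread: the block is
! 45.29.x.152/29, .157 is free to use as the NAT pool, the 5268AC LAN
! address is 192.168.1.254, host .153 is a hypothetical web server, and
! the image supports CBAC ("ip inspect").
!
! --- NAT -------------------------------------------------------------
! The 5268AC routes 45.29.x.152/29 to 192.168.1.217 (cascaded router),
! so an address from the block is reachable here even though F0/0 itself
! sits on 192.168.1.0/24. Only VLAN 30 is translated; VLAN 20 hosts
! already carry public addresses and are routed untouched.
ip nat pool PUBLIC-NAT 45.29.x.157 45.29.x.157 netmask 255.255.255.248
!
ip access-list extended LAN-TO-NAT
 remark internal LAN (VLAN 30) only; VLAN 99 is deliberately excluded
 permit ip 192.168.2.0 0.0.0.255 any
!
ip nat inside source list LAN-TO-NAT pool PUBLIC-NAT overload
!
! --- Stateful filtering (CBAC) ---------------------------------------
! Replaces the 5268AC firewall that the DMZplus steps disable. Sessions
! opened from inside get temporary openings in OUTSIDE-IN; the inbound
! ACL is evaluated before NAT, so it is written with public addresses.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
ip access-list extended OUTSIDE-IN
 remark per-host permits for published services on the /29 go here
 remark host .153 port 80 is an assumed example only
 permit tcp any host 45.29.x.153 eq www
 deny   ip any any log
!
interface FastEthernet0/0
 description LAN side of AT&T 5268AC (cascaded router points here)
 ip address 192.168.1.217 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect OUTBOUND out
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
interface FastEthernet0/1
 description 802.1Q trunk to 3750G
 no ip address
!
interface FastEthernet0/1.20
 description static public block, routed, no NAT
 encapsulation dot1Q 20
 ip address 45.29.x.158 255.255.255.248
!
interface FastEthernet0/1.30
 description internal LAN, NATed behind 45.29.x.157
 encapsulation dot1Q 30
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.99
 description management; not "ip nat inside", so it never reaches the internet
 encapsulation dot1Q 99
 ip address 10.1.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
! Check from a VLAN 30 host, then on the router:
!   show ip nat translations    (Inside global should read 45.29.x.157)
!   show ip inspect sessions    (one entry per outbound flow)
```

Two points worth checking before trusting this. First, 45.29.x.157 must not be assigned to any host in VLAN 20; IOS will answer ARP for a pool address that lies inside a connected subnet. Second, if you instead follow Reza Sharifi's suggestion in the next reply and put F0/0 itself on the public block, the pool disappears and the NAT line becomes `ip nat inside source list LAN-TO-NAT interface FastEthernet0/0 overload`; the CBAC and ACL parts stay the same. If the image lacks CBAC, the inbound ACL alone will block UDP and ICMP replies for the NATed hosts, since `established` only helps TCP.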

Reza Sharifi
Hall of Fame

Hi,

One way to remedy this is to ask AT&T not to NAT, change the IP address on their router to be in the same subnet as 45.29.x.158. Then assign another IP from the 45.29.x.158 segment to your 2811 interface (f0/0) and then use NAT for internal segments. The drawback of this design is that you lose a couple of your public IPs, but if you don't need them then it should work fine for you.

HTH

Thank you for this post.  Are you saying to ask AT&T to change the External IP Address of the Modem (which is currently Dynamic AT&T public IP) or the internal interface which is 192.168.1.254?  Would I use the Gateway address that AT&T provided in my 8 block (5 usable)?

Sam Smiley
Level 3

Since you have a static IP block from AT&T your DHCP scope will have two options in the modem. One option hands out the standard 192.168.1.x address, the other will hand out your public address. Set the DHCP scope to hand out your static addresses. To test that all is working as expected set the router to retrieve an IP address from the modem. It should retrieve one of your static addresses, once this is done you can statically assign the address and the gateway as you wish.

Regards,
Sam
