5

AT&T U-verse VDSL "fiber to the node" 24Mbit down / 3Mbit up
2Wire Router Model 3800HGV-B
Software Version 6.1.9.24-enh.tm

The 2Wire router appears to have a limit of 1024 TCP and UDP sessions. This limit appears to apply to all sessions regardless of any static IP, firewall off, DMZ plus, secondary router configurations.

I've tried using the 2Wire router alone and also configuring the 2Wire static IP addressing, firewall off, DMZ plus, etc. setup along with my own pfSense router/firewall. Either way it appears I exceed the 1024 session limit and sessions start being reset.

Running out of sessions isn't being caused by torrents or p2p etc. We're a business and our legitimate uses are exceeding this session limit.

AT&T tells me it's not possible to bridge the router or increase or avoid the session table limit.

I'm curious if anyone has found a way around either of these issues.

caleban
  • I'm not familiar with 2Wire gear, but is the fiber terminating directly into it, or is it going through another piece of gear and you are just running Ethernet into the 2Wire? – Zypher Aug 13 '11 at 03:02
  • AT&T calls this service "Fiber to the node". The fiber terminates at a "node" a few blocks away and they run copper from the "node" a few blocks away to our office here. A copper phone line is connected to the back of the 2Wire. As far as my LAN is concerned I plug ethernet into the switchports on the back of the 2Wire. – caleban Aug 13 '11 at 03:28
  • Ah, that sucks, so I guess you can't just get a real router. Do they offer the option to get just a standard "modem" from them instead of a full-on router? – Zypher Aug 13 '11 at 03:35
  • Not for the "Fiber to the node" service unfortunately. The speed and pricing for this service is very attractive but the 2Wire device is a deal breaker. AT&T told me the 2Wire 3800 was the only possible device and it's impossible to bridge. They said it had to do with the authentication among other things. I read elsewhere they're using 802.1x authentication. In order to use a normal bridge/modem instead I'd have to get different DSL service, the kind where they run copper from the CO to my office, not fiber to the node, and that's a lot slower connection. – caleban Aug 13 '11 at 03:57
  • 1
    @Zypher, UVerse is [VDSL](http://en.wikipedia.org/wiki/Very-high-bitrate_digital_subscriber_line#United_States); they usually backhaul it via fiber, but it's not implicit. AT&T is the king of misrepresenting its services recently to make it sound like they're still competitive. – Chris S Aug 13 '11 at 04:14
  • @Chris S: Who's preferable to AT&T for something like a 24Mbit down / 3Mbit up internet connection for $70/mo.? I'd love to find something as fast and as cheap for our backup internet connection, if it can bridge :) The next best thing I've found is Time Warner 7/768 with 5 static IPs for $150/mo. This 2Wire session limitation is a deal breaker. I'm installing Time Warner and cancelling AT&T. – caleban Aug 13 '11 at 06:07
  • @Caleban, If you're only getting Internet through your connection you can almost certainly get a different modem/router; I'm not familiar with any particular models to recommend, but AT&T likely maintains a list of compatible modems. – Chris S Aug 13 '11 at 15:27
  • @Chris S. Unfortunately not with this particular flavor of AT&T service according to a variety of people at AT&T. AT&T U-verse, "fiber to the node", VDSL2, only works with this one 2Wire Router Model 3800HGV-B according to AT&T. I can get different AT&T DSL service, ADSL2+, which is not U-verse, which is much slower, and with that service use a Motorola 2210 modem which can bridge. – caleban Aug 13 '11 at 19:17
  • Would a proxy server reduce the connections? Maybe look at chatty services running on machines making calls to the Internet? Perhaps put another firewall between this and only let out what you need? Just throwing out ideas. – SpacemanSpiff Aug 18 '11 at 05:15
  • 2c: Telstra Australia also deploys 2Wire DSL routers for some of their "business" products. The cheap rubbish causes me a number of problems:
    • It has a 'home user' interface that makes it impossible to quickly check/change settings.
    • It tries to 'auto detect' some Virtual Server / Port Mapping settings, which makes it hard to open ports for a server.
    • Every 6 months it re-detects the internal DHCP or DNS servers and cuts off all HTTP access. When you browse to the modem it announces something silly in the name of security and you have to disable some function for it to be happy again. – Dom Oct 08 '11 at 06:49
  • It's probably not applicable but dump 2Wire. – Dom Oct 08 '11 at 06:49

3 Answers

2

There are a couple of options. It isn't clear from the question which connections are closing and whether that is configurable. For instance, do you have a bunch of web browsers and also some SSH sessions, and you want to keep your SSH sessions open? You could set up a router internally that NATed controlled sessions from the clients to the server. If you use a box that supports classification, you could put limits on the number of sessions available to HTTP vs. SSH traffic and time out HTTP connections that are idle before closing SSH connections. You could probably also put a shorter timeout on HTTP connections to free up more space on the silly 2Wire for longer-running sessions.

The second option is routing through a box off your network, maybe a VPS on linode.com or a server in a data center related to the business. You could set up an OpenVPN tunnel and then route traffic through it; the 2Wire would only see one session for the OpenVPN tunnel.

I'd be curious how the pricing worked out for this vs Ethernet-over-Copper for the business side? Here in SF we can get EoC @ 10Mbps bidirectional for ~500/mo. It might be worth researching, unless it is significantly out of budget.

polynomial
  • Regarding pricing in this area of Los Angeles: I have a $1,000/mo 10Mbit/s synchronous EOC scheduled to be installed in the future; it's taking a while, but I had to have something now, and as far as I could tell AT&T and Time Warner were the only options. The AT&T connection we're using, which will eventually be our backup, is $95/mo. – caleban Aug 30 '11 at 20:54
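A way to check the first option before buying hardware: dump the state table of the internal router and see which service class is eating the 1024 slots and how many slots are held by half-closed TCP states that a shorter timeout would free. This is an added example, not code from the answer above; it assumes a Linux `conntrack -L` style table (pfSense's `pfctl -ss` output differs), the sample lines are constructed, and the per-service budgets are illustrative.

```python
import re
from collections import Counter

SESSION_LIMIT = 1024  # the 2Wire 3800HGV-B ceiling described in the question

# Destination-port classes, so HTTP and SSH can be budgeted separately as the answer suggests.
SERVICES = {80: "http", 443: "http", 22: "ssh", 53: "dns"}

# Leading fields of a `conntrack -L` line (assumed format; UDP entries carry no state token).
CT_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=\S+ dst=\S+ sport=\d+ dport=(?P<dport>\d+)")

# Constructed sample table (not captured from a real router).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=49152 dport=443 src=93.184.216.34 dst=203.0.113.9 sport=443 dport=49152 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=10.0.0.5 dst=93.184.216.34 sport=49153 dport=80 src=93.184.216.34 dst=203.0.113.9 sport=80 dport=49153 [ASSURED] mark=0 use=1
tcp      6 3599 ESTABLISHED src=10.0.0.7 dst=198.51.100.4 sport=40000 dport=22 src=198.51.100.4 dst=203.0.113.9 sport=22 dport=40000 [ASSURED] mark=0 use=1
udp     17 29 src=10.0.0.5 dst=8.8.8.8 sport=51000 dport=53 src=8.8.8.8 dst=203.0.113.9 sport=53 dport=51000 mark=0 use=1
tcp      6 57 CLOSE_WAIT src=10.0.0.9 dst=203.0.113.20 sport=50000 dport=443 src=203.0.113.20 dst=203.0.113.9 sport=443 dport=50000 [ASSURED] mark=0 use=1
"""

def parse_conntrack(text):
    """Return one dict per session: protocol, TCP state, service class, seconds to expiry."""
    sessions = []
    for line in text.splitlines():
        m = CT_LINE.match(line.strip())
        if m:  # unrecognised lines are skipped rather than guessed at
            sessions.append({"proto": m.group("proto"),
                             "state": m.group("state") or "NONE",
                             "service": SERVICES.get(int(m.group("dport")), "other"),
                             "ttl": int(m.group("ttl"))})
    return sessions

# TCP states that still occupy a slot although no data will flow; a shorter timeout frees them.
RECLAIMABLE_STATES = {"TIME_WAIT", "CLOSE_WAIT", "CLOSE", "FIN_WAIT", "LAST_ACK"}

def audit(sessions, budgets, warn_pct=80):
    """Count sessions per service, flag per-service budget overruns and reclaimable slots."""
    per_service = Counter(s["service"] for s in sessions)
    over = {svc: n for svc, n in per_service.items() if n > budgets.get(svc, SESSION_LIMIT)}
    reclaimable = sum(1 for s in sessions
                      if s["proto"] == "tcp" and s["state"] in RECLAIMABLE_STATES)
    return {"total": len(sessions), "per_service": dict(per_service), "over_budget": over,
            "reclaimable": reclaimable, "warn": 100 * len(sessions) >= warn_pct * SESSION_LIMIT}

if __name__ == "__main__":
    print(audit(parse_conntrack(SAMPLE), {"http": 600, "ssh": 100, "dns": 200}))
```

Run it against a real table with `conntrack -L | python3 audit.py` style piping once you swap `SAMPLE` for stdin; `over_budget` tells you which class to rate-limit and `reclaimable` how much a shorter TCP timeout would buy back.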
2

I'm afraid your only real solution is a VPN. That will allow you to map all your TCP and UDP connections through what the modem/router will see as only a single session. You'll need to borrow/rent a machine on a real net connection somewhere to be the other end of your VPN and have that do your NAT.

David Schwartz
1

I had a similar issue. In order to get some of my sessions back, I changed the session TTL from 24 hours to 6 hours. This has freed up my sessions and I no longer run out.

Sean W.