5268ac and OpenWRT
This article is about the Pace / Arris / AT&T 5268ac Router / "Gateway" / Wireless Access Point / VoIP device / etc. (referred to from this point on as just the 5268ac). Depending on your internet provider, it could have various logos, names etc. on the exterior. And bad news on the support of the device: Arris, the original manufacturer, was bought by a company named CommScope in 2019. All CommScope is interested in is selling you a battery for the 5268ac, so no new firmware from them. The next piece of bad news is that there's more bad news. That bad news is AT&T still has new firmware that they pump out to these routers whether you want them to or not. They say this is to fix bugs, add new "features", etc. But more often than not, it also breaks things. That's why this article is being written.
Even though the main subject is focused on the 5268ac Router, there's also information for anyone who uses OpenWRT (which may also apply to Tomato, DD-WRT, etc.).
My router was working fine until AT&T pushed out a firmware update a couple of years ago. After that, I figured out a way to get things working. But then another firmware update and things were broken again.
Now mine is not the typical network setup. The capabilities of the 5268ac are not sufficient for what I need. If I could have it my way, I'd love to go back to the old days when AT&T and other providers would give me a dumb stupid network bridge device. It might seem derogatory to use the terms 'dumb' and 'stupid', but that's not the case. I really would love it if they would just give me a simple bridge device and forget about these complex combo devices that do VoIP, wireless, routing, firewall, and other stuff. I don't need it.
My router is a heavily modified Linksys WRT32X running OpenWRT. It has all the extra bells and whistles like a TTL / Serial adapter added onto it for terminal access. The OS runs on an external NVMe SSD plugged into a USB 3.0 hub, which is plugged into the USB 3.0 port on the router. Extra storage is provided via an 8GB external eSATA device plugged into the router's eSATA port, and of course all the custom network configuration.
The router is set up as a dual WAN router (AT&T / Comcast) with the remaining three ports on the builtin 5 port switch segregated into 3 separate VLANs which service 3 different subnets. The router has all the amenities of a CentOS / RockyOS Linux box, such as Webmin, Apache, OpenVPN, PoPtOp, BIND / NAMED, MySQL, VSFTPD, Monit, LightHTTPD, NGinx, DHCPD, DDNS, etc.
We'll get back to OpenWRT later on.
The Information about the 5268ac
The documentation available for this device is horrible. As in it has been all "Appled Up" (IE, is stupid, useless, only for novices, and is no help for experts or other knowledgeable people). The information on various forums is also terrible (no offense). Information on the forums falls under the category of the blind trying to lead the blind (again, no offense to those people, they're just making their best guess).
You have static IP Addresses (usually in a block of 8, 5 usable, sometimes 4, 1 usable (the most wasteful)) from your internet provider AT&T (possibly others too). How do you make functional use of those IP Addresses (notice the use of the word 'functional')? Use the 'powers' of the 5268ac they gave you? Nope. It can't do that. So why did they give you that router? Not sure. Bottom line is that you'll need to use your own equipment for those static IP Addresses.
Next question, how do you make the AT&T Router get along with your equipment so those 5 usable IP Addresses can be used? There are two ways to configure the 5268ac router to do this:
- "Add Additional Network" 'Mode'
- "Add Cascade Router" 'Mode'
Both of these 'modes' (really a radio button setting) can be found here: Settings Tab, Broadband Sub-Tab, Link Configuration Sub-Sub-Tab, Supplementary Network Section
"Add Additional Network" 'Mode'
This is the mode to use if you have multiple routers / devices (as opposed to a single device) behind the 5268ac.
You'll need the information AT&T hopefully gave you for your static IP Addresses, which includes the following:
- Subnet Information (IP Address range and Subnet Mask (for 5 Static IPs, the subnet mask will be 255.255.255.248, AKA a /29 subnet))
- Usable IP Addresses
- Default Gateway
- There's other information AT&T gave you (DNS servers, etc), but not necessary here.
A suggestion before doing any of the below stuff is to go to here: Settings Tab, Diagnostics Sub-Tab, Resets Sub-Sub-Tab, System & Links Resets Section, Clear Devices List, and click on the Clear Button. Don't worry, this won't reset your router. It will however serve to clean up the list of any devices previously connected to the 5268ac device. And again, don't worry, anything reconnected up to the 5268ac will automatically be detected.
In the "Settings Tab, Broadband Sub-Tab, Link Configuration Sub-Sub-Tab, Supplementary Network Section", Add Additional Network Radio Button sub-fields, there are three items (two to fill in and one to check / tick on)
- Router Address: Fill this field with the Default Gateway Address provided by AT&T. This will be the IP Address of the 5268's "LAN Side" (AT&T's misleading term, which should be titled "Customer Facing WAN")
- Subnet Mask: 255.255.255.248 (assuming you have 5 usable static IPs, adjust as needed with the information provided by AT&T)
- Auto Firewall Open: Check this off as it makes life easier (explained below). I'd also swear this wasn't originally available and was one of the useful items added with some firmware update.
As you configure your device(s) 'behind' the 5268ac, you can check whether the 5268 is detecting those devices here: Settings Tab, LAN (remember, that's AT&T's misleading term) Sub-Tab, LAN IP Address Allocation Sub-Sub-Tab, Public-Private NAT Mappings and Device IP Allocation Section. You should see your devices listed in this section. There should also be some settings in the form of dropdown boxes, see below:
- Firewall (Disabled / Enabled): Make sure this is set to Disabled as the router behind the 5268ac will have its own firewall capability. If using a computer, make sure it has a software firewall. In years past, this defaulted to Enabled, so one would have to select Disabled manually. Thanks to one useful firmware update (see the above 'Auto Firewall Open' setting), the 'default' can be set to Disabled (at least for devices in the IP Address range assigned by AT&T).
- Address Assignment: You can pick any setting you want. Assuming you've configured your router behind the 5268ac correctly (IE, a static IP Address is assigned to it from the pool provided by AT&T), this is a bit of a trick, as there is only one choice: Static IP - no DHCP. If you've chosen to leave your device's WAN port set for DHCP, then you'll have a choice. But that shouldn't be the case very often as the entire point of having a static IP is to make a device's WAN IP predictable, IE static.
- WAN IP Mapping: Usually the 5268ac picks this up automatically and correctly, but check against the MAC Address to make sure.
- The MAC Address is displayed above each subsection as 'unknownWhateverMACaddress'. It can also be changed to a different name here: Settings Tab, LAN Sub-Tab, Status Sub-Sub-Tab, Devices Section, Edit Name Link
"Add Cascade Router" 'Mode'
Using this mode, there can only be ONE device that has the 5 Static IP Addresses assigned to it, as the 5268ac will send ALL packets to ONLY ONE device. I can say beyond a shadow of a doubt, this section was very frustrating because of the complete lack of documentation on this item. Nothing from the manufacturer, nothing from AT&T, and really misleading / uninformed information from forums (again no offense to anyone). Even knowing what all the terms were and taking a good educated guess at what the engineers intended, the number of times I got the ERROR message with completely useless information was heading to triple digits.
For any of the below stuff to work, you must FIRST have a device hooked up and connected to the 5268ac with a WAN (not LAN, but WAN) IP Address that is NOT in the range of static IPs allocated to you by AT&T. It can be anything, BUT...
- I very strongly recommend an IP Address in a 'private range', 10.x.x.x, 172.16.x.x, 192.168.x.x.
- Beyond that, don't use an IP Address in your private LAN range / sub-net.
- Assign the WAN port of your device something like 192.168.254.1 / 24 (255.255.255.0)
- And finally, make sure the AT&T Router has an IP Address assigned to it in the same range (IE, if you chose 192.168.254.1 for your router, 192.168.254.254 for the 5268ac is in that same subnet)
- Settings Tab, LAN Sub-Tab, Link DHCP Sub-Sub-Tab, DHCP Configuration Section, DHCP Network Range - Configure Manually Button, Router Address Field, etc.
In the "Settings Tab, Broadband Sub-Tab, Link Configuration Sub-Sub-Tab, Supplementary Network Section", Add Cascade Router Radio Button sub-fields, there are three items to configure (with an additional Radio Button for the third item(s)).
- Network Address: This is the first address of the subnet AT&T allocated to you. Not the first of five usable IP Addresses, the first of the 8 IP Addresses allocated by AT&T ("This Subnet", first usable IP, 2nd, 3rd, 4th, 5th, Default Gateway, Broadcast; the Default Gateway used to be at the bottom of the usable IP range, but not anymore).
- Subnet Mask: 255.255.255.248 (again, this assumes 5 usable static IPs)
- Select Router Router (Pizza Pizza anyone) Radio Button: If this field is populated, great. If not, make sure you have a device connected to the 5268ac device (read the second paragraph of this section). If more than one device with a 'non in the AT&T provided public IP Address range' is connected to the 5268ac, then there will be more than one item in this dropdown list.
- Enter Address Radio Button: If there isn't a device with a 'non in the AT&T provided public IP Address range' IP Address, nothing you put here will work and will result in an Error message that isn't helpful.
Since this is a difficult thing to configure, here's a working example of an old subnet I used to own / have control of about 15 years ago (and still hasn't been allocated to anyone else since then, who says we're running out of IPs?):
- Subnet: 184.108.40.206 / 29
- "This Network" Address: 220.127.116.11
- Subnet Mask: 255.255.255.248
- Default Gateway: 18.104.22.168 (yes, this is the classic position of the default gateway)
- Usable IPs: 22.214.171.124 - 126.96.36.199
- Broadcast Address: 188.8.131.52
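The field values and pre-checks for both modes can be worked out before touching the 5268ac web interface. The following is an added example, not part of the original article or any AT&T tooling: the function name `plan_5268ac` is hypothetical, and the 203.0.113.8/29 block is a constructed sample from a documentation range with the gateway placed last before the broadcast address.

```python
import ipaddress as ipa

# RFC 1918 private ranges, which the article recommends for the transit link.
RFC1918 = [ipa.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_5268ac(block, gateway, router_wan, gw_5268ac, lan_subnets):
    """Return (fields to enter on the 5268ac, list of rule violations)."""
    net = ipa.ip_network(block)          # raises ValueError if not the first address of the block
    gw = ipa.ip_address(gateway)         # Default Gateway supplied by AT&T
    wan = ipa.ip_interface(router_wan)   # your router's WAN IP and prefix (Cascade mode)
    att = ipa.ip_address(gw_5268ac)      # 5268ac address on the transit link
    hosts = list(net.hosts())
    fields = {
        "cascade_network_address": str(net.network_address),
        "additional_router_address": str(gw),
        "subnet_mask": str(net.netmask),
        "usable": [str(h) for h in hosts if h != gw],
        "broadcast": str(net.broadcast_address),
    }
    problems = []
    if gw not in hosts:
        problems.append("default gateway is not a host address in the static block")
    if wan.ip in net:
        problems.append("router WAN IP is inside the static block")
    if not any(wan.ip in r for r in RFC1918):
        problems.append("router WAN IP is not in a private range")
    if any(wan.network.overlaps(ipa.ip_network(lan)) for lan in lan_subnets):
        problems.append("transit subnet overlaps a LAN subnet")
    if att not in wan.network or att == wan.ip:
        problems.append("5268ac address is not a distinct host in the router WAN subnet")
    return fields, problems

if __name__ == "__main__":
    # Constructed sample values; substitute the block and gateway AT&T gave you.
    fields, problems = plan_5268ac("203.0.113.8/29", "203.0.113.14",
                                   "192.168.254.1/24", "192.168.254.254",
                                   ["192.168.1.0/24", "10.0.10.0/24"])
    for key, value in fields.items():
        print(f"{key}: {value}")
    print("problems:", problems or "none")
```

An empty problems list means the transit link meets the Cascade Router prerequisites listed above; the "Add Additional Network" mode only needs `additional_router_address` and `subnet_mask`.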
...well, there you go. Better information than anything else that's out there. And by my standards, not very good as I was rushed when writing this article. It should be good for experts that are frustrated and beginners to some degree too. Remember, if you're not an expert, there's probably too many assumptions here on basic information, with too few links to external resources. Sorry, again I was in a rush.